Privacy Policy.

(GDPR) General Data Protection Regulation

1. Purpose

This document explains how OEAI collects, processes, stores and shares personal data to carry out its functions as an association. It outlines the categories of personal information we handle and how we comply with applicable data protection law (GDPR and Irish law). References to “our Website” or “the Website” are to www.oeai.ie. This notice covers data you provide to us directly, through the Website, or via our service providers acting on our instructions.

2. Definitions

Personal Data: Information that identifies or can identify a living person (e.g., name, role, organisation, email, phone, postal address, billing details, IP address).
Membership Information: Data about OEAI members (e.g., contact details, membership status, payments, event participation).
Business and Contact Information: Data relating to individuals and organisations with whom OEAI interacts for advocacy, collaboration and events.
Processing: Any operation performed on personal data (collection, storage, use, sharing, deletion).
Data Controller: OEAI - determines the purposes and means of processing.
Processor: Third parties who process personal data for us under contract (e.g., web host, email platform, event platform, cloud storage, payment gateway).
Cookies: Small files placed on devices by websites; may be essential or require consent (see Section 11. Cookies).

3. Why We Collect and Use This Information

We process personal data to:
- Manage memberships (applications, renewals, member communications, benefits).
- Support operational activities (events, networking, governance, website operation and security).
- Fulfil legal/financial obligations (invoicing, accounts, taxation).
- Pursue legitimate interests of OEAI (advocacy, stakeholder engagement, community management).
- Send optional updates/marketing where you consent (you can withdraw anytime).

4. Lawful Basis for Processing

We rely on:
- Contract (Art. 6(1)(b)) for membership administration and delivering member benefits/services.
- Legitimate Interests (Art. 6(1)(f)) for operating the association efficiently and securely (events, website/IT, stakeholder engagement). We balance these interests against your rights and expectations.
- Legal Obligation (Art. 6(1)(c)) for finance/tax records and compliance.
- Consent (Art. 6(1)(a)) for non-essential cookies/analytics and optional newsletters to non-members.
Note: References to Art. 6(1)(a–f) are to the EU GDPR (Regulation (EU) 2016/679).

5. Storing Information

We keep personal data in secure digital systems and, where necessary, paper files kept under lock and key. Access is role-based and protected by strong passwords/MFA; data is encrypted in transit; processors are vetted and under data-processing agreements.
Retention:
- Membership admin data: 12 months after membership lapses.
- Financial/transaction records: 6 years from financial year-end.
- Event registrations/attendance: 24 months post-event.
- General enquiries: 12 months after resolution.
- Server logs (security/diagnostics): up to 12 months.
We delete or anonymise data after these periods.
Sharing: We do not share personal data with third parties except (a) processors acting on our instructions, or (b) where required by law.
International transfers: If any provider stores data outside the EEA/UK, we use EU-approved safeguards such as Standard Contractual Clauses (and UK IDTA where relevant).

6. Your Rights

You can access, rectify or erase your personal data; restrict or object to processing (including objection to marketing based on legitimate interests); and port your data. You may withdraw consent at any time (this won’t affect prior lawful processing). We aim to respond within one month and may request proof of identity. You can complain to the Data Protection Commission (www.dataprotection.ie) or contact us first at opexassirl@gmail.com. We do not carry out automated decision-making producing legal or similarly significant effects.

7. Market place information

Where we obtain information from you to enable you to register for or purchase a third-party service (e.g., an event platform ticket, venue services), we will use that information solely for that purpose and, where necessary, share it with the relevant provider. Depending on the service, the provider may act as an independent controller and will provide their own privacy notice. Our lawful basis is contract (to fulfil your request) or legitimate interests (to coordinate association activities). We do not sell personal data.

Your domain name and e‑mail address may be recognised by our servers and the pages that you visit may be recorded. Server logs may record IP address, user-agent, referrer and timestamps for security and diagnostics. We do not share personal data with third parties except as described in this notice (processors under contract or where required by law). This information is used:
7.1 to correspond with you or deal with you as you expect, e.g., service updates, member notices, event administration;
7.2 to send you news about the services to which you have signed up. For optional newsletters/marketing to non-members, we rely on consent, which you can withdraw at any time.

8. Website usage information

Our website may use essential technologies (e.g., cookies, scripts) to deliver pages and ensure security/performance. Server logs may record IP address, user-agent, referrer and timestamps for diagnostics and security. If we use analytics or other non-essential technologies, we will request your consent before setting them and provide details in a Cookie Notice. You can withdraw consent at any time via the cookie banner/settings.

9. Financial information relating only to your credit cards

Card payments (if offered) are processed by Stripe on its secure, PCI-compliant pages. We do not receive or store card numbers. Stripe may receive your name, email and billing information to process payment and provide confirmations and may act as an independent controller for some activities - see Stripe’s privacy notice. We retain related invoicing/transaction records for 6 years.

10. Third party advertising

OEAI does not currently host third‑party advertising or ad‑tech. If this changes, we will update this notice, implement appropriate consent controls, and describe any data sharing.

11. Cookies

We use essential cookies to make the site work (e.g., security, preferences). Where we use analytics or other non-essential cookies, we will ask for your consent via a banner before setting them and provide a simple table (name, purpose, duration, provider). You can refuse or withdraw consent at any time without affecting essential site functionality.


12. How to Contact Us

Data Controller: Operational Excellence Association Ireland (OEAI)
Data Protection Lead: Eoin Barry.
Email: opexassirl@gmail.com
For complaints, you may contact the Data Protection Commission: www.dataprotection.ie.