Constituency.ie Logo

Data Protection

This Data Protection statement explains how data is processed, retained, and protected across the Platform.

Table of Contents

For clarity, for Citizen Case content, the selected Representative acts as Controller, and Constituency acts as Processor. For Representative account data, platform administration data, and website visitor data, Constituency acts as Controller.

Data Processing Agreement (Controller–Processor)

Scope and Parties

This Data Processing Agreement (“DPA”) governs the processing of Personal Data by the Processor on behalf of the Controller. The Representative (as Controller) and Philoware Limited (Processor) (T/A Constituency) agree that the Processor shall process personal data strictly in accordance with documented Controller instructions, this DPA, and applicable Data Protection Laws, including the GDPR (EU) 2016/679 and the Irish Data Protection Act 2018.

Subject-Matter Duration

The subject matter of processing consists of all personal data entered or uploaded by or on behalf of the Controller into the Platform for the duration of the subscription and for thirty (30) days thereafter for export and closure purposes.

Processor Obligation

  • (a) process personal data only on documented instructions of the Controller;
  • (b) ensure that all personnel authorised to process personal data are under confidentiality obligations;
  • (c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest, access controls, and regular vulnerability assessments;
  • (d) notify the Controller without undue delay of any personal data breach affecting the Controller’s data; and
  • (e) assist the Controller with data subject request handling and impact assessments.

Sub-processor List

Authorized sub-processors

  • Amazon Web Services (AWS), Ireland (EC2, S3, RDS)
  • Error monitoring/logging and security services
  • Identity verification providers (if used)

Controller Objection Rights

The Controller may object to the use of a new sub-processor on reasonable grounds. If unresolved, the Controller may terminate the affected services.

Data Subject Rights

Right of Access

Data subjects may request confirmation as to whether their personal data is processed on the Platform and, where applicable, obtain: • A copy of their personal data held by Constituency; • Details of the categories of personal data processed (e.g., name, contact details, constituency information, communication history, account credentials); • The purposes of processing (e.g., facilitating communication between Citizens and Representatives, account administration, compliance, security monitoring); • Categories of recipients (including service providers and hosting providers); • Applicable retention periods or criteria used to determine them. Where the request relates to Citizen Case content controlled by a Representative, Constituency will promptly refer the request to the relevant Representative and provide reasonable assistance in fulfilling it.

Right to Rectification

Data subjects may request correction of inaccurate or incomplete personal data relating to account registration information, profile details, contact information, constituency assignment details, and administrative account data. Where Constituency acts as Processor in respect of Citizen Case content, rectification requests will be transmitted to the relevant Representative as Controller.

Right to Erasure

Data subjects may request deletion of personal data where the data is no longer necessary for the purposes for which it was collected, consent has been withdrawn and no other lawful basis applies, the data has been unlawfully processed, and erasure is required to comply with legal obligations. Erasure may be limited where retention is necessary for compliance with legal obligations, establishment, exercise, or defence of legal claims, regulatory record-keeping, and public interest archiving by Representatives acting in an official capacity.

Right to Restrict Processing

Data subjects may request restriction of processing where the accuracy of the data is contested, processing is unlawful but erasure is opposed, the data is required for legal claims, and an objection to processing is pending verification. During restriction, the data will be stored but not otherwise processed, except as required by law or for the defence of legal claims.

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, data subjects may request their personal data (such as account information and submitted communications) in a structured, commonly used, machine-readable format. Where technically feasible, and where Constituency acts as Controller, data may be transmitted directly to another service provider upon request. This right does not apply to processing necessary for the performance of a task carried out in the public interest by Representatives.

Right to Object

Data subjects may object to processing based on legitimate interests relied upon by Constituency (e.g., fraud prevention, platform security, service improvement) or to direct marketing communications (if applicable). Where an objection is raised, processing will cease unless Constituency demonstrates compelling legitimate grounds overriding the interests, rights, and freedoms of the data subject, or where processing is required for legal claims. Objections relating to Representative-controlled processing must be directed to the relevant Representative.

Rights Related to Automated Decision-Making

Constituency does not engage in decision-making that is based solely on automated processing, and produces legal or similarly significant effects for Citizens. If automated tools are used (e.g., spam filtering, message categorisation, security monitoring), they do not determine substantive outcomes regarding Citizen requests. Where future automated processing materially affects data subjects, Constituency will implement safeguards including the right to obtain human intervention, the right to express a point of view, and the right to contest the decision.

Data Retention Policy

General Retention Principles

Personal data will be retained only for as long as necessary to fulfil the purpose for which it was collected (service delivery and support), or as required by law. Retention periods must be documented and justified.

Specific Retention Periods

  • (a) Account and verification data: retained during active account + 12 months for administrative purposes.
  • (b) Case data: retained per Controller instruction; public cases may persist as civic records.
  • (c) Logs and telemetry data: retained up to 12 months; backups up to 30 days.

Breach Reporting and Notification

Processor Reporting

The Processor must notify the Controller within twenty-four (24) hours of becoming aware of a personal data breach affecting the Controller’s data, including mitigation steps.

Controller Reporting Obligations

The Controller must notify the Irish Data Protection Commission of qualifying breaches within seventy-two (72) hours as required by GDPR.