Privacy Policy

1. Introduction 

Data protection is the safeguarding of the privacy rights of individuals in relation to the processing, storage and security of their personal data. It is the policy of CCI to comply with the obligations of the Data Protection Acts 1988 and 2003, and now GDPR, and to ensure that all employees and volunteers are aware of their data protection responsibilities. 

Employees, volunteers and service users supply CCI with personal information, and Data Protections legislation applies to this information. Data Protections law places obligations on the organisation and all employees who keep personal information. Every individual has the right to know what personal information is held about him / her. This Act applies to living persons.
Data Protection rights apply whether the information in held in paper based form, in electronic format, in manuals, or in photographs, video or digital images.

Manual files created before July 2003 are not subject to the full application of the Acts until October 24, 2017. However, those files are subject to access on request and security rulings apply to them.

Data Protection Rules

The key responsibilities for the organisation with respect to personal information are as follows:

  1. Data should be obtained and processed fairly.
  2. Data should be kept only for one or more specified and lawful purposes.
  3. Data should be processed only in ways compatible with the purposes for which it was given to the organisation originally.
  4. Data should be kept safe and secure.
  5. Data should be kept accurate and up-to-date.
  6. Data should be adequate, relevant and not excessive for the purpose(s) for which it is collected and processed.
  7. Data should not be retained for any longer than is necessary for the specified purpose(s).
  8. An individual will be given a copy of his/her personal data on request.

2. Policy Statement

With regards to its data protection responsibilities CCI will endeavour to:

3. Policy Purposes

The purpose of this Data Protection Policy is:
•    To outline how this company endeavours to comply with the Data Protection Acts;
•    To provide guidelines for employees and volunteers;
•    To protect this from the consequences of a breach of its responsibilities.

4. Policy Scope

This Data Protection Policy applies to all employees and volunteers who handle personal data of service users, the people we support and / or employees.

5. Data Protection Principles

This company will endeavour to meet its obligations under the Data Protection Acts and apply the eight Data Protection Principles in how it stores and processes personal data and information.

5.1    Obtain and Process Data Fairly

At the time the personal data is being collected, an individual must be made aware of the following:

The individual must have given consent to the processing of the data. Processing means performing any operations or set of operations on data, including:

5.2    Purpose(s) for which information is stored

This principle requires employees processing personal data to be aware:

5.3    Processing of Data

Data should be processed only in ways compatible with the purposes for which it was given to the organisation originally.

5.4    Data should be kept safe and secure

Appropriate security measures must be taken against unauthorised access to, or alteration, disclosure or destruction of the data and against their accidental loss or destruction.

5.5    Data should be kept accurate and up-to-date

Personal information must be accurate. It is the responsibility for all employees who obtain or hold information to ensure that it is accurate and complete.

Where an individual data subject informs or advises this company of any errors or changes to their data, employees must amend the information accordingly, and as soon as is reasonably possible.

Manual and computer procedures must be adequate to ensure high levels of data accuracy and maintenance.

5.6    Data should be adequate, relevant and not excessive for the purpose(s) for which it is collected and processed

Only the information necessary to provide support or services should be collected and maintained. Periodic reviews should take place of any personal information already held, to ensure that it is adequate, relevant and not excessive for the purpose for which it was collected.

5.7    Data should not be retained for longer than is necessary for the specified purpose(s)

Data should be held for the length of time the purpose for which it was collected is valid. Once this data is no longer current or valid, it must be disposed of in a secure manner. Particular care is to be taken when shredding or incinerating paper-based or manual data and when disposing of laptops and computers.

Exceptions may apply from specific legislation which requires information to be retained for particular periods.

5.8    An individual will be given a copy of his / her personal data on request.

An individual about whom personal data is held is entitled to:

To make an access request the Data Subject must:

Additional rights under the Data Protection Acts:

6. Procedure for dealing with a request under the Data Protection Acts

Upon receiving a data protection request, the following steps will be taken:

7. Right of complaint to the Data Protection Commissioner

Any person may complain to the Data Protection Commissioner about the way in which their data protection request was handled. 

8. Management of a Data Breach

Should a data breach occur, the following actions will be taken:

9. Policy Review

This Data Protection Policy will be subject to review every three years or in response to changes made to amendments to the Data Protection Acts.

10.    GDPR Policy Update

GDPR was approved by the EU Parliament on 14th April 2016. Enforcement date was 25th May 2018.  

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy. This Data Protection Policy will be subject to review every three years or in response to changes made to amendments to the Data Protection Acts.

Personal data allows people to access entertainment, products & services, but means people have to trust the organisations that their data is shared with. From May 25th 2018, the new EU General Data Protection Regulation, GDPR:

This applies to all to businesses, online service providers or public sector bodies that ask for personal data, including CCI. CCI must tell people clearly:

CCI must:

How CCI achieve this:

GDPR implementation and Data Protection at CCI is the responsibility of the board of CCI. Board members are:

Website Privacy Policy

Crohn's & Colitis Ireland respects your right to privacy and complies with its obligations under the General Data Protection Regulation (GDPR). The goal of this website privacy policy is to help you understand how the Society deals with any personal data you provide when you visit its website.
By visiting the website, you are accepting the terms of this website privacy policy. 
This website might contain external links to other websites and the Society is not held responsible for the privacy policies of these other websites.

What type of information do we collect?

We will only collect personal data that is needed to provide our services to you. We will ensure the collected data is not used or shared for other purposes.
We will ensure where possible, data will be anonymised. 
You may browse our site anonymously but certain functions and pages may be unavailable to you. 

We collect information from you when you visit our website, register for our online community, place an order or make a donation, subscribe to our email newsletter, or fill out a form. 

When making a donation, registering for a campaign or event on our website, as appropriate, you may be asked to provide personal details such as name, email address, postal address, phone number or payment information as needed.

What do we use your information for?

Any of the information we collect from you may be used in one of the following ways:

To provide IBD information and helpline service
We collect and store personal data in order to provide information and service for people affected by Colitis or Crohn’s.
Our helpline may collect sensitive personal data about your health when you speak, email or send enquiries. We will use this information to answer your questions and give advice or support.

We may also use this information for training, quality monitoring or evaluating the services we provide. 
We may also collect and retain your data if you send feedback about any of our services or make a complaint.

To process payments, fulfil online orders and confirm transactions
Example: Donating or purchasing online, or paying for membership fee. We will use your information to complete your order and to follow up, where relevant or requested, by email, phone or post on any transactions and issue payment receipts.
To improve our website and provide a personalised experience for you
We continually try to improve our website based on the anonymous information and feedback we receive from you.
We want your visit to our website to be a useful one, making sure you are able to find the information that you’re looking for and that is relevant to you.
To keep you informed about what we’re doing in the fight against IBD
If you have signed up for Crohn's & Colitis email newsletter, you will receive this email when issued. At any time you can unsubscribe from receiving future emails by emailing 
To let you know other ways you can get involved in our fundraising and campaigns:
From time to time we will use your postal address to send you updates on the impact of your donation, and let you know how you can get involved in our fundraising and campaigns. 
We may also contact you by phone and email if you have given us consent to do so.
We will always respect your privacy and will always give you the option to stop hearing from us.

How do we protect your information?

We use a variety of security measures to securely process and keep your personal information safe when you interact with our website.

We use a secure server so that all supplied sensitive/payment information is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our payment gateway provider's database (Stripe Payments). Stripe is a PCI Service Provider Level 1 which is the highest grade of payment processing security. All credit card numbers are encrypted and safely stored in Stripe's state of the art data-centre. This ensures both the security and integrity of your information.

The Society takes, and will continue to take, all reasonable steps (which includes relevant technical and organisational measures) to guarantee the safety of the data you provide to us and we will only use the data for the intended purpose.

However, the nature of the internet is such that we cannot guarantee or warrant the security of any information you transmit to us via the Internet will be 100% secure.

Do we use cookies?

Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your web browser (if you allow) that lets the sites or service providers systems to recognise your browser and capture and remember certain information.

We use cookies to help us remember and process items in your shopping cart and compile anonymous data about site traffic and site interaction so that we can offer better site experiences and tools in the future. 

This website uses Google Analytics to gather anonymous statistics about visitors to the site and which pages are visited.
If you prefer, you can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies via your browser settings. Like most websites, if you turn your cookies off, some of our services may not function properly.

However, you can still make a donation, place orders, and register for membership over the telephone on (01) 531 2983 (within Republic of Ireland).

Do we disclose any information to outside parties?

We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information.

The information you provide when interacting with our website will be kept securely and used by the Crohn's & Colitis Ireland in order to make your interaction with the Society possible. Your information will not be shared with any organisation, other than with your permission, or where required by law.

Your personal information will not be held outside the EU.
We also reserve the right to enforce our site policies in order to protect our rights and the rights of other individuals in a manner that is safe and compliant with the law.

Non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses. For example, we may disclose the total number of visits to our website.

You control your information

Crohn's & Colitis Ireland is committed to upholding the rights of individuals and have processes in place for providing individuals' access to their personal information. A subject access request (SAR) is a request for access to the personal information that the Irish Society for Colitis & Crohn’s disease holds about you, which we are required to provide under the General Data Protection Regulation (GDPR) unless an exemption applies.

Under GDPR your other rights include :

You can make any request in writing to the:
Crohn's & Colitis Ireland,
Carmichael Centre for Voluntary Groups
North Brunswick Street
Dublin 7
D07 RHA8

Where requested, we will provide the following information:

Your request will be completed in 30 days  

Online privacy policy only

This online privacy policy applies only to information collected through our website and not to information collected offline.

Your consent

By using our website, you consent to our website's privacy policy (this page).

Changes to our privacy policy

We reserve the right to make changes to our web privacy policy at any time without prior consultation; these changes will be posted on this page together with the privacy policy revision date.