• At Mayo Calligraphy we are thoughtful about the personal information we ask you to provide and the personal information that we collect about you through the operation of our shop and services.
• We store personal information, like phone numbers, photos and personal details for only as long as we have a reason to keep it. Once your project is delivered, your information will be deleated.
• We aim for full transparency on how we gather, use, and share your personal information. You can ask at any time to see the information and files we have stored for your project.

Who we are

Our website address is: https://mayocalligraphy.ie. We are a calligraphy services and printing company based in Ballintubber, Co Mayo. You can contact us on +353 86 1718 330 or by email at maggi@mayocalligraphy.com or admin@mayocalligraphy.com. The data controller is Margaret Geraghty and can be contacted at the above number.

What personal data we collect and why we collect it

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

We store your photos and personal details on the company laptop and business phone. These photos are deleated when your project is completed and a print approval form is signed off.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Analytics

Who we share your data with:

If your project is one that requires ‘out of house’ printing, then we will share your details with the printing company we use. You are entitled to request the name and address of the printing company we use.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website, we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

Personal data and photos are only retained until your project is completed.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

You can request to see your project file at any time in the design process.

You have the following rights under the GDPR, in certain circumstances and subject to certain exemptions, in relation to your personal data:

• right to access the data – you have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.

• right to rectification- you have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.

• right to erasure – you have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten.

• right to restriction of processing or to object to processing – you have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.

•. Right to data portability – you have the right to request us to provide you with a copy of your personal data in a structured, commonly used machine readable format.

In order to exercise any of the rights set out above, please contact us at the contact details at the start of this privacy notice.

If we are processing personal data based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing which took place prior to its withdrawal.

If you are unhappy with how we process personal data, we ask you to contact us so that we can rectify the situation.

You may lodge a complaint with a supervisory authority. The Irish supervisory authority is the Data Protection Commission.

Where we send your data

Visitor comments may be checked through an automated spam detection service. We use BlogVault and Wordfence to filter spam. We will also send your photos and or data to ‘out of house’ printing if your project requires this.

Your contact information

I will retain your contact email and telephone number while your project is in progess. When your order is completed, your personal information is deleated.

Additional information

How we protect your data

Your data is held on the company secure, password protected laptop.

What data breach procedures we have in place

From 25 May 2018, the General Data Protection Regulation (GDPR) introduces a requirement for organisations to report personal data breaches to the relevant supervisory authority, where the breach presents a risk to the affected individuals. We will do this within72 hours of becoming aware of the breach.

Where a breach is likely to result in a high risk to the affected individuals, we will also inform those individuals without undue delay.

To facilitate decision-making and determine whether or not we need to notify the relevant supervisory authority and affected individuals, we have a high-quality risk management process and robust breach detection, investigation and reporting process in place.

 In a case where we determine that the breach is unlikely to result in high risk to the individual, we will keep an internal record of the details, the means for deciding there was no risk, who decided there was no risk, and the risk rating that was recorded.

Initial notification of a breach

• All breach notifications will be notified using the ‘Breach Notification Form’.
• All cross-border personal data breaches will be indicated as being cross-border on the relevant section of the form.
  Cross-border processing means either:
  • Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of an organisation; or
  • Processing of personal data which takes place in the context of the activities of a single establishment of an organisation that substantially affects or is likely to substantially affect data subjects in more than one Member State.

Self-Declared Risk Rating

In determining how serious we consider the breach to be for affected individuals, we will take into account the impact the breach could potentially have on individuals whose data has been exposed. In assessing this potential impact we will consider the nature of the breach, the cause of the breach, the type of data exposed, mitigating factors in place, and whether the personal data of vulnerable individuals has been exposed. The levels of risk are further defined below:

• Low Risk: The breach is unlikely to have an impact on individuals, or the impact is likely to be minimal.
• Medium Risk: The breach may have an impact on individuals, but the impact is unlikely to be substantial.
• High Risk: The breach may have a considerable impact on affected individuals.
• Severe Risk: The breach may have a critical, extensive or dangerous impact on affected individuals.

What third parties we receive data from

We do not receive data from third parties.

What automated decision making and/or profiling we do with user data

We do not make any automated decisions of partake in any profiling with regard to user data.

Data Protection Legislation

Key Data Protection legislative frameworks applicable from 25 May 2018

The Data Protection Commission (DPC) is governed by a number of legislative frameworks. Details of the key legislation and guidance about how the laws are applied is outlined below.

From 25 May 2018 the key legislative frameworks are:

• General Data Protection Regulation (GDPR)
• Data Protection Act 2018
• the “Law Enforcement Directive” (Directive (EU) 2016/680) which has been transposed into Irish law by way of the Data Protection Act 2018
• the Data Protection Acts 1988 and 2003
• the 2011 “ePrivacy Regulations” (S.I. No. 336 of 2011 – the European Communities (Electronic Communications Networks and Services) (Privacy And Electronic Communications) Regulations 2011)

The General Data Protection Regulation (GDPR) applies from 25 May 2018. It has general application to the processing of personal data in the EU, setting out more extensive obligations on data controllers and processors, and providing strengthened protections for data subjects. Although the GDPR is directly applicable as a law in all Member States, it allows for certain issues to be given further effect in national law. In Ireland, the national law, which, amongst other things, gives further effect to the GDPR, is the Data Protection Act 2018.

However, in some instances, depending on the nature and circumstances of the personal data processing, the type of personal data being processed, or when the data protection issue occurred, the GDPR will not apply and instead another legal framework concerning the regulation of the processing of personal data may apply. For example, if a data protection complaint or a possible infringement of the law relates to an incident which occurred before the GDPR became applicable on 25 May 2018, then the Data Protection Acts 1988 – 2003, and not the GDPR, will apply. After 25 May 2018, if the processing of personal data is carried out for a law enforcement purpose (in other words the prevention, investigation, detection or prosecution of a criminal offence or the execution of criminal penalties) then the GDPR will not apply and instead the Law Enforcement Directive, which has been transposed into Irish law by way of the Data Protection Act 2018, will apply.

A very brief summary of the main data protection frameworks, which the DPC will supervise and enforce from 25 May 2018 onwards, is set out in the table below.