close

Data Protection Policy

1. Data Protection Principles

Helplink Mental Health CLG (“Helplink”) is committed to protecting the rights and privacy of all individuals whose personal data we process. In line with Article 5 GDPR and the Data Protection Act 2018, personal data shall be:

  • Lawful, fair, and transparent: Processed lawfully, fairly, and in a transparent manner.
  • Purpose-limited: Collected for specified, explicit, and legitimate purposes and not further processed in ways incompatible with those purposes.
  • Data minimised: Adequate, relevant, and limited to what is necessary.
  • Accurate: Kept accurate and up to date, with steps taken to rectify or erase inaccuracies without delay.
  • Storage-limited: Retained only for as long as necessary for the purposes for which it was collected.
  • Secure: Processed with appropriate technical and organisational measures to protect against unauthorised or unlawful processing, accidental loss, destruction, or damage.

2. General Provisions

  • This policy applies to all personal data processed by Helplink.
  • Helplink acts as the Data Controller and is responsible for compliance with GDPR and the Data Protection Act 2018.
  • This policy will be reviewed annually, or sooner if required by law or organisational changes.

3. Lawful, Fair, and Transparent Processing

  • Helplink maintains a Data Processing Activity Log detailing:
    • Categories of personal data collected.
    • Purposes for processing.
    • Lawful basis for processing.
    • Security measures in place.
  • The log is reviewed annually to ensure ongoing compliance.

4. Lawful Bases for Processing

Helplink processes personal data under one or more of the following lawful bases:

  • Consent (explicit and informed).
  • Contract (where processing is necessary for service provision).
  • Legal obligation.
  • Vital interests (to protect life).
  • Public task.
  • Legitimate interests (balanced against individual rights).

5. Data Minimisation

  • Helplink ensures that personal data collected is strictly necessary for service delivery.
  • Sensitive personal data (special category data such as health information) is only collected where essential for therapeutic or support services, and always with explicit consent or another lawful basis under Article 9 GDPR.
  • Personal data is never shared with third parties unless legally required or with explicit consent.
  • Data is not used for direct marketing or fundraising purposes.

6. Accuracy

  • Reasonable steps are taken to ensure personal data is accurate and kept up to date.
  • Clients may request rectification of inaccurate data at any time.

7. Retention and Deletion

  • Client records are retained for no longer than 7 years in line with professional standards (e.g., IACP recommendations), unless:
    • The client is still receiving treatment.
    • A legal obligation requires retention (e.g., court order).
  • At the end of the retention period, records are securely and irretrievably deleted.

8. Security Measures

  • All personal data is stored in encrypted digital formats.
  • Paper records are scanned, encrypted, and securely destroyed.
  • Encrypted storage devices are kept in secure premises and never removed.
  • Access to personal data is restricted to authorised staff (administrators and relevant counsellors).
  • Emails and contact form submissions are deleted once no longer required.
  • All staff receive regular Data Protection and GDPR training.

9. Data Subject Rights

Under GDPR and the Data Protection Act 2018, individuals have the right to:

  • Access their personal data.
  • Request rectification or erasure.
  • Restrict or object to processing.
  • Data portability (where applicable).
  • Withdraw consent at any time (where consent is the lawful basis). Requests will be responded to within one month, in line with GDPR requirements.

10. Data Breach Management

  • Any personal data breach will be reported to the Data Protection Commission (DPC) within 72 hours, unless the breach is unlikely to result in risk to individuals.
  • Affected individuals will be notified within 72 hours where the breach is likely to result in high risk to their rights and freedoms.
  • Helplink maintains a Data Breach Response Plan to ensure timely and effective action.

11. Complaints and Contact Information

If you have any concerns about how your personal data is being processed by Helplink Mental Health CLG, or wish to make a complaint, you can contact us directly:

Helplink Mental Health CLG Data Protection Officer Email: info@helplink.ie Phone: +353 (0)91 759 887 Address: 1st Floor, The Plaza Headford Road, Galway, Co. Galway, H91 KC6V

We will respond to all complaints and queries in line with our obligations under GDPR and the Data Protection Act 2018.

If you are not satisfied with our response, or believe that your data protection rights have been infringed, you have the right to lodge a complaint with the supervisory authority:

Data Protection Commission (DPC) 21 Fitzwilliam Square South Dublin 2, D02 RD28 Ireland Website: www.dataprotection.ie Email: info@dataprotection.ie Phone: +353 (0)761 104 800