Privacy Policy

1. Introduction

Johnson Hana International (“JHI”) is a limited company with registered address at Dargan House, 21 Fenian Street, Dublin 2. Its primary function is the provision of outsourced legal services, including managed legal services and “on-demand” lawyers. For further information, please visit the About Johnson Hana section of our website.

JHI is committed to protecting the rights and privacy of individuals in accordance with both European Union and Irish data protection legislation. JHI shall lawfully and fairly process personal data about candidates, employees, clients, consultants and other stakeholders to allow us to undertake our primary function and activities. We want you, the ‘data subject’, to understand how we collect, use, store, and share your personal data. We also want you to understand what rights you can invoke to help you to protect your privacy. In this regard, it is important that you read this Privacy Notice and understand how we use your personal data. Please note that we reserve the right to update this Privacy Notice as required.

2. Legislation

All personal data processed by us is done so in accordance with applicable Sections 5 and 6 of the Data Protection Act 2019.

3. Queries & Complaints

If you are unhappy with the way we handle your personal data and wish to complain, or if you simply want further information about the way your personal data will be used, please contact our data champion using our details below.

  • Address: Dargan House, 21 Fenian Street, Dublin 2
  • Telephone: +353 (01) 514 3613
  • Email: [email protected]

You have the right to lodge a complaint with the Data Protection Commission. To contact the Data Protection Commission, please use the following details:

  • Address: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28
  • Telephone: +353 (0)761 104 800 or +353 (0)57 868 4800
  • Email: [email protected]

4. Breaches

JHI will take all appropriate technical and organisational steps to safeguard your personal data. In the unlikely event of a data breach, we will contact you in line with our legal obligations.

5. How do we collect data?

We collect personal data to enable the provision of services to support the JHI purpose. The following non-exhaustive methods of data collection are an indication of ways in which we may obtain your information:

  • Obtain personal data directly from you (through use of our website, by phone, by email, through meetings etc); and
  • Personal data that we receive from other sources.

Please note that when entering our premises, you will be recorded on CCTV surveillance and the Visitor Sign In tablet/book for security purposes. JHI does not collect or process this data. This data is collected and controlled by our landlord WeWork, Dublin Landings Tenant Limited.

It is important that the personal data you provide us is up to date and accurate. As outlined in Section 10 (Right to Rectification) of this notice, if personal data we hold on you is inaccurate or incomplete, please contact us and we will update the information.

6. What do we do with your data?

For our legal consultants, we use your data in the following ways:

  • Use your personal data to evaluate your suitability for contract opportunities with JHI clients and communicate with you in relation to same;
  • With your prior consent, send your personal data to JHI clients or third parties engaged by JHI clients to assess your suitability for said opportunities;
  • Store your personal data on our electronic database, on our cloud-based systems or servers;
  • Your personal data may also be processed by our staff, our suppliers (such as couriers, web-conferencing facilitators and technology providers) or third parties (including, but not limited to, professional indemnity insurers, brokers, auditors, and other professional advisors).

7. Who do we share this data with?

As detailed above, we may share personal data with other parties in the course of our duties. When this is done, we adhere to the following principles:

  • The transfer is based on a legal obligation, the performance of a contract, or explicit consent.
  • Where data is transferred to another party, we ensure appropriate technical and organisational safeguards are used to protect your personal data.
  • Where we engage a third party to provide a service to us, we ensure the provider has taken appropriate technical and organisational measures to process, store, and safeguard your personal data.

JHI, as a Data Controller, will not sell your data to any third party and will take all appropriate steps to ensure the security of your data in dealings with third parties.

While the parties we engage may change occasionally, we believe it is important you are aware of the types of parties we share data with. The categories and types of third parties outlined below are a non-exhaustive list but provide an indication of the parties we share data with.

  • Other Third Bodies

Third parties for the purposes of internal and external audits, carrying out research, general practitioners, and/or third parties who may improve our processes and services (such as consultants).

  • Government Departments, Bodies or Agencies

JHI is legally obligated to share personal data with state actors, as outlined in the Data Protection Act 2018.

Recipients of this data include Government departments, agencies, bodies, investigatory bodies, local authorities, and the Gardaí.

  • International Transfers

Where personal data is transferred outside the European Economic Area, JHI shall use safeguards known as Standard Contractual Clauses (SCCs).

8. What do we use information for?

Process, Purpose, and Lawful Basis

We use personal data collected to fulfil our purpose of providing outsourced legal services.

We use personal data we gather for any of the following purposes:

| Purpose | Process | Lawful Basis |
| --- | --- | --- |
| Pre-Recruitment | To register a prospective data subject’s interest in working with JHI. | Processing is necessary for JHI’s legitimate interests. Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract. |
| Recruitment and Selection | To complete the recruitment process and assess data subject suitability. | Processing is necessary for JHI’s legitimate interests. Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract. Processing relates to our obligations in employment and for assessing data subject’s suitability and capacity. |
| Pension | To administer a data subject’s pension entitlement and to comply with pension rules. | To comply with various pension laws. Processing is necessary for the performance of a contract to which the data subject is party. |
| Payroll | To enable JHI to effect payment to the data subject. | Processing is necessary for the performance of a contract to which the data subject is party. |
| Personnel File | To comply with employment and revenue laws and to ensure that terms and conditions of employment are adhered to. | Processing is necessary for the performance of a contract to which the data subject is party. To comply with various employment and revenue laws. To protect the vital interests of the data subject in the event of an accident or emergency. |
| Entitlement to Work | To enable JHI to achieve compliance with its obligations pursuant to any local legislation governing the entitlement to work. | Processing is necessary for compliance with a legal obligation to which JHI is subject. |
| Time and Attendance Records | To enable the data subject to avail of their rights and entitlement pursuant to the Organisation of Working Time Act, 1997. | The processing is necessary for the performance of contract to which the data subject is party. |
| Statutory Entitlement | To enable JHI to achieve compliance with: its obligation to the data subject; record keeping obligations pursuant to a variety of employment law statutes. | The processing is necessary for compliance with legal obligation to which JHI is subject. |
| Training Records | To ensure that JHI is in a position to assess the data subject’s training needs and to capture proof of training. | The processing is necessary for the performance of contract to which the data subject is party. |
| Performance Details | To manage the data subject’s performance in accordance with relevant JHI policies. | The processing is necessary for the performance of contract to which the data subject is party. |
| Grievance and Disciplinary | To ensure the data subject’s complaints are fairly investigated in accordance with JHI policies. | To comply with JHI legal obligation to apply fair procedures to any data subject’s investigation. The processing is necessary for the performance of contract to which the data subject is party. |
| Medical Information | To manage the data subject’s absences, to manage sick pay in accordance with the contract of employment, and to manage the fitness to work of data subjects. | Processing is necessary to assess, subject to data subject safeguards, the working capacity of the data subject. To carry out obligations and exercise rights under employment law. |
| Making or Receiving Payments | To make or receive any payments in the discharge of normal business functions, dispute settlement, or to carry out any other payment requirements. | Processing is necessary for compliance with various employment and revenue laws. The processing is necessary for the performance of contract to which the data subject is party. |
| Voice of the Customer | To obtain the data subject’s feedback by survey on the JHI recruitment processes and services. | Processing is based on request of consent which will be taken from the data subject. |
| Attracting Talent | To provide support and assistance on recruitment services to data subjects via third party sources, such as LinkedIn and other job sites, from which JHI obtain personal data. | Processing is based on legitimate interest. |
| Supporting Talent | To support data subjects in their career guidance and communicate with them directly with useful information, advice, and support materials through email, messaging, or mobile/web notification. | Processing is based on legitimate interests and contractual obligations. |
| Regulatory Compliance | To comply with financial regulations and any other relevant laws and regulations. | Processing is necessary for compliance with a legal obligation to which JHI is subject. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. |
| Third Party Data Sharing | To allow JHI to conduct and carry out functions with third party service providers that enable us to deliver our services. | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. |
| Back-ups | To store personal data and make back-ups of that data in case of emergencies and for disaster recovery purposes. | Processing is necessary for compliance with a legal obligation to which the JHI is subject. |
| Evidence Submissions | To gather information for dispute resolution services and legal proceedings. | Processing is necessary for compliance with a legal obligation to which the JHI is subject. |
| Transfer of Information for Parties Legal Proceedings | To allow parties to commence legal proceedings. | Processing is necessary for compliance with a legal obligation to which the JHI is subject. |
| Accidents and Incidents | To enable JHI to comply with record keeping obligation pursuant to the Safety, Health, and Welfare Act. | Processing is necessary for compliance with a legal obligation to which the JHI is subject. |

9. What type of information is collected?

To fulfil our mandate and perform tasks as outlined in this statement, we need to collect various types of personal data.

While the type of personal data may change occasionally, we believe it is important you are aware of the types of data we gather and use. The following table is a non-exhaustive list and provides an indication of the categories and types of data we use to perform our tasks.

Please note that information listed under one category may be used for the performance of a task or in relation to activities under another heading or as outlined under Section 3.

| Category | Type of Data |
| --- | --- |
| Candidates | First name, last name, date of birth, contact details, email address, passport, identification copy, PPS number, pictures, CVs, work position, qualifications, employment history, job interests, transcripts, education, training history, cover letters, salary details, bank details, next of kin, tax, VAT details, interviews attended, interview feedback, technical data includes username, password, and survey responses (CSAT scores and text entry questions captured as comments). Special data revealing racial or ethnic origin, VISA, and data concerning health. Garda Vetting and International Police clearance. Relevant Insurance Policies. This list is not exhaustive, and we may seek to process, use or disclose your information for any other purpose which has not been listed in this policy always with your explicit prior consent. Please note you are not required to provide us with your personal data. However, if you do provide us with your personal data you are deemed to have consented to our collection, use and/or disclosure of your personal data in the manner set out in this policy. |
| Employees | First name, last name, date of birth, address, contact details, email address, family details, financial, tax, pension, remuneration details, performance, visual images details, employee ID, lifestyle and social circumstances, education, and training details. Special data revealing racial or ethnic origin and data concerning health. |
| Other Stakeholders | First name, last name, address, contact details, email address, PPS number, job title, financial details, technical data includes IP address, browser history, and survey responses (CSAT scores and text entry questions captured as comments). Special data revealing data concerning health. |
| Clients | First name, last name, contact details, email address. |

10. What are your rights?

As a data subject, you will have the following rights as outlined in this section. However, restrictions may apply in certain situations.

Where do I send requests?

Please send all your requests to the contact details provided in Section 3, with as much detail as possible about your requirements to allow us to deal with your request efficiently. To answer your request, we may ask you to provide identification for verification purposes.

How long will a request take?

Upon receipt of a request, we will have 30 days to provide an answer with an extension of two further months if required. If we require more time to deal with your request, we will notify you of the delay and the reasons behind it within 30 days of the receipt of the request. If we refuse your request, we will also notify you within 30 days of the receipt of the request accompanied by the reasons for the refusal.

We will not charge a fee for any requests, provided we do not consider them to be unjustified or excessive. If we do consider these to be unjustified or excessive, we may charge a reasonable fee (also applicable for multiple copies) or refuse the request.

You are entitled to contact the Data Protection Commission if we refuse your request.

Consent

Where processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To discuss withdrawal of consent, please email [email protected].

Right of Access

You have a right to know what personal data we hold on you, why we hold the data, and how we are processing your personal data.

When submitting your request, please provide us with information to help verify your identity and as much detail as possible to help us understand the information you wish to access (i.e. date range, subject of the request) and email [email protected].

Please note that an access request is free of charge; however, where we determine a request to be unjustified or excessive, we may charge you a reasonable fee.

Right to Rectification

You have a right to request that our information held on you is up to date and accurate.

Where information is inaccurate or incomplete, we encourage you to contact us to have this information rectified. Upon receipt of request, we will ensure that the personal data is rectified and as up to date as is reasonably possible.

Right to be Forgotten

You have the right to seek the erasure of your personal data in the following circumstances:

  • The personal data is no longer required for the purposes for which it was obtained;
  • Where data is being processed on the basis of consent, you withdraw consent to the processing and no other lawful basis exists;
  • The personal data is being unlawfully processed;
  • You object to the processing of personal data and there are no overriding legitimate grounds for the processing;
  • Your personal data requires deletion in line with legal requirements.

However, we will be unable to fulfil an erasure request if the processing of personal data is necessary for the following:

  • Exercising the right of freedom of expression and information;
  • Compliance with a legal obligation or for the performance of a task carried out in public interest;
  • Reasons of public interest in the area of public health;
  • Archiving or statistical purposes in the public interest;
  • The establishment, exercise, or defence of legal claims.

Please note that where the legal basis for our processing of personal data is on the basis of a legal obligation, some processing in relation to your data may not be subject to the right to erasure.

To determine your request for erasure, we will carry out an assessment of the justification for retaining your personal data where a legal requirement applies and contact you if we are unable to fulfil your request.

Please be aware that in some circumstances we may need to retain some information to ensure all of your preferences are properly respected. For example, we cannot erase all information about you where you have also asked us not to send you marketing material. Otherwise, we would delete your preference not to receive marketing material.

Right to Restriction

You have the right to restrict the extent of personal data processed by us in circumstances where:

  • You believe the personal data is not accurate (restriction period will exist until we update your information);
  • The processing of the personal data is unlawful, but you wish to restrict the processing of data rather than erase it;
  • Where the personal data is no longer required by us, but you require retention of the information for the establishment, exercise, or defence of a legal claim;
  • You have a pending objection to the processing of the personal data.

When processing is restricted, your personal data will only be processed: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of other people; or for reasons important to public interest.

We will contact you to confirm where the request for restriction is fulfilled and will only lift the restriction after we have informed you that we are doing so.

Right to Data Portability

You have the right to the provision of all personal data held in relation to you in a structured, commonly used and machine-readable format where:

  • Processing is completed on the basis of a contract;
  • Processing is completed based on consent by you;
  • Processing is carried out by automated means.

You may also request that we send this personal data to another data controller where technically feasible.

Right to Object

You have the right to object to the processing of your personal data; however, the processing must have been undertaken on the basis of public interest or legitimate interest by us.

If you wish to object to the processing of data, please contact us with your request. We will then stop the processing of personal data unless it is required for legal proceedings.
