Privacy Policy

1. Who We Are

The data controller for personal data described in this Notice is:

Legal name: Saoirse Housing Association CLG

Trading as Saoirse Domestic Violence Services (SDVS)

Charity number: 20058296

Company number: 390584

Revenue number: 16281

Registered address: Unit 23, Block 3, Village Green, Tallaght, Dublin 24, D24F6XA

Website: https://sdvs.ie

Contact email: info@sdvs.ie

Saoirse Domestic Violence Services is a registered charity providing crisis refuge accommodation, outreach, prevention, and support services to individuals and families affected by domestic and sexual violence across Dublin and, where capacity allows, nationally across the Republic of Ireland.

2. Our Data Protection Officer

Saoirse Domestic Violence Services has appointed an external Data Protection Officer (DPO). Given the sensitive and substantial nature of the personal data we process, including data about vulnerable adults and children, the appointment of a DPO reflects both our legal obligations and our commitment to data protection.

Our DPO is Privacy Path, an independent data protection consultancy. You may contact our DPO directly at any time regarding data protection matters:

DPO: Privacy Path (external)

Email: privacy@privacypath.ie

Website: privacypath.ie

If you have a question, concern, or complaint about how we handle your personal data, please contact our DPO in the first instance. Our DPO is independent of SDVS and is there to assist you.

3. Laws That Apply to Us

SDVS is established in the Republic of Ireland and is regulated for data protection purposes by the Irish Data Protection Commission (DPC). The following laws apply to our processing of personal data:

• General Data Protection Regulation (EU) 2016/679 (GDPR)

• Irish Data Protection Acts 1988 to 2018

• ePrivacy Regulations 2011 (SI 336/2011)

• Children First Act 2015

• Charities Act 2009

4. Our Role as Data Controller

SDVS acts as the data controller in respect of the personal data described in this Notice. As data controller, we determine the purposes for which, and the manner in which, personal data is processed.

In some limited circumstances — for example, where we receive referrals from or share information with statutory agencies such as the courts service, the Garda Síochána, Tusla, or social work teams — we may act as a joint controller alongside those bodies in respect of specific data flows. Where this applies, we will endeavour to make this clear.

Where SDVS processes client data using third-party platforms and service providers, those third parties act as processors on our behalf and are bound by Data Processing Agreements.

5. Data Protection Principles

SDVS is committed to processing personal data in accordance with the following principles:

• Lawfulness, fairness and transparency — We process personal data lawfully, fairly, and in an open and transparent manner.

• Purpose limitation — We collect data for specific, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.

• Data minimisation — We collect only what is necessary for the purposes stated.

• Accuracy — We take reasonable steps to ensure personal data is accurate and, where necessary, kept up to date.

• Storage limitation — We retain personal data only for as long as is necessary, in accordance with our Retention Policy.

• Integrity and confidentiality — We apply appropriate technical and organisational security measures to protect personal data.

• Accountability — We are able to demonstrate our compliance with data protection obligations through policies, records, and governance.

6. Personal Data We Collect

6.1 General website visitors and donors

When you visit our website or contact us in a general capacity, we may collect:

• Name, address, telephone number, and email address

• Communications sent via our website contact form or by email

• Website and technical data — including information about how you interact with our website (see Section 12 on cookies)

• Donation and transaction data, where you support SDVS financially

• Business or professional details, where relevant to your engagement with us

6.2 Clients accessing our services

A separate, Data Protection Notice is provided to clients at the point of first engagement. In summary, the personal data we collect from clients — including individuals accessing our helpline, refuge, outreach, child and youth, or court support services — includes:

• Name, date of birth, address, contact details, and family composition

• Health and medical information

• Details of domestic violence or abuse experienced

• Legal proceedings, safety orders, and court-related information

• Referral information from third parties such as Garda Síochána, social workers, GPs, or family members

• Information about children associated with the individual, including child protection data

This data is categorised as special category personal data under Article 9 GDPR and is therefore processed under strict safeguards.

6.3 Staff and volunteers

A separate privacy notice is provided to staff and volunteers at the point of recruitment. This covers HR data, payroll, and related employment data processed through our HR system (BrightHR), including Garda vetting disclosures.

7. Lawful Basis for Processing

We rely on the following lawful bases under Article 6 GDPR, depending on the nature of the processing:

• Vital interests (Article 6(1)(d)) — The primary basis for processing data relating to our refuge, helpline, and direct support services. Where an individual or their children may be in immediate danger, processing is necessary to protect their vital interests.

• Legal obligation (Article 6(1)(c)) — For processing required by law, including child protection reporting obligations under the Children First Act 2015, Garda Síochána requests, court orders, financial and tax obligations, and regulatory compliance.

• Consent (Article 6(1)(a)) — Where we ask for and receive explicit consent for example, consent to store identifiable data for individuals who contact the helpline anonymously, consent to marketing communications, or consent to record and share information with third parties.

• Public task / legitimate interests (Article 6(1)(e)/(f)) — For processing related to governance, fundraising, awareness-raising, and advocacy where we balance our organisational interests against the rights of individuals.

• Contractual necessity (Article 6(1)(b)) — For processing required to fulfil contractual obligations, including employee contracts and service-level agreements.

7.1 Special Category Data

Because of the nature of our work, we process substantial volumes of special category data under Article 9 GDPR — primarily health data, data revealing the circumstances of domestic violence, and data relating to children. We rely on the following Article 9 conditions:

• Article 9(2)(c) — vital interests, where the data subject is unable to give consent

• Article 9(2)(f) — establishment, exercise, or defence of legal claims

• Article 9(2)(a) — explicit consent, where sought and given

• Article 9(2)(b) — obligations and rights in employment (for staff data)

7.2 Criminal Conviction Data

We process criminal conviction and offence data in respect of staff only, for the purpose of Garda vetting required by law. This is processed by HR under strict access controls.

8. Children's Data

SDVS works directly with children who are victims and survivors of domestic violence. We process children's personal data, including sensitive and child protection data, as an integral part of our service delivery. Parental or guardian consent is obtained, and the specific requirements of the Children First Act 2015 are observed throughout.

Our eSafe CRM system requires mandatory fields to be completed before a case file can progress, which assists in ensuring that appropriate consent and data capture obligations are met before engagement proceeds.

Where a child's information is collected and a child protection concern arises, we are obliged by law to report to Tusla and/or the Garda Síochána, regardless of consent status.

9. How We Collect Personal Data

We collect personal data through the following channels:

• Our 24-hour freephone helpline — verbal referrals processed directly into our CRM by helpline staff

• Our website — referral forms submitted online are automatically populated into our eSafe CRM system

• In-person engagement — outreach workers and refuge staff recording information on behalf of clients

• Third-party referrals — from An Garda Síochána, social workers, GPs, family members, solicitors, and other statutory or voluntary organisations (always with appropriate basis)

• Email and written correspondence

• Our Board governance platform (BoardX) — for board members and subcommittee members

Where data is collected from a third party on your behalf, we will inform you of this at the earliest reasonable opportunity.

10. How We Use Personal Data

We use personal data for the following purposes:

• Service delivery and case management — To provide crisis accommodation, outreach, helpline, court support, child and youth services, and related support.

• Referral and coordination — To connect clients with relevant statutory and voluntary services (with consent).

• Child protection — To comply with mandatory reporting obligations under the Children First Act 2015.

• Financial and governance management — Including payroll, accounts, funder reporting, and compliance with statutory obligations.

• Fundraising and awareness-raising — To communicate with donors and supporters and to run campaigns on domestic violence awareness.

• HR management — Including recruitment, employment records, supervision, and Garda vetting.

• Safety and security — Including CCTV at our premises for the safety of clients, staff, and visitors.

• Legal compliance — To respond to court orders, Garda requests, regulatory obligations, and statutory audits.

• Service improvement — To analyse and improve the quality, accessibility, and reach of our services.

11. Who We Share Personal Data With

We share personal data only where we have a lawful basis for doing so. Recipients may include:

• Statutory agencies — An Garda Síochána, Tusla (Child and Family Agency), courts service, HSE, and other public bodies where required by law or to protect vital interests.

• Third-party processors — Technology and service providers who process data on our behalf, including our IT support (Everything IT), CRM provider (eSafe/Salesforce via Include), board platform (BoardX), HR platform (BrightHR), and Microsoft 365 (including SharePoint).

• Referral partners — Other voluntary and statutory organisations to which we refer clients for housing, legal, medical, or other support (with client consent).

• Legal and professional advisors — Solicitors, accountants, auditors, and others engaged to provide professional services to SDVS.

• Funders and regulators — Cuan (Department of Justice), Charities Regulator, Revenue Commissioners, and other statutory funders and oversight bodies, to the extent required.

We do not sell, rent, or otherwise disclose personal data to third parties for their own commercial purposes. All third-party processors are bound by Data Processing Agreements requiring them to protect personal data in accordance with GDPR.

12. International Data Transfers

SDVS processes personal data within the Republic of Ireland and does not routinely transfer personal data outside the European Economic Area (EEA).

Where we use cloud-based service providers — including Salesforce (which hosts our eSafe CRM) and Microsoft 365 — we take reasonable steps to confirm that personal data is stored within the EEA where possible. Where any transfer outside the EEA is involved, we ensure

that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

If you would like further information about the specific transfer mechanisms we rely on, please contact our DPO at privacy@privacypath.ie.

13. How Long We Keep Your Data

We retain personal data only for as long as is necessary for the purposes for which it was collected and to meet our legal, regulatory, and operational obligations. Our retention periods are guided by the following principles:

• Client case files (no children involved): retained for 7 years following cessation of engagement

• Client case files involving children or ongoing court proceedings: retained for up to 18 years or until the youngest child reaches the age of majority, whichever is longer, having regard to child protection obligations

• Financial and accounting records: retained for 7 years in accordance with Revenue requirements

• HR and employment records: retained for the duration of employment and for 7 years thereafter

• Garda vetting records: retained for the duration of employment only

• CCTV footage: retained for a maximum of 28 days unless required as evidence

• Website contact form submissions and email correspondence: retained for 3 years unless ongoing correspondence requires a longer period

• Donor and fundraising records: retained for 7 years following last transaction

A full Retention Schedule is maintained internally and is available from our DPO on request.

14. How We Protect Your Data

SDVS takes data security seriously and implements the following technical and organisational measures:

• All devices — including laptops, phones, and tablets — are encrypted and managed by our IT provider, Everything IT

• Access to systems requires multi-factor authentication and role-based access controls

• Remote access is monitored and flagged if login activity occurs from unexpected locations or countries

• Devices can be remotely disabled or wiped in the event of loss, theft, or staff departure

• All physical offices are locked, alarmed, and CCTV-monitored at entry points

• Personal data stored on SharePoint and organisational systems is subject to access permissions and audit trails

• Staff receive data protection training at induction and are required to maintain confidentiality

• We have a documented data breach response procedure aligned with the 72-hour notification requirement

Despite these measures, no system is entirely immune to risk. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Data Protection Commission in accordance with our legal obligations.

15. AI Systems and Automated Decision-Making

15.1 Microsoft Copilot

SDVS uses Microsoft 365, which includes access to Microsoft Copilot. Copilot may be used by staff to assist with tasks such as transcribing meeting minutes and drafting correspondence. We are developing an internal AI usage policy to ensure that personal data — particularly special category client data — is not processed through AI tools in ways that could compromise confidentiality or compliance.

15.2 Automated decision-making

SDVS does not engage in any automated decision-making or profiling that produces legal or similarly significant effects on individuals within the meaning of Article 22 GDPR. All decisions relating to client services and support are made by trained staff members.

16. Cookies and Website Tracking

Our website (sdvs.ie) uses cookies and similar technologies. A Cookie Policy setting out the types of cookies used, their purpose, and how you can manage your preferences is available on our website. We will not place non-essential cookies on your device without your prior consent.

17. Your Rights

Under GDPR, you have the following rights in relation to your personal data. These rights may be subject to certain conditions and limitations depending on the lawful basis for processing.

Right / What it means

Right of access: You have the right to request a copy of the personal data we hold about you (a Subject Access Request).

Right to rectification: You have the right to request that inaccurate or incomplete personal data is corrected.

Right to erasure: You have the right to ask us to delete your personal data where there is no longer a legitimate basis for us to hold it. Note that legal obligations may require us to retain certain data.

Right to restriction: You have the right to ask us to suspend processing of your data — for example, while accuracy is contested or a rights request is being resolved.

Right to data portability: Where processing is based on consent or contract, and carried out by automated means, you may request a copy of your data in a structured, machine-readable format.

Right to object: You have the right to object to processing based on legitimate interests or carried out for direct marketing purposes. We will cease such processing unless we can demonstrate compelling legitimate grounds.

Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.

Right not to be subject to automated decisions: You have the right not to be subject to decisions based solely on automated processing that produce significant effects on you. As noted above, SDVS does not engage in such processing.

18. How to Exercise Your Rights

To exercise any of your rights, or to ask a question about how we handle your personal data, please contact our Data Protection Officer:

Email: privacy@privacypath.ie

Postal address: Privacy Path, FAO: SDVS Data Subjects — The Hatch, Gorey, Wexford, Ireland Y25 A8H2

We will respond to all requests within one calendar month of receipt. In complex cases, we may extend this by a further two months, in which case we will inform you of the extension and the reasons for it within the first calendar month.

We do not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act on the request.

We accept rights requests submitted verbally (by telephone or in person) as well as in writing. Where a verbal request is made, we will confirm receipt in writing.

19. Your Right to Lodge a Complaint

If you are not satisfied with how we have handled your personal data, you have the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with the Data Protection Commission (DPC), the supervisory authority for data protection in Ireland:

Website: www.dataprotection.ie

Phone: +353 57 8684800 or +353 (0)761 104 800

Email: info@dataprotection.ie

Address: 21 Fitzwilliam Square, Dublin 2, D02 RD28; or Canal House, Station Road, Portarlington, Co. Laois, R32 AP23

We would, however, welcome the opportunity to address any concern you have before you contact the DPC. Please reach out to our DPO at privacy@privacypath.ie in the first instance.

20. Updates to This Notice

We may update this Data Protection Notice from time to time to reflect changes in our data processing practices, legal requirements, or organisational structure. Any updates will be published on our website (sdvs.ie) with a revised version date. We encourage you to review this Notice periodically.

This Notice does not apply retrospectively — any changes will apply to data processing from the date of the updated Notice onward.

This Notice was last reviewed and updated in April 2026.

Prepared by Privacy Path on behalf of Saoirse Domestic Violence Services

privacy@privacypath.ie | privacypath.ie