Privacy Statement | NBI

1. What does this Privacy Statement do and does it apply to me?

1.1 Many countries (including Ireland) have data protection laws that protect the privacy of individuals by regulating the way in which organisations handle personal information (personal data). Among other things, data protection laws require organisations that process (handle) personal data to be open and transparent about why and how they handle personal data.

1.2 The purpose of this Privacy Statement is to inform you why and how NBI Infrastructure Designated Activity Company and NBI Deployment Designated Activity Company (collectively referred to in this privacy statement as “NBI”, “we”, “our” or “us”[1]) handles personal information in connection with your use of our website or our provision of products, services or related offerings.

1.3 This Privacy Statement only applies to you if you are at least one of the following types of persons:

(a) Visitor/User of our website – Individuals that are visitors to or users of our website (https://www.nbi.ie).

(b) Customer/End User –  A customer contact, a supplier contact and/or a residential householder whose personal data is collected by us or our contracted retail service providers (or similar providers) and used by us.

(c) Client Business Contacts – Individuals who are employed or otherwise engaged by legal entities which enter into contract for the provision of services directly with NBI or interact with us in the course of our business.

(d) Business Owners – Individuals who are in control of our corporate vendor or supplier counterparties and their affiliates/subsidiaries through executive powers vested in them (irrespective of whether or not they hold any ownership interest in our corporate counterparties or their affiliates/subsidiaries).

(e) Other Relevant Individuals – Individuals who do not belong to any of the foregoing categories but interact with us in connection with (or are otherwise affected by) the services provided or the business conducted by us. Depending on the circumstances, such individuals can include, without limitation, the following:

(i) individuals who bring legal action against us or our customers and/or counterparties which implicates us;

(ii) individuals who work for other entities that interact with us in connection with the services we provide to customers and related parties;

(iii) individuals who work for entities that provide goods and services to us; and

(iv) individuals who we have no business relationship with.

1.4 Nothing in this Privacy Statement creates any new relationship between you and us or alters any existing relationship between you and us. Nothing in this Privacy Statement affects any right you have under any applicable law, including Regulation (EU) 2016/679 (the General Data Protection Regulation, or “GDPR”) and any other data protection law (including Ireland’s Data Protection Act 2018) that applies to you.

1.5 This Privacy Statement will be reviewed from time to time to take into account changes in the law and the experience of the Privacy Statement in practice.

2. What sort of personal data about me does NBI process?

2.1 The types of personal data which we process will vary significantly depending on various factors including your personal circumstances, the nature of your relationship with us and the nature of the services we are asked to perform.

2.2 The personal information we obtain can be grouped into the following categories:

(a) Information about your device and about your visits to and use of the website including IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views, website navigation;

(b) Information provided when you register with us, subscribe to our website services and email notifications, or that you may send us via our website, email address, contact centre or our business premises, for example when you make an enquiry;

(c) For business contacts at our existing and prospective customers, partners and suppliers / third party service providers, basic contact details such as name, address, telephone number, email address, Skype /messenger service details, LinkedIn profile details, job title and other information, such as details contained in commercial bid documentation;

(d) For residential householders, basic contact details such as name, address, telephone number, email address and details contained in wayleave access documentation;

(e) Information that you may provide to our sales representatives, customer service team, trusted partners (as defined below) and third party service providers, for example, when they attend premises to carry out installations, when you contact us for pre or post-sales support, or at corporate events.

2.3 We may also obtain some information relating to you from trusted third parties such as our wholesale channel partners, our installation partners, our service provider partners and also providers of lead generation services. We carry out due diligence and have contracts in place with such third parties to ensure they have obtained your information lawfully and can pass it on to us to use.

2.4 We will collect your personal data only where we are legally permitted to do so, and so to the extent it is appropriate and necessary for one or more of the purposes described in Section 3 of this Privacy Statement.

3. Why does NBI collect my personal data and what are the legal justifications?

3.1 We handle your personal data to manage our relationship with you appropriately, effectively and lawfully. At the same time, it enables us to run our business.  The personal data will be used for one or more of the following purposes:

(a) Service Delivery – To facilitate the provision of our services.

(b) Service Development -To improve our existing services and identify and develop new services.

(c) Service Marketing -To promote the services we offer and related services offered by us.

(d) Customer Relationship Management – To manage, maintain and develop our relationship with customers.

(e) Business Administration -To facilitate the effective management and administration of our organisation, including in relation to matters such as business planning, budgeting and forecasting, as well as enforcement of our terms of engagement with relevant parties.

(f) Legal and Regulatory Compliance -To ensure our compliance with all relevant legal and regulatory requirements that our organisation may be subject to.

3.2 We may disclose personal data about you to any of our employees, officers, agents, suppliers or subcontractors insofar as reasonably necessary for the purposes as set out in this Privacy Statement. We may also disclose your personal data:

(a) To other companies in our corporate group for the purposes of internal administration, governance and recordkeeping, business analytics, financial and account management and reporting purposes;

(b) To other companies that provide essential support to our network, such as (where relevant) our network integrators and resellers, our approved third party internet service provider, data centres and mobile operators / “fibre to the home” providers and other internet service providers, and our broadcasting partners, and our wholesale channel partner (“trusted partners”);

(c) To authorised third parties providing a service on our behalf or in connection with our business, including our insurers and professional advisors;

(d) To the extent that we are required to do so by law, including by regulators, courts or law enforcement agencies;

(e) In connection with any legal proceedings or prospective legal proceedings; In order to establish, exercise or defend our legal rights;

(f) For the purposes of fraud prevention and reducing credit risk;

(g) To the purchaser (or prospective purchaser) of any business or asset that we are (or are contemplating) selling; and

(h) To any person who we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information, or as otherwise set out in this privacy statement.

3.3 When handling your personal data, we rely on the following legal justifications for doing so (in accordance with GDPR Article 6):

Operation of website(s):
Processing purpose : operation and management of our website(s); providing content to you; displaying advertising and other information to you; and communicating and interacting with you via our website(s).

Legal justification for processing

• The processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us; or

• We have a legitimate interest in carrying out the processing for the purpose of on-boarding new clients (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms); or

• We have obtained your prior consent to the Processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).

Customer, vendor and business partner on-boarding
Processing purpose:
on-boarding new customers, vendors and business partners; and compliance with our internal compliance requirements, policies and procedures.

Legal justification for processing

• The processing is necessary for compliance with a legal obligation; or

• The processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us; or

• We have a legitimate interest in carrying out the processing for the purpose of on-boarding new clients (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms); or • We have obtained your prior consent to the Processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).

Provision of products and services to you
Processing purpose: administering relationships and related services; performance of tasks necessary for the provision of the requested services; communicating with you in relation to those services.

Legal justification for processing

• The processing is necessary for compliance with a legal obligation; or

• The processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us; or

• We have a legitimate interest in carrying out the processing for the purpose of on-boarding new clients (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms); or

• We have obtained your prior consent to the Processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).

Marketing / Prospecting
Processing Purpose: communicating with you via any means (including via email, telephone, text message, social media, post or in person) subject to ensuring that such communications are provided to you in compliance with applicable law; and maintaining and updating your contact information where appropriate.

Legal justification for processing

• We have a legitimate interest in carrying out the processing for the purpose of on-boarding new clients (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms); or

• We have obtained your prior consent to the Processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).

IT operations
Processing Purpose: management of our communications systems; operation of IT security; and IT security audits.

Legal justification for processing

• The processing is necessary for compliance with a legal obligation; or

• The processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us; or

• We have a legitimate interest in carrying out the processing for the purpose of on-boarding new clients (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms).

Health and safety
Processing Purpose: health and safety assessments and record keeping; and compliance with related legal obligations

Legal justification for processing

• The processing is necessary for compliance with a legal obligation; or

• We have a legitimate interest in carrying out the processing for the purpose of on-boarding new clients (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms); or

• The processing is necessary to protect the vital interests of any individual.

Financial management
Processing Purpose: sales; finance; corporate audit; and vendor management

Legal justification for processing

• The processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us; or

• We have a legitimate interest in carrying out the processing for the purpose of on-boarding new clients (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms); or

• We have obtained your prior consent to the Processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).

Research
Processing Purpose: conducting market or customer satisfaction research; and engaging with you for the purposes of obtaining your views on our products and services.

Legal justification for processing

• We have a legitimate interest in carrying out the processing for the purpose of on-boarding new clients (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms); or

• We have obtained your prior consent to the Processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).

Security
Processing Purpose: physical security of our premises (including records of visits to our premises and CCTV recordings); and electronic security (including login records and access details, where you access our electronic systems).

Legal justification for processing

• The processing is necessary for compliance with a legal obligation; or

• We have a legitimate interest in carrying out the processing for the purpose of on-boarding new clients (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms).

Improving our products and services
Processing Purpose: identifying issues with existing products and services; planning improvements to existing products and services; and creating new products and services.

Legal justification for processing

• The processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us; or

• We have a legitimate interest in carrying out the processing for the purpose of on-boarding new clients (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms); or

• We have obtained your prior consent to the Processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).

Risk Management
Processing Purpose: Audit, compliance, controls and other risk management.

Legal justification for processing

• The processing is necessary for compliance with a legal obligation; or

• We have a legitimate interest in carrying out the processing for the purpose of on-boarding new clients (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms).

Legal compliance
Processing Purpose: compliance with our legal and regulatory obligations under applicable law

Legal justification for processing
• The processing is necessary for compliance with a legal obligation.

Legal proceedings
Processing Purpose: establishing, exercising and defending legal rights.

Legal justification for processing

• The processing is necessary for compliance with a legal obligation; or

• We have a legitimate interest in carrying out the processing for the purpose of on-boarding new clients (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms).

4. Visiting our premises in person

4.1 Upon signing in when visiting our premises, we will process your personal data for the purpose of site security and fire safety. The legal basis for this processing is that it is necessary for compliance with a legal obligation to which we are subject to for example Covid 19.

4.2 We will store personal data relating to your visit for 12 months, or longer if required in relation to a legal claim. We will share your personal data with other third parties only to the extent that the disclosure is reasonably necessary for the purposes of investigating incidents occurring on our premises.

5. Marketing to our business and customer contacts

5.1 As a wholesale fibre network infrastructure provider, we may periodically send promotional information to our business and customer contacts by email, phone or mail about new products, special offers, network updates, local events or other information from us, our affiliate companies  or our approved third party internet service provider partners, which we think you may find interesting and relevant, using the contact details which you have provided.

5.2 In practice, you will usually either expressly agree in advance to our use of your personal data for marketing purposes, or we will provide you with an opportunity to opt-out of the use of your personal data for marketing purposes.

5.3 Please follow the “Unsubscribe” or opt-out process in any of our communications or email  info@nbi.ie at any time with “Unsubscribe” in the subject line if you do not wish to receive such information.

6. Third Party Services and Websites

6.1 We may, from time to time, engage the services of other parties for the provision of services related to payment handling, delivery of purchased items or services, search engine facilities, hosting and IT services, advertising and marketing and network activities (such as installation, testing, repair, upgrade or removal). The providers of such services may be granted access to certain personal data to the extent strictly necessary for them to perform the services that we request. Any personal data that is processed by third parties must be processed in accordance with data protection laws and subject to contractual obligations, including regarding security and confidentiality.

6.2 Where our website contains links to other websites, we are not responsible for the privacy policies or practices of such third party websites.

7. Retaining your personal data

7.1 We will retain your personal data for as long as we are obliged, under relevant legislation and regulation and our contractual obligations (particularly the contract for National Broadband Plan that NBI was awarded by Department of Communications Climate Action & Environment (DCCAE)  and was executed on 19 November 2019), or otherwise for no longer than it is necessary for our lawful purposes. We securely erase it once no longer needed.

7.2 The retention period of your personal data may need to be extended where we require this to bring or defend legal claims. We may also retain data for longer periods for statistical purposes, and if so we will anonymise or pseudonymise this.

8. Security of your personal data

8.1 We are committed to ensuring that your personal data is secure. We have put in place appropriate technical and organisational measures to safeguard and secure your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

8.2 You are responsible for keeping your password and user details for any restricted areas of our websites (such as the supplier portal) confidential and for implementing your own security measures to protect your information, network and devices. We will not ask you for your password (except when you log in to the website).

8.3 Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of any data transmitted us and any such transmission is at your own risk.

8.4 Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. To the extent permitted by law, we are not responsible for any delays, delivery failures, or any other loss or damage resulting from (i) the transfer of data over communications networks and facilities, including the internet, or (ii) any delay or delivery failure on the part of any other service provider not contracted by us, and you acknowledge that the Website may be subject to limitations, delays and other problems inherent in the use of such communications facilities.

8.5 You will appreciate that we cannot guarantee the absolute prevention of cyber-attacks such as hacking, spyware and viruses. Accordingly, you will not hold us liable for any unauthorized disclosure, loss or destruction of your personal data arising from such risks.

9. International data transfers

9.1 Information that we collect may be stored and processed in and transferred between any of the countries in which we operate in order to enable us to use the information as set out in this privacy statement, in particular to provide you with our products or services.

9.2 Some of our trusted partners who have access to your personal data may be located or transfer or host data outside the European Economic Area (EEA). Additionally, some of the third party service providers we use who have access to your personal data may be located or transfer or host data outside the EEA.

9.3 In these circumstances, we will ensure your personal data is processed under strict organisational and contractual controls, specifically EU model clauses coupled with supplementary controls which includes encryption at rest and in transit.

10. How we use cookies

10.1 We use cookies in a number of ways on our website, which include improving user experience of our website or online services and remembering information about your preferences. You have choices about how you want cookies to be used. For further information about how we use cookies and how to update your preferences, see our Cookies Statement.

11. What rights do I have in respect of my personal data?

11.1 Under the GDPR, you have certain legal rights in respect of your personal data handled by us. These include the following:

11.2    IMPORTANT NOTE: The rights you have in respect of your personal data are not absolute and are subject to a range of legal conditions and exceptions. If and to the extent a relevant legal condition or exemption applies, we reserve the right not to accede to your request. Additionally, while the rights you have can normally be exercised free of charge, the law allows us to chare you in certain limited circumstances. In such case, we reserve the right to charge you a fee for processing your request.

12. Who can I contact about by Personal Data?

12.1 If you would like to exercise any of the rights you have in respect of your personal data or if you have any question or concern regarding the way in which we handle your personal data, please contact our data protection officer in the first instance. If you have a complaint regarding the way in which we handle your personal data, please also contact our data protection officer in the first instance. Our data protection officer details are as follows:

Attention: Data Protection Officer

Email: dpo@nbi.ie

Address: 3009 Lake Drive, Citywest, Dublin 24, D24 H6RR

12.2 We will endeavour to respond satisfactorily to any request, query or complaint you may have in respect of your personal data, but if you are dissatisfied with our response and wish to make a formal complaint, or if you simply wish to learn more about your rights, you can contact the data protection authority of Ireland:

Data Protection Commission

Address: 21 Fitzwilliam Square South,
Dublin 2,
Ireland
D02 RD28
Website:www.dataprotection.ie

13. Will this Privacy Statement change in the future?

13.1  This Privacy Statement was last revised on 30th Sept 2020. We may revise this Privacy Statement from time to time to reflect changes in law or changes in how we run our business, but where such revision becomes necessary in the future, we will announce the changes on our website at [https://www.nbi.ie/privacy/] and bring them to your attention to the extent it is practicable to do so.


[1] NBI Infrastructure Designated Activity Company is our corporate function and NBI Deployment Designated Activity Company is our operational company, assisting NBI Infrastructure Designated Activity Company with its corporate function on an at-arms-length basis. To the extent that they are joint controllers, their respective responsibilities for data protection compliance are set out in this privacy statement.