1. Definitions

Personal data: means any information relating to an identified or identifiable natural person (‘data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental economic, cultural or social identity of that person. 

Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Data Controller or Controller: means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law.

Data Protection Acts means the Data Protection Acts 1988 to 2018.

Delete for the purposes of this agreement means removing all data which is electronically held in such a way that it can never be retrieved from the device on which it is held;

Special categories of personal data means personal data revealing the racial or ethnic origin of the data subject; the political opinions or the religious or philosophical beliefs of the data subject, or whether the data subject is a member of a trade union, genetic data; biometric data for the purposes of uniquely identifying an individual, data concerning health, or personal data concerning an individual’s sex life or sexual orientation.

Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health.

Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result in particular, from analysis of a biological sample from the natural person in question.

Freedom of Information Act means the Freedom of Information Act 2014 and any amendments to or replacements thereof, including by means of directly effective EU Regulation;

GDPR: means the EU General Data Protection Regulation, Regulation (EU) 2016/679, the effective date of which is 25th May 2018;

Third Party: means a natural or legal person, pubic authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor are authorised to process personal data;

  1. Purpose of this Privacy Notice

CAFNBO takes your data privacy very seriously and intends to process your personal data and special category data in a fair and transparent manner. Therefore, as a member of CAFNBO it is important that you understand the manner in which your data is processed and what it means for you. This document outlines the approach of CAFNBO to your data privacy as a member.

  1. The CAFNBO data protection policy

The CAFNBO data protection policy is issued pursuant to GDPR – the EU General Data Protection Regulation, Regulation (EU) 2016/679 and the Data Protection Acts 1988 to 2018.

  1. Who is the-Data Controller

The Chair of the CAFNBO Board of Management and the Chair of CAFNBO Trustees Committee have been designated jointly, as the Data Controllers for CAFNBO pursuant to section 3 subsection (2) of the Data Protection Acts 1988 to 2018. The office of the Data Controller is located at CAFNBO House, 33 Infirmary Road, Dublin 7. The Data Controller regulates for the protection of your right to privacy and your right to be informed as to how your personal data and special categories of personal data are processed in accordance with your statutory and regulatory service obligations as a member of CAFBO.

  1. Who is the Data Protection Officer

The Data Protection Officer for CAFNBO is appointed by the joint Controllers, and can be contacted at the address below:

Data Protection Officer CAFNBO,


33 Infirmary Road

Dublin 7

Tel: 01-8042780 / 01-6711841

  1. e.
  2. The category of data processed – personal data

CAFNBO  will process personal data – information from which you can be identified either directly or indirectly by reference to an identifier such as name or, identification through the use of the data in conjunction with other information such as but not limited to: army number, rank, name, e-mail, telephone number, next of kin, home address, date of birth, PPS number, bank account details, CCTV images.

  1. This personal data will be processed pursuant to :
  • GDPR – the EU General Data Protection Regulation, Regulation (EU) 2016/679 and
  • the Data Protection Acts 1988 to 2018.
  1. Data that is processed – Special Categories of personal data:

CAFNBO will process special categories of personal data namely Special category data relating to your health (medical health data).

  1. The lawful basis and purpose of the processing

The personal data and special categories of personal data processed are necessary in order for CAFNBO to deliver the services contracted to you as part of your membership of the organisation.

  1. Requirement for processing

The requirement for processing will be, for example, in respect of matters such as the management and administration of your personal data in the performance of CAFNBOs role as a Registered Friendly Society.

  1. Use of anonymised data

Certain anonymised data not specific to any member may be extracted for general statistical purposes.

  1. The processing of your data is necessary for compliance with a legal obligation to which the controller is subject.

CAFNBO has an obligation to share data with the Revenue Commissioners, or in defence of legal claims against the organisation, or where the Courts make orders in a judicial capacity, or criminal investigations undertaken by AGS.

  1. The use of your data is necessary to protect your vital interests.

CAFNBO ma be required on occasion to use your data to protect your vital interests.

  1. You have consented or explicitly consented to the using of your data (including special categories of data) in a specific way.

CAFNBO may be required to share your data for research purposes by a third party.

  1. The processing is carried out in the public interest or in the exercise of official authority vested in the data controller.
  2. The processing is necessary for the legitimate interests of the data controller BUT only where such interests are NOT outweighed by your rights.
  3. The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR. For example, your personal file is retained for archival purposes under the National Archives Act 1986.
  4. Who do CAFNBO share your personal data with

This data will be retained under the control of the designated data controller of CAFNBO and may be shared with the data controller of the Department of Defence. For example, for the deduction of subscriptions from pay and pensions, assisting in replies to Solicitor Queries, defence of legal claims, or for the administration of your entitlements.

  1. Your data will not be further processed to any other third party unless you consent, or unless the processing is necessary for compliance with a legal obligation to which the controller is subject. For example, in the processing of assignments connected to financial institutions.
  2. How CAFNBO retains your data

Your data will be retained on your personal file for the duration of your membership of CAFNBO and for the protection against  future claims.

  1. Your data rights

You have the rights subject to any restrictions under the GDPR, to:

  1. a. Access any of your data – The designated data controller will process your request within 1 calendar month of the request. There may be grounds where that could be extended by a further two calendar months due to complexity or a number of requests. Should this be necessary the reasons will be explained by the Data Protection Officer.
  2. Rectification of any of your data – If your personal data is inaccurate, you have the right to have the data rectified without undue delay. If your personal data is incomplete, you have the right to have data completed, including by means of providing supplementary information.
  3. Erasure of any of your data provided there are valid grounds for doing so.
  4. Restriction on any processing of your data – This can occur where: (a) you have raised objection (see (f) below), or (b) your data is inaccurate. In these cases the restrictions will apply until the Data Protection Officer has determined the accuracy of the data or the outcome of your objection; or, (c) the processing was unlawful, or (d) you have a legal claim and need the data. Where you have obtained restriction of processing of your data, the data controller must inform you before lifting the restriction.
  5. Right to data portability – In some circumstances, you may be entitled to obtain your personal data from a data controller in a format that makes it easier to reuse your information in another context, and to transmit this data to another data controller of your choosing without hindrance.
  1. You have the right to object to certain types of processing of your personal data where this processing is carried out in connection with tasks in the public interest, or under official authority, or in the legitimate interests of others. You may also object to processing of your personal data for research purposes, unless the processing is necessary for the performance of a task carried out in the public interest.
  2. Withdraw your consent at any time – If you withdraw your consent it will not affect the lawfulness of processing based on your consent before its withdrawal. It is important to note that failure to provide certain data may affect the ability of CAFNBO to fulfil all of the contractual obligations made to you.


  1. You also have the right in any case to lodge a complaint to the Data Protection

Commissioner or another Supervisory Authority on any matter as regards the processing of your data by the CAFNBO  designated data controller. You can contact the Office of the Data Protection Commissioner at the postal address given below:

Data Protection Commission,

Canal House,

Station Road,

Portarlington, R32 AP23,

Co. Laois. us/b/11.html

Telephone: +353(0)761 104800 or Lo Call Number 1890252231


  1. The Data Protection Officer (DPO) may modify or amend this privacy notice from time to time. In order for all members to be aware of changes, the DPO will amend the “last updated” date at the top of the cover page. The new modified or amended privacy notice will apply from that updated date. It is important for all members to review this notice to be informed about how data is processed.