Privacy & Cookies

At Straw Chip we take your privacy seriously. It is important that you know exactly what we do with personal information that you and others provide to us, why we gather it and what it means to you. This document is being provided to you in line with our obligations under the General Data Protection Regulation (GDPR) and Data Protection Act 2018. Straw Chip is committed to protecting all personal, special, and criminal categories of data held on you. As such, we want you, the ‘data subject’, to understand how we collect, use, store, and share your personal data as a Data Controller. We also want you to understand what rights you can invoke to help you to protect your privacy. In this regard, it is important that you read this Privacy Notice and understand how we use your personal data. If you are under 16 years of age, please read this summary with a parent or guardian and ensure you understand it. Please note that we reserve the right to update this Privacy Notice as required.

Straw Chip Limited, is a clinical diagnostic laboratory with the goal to continuously provide an exceptional level of service to our colleagues in the health services, on behalf of their patients. Straw Chip’s registered office is Ballycullane, Athy, Co. Kildare. Ireland. Straw Chip is committed to protecting the rights and privacy of individuals in accordance with European and Irish data protection legislation. Straw Chip shall lawfully and fairly process personal data about employees, patients, clients, and other stakeholders to achieve its mission and functions. Throughout this document, ‘we’, ‘us’, ‘our’ and ‘ours’ refer to Straw Chip. Your information is held by the Company. 1.2 Data Protection Legislation All personal data processed by Straw Chip is done so in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018. 1.3 Queries and Complaints If you are unhappy with the way we handle your personal data and wish to complain, or if you simply want further information about the way your personal data will be used, please contact us at the below: Data Protection Officer Straw Chip Limited Ballycullane, Athy, Co. Kildare. Ireland. Telephone: 059 86 31623 Email: You have the right to lodge a complaint with the Data Protection Commission. To contact the Data Protection Commission, please use the following details: Data Protection Commission 21 Fitzwilliam Square South Dublin 2 D02 RD28 Ireland Telephone: +353 (0)761 104 800 Telephone: +353 (0)57 868 4800 Email: 1.4 Personal Data Breaches Straw Chip will take all appropriate technical and organisational steps to safeguard and protect your personal data. In the unlikely event of a data breach, we will contact you in line with our legal obligations.

We may collect and process the following personal data about you: Full name. Address. Eircode. Phone/Mobile number. Email address. Online identifiers, e.g. Cookies We collect information (i) you give us; (ii) information from your use of our services or our website AND (iii) information provided to us by third parties. For further details on information collected from our website, please refer to the Cookie Policy (EMP028).

We may use your personal data where necessary for the following purposes: To process your order or contact query. Under data protection law, Straw Chip must ensure that it has an appropriate lawful basis for the processing of your personal data and let you know what that basis is. We will be processing your personal data based on the following lawful basis: You have agreed or explicitly consented to the using of your data in a specific way (you may withdraw your consent at any time). The use is necessary in relation to a service or a contract that you have entered into or will enter into, or will enter into (e.g., to provide you with laboratory services or because you have asked for something to be done so you can enter into a contract with us, or because you are applying for an open vacancy). The use is necessary because we have to comply with a legal obligation, regulatory authorities, and law enforcement The use is necessary to protect your “vital interests” in exceptional circumstances; The use for our legitimate interests (which you may object to) such as managing our business including credit risk management, providing service information, conducting marketing activities, training and quality assurance, and strategic planning and the purchase or sale of assets.

We will only use personal data for the purpose of our processing activities mentioned in the previous paragraph (3. Purpose of Processing and Legal Basis). If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact our Data Protection Officer at the contact details listed in Section 1 of this Policy. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with this Policy, where this is required or permitted by law. Also, in certain circumstances we will process your information on behalf of other Third-Parties and under their instructions in order to provide our services. In these specific situations, third parties act as Data Controller and Straw Chip as Data Processor. Third parties will provide us your personal data to enable us to complete the provision of the service that data subjects directly agreed with them initially.

We will take all steps reasonably necessary to ensure that personal data is treated securely in accordance with this Privacy Notice and the relevant law. In particular, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we manage, collect and store.

When providing our services to you, we may share your information with: Your authorised representatives. Third parties with whom: (i) we need to share your information to facilitate transactions you have requested, and (ii) you ask us to share your information. Statutory and regulatory bodies (including central and local government) and law enforcement authorities. Third parties in connection with a sale or purchase of assets by us: persons making an enquiry or complaint; debt collection agencies, budgeting and advice agencies, tracing agencies, receivers, liquidators, examiners, Official Assignee for Bankruptcy and equivalent in other jurisdictions. Trade associations and professional bodies, non-statutory bodies, and members of trade associations. Pension fund administrators, trustees of collective investment undertakings and pensions trustees, insurers/re-insurers, insurance bureaus. Business or joint venture partners. When we engage another organisation to perform services for us, we may provide them with information including personal data, in connection with their performance of those functions. We do not allow third parties to use personal data except for the purpose of providing these services.

How long we hold your data for is subject the retention periods for your data and are subject to legislation and regulatory rules we must follow, set by authorities such as the HSE, Revenue Commissioners, Irish National Accreditation Board. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. This means that the period of time for which we store your personal data may depend on the type of data we hold. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some cases, we may transfer information about you and your products and services with us to our service providers and other organisations outside the EEA. We will always take steps to ensure that any transfer of information outside of the EEA is carefully managed to protect your privacy rights. All cross-border data transfers to countries outside the EEA will be done in accordance with guidelines laid down by the European Commission and the European Data Protection Board. Detailed Data Transfer Impact Assessments will be carried out prior to such data transfers and Standard Contractual Clauses (where applicable) will be put in place as appropriate safeguards.

You have the following rights, in certain circumstances and subject to certain restrictions, in relation to your personal data: 9.1 Right to access Data subjects have the right to access their personal data. They are entitled to receive a copy of their data held by Straw Chip and other information about the processing, sharing and retention of their personal data. The right of access allows individuals to be aware of and verify the lawfulness of the processing. Straw Chip implements procedures to ensure that requests from data subjects for access to their personal data are identified and fulfilled in accordance with the legislation within the 30 days permitted.

9.2 Right to rectification Data subjects have a right to have their personal data rectified where it is inaccurate or incomplete. Straw Chip is committed to holding accurate data about data subjects and implements processes and procedures to ensure that data subjects can rectify their data where inaccuracies have been identified.

9.3 Right to erasure (right to be forgotten) Data subjects have a right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute ‘right to be forgotten’. The data subject has the right to seek the erasure of their personal data by Straw Chip, where: The personal data is no longer required for the purposes for which it was obtained. The data subject has withdrawn consent and there is no other lawful basis for the processing. The data subject objects to the processing and there are no overriding legitimate grounds for the processing. The personal data is being unlawfully processed. The personal data requires deletion in line with legal requirements. Where Straw Chip receives requests from data subjects looking to exercise their right of erasure then Straw Chip carries out an assessment of whether the data can be erased without affecting the ability of Straw Chip to provide future products and services to the data subject. If the assessment indicates that the erasure does not affect Straw Chip‘s abilities to provide future products or services and where the right to erasure can be implemented, then this should be done.

9.4 Right to restriction of processing Data subjects have a right to block or suppress processing of their personal data in defined circumstances. When processing is restricted, Straw Chip is permitted to store the personal data, but not further process it. Data subjects have the right to restrict the extent of processing of personal data on receipt of a valid request if the following apply: Where the accuracy of the personal data is contested by the data subject, the personal data may be restricted pending verification. The processing of personal data is unlawful, but the data subject opposes the erasure of the data and requests restriction instead. The personal data is no longer required by the data controller, but the retention Is required by the data subject for the establishment, exercise or defence of a legal claim. The data subject has a pending objection to the processing of the personal data based on whether the legitimate grounds of Straw Chip override those of the data subject. Straw Chip implements and maintains appropriate procedures to assess whether a data subjects request to restrict the processing of their data can be implemented. Where the request for restriction of processing is carried out then Straw Chip writes to the data subject to confirm the restriction has been implemented and when the restriction is lifted.

9.5 Right to data portability Data subjects have a right to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. A data subject will have the right to portability where the following applies: Personal data which the data subject has provided to Straw Chip. Processing is completed on the basis of a contract or steps preparatory to a contract. Processing is completed based on the provision of consent by the data subject. Personal data is processed by automated means. Where Straw Chip has collected personal data on data subjects by consent or by contract then the data subjects have a right to receive the data in electronic format to give to another data controller. Straw Chip uses contractual relationship as a lawful basis for processing employees data. 9.6 Right to object Data subjects have the right to object to: Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). Direct marketing (including profiling). Processing for purposes of scientific/historical research and statistics. Currently, Straw Chip only uses legitimate interests as the lawful basis for processing personal data in relation to CCTV. Where such processing is carried on, then Straw Chip will implement and maintain procedures to allow data subjects to pursue their right to object.

9.7 Right not to be subject to automated decision making Data subjects have the right not to be subject to a decision based solely on automated processing, where such decisions would have a legal or significant effect concerning the subject. Straw Chip ensures that where systems or processes are implemented that an appropriate right of appeal to a member of staff is available to the data subject. Automated processing includes profiling.

9.8 Right to withdraw consent Data subjects have the right to withdraw their consent to the processing of their personal data at any time. If the data subject wishes to exercise the right to withdraw their consent, they may at any time directly contact the Data Protection Lead.

9.9 Right to lodge a complaint Straw Chip implements and maintains a complaint process whereby data subjects will be able to contact the Management Team. Data subjects have the right lodge a complaint with the Data Protection Commission where: They experience a delay outside of the prescribed timeframe for making a decision on a data subject right request. They are dissatisfied with a decision by Straw Chip on their data subject right request. They consider that Straw Chip’s processing of their personal data is contrary to data protection legislation. Vindication of your rights shall not affect any rights which we may have under Data Protection Law. You have the right to lodge a complaint with the local supervisory authority for data protection in the EU member state where you usually reside, where you work or where you think an infringement of data protection law has taken place. If you wish to exercise any of the rights set out above, please contact us at: Data Protection Officer, Straw Chip, Unit T, M7 Business Park, Newhall, Naas, Co Kildare. Telephone: 045 819000 Email: In certain circumstances we act under instructions given by third parties, and we may not be in condition to provide you with your personal data or fulfil your rights request. In these cases, you may need to contact the primary party in this process, or we can support you in redirecting your query to the relevant party in order to ensure the respect of your individual rights and freedoms.

For further details on our use of cookies, please refer to our Cookie Policy which you can view by requesting or visiting EMP028. 11. PRIVACY POLICY UPDATES We will post any changes on the website and when doing so will change the ‘Date of issue’ and ‘revision number’ of this Privacy Notice. Please make sure to check the date when you use our services to see if there have been any changes since you last used those services. If you are not happy with any changes that we have made you should cease using our services. In some cases, we may provide you with additional notice of changes to this Privacy Notice, such as via email. We will always provide you with such additional notice well in advance of the changes taking effect where we consider the changes to be material. Cookies 17/10/2023 (EMP028 Revision:01) 1. Cookies A cookie is a small data file that is transferred to your device (e.g., your phone or your computer) which collects information, including personal information about you. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of websites. For example, a cookie could allow our website to recognise your browser, while another could store your preferences and other information and let you navigate the website effectively.

Cookies can also help to ensure that adverts you see online are more relevant to you and your interests. 2. Types of cookies used on the website a. Strictly Necessary Cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information. Cookie Subgroup Cookies Cookies used _gat_UA-nnnnnnn-nn , _ga , _gid First Party Any cookie that is not ‘Strictly Necessary’ is not active by default and does not send information to the resource it is called from. Accepting all cookies, makes all cookies active. You can modify your cookie preferences for the website at any time by clicking on the ‘Cookie Settings’ button. Straw Chip ‘Cookie Settings’ will pop-up on entry to the website where a user can choose to accept or change their cookie settings for the site. Cookie settings can also be accessed through the following address: /privacy-cookies/ 4. Accepting, deleting, and how to turn off cookies Most web browsers will accept cookies by default, but if you would prefer, we did not collect data by this method, you can disable this function within your browser settings. If you want to delete any cookies that are already on your computer, please refer to the instructions for your file management software to locate the file or directory that stores cookies. You can turn off cookies in your browser settings. If you do turn them off, it is important to remember that you may not be able to use all the services on our website. Below are links which provide instructions on how to do so in popular browsers: • Google Chrome. • Internet Explorer. • Mozilla Firefox. • Safari Mobile. You can find out more about turning off cookies at the independent website