Privacy and Cookie Policy

Privacy Statement regarding use of Your Personal Data by Irish Tobacco Manufacturers’ Advisory Committee (“ITMAC”) (collectively made up of P.J. Carroll & Company Limited, JTI Ireland Limited (formerly Gallagher (Dublin) Limited) and John Player and Sons Limited) – Effective from 15.10.2018

Data protection law safeguards the privacy rights of living individuals in relation to the processing of their personal information, in both paper and electronic format.

Irish Tobacco Manufacturers’ Advisory Committee (collectively made up of P.J. Carroll & Company Limited, JTI Ireland Limited (formerly Gallagher (Dublin) Limited) and John Player and Sons Limited (“we”, “us”, “our” or “ITMAC ”) is committed to protecting the privacy and security of your personal data, which is data identifying you or from which you can be identified.

This privacy statement is a privacy statement that we must provide to you in accordance with Irish data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and the Data Protection Acts 1988 to 2018, as such laws may be updated from time to time, (“data protection laws”).

This privacy statement applies to all people who are living individuals about whom we process personal data in the course of our operations (“you” and “your”) who visit and/or interact with our website, , and any webpage containing this domain name, (the “ITMAC Website”) and to all subsequent correspondence or communications with those people, whether by email using email addresses from our ITMAC Website, telephone or VOIP.

Each ITMAC member is a “controller”; this means that we are responsible for deciding how we hold and use personal data about you. It is important that you read this privacy statement so that you are aware of how and why we are using your personal data.

1. The personal data we collect and use about you

In this privacy statement when we refer to “personal data” this means any information identifying you (such as your name, address and email address) or information from which you can be identified. ITMAC may collect statistical and analytical information relating to all visitors to the ITMAC Website, such as non-personal information which may include the type of internet you use or the website from which you linked to the ITMAC Website. You cannot be identified from this information.

2. How your personal data is collected by us

We collect personal data about you directly from you through our ITMAC Website when you contact us, or when you correspond or communicate with us (including by telephone) in connection with the ITMAC Website.

[ITMAC may send cookies to your computer, tablet or mobile device when you access the Website. A cookie is a small text file sent from the server which is stored on your computer, tablet or mobile device when you visit a website. Cookies can be used by web servers to identify and track a user to a website as the user navigates the different pages of a website and can identify users returning to a website. A cookie cannot access or read any personal data or other cookies on your computer, tablet or mobile device. You can manage your preferences relating to the use of cookies on our ITMAC Website by setting your internet browser to disable cookies. You can control and/or delete cookies as that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit the ITMAC Website and some services and functionalities may not work.]1 [ITMAC uses cookies for the following reasons:

  • To estimate our audience size and patterns; and
  • To track preferences and to improve and update the ITMAC Website.

Some of these grounds for processing will overlap, and there may be several grounds which
justify our use of your personal data.]

3. How we will use information about you and the basis for that use

We gather and process your personal information for a variety of reasons and rely on a number of different legal bases to use that information. For example, use of a contact form and internal review to help us monitor traffic and enhance user experience of the ITMAC Website.

We need all the categories of information in the list above (in section 1) primarily to enable us to carry out the following actions with your personal data:

  • to determine how best to run the ITMAC Website, and to respond to your communications to us via the ITMAC Website or contact points referred to on the ITMAC Website;
  • to provide services to you or others;
  • to verify the personal information provided to us;
  • to perform the acts that you ask us to perform using your data, such as contacting you to supply information about ITMAC to you; and
  • to comply with applicable laws, tax and regulatory reporting obligations.

For each of the situations listed in which your personal data is processed, one, several, or all of the following grounds justify this use of your personal data: (1) processing is necessary in order to take steps at your request; (2) processing is necessary to comply with our legal obligations; and/or (3) to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override our legitimate interests.

4. What happens if you do not give us personal data or tell us when it changes?

It is important that the personal data we hold about you is accurate and current. You agree to notify us without delay in the event of any change in the personal data that we hold about you, to enable us to comply with our obligations, including to keep information up to date. If you fail to provide certain information when requested by us, or by our processor(s) on our behalf, we may not be able to give you the full benefit of our services or to respond to your communications. In addition, we may be prevented from complying with our obligations to you as we require your personal data to perform our obligations, or we may be prevented from complying with our legal obligations or applicable laws. This may also be the case if you exercise your rights to erasure or restriction of processing, or object to our processing of your personal data (as described in section 9).

You can contact us at any time using the details set out in section 11.

5. Third Party Information

We may from time to time supply the owners or operators of third party sites from which it is possible to link to the ITMAC Website from information relating to the number of users linking to the ITMAC Website from other sites. ITMAC will not share or sell your personal information to third party suppliers who provide services on our behalf.

The ITMAC Website contains links to the sites of third parties, for example Twitter. When you visit these websites, we suggest that you read their privacy policies. ITMAC is not responsible for the privacy policies or the content of such sites.

6. Sharing your personal data

We will only ever share your personal data with third parties in connection with our obligations to you. We will share your personal data with third parties where required by law or where we have a legitimate interest in doing so.

We may transfer your personal data outside the European Economic Area (“EEA”), to service providers which use resources, or which carry on data processing facilities outside of the EEA. We will only transfer your personal data to these entities where the EU Commission has decided that the third country in question in which they are located ensures an adequate level of protection in line with EU data protection laws; in accordance with your instructions where you have explicitly consented; or where we have agreed with these recipients to use EU Commission approved standard contractual clauses to transfer the personal data.

7. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to ITMAC and other third parties who have a business need to know about the personal data that you give to us. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

Although we cannot guarantee against any loss, misuse, unauthorised disclosure, alteration or destruction of data, we take reasonable steps to prevent this from happening. We have put in place measures to protect the security of your personal data.

Please note however that where you are transmitting information to us or to our service provider over the internet or another telecommunications network this can never be guaranteed to be 100% secure. For any payments which we take from you or pay to you online we will use a recognised third party online secure payment system, and we are not responsible for the security of this system. You should contact these third parties for information about the security of these websites, telecommunications systems or payment systems if you need further information.

8. How long will we hold and use your personal data for?

We will hold some personal data about you for as long as you are involved in a business relationship with us. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for; see section 3 of this privacy statement. Your personal data will be retained by us for any period required by law. Some of your personal data may need to be retained because of circumstances such as a legal dispute or regulatory investigation, which would not normally be subject to retention.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

We review our retention of personal data regularly, to establish whether we are still entitled to process it. If we decide that we are not entitled to do so, we will stop processing your personal data except that we will retain your personal data in an archived form in order to be able to demonstrate compliance with future legal obligations.

9. Your rights in connection with the personal data we hold about you

You have the right, subject to some conditions and limited exceptions contained in the data protection laws (such as those set out below), to:

  • Request access to your personal data that we hold about you. This right enables you to receive a copy of this personal data from us;
  • Request correction of the personal data that we hold about you. This right enables you to have any incomplete or inaccurate information we hold about you corrected;
  • Request erasure of your personal data. This right enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below);
  • Where we hold and process your personal data in order to comply with legal obligations, such as compliance with tax requirements and exemptions, or for the establishment exercise or defence of legal claims, your right to ask us to delete or remove your personal data is limited;
  • Object to our processing your personal data where we are relying on a legitimate interest (or those of a third party) in order to justify the basis for our processing your personal data and there is something about your particular situation which makes you wish to object to processing on this ground;
  • Request that we restrict processing of your personal data. This right enables you to ask us to suspend the processing of your personal data, e.g., if you want us to establish its accuracy or the reason for processing it; and
  • Request the transfer of your personal data to another party where you provided that information to us.

We are not under an obligation to rectify or delete your personal information where to do so would prevent us from meeting our contractual obligations to you, or where we are required or permitted to process your personal information for legal purposes or otherwise in accordance with our legal obligations.

If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact our GDPR Coordinator, by email at setting out in writing your request clearly, including by specifying the personal data to which the request relates. We recommend that you provide as much detail as possible in your when sending requests to us, and that you identify yourself clearly, so that we can deal with your query properly and efficiently.

(a) What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the personal data, or to exercise any of your other rights. We may ask you to provide us with your current name and address, proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address), and once verified we will delete this data. This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

(b) Fees for our response to your requests

Generally you will not have to pay a fee to access, or to exercise any of your other rights in connection with, your personal data. However, we may charge you a reasonable fee if your request for access to your data is clearly unfounded or excessive and/or we are permitted by data protection laws to do so; alternatively, we may refuse to comply with the request in such circumstances.

10. Changes to this privacy statement

This privacy statement is introduced with effect from 15.10.2018. We reserve the right to change this privacy statement at any time (for example, to comply with changes in laws or regulations, our practices, procedures and organisational structures, requirements imposed or recommended by supervisory authorities or otherwise). Any changes to this privacy statement will be communicated to you in writing by us where we are legally required to do so.

Changes to this privacy statement shall be applicable on the effective date set out in the updated privacy statement and the latest version of this privacy statement will be available to view on the ITMAC Website available at

11. How to contact us

If you have any queries or complaints regarding our use of your personal data or the contents of this privacy statement you may contact our GDPR Coordinator, by email at .

If you are still dissatisfied with how we have handled your complaint, you may contact the Data Commission’s Office and may lodge a complaint by emailing or writing to the following address: Data Protection Commission, Canal House, Station Road, Portarlington, R32 AP23 Co. Laois. You can visit the website of the Data Protection Commission at for more details.