Community Action Tenants Union

Privacy Policy

CATU’s Privacy and Data Protection Policy  

CATU Data Protection & Privacy Policy

This document provides a concise policy regarding the data protection obligations of CATU and is part of our commitment to data protection by design and default.

CATU is a data controller with reference to the personal data which it manages, processes and stores.

CATU commitment to Data Protection

Transparency and accountability are core principles at CATU, which is why we respect your rights to privacy and data control. Participants and members can expect full compliance with both the General Data Protection Regulation (GDPR) and Ireland’s own data protection laws.

Purpose of this Policy

As a data controller, CATU and its staff (hereafter referred-to collectively as CATU) must comply with the data protection Principles set out in the relevant Irish and EU legislation.

This Policy applies to all personal data collected, processed and stored by CATU in the course of its activities. This Policy is designed to ensure CATU’s compliance with the following legislation:

  • The European General Data Protection Regulation (GDPR)
  • The EU Electronic Communications “ePrivacy” Regulations (2011)

The GDPR confers rights on individuals as well as additional responsibilities on those persons and organisations processing personal data and CATU will ensure that all policies and activities are done in compliance with this legislation.

(1) Why does CATU collect and process personal data?

CATU, as a data controller, collects, processes and stores personal data on an ongoing basis – only when a member permits us to do so. CATU collects data about its staff, volunteers, donors, partners and members who come into contact with the organisation through our work. We process personal data for the following reasons:

  • The collection and management of membership data
  • The collection and management of door to door contact information, survey, petition and outreach data
  • The facilitation of community events;
  • The facilitation of sharable community content for social media;
  • The notification of members, regarding relevant activities, via instant messaging services (SMS, WhatsApp or similar) and by phone;
  • Communication between members of the public, staff, committee members and members;
  • The collection and management of donations;
  • The operation, monitoring and evaluation of our work;
  • The recruitment, management and payment of staff;
  • Ensuring the security of staff and premises;
  • Compliance with statutory obligations.
  • The publishing of relevant, publicly available contact information of landlords, agents and others against whom we may conduct online and in-person pickets and actions in support of our members. This data is processed on the basis of legitimate interest as per Article 6(f) of the GDPR.

This Policy applies to all data collected, both manually and automated, held by CATU. This includes electronic and paper records.

(2) What data does CATU collect and process?

In order to provide you with an optimal web experience, build community power and positive change in Ireland, we need to collect and process your personal data.

The following table gives a summary of the personal data we collect from you, how we process it, and according to personal data protection regulations, what is the legal basis for the processing of your personal data.

Personal data collectedPersonal data processingLegal basis for processing
Contact data (name, email address, phone number)sending you emails about campaigns, events and actionsConsent
Social media data (handle, public comments, private messages to CATU)Answering campaign related queries, re-broadcasting values aligned contentLegitimate Interest to pursue our campaign goals
Survey dataIdentifying issues in communities, building committees and taking actionsLegitimate Interest to pursue our campaign goals
Activity data (petitions signed)Informing campaign strategy, matching content to the most relevant audienceLegitimate Interest to pursue our campaign goals
Publicly available contact data (email, social media handles, phone number)Contacting individuals (politicians, journalists, public figures such as CEOs) with persuasive messages, factual arguments, member stories, press releases and other campaign informationLegitimate Interest to pursue our campaign goals
Financial dataWe use your credit card or bank account details to process donationsConsent

Lawful processing

We are required to have one or more lawful grounds to process your personal information. Only 3 of these are relevant to us:

  • Personal information is processed on the basis of a person’s consent
  • Personal information is processed on the basis of a contractual relationship
  • Personal information is processed on the basis of legitimate interests

(2.a) Consent

We will ask for your consent to use your information for the following purposes:

to send you electronic communications such as emails, surveys, newsletters, event and action information.

(2.b) Contractual relationships

Most of our interactions with subscribers and website users are voluntary and not contractual. However, sometimes it will be necessary to process personal information so that we can enter contractual relationships with people. For example, if you apply for a paid position, role or to volunteer with us.

(2.c) Legitimate interests

Applicable law allows personal information to be collected and used if it is reasonably necessary for our legitimate activities (as long as its use is fair, balanced and does not unduly impact individuals’ rights). We will rely on this ground to process your personal data when it is not practical or appropriate to ask for consent.

Achieving our purposes

These include (but are not limited to) pursuing campaigns in line with our values:

  • Housing and Community Justice is about the provision of secure affordable homes for everyone and the fair distribution of wealth to all communities on the Island. CATU members believe in the right of people to realise their full potential. This includes taking a stand on housing and community justice.
  • CATU members believe that discrimination and prejudice need to be challenged so that everyone can participate fully and equally. This includes taking a stand against racism, sexism, classism, transphobia, ableism, homophobia and biphobia. It also means taking a stand for the rights of communities experiencing economic, social, and political exclusion.

(3) Who has access to your data?

CATU staff and the national committee, and local committees, where relevant to their work, have access to your data and they process it in line with the purposes and practices outlined in this document. 

(3.a) The use of third-party data processors

In the course of its role as data controller, CATU engages third-party service providers, or data processors, to process personal data on its behalf.

In each case, a formal, written contract is in place with the processor, outlining their obligations in relation to the personal data, the security measures that they must have in place to protect the data, the specific purpose or purposes for which they are engaged, and the understanding that they will only process the data

  • as instructed by CATU, and
  • in compliance with the European General Data Protection Regulation and the EU Electronic Communications Regulations.

The contract will also include reference to the fact that the data controller is entitled, from time to time, to audit or inspect the data management activities of the data processor, and to ensure that they remain compliant with the relevant legislation, and with the terms of the contract.

Regular audit trail monitoring will be carried out to ensure compliance with this Agreement by any third-party entity which processes personal data on behalf of CATU.

Failure of a data processor to manage CATU’s data in a compliant manner will be viewed as a breach of contract, and will be pursued through the courts if necessary.

(4) How is your data protected?

CATU will ensure that the personal data it collects will be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. To this end, CATU will employ high standards of security in order to protect the personal data under its care. CATU’s Password Policy and Data Retention & Destruction Policies guarantee protection against unauthorised access to, or alteration, destruction or disclosure of any personal data held by CATU in its capacity as data controller.

In the event of a data breach likely to result in a risk to the rights and freedoms of the data subject or other persons, CATU will notify the Irish Data Protection Commissioner without undue delay and, where feasible, within 72 hours after having become aware of the breach, in line with Article 33 of the GDPR.

(5.a) Membership dues and Donations

Financial transactions carried out on our website are usually handled through Stripe, Inc. (“Stripe”), a third party payment services provider. We recommend that you read Stripe’s privacy policy (available at prior to effecting any transactions with us. We will provide your personal data to Stripe only to the extent necessary for the purposes of processing payments for transactions you enter into with us. We do not store your financial details.

(5 b) Public contact data

In the pursuit of our campaign goals, CATU may collect and categorize publicly available contact information (emails, phone numbers and social media handles). For this specific category, we engage in the following practices:

  • We record the public source of the data and when it was collected
  • We audit the data at least annually and remove any data which is no longer publicly available

(6) Your Rights

Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for direct marketing purposes or to be unsubscribed from our email list at any time. You also have the following rights:

(6.a) Right to be informed

You have the right to be told how your personal information will be used. This Policy and other policies and statements used on our website and in our communications are intended to provide you with a clear and transparent description of how your personal information may be used.

(6.b) Right of access

You can write to us to ask for confirmation of what information we hold about you and to request a copy of that information. Provided we are satisfied that you are entitled to see the information requested and we have successfully confirmed your identity, we will provide you with your data. The simplest way to access your data is to use the form on this page:

(6.c) Right of erasure

You can ask us for your personal information to be deleted from our records. In many cases we would propose to suppress further communications with you, rather than delete it. 

(6.d) Right of rectification

If you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated.

(6.e) Right to restrict processing

You have the right to ask for processing of your personal data to be restricted if there is disagreement about its accuracy or legitimate usage.

(6.f) Right to data portability

To the extent required by applicable data protection laws, where we are processing your personal information (i) under your consent, (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contact or (iii) by automated means, you may ask us to provide it to you – or another service provider – in a machine-readable format.

To exercise these rights, please send a description of the personal information in question using the contact details in section 9 below. We also have specific pages to unsubscribe from our email list . Where we consider that the information with which you have provided us does not enable us to identify the personal information in question, we reserve the right to ask for (i) personal identification and/or (ii) further information.

Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you consult the Data Protection Commission (“DPC”) guidance – or please contact us using the details in section 9 below.

You are further entitled to make a complaint including about the way we have processed your data to the DPC. For further information on how to exercise this right, please see the guidance at

(7) Data retention

CATU will ensure that personal data is not kept for longer than what is strictly necessary for the purpose for which the data is processed, in line with the principles set out in Article 5 of the GDPR.

To fulfil this commitment, CATU has developed a Data Retention and Destruction Policy and associated schedule to ensure CATU fulfils its obligation in regards to retention periods for all categories of personal data processed by the organisation.

Once the respective retention period has elapsed, CATU undertakes to destroy, erase or otherwise put this data beyond use, in line with its Data Retention and Destruction Policy.

(8) Review

This Policy will be reviewed at least annually by the Board of Directors to ensure alignment to appropriate risk management requirements and its continued relevance to current and planned operations, or legal developments and legislative obligations.

(9) Supervisory authority

CATU’s headquarters is in Ireland. Should you wish to contact the relevant supervisory authority in relation to a data protection issue involving CATU, you should contact:

The Irish Data Protection Commissioner

Telephone+353 57 8684800, +353 (0)761 104 800 
Fax+353 57 868 4757
Postal AddressData Protection Commissioner, Canal House, Station Road, Portarlington, R32 AP23, Co. Laois
Dublin Office21 Fitzwilliam Square, Dublin 2, D02 RD28
Portarlington OfficeCanal House, Station Road, Portarlington, R32 AP23, Co. Laois