Last Updated: 25 November 2025

1) Who we are

This Privacy Policy explains how Gael Linn (“we”, “us”, “our”) collects, uses, shares, and protects personal data. We are committed to safeguarding privacy and complying with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Acts 1988–2018.

Data Controller: Gael Linn
Email (privacy/DPO): eolas@gael-linn.ie (or use siopa@gael-linn.ie if preferred)
Phone: +353 (0)1 675 1200
Website: https://www.gael-linn.ie
Registered Address: 35 Dame Street, Dublin 2, D02H797

If you are under 18, please ask a parent/guardian or teacher to contact us on your behalf.

2) Scope

This policy covers:

Competitions (including those for students and schools)
Summer courses/camps
School programmes and teacher CPD
Events for teachers, students, and adult learners
Online shop (orders, payments, fulfilment and returns)
Website, email communications, and social media channels

3) Personal data we collect

A) Accounts, enquiries & communications

Name, email, phone, postal address
Role/affiliation (teacher, student, adult learner, school)
Language level/interests (where provided)
Queries and correspondence metadata (timestamps, system logs)

B) Competitions

Entrant details (name, age/DOB, school/class, county)
Teacher/parent/guardian contact details
Submission materials (text, audio, video, images, artwork)
Consent forms and publicity preferences

C) Summer courses & camps

Participant and parent/guardian details (for minors)
Emergency contacts and health/allergy information where necessary for duty of care
Accommodation and dietary preferences (if applicable)
Attendance records and activity selections

D) School programmes & events

Registrations, attendance, CPD certificates/records
Photos/recordings (subject to consent/notices)
Feedback and evaluation forms

E) Shop & payments

Order details (items, amounts)
Delivery name, address, phone, email
Payment processing via third‑party provider(s); we do not store full card numbers
Invoicing (billing address, VAT number if applicable)

F) Website & device data

Cookies and similar technologies (see Annex C: Cookie Policy)
IP address, device/browser type, pages visited, referral source
Security/event logs (e.g., failed logins, fraud checks)

G) Marketing preferences

Newsletter/event subscriptions (opt‑in status)
Communication preferences and engagement metrics (opens/clicks)

4) Legal bases (GDPR)

We process data under:

Contract (Art. 6(1)(b)) – to provide competitions, courses, events, CPD, and shop orders.
Consent (Art. 6(1)(a)) – for optional marketing; image/audio/video use where required; children’s data with parental/guardian consent.
Legal obligation (Art. 6(1)(c)) – tax/accounting; child protection; health & safety; regulatory reporting.
Legitimate interests (Art. 6(1)(f)) – programme administration; service improvement; fraud/security; proportionate analytics (balanced against your rights).

Special category data (e.g., health/allergy) is processed where necessary for vital interests (Art. 9(2)(c)), substantial public interest (Art. 9(2)(g)) or explicit consent (Art. 9(2)(a)).

5) How we use personal data

Administer competitions (eligibility checks, judging, contacting winners, prizes, publicity with consent)
Manage summer courses/camps, school programmes and events (bookings, schedules, attendance, safety)
Operate the shop (payments, delivery, returns, customer support)
Send service communications (confirmations, updates, changes)
Provide newsletters and marketing only with your consent/opt‑in
Improve services, website performance and user experience
Safeguard participants and meet legal obligations

6) Photography, audio & video

We may capture images/recordings at events and programmes:

We provide notices and obtain consent where required (especially for minors).
You can object to being photographed/recorded (except where required for safety/compliance).
Approved images/recordings may be used for educational/promo purposes (details given at or before the event).

7) Children’s data

For competitions, courses and school programmes involving minors, we obtain parent/guardian or school authorisation as appropriate.
We collect only what’s necessary for participation and safety.
We do not use children’s data for marketing without verified parental/guardian consent.
Parents/guardians may exercise rights on behalf of minors (see Section 12).

8) Sharing your data

We share data only as needed with:

Service providers/processors: payment gateways [e.g., Stripe/PayPal]; e‑commerce/website hosting [e.g., Shopify/WordPress host]; email platforms [e.g., Mailchimp/Sendinblue]; event/registration [e.g., Eventbrite]; video platforms [e.g., Zoom/Teams]; IT support; cloud storage.
Delivery partners: [e.g., An Post, DPD, DHL] for order fulfilment.
Schools and programme partners: where necessary to organise activities.
Judges/competition panels: to evaluate entries (under confidentiality).
Authorities/regulators: where legally required (e.g., tax, safeguarding).
Media/publicity: winners/featured participants with appropriate consent.

All processors are bound by contracts to protect data, follow our instructions, and not use data for their own purposes. See Annex A for our current processors and safeguards.

9) International transfers

If data is transferred outside the EEA, we use appropriate safeguards (e.g., EU Standard Contractual Clauses, adequacy decisions) and implement additional measures where necessary. Details are available on request (see Section 18).

10) Data retention

We keep personal data only as long as needed:

Competitions: entries up to 12 months; winners/publicity materials & consents up to 3 years (longer if in official publications/archives).
Summer courses/camps: registration & safety records up to 3 years; incident records per legal requirements.
School programmes/events: registrations & attendance up to 3 years; CPD certification per scheme rules.
Shop orders & finance: records up to 6 years for tax/accounting.
Marketing lists: until you unsubscribe/withdraw consent.
Website analytics/logs: typically 12–24 months aggregated/anonymised.

When retention ends, we securely delete or anonymise data.

11) Security

We implement technical and organisational measures, including:

Role‑based access, staff training, confidentiality commitments
Encryption in transit and at rest where appropriate
Secure payment processing via accredited providers (no storage of full card data)
Backups, patching, and vulnerability management
Processor contracts and due diligence

We act promptly on incidents and, where required, notify you and the authorities.

12) Your rights (GDPR)

Subject to conditions/exemptions, you have the right to:
Access, Rectification, Erasure, Restriction, Portability, Objection (including to marketing), and to Withdraw consent at any time. You also have the right to lodge a complaint with the Data Protection Commission (DPC).

DPC: https://www.dataprotection.ie | +353 57 868 4800 / +353 76 110 4800

To exercise your rights, contact eolas@gael-linn.ie (or shop@gael-linn.ie). We may need to verify your identity.

13) Cookies and similar technologies

We use cookies to operate our website and shop, remember preferences, enable secure checkout, and analyse traffic. Manage your preferences via our Cookie Banner/Settings and your browser. See Annex C (Cookie Policy) for details.

14) Marketing communications

We send newsletters and updates only if you opt in (or where the “soft opt‑in” applies for similar products/services). You can unsubscribe any time via the link in our emails or by contacting us.

15) Automated decision‑making & profiling

We do not use automated decisions that produce legal or similarly significant effects. Any limited segmentation (e.g., by region or role) is reviewed by staff.

16) Third‑party links

Our website may contain links to third‑party sites. We are not responsible for their privacy practices. Please review their policies.

17) Changes to this policy

We may update this policy from time to time. Material changes will be highlighted on our website and, where appropriate, notified by email.

18) Contact us

Gael Linn
Shop/General: siopa@gael-linn.ie
Phone: +353 (0)1 675 1200
Address: 35 Dame Street, Dublin 2 D02H797
Website: https://www.gael-linn.ie

Annex A – Our Processors & Data Sharing

Purpose	Processor	Data	Location	Legal Safeguard
Payments	[Stripe / PayPal ]	Name, email, billing details, payment tokens	EU/EEA/US (varies)	SCCs/Adequacy (as applicable)
E‑commerce/Hosting	[WooCommerce host / WordPress host]	Orders, accounts, contact details	EU	SCCs/Adequacy
Email marketing	[Mailchimp ]	Name, email, preferences	EU/EEA/US (varies)	SCCs/Adequacy
Transactional email	[SendGrid / Amazon SES]	Email, order updates	EU/EEA/US (varies)	SCCs/Adequacy
Event registration	[Eventbrite ]	Names, emails, tickets	EU/EEA/US (varies)	SCCs/Adequacy
Video platforms	[Zoom / MS Teams]	Names, recordings (if consented)	EU/EEA/US (varies)	SCCs/Adequacy

Delivery/courier	[An Post / DPD / DHL]	Name, address, phone, order ref	EU/IE	N/A (delivery)
Cloud storage/backup	[Microsoft 365 / Google Drive]	Documents, media	[Location]	SCCs/Adequacy
Analytics	[Google Analytics (consent)]	Cookie IDs, IP (truncated)	[Location]	SCCs/Adequacy

Annex B – Record of Processing Activities (RoPA) – Summary

Activity	Data subjects	Personal data	Purpose	Legal basis	Retention
Competitions	Students, teachers	Identity, school, submissions, consents	Run competitions, award prizes	Contract; consent (publicity)	12 months (entries); 3 years (winners/publicity)
Courses/camps	Minors, adults	Identity, contacts, health (if necessary)	Deliver programmes & ensure safety	Contract; vital interests/consent (health)	Up to 3 years; incidents per law
School programmes/CPD	Teachers, schools	Registration, attendance, CPD	Administer and certify	Contract; legitimate interests	Up to 3 years
Events	Attendees	Registration, images/recordings	Organise events; promotion (with consent)	Contract; consent (images)	Up to 3 years
Shop	Customers	Orders, delivery, payments	Fulfil orders, returns	Contract; legal obligation (tax)	Finance: 6 years
Marketing	Subscribers	Name, email, preferences	Newsletters, updates	Consent; soft opt‑in	Until unsubscribe
Website	Visitors	Cookies, IP, logs	Security, performance, analytics	Legitimate interests; consent (non‑essential)	12–24 months

Annex C – Cookie Policy (Website/Shop)

Types of cookies

Strictly necessary – session ID, cart, CSRF/security tokens.
Functional – language or preference storage.
Analytics – aggregated statistics (loaded only with consent where required).
Marketing – remarketing/ads (loaded only with consent).

Managing cookies
Use our Cookie Banner/Settings to accept/reject non‑essential cookies. You can also manage cookies in your browser. Blocking some cookies may impact site functionality (e.g., checkout).

Illustrative cookie list (customise):

__stripe_mid, __stripe_sid – payment security (necessary)
woocommerce_cart_hash, woocommerce_items_in_cart – shopping cart (necessary)
_ga, _gid – Google Analytics (analytics; consent)
pll_language or similar – language preference (functional)

Annex D – Data Sharing with Schools/Partners (Summary of Agreement)

When we partner with schools or organisations, we agree that:

Data is used only to deliver the programme/competition/event.
Each party implements appropriate security and confidentiality.
Access is restricted to staff who need it.
Retention is limited to what’s necessary, then data is securely deleted/anonymised.
Photography/recordings are handled per consent and notices.
Each party assists the other with data subject rights and incident reporting.
International transfers require appropriate legal safeguards.

(We can provide a full Data Sharing Agreement template on request.)

Annex E – DPIA (Events & Recordings involving Minors) – Outline

When to conduct: New or changed activities likely to pose high risk (e.g., widespread recordings, new platforms, location tracking).

Template headings:

Description of activity, stakeholders, data flows
Lawful basis and necessity/proportionality
Risk assessment (e.g., unintended disclosure of minors’ data)
Mitigations (restricted areas, opt‑out badges, consent controls, storage limits)
Residual risk and sign‑off
Review schedule and incident plan

Annex F – Photo/Recording Consent Forms

F.1 Adult consent (18+)

Purpose: Educational documentation and promotion by Gael Linn (website, social media, print).
I consent to:
☐ Photography ☐ Video ☐ Audio
Use in: ☐ Website ☐ Social media ☐ Print ☐ Press ☐ Other: ______
Duration: Up to 3 years unless withdrawn earlier.
Name: __________ Email: __________ Signature/Date: __________
You can withdraw consent at any time by emailing privacy@gael-linn.ie. Withdrawal does not affect prior lawful use.

F.2 Minor consent (Parent/Guardian)

Child’s name: __________ Age: _____ Event/Course: __________
I, the parent/guardian, consent to Gael Linn capturing and using:
☐ Photography ☐ Video ☐ Audio
Use in: ☐ Website ☐ Social media ☐ Print ☐ Press ☐ Other: ______
Duration: Up to 3 years unless withdrawn.
Parent/Guardian name & contact: __________
Signature/Date: __________
You may withdraw consent at any time by emailing privacy@gael-linn.ie.

Annex G – Competition Entry Terms (Privacy & Publicity)

By entering, participants (and where applicable, their parent/guardian or school) agree that we may process personal data to run the competition, verify eligibility, contact winners, and award prizes.
Entries must be original and may be used for educational display or limited publication by Gael Linn with appropriate consent.
Winners’ names, school/county, and entry title may be announced publicly with consent.
We may ask winners for a brief profile/interview (optional).
Entries containing third‑party personal data require that you have permission to include it.
We reserve the right to disqualify entries that breach rules or applicable law.
Data will be retained per Section 10 and handled as per this Privacy Policy.