Castlebridge logo
Who we are

Castlebridge is an Irish-based  company specialising in:

  • Data Protection
  • Data Governance
  • Data Strategy

We are Bridgecastle Information Management Ltd, trading as Castlebridge. We are an Information Strategy consultancy based in Ireland specialising in Information Governance, Data Privacy, Data Quality, and Information Ethics.

Our postal address is Unit 7, 12 Mountjoy Square, Dublin 1, Ireland.

Our DPO can be contacted via dataprotection@castlebridge.ie

What is a NomRep?

A NomRep acts as a point of contact within the EU for Data Controllers outside the EU who fall within the territorial scope of the legislation.

They act to help the Controller meet their obligations under EU law.

A Nominated Representative acts on behalf of a Data Controller or Data Processor based outside the EU with regard to their obligations under GDPR. The representative acts as a direct contact to the authorities and data subjects (Users/Customers), while also being an authorized agent to receive legal documents.

A Nominated Representative may also maintain the Article 30 Register of Processing Activities on behalf of a Controller or Processor in respect of their activities carried out that target or monitor the behaviour of data subjects in the EU.

A Nominated Representative also acts as the liaison between the Data Controller or Data Processor and Data Protection Supervisory Authorities within the EU.

Why we use Personal Data

For our Nominated Representative service, we process personal data on instruction from the Controller and to enable us to act as the representative of the Controller in the EU

As a Nominated Representative we process personal data on behalf of an non-EU based Controller for the following purposes

  • Liaising with Data Subjects in the EU with respect to queries and the exercise of their rights
  • Liasing with Supervisory Authorities
  • Maintaining contact details for management team within the Data Controller
  • Management of sub-contractors engaged by us on the Client’s behalf
What data do we use?

We use a variety of categories of personal data depending on our purposes. In all cases, we aim to capture and process the minimum necessary to deliver our services and meet our obligations.

We process the following categories of personal data for the purposes set out.

Processing Purpose Category of Information Processed
Liaison with Data Subject
  • Contact information (name, email, postal address)
  • Personal information associated with a query or rights request
Management of Client Relationship
  • Contact names (project stakeholders and participants)
  • Email addresses
  • Contact phone numbers
Liaison with Supervisory Authorities
  • Contact information (name, email, postal address)
  • Personal information associated with a query or rights request
General Office Administration and Accounting
  • Contact names
  • Contact details (e.g. address, email address and telephone number)
  • Tax identifiers (e.g Irish PPS Number for employees and VAT number for subcontractors)
  • Timesheets
  • Data associated with accounts receivable or accounts payable.
HR Administration and Management of Sub Contractors
  • Contact names
  • Contact details (address, email and phone number)
  • PPSN (for employees)
  • Attendance records/time sheets
  • Training records
  • Sick certs and data relating to occupational health
  • CVs
Third Party Recipients

In the course of our business we are required to disclose data to third parties who are not data processors on our behalf.

For many of our processing activities, we are required to disclose data to third parties who are not data processors acting on our behalf or data controllers on whose behalf we are working. Categories of recipients include:

  • Tax authorities (e.g. Irish Revenue Commissioners)
  • Law enforcement (where required for the investigation, detection, or prosecution of criminal offences)
  • Standards bodies or bodies accrediting certifications taught or examined by Castlebridge.
Cross Border Transfer

Some of our service providers or partners are based outside the EU/EEA. We make sure to only use providers who are processing data outside EU on a valid basis.

Castlebridge will, from time to time, make use of services provided by 3rd parties for the delivery of our services which may necessitate the transfer of personal data outside the EU/EEA. For example, we use a variety of cloud-based tools such as Teamwork.comOffice365, and similar tools. Where data needs to be transferred or processed outside the EU/EEA, we chose providers who process data on the basis of

  • Model Contract Clauses
  • An Adequacy Decision from the European Commission.

In exceptional circumstances we will rely on the consent of the data subject or the necessity of the processing for the performance of or conclusion/performance of a contract that the Data Subject has entered into (e.g. transferring data to a US-based accrediting body for certifications so that a client can receive their accreditation). On a case by case basis, we may rely on other grounds for transfer, including processing that is necessary for the establishment, exercise, or defence of legal claims.

Data Processors

We use a variety of 3rd party tools to run the business and deliver our Nominated Representative service.

The categories of suppliers used includes:

  • Telephones & Comms
  • Office productivity
  • Helpdesk and Case Management
  • Accounting
  • Payment Processing

We use a variety of data processors in the course of our work. Our current list of processors is:

Data Processor Purpose for Processing Cross Border Transfer?
Microsoft – Office365 Office administration, email, video conferencing, document storage (Sharepoint) EU Data Centres selected
Blueface.com Telephony and conference call bridges EU based
Teamwork.com Helpdesk platform (Teamwork Desk), Project Management (Teamwork Project) EU Data Centres Selected
RDA Accountants Accounting EU-based
3 Ireland Telecommunications EU-based
DevHaus Website Development EU-based
Innocraft Website Statistics (Matomo) hosting New Zealand
Defiant Inc Website Security US-based – SCC
SendInBlue Email Marketing and Markeing automation EU-based
GoCardless.com Direct Debit Payment Processing EU-based
Blacknight Web hosting / email EU-based
Stripe Credit Card Processing US,  Transfers via SCC
Zoom Video Conferencing / Webinar Hosting EU-based

This list is maintained on a quarterly basis or when new suppliers are added.

Keeping Data

We retain data for as little time as possible. Our retention periods are based on:

  • Statutory Obligations
  • Contractual Requirements
  • Quality Assurance
  • Prudent risk management

Castlebridge retains personal data about individuals for a range of periods. The basis for our retention periods is based on:

  • Statutory obligations
  • Contractual obligations
  • Quality assurance standard obligations provided by our training partners or accrediting bodies.
  • For reasonable periods after the conclusion of engagements for QA and risk management purposes.

On a case by case basis, records may be retained for longer where required for actual or potential legal actions or the management or mitigation of operational or strategic risks to the organisation.  Where records are subject to this kind of “hold” process, the ongoing retention will be reviewed on an annual basis.

Your Rights

You have a range of rights under EU Data Protection law. Among these rights is the right to assistance from a Supervisory Authority. Our Supervisory Authority is the Irish Data Protection Commission.

Your Rights
  • For processing activities for which we rely on consent as a basis for processing your data, you have the right to withdraw your consent at any time.
  • For processing activities which are based on a statutory or contractual requirement, you may request your data not be processed for that purpose. However, this is not an absolute right and may be over-ridden by our statutory obligations. In other cases, requesting that data should not be processed for a particular reason may prevent us from executing a contract or delivering a service to you.
  • You have the right to request:
    • A copy of data we hold about you. (Right of Access)
    • That any error in data we hold about you is corrected. (Right of Rectification)
    • That data we hold about you be erased, unless we have a countervailing interest or legal obligation to retain it. (Right of Erasure)
    • That we refrain from processing data for a specific purpose. (Right to Restrict processing)
  • You have the right to complain to the Irish Data Protection Commissioner ( dataprotection.ie), and to seek compensation through the Courts.

As we said earlier, you can contact us via our Contact Page. Alternatively, if you have a specific data protection query you can email dataprotection@castlebridge.ie.

Last Updated: 20/09/2020