Castlebridge is an Irish-based company specialising in:
We are Bridgecastle Information Management Ltd, trading as Castlebridge. We are an Information Strategy consultancy based in Ireland specialising in Information Governance, Data Privacy, Data Quality, and Information Ethics.
Our postal address is Unit 7, 12 Mountjoy Square, Dublin 1, Ireland.
Our DPO can be contacted via dataprotection@castlebridge.ie
A NomRep acts as a point of contact within the EU for Data Controllers outside the EU who fall within the territorial scope of the legislation.
They act to help the Controller meet their obligations under EU law.
A Nominated Representative acts on behalf of a Data Controller or Data Processor based outside the EU with regard to their obligations under GDPR. The representative acts as a direct contact to the authorities and data subjects (Users/Customers), while also being an authorized agent to receive legal documents.
A Nominated Representative may also maintain the Article 30 Register of Processing Activities on behalf of a Controller or Processor in respect of their activities carried out that target or monitor the behaviour of data subjects in the EU.
A Nominated Representative also acts as the liaison between the Data Controller or Data Processor and Data Protection Supervisory Authorities within the EU.
For our Nominated Representative service, we process personal data on instruction from the Controller and to enable us to act as the representative of the Controller in the EU
As a Nominated Representative we process personal data on behalf of an non-EU based Controller for the following purposes
We use a variety of categories of personal data depending on our purposes. In all cases, we aim to capture and process the minimum necessary to deliver our services and meet our obligations.
We process the following categories of personal data for the purposes set out.
| Processing Purpose | Category of Information Processed |
| Liaison with Data Subject |
|
| Management of Client Relationship |
|
| Liaison with Supervisory Authorities |
|
| General Office Administration and Accounting |
|
| HR Administration and Management of Sub Contractors |
|
In the course of our business we are required to disclose data to third parties who are not data processors on our behalf.
For many of our processing activities, we are required to disclose data to third parties who are not data processors acting on our behalf or data controllers on whose behalf we are working. Categories of recipients include:
Some of our service providers or partners are based outside the EU/EEA. We make sure to only use providers who are processing data outside EU on a valid basis.
Castlebridge will, from time to time, make use of services provided by 3rd parties for the delivery of our services which may necessitate the transfer of personal data outside the EU/EEA. For example, we use a variety of cloud-based tools such as Teamwork.com, Office365, and similar tools. Where data needs to be transferred or processed outside the EU/EEA, we chose providers who process data on the basis of
In exceptional circumstances we will rely on the consent of the data subject or the necessity of the processing for the performance of or conclusion/performance of a contract that the Data Subject has entered into (e.g. transferring data to a US-based accrediting body for certifications so that a client can receive their accreditation). On a case by case basis, we may rely on other grounds for transfer, including processing that is necessary for the establishment, exercise, or defence of legal claims.
We use a variety of 3rd party tools to run the business and deliver our Nominated Representative service.
The categories of suppliers used includes:
We use a variety of data processors in the course of our work. Our current list of processors is:
| Data Processor | Purpose for Processing | Cross Border Transfer? |
| Microsoft – Office365 | Office administration, email, video conferencing, document storage (Sharepoint) | EU Data Centres selected |
| Blueface.com | Telephony and conference call bridges | EU based |
| Teamwork.com | Helpdesk platform (Teamwork Desk), Project Management (Teamwork Project) | EU Data Centres Selected |
| RDA Accountants | Accounting | EU-based |
| 3 Ireland | Telecommunications | EU-based |
| DevHaus | Website Development | EU-based |
| Innocraft | Website Statistics (Matomo) hosting | New Zealand |
| Defiant Inc | Website Security | US-based – SCC |
| SendInBlue | Email Marketing and Markeing automation | EU-based |
| GoCardless.com | Direct Debit Payment Processing | EU-based |
| Blacknight | Web hosting / email | EU-based |
| Stripe | Credit Card Processing | US, Transfers via SCC |
| Zoom | Video Conferencing / Webinar Hosting | EU-based |
This list is maintained on a quarterly basis or when new suppliers are added.
We retain data for as little time as possible. Our retention periods are based on:
Castlebridge retains personal data about individuals for a range of periods. The basis for our retention periods is based on:
On a case by case basis, records may be retained for longer where required for actual or potential legal actions or the management or mitigation of operational or strategic risks to the organisation. Where records are subject to this kind of “hold” process, the ongoing retention will be reviewed on an annual basis.
You have a range of rights under EU Data Protection law. Among these rights is the right to assistance from a Supervisory Authority. Our Supervisory Authority is the Irish Data Protection Commission.
As we said earlier, you can contact us via our Contact Page. Alternatively, if you have a specific data protection query you can email dataprotection@castlebridge.ie.
Last Updated: 20/09/2020
