Who we are
Castlebridge is an Irish-based company specialising in:
- Data Protection
- Data Governance
- Data Strategy
We are Bridgecastle Information Management Ltd, trading as Castlebridge. We are an Information Strategy consultancy based in Ireland specialising in Information Governance, Data Privacy, Data Quality, and Information Ethics.
Our postal address is Unit 7, 12 Mountjoy Square, Dublin 1, Ireland.
Our DPO can be contacted via dataprotection@castlebridge.ie
What is a NomRep?
A NomRep acts as a point of contact within the EU for Data Controllers outside the EU who fall within the territorial scope of the legislation.
They act to help the Controller meet their obligations under EU law.
A Nominated Representative acts on behalf of a Data Controller or Data Processor based outside the EU with regard to their obligations under GDPR. The representative acts as a direct contact to the authorities and data subjects (Users/Customers), while also being an authorized agent to receive legal documents.
A Nominated Representative may also maintain the Article 30 Register of Processing Activities on behalf of a Controller or Processor in respect of their activities carried out that target or monitor the behaviour of data subjects in the EU.
A Nominated Representative also acts as the liaison between the Data Controller or Data Processor and Data Protection Supervisory Authorities within the EU.
Why we use Personal Data
For our Nominated Representative service, we process personal data on instruction from the Controller and to enable us to act as the representative of the Controller in the EU
As a Nominated Representative we process personal data on behalf of an non-EU based Controller for the following purposes
- Liaising with Data Subjects in the EU with respect to queries and the exercise of their rights
- Liasing with Supervisory Authorities
- Maintaining contact details for management team within the Data Controller
- Management of sub-contractors engaged by us on the Client’s behalf
What data do we use?
We use a variety of categories of personal data depending on our purposes. In all cases, we aim to capture and process the minimum necessary to deliver our services and meet our obligations.
We process the following categories of personal data for the purposes set out.
| Processing Purpose | Category of Information Processed |
| Liaison with Data Subject |
|
| Management of Client Relationship |
|
| Liaison with Supervisory Authorities |
|
| General Office Administration and Accounting |
|
| HR Administration and Management of Sub Contractors |
|
Third Party Recipients
In the course of our business we are required to disclose data to third parties who are not data processors on our behalf.
For many of our processing activities, we are required to disclose data to third parties who are not data processors acting on our behalf or data controllers on whose behalf we are working. Categories of recipients include:
- Tax authorities (e.g. Irish Revenue Commissioners)
- Law enforcement (where required for the investigation, detection, or prosecution of criminal offences)
- Standards bodies or bodies accrediting certifications taught or examined by Castlebridge.
Cross Border Transfer
Some of our service providers or partners are based outside the EU/EEA. We make sure to only use providers who are processing data outside EU on a valid basis.
Castlebridge will, from time to time, make use of services provided by 3rd parties for the delivery of our services which may necessitate the transfer of personal data outside the EU/EEA. For example, we use a variety of cloud-based tools such as Teamwork.com, Office365, and similar tools. Where data needs to be transferred or processed outside the EU/EEA, we chose providers who process data on the basis of
- Model Contract Clauses
- An Adequacy Decision from the European Commission.
In exceptional circumstances we will rely on the consent of the data subject or the necessity of the processing for the performance of or conclusion/performance of a contract that the Data Subject has entered into (e.g. transferring data to a US-based accrediting body for certifications so that a client can receive their accreditation). On a case by case basis, we may rely on other grounds for transfer, including processing that is necessary for the establishment, exercise, or defence of legal claims.
Data Processors
We use a variety of 3rd party tools to run the business and deliver our Nominated Representative service.
The categories of suppliers used includes:
- Telephones & Comms
- Office productivity
- Helpdesk and Case Management
- Accounting
- Payment Processing
We use a variety of data processors in the course of our work. Our current list of processors is:
| Data Processor | Purpose for Processing | Cross Border Transfer? |
| Microsoft – Office365 | Office administration, email, video conferencing, document storage (Sharepoint) | EU Data Centres selected |
| Blueface.com | Telephony and conference call bridges | EU based |
| Teamwork.com | Helpdesk platform (Teamwork Desk), Project Management (Teamwork Project) | EU Data Centres Selected |
| RDA Accountants | Accounting | EU-based |
| 3 Ireland | Telecommunications | EU-based |
| DevHaus | Website Development | EU-based |
| Innocraft | Website Statistics (Matomo) hosting | New Zealand |
| Defiant Inc | Website Security | US-based – SCC |
| SendInBlue | Email Marketing and Markeing automation | EU-based |
| GoCardless.com | Direct Debit Payment Processing | EU-based |
| Blacknight | Web hosting / email | EU-based |
| Stripe | Credit Card Processing | US, Transfers via SCC |
| Zoom | Video Conferencing / Webinar Hosting | EU-based |
This list is maintained on a quarterly basis or when new suppliers are added.
Keeping Data
We retain data for as little time as possible. Our retention periods are based on:
- Statutory Obligations
- Contractual Requirements
- Quality Assurance
- Prudent risk management
Castlebridge retains personal data about individuals for a range of periods. The basis for our retention periods is based on:
- Statutory obligations
- Contractual obligations
- Quality assurance standard obligations provided by our training partners or accrediting bodies.
- For reasonable periods after the conclusion of engagements for QA and risk management purposes.
On a case by case basis, records may be retained for longer where required for actual or potential legal actions or the management or mitigation of operational or strategic risks to the organisation. Where records are subject to this kind of “hold” process, the ongoing retention will be reviewed on an annual basis.
Your Rights
You have a range of rights under EU Data Protection law. Among these rights is the right to assistance from a Supervisory Authority. Our Supervisory Authority is the Irish Data Protection Commission.[/text-with-icon]
Your Rights
- For processing activities for which we rely on consent as a basis for processing your data, you have the right to withdraw your consent at any time.
- For processing activities which are based on a statutory or contractual requirement, you may request your data not be processed for that purpose. However, this is not an absolute right and may be over-ridden by our statutory obligations. In other cases, requesting that data should not be processed for a particular reason may prevent us from executing a contract or delivering a service to you.
- You have the right to request:
- A copy of data we hold about you. (Right of Access)
- That any error in data we hold about you is corrected. (Right of Rectification)
- That data we hold about you be erased, unless we have a countervailing interest or legal obligation to retain it. (Right of Erasure)
- That we refrain from processing data for a specific purpose. (Right to Restrict processing)
- You have the right to complain to the Irish Data Protection Commissioner ( dataprotection.ie), and to seek compensation through the Courts.
As we said earlier, you can contact us via our Contact Page. Alternatively, if you have a specific data protection query you can email dataprotection@castlebridge.ie.
Last Updated: 20/09/2020