Data Education Data Protection Notice
This is the Data Protection Notice for Castlebridge’s DataEducation.ie Learning Management Platform. It is supplemental to our main Data Protection Notice published on the Castlebridge.ie website.
Who we are
Castlebridge Data Education is the training arm of Castlebridge, an Irish-based Data Governance & Data Protection strategy and advisory company.
This Data Protection Notice is supplementary to our general Privacy Notice which can be found here.
Our postal address is Unit 7, 12 Mountjoy Square, Dublin 1, Ireland.
Our DPO can be contacted via firstname.lastname@example.org.
Why we use Personal Data
Castlebridge Data Education process (use) personal data to provide training, educational services, and events in both online and physical classroom based environments.
We process data about people for the following purposes:
- Delivering training (either directly or through partners);
- General administration and accounting;
- Organising and running events.
What Data we use
We use a variety of categories of personal data depending on our purposes. In all cases, we aim to capture and process the minimum necessary to deliver our services and meet our obligations.
We process the following categories of personal data for the purposes set out.
|Category of Information Processed
|Sales and Marketing
[Note: We deliver training either in-house for clients, through partners, or as public courses – the data processed will vary depending on the context of delivery.]
|Hosting and Promoting Webinars
[Note: Webinars are recorded, but every effort is made to ensure that participants voice or image is not published in such recordings without permission.]
|General Office Administration and Accounting
|Health and Safety
|Website Performance Management and Security
Personal Data on the Learn
Upon e-Learning Platform
Castlebridge Data Education use the LearnUpon Learning Management System as a portal and platform to provide online training.
LearnUpon processes data relating to you when you interact with their LMS servers through https://dataeducation.learnupon.com or https://castlebridge.learnupon.com in order to provide training services through their platform on behalf of Castlebridge Data Education.
Data relates to delivery, administration, automation, and metrics for recording and reporting on course interaction, completion, and marking of learning results and outcomes.
For the purposes of EU data protection law, LearnUpon is established in Ireland, and their Data Protection Manager can be contacted at:
|Data Protection Manager
1st Floor Ocean House
Cookies on the LearnUpon Platform
While Castlebridge and Castlebridge Data Education make every effort to minimise use of tracking technologies under our control, LearnUpon determine the setting cookies on dataeducation.learnupon.com and castlebridge.learnupon.com.
Learners taking courses through the LearnUpon platform may, depending on the configuration of the course, have the option of posting details of their course completion to their own social media accounts through Social Sharing functionality. This information is only processed at the request of the learner and is initiated by them. The privacy policies and GDPR compliance information for Twitter and LinkedIn can be found at the links below, along with information on how to opt-out of cookies written by these platforms.
Third party services
Castlebridge makes use of a wide range of third party online services to provide features such as embedded video and social sharing. While every effort is made to use “no-cookie” variants of embed codes and to minimise exposure to third party tracking through these services, we cannot guarantee that cookies will not be written to your device. These services may set cookies when visiting our website. Please note that some cookies written by video services are necessary for the processing of the video (e.g. to track where you last viewed to on a video).
|YouTube : embedded video
|Vimeo : embedded video
Third Party Recipients
In the course of our business we are required to disclose data to third parties who are not data processors on our behalf.
For many of our processing activities, we are required to disclose data to third parties who are not data processors acting on our behalf or data controllers on whose behalf we are working. Categories of recipients include:
- Tax authorities (e.g. Irish Revenue Commissioners);
- Law enforcement (where required for the investigation, detection, or prosecution of criminal offences);
- Standards bodies or bodies accrediting certifications taught or examined by Castlebridge.
Cross Border Transfer
Some of our service providers or partners are based outside the EU/EEA. We make sure to only use providers who are processing data outside EU on a valid basis.
Castlebridge will, from time to time, make use of services provided by 3rd parties for the delivery of our services which may necessitate the transfer of personal data outside the EU/EEA. For example, we use a variety of cloud-based tools such as Teamwork.com, Office365, and similar tools. Where data needs to be transferred or processed outside the EU/EEA, we chose providers who process data on the basis of
- Model Contract Clauses;
- An Adequacy Decision from the European Commission.
In exceptional circumstances we will rely on the consent of the data subject or the necessity of the processing for the performance of or conclusion/performance of a contract that the Data Subject has entered into (e.g. transferring data to a US-based accrediting body for certifications so that a client can receive their accreditation). On a case by case basis, we may rely on other grounds for transfer, including processing that is necessary for the establishment, exercise, or defence of legal claims.
We use a variety of 3rd party tools to run the business.
The categories of suppliers used includes:
- Telephones & Comms
- Payment Processing
We use a variety of data processors in the course of our work. Our full list of processors is available at Castlebridge’s main Privacy Notice.
|Purpose for Processing
|Cross Border Transfer?
|Microsoft – Office365
|Video Conferencing / Webinar Hosting
|EU Data Centres, SCCs
|Telephony and Conference Call Bridges
|US, Transfers via SCC
|Audio Streaming and Hosting
|EU-based, UK Head office
|Credit Card Processing
|US, Transfers via SCC
|Video Conferencing / Webinar Hosting
|EU Data Centres, SCCs
This list is maintained on a quarterly basis or when new suppliers are added.
You have control of the period of retention for the personal data held on your account in LearnUpon. You can request to have your account personally deleted from the account settings within your account, and the account deletion will be processed within 7 days.
Castlebridge retains personal data about individuals for as little time as possible. Our retention periods are based on:
- Statutory obligations;
- Contractual requirements;
- Quality assurance standard obligations provided by our training partners or accrediting bodies;
- For reasonable periods after the conclusion of engagements for QA and risk management purposes.
On a case by case basis, records may be retained for longer where required for actual or potential legal actions or the management or mitigation of operational or strategic risks to the organisation. Where records are subject to this kind of “hold” process, the ongoing retention will be reviewed on an annual basis.
You have a range of rights under EU Data Protection law. Among these rights is the right to assistance from a Supervisory Authority. Our Supervisory Authority is the Irish Data Protection Commission.
- For processing activities for which we rely on consent as a basis for processing your data, you have the right to withdraw your consent at any time.
- For processing activities which are based on a statutory or contractual requirement, you may request your data not be processed for that purpose. However, this is not an absolute right and may be over-ridden by our statutory obligations. In other cases, requesting that data should not be processed for a particular reason may prevent us from executing a contract or delivering a service to you.
- You have the right to request:
- A copy of data we hold about you. (Right of Access)
- That any error in data we hold about you is corrected. (Right of Rectification)
- That data we hold about you be erased, unless we have a countervailing interest or legal obligation to retain it. (Right of Erasure)
- That we refrain from processing data for a specific purpose. (Right to Restrict processing)
- You have the right to complain to the Irish Data Protection Commissioner (dataprotection.ie), and to seek compensation through the Courts.
Last Updated: 05/11/2021