Data Education

Data Education Data Protection Notice

This is the Data Protection Notice for Castlebridge’s Learning Management Platform. It is supplemental to our main Data Protection Notice published on the website.

Who we are

Castlebridge Data Education is the training arm of Castlebridge, an Irish-based Data Governance & Data Protection strategy and advisory company.

This Data Protection Notice is supplementary to our general Privacy Notice which can be found here.

Our postal address is Unit 7, 12 Mountjoy Square, Dublin 1, Ireland.

Our DPO can be contacted via

Why we use Personal Data

Castlebridge Data Education process (use) personal data to provide training, educational services, and events in both online and physical classroom based environments.

We process data about people for the following purposes:

  • Delivering training (either directly or through partners);
  • General administration and accounting;
  • Organising and running events.

What Data we use

We use a variety of categories of personal data depending on our purposes. In all cases, we aim to capture and process the minimum necessary to deliver our services and meet our obligations.

We process the following categories of personal data for the purposes set out.

Processing PurposeCategory of Information Processed
Sales and Marketing
  • Contact names
  • Telephone numbers (land line and mobile)
  • Social media identifiers (e.g. twitter accounts)
  • Email addresses
  • Postal addresses
Delivering Training
  • Learner names
  • Email addresses
  • Login details
  • Metrics recording learner progress and interaction on the e-Learning platform
  • Exam scripts / assignments
  • Learner grades

[Note: We deliver training either in-house for clients, through partners, or as public courses – the data processed will vary depending on the context of delivery.]

Hosting and Promoting Webinars
  • Attendee names
  • Attendee email addresses
  • Attendee marketing preferences

[Note: Webinars are recorded, but every effort is made to ensure that participants voice or image is not published in such recordings without permission.]

General Office Administration and Accounting
  • Contact names
  • Contact details (e.g. address, email address and telephone number)
  • Tax identifiers (e.g Irish PPS Number for employees and VAT number for subcontractors)
  • Timesheets
  • Data associated with accounts receivable or accounts payable
Health and Safety
  • Occupational health data
  • Accident reports, including details of injuries and contact information for injured parties or witnesses
Website Performance Management and Security
  • IP Addresses (in server log files)

Personal Data on the Learn

Upon e-Learning Platform

Castlebridge Data Education use the LearnUpon Learning Management System as a portal and platform to provide online training.

LearnUpon processes data relating to you when you interact with their LMS servers through  or in order to provide training services through their platform on behalf of Castlebridge Data Education.

Data relates to delivery, administration, automation, and metrics for recording and reporting on course interaction, completion, and marking of learning results and outcomes.

LearnUpon’s Privacy Policy and information as to the use of cookies on their platform can be found at:

For the purposes of EU data protection law, LearnUpon is established in Ireland, and their Data Protection Manager can be contacted at:

MailData Protection Manager
LearnUpon Limited
1st Floor Ocean House
Arran Quay
Dublin 7

Cookies on the LearnUpon Platform 
While Castlebridge and Castlebridge Data Education make every effort to minimise use of tracking technologies under our control, LearnUpon  determine the setting cookies on and

LearnUpon Cookies

Further information about LearnUpon’s use of cookies is available here:  Most of the cookies they set are session cookies required for the functionality of the website. However, this may include the use of Google Analytics to analyse website use. Information on how to opt out of Google Analytics is below:

Google AnalyticsPrivacy Policy | CookiesOpt-out Options
Social networks

Learners taking courses through the LearnUpon platform may, depending on the configuration of the course, have the option of posting details of their course completion to their own social media accounts through Social Sharing functionality. This information is only processed at the request of the learner and is initiated by them. The privacy policies and GDPR compliance information for Twitter and LinkedIn can be found at the links below, along with information on how to opt-out of cookies written by these platforms.

Social NetworkPoliciesOpt-out
TwitterPrivacy Policy | Cookies | GDPR ComplianceOpt-out Options
LinkedInPrivacy Policy | Cookies | GDPR ComplianceOpt-out Options
Third party services

Castlebridge makes use of a wide range of third party online services to provide features such as embedded video and social sharing. While every effort is made to use “no-cookie” variants of embed codes and to minimise exposure to third party tracking through these services, we cannot guarantee that cookies will not be written to your device. These services may set cookies when visiting our website.  Please note that some cookies written by video services are necessary for the processing of the video (e.g. to track where you last viewed to on a video).

YouTube : embedded videoPrivacy Policy (on Google) | Cookies | GDPR ComplianceOpt-out Options
Vimeo : embedded videoPrivacy Policy | CookiesOpt-out Options

Third Party Recipients

In the course of our business we are required to disclose data to third parties who are not data processors on our behalf.

For many of our processing activities, we are required to disclose data to third parties who are not data processors acting on our behalf or data controllers on whose behalf we are working. Categories of recipients include:

  • Tax authorities (e.g. Irish Revenue Commissioners);
  • Law enforcement (where required for the investigation, detection, or prosecution of criminal offences);
  • Standards bodies or bodies accrediting certifications taught or examined by Castlebridge.

Cross Border Transfer

Some of our service providers or partners are based outside the EU/EEA. We make sure to only use providers who are processing data outside EU on a valid basis.

Castlebridge will, from time to time, make use of services provided by 3rd parties for the delivery of our services which may necessitate the transfer of personal data outside the EU/EEA. For example, we use a variety of cloud-based tools such as Teamwork.comOffice365, and similar tools. Where data needs to be transferred or processed outside the EU/EEA, we chose providers who process data on the basis of

  • Model Contract Clauses;
  • An Adequacy Decision from the European Commission.

In exceptional circumstances we will rely on the consent of the data subject or the necessity of the processing for the performance of or conclusion/performance of a contract that the Data Subject has entered into (e.g. transferring data to a US-based accrediting body for certifications so that a client can receive their accreditation). On a case by case basis, we may rely on other grounds for transfer, including processing that is necessary for the establishment, exercise, or defence of legal claims.

Data Processors

We use a variety of 3rd party tools to run the business.

The categories of suppliers used includes:

  • Telephones & Comms
  • Accounting
  • Payment Processing

We use a variety of data processors in the course of our work. Our full list of processors is available at Castlebridge’s main Privacy Notice.

Data ProcessorPurpose for ProcessingCross Border Transfer?
Microsoft – Office365Video Conferencing / Webinar HostingEU Data Centres, SCCs
IP TelecomTelephony and Conference Call BridgesUS,  Transfers via SCC
3 IrelandTelecommunicationsEU-based
SoundCloudAudio Streaming and HostingEU-based, UK Head office
StripeCredit Card ProcessingUS,  Transfers via SCC
ZoomVideo Conferencing / Webinar HostingEU Data Centres, SCCs

This list is maintained on a quarterly basis or when new suppliers are added.

Keeping Data

You have control of the period of retention for the personal data held on your account in LearnUpon. You can request to have your account personally deleted from the account settings within your account, and the account deletion will be processed within 7 days.

Castlebridge retains personal data about individuals for as little time as possible. Our retention periods are based on:

  • Statutory obligations;
  • Contractual requirements;
  • Quality assurance standard obligations provided by our training partners or accrediting bodies;
  • For reasonable periods after the conclusion of engagements for QA and risk management purposes.

On a case by case basis, records may be retained for longer where required for actual or potential legal actions or the management or mitigation of operational or strategic risks to the organisation.  Where records are subject to this kind of “hold” process, the ongoing retention will be reviewed on an annual basis.

Your Rights

You have a range of rights under EU Data Protection law. Among these rights is the right to assistance from a Supervisory Authority. Our Supervisory Authority is the Irish Data Protection Commission.

Your Rights
  • For processing activities for which we rely on consent as a basis for processing your data, you have the right to withdraw your consent at any time.
  • For processing activities which are based on a statutory or contractual requirement, you may request your data not be processed for that purpose. However, this is not an absolute right and may be over-ridden by our statutory obligations. In other cases, requesting that data should not be processed for a particular reason may prevent us from executing a contract or delivering a service to you.
  • You have the right to request:
    • A copy of data we hold about you. (Right of Access)
    • That any error in data we hold about you is corrected. (Right of Rectification)
    • That data we hold about you be erased, unless we have a countervailing interest or legal obligation to retain it. (Right of Erasure)
    • That we refrain from processing data for a specific purpose. (Right to Restrict processing)
  • You have the right to complain to the Irish Data Protection Commissioner (, and to seek compensation through the Courts.

For general enquiries, you can contact us via our Contact Page. Alternatively, if you have a specific data protection query you can email

Last Updated: 05/11/2021


Keep up to date with all our latest insights, podcast, training sessions, and webinars.

This field is for validation purposes and should be left unchanged.