Who we are

Castlebridge is an Irish-based Data Governance & Data Privacy company.

We are Bridgecastle Information Management Ltd, trading as Castlebridge. We are an Information Strategy consultancy based in Ireland specialising in Information Governance, Data Privacy, Data Quality, and Information Ethics.

Our postal address is Unit 7, 12 Mountjoy Square, Dublin 1, Ireland.

Our DPO can be contacted via dataprotection@castlebridge.ie

Why we use Personal Data

We process (use) personal data to help us run our business, deliver projects, and run events.

We process data about people for the following purposes:

  • Sales and Marketing
  • Executing projects
  • Delivering training, (either directly or through partners)
  • General office administration and accounting
  • Organising and running events
  • HR administration, including payroll and recruitment
  • Management of sub-contractors
What data do we use?

We use a variety of categories of personal data depending on our purposes. In all cases, we aim to capture and process the minimum necessary to deliver our services and meet our obligations.

We process the following categories of personal data for the purposes set out.

Processing Purpose Category of Information Processed
Sales and Marketing
  • Contact names
  • Telephone numbers (land line and mobile)
  • Social media identifiers (e.g. twitter accounts)
  • Email addresses
  •  Postal addresses
Executing Projects
  • Contact names (project stakeholders and participants)
  • Email addresses
  • Contact phone numbers
Delivering Training
  • Student names
  • Email addresses
  • Exam scripts / assignments
  • Student grades

[Note: We deliver training either inhouse for clients, through partners, or as public courses – the data processed will vary depending on the context of delivery]

General Office Administration and Accounting
  • Contact names
  • Contact details (e.g. address, email address and telephone number)
  • Tax identifiers (e.g Irish PPS Number for employees and VAT number for subcontractors)
  • Timesheets
  • Data associated with accounts receivable or accounts payable.
HR Administration and Management of Sub Contractors
  • Contact names
  • Contact details (address, email and phone number)
  • PPSN (for employees)
  • Attendance records/time sheets
  • Training records
  • Sick certs and data relating to occupational health
  • CVs
Health and Safety
  • Occupational health data
  • Accident reports, including details of injuries and contact information for injured parties or witnesses
Website Performance Management and Security
  • IP Addresses (in server log files)
Cookies on this Site

We try not to, but some of the tools we use write cookies, and some features of this site won’t work without cookies.

We take all reasonable steps to minimise the use of cookies and to anonymise cookies on this site.

Our Cookies

We use a first-party website analytics tool called Matomo to measure the performance of our website rather than using the more common Google Analytics. Our analytics data is not shared with or pooled with any other organisation and it cannot be used to target advertising to you based on you visting our site. Furthermore, we have:

  1. Anonymised all IP addresses recorded in our analytics tools.
  2. Configured Matomo to use pseudonymous user ids so no directly identifiable data is logged for analytics purposes
  3. We only retain detailed analytics logs for six months.
  4. All historic data is anonymised.
  5. We respect “Do Not Track” signals set in Browser settings.
Social networks

We maintain active social network accounts particularly on Twitter. We embed widgets from these networks to provide follow buttons, like boxes and stream embeds. This will in cookies being set by these networks while using our site.

Social Network Policies Opt-out
Twitter Privacy Policy | Cookies | GDPR Compliance Opt-out Options
Facebook Privacy Policy | Cookies | GDPR Compliance Opt-out Options
Third party services

Castlebridge makes use of a wide range of third party online services to provide features such as embedded video and social sharing. While every effort is made to use “no-cookie” variants of embed codes and to minimise exposure to third party tracking through these services, we cannot guarantee that cookies will not be written to your device. These services may set cookies when visiting our website.  Please note that some cookies written by video services are necessary for the processing of the video (e.g. to track where you last viewed to on a video).

Service Policies Opt-out
YouTube : embedded video Privacy Policy (on Google) | Cookies | GDPR Compliance Opt-out Options
Vimeo : embedded video Privacy Policy | Cookies Opt-out Options
Wordfence: Website security Privacy Policy | Cookies Information Wordfence is necessary functionality on this site
Third Party Recipients

In the course of our business we are required to disclose data to third parties who are not data processors on our behalf.

For many of our processing activities, we are required to disclose data to third parties who are not data processors acting on our behalf or data controllers on whose behalf we are working. Categories of recipients include:

  • Tax authorities (e.g. Irish Revenue Commissioners)
  • Law enforcement (where required for the investigation, detection, or prosecution of criminal offences)
  • Standards bodies or bodies accrediting certifications taught or examined by Castlebridge.
Cross Border Transfer

Some of our service providers or partners are based outside the EU/EEA. We make sure to only use providers who are processing data outside EU on a valid basis.

Castlebridge will, from time to time, make use of services provided by 3rd parties for the delivery of our services which may necessitate the transfer of personal data outside the EU/EEA. For example, we use a variety of cloud-based tools such as Teamwork.comOffice365, and similar tools. Where data needs to be transferred or processed outside the EU/EEA, we chose providers who process data on the basis of

  • EU/US Privacy Shield
  • Model Contract Clauses
  • An Adequacy Decision from the European Commission.

In exceptional circumstances we will rely on the consent of the data subject or the necessity of the processing for the performance of or conclusion/performance of a contract that the Data Subject has entered into (e.g. transferring data to a US-based accrediting body for certifications so that a client can receive their accreditation). On a case by case basis, we may rely on other grounds for transfer, including processing that is necessary for the establishment, exercise, or defence of legal claims.

Data Processors

We use a variety of 3rd party tools to run the business. The categories of suppliers used includes:

  • Telephones & Comms
  • Office productivity
  • HR Management
  • Accounting

We use a variety of data processors in the course of our work. Our current list of processors is:

Data Processor Purpose for Processing Cross Border Transfer?
Microsoft – Office365 Office administration, email, video conferencing, document storage (Sharepoint) EU Data Centres selected
Blueface.com Telephony and conference call bridges EU based
HRLocker.com HR records management EU based
Teamwork.com Helpdesk platform (Teamwork Desk), Project Management (Teamwork Project) EU Data Centres Selected
Trello.com Project Management US, Privacy Shield
SurfAccounts.com Accounting EU-based
TaxAssist Accountants Accounting EU-based, UK head office
eir Telecommunications EU-based
DevHaus Website Development EU-based
Innocraft Website Statistics (Matomo) hosting New Zealand
Defiant Inc Website Security US-based

This list is maintained on a quarterly basis or when new suppliers are added.

Keeping Data

We retain data for as little time as possible. Our retention periods are based on:

  • Statutory Obligations
  • Contractual Requirements
  • Quality Assurance
  • Prudent risk management

Castlebridge retains personal data about individuals for a range of periods. The basis for our retention periods is based on:

  • Statutory obligations
  • Contractual obligations
  • Quality assurance standard obligations provided by our training partners or accrediting bodies.
  • For reasonable periods after the conclusion of engagements for QA and risk management purposes.

On a case by case basis, records may be retained for longer where required for actual or potential legal actions or the management or mitigation of operational or strategic risks to the organisation.  Where records are subject to this kind of “hold” process, the ongoing retention will be reviewed on an annual basis.

Your Rights

You have a range of rights under EU Data Protection law. Among these rights is the right to assistance from a Supervisory Authority. Our Supervisory Authority is the Irish Data Protection Commission.

Your Rights
  • For processing activities for which we rely on consent as a basis for processing your data, you have the right to withdraw your consent at any time.
  • For processing activities which are based on a statutory or contractual requirement, you may request your data not be processed for that purpose. However, this is not an absolute right and may be over-ridden by our statutory obligations. In other cases, requesting that data should not be processed for a particular reason may prevent us from executing a contract or delivering a service to you.
  • You have the right to request:
    • A copy of data we hold about you. (Right of Access)
    • That any error in data we hold about you is corrected. (Right of Rectification)
    • That data we hold about you be erased, unless we have a countervailing interest or legal obligation to retain it. (Right of Erasure)
    • That we refrain from processing data for a specific purpose. (Right to Restrict processing)
  • You have the right to complain to the Irish Data Protection Commissioner ( dataprotection.ie), and to seek compensation through the Courts.

As we said earlier, you can contact us via our Contact Page. Alternatively, if you have a specific data protection query you can email dataprotection@castlebridge.ie.