Data Protection Notice

Who We Are

We are Castlebridge. We are a data strategy, governance, and data protection compliance consultancy. We provide a range of advisory and education services in data protection, data ethics, data management, data quality, data strategy, and data governance to clients in Ireland, the UK, and beyond.

This Data Protection Notice was last updated on the 27th May 2023.

How to Contact Us

Our postal address is Suite 6, New Work Junction, Clonard Village Centre, Wexford, Y35 WR02, Ireland.

Our Data Protection Manager can be contacted using our Contact Form. On that page you will also find contact telephone numbers for the company. Please note we work mainly in the GMT time zone, so our office hours may differ to yours if you are contacting us.

Why we use Personal Data

We process (use) personal data to help us run our business, deliver projects, and run events.

We process data about people for the following purposes:

  • Sales and Marketing
  • Executing projects
  • Delivering training, (either directly or through partners)
  • General office administration and accounting
  • Organising and running events
  • HR administration, including payroll and recruitment
  • Management of sub-contractors

What data do we use?

We use a variety of categories of personal data depending on our purposes. In all cases, we aim to capture and process the minimum necessary to deliver our services and meet our obligations.

We process the following categories of personal data for the purposes set out. We provide general information on the lawful grounds we rely on for processing in each context. The specific basis relied on will depend on the context of processing.

Where necessary or relevant data subjects are provided with additional information relevant to the context of processing at the time their data is being processed. For example, we have a specific Data Protection Notice for our recruitment and selection processes that is provided as part of the advertising for roles in Castlebridge.

Processing PurposeCategory of Information ProcessedLawful Basis for Processing
Sales and Marketing
  • Contact names
  • Telephone numbers (land line and mobile)
  • Social media identifiers (e.g. twitter accounts)
  • Email addresses
  •  Postal addresses
Legitimate Interest


As we operate B2B, Regulation 13(2) of SI336/2011 will apply to some of our marketing activity.
Executing Projects
  • Contact names (project stakeholders and participants)
  • Email addresses
  • Contact phone numbers
Legitimate Interests
Delivering Training
  • Student names
  • Email addresses
  • Exam scripts / assignments
  • Student grades

[Note: We deliver training either inhouse for clients, through partners, or as public courses – the data processed will vary depending on the context of delivery]

Legitimate Interest or, where contracting directly with Data Subject, Contractual Necessity
Hosting and Promoting Webinars
  • Attendee names
  • Attendee email addresses
  • Attendee marketing preferences

[Note: Webinars are recorded, but every effort is made to ensure that participants voice or image is not published in such recordings without permission]

Legitimate Interests

See also Regulation 13(2) of SI336/2011 for B2B marketing by email.
General Office Administration and Accounting
  • Contact names
  • Contact details (e.g. address, email address and telephone number)
  • Tax identifiers (e.g Irish PPS Number for employees and VAT number for subcontractors)
  • Timesheets
  • Data associated with accounts receivable or accounts payable.
Legitimate Interests,
Contractual Necessity,
Statutory Obligations
HR Administration and Management of Sub Contractors
  • Contact names
  • Contact details (address, email and phone number)
  • PPSN (for employees)
  • Attendance records/time sheets
  • Training records
  • Sick certs and data relating to occupational health
  • CVs
Contractual Necessity
Legitimate Interest
Health and Safety
  • Occupational health data
  • Accident reports, including details of injuries and contact information for injured parties or witnesses
Statutory Obligation
Website Performance Management and Security
  • IP Addresses (in server log files)
Legitimate Interests

Cookies on this Site

We try not to, but some of the tools we use write cookies, and some features of this site won’t work without cookies.

We take all reasonable steps to minimise the use of cookies and to anonymise cookies on this site.

Our Cookies

We use a first-party website analytics tool called Matomo to measure the performance of our website. Our analytics data is not shared with or pooled with any other organisation and it cannot be used to target advertising to you based on you visting our site. Furthermore, we have:

  1. Anonymised all IP addresses recorded in our analytics tools.
  2. Configured Matomo to use pseudonymous user ids so no directly identifiable data is logged for analytics purposes
  3. We only retain detailed analytics logs for six months.
  4. All historic data is anonymised.
  5. We respect “Do Not Track” signals set in Browser settings.

Details of Cookies can be found on our Cookies Notice page

Social networks and Embedded Content

We maintain active social network accounts particularly on Twitter. We may embed widgets from these networks to present content to you. This will in result cookies being set by these networks while using our site. But, in each case, you will need to provide consent before any embedded content will work. In the table below you can find where to look for more information about the data protection practices of Twitter and LinkedIn, our two main social networks. .

Social NetworkPoliciesOpt-out
TwitterPrivacy Policy | Cookies | GDPR ComplianceOpt-out Options
LinkedInPrivacy Policy | Cookies | GDPR ComplianceOpt-out Options

Castlebridge makes use of several third party online services to provide features such as embedded video and social sharing. While every effort is made to use “no-cookie” variants of embed codes and to minimise exposure to third party tracking through these services, we cannot guarantee that cookies will not be written to your device. These services may set cookies when visiting our website.  Please note that some cookies written by video services are necessary for the processing of the video (e.g. to track where you last viewed to on a video).

YouTube : embedded videoPrivacy Policy (on Google) | Cookies | GDPR ComplianceOpt-out Options
Vimeo : embedded videoPrivacy Policy | CookiesOpt-out Options
Wordfence: Website securityPrivacy Policy | Cookies InformationWordfence is necessary functionality on this site
SoundCloud: Podcast streamingPrivacy Policy | Cookies InformationOpt-out Options: See Cookies Information

You can find out more about the cookies used on this site by visiting our Cookies Notice.

Third Party Recipients

In the course of our business we are required to disclose data to third parties who are not data processors on our behalf.

For many of our processing activities, we are required to disclose data to third parties who are not data processors acting on our behalf or data controllers on whose behalf we are working. Categories of recipients include:

  • Tax authorities (e.g. Irish Revenue Commissioners)
  • Law enforcement (where required for the investigation, detection, or prosecution of criminal offences)
  • Standards bodies or bodies accrediting certifications taught or examined by Castlebridge.
  • Collections agencies in respect of outstanding or delinquent invoices .

Cross Border Transfer

Some of our service providers or partners are based outside the EU/EEA. We make sure to only use providers who are processing data outside EU on a valid basis. Castlebridge will, from time to time, make use of services provided by 3rd parties for the delivery of our services which may necessitate the transfer of personal data outside the EU/EEA. For example, we use a variety of cloud-based tools such as Teamwork.comOffice365, and similar tools. Where data needs to be transferred or processed outside the EU/EEA, we chose providers who process data on the basis of

  • Model Contract Clauses
  • An Adequacy Decision from the European Commission.
  • Appropriate additional technical safeguards, including but not limited to the use of encryption, including own-key encryption.

In exceptional circumstances we will rely on the consent of the data subject or the necessity of the processing for the performance of or conclusion/performance of a contract that the Data Subject has entered into (e.g. transferring data to a US-based accrediting body for certifications so that a client can receive their accreditation). On a case by case basis, we may rely on other grounds for transfer, including processing that is necessary for the establishment, exercise, or defence of legal claims.

Data Processors

We use a variety of 3rd party tools to run the business.

The categories of suppliers used includes:

  • Telephones & Comms
  • Office productivity
  • HR Management
  • Accounting
  • Payment Processing

We use a variety of data processors in the course of our work. Our current list of processors is:

Data ProcessorPurpose for ProcessingCross Border Transfer?
Microsoft – Office365Office administration, email, video conferencing, document storage (Sharepoint)EU Data Centres selected;
Own-key encryption enabled
IPTelecomTelephony and conference call bridges etc.EU based
HRLocker.comHR records managementEU based
Teamwork.comHelpdesk platform (Teamwork Desk), Project Management (Teamwork Project)EU Data Centres Selected
  • Safe Country (NZ)
  • SCCs
RDA AccountantsAccountingEU-based
3 IrelandTelecommunicationsEU-based
WibbleWebsite Development and hostingNI-based team (UK data protection adequacy decision applies), EU-based hosting.
InnocraftWebsite Statistics (Matomo) hostingNew Zealand (Safe Country)
SoundCloudAudio streaming and hostingEU-based, UK Head office
SendInBlueEmail Marketing and Markeing automationEU-based
GoCardless.comDirect Debit Payment ProcessingEU-based
BlacknightWeb hosting / emailEU-based
StripeCredit Card ProcessingUS,  Transfers via SCC
ZoomVideo Conferencing / Webinar HostingUS-based, using EU data centres
ZapierProcess AutomationUS-based. SCCs as basis for transfer
LearnUponLearning Management SystemEU-Based
InnovateIT systems supportEU-Based
CloudflareDNS Hosting (as sub-processor to to Wibble)Various (global DNS resolution)

This list is reviewed on a quarterly basis or when new suppliers are added.

Keeping Data

We retain data for as little time as possible. Our retention periods are based on:

  • Statutory Obligations
  • Contractual Requirements
  • Quality Assurance
  • Prudent risk management

Castlebridge retains personal data about individuals for a range of periods. The basis for our retention periods is based on:

  • Statutory obligations
  • Contractual obligations
  • Quality assurance standard obligations provided by our training partners or accrediting bodies.
  • For reasonable periods after the conclusion of engagements for QA and risk management purposes.

On a case by case basis, records may be retained for longer where required for actual or potential legal actions or the management or mitigation of operational or strategic risks to the organisation.  Where records are subject to this kind of “hold” process, the ongoing retention will be reviewed on an annual basis.

Your Rights

You have a range of rights under EU Data Protection law. Among these rights is the right to assistance from a Supervisory Authority. Our Supervisory Authority is the Irish Data Protection Commission.

Your Rights

  • For processing activities for which we rely on consent as a basis for processing your data, you have the right to withdraw your consent at any time.
  • For processing activities which are based on a statutory or contractual requirement, you may request your data not be processed for that purpose. However, this is not an absolute right and may be over-ridden by our statutory obligations. In other cases, requesting that data should not be processed for a particular reason may prevent us from executing a contract or delivering a service to you.
  • You have the right to request:
    • A copy of data we hold about you. (Right of Access)
    • That any error in data we hold about you is corrected. (Right of Rectification)
    • That data we hold about you be erased, unless we have a countervailing interest or legal obligation to retain it. (Right of Erasure)
    • That we refrain from processing data for a specific purpose. (Right to Restrict processing)
  • You have the right to complain to the Irish Data Protection Commissioner (, and to seek compensation through the Courts.

As we said earlier, you can contact us via our Contact Page. Alternatively, if you have a specific data protection query you can email


Keep up to date with all our latest insights, podcast, training sessions, and webinars.

This field is for validation purposes and should be left unchanged.