Data Protection Notice
Who We Are
We are Castlebridge. We are a data strategy, governance, and data protection compliance consultancy. We provide a range of advisory and education services in data protection, data ethics, data management, data quality, data strategy, and data governance to clients in Ireland, the UK, and beyond.
This Data Protection Notice was last updated on the 27th May 2023.
How to Contact Us
Our postal address is Suite 6, New Work Junction, Clonard Village Centre, Wexford, Y35 WR02, Ireland.
Our Data Protection Manager can be contacted using our Contact Form. On that page you will also find contact telephone numbers for the company. Please note we work mainly in the GMT time zone, so our office hours may differ to yours if you are contacting us.
Why we use Personal Data
We process (use) personal data to help us run our business, deliver projects, and run events.
We process data about people for the following purposes:
- Sales and Marketing
- Executing projects
- Delivering training, (either directly or through partners)
- General office administration and accounting
- Organising and running events
- HR administration, including payroll and recruitment
- Management of sub-contractors
What data do we use?
We use a variety of categories of personal data depending on our purposes. In all cases, we aim to capture and process the minimum necessary to deliver our services and meet our obligations.
We process the following categories of personal data for the purposes set out. We provide general information on the lawful grounds we rely on for processing in each context. The specific basis relied on will depend on the context of processing.
Where necessary or relevant data subjects are provided with additional information relevant to the context of processing at the time their data is being processed. For example, we have a specific Data Protection Notice for our recruitment and selection processes that is provided as part of the advertising for roles in Castlebridge.
Processing Purpose | Category of Information Processed | Lawful Basis for Processing |
---|---|---|
Sales and Marketing |
| Legitimate Interest Consent As we operate B2B, Regulation 13(2) of SI336/2011 will apply to some of our marketing activity. |
Executing Projects |
| Legitimate Interests |
Delivering Training |
[Note: We deliver training either inhouse for clients, through partners, or as public courses – the data processed will vary depending on the context of delivery] | Legitimate Interest or, where contracting directly with Data Subject, Contractual Necessity |
Hosting and Promoting Webinars |
[Note: Webinars are recorded, but every effort is made to ensure that participants voice or image is not published in such recordings without permission] | Legitimate Interests See also Regulation 13(2) of SI336/2011 for B2B marketing by email. |
General Office Administration and Accounting |
| Legitimate Interests, Contractual Necessity, Statutory Obligations |
HR Administration and Management of Sub Contractors |
| Contractual Necessity Legitimate Interest |
Health and Safety |
| Statutory Obligation |
Website Performance Management and Security |
| Legitimate Interests |
Cookies on this Site
We try not to, but some of the tools we use write cookies, and some features of this site won’t work without cookies.
We take all reasonable steps to minimise the use of cookies and to anonymise cookies on this site.
Our Cookies
We use a first-party website analytics tool called Matomo to measure the performance of our website. Our analytics data is not shared with or pooled with any other organisation and it cannot be used to target advertising to you based on you visting our site. Furthermore, we have:
- Anonymised all IP addresses recorded in our analytics tools.
- Configured Matomo to use pseudonymous user ids so no directly identifiable data is logged for analytics purposes
- We only retain detailed analytics logs for six months.
- All historic data is anonymised.
- We respect “Do Not Track” signals set in Browser settings.
Details of Cookies can be found on our Cookies Notice page
Social networks and Embedded Content
We maintain active social network accounts particularly on Twitter. We may embed widgets from these networks to present content to you. This will in result cookies being set by these networks while using our site. But, in each case, you will need to provide consent before any embedded content will work. In the table below you can find where to look for more information about the data protection practices of Twitter and LinkedIn, our two main social networks. .
Social Network | Policies | Opt-out |
Privacy Policy | Cookies | GDPR Compliance | Opt-out Options | |
Privacy Policy | Cookies | GDPR Compliance | Opt-out Options |
Castlebridge makes use of several third party online services to provide features such as embedded video and social sharing. While every effort is made to use “no-cookie” variants of embed codes and to minimise exposure to third party tracking through these services, we cannot guarantee that cookies will not be written to your device. These services may set cookies when visiting our website. Please note that some cookies written by video services are necessary for the processing of the video (e.g. to track where you last viewed to on a video).
Service | Policies | Opt-out |
YouTube : embedded video | Privacy Policy (on Google) | Cookies | GDPR Compliance | Opt-out Options |
Vimeo : embedded video | Privacy Policy | Cookies | Opt-out Options |
Wordfence: Website security | Privacy Policy | Cookies Information | Wordfence is necessary functionality on this site |
SoundCloud: Podcast streaming | Privacy Policy | Cookies Information | Opt-out Options: See Soundcloud.com Cookies Information |
You can find out more about the cookies used on this site by visiting our Cookies Notice.
Third Party Recipients
In the course of our business we are required to disclose data to third parties who are not data processors on our behalf.
For many of our processing activities, we are required to disclose data to third parties who are not data processors acting on our behalf or data controllers on whose behalf we are working. Categories of recipients include:
- Tax authorities (e.g. Irish Revenue Commissioners)
- Law enforcement (where required for the investigation, detection, or prosecution of criminal offences)
- Standards bodies or bodies accrediting certifications taught or examined by Castlebridge.
- Collections agencies in respect of outstanding or delinquent invoices .
Cross Border Transfer
Some of our service providers or partners are based outside the EU/EEA. We make sure to only use providers who are processing data outside EU on a valid basis. Castlebridge will, from time to time, make use of services provided by 3rd parties for the delivery of our services which may necessitate the transfer of personal data outside the EU/EEA. For example, we use a variety of cloud-based tools such as Teamwork.com, Office365, and similar tools. Where data needs to be transferred or processed outside the EU/EEA, we chose providers who process data on the basis of
- Model Contract Clauses
- An Adequacy Decision from the European Commission.
- Appropriate additional technical safeguards, including but not limited to the use of encryption, including own-key encryption.
In exceptional circumstances we will rely on the consent of the data subject or the necessity of the processing for the performance of or conclusion/performance of a contract that the Data Subject has entered into (e.g. transferring data to a US-based accrediting body for certifications so that a client can receive their accreditation). On a case by case basis, we may rely on other grounds for transfer, including processing that is necessary for the establishment, exercise, or defence of legal claims.
Data Processors
We use a variety of 3rd party tools to run the business.
The categories of suppliers used includes:
- Telephones & Comms
- Office productivity
- HR Management
- Accounting
- Payment Processing
We use a variety of data processors in the course of our work. Our current list of processors is:
Data Processor | Purpose for Processing | Cross Border Transfer? |
Microsoft – Office365 | Office administration, email, video conferencing, document storage (Sharepoint) | EU Data Centres selected; Own-key encryption enabled |
IPTelecom | Telephony and conference call bridges etc. | EU based |
HRLocker.com | HR records management | EU based |
Teamwork.com | Helpdesk platform (Teamwork Desk), Project Management (Teamwork Project) | EU Data Centres Selected |
Xero.com | Accounting |
|
RDA Accountants | Accounting | EU-based |
3 Ireland | Telecommunications | EU-based |
Wibble | Website Development and hosting | NI-based team (UK data protection adequacy decision applies), EU-based hosting. |
Innocraft | Website Statistics (Matomo) hosting | New Zealand (Safe Country) |
SoundCloud | Audio streaming and hosting | EU-based, UK Head office |
SendInBlue | Email Marketing and Markeing automation | EU-based |
GoCardless.com | Direct Debit Payment Processing | EU-based |
Blacknight | Web hosting / email | EU-based |
Stripe | Credit Card Processing | US, Transfers via SCC |
Zoom | Video Conferencing / Webinar Hosting | US-based, using EU data centres |
Zapier | Process Automation | US-based. SCCs as basis for transfer |
LearnUpon | Learning Management System | EU-Based |
Innovate | IT systems support | EU-Based |
Cloudflare | DNS Hosting (as sub-processor to to Wibble) | Various (global DNS resolution) |
This list is reviewed on a quarterly basis or when new suppliers are added.
Keeping Data
We retain data for as little time as possible. Our retention periods are based on:
- Statutory Obligations
- Contractual Requirements
- Quality Assurance
- Prudent risk management
Castlebridge retains personal data about individuals for a range of periods. The basis for our retention periods is based on:
- Statutory obligations
- Contractual obligations
- Quality assurance standard obligations provided by our training partners or accrediting bodies.
- For reasonable periods after the conclusion of engagements for QA and risk management purposes.
On a case by case basis, records may be retained for longer where required for actual or potential legal actions or the management or mitigation of operational or strategic risks to the organisation. Where records are subject to this kind of “hold” process, the ongoing retention will be reviewed on an annual basis.
Your Rights
You have a range of rights under EU Data Protection law. Among these rights is the right to assistance from a Supervisory Authority. Our Supervisory Authority is the Irish Data Protection Commission.
Your Rights
- For processing activities for which we rely on consent as a basis for processing your data, you have the right to withdraw your consent at any time.
- For processing activities which are based on a statutory or contractual requirement, you may request your data not be processed for that purpose. However, this is not an absolute right and may be over-ridden by our statutory obligations. In other cases, requesting that data should not be processed for a particular reason may prevent us from executing a contract or delivering a service to you.
- You have the right to request:
- A copy of data we hold about you. (Right of Access)
- That any error in data we hold about you is corrected. (Right of Rectification)
- That data we hold about you be erased, unless we have a countervailing interest or legal obligation to retain it. (Right of Erasure)
- That we refrain from processing data for a specific purpose. (Right to Restrict processing)
- You have the right to complain to the Irish Data Protection Commissioner ( dataprotection.ie), and to seek compensation through the Courts.
As we said earlier, you can contact us via our Contact Page. Alternatively, if you have a specific data protection query you can email dataprotection@castlebridge.ie.