(Effective from 12 June 2018, Last updated July 2025)

Who We Are

XpertDPO, an information security and governance consultancy, operates in the Republic of Ireland, the United Kingdom, Italy, and the Middle East, focusing on the provision of data protection, privacy compliance, and information governance services to clients across various sectors.

Scope

This Privacy Notice applies to XpertDPO’s existing clients, potential clients, and visitors to the website. However, it does not replace the data processing agreements (DPAs) or service contracts already in place with you.

Our Role and Your Role

When you visit our website, participate in our Learning Academy or otherwise engage with us directly, we act as the Data Controller.

When providing outsourced services (e.g., DPO-as-a-Service, EU Representative-as-a-Service), we act as the Data Processor.

Your role:

Carefully read this Privacy Notice. This Privacy Notice relates to this website, your use of it, and your use of our services.

Our clients should refer to their contract with us, which contains the processing agreements between us and further outlines how we collect and process your data.

Personal data provided about third parties or yourselves will only be used for the specific purposes for which it was intended. By submitting any information, you confirm that you have the right to authorise us to process the information on your behalf in accordance with this Privacy Notice.

  • Through interactions with XpertDPO via this website.
  • Through your engagement with XpertDPO’s XpertAcademy.
  • Direct communications with us.
  • Some data is provided by you, and some may be collected automatically through cookies (see our Cookie Policy).

What Data We Collect

In accordance with the purposes outlined in this Privacy Notice, we will collect basic or regular personal data used to facilitate a consultant/client type relationship. This includes your name, email address and occasionally billing information. As a sole trader or partnership, your address could be considered as personal data.

As part of the learner registration and participation process on our Academy platform, we collect only the minimum personal data necessary to deliver our services effectively. Specifically, we collect:

  • Name and email address: provided during account registration to identify and communicate with learners.
  • IP address: automatically logged when users access the platform, for system security, user session management, and analytics.
  • Interaction data: information about how learners interact with specific course elements (e.g. which modules are accessed, time spent, and completion status), automatically collected to support course delivery, monitoring progress, and system performance.

All data is processed in accordance with the principles of data minimisation and purpose limitation, and is used solely for the operation, improvement, and support of the Academy learning experience. We do not collect any special category data via the LMS.

We Do Not Collect

Special category (sensitive) data or criminal conviction data.

Children’s data is not collected. XpertDPO is a business-to-business service intended for use only by those aged 18 years or over. XpertDPO is not intentionally targeted at children, and we do not knowingly collect any personal data from any person under 16 years of age via this website.

How We Use Your Data and Why

Purpose | Legal Basis
Responding to your enquiries or providing consultancy services | Performance of a contract or pre-contract steps
To invoice and manage billing | Compliance with a legal obligation
Sending occasional updates (with your consent) | Consent
To facilitate enrolment & participation in our Learning Academy | Performance of a contract or pre-contract steps
Maintaining security and business operations | Legitimate interests (business operation)

You always have the right to opt out of marketing communications.

Your Rights and Data Collection

You can exercise your rights as a data subject by sending an email to us at dpo@xpertdpo.com. A response will be provided within one month of the request unless doing so adversely impacts the rights and freedoms of others (e.g. another person’s confidentiality or intellectual property). We’ll tell you if we can’t meet your request for that reason.

Right of Access to your personal data and supplementary information including:

  • The categories of personal data we’re processing
  • The purposes of the data processing
  • The third parties or categories of third parties to whom the data may be disclosed.
  • Time period of storage or the criteria determining such.
  • Information about other data protection rights you can exercise.

Right to Rectification

You have the right to have inaccurate or incomplete personal data corrected/updated by us without undue delay.

Right to Object

You have the right to object to processing where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes.

You can object to the use of your data for profiling or making automated decisions about you.

We will use your data to determine relevant information for you (e.g. tailoring emails based on your behaviour). Otherwise, the only circumstances in which we do so are to provide our services to you.

Deletion of data no longer needed (the “right to be forgotten”):

You may ask for your data to be erased. If it is no longer necessary for us to hold your data, it shall be erased.

Move your data to another provider (“data portability”):

Where you have provided us with a copy of your data electronically, a copy of your data will be provided in a commonly used, machine-readable format to allow a transfer of information to another service provider.

Restriction of Processing

This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.

You may opt out of providing your personal data. You may continue to use our website and browse, but we will not be able to process transactions without it.

We will inform you before collecting any data if we intend to use it for marketing purposes and if third parties are involved. Opt out by emailing: dpo@xpertdpo.com

Data Transfers Outside the EEA

Our primary data processing location is Ireland. We do not, as a rule, transfer personal data outside the European Economic Area (EEA). Where a transfer does take place, we ensure protection by:

  • Using Standard Contractual Clauses approved by the European Commission.
  • Performing risk assessments and taking necessary measures.

How Long We Keep Your Data

Records are stored for as long as necessary to fulfil the purposes of collection. We have a records retention policy in which a detailed data retention schedule is outlined, primarily aligned with retention obligations under legal and contractual requirements. We will retain your information during the operational period needed to complete our legitimate business procedures, including satisfying legal, accounting or reporting requirements. Generally, client records are stored up to seven years after the conclusion of the client relationship (to meet Revenue and legal obligations).

In determining the retention period, we consider the amount, nature and sensitivity of the Personal Data and the potential risk of harm from unauthorised use or disclosure, as well as the purposes for which we process your personal data, whether we can achieve those purposes through other means, and any applicable legal requirements.

We regularly review and securely delete data no longer needed.

Security Measures

XpertDPO have implemented appropriate Technical and Organisational Measures (TOMs in GDPR terminology) to protect our data against unlawful or unauthorised processing of that data, and against the accidental loss of, or damage to, data including personal data.

The data you provide to us is protected using industry standard encryption, intrusion prevention, endpoint protection and account access techniques as appropriate and required.

We have implemented procedures and technologies to maintain the security of all data that we process during its lifecycle (e.g. from the point of collection to the point of destruction). We maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:

  • Confidentiality means that only people who are authorised to access the data can access it.
  • Integrity involves maintaining the consistency, accuracy and trustworthiness of the data over its entire lifecycle. Data must not be changed in transit, and steps must be taken to ensure data cannot be altered by unauthorised people (for example, in a breach of confidentiality).
  • Availability means information should be consistently and readily accessible for authorised parties. This involves properly maintaining our hardware and technical infrastructure and systems that hold and display the data.

Concerns and Complaints

If you have concerns about the processing of your data, you can contact us at any time.

Stuart Anderson, CEO
+353 1 678 8997
dpo@xpertdpo.com

Should we fail to address and correct your concerns regarding the use of your data, you reserve the right to contact the Data Protection Commission.

Data Protection Commission
6 Pembroke Row, Dublin 2, D02 X963
www.dataprotection.ie

XpertDPO