Privacy Notice

Who we are

XpertDPO is an information security and governance consultancy company registered in the Republic of Ireland and the United Kingdom.

Our Republic of Ireland business registered address is 26 Croghan Heights, Arklow, County Wicklow. We also have an office at 20 Harcourt Street, Dublin 2, D02 H364. We are registered in Ireland and our company number is 628375. Our Irish VAT Number is 3545944FH.

Our UK business operates from, and is registered at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

Our Middle East office operates from Blueridge Suite 907, Amani Tower, Seef 436, Bahrain.

Scope

This Privacy policy is effective from June 12th 2018 and was last updated on January 22nd 2022. If you are an XpertDPO client, potential client or you’re just browsing our website, this policy applies to you.

Our Responsibilities

If you are a registered XpertDPO client or a visitor to our website we act as the ‘Data Controller’ of personal data. This means we determine how and why your data are processed. 

If you are a client who uses one of our outsourced services (DPO-as-a-Service / European representative-as-a-Service) then we act as the ‘Data Processor’.

Your Responsibilities

Read this Privacy Policy.

This privacy notice relates to this website and your use of it. If you are our client, please also check the contracts and data processing agreements between us: they contain further details on how we collect and process your data.

If you provide us with personal information about other people, or if others give us your information, we will only use that information for the specific reason for which it was provided to us. By submitting the information, you confirm that you have the right to authorise us to process it on your behalf in accordance with this Privacy Policy.

When, and how we collect data

From the moment you interact with XpertDPO via this website, we are collecting data. Sometimes you provide us with data, sometimes data about you is collected automatically.

The data we collect

Personal Data

We will collect personal data with you in accordance with the purposes outlined in this document.  This will be basic or regular personal data used to facilitate a consultant/client type relationship usually your name and email address and from time to time billing information.  If you are a sole trader or partnership, we would consider your address to be personal data.

Special Category Personal Data

We will not collect special category data from you.

Criminal Conviction Data

We will not collect criminal conviction data from you.

What about children’s data?

XpertDPO is a business-to-business service and as such, this website directed to and intended for use only by those who are 18 years of age or over. We do not intentionally target XpertDPO at children, and we do not knowingly collect any personal data from any person under 16 years of age via this website.

Your rights as a data subject

Your rights

You can exercise your rights by sending us an email at subjectaccess@xpertdpo.com 

You have the right to access information we hold about you

This includes the right to ask us supplementary information about:

• the categories of data we’re processing
• the purposes of data processing
• the categories of third parties to whom the data may be disclosed
• how long the data will be stored (or the criteria used to determine that period)
• your other rights regarding our use of your data

We will provide you with the information within one month of your request, unless doing so would adversely affect the rights and freedoms of other (e.g. another person’s confidentiality or intellectual property rights). We’ll tell you if we can’t meet your request for that reason.

You have the right to make us correct any inaccurate personal data about you

You can object to us using your data for profiling you or making automated decisions about you. We will use your data to determine whether we should let you know information that might be relevant to you (for example, tailoring emails to you based on your behaviour). 

Otherwise, the only circumstances in which we will do this is to provide our services to you.

You have the right to port your data to another service

We will give you a copy of your electronic data in a commonly used, machine readable format so that you can provide it to another service. However, where there is a possibility that the rights and freedoms of a third person would be at risk by providing the data, we may exercise our right to refuse your request.

You have the right to be ‘forgotten’ by us

You can do this by asking us to erase any personal data we hold about you, if it is no longer necessary for us to hold the data we will erase your data.

Your Privacy choices

You can choose not to provide us with personal data. If you choose to do this, you can continue to use the website and browse its pages, but we will not be able to process transactions without personal data.

We will inform you (before collecting your data) if we intend to use your data for marketing and if third parties are involved. You can opt out from marketing by emailing us at subjectaccess@xpertdpo.com.

Making a complaint

You can contact us at any time to make a complaint about the way in which we have processed your data, this website or to make a subject access request. Please use the details below:

Founder & CEO: Stuart Anderson

Telephone: +353 1 678 8997

Email: subjectaccess@xpertdpo.com

Postal Address: 20 Harcourt Street, Dublin, D02 H364

Making a complaint to the data protection commission

You have the right to lodge a complaint regarding our use of your data

Please tell us first, so we have a chance to address your concerns. If we fail in this, you can address any complaint to the Data Protection Commission, you can find their contact details directly below…

Postal Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

Telephone: +353 1 765 01 00, 1800 437 737

Email: info@dataprotection.ie

Security

XpertDPO have implemented appropriate Technical and Organisational Measures (TOMs in GDPR terminology) to protect our data against unlawful or unauthorised processing of that data, and against the accidental loss of, or damage to, data including personal data. 

The data you provide to us is protected using industry standard encryption, intrusion prevention, endpoint protection and account access techniques as appropriate and required. 

We have implemented procedures and technologies to maintain the security of all data that we process during its lifecycle (e.g. from the point of collection to the point of destruction). We maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:

• Confidentiality means that only people who are authorised to access the data can access it.
• Integrity involves maintaining the consistency, accuracy and trustworthiness of the data over its entire lifecycle. Data must not be changed in transit, and steps must be taken to ensure data cannot be altered by unauthorised people (for example, in a breach of confidentiality).
• Availability means information should be consistently and readily accessible for authorised parties. This involves properly maintaining our hardware and technical infrastructure and systems that hold and display the data.

Where do we store data?

The personal data we collect is processed at our offices in Ireland and in any data processing facilities operated by the third parties identified below. By submitting your personal data, you agree to this transfer, storing or processing by us. If we transfer or store your information outside the EEA in this way, we will take steps to ensure that your privacy rights continue to be protected as outlined in this Privacy Policy.

How long will we retain your data?

We have a policy for the retention of records and we have detailed the retention periods for all data that we process in our data retention schedule. 

we will only retain your  Data for as long as necessary to fulfil the purposes we collected it for and for up to seven years afterwards (for example, for purposes related to statutory requirements in relation to Revenue) or otherwise permitted by applicable laws. 

We will also retain your information during the period of time needed to complete our legitimate business operations, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for data, we always consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Third parties who process your data

Modern businesses often use third parties to help them host their applications, communicate with customers, power their emails etc. We partner with third provide these services. 

When we do use these services, sometimes it is necessary for us to share your data with them in order to get these services to work well. Your data is shared only when strictly necessary and according to the safeguards and good practices detailed in this Privacy Policy.