Privacy Notice

Why we collect and use personal data
When, and what types of data we collect
How are the data being collected on the website?
How we use the data
Your Rights
For Your Information
Purposes of Processing and Legal Bases for Processing
Legitimate Interests as a Legal Basis
Any other recipients of the personal data
Intended Transfers to non-EU member state or International organisation and details of adequacy decisions and safeguards
Retention Periods
Data Security
The Existence of other Rights
Information Re: Consent
Right to Lodge a complaint with Supervisory Authority
The Nature of the Provision of Personal Data
The Existence of Automated Decision – Making, including Profiling
Website Tracking
How We Use Cookies
Links To Other Websites
Changes To Our Notice


GDPR Xpert respects the data protection rights of all its clients and is committed to strictly adhering to all data protection rules and regulations. At the core of our relationship with you (‘the data subject’, i.e., the person whose data is being processed) is complete transparency about what we do with any personal data that you and others provide to us. Therefore, the main purpose of this notice is to inform you in a clear, simple and intelligible manner, which avoids unnecessary legalese, of personal data processing in relation to the operation of the website. This Privacy Notice explains in unambiguous terms, the data we collect and use in connection with the website, and the uses we make of such data, including any disclosures to third parties.

Why we collect and use personal data.

We collect data on our website in order to initiate a business relationship and provide a data protection consultancy service. The personal data are  necessary in order to respond to a query and provide additional information if requested. Personal data are  also necessary where a contract for services is being considered, prior to contract, and to draw up a contract. Other data are  used to improve and develop the website. We may also use data  to send you promotional material and our newsletter, subject to your clear preference when we collect your contact details, or at a later stage. You can opt out of promotional and marketing material by e-mailing Our lawful bases for processing the data are outlined below. (see ‘Purposes of Processing and Legal Bases for Processing’.)

When, and what types of data we collect.

When you access the website you will have the opportunity to provide personal data in the contact box. This is completely optional and you are under no statutory or contractual obligation to do so. When you do fill out the contact detail box you will be made aware that you are consenting to the processing of your personal data in accordance with the GDPR and this Privacy Notice. At this point other technical data will also be collected in line with our cookie policy. This other data comprises analytic and statistical information collected on an aggregate basis of visitors to the website. When you visit the website normally the IP address of your web server, your TLD name (.com, .ie, .org etc.), the type of web browser and operating system you use, will be retained.

Amongst the data initially collected are name, postal address, e-mail address, phone number and company name. At a later stage further details may become necessary including financial data such as IBAN, BIC, bank sort code, and account name. These data are consciously provided by the data subject. Other data collected such as IP address, geolocation information, and how you use the website are provided by our analytics service provider, Google Analytics,  (Privacy policy) and are used in order to manage the business and web site more effectively. More  data include how you interacted with the website, e.g., how long you stayed on the site, what pages you viewed etc. We make no attempt to use the technical details to try and identify individuals who visit the website.

How are the data being collected on the website?

Most personal data are collected directly from the data subject through the contact box. Other technical data are collected through the use of cookies on the website and by our analytics. A cookie is a small piece of data that a website asks your browser to store on your computer or mobile device. Using a cookie allows the website to ‘remember’ your actions or preferences over time. The types of cookies used on this website and the data they collect are set out in our cookie policy.

How we use the data.

Any data collected directly through the website contact box are used solely to have essential contact information. If you do fill out the contact form you will be made aware that you are consenting to the processing of your data in accordance with GDPR and this Privacy Notice. No analytics data are shared with or pooled with any other organisation, and no data are used to target advertising to you from your visit to the website. Where we intend to use your data for marketing purposes we will inform you at the outset. You can opt out or object to processing for direct marketing purposes by e-mailing,

Your Rights.

GDPR introduced enhanced rights for the data subjects and these rights extend to ten separate rights for data subjects. More detailed information on your rights is available here.

The exercise of many of the new rights is dependent upon knowledge that the data are being processed in the first place. Therefore, the importance of the Right to Information cannot be understated. Where the personal data are being collected directly from you, we will in accordance with Art. 13 (1) and Art.13 (2) provide information as below.

For Your Information.

        Identity of Data Controller

Patrick Rowland, 60  Old Burrin ,Carlow, Ireland.


Office: 0599134259   Mobile: 0858754526

Purposes of Processing and Legal Bases for Processing.

Whether you provide personal data, or just browse the website, Patrick Rowland at acts as the ‘Data Controller’ for the purposes of GDPR. The lawful basis for data processing at this juncture is your consent. At a later stage, if services are sought by you, the data subject, the lawful basis may become one of contract, and specifically a contract for services. Both of these fall under Art. 6 GDPR. Certain information is necessary prior to entering into a contract for services, even if no contract ever materialises. For example, a quotation for services to be provided may be requested. This is another lawful basis covered under Art. 6 GDPR. If you use our DPO outsourcing service we act as the ‘Data Processor’.

As the relationship changes or grows, further personal data may need to be processed. At all stages the lawful basis for the processing operation will be communicated to the data subject and no processing will take place without a minimum of one lawful basis. If at any time you withdraw consent to the processing of your personal data we will immediately cease all processing operations except for storage. We will not seek another lawful basis for processing, even where one is legally available, unless we are under a legal obligation to do so. If you choose not to provide any personal information you are free to browse the website as you please, but technical data may be processed in accordance with our cookie policy. When our relationship becomes a contractual one, an exchange of financial information to facilitate payments becomes part of the normal course of business. Contract law and your consent will be the legal bases for the processing of the financial data. This financial data may include bank details such as IBAN, BIC, sort code, account number, account name.

Legitimate Interests as a Legal Basis.

If we, or a third party, are to use ‘legitimate interests’ as a  legal basis for processing, we will inform you of those ‘legitimate interests’.  For example, it is in the legitimate interest of our business to process information for administration and accounting requirements. We will only use ‘ legitimate interests’  as a solitary  basis for processing  when  under a legal obligation to do so.  Processing on the basis of ‘legitimate interests’ means the processing must be ‘necessary’ for the purposes of the ‘legitimate interests’ pursued by GDPRXpert or a third party.   Being useful or convenient does not mean processing is ‘necessary’. These ‘legitimate interests’ may be overridden by your rights and interests, but not in all cases. However, in all cases, ‘legitimate interests’ as a lawful basis has to be balanced against all your other rights, and not just your data protection rights.

Any other recipients of the personal data.

There are occasions when engaged in processing we are required to disclose data to third parties who are neither data processors acting on our behalf, nor data controllers on whose behalf we are working. Such recipients of data include The Revenue Commissioners and law enforcement authorities, where needed for the investigation, detection, prosecution or prevention of criminal offences. We may also disclose personal data in connection with our lawful purposes to third parties who provide services to us in connection with the website, such as IT service providers and analytic service providers

Intended Transfers to non-EU member state or International organisation and details of adequacy decisions and safeguards.

We may from time to time make use of third party service providers to deliver our services which may necessitate the transfer of personal data outside the EU/EEA. Cloud based tools are examples and these may include Office365 (Microsoft Privacy Policy). This is a cloud based office productivity suite which we use primarily to send, receive and track e-mails. Where data does have to be transferred outside the EU/EEA we will choose providers who process on the basis  an Adequacy Decision or Model Contract Clause. Appropriate safeguards will be in place to protect the rights of all  data subjects. At the time of this  most recent edit negotiations are ongoing to replace the EU/US data transfer agreement ( Privacy Shield) that has been repudiated by the CJEU.

Retention periods.

Where you provide us with personal data but no further relationship develops, we will archive your data 1 year from the first contact, and delete the data 1 year later.
Where you used our services at some point in time, but there has been no contact for 2 years, we will then archive your data. We will delete no later than 6 years after the end of the last service, unless otherwise stated in a contract with us, or we are under a legal obligation to extend this period. Where we change our retention periods you will be informed, and at least given the criteria for these changed retention periods. For example, a change in Revenue or tax law may take place that will dictate corresponding  changes in our  retention periods.

Data Security.

GDPR Xpert is committed to protecting your personal data and operates and uses appropriate technical and physical measures to protect your data. These measures are in place to protect your data from loss or alteration, accidental or unlawful destruction, and from any unauthorised disclosure or access. Data will only be stored on mobile devices that are encrypted. The effectiveness of technical and physical measures is regularly tested and assessed.

The Existence of other Rights.

At the time the data is collected from you, you must be made aware of the existence of the following rights:
Right of Access: You have the right to request a copy of your data and confirmation whether data concerning you is being processed;
Right to Rectification: you have the right to have any inaccurate data corrected and any incomplete information made complete;
Right to Erasure: You have the right to request us to delete any personal data we hold about you;
Right to Restrict Processing: You have the right to request that we no longer process your data for particular reasons;
Right to Object: You have the right to object to processing of your data for particular purposes;
Right to Data Portability; You have the right to request us to provide you, or a third party, with a copy of your data, in a structured, commonly used and machine readable format
If you wish to exercise any of these rights, please contact

Information Re: Consent.

Where processing is based on consent you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on that consent before the withdrawal. Silence, pre-ticked boxes or inactivity cannot constitute consent. On this website any request for consent will be clearly distinguishable from other matters contained on the website.

Right to Lodge a complaint with Supervisory Authority.

You have the right to lodge a complaint to the Office of the Data Protection Commission here.

Data Protection Commission,
Phone: +353 (0)761 104800 | +353 (0)57 868 4800
21 Fitzwilliam Square South,
Dublin 2,

The Nature of the Provision of Personal Data.

What we are referring to here is whether the provision of the data is a statutory or contractual requirement, or a requirement necessary to enter into a contract. Where processing activities are based on either statutory or contractual requirement, you may ask for your data not to be processed for that purpose. However, in some cases, our statutory obligations may outweigh your right. You are not obliged to provide the personal data, but no relationship can commence, no contract can be drawn up or no service delivered without your personal data being made available to us.

The Existence of Automated Decision – Making, including Profiling.

Your data is not used for either of the above.

Website Tracking

We use Google Analytics to track our websites visitor history. Our Google Analytics tracks visitor demographic, time spent on site and page visited. It does not track any private information such as your name, email, phone number, address or financial information.

How we use cookies

A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyze web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. GDPRXpert will only use cookies for the purpose of statistical analysis of visits to the website.  Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

We use traffic log cookies to identify which pages are being used. This helps us analyze data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system. Google Analytics provides us with the website statistics and their tracking cookies are explained in detail here.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. We do not use embedded third party plug-ins such as those from Twitter, Facebok and LinkedIn. No visitors to this website are tracked online or targeted with ads.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website. To view how to manage your cookies in, for example, Google Chrome, simply click here. For further information on managing cookies in your own particular browser, go to the Settings or Help function in the browser.

Cookies in Use on this website

Cookie Name:  _ga

Purpose: Registers a unique ID that is used to generate statistical data on how the website visitor uses the website.

Type: HTTP

Expiry: 2 years



Cookie Name: _gat

Purpose: Used by Google to throttle, or generally regulate, the  request rate.

Type: HTTP

Expiry: 1 day


Cookie Name: _gid

Purpose: Registers a unique ID that is used to generate statistical data on how the website visitor uses the website. This helps us to measure how visitors interact with our website content.

Type: HTTP

Expiry: 1 day


Links to other websites.

Our website , through our blog page, may sometimes contain  links that expand on a topic and  enable you to visit other websites of interest easily. We only provide links to websites we have adjudged to be reputable. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Changes to our privacy policy.

Our services and our service providers  may change from time to time. More importantly, the legal and regulatory landscape may alter.  As a result, at times it may be necessary for us to make changes to this Privacy Notice. We reserves the right to update or modify this Privacy Notice at any time, and from time to time, without prior notice. Please review this privacy notice periodically, and especially before you provide any personal data. This Privacy Notice  was last updated on the date indicated above. Your continued use of the services after any changes or revisions to this Privacy Notice shall indicate your agreement with the terms of such revised Privacy Notice.


All information on these pages is provided by GDPRXpert and is believed to be correct as at the time of issue. GDPRXpert accept no liability for any inaccuracies or any loss or damage arising from the use or reliance on information obtained from the website.

This Privacy Notice has been revised on 22/09/2023. Any queries or questions about this policy should be directed to: