GDPR Compliance
Last updated: 4 September 2025

We are committed to protecting personal data and complying with the EU General Data Protection Regulation (GDPR) and Irish ePrivacy rules (S.I. No. 336/2011). This page explains our approach to data protection and how we help clients build GDPR‑ready websites.

Who we are

• Trading name: www.websitecompany.ie
• Email: info@websitecompany.ie
• Phone: +353-867807401
• Address: Birch Way, The Willows, Dunshaughlin, Co. Meath, Ireland
• Supervisory authority: Data Protection Commission (Ireland) — www.dataprotection.ie

Scope

• This statement covers personal data we process as a controller (e.g., when you visit our site, contact us, subscribe).
• When we provide web design, development, hosting, or maintenance for clients, we often act as a processor for personal data handled on their websites. In those cases, the client is the controller.

Our GDPR principles
We follow the core principles of GDPR:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

Our roles and responsibilities

• When we are the controller: We determine why and how we process your data for our own business (e.g., enquiries, billing, marketing). See our Privacy Policy.
• When we are the processor: We process personal data on clients’ instructions to deliver their website or related services. We sign a Data Processing Agreement (DPA) on request and follow the client’s documented instructions.

Lawful bases we rely on (as controller)

• Contract: to deliver projects and support.
• Legitimate interests: to respond to enquiries, improve our site, and ensure security.
• Legal obligation: accounting, tax, and compliance.
• Consent: non‑essential cookies/analytics and marketing newsletters. You can withdraw consent at any time.

How we build GDPR‑ready websites (privacy by design)

• Consent management: Implement a cookie banner with granular choices and consent logs; block non‑essential scripts until consent.
• Data minimisation: Collect only the fields you truly need in forms; support double opt‑in for newsletters.
• Security: Configure HTTPS/SSL, harden CMS, enforce strong access controls, and set up regular updates and backups where included.
• Transparency: Add clearly labelled Privacy Policy, Cookie Policy, and Terms pages; include microcopy explaining why data is collected.
• Data subject tools: Set up contact mechanisms for access/erasure requests; configure export/delete features where the platform supports them.
• Retention: Configure retention rules where available (e.g., auto‑purge old form entries, rotate logs).
• Third‑party integrations: Load marketing pixels or external embeds only after consent; document data flows in your privacy notice.

Sub‑processors we may use (examples)
We use reputable providers to run our business and deliver services. Typical categories include:

• Hosting and infrastructure (e.g., Hostinger)
• Email and productivity (e.g., email service/workspace)
• Analytics and tag management (only with consent)
• Project, ticketing, and support tools
• Backup and monitoring services
  We put contracts and safeguards in place and review providers periodically. A current list of specific providers is available on request and may be added to this page. Clients will be notified of material changes to sub‑processors when we act as a processor.

International transfers
If personal data is transferred outside the EEA/UK by us or our sub‑processors, we use appropriate safeguards:

• Adequacy decisions where available
• Standard Contractual Clauses (SCCs) and supplementary measures where necessary
  Details are available on request.

Security measures (technical and organisational)

• HTTPS/SSL, secure configuration, and least‑privilege access
• Strong authentication, password policies, and role‑based access
• Regular updates and patching of CMS, plugins, and dependencies
• Backups and recovery procedures where included in your plan
• Supplier due diligence and contractual controls
• Staff awareness and confidentiality commitments
  Note: No method is 100% secure, but we work continuously to reduce risk.

Retention and deletion

• We keep data only as long as necessary for the stated purposes.
• Typical periods: enquiries up to 24 months; client records up to 7 years (tax); logs 12 months; analytics per tool settings and consent.
• As a processor, we delete or return client data at the end of the engagement, subject to legal duties and agreed backup schedules.

Data breaches

• As controller: We assess incidents promptly and notify the Irish DPC within 72 hours where required, and affected individuals when there is a high risk to their rights and freedoms.
• As processor: We notify the client without undue delay and assist with investigation and notifications as required by GDPR and the DPA.

Your rights (EEA/UK)
You can:

• Access your personal data
• Rectify inaccurate data
• Erase your data (in certain cases)
• Restrict or object to processing
• Port your data
• Withdraw consent at any time (does not affect prior processing)
  To exercise rights, email info@websitecompany.ie. We may need to verify your identity and will respond within one month.

Cookies and consent

• We use essential cookies to run the site and, with your consent, analytics/marketing cookies.
• Manage your choices via our cookie banner or “Cookie Settings” link at any time.
• See our Cookie Policy for details on categories, providers, and retention.

Working with us as your processor (DPA summary)
When we process data for your website, our DPA typically covers:

• Processing on documented instructions only
• Confidentiality of personnel
• Security measures and assistance with DPIAs where relevant
• Sub‑processor appointments and change notifications with a right to object
• Assistance with data subject requests and incident handling
• International transfer safeguards (e.g., SCCs)
• Data return or deletion at end of services, subject to legal duties
• Audit rights proportionate to risk and industry norms
  A signed DPA is available on request and can be incorporated into your Proposal.

What we need from you to keep your site compliant

• Provide lawful bases for the data you collect (e.g., contact forms, orders, newsletter).
• Supply accurate Privacy Policy and Cookie Policy content relevant to your business practices.
• Decide your retention periods and deletion routines.
• Ensure your marketing complies with ePrivacy rules (e.g., consent or soft opt‑in, easy unsubscribe).
• Maintain licences and terms for third‑party tools you choose (email marketing, CRM, payment gateways).
• Handle data subject requests as the controller; we’ll assist with technical steps where feasible.

Children
Our services are not directed to children. In Ireland, the digital age of consent is 16. Do not submit children’s data through our site. If your business targets children, tell us so we can adjust design and safeguards.

Records and accountability

• We maintain appropriate records of processing and assess vendors and transfers where relevant.
• We review this page and our policies periodically and update controls as needed.

Complaints
If you have concerns, contact us first. You also have the right to complain to the Data Protection Commission:

• Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
• Phone: +353 (0)761 104 800 | +353 (0)57 868 4800
• Website: www.dataprotection.ie