Privacy & Data Protection Statement
Version 4.1 • Effective: 28 January 2026
1. Introduction
In our everyday business operations, BoardX makes use of a variety of data about identifiable individuals, including data about:
- Current, past and prospective service users
- Visitors to our websites
- Marketing subscribers
- Other stakeholders
In collecting and using this data, BoardX is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.
2. Scope
2.1 Application
This Data Protection Policy applies to:
- Any person who is employed by BoardX who receives, handles, or processes personal data in the course of their employment.
- Third party companies/individuals (data processors) that receive, handle, or process personal data on behalf of BoardX.
2.2 Governing Legislation
- Regulation (EU) 2016/679 (General Data Protection Regulation)
- Data Protection Act 2018
- S.I. No. 336/2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011
3. Purpose
The purpose of this policy is to set out the relevant privacy and data protection legislation and to describe the steps BoardX is taking to ensure that we comply with it.
This control applies to all systems, people and processes that constitute BoardX's information systems, including directors, management, employees, suppliers, and other third parties who may be given access to the personal data controlled by BoardX.
The following policies and procedures are relevant to this document and should be read in conjunction:
- End User Licence Agreement
- Technical and Organisational Measures Statement
- Information Security Policy
4. Data Protection Policy
4.1 The General Data Protection Regulation
It is BoardX's policy to protect the rights and freedoms of our employees and clients and to ensure that our compliance with the GDPR and other relevant legislation is clear and demonstrable at all times. The General Data Protection Regulation (GDPR) is one of the most significant pieces of legislation affecting the way that BoardX carries out its information processing activities.
4.2 Relevant Definitions
The definitions most relevant to this policy are listed below (extracted from GDPR – Article 4):
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person – Article 4(1). |
| Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction – Article 4(2). |
| Controller | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data – Article 4(7). |
| Processor | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller – Article 4(8). |
| Third Party | A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data – Article 4(10). |
4.3 Principles Relating to Processing of Personal Data
The GDPR is based on fundamental principles set out in Article 5. Personal data shall be:
| Principle | Description |
|---|---|
| Lawfulness, fairness & transparency | Processed lawfully, fairly and in a transparent manner in relation to the data subject. |
| Purpose limitation | Collected for specified, explicit and legitimate purposes and not further processed in an incompatible manner. |
| Data minimisation | Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. |
| Accuracy | Accurate and, where necessary, kept up to date. |
| Storage limitation | Kept in a form which permits identification of data subjects for no longer than is necessary for the stated purposes. |
| Integrity & confidentiality | Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage. |
| Accountability | The controller shall be responsible for, and be able to demonstrate, compliance with all of the above principles. |
BoardX will take all reasonable steps to ensure that we and our outsourced processors comply with all of these principles both in current processing activities and in the introduction of new methods of processing.
4.4 The Rights of the Individual
Data Subject rights under the GDPR consist of:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Each of these rights is supported by appropriate procedures within BoardX that allow the required action to be taken within the timescales set out in the GDPR:
| Data Subject Request | Timescale |
|---|---|
| The right to be informed | When data is collected (if supplied by data subject) or within one month (if not supplied by data subject) |
| The right of access | One month |
| The right to rectification | One month |
| The right to erasure | Without undue delay |
| The right to restrict processing | Without undue delay |
| The right to data portability | One month |
| The right to object | On receipt of objection |
| Rights in relation to automated decision making and profiling | Not specified |
4.5 Lawfulness of Processing
At BoardX, it is our policy to identify and designate the appropriate lawful basis for processing personal data and to document it, in accordance with the Regulation. The six lawful bases under GDPR Article 6 are described below:
Consent
Where relying on consent as the legal basis for processing, BoardX will always obtain and retain evidence of explicit consent from a data subject to collect and process their data. In respect to children below the age of 16, parental consent will be obtained. We will provide transparent information about our use of personal data at the time consent is sought and will explain their rights, including the right to withdraw consent. This information will be provided in an accessible form, written in clear and plain language, free of charge.
Performance of a Contract
Where personal data processing is required to fulfil a contract between BoardX and the data subject, explicit consent will not be required. This will often be the case where a contract cannot be completed without the personal data in question – e.g. data required to complete a payment transaction or to process wage payments.
Legal Obligation
Where personal data processing is required in order to comply with the law, explicit consent will not be required. This may be the case for some data related to employment and taxation, for example.
Vital Interests of the Data Subject
Where personal data processing is required to protect the vital interests of the data subject or of another natural person, this may be used as the lawful basis. Where this basis is used, BoardX will retain reasonable, documented evidence. This basis will be used only in extreme circumstances – for instance, in a life or death situation – where the consent of the data subject cannot be obtained.
Task Carried Out in the Public Interest
Where BoardX needs to perform a task that it believes is in the public interest or as part of an official duty, the data subject's consent will not be requested. The assessment of the public interest or official duty will be documented and made available as evidence where required.
Legitimate Interests
If the processing of specific personal data is in the legitimate interests of BoardX and is judged not to affect the rights and freedoms of the data subject in a significant way, then this may be relied upon as the lawful basis for processing. The reasoning will be documented. For example, it may be used to send email information on events, resources or BoardX features and benefits that individuals are likely to have a professional interest in, or to send information on services or special offers. Digital marketing is governed by the ePrivacy Regulations, 2011.
4.6 Privacy by Design
BoardX has adopted the principle of Privacy by Design and has reviewed and appropriately modified our business processes to comply with this element of the GDPR. We will ensure that the definition and planning of all new or significantly changed methods for collecting or otherwise processing personal data will be subject to due consideration of privacy issues, including the completion of legitimate interest assessments and data protection impact assessments where necessary. The use of techniques such as data minimisation and pseudonymisation are considered where applicable and appropriate.
4.7 Direct Marketing
BoardX uses email to send information about free, informational GRC-related webinars and events, and about our products and services to current, past and prospective service users, and marketing subscribers. We carry out this activity under GDPR article 6.1(f), legitimate interest. This process uses minimal personal data (name, email, company name, job description). All marketing emails contain an opt-out mechanism.
4.8 Contracts Involving the Processing of Personal Data
BoardX will ensure that all personal data processing relationships it enters into are subject to a documented contract that includes, at a minimum, the specific information and terms required by the GDPR. For more information, refer to your End User Licence Agreement.
4.9 International Transfers of Personal Data
It is BoardX's policy to process all personal data within the European Union, within reason. Any potential transfers of personal data outside the EU will be carefully reviewed prior to the transfer taking place. This is so that we can ascertain that the receiving third country falls within the limits imposed by the GDPR and that they have appropriate safeguards in place in relation to privacy and personal data protection.
4.10 Data Protection Officer
A defined role of Data Protection Officer (DPO) is required under the GDPR if an organisation is a public authority, if it performs large-scale monitoring, or if it processes special categories of data on a large scale. The DPO is required to have an appropriate level of knowledge of data protection law and of their organisation's business environment. It can either be an in-house resource or be outsourced to an appropriate service provider.
BoardX has evaluated the requirement and decided that the appointment of a Data Protection Officer is not required. The responsibility for data protection has been assigned to the management team. Data protection compliance monitoring is the responsibility of the CEO.
4.11 Breach Notification
It is our policy to be fair and proportionate when considering actions to be taken to inform affected parties regarding breaches of their personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours. This will be managed in accordance with our Incident Response Plan which sets out the overall process for handling information security incidents.
4.12 Addressing Compliance with the GDPR
The following actions are undertaken to ensure that BoardX always complies with the accountability principle of the GDPR:
- The legal basis for processing personal data is clear and unambiguous.
- Appropriate resources have been assigned to the function responsible for data protection in the organisation.
- All personnel involved in handling personal data understand their responsibilities for following good data protection practice.
- Training in data protection is provided to all employees.
- Data protection is part of all new employee induction training.
- The rules regarding consent are followed.
- Routes are available to data subjects wishing to exercise their rights regarding personal data and there are procedures in place to ensure that such requests are handled effectively.
- An incident and near-miss reporting process is in place and is reviewed regularly.
- Regular reviews of processes and procedures involving personal data are carried out.
- Privacy by design is adopted for all new, or significant modifications to, systems and processes.
The following documentation of processing activities is recorded:
- Organisation name and relevant details
- Purposes of the personal data processing
- Categories of individuals and personal data processed
- Categories of personal data recipients
- Agreements and mechanisms for transfers of personal data to non-EU countries including details of controls in place
- Personal Data retention schedules
- Relevant technical and organisational controls in place
These actions are reviewed on a regular basis as part of the management process concerned with data protection.
5. Contact Details
BoardX Limited
The Hatch Lab, M11 Business Campus
Innovation House
Gorey, Co. Wexford, Y25A8H2
Ireland
Email: [email protected]
Telephone: +353 1 9131775
6. Right of Complaint to the Data Protection Supervisory Authority
You have the right to lodge a complaint with the Data Protection Supervisory Authority (DPSA). BoardX is registered in Ireland; the relevant DPSA contact details are:
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland
Webform: https://forms.dataprotection.ie/contact
Telephone: +353 (0)76 110 4800 or +353 (0)57 868 4800