GDPR Compliance Statement

Protential Resources
Last Updated: 31/07/2025

Our Commitment to GDPR Compliance

Protential Resources is fully committed to compliance with the EU General Data Protection Regulation (GDPR) and Irish data protection law. This statement outlines our approach to protecting your personal data and respecting your privacy rights.

Data Controller Information

Protential Resources acts as the Data Controller for all personal data processing activities.

Controller Details:

  • Legal Entity: Bluestone Personnel Limited t/a Protential Resources

  • Registration: IE 497107

  • Address: New Town Centre, 14 Killegland St, Ashbourne, Co. Meath

  • Contact: info@protentialresources.ie

Legal Basis for Processing

We process personal data under the following GDPR legal bases:

Article 6(1)(f) - Legitimate Interests

Primary legal basis for recruitment activities

Our Legitimate Interests:

  • Ongoing Recruitment Services: Maintaining candidate databases to provide career opportunities over extended periods

  • Long-term Career Support: Keeping candidate profiles available for opportunities that may arise years after initial contact

  • Market Intelligence: Understanding talent availability and client needs across market cycles

  • Relationship Management: Building sustainable professional relationships with candidates and clients

  • Service Excellence: Maintaining comprehensive databases to improve matching accuracy and service quality

Extended Retention Justification: The recruitment industry operates on long-term relationship cycles. Suitable opportunities often arise months or years after initial candidate contact. Our retention practices serve both legitimate business interests and candidate career development interests.

Balancing Test: We have conducted thorough balancing assessments and implemented regular review processes to ensure our legitimate interests do not override individual fundamental rights and freedoms.

Article 6(1)(a) - Consent

When we obtain your explicit consent for:

  • Sharing your CV with specific client companies

  • Future marketing communications (if introduced)

  • Special category data processing (where applicable)

Article 6(1)(b) - Contract Performance

For managing employment placements and service delivery

Article 6(1)(c) - Legal Obligation

For compliance with employment, taxation, and immigration laws

Special Category Data

We generally do not process special category personal data. However, if such data is revealed during the recruitment process:

Legal Basis: Article 9(2)(a) - Explicit consent or Article 9(2)(b) - Employment law requirements

Safeguards: Enhanced security measures and restricted access

Retention: Minimum necessary period with regular review

International Data Transfers

Transfers Outside the EEA

Primary Data Storage:

  • Location: AWS Dublin, Ireland (within the EEA)

  • Provider: Amazon Web Services EU-West-1 region

  • Availability: 99.99%+ uptime with robust security measures

  • Data Residency: Master database remains in Dublin, Ireland

Limited International Processing:

  • Global Synchronization: Brief data synchronization across RecruitCRM's global network for performance optimization

  • Sub-Processors: Some RecruitCRM partners may process data outside EEA under appropriate safeguards

  • Our International Offices: UK and Dubai offices access Dublin-stored data for business operations

Enhanced Safeguards:

  • EU Standard Contractual Clauses (2021/914) for any non-EEA processing

  • Data minimization during international synchronization

  • Encryption in transit and at rest for all data transfers

  • Access logging and monitoring for international access

Transfer Impact Assessment

We have conducted Transfer Impact Assessments and determined that:

  • Primary data residence in Ireland significantly reduces transfer risks

  • Millisecond synchronization minimizes exposure during global updates

  • Robust contractual and technical safeguards protect any transferred data

  • No permanent data storage outside EEA except under explicit safeguards

Data Subject Rights

How to Exercise Your Rights

Contact Methods:

  • Email: info@protentialresources.ie

  • Phone: +353 1 835 0044

  • Post: New Town Centre, 14 Killegland St, Ashbourne, Co. Meath

Response Time: We will respond within one month of receiving your request.

Right of Access (Article 15)

What you can request:

  • Confirmation of data processing

  • Copy of your personal data

  • Information about processing purposes, recipients, retention periods

  • Details of international transfers and safeguards

How to request: Email us with "Data Access Request" in the subject line

Right to Rectification (Article 16)

What you can request:

  • Correction of inaccurate personal data

  • Completion of incomplete data

How to request: Email us with updated information

Right to Erasure (Article 17)

When this applies:

  • Data no longer necessary for our recruitment services (we will assess this based on reasonable prospects of future service provision)

  • You withdraw consent (where consent was the legal basis)

  • Data processed unlawfully

  • Legal obligation to erase

Our Assessment Process: When you request erasure, we will evaluate:

  • Whether there remains a reasonable prospect of providing recruitment services

  • The length of time since last contact or engagement

  • Market conditions and typical career development patterns in your sector

  • Your expressed intentions regarding future job seeking

Limitations:

  • We may retain data where we can demonstrate compelling legitimate grounds for ongoing recruitment services

  • Legal retention requirements (employment records, financial compliance)

  • Your objection rights allow you to challenge our assessment

Right to Restriction (Article 18)

When this applies:

  • You contest data accuracy (during verification period)

  • Processing is unlawful but you prefer restriction to erasure

  • We no longer need the data but you need it for legal claims

  • You object to processing (pending balancing test)

Right to Data Portability (Article 20)

What you receive:

  • Your personal data in structured, commonly used format

  • Direct transfer to another controller (where technically feasible)

Applies to: Data processed by consent or contract, using automated means

Right to Object (Article 21)

General objection right:

  • Processing based on legitimate interests

  • Public interest or official authority tasks

Absolute objection right:

  • Direct marketing (we will stop immediately)

Rights Related to Automated Decision-Making (Article 22)

Current practice: We do not engage in automated decision-making with legal or similarly significant effects.

If introduced: We will notify you and provide meaningful information about the logic involved and significance of such processing.

Data Protection by Design and Default

Technical Measures

  • Encryption: Data encrypted in transit and at rest

  • Access Controls: Role-based access with multi-factor authentication

  • Audit Logging: Comprehensive logging of data access and processing

  • Regular Updates: Security patches and system updates

Organizational Measures

  • Staff Training: Regular GDPR and data protection training

  • Privacy Policies: Clear internal data handling procedures

  • Vendor Management: Data processing agreements with all suppliers

  • Impact Assessments: Regular review of processing activities

Data Minimization

  • We collect only data necessary for recruitment purposes

  • Regular review and deletion of unnecessary data

  • Purpose limitation enforced through system controls

Data Breach Response

Our Response Process

  1. Detection and Assessment (within 24 hours)

  2. Containment and Investigation (immediate)

  3. Regulatory Notification (within 72 hours if high risk)

  4. Individual Notification (without undue delay if high risk)

  5. Remediation and Lessons Learned

What We Will Tell You

  • Nature of the breach

  • Likely consequences

  • Measures taken to address the breach

  • Contact point for more information

  • Recommendations for protection

Records of Processing Activities

We maintain comprehensive records of all processing activities including:

For Each Processing Activity

  • Purpose and legal basis

  • Categories of data subjects and personal data

  • Recipients of personal data

  • International transfers and safeguards

  • Retention periods

  • Security measures

These records are available to supervisory authorities upon request.

Third-Party Processors

Primary Processor

RecruitCRM (Workforce Cloud Tech, Inc.)

  • Role: Recruitment database and CRM system

  • Data Location: AWS Dublin, Ireland (primary storage within EEA)

  • Architecture: Master database in Dublin with global network synchronization

  • Safeguards: EU Standard Contractual Clauses, 99.99%+ availability, industry-leading security

  • Data Processing Agreement: Comprehensive DPA with enhanced data residency provisions

Sub-Processors

RecruitCRM engages 28+ sub-processors for various services including:

  • Cloud hosting (Amazon Web Services)

  • Email delivery (SendGrid)

  • Communications (Twilio)

  • AI services (OpenAI)

  • Analytics and monitoring (various providers)

Complete list available upon request

Processor Obligations

All processors are contractually required to:

  • Process data only on our documented instructions

  • Implement appropriate security measures

  • Assist with data subject rights requests

  • Notify us of data breaches within 72 hours

  • Delete or return data upon termination

Supervisory Authority

Lead Supervisory Authority

Data Protection Commission (Ireland)

  • Website: www.dataprotection.ie

  • Phone: +353 57 868 4757

  • Email: info@dataprotection.ie

  • Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

Your Right to Lodge a Complaint

You have the right to lodge a complaint with the supervisory authority if you believe we have not complied with GDPR requirements.

Before complaining: We encourage you to contact us first so we can try to resolve any issues directly.

Regular Review and Updates

Compliance Monitoring

  • Quarterly review of processing activities

  • Annual assessment of technical and organizational measures

  • Regular training for all staff handling personal data

  • Continuous monitoring of regulatory developments

Policy Updates

This GDPR statement is reviewed regularly and updated when:

  • Our processing activities change

  • New legal requirements are introduced

  • Supervisory authority guidance is issued

  • Best practices evolve

Training and Awareness

Staff Training Program

  • Induction training for all new employees

  • Annual refresher training for existing staff

  • Specialized training for staff handling sensitive data

  • Regular updates on regulatory changes

Training Content

  • GDPR principles and requirements

  • Data subject rights and how to respond

  • Data security best practices

  • Breach response procedures

  • International transfer requirements

Accountability Measures

Demonstrating Compliance

We maintain evidence of GDPR compliance through:

  • Documentation: Comprehensive records and policies

  • Training Records: Evidence of staff training

  • Technical Measures: Audit logs and security reports

  • Vendor Assessments: Due diligence on processors

Continuous Improvement

  • Regular internal audits

  • External compliance assessments

  • Feedback incorporation from data subjects

  • Regulatory guidance implementation

Contact for GDPR Matters

Data Protection Inquiries

Email: info@protentialresources.com
Subject Line: "GDPR Inquiry - [Your Request Type]"
Phone: +353 1 835 0044
Address: New Town Centre, 14 Killegland St, Ashbourne, Co. Meath

Urgent Data Protection Matters

For urgent matters (such as suspected data breaches), contact us immediately by phone.

This GDPR statement demonstrates our commitment to protecting your personal data and complying with the highest standards of data protection law. We regularly review and update our practices to ensure continued compliance.

Document Version: 1.0
Effective Date: 31/07/2025
Next Review: 30/06/2026