1. Purpose
The purpose of this Privacy Notice is to outline how we collect, process and share personal data we hold about you. This Privacy Notice will outline the types of personal data we process about you and the legal basis we rely on to do so.
The CPL Institute are committed to protecting and respecting your privacy. We wish to be transparent on how we collect, store and share personal data and to ensure that you understand your rights under the General Data Protection Regulation (“GDPR”).
In this Privacy Notice, we outline:
- The types of data we collect;
- How we use your personal data;
- Your rights in relation to the data we hold about you; and
- How to contact us if you have any questions about your data.
1.1. Company Information
At the CPL Institute we specialise in delivering high-quality professional development, health and safety training, eLearning solutions, healthcare training, and driver training to empower individuals and organisations for success.
If you wish to locate further information on the CPL Institute and the services we offer, you can find this on our website here.
1.2. Legislation
All personal data we gather will be “processed” in accordance with all applicable data protection laws and principles, including the General Data Protection Regulation, the Data Protection Act 2018 and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“ePrivacy Directive”).
1.3. Queries and Complaints
If you are unhappy with the way we have handled your personal data and wish to complain, or if you would like further information about the way your personal data will be used, please contact us at the below:
Data Protection Officer
CPL Institute
5 Saint Fintan’s, North Street, Swords, Co. Dublin
Telephone: +353 01 895 5755
Email: dataprivacy@cpl.com
If you are unsatisfied with our use of your personal data or our response to any requests by you to exercise any of your rights, then you have the right to complain to the Data Protection Commission. See contact details below:
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland
Email: info@dataprotection.ie
Telephone: +353 57 868 4800 / +353 761 104 800
2. How do we collect your personal data?
We collect personal data to enable the provision of services to support the CPL Institute purpose. The following non-exhaustive methods of data collection are an indication of ways in which we may obtain your information:
- We obtain data directly from you e.g. when you enroll in one of our courses.
- We obtain data during the provision of our services e.g. course paperwork and feedback.
It is important that the personal data you provide to us is up to date and accurate. As outlined in Section 7.2 of this notice, if the personal data we hold about you is inaccurate or incomplete, please contact us and we will update your data.
3. What personal data do we collect?
In order to provide our services, the CPL Institute needs to collect various types of personal data. The type of personal data we collect on you will vary depending on the nature of our relationship with you. Below we have outlined a non-exhaustive list of the types of data we may collect and our purpose for collecting that data.
| Process | Types of Data Collected |
| QQI Enrolment & Certification | Name, address, email address, phone number, date of birth, PPS Numbers, Gender |
| PHECC Enrolment & Certification | Name, address, email address, phone number |
| Irish Heart Foundation Enrolment & Certification | Name, address, email address, phone number |
| IOSH Enrolment & Certification | Name, address, email address, phone number |
| CPL Institute Enrolment & Certification | Name, address, email address, phone number |
| Garda Vetting | Proof of address, ID, date of birth, email address, phone number |
| Training Enrolment | Name, address, email address, phone number, credit/debit card detail if paying by card. |
| Marketing | Name, email address, phone number, course of interest, location, enquiry |
| Learner Feedback | Name, email address, phone number, course attended, course dates, trainer name |
4. How do we use your personal data?
The main purpose for which The CPL Institute processes your personal data is to provide a service to you, or otherwise manage our relationship with you. The following section provides more detail on the purposes for which we process your personal data and the legal basis by which we do this.
| Process | Description | Lawful Basis for Processing |
| QQI Enrolment & Certification | to send reports to external exam bodies. | The processing is necessary for the performance of contract to which the data subject is party. |
| PHECC Enrolment & Certification | to send reports to external exam bodies. | The processing is necessary for the performance of contract to which the data subject is party. |
| Irish Heart Foundation Enrolment & Certification | to send reports to external exam bodies. | The processing is necessary for the performance of contract to which the data subject is party. |
| IOSH Enrolment & Certification | to send reports to external exam bodies. | The processing is necessary for the performance of contract to which the data subject is party. |
| CPL Institute Enrolment & Certification | to send reports to external exam bodies. | The processing is necessary for the performance of contract to which the data subject is party. |
| Garda Vetting | to verify if the data subject is qualified and eligible to teach. | The processing is necessary for compliance with a legal obligation to which The CPL Institute is subject. |
| Training Enrolment | to enroll the learner in the course and accept payment. | The processing is necessary in order to take steps at the request of the data subject prior to entering into a contract. |
| Marketing | to keep leaners up to date on future courses. | The processing of this data is done with the consent of the data subject. |
| Learner Feedback | to provide learner with feedback on their performance in courses or assessments. | The processing is necessary for the performance of contract to which the data subject is party.
The processing of this data is for the legitimate interest of the company to ensure that learners are aware of how they performed in their exams. |
5. How long do we retain your personal data?
We only keep your personal data for as long as is necessary for the purpose for which it was originally obtained, and / or in accordance with any requirements imposed by the law. This means that the period of time for which we store your personal data may depend on the type of data we hold. To determine the appropriate retention period of personal data, we consider the amount, nature and sensitivity of the personal data, the purposes for which we process your personal data and any legal requirements to retain your data. The table below outlines a general summary of our retention periods.
| Data Type | Retention Period |
| QQI Enrolment & Certification | 7 Years |
| PHECC Enrolment & Certification | 7 Years |
| Irish Heart Foundation Enrolment & Certification | 7 Years |
| IOSH Enrolment & Certification | 7 Years |
| The CPL Institute Enrolment & Certification | 7 Years |
| Garda Vetting | 3 Years |
| Training Enrolment | 7 Years |
| Marketing | Until data subject withdraws consent |
| Learner Feedback | 7 Years |
6. Who do we share your personal data with?
We may disclose your personal information to outside organisation. Below is a list of the categories of recipients we share your personal data (as outlined above) with:
Your Representatives
Any party you have given us permission to speak to (such as a relative, friend or legal advisor) and other people or companies associated with you that are authorised by you to act on your behalf.
Our Representatives/ Service Providers
Our employees, agents and contractors including companies that provide services in relation to telecommunications and postage, data storage, document production and destruction, IT and IT security, or design.
Government, Statutory and Regulatory Bodies
Where required by law, state regulators and authorities such as the Data Protection Commission, the Revenue Commissioners, and Law Enforcement Agencies such as An Garda Síochána.
We may also disclose your personal data to the following recipients or categories of recipients:
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- If the CPL Institute or substantially all of its business or assets are acquired or transferred to a third party whether in the event of a merger, reorganisation, transfer of undertakings, receivership, liquidation or other winding up or any other similar circumstances, in which case personal data held by it about its customers will be one of the transferred assets.
- If we are under a duty to disclose or share your personal data in order to comply with any law, legal obligation or court order, or in order to enforce rights under the GDPR or other agreements.
- To protect our rights, property or safety, our customers, or others. This includes exchanging information with other companies and organisations for the maintenance and security of the site and services.
7. International Transfers
On occasion, we may need to transmit your personal data outside of the European Economic Area. In these circumstances, we will ensure that the transfer complies with our data protection obligations, and we will ensure that the transfer agreement is based on an approved transfer mechanism, such as the European Commission’s standard contractual clauses or an adequacy decision.
8. Data Subject Rights
As a data subject, you will have the following rights in relation to the processing of your personal data. Please note that these rights are not absolute, and restrictions may apply in certain situations.
Please send all requests to dataprivacy@cpl.com with as much detail as possible about your requirements to allow us to deal with your request efficiently. Before fulfilling your request, we may ask you to provide identification to enable us to verify your identity.
Upon receipt of a valid request, we will have one calendar month to respond to your request, with the possibility of extending by two further months. If we require more time to deal with your request, we will notify you of the delay and the reasons behind it within 30 days of the receipt of the request. If we refuse your request, we will also notify you within 30 days of the receipt of the request accompanied by the reasons for the refusal.
You are entitled to contact the Data Protection Commission if we refuse your request.
8.1. Right of Access
You have the right to know what personal data we hold about you, why we hold the data and how we process your personal data.
When submitting your request, please provide us with information to help us verify your identity and as much detail as possible to help us identify the information you wish to access (i.e. date range, subject of the request).
If the request is submitted by a third party (such as a solicitor) on your behalf, the request will be required to include written authorisation from you for the provision of specific data to the third party.
Please note that an access request is free of charge, however, where we determine a request to be unjustified or excessive, we may charge you a reasonable fee.
8.2. Right to Rectification
You have a right to request that the personal data held in relation to you is up to date and accurate.
Where information is inaccurate or incomplete, we encourage you to contact us to have this information rectified. Upon receipt of your request, we will ensure that the personal data is rectified and as up to date as is reasonably possible.
8.3. Right to Erasure
You have the right to seek the erasure of personal data by on you in the following circumstances:
- Personal data is no longer required for the purposes for which it was obtained.
- Where the use of the data is only lawful based on consent, you withdraw consent to the processing and no other lawful basis exists.
- The personal data is being used unlawfully.
- You object to the use of your personal data and there are no overriding legitimate grounds for the use of the data.
- Your personal data requires deletion in line with legal requirements.
However, we will be unable to fulfil an erasure request if the personal data is required for any of the below activities:
- Compliance with a legal obligation, such as the performance of a contract or compliance with certain legislation.
- For the performance of a task carried out in the public interest.
- Archiving, research or statistical purposes in the public interest.
- The establishment, exercise or defence of legal claims.
8.4. Right to Restriction
You have the right to restrict the extent for which your personal data is being used by us in circumstances where:
- You believe the personal data is not accurate (restriction period will exist until we update your information).
- The processing of personal data is unlawful, but you wish to restrict the use of the data rather than erase it.
- Where personal data is no longer required by us, but you require the retention of the data for the establishment, exercise, or defence of a legal claim.
- You have a pending objection to the future use of your personal data.
When the use of your data has been restricted, your personal data will only be further used:
- With your consent.
- For the establishment, exercise or defence of legal claims.
- For the protection of the rights of other people.
- For reasons important to the public interest, such as for the protecting against cross-border threats or ensuring high standards of quality and safety of health care.
We will contact you to confirm where the request for restriction is fulfilled and will only lift the restriction after we have informed you that we are doing so.
8.5. Right to Data Portability
You have the right to the provision of all personal data, which you provided to us, provided to you in a structured, commonly used and machine-readable format where:
- The lawfulness of the use of your personal data by us is reliant on the basis of a contract.
- The lawfulness of the use of your personal data by us is reliant on the provision of your consent.
- The data is being utilised by fully automated means.
You may also request that we send this personal data to another legal entity where technically feasible.
We will only refuse such a request if the data being requested may adversely affect the rights and freedoms of others.
8.6. Right to Object
You have the right to object to the further use of your personal data where:
- The lawfulness of the use of your personal data by us is reliant on the basis of our legitimate interests.
- Where the data is non-sensitive and being used for reasons in the public interest.
- Where the data is being used for direct marketing purposes.
If you wish to object to the use of your data, please contact us with your request. We will then stop using the data or personal data unless it is required for legal proceedings.
8.7. Right to Withdraw Consent
Where we are processing your personal data based on your consent, you will have the right to withdraw your consent at any time. If you wish to withdraw your consent, please contact us with your request. We will then stop the further processing of your personal data.
8.8. Right to Object to Automated Decision Making
You have a right not to be subject to a decision based solely on automated processing or profiling, where such decisions would have a legal effect or significant impact on you.
Currently, we do not employ any systems which use automated decision making or profiling on data relating to our candidates.
Where we (or one of our third-party processors) use profiling, which produces legal effects for you or otherwise significantly affects you, you will have the right to object to such processing.
9. Marketing
The CPL Institute may contact you with information about products and services of ours that we think may be of interest to you.
You have the right at any time to stop the CPL Institute from contacting you for marketing purposes.
If you no longer wish to be contacted for marketing purposes, you can use the unsubscribe button in the footer of every marketing communication or by contacting dataprivacy@cpl.com.
10. Cookies
The CPL Institute respects the privacy of all visitors to our website. This website employs cookies in order to operate effectively. More information on how this website uses cookies can be found here.
11. Changes to our Privacy Notice
We will review this Privacy Notice regularly and reserve the right to make changes at any time to take into account changes in our business, legal requirements, and the manner in which we process personal data. This Privacy Notice was last updated on 13/05/2025.
This privacy policy is effective from 13/05/2025