Privacy & Data Protection Notice

Privacy Path (MDDM Limited)
Last reviewed: April 2026

Data protection is at the heart of everything we do. We will always respect your privacy, engage with you only at your request, and handle any personal data you share with us with care, transparency, and purpose.

1. Who We Are

Privacy Path is the trading name of MDDM Limited, a data protection and GDPR compliance consultancy based in Ireland. We provide data protection consultancy, external DPO services, training and representation services for non-EU organisations.

Legal name: MDDM Limited

Trading name: Privacy Path

Registered address: The Hatch, Gorey, Co. Wexford, Ireland, Y25 A8H2

Company registration: 628387

VAT number: 3551357WH

Email: privacy@privacypath.ie

Website: privacypath.ie

Note: visits to www.gdprdataprotection.ie redirect to privacypath.ie. Both domains are operated by MDDM Limited.

2. Supervisory Authority Registration

Privacy Path is registered with both the Irish and UK data protection supervisory authorities: 

•       Ireland: Data Protection Commission (DPC) — www.dataprotection.ie

•       United Kingdom: Information Commissioner's Office (ICO) — www.ico.org.uk

As a business established in the Republic of Ireland, our primary supervisory authority is the DPC. Our UK registration reflects the dual-jurisdiction compliance services we provide to clients operating under UK GDPR.

3. What Personal Data We Collect

Privacy Path is a business-to-business consultancy. The personal data we collect is limited and primarily consists of professional contact information provided to us in the course of our work. This typically includes:

•       Name, job title, and employer

•       Business email address and telephone number

•       Communications exchanged with us by email, telephone, or through our website contact form

•       Details relevant to a specific compliance engagement, where shared by you or your organisation

We actively discourage the sharing of unnecessary personal or sensitive data. Where a project requires us to handle personal data on your behalf, this is governed by a Data Processing Agreement (DPA) and kept strictly separate from our own business records.

4. How and Why We Process Your Data

We process personal data on the following lawful bases under Article 6 GDPR:

•       Contract (Article 6(1)(b)) — To deliver our consultancy services under agreement with you or your organisation.

•       Legitimate interests (Article 6(1)(f)) — To manage our client relationships, respond to enquiries, and keep clients informed of relevant regulatory developments. Our interests do not override your rights.

•       Legal obligation (Article 6(1)(c)) — Where required by Irish law, including financial and tax obligations.

•       Consent (Article 6(1)(a)) — For any marketing or newsletter communications. You may withdraw consent at any time.

We use your contact information to:

•       Deliver agreed consultancy, DPO, or representation services

•       Respond to enquiries submitted through our website or by email

•       Send newsletters or legislative updates — only where you have opted in, with a clear unsubscribe option in every communication

•       Manage our business relationship and maintain accurate records

5. Our Technology Suppliers

To deliver our services efficiently, we engage the following specialist suppliers and platforms. We carry out due diligence on each supplier, seek EU-based hosting where possible, and require all systems to be protected by multi-factor authentication.

None of our suppliers are permitted to use your data for their own purposes. Where any transfer of personal data outside the EEA is involved, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

6. How Long We Keep Your Data

We retain personal data only for as long as is necessary for the purpose for which it was collected:

•       Active client records: retained for the duration of our engagement and for 7 years thereafter, in line with Irish statutory requirements

•       Enquiries not leading to a contract: retained for 12 months from last contact, then deleted

•       Marketing/newsletter subscribers: retained until you unsubscribe

•       Financial records: retained for 7 years in accordance with Revenue obligations

We minimise the personal data we store at every stage and do not retain information beyond what is necessary.

7. Your Data Protection Rights

Under EU GDPR, you have the following rights in relation to your personal data. These rights apply to all individuals whose data we hold, including contacts at client organisations.

To exercise any of these rights, please contact us at privacy@privacypath.ie. We will respond within one calendar month and will not charge a fee unless a request is manifestly unfounded or excessive. We accept rights requests by email, phone, or in writing.

8. Our Website

Our website (privacypath.ie) uses Plausible Analytics, a privacy-focused analytics tool that does not use cookies, does not track individuals across sites, and does not collect personal data. No cookie consent banner is required for analytics on our site.

Our website may use functional cookies required for the site to operate correctly. A Cookie Policy is available on our website.

Our website is hosted by Squarespace (USA). Squarespace processes data under Standard Contractual Clauses with the European Commission, providing appropriate safeguards for any transfer of data outside the EEA.

9. Data Security

We take the security of personal data seriously. Our measures include:

•       Multi-factor authentication required across all platforms and systems

•       Password management via Bitwarden with strong, unique credentials for every system

•       IT support and managed security through Gorey IT Solutions

•       Microsoft 365 with EU-based data storage for email and documents

•       Regular review of system access and supplier security arrangements

In the unlikely event of a data breach affecting your personal data, we will notify you and the Data Protection Commission in accordance with our obligations under Articles 33 and 34 GDPR.

10. Data Processing Agreements

Where Privacy Path processes personal data on behalf of a client organisation, for example, when reviewing client records or acting as an external DPO, we operate under a Data Processing Agreement (DPA) that sits alongside our engagement contract. We will always propose a DPA at the outset of any engagement involving personal data.

 In our role as external DPO, Privacy Path remains independent and acts in the interests of the organisation's data subjects, not solely in the commercial interests of the client.

11. Supervisory Authority

If you have a concern about how Privacy Path handles your personal data and we have not been able to resolve it to your satisfaction, you have the right to lodge a complaint with the Data Protection Commission:

Website: www.dataprotection.ie

Phone: +353 57 868 4800 or +353 (0)761 104 800

Email: info@dataprotection.ie

Address: 21 Fitzwilliam Square, Dublin 2, D02 RD28

We would always welcome the chance to address any concern directly in the first instance,  please contact us at privacy@privacypath.ie.

12. Changes to This Statement

We review this Privacy & Data Protection Statement at least annually and whenever our processing activities change in a material way. The current version will always be available at privacypath.ie. Changes take effect from the date of publication and apply to data processed from that date onward.