GDPR Policy
Your rights under the General Data Protection Regulation
Last updated: 3 December 2025
About This Policy
This GDPR Policy explains your rights under the General Data Protection Regulation (EU) 2016/679 and how SparkHost.ie complies with EU data protection law.
This policy should be read alongside our Privacy Policy, which details what data we collect and how we use it.
SparkHost.ie is committed to protecting your personal data and being transparent about how we handle it.
Data Controller
Under GDPR, the data controller is the organisation that determines the purposes and means of processing personal data.
Everblue Digital is the data controller responsible for your personal data when you use SparkHost.ie services.
Legal Basis for Processing (Article 6)
GDPR requires us to have a valid legal basis before processing your personal data. We rely on the following:
Contract (Article 6(1)(b))
Processing necessary to provide our hosting and maintenance services, process payments, and fulfil our contractual obligations to you.
Legitimate Interests (Article 6(1)(f))
Processing for our legitimate business interests, such as improving our services, website analytics, fraud prevention, and responding to enquiries. We always balance our interests against your rights and freedoms.
Consent (Article 6(1)(a))
Where you've explicitly consented, such as subscribing to our newsletter or accepting non-essential cookies. You can withdraw consent at any time.
Legal Obligation (Article 6(1)(c))
Where we're required to process data by law, such as tax records and anti-money laundering requirements.
Your Rights Under GDPR
As an EU/EEA resident, you have the following rights regarding your personal data:
Right of Access
Request a copy of all personal data we hold about you (Subject Access Request).
Right to Rectification
Correct any inaccurate or incomplete personal data we hold about you.
Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data where there's no compelling reason for continued processing.
Right to Restrict Processing
Limit how we use your data in certain circumstances.
Right to Data Portability
Receive your data in a structured, machine-readable format and transfer it to another controller.
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making
Not be subject to decisions based solely on automated processing. Note: We do not use automated decision-making or profiling that significantly affects you.
How to Exercise Your Rights
Email us at hello@sparkhost.ie with your request. We will respond within 30 days as required by GDPR. We may need to verify your identity before processing your request.
Note: These rights may be limited in certain circumstances, such as where we have a legal obligation to retain data or where your request affects the rights of others.
International Data Transfers
We primarily store and process data within the European Economic Area (EEA). Our servers are located in EU data centres (Germany and Finland).
Where we use service providers based outside the EEA, we ensure appropriate safeguards are in place as required by GDPR Chapter V:
EU-US Data Privacy Framework
For US-based providers certified under the framework (successor to Privacy Shield)
Standard Contractual Clauses (SCCs)
EU-approved contract terms for international transfers
Adequacy Decisions
For countries deemed to have adequate data protection by the EU Commission
Data Security (Article 32)
We implement appropriate technical and organisational measures to protect your data:
- SSL/TLS encryption for all data in transit (HTTPS everywhere)
- Encryption at rest for sensitive data and backups
- Secure password hashing and two-factor authentication
- Role-based access controls (principle of least privilege)
- Regular security updates and vulnerability patching
- Web Application Firewall (WAF) and DDoS protection
- Daily automated backups stored in separate EU locations
- Regular security audits and monitoring
Data Breach Notification (Articles 33-34)
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify the Data Protection Commission within 72 hours of becoming aware of the breach
- We will notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- We will document all breaches, including facts, effects, and remedial actions taken
Data Retention
We retain your personal data only for as long as necessary for the purposes for which it was collected, in line with GDPR's data minimisation principle.
| Data Type | Retention Period |
|---|---|
| Account & billing data | Duration of service + 7 years (Irish tax law) |
| Support communications | 3 years after last contact |
| Contact form submissions | 2 years (or until you become a client) |
| Website analytics | 26 months (anonymised) |
| Website backups | 30-90 days (as per your plan) |
After these periods, data is securely deleted or anonymised.
Supervisory Authority & Complaints
We aim to resolve all privacy-related complaints internally. However, you have the right to lodge a complaint with the supervisory authority in your country of residence.
As we are based in Ireland, our lead supervisory authority is:
Data Protection Commission (DPC)
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
Website: www.dataprotection.ie
Phone: +353 1 765 0100 / 1800 437 737 (Freephone)
Email: info@dataprotection.ie
Contact Us
For any GDPR-related questions, to exercise your rights, or to make a complaint:
Everblue Digital (SparkHost.ie)
Email: hello@sparkhost.ie
Please include "GDPR Request" in your subject line for faster processing.
Related Policies