1. Introduction

Personal data means data which relates to a living person who may be identified directly or indirectly from that data (“Personal Data”). The processing of Personal Data is governed by the General Data Protection Regulation 2016/679 (“GDPR”) and other applicable data protection laws (“Data Protection Law”).
Gibneys of Oldcastle Ltd Ireland (“Gibneys of Oldcastle Ltd” “we” or “us”) is a data controller. This means that Gibneys of Oldcastle Ltd determines how Personal Data is used (“Processed” / “Process” / “Processing”).

  1. Categories Of Personal Data Processed
Customers Name, address(es), telephone, mobile, email, order history, credit/payment history, direct debit details – bank a/c, sort codes,

customer delivery notes/special instructions, customer requests/queries by email, customer note/message log,

credit and debit card details for payments & refunds, marketing permission preferences, call recordings and Gibneys of Oldcastle Ltd Rewards: gender, age range, day born and month born).

Individual contact persons in suppliers and other business contacts Name, business address, telephone, mobile and email.
Name, business address, telephone, mobile and email.
  • Orders completed by Gibneys of Oldcastle Ltd for third party distributors to their customers and vice versa.
  • Preferences for various types of marketing events.


  • Digital information related to use of our websites, platforms and digital applications, including, traffic data, location data and other communication data.

Gibneys of Oldcastle Ltd Processes the following categories of Personal Data:

Gibneys of Oldcastle Ltd will ordinarily obtain or Process Special Categories of Data (“SCD”) in very limited circumstances. Where it does so it shall Process such Personal data in accordance with Data Protection Law.

  1. Purposes For Which Personal Data Is Processed

We may Process Personal Data for any of the following purposes:


    • Fulfilment of orders, delivery notifications (email and SMS), marketing and service updates, Gibneys of Oldcastle Ltd Rewards scheme, sales reporting and analysis, payment processing, payment analysis, refunds, credit notes, credit control purposes, legal requirements, customer complaints, operating of customer budget plans, to third party service providers for purchasing, polling, and invoicing purposes, sending of customer information to/ from third party distributors/hauliers for delivery of customer orders, etc.;
    • Complying with applicable law, including anti-money laundering legislation;
    • For administrative purposes, including to securing and maintaining our internal systems, platforms and digital applications;
    • Upholding an adequate level of security;
    • Carrying out controls to prevent fraud; and/or
    • Managing business relationships.

Legal basis for Processing Personal Data
We use Personal Data when:

  • We have consent to use Personal Data for a specific purpose;
  • We are, or are considering, making an agreement;
  • We have to comply with Gibneys of Oldcastle Ltd in legal obligations; and/or
  • We or the business are pursuing a legitimate interest. This could be where we have a business or commercial reason to use Personal Data. We will only do so if our interest clearly overrides the data subject’s interest in not having his/her Personal Data Processed by us.
Purpose/Activity Purpose/Activity
To manage our customer relationship
  • Performance of a contract
  • Necessary to comply with a legal obligation
  • Necessary for our legitimate interests (to keep our records updated and to study how customers use our services)
To administer and protect our business
  • Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
  • Necessary to comply with a legal obligation.
To deliver relevant website content and advertisements and measure or understand the effectiveness of our advertising.
  • Necessary for our legitimate interests (to study how customers use our services, to develop them, to grow our business and to inform our marketing strategy).
To make suggestions and recommendations about products services that may be of interest.
  • Necessary for our legitimate interests (to develop our services and grow our business).

From time to time, we may also Process Sensitive Personal Data (“SPD”) if required to do so by law. We will seek explicit consent to Process SPD, unless the law permits us to register such data without consent.

  1. Data Processors

Gibneys of Oldcastle Ltd will engage Gibneys of Oldcastle Ltd in service providers to perform Gibneys of Oldcastle Ltd in services on its behalf which may involve the Processing of Personal Data. To the extent that such Processing is undertaken based on the instructions of Gibneys of Oldcastle Ltd and gives rise to a data controller and data processor relationship, Gibneys of Oldcastle Ltd will ensure that such relationship is governed by a contract which includes the data protection provisions prescribed by Data Protection Law.

  1. Record Keeping

As part of our record keeping obligations under the GDPR, Gibneys of Oldcastle Ltd retains a record of the Processing activities under its responsibility. This comprises the following:

  • Name and contact details of the controller
  • The purposes of the Processing
  • Description of the categories of data subjects and of the categories of Personal Data.
  • The categories of recipients to whom the Personal Data have been or will be disclosed.
  • Where applicable, transfers of Personal Data to a third country outside of the EEA.
  • Where possible, the envisaged time limits for erasure of the different categories of Personal Data.
  • Where possible, a general description of the technical and organisational security measures adopted.
  1. Individual Data Subject Rights

Data Protection Law provide Gibneys of Oldcastle Ltd in rights in favour of data subjects. The rights in question are as follows (the “Data Subject Rights”): the right of a data subject to receive information on the Processing; the right of access to Personal Data; the right to rectify or erase Personal Data (right to be forgotten); the right to restrict Processing; the right of data portability; the right of objection; and the right to object to automated decision making, including profiling.

These Data Subject Rights will be exercisable subject to limitations as provided for under Data Protection Law. You may make a request to Gibneys of Oldcastle Ltd to exercise any of the Data Subject Rights by contacting info@gibneyoil.ie Your request will be dealt with in accordance with Data Protection Law.

  1. Data Security And Data Breach

We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords. The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of Gibneys of Oldcastle Ltd in types of Personal Data security breaches. Any data breaches identified in respect of Personal Data controlled by Gibneys of Oldcastle Ltd will be dealt with in accordance with Data Protection Law.

  1. Disclosing Personal Data

From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data). We may also disclose Personal Data to: (a) selected third parties including Gibneys of Oldcastle Ltd in government bodies such as the Revenue Commissioners; and (b) service providers, such as distributors, hauliers, website providers, payment processing providers, IT support providers, etc.

  1. Data Retention

We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed (as described in this Privacy Notice). We will keep Personal Data for as long as we have a relationship with the data subject, and for a period of up 6 years thereafter. We will only retain Personal Data after this time if we are required to do so to comply with the law, or if there are outstanding claims or complaints that will reasonably require such Personal Data to be retained.

  1. Further Information/Complaints Procedure

For further information about this Privacy Notice and/or the Processing of Personal Data by or on behalf of Gibneys of Oldcastle Ltd please contact info@gibneyoil.ie. While you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission, we request that you contact info@gibneyoil.ie in the first instance to give us the opportunity to address any concerns that you may have.