What the law requires
GDPR requires all data controllers to prepare a privacy notice and make it available to all data subjects. This credit union’s privacy notice read as follows:
The purpose of this notice is to provide you with all information necessary for you to understand how we process the personal information we have about you. It is written to comply with Article 12(1) of the General Data Protection Regulations (“GDPR”) which took effect from 25th May 2018. The purpose of GDPR is to protect you against any misuse of your personal information and it does so by ensuring that all entities who collect, use, disclose or otherwise process personal information do so in accordance with one or more legal justifications.
We collect and use a wide variety of information about different classes of persons including members who never borrowed, loan applicants, the spouses/partners of loan applicants, guarantors of loans, staff, volunteers, nominees and service providers.
For membership, the very basic information we need to know is your name and contact details. The anti-money laundering laws amplify this by requiring us to collect, and keep up to date, more precise details such as date of birth, gender & photo ID and address. This must be evidenced from documentation such as passports or utility bills. Revenue obliges us to collect details of your tax residence and PPSN.
To comply with anti-money laundering laws, we also collect high level information about your occupation, where you work, family circumstances and accommodation arrangements. We do this so that if any unusual transactions go over your account, we are able to make an informed assessment of whether we have grounds for making a suspicious transaction report to the Gardai & Revenue.
If you apply for a loan, we shall need to assess your repayment capacity which will usually require us to conduct a credit check. We use the Central Credit Register for this. The Central Credit Register (“CCR”) was established by the Central Bank in 2017. CCR has histories going back to June 2017 only. Using a credit register not only allows us to confirm your existing credit indebtedness and arrears but it also obliges us to send those registers details of your loans with us for the lifetime of those loans.
When completing a loan application, we ask you to complete a simple medical questionnaire to ensure that the Loan Protection Cover is available to clear that loan in the event of your death.
We also collect all information necessary to support any loan application such as details of employment, bank statements, dependents, whether you rent or own your home etc.
We collect the names of participants in Children’s Quiz and Art Competitions. We also record attendance at general meetings.
We have CCTV in operation both inside and outside the credit union. We also record telephone calls.
For staff, we have all information provided when you applied for employment. We also have your contact details, attendance records, medical certificates, performance reviews as well as grievance & disciplinary records.
For members as well as staff, we have the bank account details you provided us to enable money to be sent to your bank account.
For officers who are subject to the Central Bank’s Fitness and Probity regime, we review and retain the information that is provided to us by those persons. We also conduct checks for Court judgements, disqualifications and administrative sanctions by the Central Bank, other regulators and professional bodies.
If you contact us by email, the address from which the incoming email was sent will be evident, as well as the contents of the email.
We disclose information about you to various parties, mostly where required by law. These include the Central Bank, Revenue, the Gardai (in respect of suspicions of money laundering), the CCR and ECCU, the insurer who provides Loan Protection, Life Savings & Death Benefit Insurance cover. Our statutory auditors also need to see personal information relating to members, staff and others to complete their audit.
We also use a variety of service providers who have access to different kinds of information about you. These include our suppliers of our computer systems, cloud storage providers, solicitors, debt collection service providers, internal auditors, risk management and compliance consultants, CCTV maintenance firms & other outsourced service providers. In all cases we ensure that these service providers are of good standing & repute and commit to keeping your information safe and secure. They are also prohibited from passing information about you to any other persons.
Our use of Credit Registers
The main reason we use credit registers is to ensure that loan applicants have not built up a bad lending record with other lenders. Therefore, we check those registers before approving loans. We also send them details of our members’ loans and repayment histories so that other lenders can see if their loan applicants have poor borrowing records with us.
We use the Central Credit Register.
The Central Credit Register (“CCR”) is operated by the Central Bank under the Credit Reporting Act 2013. Membership is not voluntary. The law requires that from 30th September 2018 all lenders MUST conduct credit checks before approving any loans of €2,500 or more.
As stated at the outset, the purpose of this notice is to inform you of various matters relating to the GDPR. It also requires that the legal justification is disclosed to the persons in question.
Therefore, the disclosures we wish to make are as follows:
- It is a condition of applying for a loan that we shall be both conducting a CCR credit check and passing details of your repayment history to the CCR. A legal justification permissible under GDPR is where the task at hand is required for compliance with a Legal Obligation. This is the legal justification we are using for:
  - conducting CCR credit checks on loan applications of more than €2,000
  - passing all credit status and histories for loans above €500 to the CCR
- However, even though the law does not oblige us to conduct CCR checks on loan applications below €2,000, we still plan to do so, as a matter of policy. The legal justification for so doing under GDPR is that it is in the credit union’s Legitimate Interests to do so (i.e. to facilitate a full and accurate assessment of loan applications and avoid over-indebtedness) and it does not infringe your fundamental rights to privacy.
- Conducting credit checks on loan applicants is a widely accepted practice for all lenders and there is no known basis for arguing that it infringes the fundamental rights to privacy of the loan applicant. In essence, the only way you can avoid having a credit check conducted is to withdraw your loan application.
Because of the potential sensitivity of credit checks, all loan applicants must sign a statement acknowledging their awareness that we shall be conducting credit checks.
We do not transfer or allow the transfer of any information about you outside the European Economic Area, which means that all such information enjoys the protections provided by EU law.
The disclosure of personal information to State agencies (e.g., Central Bank, Revenue, Gardai) and statutory auditors that we conduct is permitted under GDPR Article 6 because it is required by law. However, for virtually all other things that we do with personal information, including CCR credit checks and indeed any processing of personal information, the legal justification for doing it under GDPR is that it is necessary for the purposes of the credit union’s Legitimate Interests and nothing that we do infringes your fundamental rights to privacy or any other rights available under law or any freedoms arising from those rights. However, if you think that any collection or use of your personal information is unnecessary, disproportionate or otherwise improper please let us know and we shall be happy to address your concerns. However, our position will be that resolution of any such concerns must not prejudice the Legitimate Interests of the credit union without infringing any data subject’s fundamental rights.
If we cannot satisfy you, it may be that your membership, loan application or any other relationship you have with us must be discontinued. If this is unsatisfactory to you, you have a right to complain to the Data Protection Commissioner who will give an independent, authoritative and binding view of whatever matter divides us.
We will never ask you for information unless we have a specified, explicit and legitimate need to do so. Therefore, if you decline to provide it we may be unable to complete whatever process you are asking us to complete e.g., a membership or loan application.
On some occasions we may process your personal data based on your Consent, rather than our Legitimate Interests. In such cases your consent will be obtained in writing, and you will have a right to withdraw it at any time.
We are most careful to comply with all of our data protection obligations. Specifically:
- when we collect, use or disclose any personal information, we do so fairly and lawfully. This means that we make sure you know why we are collecting your information and what we are doing with it;
- we collect and use it only for specified, explicit and legitimate purpose(s);
- we do not use or disclose it in any way which is incompatible with those purposes;
- we protect it against unauthorised access, alteration, disclosure or destruction, or unlawful use;
- we make sure that all personal information we hold is accurate, complete and where necessary, kept up to date;
- we make sure that when we collect personal information, it is adequate, relevant and not excessive in relation to the purpose for which it was collected;
- we do not keep personal information for longer than is necessary. Most information is retained for 6 years which is a common minimum records retention period required by law. However, if personal information can be lawfully destroyed after a shorter period, we try to do so. We also try to destroy all personal information when we no longer have any need to retain it.
If you ask, we will provide you with a copy of all information we hold about you, within 30 days of your request and at no charge. Furthermore, if you ask us to correct or destroy any information we hold about you, we will do so, subject to the legal provisions surrounding any such request.
We have a detailed Data Protection Policy which addresses our entire approach to this important topic. All of our officers, whether paid staff or volunteers, are provided with data protection training regularly. They also sign a confidentiality pledge annually.
We view our obligations in respect of data protection very seriously and any suspected or actual breach is investigated thoroughly with appropriate action taken where necessary.
If you have a complaint about how we have used your personal information, please mark your letter “For the Attention of the Manager.” Under our Complaints Procedures we shall acknowledge your complaint within 5 working days, we shall provide you with the name of the person handling your complaint and try to have a full response within 40 working days. If you are unhappy with how we have dealt with your complaint, you will be able to refer the matter to the Data Protection Commissioner.
Should you have any further questions about any of the foregoing, please
- ask any of our officers who shall be pleased to help,
- write to us,
- telephone us on 061 378 099,
- email us at firstname.lastname@example.org or
- contact the , CCR or Data Protection Commissioner using the details below:
Central Credit Register
Data Protection Commissioner
Central Bank of Ireland
New Wapping Street
North Wall Quay