What the law requires
GDPR requires all data controllers to prepare a privacy notice and make it available to all data subjects. This credit union’s privacy notice read as follows:
The purpose of this notice is to provide you with all information necessary for you to understand how we process the personal information we have about you. It is written to comply with Article 12(1) of the General Data Protection Regulations (“GDPR”) which took effect from 25th May 2018. The purpose of GDPR is to protect you against any misuse of your personal information and it does so by ensuring that all entities who collect, use, disclose or otherwise process personal information do so in accordance with one or more legal justifications.
We collect and use a wide variety of information about different classes of persons including members who never borrowed, loan applicants, the spouses/partners of loan applicants, guarantors of loans, staff, volunteers, nominees and service providers.
For membership, the very basic information we need to know is your name and contact details. The anti-money laundering laws amplify this by requiring us to collect, and keep up-to-date, more precise details such as date of birth, gender & photo ID and address. This must be evidenced from documentation such as passports or utility bills. Revenue oblige us to collect your details of your tax residence and PPSN.
To comply with anti-money laundering laws, we also collect high level information about your occupation, where you work, family circumstances and accommodation arrangements. We do this so that if any unusual transactions go over your account we are able to make an informed assessment of whether we have grounds for making a suspicious transaction report to the Gardai & Revenue.
If you apply for a loan, we shall need to assess your repayment capacity which will usually require us to conduct a credit check. We use 2 credit registers. The Irish Credit Bureau (“ICB”) is a long-standing credit register which we have been using since 2017. The Central Credit Register (“CCR”) was established by the Central Bank in 2017. We conduct credit checks with both registers. Being older, the ICB has credit histories going back for 5 years whereas the CCR has histories going back to June 2017 only. Using a credit register not only allows us to confirm your existing credit indebtedness and arrears but it also obliges us to send those registers details of your loans with us for the lifetime of those loans.
When completing a loan application, we ask you to complete a simple medical questionnaire to ensure that the Loan Protection Cover is available to clear that loan in the event of your death.
We also collect all information necessary to support any loan application such as details of employment, bank statements, dependents, whether you rent or own your home etc.
We collect the names of participants in Children’s Quiz and Art Competitions. We also record attendance at general meetings.
We have CCTV in operation both inside and outside the credit union. We also record telephone calls.
For staff, we have all information provided when you applied for employment. We also have your contact details, attendance records, medical certificates, performance reviews as well as grievance & disciplinary records.
For members as well as staff, we have the bank account details you provided us to enable money to be sent to your bank account.
For officers who are subject to the Central Bank’s Fitness and Probity regime, we review and retain the information that is provided to us by those persons. We also conduct checks for Court judgements, disqualifications and administrative sanctions by the Central Bank, other regulators and professional bodies.
If you contact us by email, the address from which the incoming email was sent will be evident, as well as the contents of the email.
We disclose information about you to various parties, mostly where required by law. These include the Central Bank, Revenue, the Gardai (in respect of suspicions of money laundering), the ICB and ECCU, the insurer who provides Loan Protection, Life Savings & Death Benefit Insurance cover. Our statutory auditors also need to see personal information relating to members, staff and others to complete their audit.
We also use a variety of service providers who have access to different kinds to information about you. These include our suppliers of our computer systems, cloud storage providers, solicitors, debt collection service providers, internal auditors, risk management and compliance consultants, CCTV maintenance firms & other outsourced service providers. In all cases we ensure that these service providers are of good standing & repute and commit to keeping your information safe and secure. They are also prohibited from passing information about you to any other persons.
Our use of Credit Registers
The main reason we use credit registers is to ensure that loan applicants have not built up a bad lending record with other lenders. Therefore we check those registers before approving loans. We also send them details of our members’ loans and repayment histories so that other lenders can see if their loan applicants have poor borrowing records with us.
We use 2 credit registers, the Irish Credit Bureau and the Central Credit Register.
The Irish Credit Bureau (“ICB”) is a private organisation which has been in existence since 1963. Its membership includes over 300 banks, credit unions, local authorities and other lenders. Membership allows lenders to perform credit checks on their loan applicants before approving loans. It also obliges each one to pass details of their borrowers’ credit histories to the bureau so that other members can perform credit checks before approving a loan. Their contact details are at the bottom of this notice.
The Central Credit Register (“CCR”) is being setup by the Central Bank on a phased basis but is due to be fully up and running in March 2019. Membership is not voluntary. The law requires that from 30th September 2018 all lenders MUST conduct credit checks before approving any loans of €2,500 or more.
As stated at the outset, the purpose of this notice is to inform you of various matters relating to the GDPR. It also requires that the legal justification is disclosed to the persons in question.
Therefore the disclosures we wish to make are as follows:
- It is a condition of applying for a loan that we shall be both conducting an ICB credit check and passing details of your repayment history to the ICB. The legal justification for so doing under GDPR is that it is in the credit union’s Legitimate Interests to do so (i.e. to facilitate a full and accurate assessment of loan applications and avoid over-indebtedness) and it does not infringe your fundamental rights to privacy. Conducting credit checks on loan applicants is a widely accepted practice for all lenders and there is no known basis for arguing that it infringes the fundamental rights to privacy of the loan applicant. In essence, the only way you can avoid having a credit check conducted is to withdraw your loan application.
- The ICB is also using Legitimate Interests as the GDPR justification for its processing of the information we send them.
- Another legal justification permissible under GDPR is where the task at hand is required for compliance with a Legal Obligation. This is the legal justification we are using for
- conducting CCR credit checks on loan applications of more than €2,000
- passing all credit status and histories for loans above €500 to the CCR
- However, even though the law does not oblige us to conduct CCR checks on loan applications below €2,000, we still plan to do so, as a matter of policy. We are using the Legitimate Interests justification as set out in 2. above for this.
Because of the potential sensitivity of credit checks, all loan applicants must sign a statement acknowledging their awareness that we shall be conducting credit checks.
We do not transfer or allow the transfer of any information about you outside the European Economic Area, which means that all such information enjoys the protections provided by EU law.
The disclosure of personal information to State agencies (e.g. Central Bank, Revenue, Gardai), statutory auditors that we conduct is permitted under GDPR Article 6 because it is required by law. However, for virtually all other things that we do with personal information, including ICB credit checks and indeed any processing of personal information the legal justification for doing it under GDPR is that it is necessary for the purposes of the credit union’s Legitimate Interests and nothing that we do infringes your fundamental rights to privacy or any other rights available under law or any freedoms arising from those rights. However, if you think that any collection or use of your personal information is unnecessary, disproportionate or otherwise improper please let us know and we shall be happy to address your concerns. However, our position will be that resolution of any such concerns must not prejudice the Legitimate Interests of the credit union without infringing any data subject’s fundamental rights.
If we cannot satisfy you, it may be that your membership, loan application or any other relationship you have with us must be discontinued. If this is unsatisfactory to you, you have a right to complain to the Data Protection Commissioner who will give an independent, authoritative and binding view of whatever matter divides us.
We will never ask you for information unless we have a specified, explicit and legitimate need to do so. Therefore if you decline to provide it we may be unable to complete whatever process you are asking us to complete e.g. a membership or loan application.
In some occasions we may process your personal data based on your Consent, rather than our Legitimate Interests. In such cases your consent will be obtained in writing and you will have a right to withdraw it at any time.
We are most careful to comply with all of our data protection obligations. Specifically
- when we collect, use or disclose any personal information, we do so fairly and lawfully. This means that we make sure you know why we are collecting your information and what we are doing with it;
- we collect and use it only for specified, explicit and legitimate purpose(s);
- we do not use or disclose it in any way which is incompatible with those purposes;
- we protect it against unauthorised access, alteration, disclosure or destruction, or unlawful use;
- we make sure that all personal information we hold is accurate, complete and where necessary, kept up to date;
- we make sure that when we collect personal information, it is adequate, relevant and not excessive in relation to the purpose for which it was collected;
- we do not keep personal information for longer than is necessary. Most information is retained for 6 years which is a common minimum records retention period required by law. However, if personal information can be lawfully destroyed after a shorter period, we try to do so. We also try to destroy all personal information when we no longer have any need to retain it.
If you ask, we will provide you with a copy of all information we hold about you, within 30 days of your request and at no charge. Furthermore, if you ask us to correct or destroy any information we hold about you, we will do so, subject to the legal provisions surrounding any such request.
We have a detailed Data Protection Policy which addresses our entire approach to this important topic. All of our officers, whether paid staff or volunteers, are provided with data protection training regularly. They also sign a confidentiality pledge annually.
We view our obligations in respect of data protection very seriously and any suspected or actual breach is investigated thoroughly with appropriate action taken where necessary.
If you have a complaint about how we have used your personal information please mark your letter “For the Attention of the Manager”. Under our Complaints Procedures we shall acknowledge your complaint within 5 working days, we shall provide you with the name of the person handling your complaint and try to have a full response within 40 working days. If you are unhappy with how we have dealt with your complaint, you will be able to refer the matter to the Data Protection Commissioner.
Should you have any further questions about any of the foregoing, please
- ask any of our officers who shall be pleased to help,
- write to us,
- telephone us on 061 378 099,
- email us at firstname.lastname@example.org or
- contact the ICB, CCR or Data Protection Commissioner using the details below:
Irish Credit Bureau
Central Credit Register
Data Protection Commissioner
Central Bank of Ireland
New Wapping Street
North Wall Quay