Data Privacy Notice

What the Law Requires

GDPR requires all data controllers to prepare a privacy notice and make it available to all data subjects.
The purpose of this notice is to provide you with all information necessary for you to understand how we
process the personal information we have about you.

It is written to comply with Article 12(1) of the General Data Protection Regulations (“GDPR”) which took
effect from 25th May 2018. The purpose of GDPR is to protect you against any misuse of your personal
information and it does so by ensuring that all entities who collect, use, disclose or otherwise process
personal information do so in accordance with one or more legal justifications.

Our Contact Details

• Controller Name: Mulcair Credit Union
• Address: Cork Road, Newport, Co Tipperary
• Telephone: 061 378 099
• Email: info@mulcaircu.ie
• Website: www.mulcaircu.ie

We are committed to the privacy and security of your personal data. This credit union’s privacy notice read as follows:

What Personal Data Do We Use?

We collect and use a wide variety of information about different classes of people including members,
the spouses/partners of loan applicants, guarantors of loans, staff, volunteers, nominees and service providers.

For membership, the very basic information we need to know is your name and contact details. The anti-money
laundering laws amplify this by requiring us to collect, and keep up to date, more precise details such as date
of birth, gender & photo ID and address. This must be evidenced from documentation such as passports or
utility bills. Revenue obliges us to collect details of your tax residence and PPSN.

To comply with anti-money laundering laws, we also collect high level information about your occupation, where
you work, family circumstances and accommodation arrangements. We do this so that if any unusual transactions
go over your account, we are able to make an informed assessment of whether we have grounds for making a
suspicious transaction report to the Gardai & Revenue.

For Loan Applicants, we shall need to assess your repayment capacity which will usually require us to conduct
a credit check with the Central Credit Register (“CCR”).

When completing a loan application, we ask you to complete a simple medical questionnaire to ensure that the
Loan Protection Cover is available to clear that loan in the event of your death.

We also collect all information necessary to support any loan application such as details of employment, bank
statements, dependents, whether you rent or own your home etc.

For staff, we have all information provided from when you applied for employment. We also have your contact
details, attendance records, medical certificates, performance reviews as well as grievance & disciplinary records.

For members as well as staff, we have the bank account details you provided us to enable money to be sent to your bank account.

For officers who are subject to the Central Bank’s Fitness and Probity regime, we review and retain the information
that is provided to us by those people. We also conduct checks for Court judgements, disqualifications and
administrative sanctions by the Central Bank, other regulators and professional bodies.

For others, we collect the names of participants in Children’s Quiz and Art Competitions. We also record attendance at general meetings.

We have CCTV in operation both inside and outside the credit union. We also record telephone calls.

If you contact us by email, the address from which the incoming email was sent will be evident, as well as the contents of the email.

Third Party Disclosures

We disclose information about you to various parties, mostly where required by law. These include the Central Bank,
Revenue, the Gardai (in respect of suspicions of money laundering), the CCR and ECCU, the insurer who provides
Loan Protection, Life Savings & Death Benefit Insurance cover. Our statutory auditors also need to see personal
information relating to members, staff and others to complete their audit.

We also use a variety of service providers who have access to different kinds of information about you. These include
our suppliers of our computer systems, cloud storage providers, solicitors, debt collection service providers,
internal auditors, risk management and compliance consultants, CCTV maintenance firms & other outsourced service providers.
In all cases we ensure that these service providers are of good standing & repute and commit to keeping your information
safe and secure. They are also prohibited from passing information about you to any other person.

Transfer Outside the European Union

We do not transfer or allow the transfer of any information about you outside the European Economic Area, which means
that all such information enjoys the protections provided by EU law.

Legal Basis for Disclosure

As stated at the outset, the purpose of this notice is to inform you of various matters relating to the GDPR.
It also requires that the legal justification is disclosed to the people in question. Therefore, the disclosures
we wish to make are as follows:

CCR

The Central Credit Register (“CCR”) is operated by the Central Bank under the Credit Reporting Act 2013.
Membership is not voluntary. The law requires that from 30th September 2018 all lenders MUST conduct credit checks
before approving any loans of €2,000 or more.

It is a condition of applying for a loan that we shall be both conducting a CCR credit check and passing details
of your repayment history to the CCR. A legal justification permissible under GDPR is where the task at hand is
required for compliance with a Legal Obligation. This is the legal justification we are using for:

• conducting CCR credit checks on loan applications of more than €2,000
• passing all credit status and histories for loans above €500 to the CCR

However, even though the law does not oblige us to conduct CCR checks on loan applications below €2,000, we still
plan to do so, as a matter of policy. The legal justification for so doing under GDPR is that it is in the credit
union’s Legitimate Interests to do so (i.e. to facilitate a full and accurate assessment of loan applications and
avoid over-indebtedness) and it does not infringe your fundamental rights to privacy.

Conducting credit checks on loan applicants is a widely accepted practice for all lenders and there is no known
basis for arguing that it infringes the fundamental rights to privacy of the loan applicant. In essence, the only
way you can avoid having a credit check conducted is to withdraw your loan application.

For Payment Processing

We currently operate within the Sepa Classic & Sepa Instant Payment Schemes via services provided by Intesa
Sanpaolo S.p.A or Danske Bank Ireland. When using SEPA Instant Payments:

• we share your details with Nexi Payments S.p.A, an Italian based partner of Intesa Sanpaolo S.p.A who provide
  Mulcair Credit Union with an anti-fraud solution for the protection of your transactions. Nexi apply a scoring
  model to all payments to determine potentially fraudulent activity. The legal justification for so doing under
  GDPR being that it is within the credit unions legitimate interests to do so &
• we also share your Name & IBAN with Banfico under the Verification of Payee (VoP) scheme in line with the EU
  Instant Payment Regulations 2024 & have a Legal obligation to do so

State Agencies & Statutory Auditors

The disclosure of personal information to State agencies (e.g. Central Bank, Revenue, Gardai), statutory auditors
that we conduct is permitted under GDPR Article 6 because it is required by law.

Right of Refusal

If we cannot satisfy you, it may be that your membership, loan application or any other relationship you have with
us must be discontinued.

If this is unsatisfactory to you, you have a right to complain to the Data Protection Commissioner who will give an
independent, authoritative and binding view of whatever matter divides us.

We will never ask you for information unless we have a specified, explicit and legitimate need to do so. Therefore,
if you decline to provide it, we may be unable to complete whatever process you are asking us to complete e.g. a
membership or loan application.

Consent

In some occasions we may process your personal data based on your Consent, rather than our Legitimate Interests.
In such cases your consent will be obtained in writing, and you will have a right to withdraw it at any time.

Our Data Protection Obligation

We are most careful to comply with all of our data protection obligations. Specifically:

• when we collect, use or disclose any personal information, we do so fairly and lawfully. This means that we make
  sure you know why we are collecting your information and what we are doing with it;
• we collect and use it only for specified, explicit and legitimate purpose(s);
• we do not use or disclose it in any way which is incompatible with those purposes;
• we protect it against unauthorized access, alteration, disclosure or destruction, or unlawful use;
• we make sure that all personal information we hold is accurate, complete and where necessary, kept up to date;
• we make sure that when we collect personal information, it is adequate, relevant and not excessive in relation to
  the purpose for which it was collected;
• we do not keep personal information for longer than is necessary. Most information is retained for 6 years which
  is a common minimum records retention period required by law. However, if personal information can be lawfully
  destroyed after a shorter period, we try to do so. We also try to destroy all personal information when we no
  longer have any need to retain it.

If you ask, we will provide you with a copy of all information we hold about you, within 30 days of your request
and at no charge. Furthermore, if you ask us to correct or destroy any information we hold about you, we will do so,
subject to the legal provisions surrounding any such request.

We have a detailed Data Protection Policy which addresses our entire approach to this important topic. All of our
officers, whether paid staff or volunteers, are provided with data protection training regularly. They also sign a
confidentiality pledge annually.

We view our obligations in respect of data protection very seriously and any suspected or actual breach is
investigated thoroughly with appropriate action taken where necessary.

Complaints

If you have a complaint about how we have used your personal information, please mark your letter “For the Attention
of the Manager”. Under our Complaints Procedures we shall acknowledge your complaint within 5 working days, we shall
provide you with the name of the person handling your complaint and try to have a full response within one month.
If you are unhappy with how we have dealt with your complaint, you will be able to refer the matter to the Data
Protection Commissioner.

Further Questions

Should you have any further questions about any of the foregoing, please:

• ask any of our officers who shall be pleased to help,
• write to us,
• telephone us on 061 378 099,
• email us at info@mulcaircu.ie or
• contact the CCR or Data Protection Commissioner using the details below:

Central Credit Register

Data Protection Commissioner

Mulcair Credit Union is regulated by the Central Bank of Ireland