Privacy Notice of St. Colman’s (Claremorris) Credit Union Limited

A credit union is a member-owned financial cooperative, democratically controlled by its members, and operated for the purpose of promoting thrift, providing credit at competitive rates, and providing other financial services to its members. Data collection, processing and use are conducted solely for the purpose of carrying out the above mentioned objectives.

St. Colman’s (Claremorris) Credit Union Limited is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal data about you during and after your relationship with us.


1. Our contact details are:

Address: The Square, Claremorris, Co Mayo and Main Street, Ballinrobe, Co Mayo
Phone: 094 9371159 and 094 9541402
General Email: info@claremorriscu.ie and ballinrobe@claremorriscu.ie
Data Protection Officer/Representative Contact Details: Data Protection Officer, St. Colman’s (Claremorris) Credit Union Limited, The Square, Claremorris, Co Mayo or email dpo@claremorriscu.ie


2. What information do we collect?

We collect and use a wide variety of information about different classes of persons including, members with loans and members with no loans, guarantors, staff, volunteers, nominees and service providers. The following details the information we collect:

Account Opening and Lending:

  • Your name, address, date of birth, email, telephone, financial data, status and history, transaction data; contract data, details of the credit union products you hold with us, signatures, identification documents, salary, occupation, source of wealth, source of funds, Politically Exposed Status, accommodation status, mortgage details, previous addresses, spouse, partners, nominations, Tax Identification/PPSN numbers, passport details, driver license details, tax residency, interactions with credit union staff and officers on the premises, by phone, or email, current or past complaints, CCTV footage and telephone voice recordings. We collect this information from membership application forms, lending forms and guarantor forms.

Guarantor Details:

  • Your name, address, contact details, income and expenditure details.

Nominations:

  • Your name, address, relationship to member, bank details (to allow payment/transfer of nominated property).

3. Purpose for which we process your personal data;

Account Opening:

  • To open and maintain an account for you.
  • To meet our obligations to you under the Credit Union’s Standard Rules.
  • To contact you in respect of your account and any product or service you avail of; and
  • To comply with our legal obligations, for example anti-money laundering.

We may also collect, store and use the following “special categories” of more sensitive personal information which includes Information about your health, including any medical condition and sickness.

Lending:

  • Assessing your loan application and determining your creditworthiness for a loan.
  • Verifying the information provided by you in the application.
  • We are obliged to purchase loan protection and life savings protection from ECCU.
  • Conducting credit searches and making submissions to the Irish Credit Bureau and the Central Credit Register.
  • Administering the loan, including where necessary, to take steps to recover the loan or enforce any security taken as part of the loan.
  • We may use credit scoring techniques and other automated decision-making systems to either partially or fully assess your application.
  • Meeting legal and compliance obligations and requirements under the Rules of the Credit Union.
  • To comply with Central Bank Regulations to determine whether you are a connected borrower or related party borrower.
  • Providing updates on our loan products and services by way of directly marketing to you.

We may also collect, store and use the following “special categories” of personal data, Information about your health, including any medical condition, health and sickness (See Insurance section for further details).

We need all the categories of information in the list above to allow us to; identify you, contact you, and in order that we perform our contract with you.

We also need your personal identification data to enable us to comply with legal obligations. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

Guarantors:

  • To ensure repayment of the loan and to facilitate the requirements of the contract between you and the credit union.
  • To contact you in respect of your guarantee in the event of a change of circumstance of the member/ member getting into arrears.
  • Collection of the debt.
  • Conduct due diligence and credit checking.
  • From 2019 in order to meet reporting obligations to the Central Credit Register.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

Nominations:

We collect personal information about nominees from the nominations form completed by the member. We need the categories of information in the list at point 2 to allow us to record your details in our register of nominations, identify you, to contact you and then on order upon the passing of the member, to process the nominations.

We need all the categories of information in the list above to allow us to; identify you, contact you, comply with our legal obligations and in order that we perform our contract with you.


4. How secure is my information with third-party service providers?

All our third-party service providers are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes unless they are deemed to be controllers in their own right(1). We only permit them to process your personal data for specified purposes and in accordance with our instructions. Usually, information will be anonymised, but this may not always be possible. The recipient of the information will also be bound by confidentiality obligations.

(1) As a data controller, the organisations will be required to have provided you with a separate privacy notice setting out what it does with its data.

5. If you fail to provide personal data

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you or we may be prevented from complying with our legal obligations.


6. Change of purpose

You can be assured that we will only use your data for the purpose it was provided and in ways compatible with that stated purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.


7. Profiling

We sometimes use systems to make decisions based on personal data we have (or are allowed to collect from others) about you. This information is used for loan-assessment, provisioning and anti-money laundering purposes and compliance with our legal duties in those regards.


8. Data Retention Periods

We will only retain your personal data for as long as necessary to fulfil the purpose(s) for which it was obtained, taking into account any legal/contractual obligation to keep it. Where possible we record how long we will keep your data. Where that is not possible, we will explain the criteria for the retention period. This information is documented in our Retention Policy. Once the retention period has expired, the respective data will be permanently deleted. Please see our retention periods below.

  • Accounting records required to be kept further to the Credit Union Act, 1997 (as amended) must be retained for not less than six years from the date to which it relates.
  • The money laundering provisions of Anti-Money Laundering legislation require that certain documents must be retained for a period of five years after the relationship with the member has ended.
  • We keep income tax records for a period of six years after completion of the transactions to which they relate.
  • Loan application information, including guarantors details are retained for a period of seven years from the date of discharge, final repayment, transfer of the loan.
  • Mortgage Agreements/Credit Agreements are contracts and as such the credit union retains them for seven years from the date of expiration or breach, and twelve years where the document is under seal.
  • CCTV footage which is used in the normal course of business (i.e. for security purposes) for approx. 30 days for the Ballinrobe Office and approx. 60 days for the Claremorris Office.
  • Telephone recordings which are used for training and quality purposes are retained for a period of 6 months.
  • Nomination Details: We will retain permanently, your name in our register of nominations. Member’s nomination forms and other documentation related to the nomination will be retained for a period of six years after the relationship with the member has ended (e.g. the member passing away).

9. How we use particularly sensitive personal data

“Special categories” of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. We may process special categories of personal data in the following circumstances:

  • When completing a loan application, we will ask you to complete a simple medical questionnaire to ensure that the Loan Protection Cover is available to clear that loan in the event of your death or serious illness, subject to the terms and conditions of the cover.
  • In limited circumstances, with your explicit written consent.
  • Where we need to carry out our legal obligations and in line with our data protection policy.
  • Where it is needed in the public interest, and in line with our data protection policy.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.


10. How we may share the information

  • We disclose information about you to various parties, mostly where required by law. These include the Central Bank, Revenue, the Gardai (in respect of suspicions of money laundering), the ICB, Data Protection Commission, Financial Services Ombudsman, Criminal Assets Bureau, as well as parties designated by under the relevant legislation, police forces and security organisations, ombudsmen and regulatory authorities, as well as fraud prevention agencies. We may share your information with ECCU Assurance DAC, the insurer who provides Loan Protection and Life Savings cover. Our statutory auditors also need to see personal information relating to members, staff and others in order to complete their audit.
  • We also use a variety of service providers who have access to different kinds to information about you. These include suppliers of our computer systems, cloud storage providers, solicitors, debt collection service providers, auditors, ILCU, risk management and compliance consultants, CCTV maintenance firms, telephone recording equipment providers and other outsourced service providers. In all cases we ensure that these service providers are of good standing & repute and commit to keeping your information safe and secure. They are also prohibited from passing information about you to any other persons.
  • We may transfer and/or store information related to you to a destination outside the European Economic Area (“EEA”). In this context, this Information may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Any transfer of information relating to you to a location outside the EEA is made in accordance with data protection law. Specifically, such transfers are only ever made lawfully by way of the European Commission’s Model Contractual Clauses. More information and a copy of the Model Contractual Clauses are available on the European Commission’s website.
  • We share your information with the Central Credit Register in order to comply with our legal obligations under the Credit Reporting Act 2013. We may also search the Central Credit Register where permitted but not obliged to do so to protect our legitimate interests. When we share your data with the Irish Credit Bureau, they will process that data for their legitimate interests. Those legitimate interests are promoting greater financial stability by supporting a full and accurate assessment of loan applications, aiding in the avoidance of over indebtedness, assisting in lowering the cost of credit, complying with and supporting compliance with legal and regulatory requirements, enabling more consistent, faster decision-making in the provision of credit and assisting in fraud prevention.
    Please review the Irish Credit Bureau’s Fair Processing Notice which is available at www.icb.ie/pdf/Fair Processing Notice.pdf It documents who they are, what they do, details of their Data Protection Officer, how they get the data, why they take it, what personal data they hold, what they do with it, how long they retain it, who they share it with, what entitles them to process the data (legitimate interests), what happens if your data is inaccurate and your rights i.e. right to information, right of access, right to complain, right to object, right to restrict, right to request erasure and right to request correction of your personal information.
  • The disclosure of personal information to State agencies (e.g. Central Bank, Revenue, Gardai) and statutory auditors is permitted under GDPR Article 6 because it is required by law. However, for virtually all other things that we do with personal information, including ICB credit checks and indeed any processing of personal information, the legal justification for obtaining the information is that it is necessary for the purposes of the credit union’s legitimate interests, and nothing that we do infringes your fundamental rights to privacy or any other rights available under law or any freedoms arising from those rights.
  • However, if you think that any collection or use of your personal information is unnecessary, disproportionate or otherwise improper please let us know and we shall be happy to address your concerns. However, our position will be that resolution of any such concerns must not prejudice the legitimate interests of the credit union. If we cannot satisfy you, it may be that your membership, loan application or any other relationship you have with us must be discontinued. If this is unsatisfactory to you, you have a right to complain to the Data Protection Commissioner who will give an independent, authoritative and binding view of whatever matter divides us.

11. We are most careful to comply with all of our data protection obligations. Specifically:

  • When we collect, use or disclose any personal information, we do so fairly and lawfully. This means that we make sure you know why we are collecting your information and what we are doing with it.
  • We collect and use it only for specified, explicit and legitimate purpose(s).
  • We do not use or disclose it in any way which is incompatible with those purposes.
  • We protect it against unauthorised access, alteration, disclosure or destruction, or unlawful use.
  • We make sure that all personal information we hold is accurate, complete and where necessary, kept up to date.
  • We make sure that when we collect personal information, it is adequate, relevant and not excessive in relation to the purpose for which it was collected.
  • We do not keep personal information for longer than is necessary. Most information is retained for 6 years which is a common minimum records retention period required by law. However, if personal information can be lawfully destroyed after a shorter period, we try to do so. We also try to destroy all personal information when we no longer have any need to retain it.
  • If you ask, we will provide you with a copy of all information we hold about you. Furthermore, if you ask us to correct or destroy any information we hold about you, we will do so, subject to the legal provisions surrounding any such request. We have a detailed Data Protection Policy which addresses our entire approach to this important topic.
  • All of our officers, whether paid staff or volunteers, are provided with data protection training regularly. They also sign a confidentiality pledge annually.
  • We view our obligations in respect of data protection very seriously and any suspected or actual breach is investigated thoroughly with appropriate action taken where necessary.

12. How do you make a complaint?

If you have a complaint about how we have used your personal information, please mark your letter “For the Attention of the Data Protection Officer’’. Under our complaints procedures we shall acknowledge your complaint within 5 working days, we shall provide you with the name of the person handling your complaint and try to have a full response within 40 working days. If you are unhappy with how we have dealt with your complaint, you will be able to refer the matter to the Data Protection Commissioner.

Should you have any further questions about any of the foregoing, please ask any of our officers who shall be pleased to help:

  • write to us,
  • telephone us on 094 9371159 or 094 9541402
  • email us at dpo@claremorriscu.ie
  • contact the ICB, CCR or Data Protection Commissioner using the details below:

13. Updates to this notice

We will make changes to this notice from time to time, particularly when we change how we use your information, and change our technology and products. You can always find an up-to-date version of this notice on our website at www.claremorriscu.ie or you can ask us for a copy.


14. Our use and sharing of your information

We will collect and use relevant information about you, your transactions, your use of our products and services, and your relationships with us. We will typically collect and use this information for the following purposes:

Fulfilling contract

This basis is appropriate where the processing is necessary for us to manage your accounts and credit union services to you

Administrative Purposes: We will use the information provided by you, either contained in this form or any other form or application, for the purpose of assessing this application, processing applications you make and to maintaining and administer any accounts you have with the credit union.

Third parties: We may appoint external third parties to undertake operational functions on our behalf. We will ensure that any information passed to third parties conducting operational functions on our behalf, will do so with respect for the security of your data and will be protected in line with data protection law.

Irish League of Credit Unions (ILCU) Affiliation: The ILCU (a trade and representative body for credit unions in Ireland and Northern Ireland) provides professional and business support services such as marketing and public affairs representation, monitoring, financial, guidance, compliance, risk, learning and development, and insurance services to affiliated credit unions. As this credit union is affiliated to the ILCU, the credit union must also operate in line with the ILCU Standard Rules (which members of the credit union are bound to the credit union by) and the League Rules (which the credit union is bound to the ILCU by). We may disclose information in your application or in respect of any account or transaction of yours from the date of your original membership to authorised officers or employees of the ILCU for the purpose of the ILCU providing these services to us.

The Privacy Notice of ILCU can be found at www.creditunion.ie

The ILCU Savings Protection Scheme (SPS): We may disclose information in any application from you or in respect of any account or transaction of yours from the date of your original membership to authorised officers or employees of the ILCU for the purpose of the ILCU providing these services and fulfilling requirements under our affiliation to the ILCU, and the SPS.

For the processing of electronic payments services on your account (such as credit transfers, standing orders and direct debits), the Credit Union is a participant of CUSOP (Payments) DAC (“CUSOP”). CUSOP is a credit union owned, independent, not-for-profit company that provides an electronic payments service platform for the credit union movement in Ireland. CUSOP is an outsourced model engaging third party companies, such as a Partner Bank, to assist with the processing of payment data.

Insurance: As part of our affiliation with the ILCU, we purchase insurance from ECCU Assurance DAC (ECCU), a life insurance company, wholly owned by the ILCU. To administer these insurances we may pass your information to ECCU and it may be necessary to process ‘special category’ personal data about you. This includes information about your health which will be shared with ECCU for the purposes of our life assurance policy to allow ECCU to deal with insurance underwriting, administration and claims on our behalf. Further information can be found in our lending privacy notice.

Electronic Payments [not through CUSOP: If you use our electronic payment services to transfer money into or out of your credit union account or make payments through your debit card into your credit union account, we are required to share your personal data with our electronic payment service provider Realex Payments.

Member Service: To help us improve our service to you, we may use information about your account to help us improve our services to you.

ATM Card: If you have an ATM card with us, we will share transaction details with companies which help us to provide this service.

Legal Duty

This basis is appropriate when we are processing personal data to comply with an Irish or EU Law.

Tax liability: We may share information and documentation with domestic and foreign tax authorities to establish your liability to tax in any jurisdiction. Where a member is tax resident in another jurisdiction the credit union has certain reporting obligations to Revenue under the Common Reporting Standard. Revenue will then exchange this information with the jurisdiction of tax residence of the member. We shall not be responsible to you or any third party for any loss incurred as a result of us taking such actions. Under the “Return of Payments (Banks, Building Societies, Credit Unions and Savings Banks) Regulations 2008” credit unions are obliged to report details to the Revenue in respect of dividend or interest payments to members, which include PPSN where held.

Regulatory and statutory requirements: To meet our duties to the Regulator, the Central Bank of Ireland, we may allow authorised people to see our records (which may include information about you) for reporting, compliance and auditing purposes. For the same reason, we will also hold the information about you when you are no longer a member. We may also share information with certain statutory bodies such as the Department of Finance, the Department of Social Protection and the Financial Services and Pensions Ombudsman Bureau of Ireland if required by law.

Compliance with our anti-money laundering and combating terrorist financing obligations: The information provided by you will be used for compliance with our customer due diligence and screening obligations under anti-money laundering and combating terrorist financing obligations under The Money Laundering provisions of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended by Part 2 of the Criminal Justice Act 2013.

Audit: To meet our legislative and regulatory duties to maintain audited financial accounts, an external auditor is appointed by the membership annually. We will allow the external auditor to see our records (which may include information about you) for these purposes.

Nominations: The Credit Union Act 1997 (as amended) allows members to nominate a person(s) to receive a certain amount from their account on their death, subject to a statutory maximum. Where a member wishes to make a nomination, the credit union must record personal data of nominees in this event.

Incapacity to Act on your account: The Credit Union Act 1997 (as amended) provides, in the circumstances where you become unable to transact on your account, due to a mental incapability and no person has been legally appointed to administer your account, that the Board may allow payment to another who it deems proper to receive it, where it is just and expedient to do so, in order that the money be applied in your best interests. In order to facilitate this, medical evidence of your incapacity will be required which will include data about your mental health. This information will be treated in the strictest confidentiality.

Legitimate interests

A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. If we rely on our legitimate interest, we will tell you what that is.

CCTV: We have CCTV footage installed on the premises with clearly marked signage. The purpose of this is for security. Our legitimate interest: With regard to the nature of our business, it is necessary to secure the premises, property herein and any staff /volunteers/members or visitors to the credit union.
Voice Recording: We record phone conversations both incoming and outgoing for the purpose of verifying information and quality of service. Our Legitimate interest: To ensure a good quality of service, to ensure that correct instructions were given or taken due to the nature of our business and to quickly and accurately resolve any disputes.

Your consent

We will only carry out processing which is based on your consent and will cease processing once you withdraw such consent

Marketing and Market Research
To help us improve and measure the quality of our products and services we undertake market research from time to time. This may include using the Irish League of Credit Unions and/ specialist market research companies. See section on Your Marketing Preferences.

Art Competition
This credit union is involved with the Art competition in liaison with the ILCU. Upon entry you will be given further information and asked for your consent to the processing of personal data. Your information is processed only where you have given consent. Where the person providing consent is below 16* then we ask that the parent/legal guardian provide the appropriate consent. A separate privacy notice is included in all Art Competition entry forms.

Schools Quiz
This credit union is involved in the Schools Quiz in liaison with the ILCU. The Schools Quiz is open to entrants aged 4 to 13. Upon entry parent/legal guardians will be given further information and asked for their consent to the processing of their child’s personal data. This information is processed only where consent has been given. Where the person providing consent is below 16* then we ask that the parent/legal guardian provide the appropriate consent. A separate privacy notice is included in all School Quiz entry forms.

Officer Information
For officers, we have all information provided when you applied for employment. We also have your contact details, attendance records, bank details, medical certificates, performance reviews as well as grievance & disciplinary records.

For officers who are subject to the Central Bank’s Fitness and Probity regime, we review and retain the information that is provided to us by the members in question. We also conduct checks for Court judgments, disqualifications and administrative sanctions by the Central Bank, other regulators and professional bodies.

Other Information
If you contact us by email, the address from which the incoming email was sent will be evident, as well as the contents of the email.

Where you have given us permission (which you may withdraw at any time) we may, share your data with third parties so that they may send you electronic messaging about their products and offers, use cookies in accordance with our Cookie Policy.


Your Rights in connection with your personal data are to:

To find out whether we hold any of your personal data and if we do to request access to that data that to be furnished a copy of that data. You are also entitled to request further information about the processing.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you rectified.

Request erasure of your personal information. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.

Request the restriction of processing of your personal information. You can ask us to suspend processing personal data about you, in certain circumstances.

Where we are processing your data based solely on your consent you have a right to withdraw that consent at any time and free of charge.

Request that we: a) provide you with a copy of any relevant personal data in a reusable format; or b) request that we transfer your relevant personal data to another controller where it’s technically feasible to do so. ‘Relevant personal data is personal data that: You have provided to us or which is generated by your use of our service. Which is processed by automated means and where the basis that we process it is on your consent or on a contract that you have entered into with us.


You have a right to complain to the Data Protection Commissioner (DPC) in respect of any processing of your data by:

Telephone +353 57 8684800 +353 (0)761 104 800
Lo Call Number 1890 252 231
E-mail info@dataprotection.ie
Postal Address: Data Protection Commissioner
Canal House Station Road
Portarlington R32 AP23 Co. Laois

Please note that the above rights are not always absolute and there may be some limitations.

If you want access and/ or copies of any of your personal data or if you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we send you or a third party a copy your relevant personal data in a reusable format please contact the data protection officer in writing using their contact details below.

There is no fee in using any of your above rights, unless your request for access is clearly unfounded or excessive. We also reserve the right to refuse to comply with the request in such circumstances.

We may need to verify your identity if we have reasonable doubts as to who you are. This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Ensuring our information is up to date and accurate. We want the service provided by us to meet your expectations at all times. Please help us by telling us straightaway if there are any changes to your personal information. If you wish to avail of either of these rights, please contact us at dpo@claremorriscu.ie, or in person or by writing to us.

…with you every step for the way