St. Colman’s (Claremorris) Credit Union Limited Privacy Statement
The purpose of this notice is to provide you with all information necessary for you to understand how we process the personal information we have about you. It is written to comply with Article 12(1) of the General Data Protection Regulations (“GDPR”) which took effect from 25th May 2018. The purpose of GDPR is to protect you against any misuse of your personal information and it does so by ensuring that all entities who collect, use, disclose or otherwise process personal information, do so in accordance with one or more legal justifications.
We collect and use a wide variety of information about different classes of persons including members who don’t have a loan, loan applicants, the spouses/partners of loan applicants, guarantors of loans, staff, volunteers, nominees and service providers.
For membership, the very basic information we need to know is your name and contact details. The anti-money laundering laws amplify this by requiring us to collect, and keep up-to-date, more precise details such as date of birth, gender & photo ID. This must be evidenced from documentation such as passports or utility bills. Revenue oblige us to collect details of your tax residence and PPSN.
To comply with anti-money laundering laws, we also collect high-level information about your occupation, where you work, family circumstances and accommodation arrangements. We do this so that if any unusual transactions on your account, we are in a position to make an informed assessment of whether we have grounds for making a suspicious transaction report to the Gardai & Revenue.
We shall need to assess your repayment capacity should you apply for a loan which will usually require us to conduct a credit check. We use 2 credit registers. The Irish Credit Bureau (“ICB”) is a long-standing credit register which we have been using since 2009. The Central Credit Register (“CCR”) was established by the Central Bank in 2017. We conduct credit checks with both registers. Being older, the ICB has credit histories going back for 5 years whereas the CCR has histories going back to June 2017 only. Using a credit register not only allows us to confirm your existing credit indebtedness and arrears (if any) but it also obliges us to send those registers, details of your loans with us for the lifetime of those loans.
When completing a loan application, we ask you to complete a simple medical questionnaire to ensure that the Loan Protection Cover is available to clear that loan in the event of your death or for serious illness cover, subject to the terms and conditions of the cover.
We also collect all information necessary to support any loan application such as details of employment, bank statements, dependents, whether you rent or own your home etc.
We collect the names of participants in Children’s Quiz and Art Competitions as well as Member Draws. We also record attendance at general meetings.
We have CCTV in operation both inside and outside the credit union. We also record all incoming and outgoing telephone calls.
For staff, we have all information provided when you applied for employment. We also have your contact details, attendance records, medical certificates, performance reviews as well as grievance & disciplinary records.
For members as well as staff, we have the bank account details you provided us to enable money to be sent to your bank account.
For officers who are subject to the Central Bank’s Fitness and Probity regime, we review and retain the information that is provided to us by the members in question. We also conduct checks for Court judgments, disqualifications and administrative sanctions by the Central Bank, other regulators and professional bodies.
If you contact us by email, the address from which the incoming email was sent will be evident, as well as the contents of the email.
We disclose information about you to various parties, mostly where required by law. These include the Central Bank, Revenue, the Gardai (in respect of suspicions of money laundering), the ICB and ECCU, the insurer who provides Loan Protection and Life Savings cover. Our statutory auditors also need to see personal information relating to members, staff and others in order to complete their audit.
We also use a variety of service providers who have access to different kinds to information about you. These include suppliers of our computer systems, cloud storage providers, solicitors, debt collection service providers, internal auditors, risk management and compliance consultants, CCTV maintenance firms, telephone recording equipment providers and other outsourced service providers. In all cases we ensure that these service providers are of good standing & repute and commit to keeping your information safe and secure. They are also prohibited from passing information about you to any other persons.
The main reason we use credit registers is to ensure that loan applicants have not built up a poor lending record with other lenders. Therefore, we check those registers before approving loans. We also send them details of our members’ loans and repayment histories so that other lenders can see if their loan applicants have poor borrowing records with us.
The credit union uses 2 credit registers, the Irish Credit Bureau and the Central Credit Register.
The Irish Credit Bureau (“ICB”) is a private organisation which has been in existence since 1963. Its membership includes over 300 banks, credit unions, local authorities and other lenders. Membership allows lenders to perform credit checks on their loan applicants before approving loans. It also obliges each one to pass details of their borrowers’ credit histories to the bureau so that other members can perform credit checks before approving a loan. Their contact details are at the bottom of this notice.
The Central Credit Register (“CCR”) is being setup by the Central Bank on a phased basis but is due to be fully up and running in March 2019. Membership is not voluntary. The law requires that from 30th September 2018 all lenders MUST conduct credit checks before approving any loans of €2,000 or more.
As stated at the outset, the purpose of this notice is to inform you of various matters relating to the General Data Protection Regulations (GDPR). It also requires that the legal justification is disclosed to the persons in question.
Therefore the disclosures we wish to make are as follows:
It is a condition of applying for a loan that we shall be both conducting an ICB credit check and passing details of your repayment history to the ICB. The legal justification for so doing under GDPR is that it is in the credit union’s Legitimate Interests to do so (i.e. to facilitate a full and accurate assessment of loan applications and avoid over-indebtedness) and it does not infringe your fundamental rights to privacy.
GDPR also makes other legal justifications available to us should we wish to utilise them ¹ however in essence, conducting credit checks on loan applicants is a widely accepted practice for all lenders and there is no known basis for arguing that it infringes the fundamental rights to privacy of the loan applicant. In essence, the only way you can avoid having a credit check conducted is to withdraw your loan application.
The ICB is also using Legitimate Interests as the GDPR justification for its processing of the information that we send them. They have provided us with an information sheet explaining why which we shall give you if you ask.
Another legal justification permissible under GDPR is where the task at hand is required for compliance with a legal obligation. This is the legal justification we are using for;
- Conducting CCR credit checks on loan applications of more than €2,000
- Passing all credit status and histories for loans above €500 to the CCR
However, even though the law does not oblige us to conduct CCR checks on loan applications below €2,000, we still plan to do so, as a matter of policy. We are using the Legitimate Interests justification as set out in 2. Above for this.
Because of the potential sensitivity of credit checks, all loan applicants must sign a statement acknowledging that we shall be conducting credit checks and that they understand what is written in this box.
¹ e.g. To do so is necessary for either the performance of a contract (i.e. the loan agreement) or for compliance with a legal obligation (i.e. s35(2) of the Credit Union Act 1987 as amended)
We do not transfer or allow the transfer of any information about you outside the European Economic Area, which means that all such information enjoys the protections provided by EU law.
The disclosure of personal information to State agencies (e.g. Central Bank, Revenue, Gardai), statutory auditors that we conduct is permitted under GDPR Article 6 because it is required by law. However, for virtually all other things that we do with personal information, including ICB credit checks and indeed any processing of personal information the legal justification for dong it under GDPR is that it is necessary for the purposes of the credit union’s legitimate interests and nothing that we do infringes your fundamental rights to privacy or any other rights available under law or any freedoms arising from those rights.
However, if you think that any collection or use of your personal information is unnecessary, disproportionate or otherwise improper please let us know and we shall be happy to address your concerns. However, our position will be that resolution of any such concerns must not prejudice the legitimate interests of the credit union. If we cannot satisfy you, it may be that your membership, loan application or any other relationship you have with us must be discontinued. If this is unsatisfactory to you, you have a right to complain to the Data Protection Commissioner who will give an independent, authoritative and binding view of whatever matter divides us.
We are most careful to comply with all of our data protection obligations. Specifically:
- When we collect, use or disclose any personal information, we do so fairly and lawfully. This means that we make sure you know why we are collecting your information and what we are doing with it;
- we collect and use it only for specified, explicit and legitimate purpose(s);
- we do not use or disclose it in any way which is incompatible with those purposes;
- we protect it against unauthorised access, alteration, disclosure or destruction, or unlawful use;
- we make sure that all personal information we hold is accurate, complete and where necessary, kept up to date;
- we make sure that when we collect personal information, it is adequate, relevant and not excessive in relation to the purpose for which it was collected;
- We do not keep personal information for longer than is necessary. Most information is retained for 6 years which is a common minimum records retention period required by law. However, if personal information can be lawfully destroyed after a shorter period, we try to do so. We also try to destroy all personal information when we no longer have any need to retain it.
If you ask, we will provide you with a copy of all information we hold about you. Furthermore, if you ask us to correct or destroy any information we hold about you, we will do so, subject to the legal provisions surrounding any such request.
We have a detailed Data Protection Policy which addresses our entire approach to this important topic. A copy of this is available on request. All of our officers, whether paid staff or volunteers, are provided with data protection training regularly. They also sign a confidentiality pledge annually.
We view our obligations in respect of data protection very seriously and any suspected or actual breach is investigated thoroughly with appropriate action taken where necessary.
If you have a complaint about how we have used your personal information, please mark your letter “For the Attention of the Data Protection Officer’’. Under our Complaints Procedures we shall acknowledge your complaint within 5 working days, we shall provide you with the name of the person handling your complaint and try to have a full response within 40 working days. If you are unhappy with how we have dealt with your complaint, you will be able to refer the matter to the Data Protection Commissioner.
Should you have any further questions about any of the foregoing, please ask any of our officers who shall be pleased to help,
- write to us,
- telephone us on 094 9371159 or 094 9541402
- email us at firstname.lastname@example.org
- contact the ICB, CCR or Data Protection Commissioner using the details below:
Central Bank of Ireland
New Wapping Street
North Wall Quay
01 224 6000
CentralBank.ie What is Central Credit Register?