Data Protection Notice to Members
(Effective from 25th May 2018)
Members are encouraged to read this notice which sets out essential information about the personal data we collect from you, how we use and safeguard this information, who we share it with and why, and how long we will keep it on file. It also explains your rights, some of which are new, arising from the General Data Protection Regulation (GDPR).
1. Who we are
Athlone Credit Union Limited (ACU) has been looking after the financial services needs of its members since its foundation in 1966. ACU is a financial cooperative, democratically owned and controlled by our members, and operated for the purposes of promoting thrift, providing credit and other financial services to members, and providing educational services to members for the promotion of their economic, social and cultural wellbeing. Personal data is processed for these purposes and no others.
2. Our approach to Data Protection
We have always appreciated your trust in us to collect, process and protect your personal information and we will continue to look after your information in a way that merits your trust. As a data controller, we are committed to meeting our obligations under the GDPR and have appointed a Data Protection Officer (DPO), who has oversight of our information practices and is responsible for ensuring your rights are fulfilled. The DPO is also a point of contact for members should you have any questions or concerns about your personal information.
You can contact our DPO at email@example.com or write to: Data Protection Officer, Athlone Credit Union Ltd, Credit Union House, Northgate Street, Athlone, Co. Westmeath, N37 F436
3. The information we collect and hold about you
Depending on which of our savings, loans, transaction or other services you use, we will collect different types of information from you or about you. Most of the information we collect is personal, and some of it is very private to you, including information about your financial situation, person(s) you have nominated on your account, and your state of health. Information about health is treated as a “special category”, meaning that we apply additional stringent safeguards against its improper collection, use or disclosure.
We collect and store only the information that we need to look after you as a member and this will include:
Information about you as a member
- Your personal identification and descriptors
- Full name/maiden name/signature
- Current and previous addresses
- Email address; phone number(s) and other contact information
- Age/date of birth
- Marital status
- Partner/spouse; number of dependents
- Names and addresses of person(s) nominated on your account
- Occupation and place of work
- Tax Identification Number/PPS Number
- Proof of identity and address e.g. copy of driving licence/passport and utility bills
- Accommodation status; mortgage or tenancy information
- IP address
- Biometric data including photographic ID, CCTV footage and voice (call) recordings
- Your state of health and related information
- Your bank account or other credit union account details
- Payroll, credit or payment card details
4. How we collect this information
We record and file the identification and contact information and other data that you input into our online or printed forms or provide to us over the phone or in person when you join the credit union.
We can only deal with and communicate with the member, so when you contact us we may need to verify your identity, for example by asking you a security question or looking for some additional detail about your account or dealings with us that only you would know.
When we need information about a nominated person(s) on your account we will obtain that information from you, as the member.
We may record and/or make notes about phone conversations and will always tell you when we do so.
Our website makes limited use of ‘cookie’ technology. A cookie is a piece of text that our server places on your device when you visit our website. The type of cookie we use is “a non-persistent session enabler” which means it is used only to allow your device to communicate with the site while you log-in and use the site; the cookie expires when you log out of the site. We also collect the IP address of any device which is trying to connect with the site and use this to track successful or failed attempts at log-in to your account and the number of attempts made.
5. How we use your information
We use information about you to:
- Set up and operate your credit union accounts on your behalf;
- Meet our obligations to you under the Credit Union’s Registered Rules;
- Provide savings, loan, transaction and other financial and educational services to you as a member;
- Process your Life Saving, Loan Protection or Death Benefit Insurance claims and associated payments;
- Keep our records up to date to contact you when required and provide the best customer service;
- Respond to your requests and provide information;
- Address any complaint you may have about our services;
- Meet our legal obligations and respond to requests from the Central Bank, courts or enforcement authorities;
- Produce internal management information to run our business and identify ways in which we can improve our services;
- Provide relevant information to other financial service providers in the event of you requesting this or when you transfer to another credit union; and
- Perform any other financial services or co-operative activities which we are obliged to undertake, or which we have gained your consent to perform.
To process your information lawfully and fairly, we rely on one or more of the following lawful bases:
- Legal obligation;
- Our legitimate business interests;
- Your consent; and,
- Protecting the vital interests of you or others
Some examples for each lawful basis are given below. Please note that some information is processed under more than one lawful basis:
|Lawful basis||Examples of what we use your information for|
|Legal obligation – we must process this information to comply with our legal obligations.||We process your personal information to identify and authenticate our members.
We share your information with third parties when obliged to do so.
We must continually monitor and update information to satisfy our obligations in respect of anti-money laundering, countering the financing of terrorism and to comply with the financial sanctions regime.|
|Our legitimate interests – legitimate interest means the interests of the credit union in conducting and managing our business when providing financial and educational services. Core legitimate interests of the credit union are to provide the best customer service and to protect our members and employees.
We will assess whether the legitimate interest of the credit union will affect your rights and freedoms as a data subject prior to processing. We implement safeguards to ensure that the processing remains fair and balanced.||We produce internal management information and models to ensure necessary safeguards are in place and to assess the effectiveness of these.
We continually monitor electronic devices to detect and prevent fraud and cyber-attacks. This enables us to protect and secure our member and business information, our IT system and networks and our business interests.
We use an element of automated decision-making for loan-assessment, provisioning and anti-money laundering purposes and to ensure we comply with our legal obligations in those regards.
We also carry out profiling by analysing your demographic and user status, channel preferences and location, in order to identify potentially useful services for you. We use this to design future services offerings and to ensure that any marketing or educational materials we send you are relevant and useful to you.
As part of our membership agreement with you, we have the right to collect payment or money owed to us.|
|Your consent – we require your consent for processing certain information and will ensure this is obtained under the principles:
· Positive action – clear affirmative action is required. We will not use pre-ticked boxes, or imply or assume your consent
· Free will – your consent must be freely given and not influenced by external factors
· Specific – we will be clear on what exactly we are asking your consent for
· Recorded – we will keep a record of your consent and how and when obtained
· Right to withdraw – we will stop any processing that requires your consent once you request this; you can withdraw your consent at any time.||With your consent, we will let you know about new services you might like to avail of. We may do this by post, email, or through digital media.
You can select how you prefer to be contacted on our application forms or by contacting us.
If we ever contact you to get your feedback on ways to improve our services, you have the choice to opt out.|
|Protecting the vital interests of you or others||Sharing information to serve you
Should a situation arise where you are incapacitated and unable to communicate for yourself, we may share relevant information with your authorised representative.
Should you become unable to transact on your account due to a mental incapability and no person has been legally appointed to administer your account, the Board may allow payment to another who it deems proper to receive it, where it is just and expedient to do so, in order that the money be applied in your best interests. To facilitate this, medical evidence of your incapacity will be required which will include data about your mental health. As special category data, this information will be treated with strictest care and confidentiality.|
6. How we keep your information safe
The safety of your information and data is very important to us. We keep our computers, files and buildings secure.
Transit of paper files is strictly limited. Where necessary to have member information available for e.g. Board or Committee meetings, meeting rooms are secure, and no member information is left in the open or on view to external parties.
Incoming post is brought directly to our office and opened by our staff. Outgoing post is either collected from our office by An Post or brought to the Post Office by our staff.
Electronic copy files are stored on our proprietary IT system which requires user authentication to access it. Back-ups of electronic files are stored securely off site. Laptops are encrypted at hard-drive level. Use of memory sticks and other portable drives is limited, restricted to management personnel, and all external drives are encrypted.
All files and hard drives being disposed of are shredded and this is certified by the shredding service provider.
When you contact us by phone to ask about your information, we will ask you to verify your identity.
7. How long we keep your personal information for
To meet our legal and regulatory obligations, we hold your information while you are a member and for a period of time after that. We do not hold it for longer than necessary. To help you understand how long we hold your data for, we have summarised our internal retention schedules below.
Please note that these retention periods are subject to legal, regulatory and business requirements, which may require us to hold the information for a longer period. For example, we must meet minimum retention standards for taxation and audit requirements.
To meet such needs and to protect your interests as well as the credit union’s interests, we may need to hold data for longer than our internal schedules dictate. However, we will not retain data that is no longer needed, and we continuously assess and delete data to ensure it is not held for longer than necessary.
|Document Type||Example Document||Retention Period|
|Account and service information||Membership account opening documents including:
o Documents that identify and authenticate you, e.g. birth certificate, passport, proof of address
o Signed authorisation for deduction at source, standing order or direct debit
o Documents that are required for adherence to law or regulations, e.g. PPSN, copy of marriage certificate / civil partnership||At least 6 years beyond account closure or the member’s death
At least five years after the relationship with the member has ended.|
| ||· Account operation records including instructions, communications and complaints
o Bank details; IBAN
o Transactions and receipts
o Accounting records
· Loan application information is retained for a period of [six/seven] years from the date of discharge, final repayment, transfer of the loan.||At least 6 years beyond completion of the transaction or contract or resolution of the complaint concerned
At least 6 years beyond the expiry of the loan whether by repayment, refinance, transfer or default|
|Other records||o Records relating to legal claims
o CCTV footage and voice recordings||At least 6 years beyond closure of the case|
|Revenue/Tax documentation||o Income tax and DIRT records||At least 6 years beyond completion of the transaction concerned|
8. Your information and third parties
Sometimes we share your information with third parties. We expect these third parties to have the same levels of information protection that we have, and we expect that they provide sufficient guarantees that the necessary safeguards and controls have been implemented to ensure there is no impact on your data rights and freedoms.
We share your personal information with persons or companies with whom we do business and who provide products or services e.g. IT Services that we use in conducting our business, including managing our relationship with our members. Similarly, we may share or disclose personal data to professional advisers, e.g. legal advisers, accountants, auditors, whom we may engage for any reasonable purpose in connection with our business, including assistance in protecting our rights. We will only share or disclose to these parties the information that they need in order to provide the products or services and will expect those parties to ensure that the information is always adequately protected.
Irish League of Credit Unions (ILCU) Affiliation: The ILCU (a trade and representative body for credit unions in Ireland and Northern Ireland) provides professional and business support services such as marketing and public affairs representation, monitoring, financial, compliance, risk, learning and development, and insurance services to affiliated credit unions. As this credit union is affiliated to the ILCU, the credit union must also operate in line with the ILCU Standard Rules (which members of the credit union are bound to the credit union by) and the League Rules (which the credit union is bound to the ILCU by). We may disclose information in your application or in respect of any account or transaction of yours from the date of your original membership to authorised officers or employees of the ILCU for the purpose of the ILCU providing these services to us.
The Privacy Notice of ILCU can be found at www.creditunion.ie
The ILCU Savings Protection Scheme (SPS): We may disclose information in any application from you or in respect of any account or transaction of yours from the date of your original membership to authorised officers or employees of the ILCU for the purpose of the ILCU providing these services and fulfilling requirements under our affiliation to the ILCU, and the SPS.
For the processing of electronic payments services on your account (such as credit transfers, standing orders and direct debits), the Credit Union is a participant of CUSOP (Payments) DAC (“CUSOP”). CUSOP is a credit union owned, independent, not-for-profit company that provides an electronic payments service platform for the credit union movement in Ireland. CUSOP is an outsourced model engaging third party companies, such as a Partner Bank, to assist with the processing of payment data.
Insurance: As part of our affiliation with the ILCU, we purchase insurance from ECCU Assurance DAC (ECCU), a life insurance company, wholly owned by the ILCU. To administer these insurances we may pass your information to ECCU and it may be necessary to process ‘special category’ personal data about you. This includes information about your health which will be shared with ECCU for the purposes of our life assurance policy to allow ECCU to deal with insurance underwriting, administration and claims on our behalf.
We also have to share information with third parties to meet any applicable law, regulation or lawful request including dealing with complaints. For example, we have a legal obligation under the “Return of Payments (Banks, Building Societies, Credit Unions and Savings Banks) Regulations 2008” to report details to the Revenue in respect of dividend or interest payments to members, which include PPSN where held.
In all such cases, we will only disclose the minimum amount of information required to satisfy our legal obligation.
9. International transfers of data
We do not transfer data outside the European Economic Area (EEA).
10. Your personal information rights
This section sets out your rights, when they apply and our responsibility to you. The exercise of your rights might be subject to certain conditions and we might require further information from you before we can respond to your request. You may exercise your rights by contacting our Data Protection Officer at: firstname.lastname@example.org or write to: Data Protection Officer, Athlone Credit Union Ltd, Credit Union House, Northgate Street, Athlone, Co. Westmeath, N37 F436
Accessing your personal information
As a member, you can ask us for a copy of the personal information we hold and further details about how we collect, share and use your personal information. You can request the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Updating and correcting your personal details
You can easily update your personal and contact information by contacting us by email or letter.
If you contact us over the phone to edit or delete any information on your behalf, we will ask you questions in order to verify your identity.
Where we process your data solely on the basis of your consent, i.e. for direct marketing purposes or to obtain feedback from you about our services, you are entitled to withdraw your consent to such processing at any time. You can do this by contacting us by email or letter.
Restriction and objection
You may have the right to restrict or object to us processing your personal information. We will require your consent to further process this information once restricted. You can request restriction of processing where:
- The personal data is inaccurate, and you request restriction while we verify the accuracy;
- The processing of your personal data is unlawful;
- You oppose the erasure of the data, requesting restriction of processing instead;
- You require the data for the establishment, exercise or defence of legal claims but we no longer require the data for processing;
- You disagree with the legitimate interest legal basis and processing is restricted until the legitimate basis is verified.
Deleting your information (right to be forgotten)
You may ask us to delete your personal information or we may delete your personal information under the following conditions:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw your consent where there is no other legal ground for the processing;
- you withdraw your consent for direct marketing purposes;
- you withdraw your consent for processing a child’s data;
- you object to automated decision making;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation.
A request to delete your personal information cannot place this credit union in conflict with existing legislation requiring the retention of the information.
Moving your information (your right to Portability)
Where possible we can share a digital copy of your information directly with you or another organisation. We will provide this information in a structured, commonly used and machine-readable format. Note, we can only share this information where it has been processed electronically (hard copy documents are excluded for portability) and was processed either under your consent or under the lawful basis of provision of a credit union service. In line with GDPR guidance, information that is processed to satisfy a legal obligation or that we process as part of our legitimate business interests, will not be regarded as portable (see section 5 “how we use your information”).
Your right to obtain information cannot adversely affect the rights and freedoms of others. Therefore, we cannot provide information on other people unless legally obliged to do so.
We generally do not charge you when you contact us to ask about your information. Per regulation, if requests are deemed excessive or manifestly unfounded or unreasonable, we may charge a reasonable fee to cover the additional administrative costs, or we may choose to refuse the requests.
11. Making a complaint
If you have a complaint about how we are using your personal information, please let us know, so that we have the opportunity to put things right as quickly as possible. If you wish to make a complaint you may do so in person, by phone, by letter or by email. Please be assured that all complaints received will be fully investigated. You can register a complaint through our DPO and we ask that you provide as much information as possible to help us address your complaint quickly.
You can also complain directly to the Data Protection Commission, and their contact information is:
- Email: email@example.com
- Phone: +353 (0)761 104 800 or LoCall 1890 25 22 31
- Fax: +353 (0)57 868 4757
- Write to: Data Protection Commission, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23
12. Updates to this notice
We will make changes to this notice from time to time, particularly when we change how we use your information, or change our technology and products. You will find an up-to-date version of this notice on our website at www.athlonecreditunion.ie or you can ask us for a copy.