A Credit Union is a member-owned financial cooperative, democratically controlled by its members, and operated for the purpose of promoting thrift, providing credit at competitive rates, and providing other financial services to its members. Data collection, processing, and use are conducted solely for the purpose of carrying out our role as a Credit Union. Naomh Brendan Credit Union’s Privacy Notice refers (together with our Cookies Policy) to our commitment to our compliance to data protection legislation including the Irish Data Protection Acts, Data Protection Act 1988-2018, and the EU General Data Protection Regulation. Throughout this document “we”, “us”, “our”, and “ours” refers to Naomh Brendan Credit Union It is the member’s responsibility to read the Terms & Conditions and Privacy Notice (https://naomhbreandancu.ie/privacy-policy) before entering into a contract with the Credit Union.

Member Privacy’s Notices

The purpose of this single source combined privacy notice is to provide members and related parties with the opportunity to read our privacy information relating to your personal data in one document. This Privacy Notice should be read if any reference is made to any of the following

• Account Opening Privacy Notice
• Lending Privacy Notice
• Mortgage Privacy Notice
• Debit Card Privacy Notice
• Guarantor Privacy Notice
• Nominations Privacy Notice
• Business and Agri Loan Privacy Statement

There are many ways you can contact us, including by phone, email, and post. More details can be seen here https://naomhbreandancu.ie.

Our registered address is
Dunkellin Street,
Loughrea,
Co. Galway
Contact Data Protection Lead DPL@naomhbreandaincu.ie,
Telephone 091 841773

Where changes to this Privacy notice occur, the updated version will be published on our website and where appropriate/possible communicated directly to individuals through a communication channel such as email and/or our social media.

Current version Reference NBCU-PNM-V1.02 September 2024 effective 21 October 2024. Changes are as followings:

New sections added

• Section 20 Foreign exchange services -Fexco
• Section 24 What to do when you change any of your contact details
• Section 25 Tip’s when emailing us your information
• Section 26 Electronic Data

Minor changes to the following sections to enhance the transparency: 4,5,6,7,8,10,12,17

Additions statements provided in

• Section 1 single source combined privacy notice
• Section 5 E Nominees explanation of collecting nominations
• Section 8 Contract explanation were financially linked data
• Section 8 Compliance more details on general compliance
• Section 8 Legitimate Interest new introduction and details if a merger, or using contact details where a member is not responding to communication and additional information on use of debt collector, tracing agent, private investigator, or a solicitor to perform their services
• Section 8 Purposes for contacting members for essential communications
• Section 8 C Nominees updated to the new amount
• Section 10 Essential communications and methods
• Section 11 Enhanced the current statement to ensure you know your requirements when providing us with third party’s data.
• Section 11 Details on third party engagement for mortgages
• Section 16 Added automated decision marking and details of profiling
• Section 17 details on Irish League of Credit Unions (ILCU) Affiliation
• Section 18 Updated Joint Controller for Transact Payments Malta Limited in respect of the Cardholder Data
• Section 19 details of the Independent Controllers for the new Home Energy Upgrade Loan Scheme
• Section 21 Updated to how we determine the criteria to hold your data
• Section 23 Updates on automated decision making

We collect and process your personal data only when such data is necessary in the course of providing our member services to you.  This personal data includes any offline physical data or online data that makes a person identifiable.

We process data for the following groups of individuals where it is necessary:

1. Personal Account members (Single, Joint, and Minor)
2. Club Members
3. Business Member
4. Guarantor
5. Nominee
6. Visual Savings Scheme students
7. School Quiz entrants, winners, and co-ordinators within the schools
8. Art competition entrants and winners

If you apply for or hold an account in joint names or name a guarantor or dependant, you should only give personal information about someone else with their permission.

We are the controller for the personal information we process, unless otherwise stated.

You directly provide us with most of the data we collect.  We collect data and process data when you:

• Open an account
• Apply for membership online or open a member account in person
• Apply for a loan
• Apply for any other product we offer
• Request support which may require additional information
• Enter our competitions
• Voluntarily complete a member survey or provide feedback
• Use or view our website via your browser’s cookies

A.      Member information collected

As part of our services to you as a member, we may need to obtain and process personal data as required where necessary to provide our services such as (if requested, a member of our staff will explain the purpose why any information is required prior to obtaining the data. For example if a member wants to know why the credit union collects verification documents to open an account, the compliance reason will be explained to the member in person as also directed to where it is stated in this privacy notice):

a.       Member [For each member if Joint Account]

Your name, address, Eircode, phone number [landline & mobile], email, previous addresses, title, Nationality, Gender, Accommodation type, Tax Identification/PPSN numbers or foreign equivalent, proof via payslip or health card, proof of address, passport or driving licence details, date of birth, evidence of marital status, signatures, CCTV, Photo ID, Member Account Number, any International Bank Account Number (IBAN), currency information, if using online banking, user unique identifiers,  biometrics-facial recognition & IP address, contactless cards, security details to protect identity, Debit Cards details, beneficial owner details, if applicable political exposed person details, source of funds, employer name and address, application processing and administration records, expected  lodgements, confirmation of tax residence, tax identification number, account transaction details, Stamp 4/5 for non EU nationals, sanction lists (the Credit Union is required to identify if any member is listed for sanctions) interactions with Credit Union staff and officers on the premises, by phone, or email, current or past complaints, Inferred details of special categories of data e.g. payments to trade unions, confirmation of gift letter, occupation, cookie consent and marketing consent.

We may act on the authority of one joint Account Holder to share or allow a third-party access to your member account information. This means, unless we have agreed that we need the consent of each joint Account Holder, or have a legal obligation to get this consent, we will treat the authority of one Account Holder as authorisation on behalf of any other Account Holder(s) for a joint Account. If you instruct us to share or allow a third party access to any Account information for a joint Account you are responsible for ensuring the other Account Holder(s) are aware and permit such access.

Any joint account holder is entitled to access the details and transaction information of the joint account as a whole.

b.      Additional information when applying for a loan

Financial data (including bank and credit card account information), loan repayment status and credit history, credit assessment records, credit data from credit register, judgements searches, living expenses including child care costs, dependents, disposable income and analysis of spend, existing loan contract commitments data, details of the Credit Union products you hold with us, salary, level of education, employment status, relationship with joint borrower, directorships held, employers name and address, period of time with employer, proof of employment & salary,  any court order charges, accommodation status, family details [dependencies] mortgage details, assets and equity, Partners/Spouse banking details & earnings, details of House insurance, life assurance policy, independent valuation on property, pension information, security hold on assets, health information for the assessment of eligibility for the insurance on certain loans

c.       Additional information when applying for a mortgage loan

Valuation reports, land registry folio, certificate of title, life assurance cover documents – these documents contain the following information: name, address, date of birth, property value, medical data, members’ solicitor name, address and contact details, directorships held, relationship with joint borrower, retirement age, first time buyer, pension details.

d.      Additional information when applying for a loan on Spouse/Partner

Your name, address, email, telephone, date of birth, employment details, occupation, employment details, residential status, relationship status and dependents, financial data, wage slips, bank statements, financial data, relationship with member and salary.

e.       Additional information when applying for a loan on Dependent individuals

Relationship with member, ages, reason for dependency, financial needs.

f.        Additional information captured for vulnerable members

Name of a ward of court and proof of a ward. Name and proof of power of attorney, proof of ID, board appoint payment to another if member becomes mental incapacitated and no person has been legally appointed to administer your account.

g.       Additional information captured for entrances to the members draw

Draw numbers and winner details.

h.      Additional information captured for minor accounts

Parent/Guardian-Name, address, email, signature, phone number, proof of ID, consent- authorisation form. Proof of ID for minors- birth certificate or passport, Debit Cards age 12 to 15, MYCU Youth Card.

B.      Club Member information collected

As part of our services to you as a club member, we may need to obtain and process personal data as required where necessary to provide our services such as:

a.       For trustees and relevant officials in the club

Name, address, Eircode, phone number, email, previous addresses, Tax Identification/PPSN numbers (or foreign equivalent), proof of address, passport or driving licence details and, date of birth, signatures, CCTV, Photo ID, , if applicable political exposed person details, account transaction details, Stamp 4/5 for non EU nationals, sanction lists (the Credit Union is required to identify if any member is listed for sanctions), interactions with Credit Union staff and officers on the premises, by phone, or email, current or past complaints, inferred details of special categories of data.

b.      Additional information when applying for a loan

Solicitor details including client bank account, affiliated bodies.

C.      Business Member information collected

As part of our services to you as a business member, we may need to obtain and process personal data as required where necessary to provide our services such as:

a.       For business owners/Directors

Name, address, Eircode, phone number, email, previous addresses, Tax Identification/PPSN numbers (or foreign equivalent), proof of address, passport or driving licence details, date of birth, signatures, CCTV, Photo ID, Member Account Number, if using online banking, user unique identifiers,  biometrics-facial recognition and IP address, beneficial owner details, if applicable political exposed person details, account transaction details, Stamp 4/5 for non EU nationals, sanction lists (the Credit Union is required to identify if any member is listed for sanctions), interactions with Credit Union staff and officers on the premises, by phone, or email, current or past complaints, Inferred details of special categories of data e.g. payments to trade unions.

b.      Additional information when applying for a loan

Financial data (including bank & credit card account information), loan repayment status and credit history, credit assessment records, credit data from credit register, judgements searches, disposal income and analysis of spend, existing loan contract commitments data, details of the Credit Union products you hold with us, occupation, level of education, bank statements, income details,  mortgage details on assets, assets and equity, financial statements, cashflow projections, health information, details of insurance, health information for the assessment of eligibility for the insurance on certain loans.

D.      Guarantor

As part of our loan approval, we may need to appoint a guarantor, in such cases we need to obtain and process personal data on the guarantor as required where necessary such as:

Your name, address, Eircode, phone number, email, previous addresses, Tax Identification/PPSN numbers (or foreign equivalent), proof of address, proof of ID passport or driving licence (physical verification only), date of birth, signatures, CCTV, Member Account Number if applicable, occupation, employer details, period of time with employer, bank statements, income/payslips details, credit check, list of outstanding debts and repayment amounts

E.       Nominee

The Credit Union Act 1997 (as amended) allows members to nominate a person(s) to receive a certain amount from their account on their death, subject to a statutory maximum. To fulfil our role, we may need to obtain and process personal data on the nominee as required where necessary either at the nomination stage or the payment stage, such as

Your name, address, Eircode, phone number, email, previous addresses, proof of address, passport or driving licence details, date of birth, signatures, CCTV, Member Account Number if applicable, relationship with member who they are being nominated by.

Nominations

F.  Visual Savings Scheme students (who are existing members of the Credit Union)
We may collect store and use the following categories of personal information about you where necessary:

In addition to the students account details the following is captured Parental/Guardian Consent for School Savings Scheme, the child’s account no, home address, and school attended.

F.       School Quiz, winners and co-ordinators within the schools

Each year around 25,000 school children around Ireland take part in the Credit Union Schools Quiz. The Quiz is about encouraging learning and teamwork among young schoolchildren. Applications are received by the Credit Union. As part of our role in organising the quiz, we need to obtain and process personal data as required where necessary such as:

School Name, address, school number, school contact name and phone, team names, team data of birth, confirmation of consent from the teacher, parents/guardians’ consent, photos of team, and winners.

G.      Art competition entrants and winners

The Irish League of Credit Unions (ILCU) and our Credit Union collects your information and that relating to your parents or legal guardian for the art competition. We are primary data controller of the personal information you give us. Chapter will be considered a data controller for stage 2 (Regional level). The ILCU will be considered a data controller for the purposes of stage 3 (National level).  As part of our role in organising this competition, we may need to obtain and process personal data as required where necessary such as:

a.       General category

Age range, name, date of birth, home address, email address, school/college/club organisation, consent to use photographic images, signature parents/guardians’ consent.

b.      Extra information for Additional needs category

Group team entry, inferred medical data.

Sensitive data is known as special categories of data in Data Protection law. Special categories of data are defined by GDPR as processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. We may collect the following special categories of data where necessary:

• For loan assessments or insurance products with ECCU we may collect health data
• As part of AML, we are required to capture politically exposed persons and the country of origin
• Where a member makes payments to an organisation which may infer one of the types of special category data e.g. trade union or religious subscriptions
• Where a member chooses to join via “online onboarding”, their facial verification is used via biometrics.

We will process special categories of personal data in the following circumstances:

1. In limited circumstances, with your explicit written consent.
2. Where we need to carry out our legal obligations and in line with our data protection policy.
3. Where it is needed in the public interest, and in line with our data protection policy.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

The Credit Union is required to identify if any member is listed for sanctions and do so using the Dow Jones.

The Credit Union is required to identify if any applications for membership or existing members are listed for sanctions and do so using the Dow Jones.

Where is it necessary for the service provided, we may receive your data indirectly from the following sources:

• Related party information where a member is also an employee, volunteer or board of director
• Loan applications where member is self-employed to confirm tax clearance for example your accountant
• Account Information Services Provider (AISP)
• When you are named in an insurance policy application
• Credit reference agencies- Central Credit Register and Irish Company Search Sites
• Dow Jones
• Public agencies such as property registration authorities, the Companies Registration Office or judgement registries, Insolvency Services Ireland Registries
• Edited Electoral Register
• Farm grant payments published
• Published Revenue commissioner default payers list
• Published media reporting relating to your financial position
• Third party tracing agent
• Debt collection agents
• A member provided your data where you are the guarantor, the spouse, the dependent individual, in such cases the member obtains consent from the adults to capture their data
• ECCU Assurance DAC
• Judgement searches available
• A member who nominated you to obtain their funds
• Payee to your account

School on your behalf as an entrant to a competition

We collect your data based on the following legal basis:

Consent

Where you have explicitly agreed to us processing your information for a specific reason such as

• Members
  • Collecting your data in the event that you apply for a loan, we may require certain special categories of data such as your health information where no other lawful basis exists
  • A member provided third party’s data
    • as a guarantor,
    • the spouse,
    • the dependent individual,

in such cases the member obtains consent from the adults to capture their data

• Photograph on your member account for verification
• Where a member consents to join via “online onboarding”, their facial verification is used via biometrics.
• Provide instructions by e-mail, including a link to the portal of an Account Information Services Provider (‘AISP’)
• Member preferences to receive electronic statements and AGM booklets,
• Radio frequency tags used in contactless cards
• Use of members location data
• Marketing (see section 14)

• Art Competition entries
• Any individual
  • Photograph or videos for publication at events
• Cookie (see cookie policy)
• Member Draws
• TY Students (Consent forms for participation in TY NBCU programme)

Right to withdraw consent at any time

Where consent is relied upon as a basis for processing of any personal data, you will be presented with an option to agree or disagree with the collection, use or disclosure of personal data. Once consent is obtained, it can be withdrawn at any stage.

We will hold a list of all individuals who have withdrawn their consent to ensure there is a record of their objection to direct marketing. We will hold a minimised amount of Personal Data in order to uphold this request.

Contract

Processing is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract. We will collect your data in order to consider your application for membership of the Credit Union. Where you have opened a member account or obtained a loan and signed up to the contractual terms in our T&C’s, it is necessary to process your data for the administration of accounts, payments, deposits, lending and credit decisions. Processing may be necessary for the performance of a contract such as:

• Administrative Purposes
  • Opening Credit Union account
  • Manage and administer members accounts, transactions, policies, benefits or other products and services that the Credit Union or partners e.g., ECCU may provide the member with
  • Loan assessments,
  • To manage and respond to a complaint or appeal.
  • To help improve service as agreed in the T&C to members
  • For the processing of electronic payments services on the member account (such as SEPA direct debts, credit transfers, standing orders and direct debits), the Credit Union is a participant of Payac.
  • Providing current account services via MyCU
  • Providing online banking
  • Automated teller machine services
  • School savings programme
  • Euro drafts
  • Bureau de change “Fexco” where we are the data processor for these transactions
  • Insurance services
  • Complying with binding requests for information from other payment service providers the member has instructed to act on their behalf
• Guarantors
  • As part of a member loan conditions, the Credit Union may make the requirement for the appointment of a guarantor a condition of the member loan agreement, for the Credit Union to ensure the repayment of loan.
• Security
  • To secure repayment of the loan, it may be necessary to obtain security such as a charge on your property or other personal assets.
• Establish the members eligibility for our products and services
• Credit Assessment
  • Carry out credit reviews for loan underwriting
  • Utilises this information to assess member loan application in line with the applicable legislation and Credit Union lending policy.
  • to carry out credit reviews and to search for details of your credit history and information at credit bureaus/agencies, including the Central Credit Register. Where we make these searches, agencies may keep a record of the search.
• Insurance
  • certain loans must apply to ECCU for Loan Protection (LP). It may be necessary to process ‘special category’ data, which includes information about members health.
• Insurance Services on an introduction basis
• Home Loans/Mortgages
  • To maintain and administer home loans/mortgages we may need to share your information with our solicitors
• To contact you by post, phone, text message and email Make essential communication to provide products and services to the member
• Manage and respond to a complaint or appeal
• Recover debts the member may owe
• Member draws

If you are financially linked to another member in the context of a particular shares or loan account, a financial association may be created between your records and the other member’s records, including any previous and subsequent names used by you (for example, if you apply jointly or one is guaranteeing the debts of another). This means that we may treat your financial affairs as affecting each other. These links will remain on your and the other member’s account until you or other member terminate that link. We may make searches on all joint applicants, and evidence of that search will be left on all applicants’ records.

Compliance

We must meet our duties to the Regulator, the Central Bank of Ireland and comply to our legal obligations. We may also share personal data with certain statutory bodies such as the Department of Finance, the Department of Social Protection and the Financial Services and Pensions Ombudsman Bureau of Ireland and the appropriate Supervisory Authority if required by law.

Where it is necessary and proportionate, we may allow authorised people to see our records (which may include information about you) for reporting, compliance and auditing purposes. For the same reason, we will also hold the information about you when you are no longer a member.

Processing may be necessary for compliance with a legal obligation:

• Retaining member records and details of individual transactions for the time periods as required by law. For example, the Consumer Protection Code.
• Preparing returns to regulators and relevant authorities.
• Complying with court orders arising in civil or criminal proceedings.
• Where required to comply with our obligations under the Payment Services Regulations relating to fraud prevention.
• Preparing returns to regulators and relevant authorities including preparing Deposit Interest Retention Tax, Common reporting standard (Where a member is tax resident in another jurisdiction), Prudential Return https://www.centralbank.ie/regulation/industry-market-sectors/credit-unions/reporting-requirements and other CBI & revenue returns. Under the “Return of Payments (Banks, Building Societies, Credit Unions and Savings Banks) Regulations 2008” Credit Unions are obliged to report details to the Revenue in respect of dividend or interest payments to members, which include PPSN where held.
• Report on Central Credit Register (CCR) Register https://www.centralbank.ie/regulation/industry-market-sectors/credit-unions/reporting-requirements and https://www.centralbank.ie/regulation/industry-market-sectors/credit-unions/reporting-requirements and, where relevant, conducting searches on CCR
  • Where a loan is applied for in the sum of €2,000 or more, the Credit Union is obliged to make an enquiry of the Central Credit Register (CCR) in respect of the borrower. Where a loan is granted in the sum of €500 or more, the Credit Union is obliged to report both personal details and credit details of the borrower [and guarantor] to the CCR.
• Ireland Safe Deposit Box Bank and Payment Accounts Register (ISBAR)
  
  The information that the Credit Union will be required to send includes the IBAN, account name, date of account opening, date of account closing; the name, address and date of birth of the account holder; the name, address and date of birth of the beneficial owner of the account; and the name, address and date of birth of any person authorised to act on the account. https://www.centralbank.ie/regulation/anti-money-laundering-and-countering-the-financing-of-terrorism/ireland-safe-deposit-box-bank-and-payment-accounts-register-(isbar)

ISBAR is operated by the Central Bank of Ireland. The purpose of ISBAR is to hold information on accounts identifiable by IBAN (including account holders, beneficial owners and signatories), and information on safe deposit box services provided by credit institutions in Ireland, and to enable legally prescribed authorities to search and retrieve information. Further information (including the Central Bank’s Data Privacy Notices) can be found at https://www.centralbank.ie/regulation/anti-money-laundering-and-countering-the-financing-of-terrorism/ireland-safe-deposit-box-bank-and-payment-accounts-register-(isbar)

• Beneficial Ownership Register for Certain Financial Vehicles

The Credit Union must update the Beneficial Ownership Register with relevant information on the beneficial owners of Certain Financial Vehicles (CFV)  held by Central Bank State, where the PPS number as a validation mechanism for the information being delivered to the register https://www.centralbank.ie/regulation/anti-money-laundering-and-countering-the-financing-of-terrorism/beneficial-ownership-register.

• Report to the European Union Cross-Border Payments Reporting (“CESOP”) https://www.revenue.ie/en/companies-and-charities/international-tax/cesop/reporting-payments.aspx,

Under this package, from January 2024 all payment service providers which provide services in the EU will submit data on certain cross-border payments received by account-holders which originated in other EU Member States. Payment service providers will submit this data to the tax administrations in each EU member state in which they provide their services. 

This cross-border reporting requirement is part of a larger EU programme which is designed to modernise current cross-border VAT procedures and to make it easier for businesses to meet their VAT obligations. The new cross-border payments reporting requirement will help tax administrations to support compliant businesses by identifying businesses which do not comply with their cross-border VAT obligations.

• Report to the Central Register of Beneficial Ownership of Trusts (“CRBOT”) https://www.revenue.ie/en/crbot/index.aspx

• legal obligation to file reports on the Central Credit Register in accordance with the Credit Reporting Act 2013. https://www.irishstatutebook.ie/eli/2013/act/45/enacted

• Where you obtain a house loan from us, it will be necessary for the Credit Union to obtain a first legal charge on the property to be purchased and it will be necessary for us to process your personal data in order to register this charge or have this charge registered on our behalf.
• Connected/Related Party Borrowers
  • We are obliged further to Central Bank Regulations to identify where borrowers are connected in order to establish whether borrowers pose a single risk. We are also obliged to establish whether a borrower is a related party when lending to them, i.e., whether they are on the Board/Management Team or a member of the Board/ Management team’s family or a business in which a member of the Board /Management Team has a significant shareholding.

• Establishing members identity, nationality, residence, and tax status in order to comply with law and regulation concerning taxation and the prevention of money laundering, fraud and terrorist financing. Screening applications that are made to us to ensure we are complying with the international fight against terrorism and other criminal activities. As a result, we may need to disclose information to government and other statutory bodies.
• Providing the member with statutory and regulatory information and statements
• Complying with requests from regulatory bodies, including the Central Bank of Ireland.
• Complying with court orders arising in civil or criminal proceedings
• Complying with Assisted Decision-Making (Capacity) Act where you may be vulnerable
• Comply with all other laws and regulations.
• As this Credit Union is affiliated to the ILCU, the Credit Union must also operate in line with Irish League of Credit Unions (ILCU) Standard Rules (which members of the Credit Union are bound to the Credit Union by) and the League Rules (which the Credit Union is bound to the ILCU by)
• To report and respond to queries raised by regulatory authorities, law enforcement and other government agencies such as the Central Bank of Ireland and An Garda Siochana
• To meet obligations under the Credit Union Standard Rules & The Credit Union Act, 1997 (as amended)
• To maintain a register of members of the Credit Union
• To communicate all mandatory service communications such as providing notice of the AGM
• Nominate person
  • The Credit Union Act 1997 (as amended) allows members to nominate a person(s) to receive a certain amount from their account on their death, subject to a statutory maximum.
• Purpose of the loan
  • The Credit Union is obliged to ensure that the purpose for the loan falls into one of the Credit Union categories of lending.
• To meet legislative and regulatory duties to maintain audited financial accounts
• To meet our health and safely compliance
• For the establishment, exercise or defence of legal claims.

Set out below are the main legal instructions, and regulations and legislation the Credit Union must be compliant with.  We will also comply with the following legislation and, other legislation as required. A member of our team will be able to answer a question you may have as to why we need certain data to provide our member services to you.

• Credit Union handbook https://www.centralbank.ie/regulation/industry-market-sectors/credit-unions/credit-union-handbook
• Credit union act 1997 (regulatory requirements) (amendment) regulations 2020 https://www.irishstatutebook.ie/eli/2020/si/675/made/en/pdf
• Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021
• (Act 3 of 2021) https://www.centralbank.ie/regulation/anti-money-laundering-and-countering-the-financing-of-terrorism

• Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020 (Bill 23 of 2020) https://www.oireachtas.ie/en/bills/bill/2020/23/
• I. No. 579/2012 - European Union (Consumer Credit Agreements) (Amendment) Regulations 2012. https://www.irishstatutebook.ie/eli/2012/si/579/made/en/print
• Minimum Competency Code 2017 (MCC 2017) and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48 (1)) Minimum Competency Regulations 2017 (MCR 2017) https://www.centralbank.ie/regulation/how-we-regulate/authorisation/minimum-competency#:~:text=The%20MCC%202017%20specifies%20certain,Supervision%20and%20Enforcement)%20Act%202013.
• European Union (Consumer Credit Agreements) (Amendment) Regulations 2012. https://www.irishstatutebook.ie/eli/2012/si/579/made/en/print
• European Union (Payment Services) Regulations 2018, https://www.irishstatutebook.ie/eli/2018/si/6/made/en/print
• Consumer Protection Code 2012 Guidance https://www.centralbank.ie/regulation/consumer-protection/consumer-protection-codes-regulations
• European Union (Payment Services) Regulations, 2018 https://www.centralbank.ie/regulation/psd2-overview/psd2 https://www.irishstatutebook.ie/eli/2015/act/64/enacted/en/html
• Credit Union (Amendment Act 2023 https://www.irishstatutebook.ie/eli/2023/act/34/enacted/en/html

In the case of a default of a loan, provision of section 71(2) of the Credit Union Act 1997  allows a credit union to disclose a member’s account information where the Central Bank of Ireland is of the opinion that doing so is necessary to protect shareholder or depositor funds or to safeguard the interests of the credit union.

Under the “Return of Payments (Banks, Building Societies, Credit Unions and Savings Banks) Regulations 2008” credit unions are obliged to report details to the Revenue in respect of dividend or interest payments to members, which include PPSN where held.

Public interest

The processing of personal data for the purposes of the prevention of money laundering and terrorist financing is considered to be a matter of public interest, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018L0843

Legitimate interest
Legitimate Interests means the interests of the Credit Union in conducting and managing our business to enable us to give you the best service and the best and most secure experience.

When we process your personal data based on our legitimate interests, we carefully consider the impact on you and uphold your rights under data protection laws to objective where applicable. Our legitimate business interests do not automatically take precedence over yours. We refrain from using your Personal Data for activities that would negatively impact you unless we have your consent, or we are legally required or permitted to do so.

Outlined below are the ways we process your data for our legitimate interests. If you have any concerns about this processing, you have the right to object. For more information on your rights, please refer to the "Your Rights" section below.

Processing of your personal data may be necessary for the purposes of a legitimate interest pursued by us in any of the following:

To develop and execute the strategy 

• To develop and implement the current and future strategy. Assess the current and future performance, as this enables the credit union to improve its services to the members.
• To maintain financial stability and ensure long-term growth.
• By analyzing member data, the credit union can better understand member needs, optimize product offerings, and enhance operational efficiency. This not only helps meet regulatory requirements but also supports the credit union’s mission to serve its members responsibly and sustainably, fostering a strong, member-centric financial institution.

To offer our loan products

• Use of Credit Assessment and Credit Reference Agencies as Credit Union must lend responsibly. We will use your credit scoring information in order to determine your suitability for the loan applied for. When using the service of a credit referencing agency, we will pass them your personal details and details of your credit performance.
• In carrying out our loan underwriting, we capture and use a range of Personal Data in order to assess factors affecting those risks, for example age, location and claims history.
• As part the loan underwriting process we may access third-party databases or publications as stated in Section 7. We carry out searches in order to assess your credit worthiness to repay a loan, for our own benefit and therefore the benefit of its members, we must lend responsibly and will use your credit scoring information in order to determine your suitability for the loan applied for. In carrying out such a search we can better determine your overall financial position in order to lend to you.
• Share your member data with Account Information Services Provide (AISP) to facilitate the online loan approval process when the member authorises us to do so.
• Where a member breaches the loan agreement the Credit Union may access third-party databases as stated in Section 7 and use the service of a debt collection agency, solicitors or other third parties to obtain updated contact information for you to recover the debt.
• Where the Credit Union is using a third party to assist with recouping any outstanding debt due to us by you, the Credit Union may provide your specific personal data held on file by us, which is necessary, to the third party such as a debt collector, tracing agent, private investigator, or a solicitor to perform their services. We may provide then with details of the indebtedness in order that they recover the outstanding sums. We will take the necessary steps to recover a debt to protect the assets and equity of the Credit Union.
• Tracing agency, where the address you have provided is no longer accurate and the Credit Union needs to either contact you or provide you with documentation in relation to the products or services you have obtained from us.
• Use of a Private Investigator to locate the member in the event that they fail to make repayments on member loan and/or fail to make contact with the credit union when required. We will first investigate all other less invasive means to make contact with the member.
• Where a member is not responding to correspondence from the Credit Union at their most recent verified address, the credit union may send correspondence to any other address provided by the member, for example, a different address stated on a bank statement provided as part of the loan assessment. This will only occur if the Credit Union deems it necessary, such as, default in a loan where the Credit Union has exhausted other communication channels provided by the member.
  
  

General operations

• Use of CCTV on our premises to safeguard the health, safety and security of all resources
• keep a record of your instructions
• Conduct Member Satisfaction Surveys to provide information on the quality of our services and products
• Use your member data to operate the Credit Union’s business on a day-to-day basis
• To provide service information (including sending service-related messages),
• To improve the Credit Union service quality
• To enhance the training for our staff.
• To establish, exercise and safeguard our rights, (including where necessary to take enforcement action) and to respond to claims made against the Credit Union.
• To safeguard the safety and security of the employees, IT systems and devices, property, and member, buildings, information located or stored on the premises, and assets, and those of service providers, consultants, and advisors that assist the Credit Union in carrying out its functions.
• In the prevention and detection of fraud
• To keep members informed about the services the Credit Union are currently providing.
• The Credit Union may in the future wish to sell, transfer or merge part or all of its business or assets or to buy a new business or the assets of another Credit Union or enter into a merger with another Credit Union. If so, we may disclose your personal information under strict duties of confidentiality to a potential Credit Union and their advisers, so long as they agree to keep it confidential and to use it only to consider the possible transaction. If the transaction goes ahead, the new Credit Union may use or disclose your personal information in the same way as set out in this Privacy Notice. You will be informed about any mergers prior to your data being shared

Where lawful basis is a statutory or contractual requirement, if a member is obliged to provide the personal data, failure to provide this information may result in us being unable to provide a member saving account or provide a member a loan or other services.

We are a financial co-operative formed to allow members to save and lend to each other at fair and reasonable rates of interest. We are a not-for-profit organisation with a volunteer ethos and community focus. We process your data to provide this service.

You agree that any data you provide to us will be true, complete, and accurate in all respects and you agree to notify us immediately of any changes to it. See section 24 if you need to inform us of a change.  We will only collect personal information from or about you which is necessary for the following purposes:

We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the basis which allows us to do so.

A. All Members (Joint, Club, Business)

The credit union may contact the member, where it is necessary, regarding services it provides or to inform the member of relevant changes to the existing service where such changes occur. The credit union will select the most appropriate method of media such as email, letter, phone, SMS for each situation. Such communication is deemed "essential" to the terms of the service and such communication will not constitute marketing.

• To provide and administer our member accounts per the terms of service under contract as stated in Section 8
• To meet our legal and compliance obligations and requirements under the Rules of the Credit Union, Central Bank Regulations, Anti money laundering and any other relevant compliance as stated under compliance in Section 8 for all services provided
• To maintain our relationship with you whilst you are a member and investigate any complaints or disputes or accidents
• Contact you for direct marketing purposes, subject to restrictions under the relevant laws, including the right to opt out of such marketing
• Provide you with information relating to all our products
• To provide essential communication with you, including to respond to information requests submitted
• To obtain your feedback on all our products and services
• To notify you about changes to contracted services relevant to you
• When acting as an insurance intermediary, to meet our obligations.
• We collect spouses’ details where relevant to assess the joint earnings to ensure the member has the means to meet the repayments
• To provide our member draws
• To identify death beneficiaries
• To report on related party transactions when members are employees or board members
• To assist vulnerable members with special needs.

a. For loans

• As part of loan assessment, identify dependent individuals to establish net disposal income available to pay back loan
• Verifying the information provided by you in the application
• To obtain credit references, credit checks and for debt collection, fraud detection and prevention and risk management purposes and to make submissions to the Central Credit Register.
• Assessing your loan application and determining your creditworthiness for a loan as stated under legitimate interest in Section 8.
• To apply to ECCU for your free Loan protection & Life Savings Cover where the Credit Union needs to establish if your loan is fully covered and if there are any exclusions regarding the Insurance. This protection and cover is only available to individual members on certain loans.
• Credit Reporting: Where a loan is applied for in the sum of €2,000 or more, the Credit Union is obliged to make an enquiry of the Central Credit Register (CCR) in respect of the borrower. Where a loan is granted in the sum of €500 or more, we are obliged to report both personal details and credit details of the borrower to the CCR.
• We collect information about the guarantor to ensure the loan can be repaid in the event of default by the member
• We collect dependent individuals’ expenditure needs to assess the net disposal income of the member.
• To establish new contact details where your details have changed and you have not advised the credit union of this change
• Administering the loan, including where necessary, to take steps to recover the loan or enforce any security taken as part of the loan.
• Property Loan: Where you obtain a property loan from us, it will be necessary for us to obtain a first legal charge on the property to be purchased and it will be necessary for us to process your personal data in order to register this charge or have this charge registered on our behalf.

B. Guarantor

• To have person to undertake to repay the loan if the member for whatever reason, is unable to repay.
• To assess if you can demonstrate the ability to repay the loan where you will need to disclose your financial information and agree to a credit check being carried out.
  C. Nominee

The ability of a member over the age of 16 to nominate individuals to receive property in their credit union account on their death is a unique facility available for credit union members under the credit union legislation by which we operate. The nominated property does not form part of a deceased person’s estate.

• To record the wishes and instructions of the member
• To pay the nominee of choice your property/savings- presently up to a maximum value of €23,000 predate of death 21.2.2024, €27,000 affected from 22.2.2024
• To update where necessary as member may change the details of their nomination as often as they like. The most recent nomination is the valid nomination.

D. Visual Savings Scheme students (who are existing members of the Credit Union)

• To provide a saving scheme for members attending school where the Credit Union collects the lodgements
• To provide a saving card to the members
• To enable the member to transfer the saving into their Credit Union member account.

E. All Competitions and School Quiz, winners, and co-ordinators within the schools

• To provide the competition per the Terms/Rules signed up to by the entrant
• Administer the competition
• To contact the winner
• To deal with queries
• Capture photographs of the winners to be used in advertising and publicity where consent obtained
• To meet our requirements to host a stage of one of the national competitions. Entries must be submitted directly to our Credit Union only.
• We will inform the Chapter (Regional level) of our winners to be brought forward to Stage 2, at this point the Chapter becomes an independent data controller. The winners of Stage 2 will progress to the national final Stage 3 where the Irish League of Credit Unions (ILCU) becomes an independent data controller.

F. Delegated authority acting on behalf of a member

• To facilitate a third party to conduct transaction on behalf of a member, where the member nominates such person to act on their behalf e.g., a member incapacitated or a minor where the parent nominated an individual to operate the minors account.

G. General

• To provide this website to you and respond to your queries
• To comply with all relevant laws
• To manage your safety and security while you are on our premises
• To facilitate the prevention, detection and investigation of crime and the apprehension or prosecution of offenders
• To investigate, exercise or defend legal claims or other claims of a similar nature
• To obtain consent from any individual for the purposes of publishing photos/video of such person.

If you are providing personal information on behalf of a third party, you must ensure that the third party receives a copy of this Privacy Notice before their personal information is shared with us (e.g., spouse, minors, Related Parties as defined in the Credit Union handbook). Before you disclose general information or joint account information (where you are one of the joint account holders) to us about another person, you should be sure that you have their agreement to do so.

In the event, you are providing financial information from a third party to be used as part of the loan assessment application, written authorisation confirming you have provided them with a copy of this Privacy Notice should be provided to us before we can use the third parties’ data, in advance of submission of the application .

Where you are providing a name of a nominee to your shares, the nominee does not need to be informed until such time as they will receive the funds.

You do not need to provide this Privacy Notice in the following situations

• the individual already has the information
• obtaining or disclosure such information is expressly laid down in the law to which the Credit Union must comply and which provides appropriate measures to protect the individual’s legitimate interests
• where the personal data must remain confidential subject to an obligation of professional secrecy regulated by law.

We collect this data in a transparent way and only with the full knowledge of interested parties.  Once this information is available to us, the following rules apply.

Our data will be:

• Accurate and kept up to date
• Collected fairly and for lawful purposes only
• Processed by us based on either a valid contract, consent, legal compliance or legitimate interest
• Protected against any unauthorised access or illegal processing by internal or external parties.

Our data will not be:

• Communicated to any unauthorised internal or external parties
• Stored for longer than required for the purpose obtained
• Transferred to organisations, states, or countries outside the European Economic Area without adequate safeguards being put in place as required under Data Protection Law.

Our commitment to protect your data:

• Restrict and monitor access to sensitive data
• Develop transparent data collection procedures
• Train employees in data protection and security measures
• Build secure networks to protect online data from cyberattacks
• Establish clear procedures for reporting privacy breaches or data misuse

Establish data protection practices (e.g., document shredding, secure locks, data encryption, frequent backups (either on premise or the cloud), access authorisation etc.).

We do not provide marketing to children.

Marketing

As part of improving our service to you, from time to time, we would like to inform you of goods, services, competitions and/or promotional offers available from us. We may wish to use different means when sending such marketing communications.

We may use your personal information to make you aware of products and services which may be of interest to you. We can do this by using some of the personal information we hold about you to better understand your needs. It includes information you tell us and information we collect when you use our products or services. This information helps us to understand which products, services, and offers may be relevant for you based on your profile. It is in our and our member’ interests to use personal information this way to better understand our members’ needs and preferences so that we can create more tailored and suitable marketing messages. We will use the following information about you to enable us to plan our marketing campaigns for examples:

• Types of loans
• Your spending and saving habits
• Use transaction history/ account information
• Insurance or assurance linked to a product

We can reach out to you with this information in all sorts of ways:

• through Mobile App
• by e-mail
• post
• telephone

We may share your data with third parties’ software and marketing providers so that they may send you messaging on our behalf.

Opt in

Where you have consented to marketing by opting in to marketing, we will send you marketing.

You have a right to notify us free of charge at any time that you wish to refuse such marketing by writing to us at our address at the top of this document or by using the "opt-out" options in any marketing message we send you.

Automated processing

We use systems to make automated decisions based on personal information we have – or are allowed to collect from others – about you or your organisation. When you apply for a loan, we use data from different sources to look at your ability to repay the loan. We also use information provided by you and information from third parties such as credit reference agencies. The information we process for automated lending decisions includes Income, financial statements, transaction history, salary, spending and bills, credit rating, other loans held by you.

You can object to a decision based on automated processing, you can contact us at DPL@naomhbreandaincu.ie

We do not conduct automated decisions which produces legal effects concerning any of our members.

Profiling

We do not conduct profiling on children.

We are committed to protecting your privacy and ensuring transparency in how we use your personal data. As part of our ongoing efforts to provide tailored services and improve our offerings, we may use profiling to assess your financial behaviour and preferences. Profiling allows us to better understand your needs, conduct loan assessments, anti money laundering, recommend relevant products or services, and manage risks effectively.

What is Profiling?

Profiling involves the automated processing of your personal data to evaluate certain aspects of your financial behaviour. This may include analysing your transaction history, loan activity, savings patterns, or other interactions with the credit union. Profiling helps us make informed decisions on creditworthiness, fraud prevention, and personalised offers.

We do not conduct profiling which produces legal effects concerning any of our members.

You have the right to object to the use of your personal data for profiling purposes. If you wish to exercise this right, you can contact us at DPL@naomhbreandaincu.ie, and we will review your request.

Your personal information may also be processed by other organisations on our behalf for the purposes outlined above. We may disclose your information where necessary to the following

Auditors

To meet our legislative and regulatory duties to maintain audited financial accounts, we appoint an external and internal auditor. We will allow the internal and external auditor to see our records (which may include information about you) for these purposes.

A. All categories of individuals

• We have a legitimate interest to share your personal data with our approved outsourced third-party providers, such as IT Service Providers including Cloud Providers, legal advisors, business advisors, debt collectors, couriers, shredding company, security company, printing company, CCTV company, administration services, internal and external auditors, insurers, marketing consultants or subcontractors

B. Personal Account Members, Guarantor Club Members and Business Members

• Where you authorised individuals to act on your behalf for example ward of court/Power of Attorney
• Third parties we need to share your information with order to facilitate payments or services you have requested. Examples include: Banks, Credit Unions, An Post or payment service providers, payment schemes or systems (e.g. MasterCard), merchant acquirers and providers of payment processing services;
• Those you ask us to share your information with.
• Where you instruct an Account Information Service Provider (AISP) to provide us with your data. The AIS service change enables the Credit Union to connect directly with the Member Bank account to extract historical transaction and balance information.
• When you apply to us for insurance and receive insurance we will collect and share your data with ECCU Assurance DAC per the Terms and Conditions of product you signed up to.
• Where we share your joint account details and transactions with the other holder of the account
• Following your instruction, we will share your information with your guarantor or nominated person at point of payment
• We have a legitimate interest to share your personal data for the processing of electronic payments - services on your account (such as credit transfers, standing orders and direct debits, card based payments). The Credit Union is a participant of Payac. Payac is a Credit Union owned, independent, not-for-profit company that provides an electronic payments service platform for the Credit Union movement in Ireland. Payac is an outsourced model engaging third party companies, such as a Partner Bank, to assist with the processing of payment data for example as the Card Processor, as Bank Identification Number (BIN) sponsor.
• Electronic Payments If you use our electronic payment services to transfer money into or out of your credit union account or make payments through your debit card into your credit union account, we are required to share your personal data with our electronic payment service provider
• Debit or Charge Card or ATM Card: If you have a debit with us, we will share transaction details with companies which help us to provide this service
• We may share your data with possible successors or merging Credit Unions
• Statutory and regulatory bodies as legally required including but [not] limited to Regulators Central Bank Ireland, Enforcement bodies, an Garda Siochana, Data Protection Commission, the courts, fraud prevention agencies or other bodies; the Department of Finance, the Revenue Commissioners, Department of Social Protection and the Financial Services and Pensions Ombudsman Bureau of Ireland, Irish Financial Services Appeals Tribunal, Irish Revenue, debt recovery or fraud prevention agencies, the appropriate Supervisory Authority if required under law.
• We may share your data with Irish League of Credit Unions, Credit Union Development Association.

C. Mortgages

The credit union utilises a third party Outsourced Service Provider who carry on the business of, inter alia, servicing, administering and managing mortgage loans secured on residential properties in Ireland. This business will support the credit union in the processing, fulfilment and special servicing (arrears management) of residential mortgages based on a standardised consistent and reliable methodology and is therefore of ultimate benefit to its member.

We are also members of Credit Union Mortgage Services DAC (MSDAC) which provides mortgage origination support services to the Credit Union as well as marketing support

The third parties supporting the Home Loans, Credit Union Service Organisation (CUSO) are committed to respecting the rights of those people whose data is processed under this CUSO.

The credit union utilises a third party valuation management solutions company who provide, inter alia, valuation management services on residential properties in Ireland. This service will ensure that valuations are carried out by professional valuers and that the valuations follow mandatory valuation standards and is therefore of ultimate benefit to its members.

The credit union may utilise a third party storage solution company to ensure safe, secure storage of Title Deeds and security documents and is therefore of ultimate benefit to its members.

The credit union provides your information to insurance companies for the purpose of insuring the loan.

If you have a secured loan or mortgage with us, we may need to share information with other lenders who also hold a charge on your property.

D. Irish League of Credit Unions (ILCU) Affiliation

The ILCU (a trade and representative body for credit unions in Ireland and Northern Ireland) provides professional and business support services such as marketing and public affairs representation, monitoring, financial, guidance, compliance, risk, learning and development, and insurance services to affiliated credit unions. As this credit union is affiliated to the ILCU, the credit union must also operate in line with the ILCU Standard Rules (which members of the credit union are bound to the credit union by) and the League Rules (by which the credit union is bound to the ILCU). We may disclose information in your application or in respect of any account or transaction of yours from the date of your original membership to authorised officers or employees of the ILCU for the purpose of the ILCU providing these services to us.

The ILCU Savings Protection Scheme (SPS): We may disclose information in any application from you or in respect of any account or transaction of yours from the date of your original membership to authorised officers or employees of the ILCU for the purpose of the ILCU providing these services and fulfilling requirements under our affiliation to the ILCU, and the SPS.

E. Nominee

Regulators Central Bank Ireland, Enforcement bodies, an Garda Siochana, Data Protection Commission, the courts, Financial Services and Pensions Ombudsman Bureau of Ireland, Irish Revenue, legal and professional advisers such as auditors and external legal counsel; Irish League of Credit Unions, Credit Union Development Association, potential mergers.

F. School Quiz entrants, winners and co-ordinators within the schools & Art competition entrants and winners

Regulators Central Bank Ireland, legal and professional advisers such as auditors and external legal counsel; Irish League of Credit Unions, Regional Chapter, associated named school/club/organisation potential mergers, social media (print and online).

The Credit Union, ECCU and its reinsurer, where applicable, are Joint Controllers of your personal data which is processed in connection with your Credit Union’s policy with ECCU. ECCU Privacy Statement https://www.creditunion.ie/ilcu/associated-companies/eccu/eccu-privacy-notice/ is provided when availing of the Loan Protection Insurance.

The Credit Union and Transact Payments Malta Limited  (‘TPML’) are Joint Controller of the members personal data in respect of the Cardholder Data with the Bank Identification Number (BIN) Sponsor.

Both the Credit Union and Transact Payments Malta Limited process the Cardholder Data solely for the purposes of payment services (such as Cards), managed by the Transact Payments Malta Limited and marketed by the Credit Union and issued by the BIN Sponsor. The Debit Card

Programme is designed to offer a convenient and secure payment mechanism and the Cards may be used by Cardholders to carry out transactions. The BIN Sponsor is to provide the BIN Sponsorship and compliance oversight under the PSD to enable Transact Payments Malta Limited to provide a Debit Card Programme to the Credit Union in accordance with their MPCAS approval. Please find the link to the TPML Privacy Policy https://currentaccount.ie/files/tpl-privacy-policy.pdf

Truelayer

We generally require bank account statements to assist with the assessment of loan applications. The Revised Payment Services Directive (PSD2) provides a means by which Members can supply bank account information electronically, by availing of Account Information Services (AIS). Using AIS may reduce the time taken to process loan applications.

You can find more information about AIS on our website.

AIS is provided by an independent third party (Independent Controller of your data), Truelayer (Ireland) Limited. Truelayer (Ireland) Limited is registered as an Account Information Services Provider (AISP) with the Central Bank of Ireland (Institution code C433487) and their privacy policy is available https://truelayer.com/en-ie/legal/privacy/.  As a member, this is a new optional service offering to you by Truelayer (Ireland) Limited to enhance the loan application process which is at no extra cost.

If you consent to using AIS to supply bank account information, we will provide instructions by e-mail, including a link to the portal of the Account Information Services Provider (‘AISP’) that will enable you to initiate the AIS process.

If you do not consent to using AIS to supply bank account information, you can:

• Provide paper bank statements to us.
• Send bank statements to us by e-mail.
• Upload bank statements (when making an on-line loan application).

Strategic Banking Corporation of Ireland

Strategic Banking Corporation of Ireland (SBCI) has established the Home Energy Upgrade Loan Scheme to support the delivery of low-cost finance in the form of reduced interest rates on loans to eligible individuals to fund retrofitting of their properties for energy efficiency and decarbonisation purposes. On the terms set within the agreement between the member, the credit union European Investment Fund (EIF) and the European Investment Bank (EIB), EIB shall guarantee part of the risk of the Credit Union in making financing available to such borrowers pursuant to the Home Energy Upgrade Loan Scheme.

Before any member enters into a contract for the Home Energy Upgrade Loan Scheme, the member should read the privacy statements of EIF and EIB as the Credit Union will disclose the member’s Personal Data, (in particular their name, address, email address and telephone number or any updated contact details that the member to the SBCI, and (with the exception of the member’s telephone number), onward transferred to the EIF, the EIB and/or any other Relevant Party, all acting as independent data controllers.

“EIB Privacy Statement” means EIB guidelines on handling of personal data available at: https://www.eib.org/en/privacy/lending.htm, as such document may be updated and/or replaced from time to time in line with applicable Data Protection Legislation.

“EIF Data Protection Statement Processing of Final Recipients’ Personal Data for monitoring purposes” means the EIF notice on the handling of personal data of Borrowers available at https://www.eif.org/attachments/final-recipients-monitoring-dataprotection.pdf as such document may be updated and/or replaced from time to time in line with applicable Data Protection Legislation.

“EIF Financial Intermediary Data Protection Statement” means EIF guidelines on the handling of personal data of Finance Providers available at:  http://www.eif.org/attachments/eif_data_protection_statement_financial_intermediaries_due_diligence_en.pdf

as such document may be updated and/or replaced from time to time in line with applicable Data Protection Legislation and together with the EIF Data Protection Statement Processing of Final Recipients’ Personal Data for monitoring purposes, the “EIF Data Protection Statements”.

Should you avail of foreign exchange services, the Credit Union will process your personal data on behalf of  Fexco, as their data processor. Please find the link to Fexco’s privacy policy https://www.no1currency.ie/privacy-policy/

We will only retain personal data for as long as necessary for the purposes for which it was collected as required by law or regulatory guidance to which we are subject or to defend any legal actions. Where possible we record how long we will keep your data. Where that is not possible, we will explain the criteria for the retention period. Unless required to defend a legal claim, we hold your personal data based on the following criteria:Legal compliance

• Contractual terms and conditions for the products sold
• Regulatory compliance
• Until consent is withdrawn and the data is no longer needed

Best practice for example CCTV footage is held for one month

Some third parties we share your data with may reside outside the European Economic Area (which currently comprises the Member states of the European Union plus Norway, Iceland and Liechtenstein). If we do this, your information will be treated to the same standards adopted in Ireland and include the following data protection transfer mechanisms:

• Model Clauses (also known as Standard Contractual Clauses) are standard clauses in our contracts with our service providers to ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law. Copies of our current Model Clauses are available on request.
• Transfers to countries outside the EEA which have an adequate level of protection as approved by the European Commission such as the United Kingdom, https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. The adequacy decision on the EU-U.S. Data Privacy Framework covers data transfers from any public or private entity in the EEA to US companies participating in the EU-U.S. Data Privacy Framework https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3752.
• Transfers permitted in specific situations where a derogation applies as set out in Article 49 of the GDPR. For example, where it is necessary to transfer information to a non-EEA country to perform our contract with you.

Erasure

When have I the right to all my personal data being deleted by the Credit Union?

You have the right to have your personal data deleted without undue delay if:

• The personal data is no longer necessary in relation to the purpose(s) for which it was collected/processed
• You are withdrawing consent and where there is no other legal ground for the processing
• You object to the processing and there are no overriding legitimate grounds for the processing
• The personal data has been unlawfully processed
• The personal data must be erased so that we are in compliance with legal obligation
• The personal data has been collected in relation to the offer of information society services with a child.

What happens if the Credit Union has made my personal data public?

If we have made your personal data public, we, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform those who are processing your personal data that you have requested the erasure.

What happens if the Credit Union has disclosed my personal data to third parties?

Where we have disclosed your personal data in question to third parties, we will inform them of your request for erasure where possible.  We will also confirm to you details of relevant third parties to whom the data has been disclosed where appropriate.

Data portability

When can I receive my personal data in machine readable format from the Credit Union?

You have the right to receive your personal data, which you provided to the Credit Union, in a structured, commonly used, and machine-readable format. You have the right to transmit this data to another organisation without hindrance from the Credit Union to which the personal data have been provided, where:

• processing is based on consent or contract and
• processing is carried out by automated means.

Would the Credit Union transfer the personal data to another service provider if I requested this?

We can transfer this data to another company selected by you on your written instruction where it is technically feasible taking account of the available technology and the feasible cost of transfer proportionate to the service, we provide to you.

Under what circumstances can the Credit Union refuse?

You will not be able to obtain, or have transferred in machine-readable format, your personal data if we are processing this data in the public interest or in the exercise of official authority vested in us.

Will the Credit Union provide me with my personal data if the file contains the personal data of others?

We will only provide you with your personal data, ensuring we protect the rights and freedoms of others.  Where personal data of another person may be on the same files as yours, we will redact the full details of the other person.

Contact us at DPL@naomhbreandaincu.ie.

Automated individual decision making

What are my rights in respect of automated decision making?

We do not conduct automated decisions which produces legal effects concerning any of our members, see Section 16 for details.

You can object to a decision based on automated processing, you can contact us at DPL@naomhbreandaincu.ie.

Object

Have I already been informed about my right to object?

We have informed you of your right to object prior to us collecting any of your personal data as stated in our privacy statement.

When can I object to the Credit Union processing my personal data?

You can object on grounds relating to your situation, at any time to processing of personal data concerning you which is based on one of the following lawful basis

• public interest or
• legitimate interest,

including profiling based on those provisions.

The Credit Union will stop processing your personal data unless:

• we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms or
• the processing is for the establishment, exercise or defence of legal claims.

What are my rights to object for direct marketing purposes?

Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, we will no longer process this data for such purposes.

What are my rights to object in the use of information society services?

In the context of the use of information society services, you may exercise your right to object by automated means using technical specifications.

Contact us at DPL@naomhbreandaincu.ie.

Restrict processing

When can I restrict processing?

You may have processing of your personal data restricted:

• While we are verifying the accuracy of your personal data which you have contested
• If you choose restricted processing over erasure where processing is unlawful
• If we no longer need the personal data for its original purpose but are required to hold the personal data for defence of legal claims
• Where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our legitimate grounds override.

What if the Credit Union has provided my personal data to third parties?

Where we have disclosed your personal data in question to third parties, we will inform them about the restriction on the processing, unless it is impossible or involves disproportionate effort to do so.

How will I know if the restriction is lifted by the Credit Union and/or relevant third parties?

We will inform on an individual basis when a restriction on processing has been lifted.

Contact us at DPL@naomhbreandaincu.ie.

Rectification

What can I do if the Credit Union is holding incorrect personal data about me?

Where you suspect that data we hold about you is inaccurate, we will on demand, in compliance to central bank rules, rectify any inaccuracies without undue delay and provide confirmation of same.

What happens if the Credit Union has disclosed my personal data to third parties?

Where we have disclosed inaccurate personal data to third parties, we will inform them and request confirmation that rectification has occurred.  We will also provide you with details of the third parties to whom your personal data has been disclosed.

Contact us at DPL@naomhbreandaincu.ie.

Withdraw consent

Under what circumstances could I withdraw consent?

You can withdraw consent if we are processing your personal data based on your consent.

When can I withdraw consent?

You can withdraw consent at any time.

If I withdraw consent what happens to my current data?

Any processing based on your consent will cease upon the withdrawal of that consent.  Your withdrawal will not affect any processing of personal data prior to your withdrawal of consent, or any processing which is not based on your consent.

Contact us at DPL@naomhbreandaincu.ie.

Lodge a complaint

Can I lodge a complaint with the Data Protection Commission?

You can lodge a complaint with the Data Protection Commission in respect of any processing by or on behalf of the Credit Union of personal data relating to you.

How do I lodge a complaint?

Making a complaint is simple and free.  All you need to do is write to the Data Protection Commission giving details about the matter.  You should clearly identify the organisation or individual you are complaining about.  You should also outline the steps you have taken to have your concerns dealt with by the organisation, and what sort of response you received from them.  Please also provide copies of any letters between you and the organisation, as well as supporting evidence/material.

What happens after I make the complaint?

The Data Protection Commission will then take the matter up with the Credit Union on your behalf.

Access your data

When do I have the right to access my personal data from the Credit Union?

Where the Credit Union process any personal data relating to you, you have the right to obtain confirmation of same from us, and to have access to your data.

What information will the Credit Union provide to me?

If we are processing your personal data, you are entitled to access a copy of all such personal data processed by us subject to a verification process to ensure we are communicating with the correct person.  We will provide any of the following information:

• why we are processing your personal data
• the types of personal data concerned
• the third parties or categories of third parties to whom the personal data have been or will be disclosed. We will inform you if any of the third parties are outside the European Economic Area (EEA) or international organisations
• how your personal data is safeguarded where we provide your personal data outside the European Economic Area or to an international organisation
• the length of time we will hold your data or if not possible, the criteria used to determine that period
• your rights to:
• request any changes to inaccurate personal data held by us
• have your personal data deleted on all our systems
• restriction of processing of personal data concerning you
• to object to such processing
• data portability
• your right to lodge a complaint with the Data Protection Commission info@dataprotection.ie
• where we have collected your personal data from a third party, we will provide you with the information as to our source of your personal data
• any automated decision-making, including profiling which includes your personal data. We will provide you with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

What Information is not provided?

• Business Information pertaining to your role as an employee
• If we do not provide you with your personal data, we have an obligation to give reasons why this personal data is being withheld.

How long will it take to receive my personal data from the Credit Union?

We will provide you with a copy of the personal data we are currently processing within one month of request.  In rare situations if we are unable to provide you with the data within one month we will notify you, within one month of your valid request, explaining the reason for the delay and will commit to delivery within a further two months.

How much will it cost me to receive my personal data?

We will not charge for providing your personal data unless we believe the request is excessive and the cost of providing your data is disproportionate to your services provided.

Can I request additional copies of my personal data?

If you require additional copies, we will charge €20 to cover our administrative costs.

Can I receive my personal data electronically?

You can request your personal data by electronic means and we will provide your personal data in a commonly used electronic form if technically feasible.

What will the Credit Union do if another person’s personal data is shared with my personal data?

We will only provide you with your personal data, ensuring we protect the rights and freedoms of others.  Where personal data of another person may be on the same files as yours, we will redact the full details of the other person.

Contact us at DPL@naomhbreandaincu.ie.

If you have changed your name or your address provide the following

• current passport or driving licence,
• Proof of Address (no more than 6 months old) being a household utility bill,
• Statement from another financial institution,
• Social services document (issue by the Government), or documentation issued by the Revenue Commissioners.

Our contact details

(091) 841 773

info@naomhbreandaincu.ie

https://naomhbreandancu.ie

Drop into to us

We want to protect your personal data. Please do not send the following information in the body of an email:

• PPSN
• IBAN
• Health data
• Any special categories of data are defined by GDPR as processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
• Passport copy or details
• Driving License copy of details
• Proof of address details

If you need to send such information, put the information into a Word document and password protect it, send the password by ringing the Credit Union with the code.

If you send an email with any of the information above, the information will be transferred to our banking system and the email will be deleted immediately.

The Credit Union scan all paper received from the members and related third parties and only hold the scanned version of the personal data unless the Credit Union has a legal compliance to hold the paper version of this data.

The credit union may execute agreements with members by any form of electronic signature. An electronic signature is conclusive evidence of the member’s intent to be bound by this agreement and shall have the same legal validity and enforceability as a wet signature for all purposes.  If the Credit Union stores a duly executed copy of this agreement in an electronics format, this constitutes an original of this agreement and may be relied on as evidence of agreement.