A Credit Union is a member-owned financial cooperative, democratically controlled by its members, and operated for the purpose of promoting thrift, providing credit at competitive rates, and providing other financial services to its members. Data collection, processing, and use are conducted solely for the purpose of carrying out our role as a Credit Union.

Naomh Breandain Credit Union’s Privacy Notice refers (together with our Cookies Policy) to our commitment to our compliance to data protection legislation including the Irish Data Protection Acts and the EU General Data Protection Regulation.

Throughout this document “we”, “us”, “our”, and “ours” refers to Naomh Breandain Credit Union

There are many ways you can contact us, including by phone, email, and post. More details can be seen here https://naomhbreandancu.ie.

Our registered address is
Dunkellin Street,
Loughrea,
Co. Galway
Contact Data Protection Lead DPL@naomhbreandaincu.ie,
Telephone 091 841773

Where changes to this Privacy notice occur, the updated version will be published on our website and where appropriate/possible communicated directly to individuals through a communication channel such as email and/or our social media.

Current version Reference NBCU-PNM-V1.01 29.05 23 (Section 8 compliance-ISBAR, CESOP, CRBOT )

We collect and process your personal data only when such data is necessary in the course of providing our member services to you. This personal data includes any offline physical data or online data that makes a person identifiable.

We process data for the following groups of individuals where it is necessary

1. Personal Account members (Single, Joint, and Minor)
2. Club Members
3. Business Member
4. Guarantor
5. Nominee
6. Visual Savings Scheme students
7. School Quiz entrants, winners, and co-ordinators within the schools
8. Art competition entrants and winners

We are the controller for the personal information we process, unless otherwise stated.

You directly provide us with most of the data we collect.  We collect data and process data when you:

• Open an account
• Apply for membership online or open a member account in person
• Apply for a loan
• Apply for any other product we offer
• Enter our competitions
• Voluntarily complete a member survey or provide feedback
• Use or view our website via your browser’s cookies

A. Member information collected

As part of our services to you as a member, we may need to obtain and process personal data as required where necessary to provide our services such as (if requested, a member of our staff will explain the purpose why any information is required prior to obtaining the data. For example if a member wants to know why the credit union collects verification documents to open an account, the compliance reason will be explained to the member in person as also directed to where it is stated in this privacy notice):

a. Member [For each member if Joint Account]

Your name, address, Eircode, phone number [landline & mobile], email, previous addresses, Tax Identification/PPSN numbers or foreign equivalent, proof via payslip or health card, proof of address, passport or driving licence details, date of birth, evidence of marital status, signatures, CCTV, Photo ID, Member Account Number, if using online banking, user unique identifiers,  biometrics-facial recognition & IP address, contactless cards, security details to protect identity, Debit Cards details, beneficial owner details, if applicable political exposed person details, source of funds, expected monthly lodgement, confirmation of tax residence, tax identification number, account transaction details, Stamp 4/5 for non EU nationals, sanction lists (the Credit Union is required to identify if any member is listed for sanctions) interactions with Credit Union staff and officers on the premises, by phone, or email, current or past complaints, Inferred details of special categories of data e.g. payments to trade unions, confirmation of gift letter, occupation, cookie consent and marketing consent.

We may act on the authority of one joint Account Holder to share or allow a third-party access to your member account information for the provision of payment services including transaction details. This means, unless we have agreed that we need the consent of each joint Account Holder, or have a legal obligation to get this consent, we will treat the authority of one Account Holder as authorisation on behalf of any other Account Holder(s) for a joint Account. If you instruct us to share or allow a third party access to any Account information for a joint Account you are responsible for ensuring the other Account Holder(s) are aware and permit such access.

b. Additional information when applying for a loan

Financial data (including bank and credit card account information), loan repayment status and credit history, credit assessment records, credit data from credit register, judgements searches, living expenses including child care costs, disposable income and analysis of spend, existing loan contract commitments data, details of the Credit Union products you hold with us, salary, level of education, employment status, employers name and address, period of time with employer, proof of employment & salary,  any court order charges, accommodation status, family details [dependencies] mortgage details, assets and equity, Partners/Spouse banking details & earnings, details of House insurance, life assurance policy, independent valuation on property, pension information, security hold on assets, health information for the assessment of eligibility for the insurance on certain loans

c. Additional information when applying for a mortgage loan

Valuation reports, land registry folio, certificate of title, life assurance cover documents – these documents contain the following information: name, address, date of birth, property value, medical data, members’ solicitor name, address and contact details.

d. Additional information when applying for a loan on Spouse/Partner

Your name, address, email, telephone, date of birth, employment details, occupation, employment details, residential status, relationship status and dependents, financial data, wage slips, bank statements, financial data, relationship with member and salary.

e. Additional information when applying for a loan on Dependent individuals

Relationship with member, ages, reason for dependency, financial needs.

f. Additional information captured for vulnerable members

Name of a ward of court and proof of a ward. Name and proof of power of attorney, proof of ID, board appoint payment to another if member becomes mental incapacitated and no person has been legally appointed to administer your account.

g. Additional information captured for entrances to the members draw

Draw numbers and winner details.

h. Additional information captured for minor accounts

Parent/Guardian-Name, address, email, signature, phone number, proof of ID, consent- authorisation form. Proof of ID for minors- birth certificate or passport, Debit Cards age 12 to 15, MYCU Youth Card.

B. Club Member information collected

As part of our services to you as a club member, we may need to obtain and process personal data as required where necessary to provide our services such as:

a. For trustees and relevant officials in the club

Name, address, Eircode, phone number, email, previous addresses, Tax Identification/PPSN numbers (or foreign equivalent), proof of address, passport or driving licence details and, date of birth, signatures, CCTV, Photo ID, , if applicable political exposed person details, account transaction details, Stamp 4/5 for non EU nationals, sanction lists (the Credit Union is required to identify if any member is listed for sanctions), interactions with Credit Union staff and officers on the premises, by phone, or email, current or past complaints, inferred details of special categories of data.

b. Additional information when applying for a loan

Solicitor details including client bank account, affiliated bodies.

C. Business Member information collected

As part of our services to you as a business member, we may need to obtain and process personal data as required where necessary to provide our services such as:

a. For business owners/Directors

Name, address, Eircode, phone number, email, previous addresses, Tax Identification/PPSN numbers (or foreign equivalent), proof of address, passport or driving licence details, date of birth, signatures, CCTV, Photo ID, Member Account Number, if using online banking, user unique identifiers,  biometrics-facial recognition and IP address, beneficial owner details, if applicable political exposed person details, account transaction details, Stamp 4/5 for non EU nationals, sanction lists (the Credit Union is required to identify if any member is listed for sanctions), interactions with Credit Union staff and officers on the premises, by phone, or email, current or past complaints, Inferred details of special categories of data e.g. payments to trade unions.

b. Additional information when applying for a loan

Financial data (including bank & credit card account information), loan repayment status and credit history, credit assessment records, credit data from credit register, judgements searches, disposal income and analysis of spend, existing loan contract commitments data, details of the Credit Union products you hold with us, occupation, level of education, bank statements, income details,  mortgage details on assets, assets and equity, financial statements, cashflow projections, health information, details of insurance, health information for the assessment of eligibility for the insurance on certain loans.

D. Guarantor

As part of our loan approval, we may need to appoint a guarantor, in such cases we need to obtain and process personal data on the guarantor as required where necessary such as:

Your name, address, Eircode, phone number, email, previous addresses, Tax Identification/PPSN numbers (or foreign equivalent), proof of address, proof of ID passport or driving licence (physical verification only), date of birth, signatures, CCTV, Member Account Number if applicable, occupation, employer details, period of time with employer, bank statements, income/payslips details, credit check, list of outstanding debts and repayment amounts

E. Nominee

The Credit Union Act 1997 (as amended) allows members to nominate a person(s) to receive a certain amount from their account on their death, subject to a statutory maximum. To fulfil our role, we may need to obtain and process personal data on the nominee as required where necessary such as

Your name, address, Eircode, phone number, email, previous addresses, Tax Identification/PPSN numbers (or foreign equivalent), proof of address, passport or driving licence details, date of birth, signatures, CCTV, Member Account Number if applicable, relationship with member who they are being nominated by.

F. Visual Savings Scheme students (who are existing members of the Credit Union)
We may collect store and use the following categories of personal information about you where necessary:

In addition to the students account details the following is captured Parental/Guardian Consent for School Savings Scheme, the child’s account no, home address, and school attended.

F. School Quiz, winners and co-ordinators within the schools

Each year around 25,000 school children around Ireland take part in the Credit Union Schools Quiz. The Quiz is about encouraging learning and teamwork among young schoolchildren. Applications are received by the Credit Union. As part of our role in organising the quiz, we need to obtain and process personal data as required where necessary such as:

School Name, address, school number, school contact name and phone, team names, team data of birth, confirmation of consent from the teacher, parents/guardians’ consent, photos of team, and winners.

G. Art competition entrants and winners

The Irish League of Credit Unions (ILCU) and our Credit Union collects your information and that relating to your parents or legal guardian for the art completion. We are primary data controller of the personal information you give us. Chapter will be considered a data controller for stage 2 (Regional level). The ILCU will be considered a data controller for the purposes of stage 3 (National level).  As part of our role in organising this competition, we may need to obtain and process personal data as required where necessary such as:

a. General category

Age range, name, date of birth, home address, email address, school/college/club organisation, consent to use photographic images, signature parents/guardians’ consent.

b.  Extra information for Additional needs category

Group team entry, inferred medical data.

Sensitive data is known as special categories of data in Data Protection law. Special categories of data are defined by GDPR as processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. We may collect the following special categories of data where necessary:

• For loan assessments or insurance products with ECCU we may collect health data
• As part of AML, we are required to capture politically exposed persons and the country of origin
• Where a member makes payments to an organisation which may infer one of the types of special category data e.g. trade union or religious subscriptions
• Where a member chooses to join via “online onboarding”, their facial verification is used via biometrics.

We will process special categories of personal data in the following circumstances:

1. In limited circumstances, with your explicit written consent.
2. Where we need to carry out our legal obligations and in line with our data protection policy.
3. Where it is needed in the public interest, and in line with our data protection policy.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

The Credit Union is required to identify if any member is listed for sanctions and do so using the Dow Jones

Where is it necessary for the service provided, we may receive your data indirectly from the following sources:

• Related party information where a member is also an employee, volunteer or board of director
• Loan applications where member is self-employed to confirm tax clearance for example your accountant
• Account Information Services Provider (AISP)
• A member provided your data where you are the guarantor, the spouse, the dependent individual, in such cases the member obtains consent from the adults to capture their data
• ECCU Assurance DAC
• Central Credit Register is a database that stores personal and credit information on loans of €500 or more.
• Judgement searches available
• A member who nominated you to obtain their funds
• Payee to your account
• School on your behalf as an entrant to a competition

We collect your data based on the following legal basis:

Consent

Where you have explicitly agreed to us processing your information for a specific reason such as

• Members
  • Collecting your data in the event that you apply for a loan, we may require certain special categories of data such as your health information where no other lawful basis exists
  • A member provided third party’s data
    • as a guarantor,
    • the spouse,
    • the dependent individual,

in such cases the member obtains consent from the adults to capture their data

• Photograph on your member account for verification
• Where a member consents to join via “online onboarding”, their facial verification is used via biometrics.
• Provide instructions by e-mail, including a link to the portal of an Account Information Services Provider (‘AISP’)
• Member preferences to receive electronic statements and AGM booklets,
• Radio frequency tags used in contactless cards
• Use of members location data
• Marketing (see section 14)

• School Quiz entries
• Art Competition entries
• Any individual
  • Photograph or videos for publication at events
• Cookie (see cookie policy)
• Member Draws
• TY Students (Consent forms for participation in TY NBCU programme)

Right to withdraw consent at any time

Where consent is relied upon as a basis for processing of any personal data, you will be presented with an option to agree or disagree with the collection, use or disclosure of personal data. Once consent is obtained, it can be withdrawn at any stage.

Contract

Processing is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract. We will collect your data in order to consider your application for membership of the Credit Union. Where you have opened a member account or obtained a loan and signed up to the contractual terms in our T&C’s, it is necessary to process your data for the administration of accounts, payments, deposits, lending and credit decisions. Processing may be necessary for the performance of a contract such as:

• Administrative Purposes
  • Opening Credit Union account
  • Manage and administer members accounts, transactions, policies, benefits or other products and services that the Credit Union or partners e.g., ECCU may provide the member with
  • Loan assessments
  • To help improve service as agreed in the T&C to members
  • For the processing of electronic payments services on the member account (such as SEPA direct debts, credit transfers, standing orders and direct debits), the Credit Union is a participant of CUSOP (Payments) DAC (“CUSOP”).
  • Providing current account services via MyCU
  • Providing online banking
  • Automated teller machine services
  • School savings programme
  • Euro drafts
  • Bureau de change “Fexco” where we are the data processor for these transactions
  • Insurance services
  • Complying with binding requests for information from other payment service providers the member has instructed to act on their behalf
• Guarantors
  • As part of a member loan conditions, the Credit Union may make the requirement for the appointment of a guarantor a condition of the member loan agreement, for the Credit Union to ensure the repayment of loan.
• Security
  • To secure repayment of the loan, it may be necessary to obtain security such as a charge on your property or other personal assets.
• Establish the members eligibility for our products and services
• Credit Assessment
  • Carry out credit reviews for loan underwriting
  • Utilises this information to assess member loan application in line with the applicable legislation and Credit Union lending policy.
• Insurance
  • certain loans must apply to ECCU for Loan Protection (LP). It may be necessary to process ‘special category’ data, which includes information about members health.
• Insurance Services on an introduction basis
• Home Loans/Mortgages
  • To maintain and administer home loans/mortgages we may need to share your information with our solicitors
• Make essential communication to provide products and services to the member
• Manage and respond to a complaint or appeal
• Recover debts the member may owe
• Member draws

Compliance

We must meet our duties to the Regulator, the Central Bank of Ireland and comply to our legal obligations. We may also share personal data with certain statutory bodies such as the Department of Finance, the Department of Social Protection and the Financial Services and Pensions Ombudsman Bureau of Ireland and the appropriate Supervisory Authority if required by law.

Where it is necessary and proportionate, we may allow authorised people to see our records (which may include information about you) for reporting, compliance and auditing purposes. For the same reason, we will also hold the information about you when you are no longer a member.

Processing may be necessary for compliance with a legal obligation:

• Preparing returns to regulators and relevant authorities including preparing Deposit Interest Retention Tax, Common reporting standard (Where a member is tax resident in another jurisdiction), Prudential Return (https://www.centralbank.ie/regulation/industry-market-sectors/credit-unions/reporting-requirements) and other CBI & revenue returns. Under the “Return of Payments (Banks, Building Societies, Credit Unions and Savings Banks) Regulations 2008” Credit Unions are obliged to report details to the Revenue in respect of dividend or interest payments to members, which include PPSN where held.
• Report on Central Credit Register (CCR) Register (https://www.centralbank.ie/regulation/industry-market-sectors/credit-unions/reporting-requirements) andhttps://www.centralbank.ie/regulation/industry-market-sectors/credit-unions/reporting-requirements)  and, where relevant, conducting searches on CCR
  • Where a loan is applied for in the sum of €2,000 or more, the Credit Union is obliged to make an enquiry of the Central Credit Register (CCR) in respect of the borrower. Where a loan is granted in the sum of €500 or more, the Credit Union is obliged to report both personal details and credit details of the borrower [and guarantor] to the CCR.

    • Ireland Safe Deposit Box Bank and Payment Accounts Register (ISBAR)

    The information that the Credit Union will be required to send includes the IBAN, account name, date of account opening, date of account closing; the name, address and date of birth of the account holder; the name, address and date of birth of the beneficial owner of the account; and the name, address and date of birth of any person authorised to act on the account. https://www.centralbank.ie/regulation/anti-money-laundering-and-countering-the-financing-of-terrorism/ireland-safe-deposit-box-bank-and-payment-accounts-register-(isbar)

    ISBAR is operated by the Central Bank of Ireland. The purpose of ISBAR is to hold information on accounts identifiable by IBAN (including account holders, beneficial owners and signatories), and information on safe deposit box services provided by credit institutions in Ireland, and to enable legally prescribed authorities to search and retrieve information.Further information (including the Central Bank’s Data Privacy Notices) can be found at https://www.centralbank.ie/regulation/anti-money-laundering-and-countering-the-financing-of-terrorism/ireland-safe-deposit-box-bank-and-payment-accounts-register-(isbar)

    • Beneficial Ownership Register for Certain Financial Vehicles
    The Credit Union must update the Beneficial Ownership Register with relevant information on the beneficial owners of Certain Financial Vehicles (CFV) held by Central Bank State https://www.centralbank.ie/regulation/anti-money-laundering-and-countering-the-financing-of-terrorism/beneficial-ownership-register.
    • Report to the European Union Cross-Border Payments Reporting (“CESOP”) https://www.revenue.ie/en/companies-and-charities/international-tax/cesop/reporting-payments.aspx,

    • Report to the Central Register of Beneficial Ownership of Trusts (“CRBOT”) https://www.revenue.ie/en/crbot/index.aspx

• Where you obtain a house loan from us, it will be necessary for the Credit Union to obtain a first legal charge on the property to be purchased and it will be necessary for us to process your personal data in order to register this charge or have this charge registered on our behalf.
• Connected/Related Party Borrowers
  • We are obliged further to Central Bank Regulations to identify where borrowers are connected in order to establish whether borrowers pose a single risk. We are also obliged to establish whether a borrower is a related party when lending to them, i.e., whether they are on the Board/Management Team or a member of the Board/ Management team’s family or a business in which a member of the Board /Management Team has a significant shareholding.

• Establishing members identity, nationality, residence, and tax status in order to comply with law and regulation concerning taxation and the prevention of money laundering, fraud and terrorist financing
• Providing the member with statutory and regulatory information and statements
• Complying with requests from regulatory bodies, including the Central Bank of Ireland.
• Complying with court orders arising in civil or criminal proceedings
• Complying with Assisted Decision-Making (Capacity) Act where you may be vulnerable
• Comply with all other laws and regulations.
• As this Credit Union is affiliated to the ILCU, the Credit Union must also operate in line with Irish League of Credit Unions (ILCU) Standard Rules (which members of the Credit Union are bound to the Credit Union by) and the League Rules (which the Credit Union is bound to the ILCU by)
• To report and respond to queries raised by regulatory authorities, law enforcement and other government agencies such as the Central Bank of Ireland and An Garda Siochana
• To meet obligations under the Credit Union Standard Rules & The Credit Union Act, 1997 (as amended)
• To maintain a register of members of the Credit Union
• To communicate all mandatory service communications such as providing notice of the AGM
• Nominate person
  • The Credit Union Act 1997 (as amended) allows members to nominate a person(s) to receive a certain amount from their account on their death, subject to a statutory maximum.
• Purpose of the loan
  • The Credit Union is obliged to ensure that the purpose for the loan falls into one of the Credit Union categories of lending.
• To meet legislative and regulatory duties to maintain audited financial accounts
• To meet our health and safely compliance
• For the establishment, exercise or defence of legal claims.

Set out below are the main legal instructions, and regulations and legislation the Credit Union must be compliant with.  We will also comply with the following legislation and, other legislation as required. A member of our team will be able to answer a question you may have as to why we need certain data to provide our member services to you.

• Credit Union handbook https://www.centralbank.ie/regulation/industry-market-sectors/credit-unions/credit-union-handbook
• Credit union act 1997 (regulatory requirements) (amendment) regulations 2020 https://www.irishstatutebook.ie/eli/2020/si/675/made/en/pdf
• Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021
• (Act 3 of 2021) https://www.centralbank.ie/regulation/anti-money-laundering-and-countering-the-financing-of-terrorism
• Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020 (Bill 23 of 2020) https://www.oireachtas.ie/en/bills/bill/2020/23/
• I. No. 579/2012 - European Union (Consumer Credit Agreements) (Amendment) Regulations 2012. https://www.irishstatutebook.ie/eli/2012/si/579/made/en/print
• Minimum Competency Code 2017 (MCC 2017) and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48 (1)) Minimum Competency Regulations 2017 (MCR 2017) https://www.centralbank.ie/regulation/how-we-regulate/authorisation/minimum-competency#:~:text=The%20MCC%202017%20specifies%20certain,Supervision%20and%20Enforcement)%20Act%202013.
• European Union (Consumer Credit Agreements) (Amendment) Regulations 2012. https://www.irishstatutebook.ie/eli/2012/si/579/made/en/print
• European Union (Payment Services) Regulations 2018, https://www.irishstatutebook.ie/eli/2018/si/6/made/en/print
• Consumer Protection Code 2012 Guidance https://www.centralbank.ie/regulation/consumer-protection/consumer-protection-codes-regulations
• European Union (Payment Services) Regulations, 2018 https://www.centralbank.ie/regulation/psd2-overview/psd2 https://www.irishstatutebook.ie/eli/2015/act/64/enacted/en/html

Public interest

The processing of personal data for the purposes of the prevention of money laundering and terrorist financing is considered to be a matter of public interest, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018L0843

Legitimate interest

We have a legitimate interest to process your data in certain circumstances for our business reasons where we always respect your interests and fundamental rights. Where we rely on our legitimate interest, we tell you and what that it is as stated in this section below.

Processing of your personal data may be necessary for the purposes of a legitimate interest pursued by us in any of the following:

• Use of Credit Assessment and Credit Reference Agencies as Credit Union must lend responsibly. We will use your credit scoring information in order to determine your suitability for the loan applied for. When using the service of a credit referencing agency, we will pass them your personal details and details of your credit performance.
• Where a member breaches the loan agreement the Credit Union may use the service of a debt collection agency, solicitors, or other third parties to recover the debt.
• Use of a Private Investigator to locate the member in the event that they fail to make repayments on member loan and/or fail to make contact with the Credit Union when required. We will first investigate all other less invasive means to make contact with the member.
• Use of CCTV on our premises to safeguard the health, safety and security of all resources
• Keep a record of your instructions and to prevent or detect crime;
• Share your member data with Account Information Services Provide (AISP) to facilitate the online loan approval process when the member authorises us to do so.
• Conduct Member Satisfaction Surveys to provide information on the quality of our services and products
• Use your member data to operate the Credit Union’s business on a day-to-day basis
• To provide service information (including sending service-related messages),
• To improve the Credit Union service quality
• To enhance the training for our staff.
• To establish, exercise and safeguard our rights, (including where necessary to take enforcement action) and to respond to claims made against the Credit Union.
• To safeguard the safety and security of the employees, IT systems and devices, property, and member, buildings, information located or stored on the premises, and assets, and those of service providers, consultants, and advisors that assist the Credit Union in carrying out its functions.
• In the prevention and detection of fraud

Where lawful basis is a statutory or contractual requirement, if a member is obliged to provide the personal data, failure to provide this information may result in us being unable to provide a member saving account or provide a member a loan or other services.

We are a financial co-operative formed to allow members to save and lend to each other at fair and reasonable rates of interest. We are a not-for-profit organisation with a volunteer ethos and community focus. We process your data to provide this service.

You agree that any data you provide to us will be true, complete, and accurate in all respects and you agree to notify us immediately of any changes to it.  We will only collect personal information from or about you which is necessary for the following purposes:

A. All Members (Joint, Club, Business)

• To provide and administer our member accounts per the terms of service under contract as stated in Section 4
• To meet our legal and compliance obligations and requirements under the Rules of the Credit Union, Central Bank Regulations, Anti money laundering and any other relevant compliance as stated under compliance in Section 4 for all services provided
• To maintain our relationship with you whilst you are a member and investigate any complaints or disputes or accidents
• Contact you for direct marketing purposes, subject to restrictions under the relevant laws, including the right to opt out of such marketing
• Provide you with information relating to all our products
• To provide essential communication with you, including to respond to information requests submitted
• To obtain your feedback on all our products and services
• To notify you about changes to contracted services relevant to you
• When acting as an insurance intermediary, to meet our obligations.
• We collect spouses’ details where relevant to assess the joint earnings to ensure the member has the means to meet the repayments
• To provide our member draws
• To identify death beneficiaries
• To report on related party transactions when members are employees or board members
• To assist vulnerable members with special needs.

a. For loans

• As part of loan assessment, identify dependent individuals to establish net disposal income available to pay back loan
• To obtain credit references, credit checks and for debt collection, fraud detection and prevention and risk management purposes and to make submissions to the Central Credit Register.
• Assessing your loan application and determining your creditworthiness for a loan as stated under legitimate interest in Section 4.
• To apply to ECCU for your free Loan protection & Life Savings Cover where the Credit Union needs to establish if your loan is fully covered and if there are any exclusions regarding the Insurance. This protection and cover is only available to individual members on certain loans.
• We collect information about the guarantor to ensure the loan can be repaid in the event of default by the member
• We collect dependent individuals’ expenditure needs to assess the net disposal income of the member.

B. Guarantor

• To have person to undertake to repay the loan if the member for whatever reason, is unable to repay.
• To assess if you can demonstrate the ability to repay the loan where you will need to disclose your financial information and agree to a credit check being carried out.

C. Nominee

• To record the wishes and instructions of the member
• To pay the nominee of choice your property/savings- presently up to a maximum value of €23,000
• To update where necessary as member may change the details of their nomination as often as they like. The most recent nomination is the valid nomination.

D. Visual Savings Scheme students (who are existing members of the Credit Union)

• To provide a saving scheme for members attending school where the Credit Union collects the lodgements
• To provide a saving card to the members
• To enable the member to transfer the saving into their Credit Union member account.

E. All Competitions and School Quiz, winners, and co-ordinators within the schools

• To provide the competition per the Terms/Rules signed up to by the entrant
• Administer the competition
• To contact the winner
• To deal with queries
• Capture photographs of the winners to be used in advertising and publicity where consent obtained
• To meet our requirements to host a stage of one of the national competitions. Entries must be submitted directly to our Credit Union only.
• We will inform the Chapter (Regional level) of our winners to be brought forward to Stage 2, at this point the Chapter becomes an independent data controller. The winners of Stage 2 will progress to the national final Stage 3 where the Irish League of Credit Unions (ILCU) becomes an independent data controller.

F. Delegated authority acting on behalf of a member

• To facilitate a third party to conduct transaction on behalf of a member, where the member nominates such person to act on their behalf e.g., a member incapacitated or a minor where the parent nominated an individual to operate the minors account.

G. General

• To provide this website to you and respond to your queries
• To comply with all relevant laws
• To manage your safety and security while you are on our premises
• To facilitate the prevention, detection and investigation of crime and the apprehension or prosecution of offenders
• To investigate, exercise or defend legal claims or other claims of a similar nature
• To obtain consent from any individual for the purposes of publishing photos/video of such person.

If you are providing personal information on behalf of a third party, you must ensure that the third party receives a copy of this Privacy Notice before their personal information is shared with us (e.g., spouse, minors, Related Parties as defined in the Credit Union handbook).

Where you are providing a name of a nominee to your shares, the nominee does not need to be informed until such time as they will receive the funds.

You do not need to provide this Privacy Notice in the following situations

• the individual already has the information
• obtaining or disclosure such information is expressly laid down in the law to which the Credit Union must comply and which provides appropriate measures to protect the individual’s legitimate interests
• where the personal data must remain confidential subject to an obligation of professional secrecy regulated by law.

We collect this data in a transparent way and only with the full knowledge of interested parties.  Once this information is available to us, the following rules apply.

Our data will be:

• Accurate and kept up to date
• Collected fairly and for lawful purposes only
• Processed by us based on either a valid contract, consent, legal compliance or legitimate interest
• Protected against any unauthorised access or illegal processing by internal or external parties.

Our data will not be:

• Communicated to any unauthorised internal or external parties
• Stored for longer than required for the purpose obtained
• Transferred to organisations, states, or countries outside the European Economic Area without adequate safeguards being put in place as required under Data Protection Law.

Our commitment to protect your data:

• Restrict and monitor access to sensitive data
• Develop transparent data collection procedures
• Train employees in data protection and security measures
• Build secure networks to protect online data from cyberattacks
• Establish clear procedures for reporting privacy breaches or data misuse
• Establish data protection practices (e.g., document shredding, secure locks, data encryption, frequent backups, access authorisation etc.).

As part of improving our service to you, from time to time, we would like to inform you of goods, services, competitions and/or promotional offers available from us. We may wish to use different means when sending such marketing communications.

We may use your personal information to make you aware of products and services which may be of interest to you. We can do this by using some of the personal information we hold about you to better understand your needs. It includes information you tell us and information we collect when you use our products or services. This information helps us to understand which products, services, and offers may be relevant for you based on your profile. It is in our and our member’ interests to use personal information this way to better understand our members’ needs and preferences so that we can create more tailored and suitable marketing messages. We will use the following information about you to enable us to plan our marketing campaigns for examples:

• Types of loans
• Your spending and saving habits
• Use transaction history/ account information
• Insurance or assurance linked to a product

We can reach out to you with this information in all sorts of ways:

• through Mobile App
• by e-mail
• post
• telephone

We may share your data with third parties’ software and marketing providers so that they may send you messaging on our behalf.

Opt in

Where you have consented to marketing by opting in to marketing, we will send you marketing.

You have a right to notify us free of charge at any time that you wish to refuse such marketing by writing to us at our address at the top of this document or by using the "opt-out" options in any marketing message we send you.

In the future, we may use credit scoring techniques and other automated decision-making systems to either partially or fully assess your application. When introduced we will inform you in advance.

The Credit Union, ECCU and its reinsurer, where applicable, are Joint Controllers of your personal data which is processed in connection with your Credit Union’s policy with ECCU. ECCU Privacy Statement is provided when availing of the Loan Protection Insurance.

The provision of the Member Personal Current Account Service (MPCAS) is integral to the continued growth, development and sustainability of the Credit Union. The strategic rationale for the Credit Union to offer the MPCAS service recognises the changing consumer behaviour and preferences for convenience banking, where financial service providers now provide multi-channel and multi-product access to accounts.

If we issue you a debit card, Transact Payment Malta Limited  (which is an authorized e-money Institution) will also be a controller of your personal data. In order for you to understand what they do with your personal data, and how to exercise your rights in respect of their processing of your personal data, you should review their privacy policy which is available at  https://currentaccount.ie/files/tpl-privacy-policy.pdf

We will only retain personal data for as long as necessary for the purposes for which it was collected as required by law or regulatory guidance to which we are subject or to defend any legal actions. Where possible we record how long we will keep your data. Where that is not possible, we will explain the criteria for the retention period. Unless required to defend a legal claim, we hold the following

• Successful Membership Application- 7 Years after the relationship has ended
• Member ID, address verification and PPSN documentation- 7 years after relationship has ended
• Loan Applications Approved (including assessment documentation- 7 years after loan is paid in full
• Loan Applications Refused- 6 years
• Loan Applications withdrawn- 1 months
• Credit agreements- 7 years after loan is paid in full or 13 years where the document is under seal
• Accounting and Revenue records- 6 years after financial year
• Nomination Forms- 7 Years after the relationship has ended
• Anti-money laundering- 7 years after the relationship with the member has ended
• CCTV- one month

Some third parties we share your data with may reside outside the European Economic Area (which currently comprises the Member states of the European Union plus Norway, Iceland and Liechtenstein). If we do this, your information will be treated to the same standards adopted in Ireland and include the following data protection transfer mechanisms:

• Model Clauses (also known as Standard Contractual Clauses) are standard clauses in our contracts with our service providers to ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law. Copies of our current Model Clauses are available on request.
• Transfers to countries outside the EEA which have an adequate level of protection as approved by the European Commission (such as the United Kingdom).
• Transfers permitted in specific situations where a derogation applies as set out in Article 49 of the GDPR. For example, where it is necessary to transfer information to a non-EEA country to perform our contract with you.

Erasure

When have I the right to all my personal data being deleted by the Credit Union?

You have the right to have your personal data deleted without undue delay if:

• The personal data is no longer necessary in relation to the purpose(s) for which it was collected/processed
• You are withdrawing consent and where there is no other legal ground for the processing
• You object to the processing and there are no overriding legitimate grounds for the processing
• The personal data has been unlawfully processed
• The personal data must be erased so that we are in compliance with legal obligation
• The personal data has been collected in relation to the offer of information society services with a child.

What happens if the Credit Union has made my personal data public?

If we have made your personal data public, we, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform those who are processing your personal data that you have requested the erasure.

What happens if the Credit Union has disclosed my personal data to third parties?

Where we have disclosed your personal data in question to third parties, we will inform them of your request for erasure where possible.  We will also confirm to you details of relevant third parties to whom the data has been disclosed where appropriate.

Data portability

When can I receive my personal data in machine readable format from the Credit Union?

You have the right to receive your personal data, which you provided to the Credit Union, in a structured, commonly used, and machine-readable format. You have the right to transmit this data to another organisation without hindrance from the Credit Union to which the personal data have been provided, where:

• processing is based on consent or contract and
• processing is carried out by automated means.

Would the Credit Union transfer the personal data to another service provider if I requested this?

We can transfer this data to another company selected by you on your written instruction where it is technically feasible taking account of the available technology and the feasible cost of transfer proportionate to the service, we provide to you.

Under what circumstances can the Credit Union refuse?

You will not be able to obtain, or have transferred in machine-readable format, your personal data if we are processing this data in the public interest or in the exercise of official authority vested in us.

Will the Credit Union provide me with my personal data if the file contains the personal data of others?

We will only provide you with your personal data, ensuring we protect the rights and freedoms of others.  Where personal data of another person may be on the same files as yours, we will redact the full details of the other person.

Contact us at DPL@naomhbreandaincu.ie.

Automated individual decision making

What are my rights in respect of automated decision making?

The Credit Union does not have any automated decision-making processes.  Where any such processes are introduced, we will provide you with the relevant information required under the “General Data Protection Regulation”.

Object

Have I already been informed about my right to object?

We have informed you of your right to object prior to us collecting any of your personal data as stated in our privacy statement.

When can I object to the Credit Union processing my personal data?

You can object on grounds relating to your situation at any time to processing of personal data concerning you which is based on point the lawful basis of public interest or legitimate interest, including profiling based on those provisions

The Credit Union will stop processing your personal data unless:

• we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms or
• the processing is for the establishment, exercise or defence of legal claims.

What are my rights to object for direct marketing purposes?

Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, we will no longer process this data for such purposes.

What are my rights to object in the use of information society services?

In the context of the use of information society services, you may exercise your right to object by automated means using technical specifications.

Contact us at DPL@naomhbreandaincu.ie.

Restrict processing

When can I restrict processing?

You may have processing of your personal data restricted:

• While we are verifying the accuracy of your personal data which you have contested
• If you choose restricted processing over erasure where processing is unlawful
• If we no longer need the personal data for its original purpose but are required to hold the personal data for defence of legal claims
• Where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our legitimate grounds override.

What if the Credit Union has provided my personal data to third parties?

Where we have disclosed your personal data in question to third parties, we will inform them about the restriction on the processing, unless it is impossible or involves disproportionate effort to do so.

How will I know if the restriction is lifted by the Credit Union and/or relevant third parties?

We will inform on an individual basis when a restriction on processing has been lifted.

Contact us at DPL@naomhbreandaincu.ie.

Rectification

What can I do if the Credit Union is holding incorrect personal data about me?

Where you suspect that data we hold about you is inaccurate, we will on demand, in compliance to central bank rules, rectify any inaccuracies without undue delay and provide confirmation of same.

What happens if the Credit Union has disclosed my personal data to third parties?

Where we have disclosed inaccurate personal data to third parties, we will inform them and request confirmation that rectification has occurred.  We will also provide you with details of the third parties to whom your personal data has been disclosed.

Contact us at DPL@naomhbreandaincu.ie.

Withdraw consent

Under what circumstances could I withdraw consent?

You can withdraw consent if we are processing your personal data based on your consent.

When can I withdraw consent?

You can withdraw consent at any time.

If I withdraw consent what happens to my current data?

Any processing based on your consent will cease upon the withdrawal of that consent.  Your withdrawal will not affect any processing of personal data prior to your withdrawal of consent, or any processing which is not based on your consent.

Contact us at DPL@naomhbreandaincu.ie.

Lodge a complaint

Can I lodge a complaint with the Data Protection Commission?

You can lodge a complaint with the Data Protection Commission in respect of any processing by or on behalf of the Credit Union of personal data relating to you.

How do I lodge a complaint?

Making a complaint is simple and free.  All you need to do is write to the Data Protection Commission giving details about the matter.  You should clearly identify the organisation or individual you are complaining about.  You should also outline the steps you have taken to have your concerns dealt with by the organisation, and what sort of response you received from them.  Please also provide copies of any letters between you and the organisation, as well as supporting evidence/material.

What happens after I make the complaint?

The Data Protection Commission will then take the matter up with the Credit Union on your behalf.

Access your data

When do I have the right to access my personal data from the Credit Union?

Where the Credit Union process any personal data relating to you, you have the right to obtain confirmation of same from us, and to have access to your data.

What information will the Credit Union provide to me?

If we are processing your personal data, you are entitled to access a copy of all such personal data processed by us subject to a verification process to ensure we are communicating with the correct person.  We will provide any of the following information:

• why we are processing your personal data
• the types of personal data concerned
• the third parties or categories of third parties to whom the personal data have been or will be disclosed. We will inform you if any of the third parties are outside the European Economic Area (EEA) or international organisations
• how your personal data is safeguarded where we provide your personal data outside the European Economic Area or to an international organisation
• the length of time we will hold your data or if not possible, the criteria used to determine that period
• your rights to:
• request any changes to inaccurate personal data held by us
• have your personal data deleted on all our systems
• restriction of processing of personal data concerning you
• to object to such processing
• data portability
• your right to lodge a complaint with the Data Protection Commission info@dataprotection.ie
• where we have collected your personal data from a third party, we will provide you with the information as to our source of your personal data
• any automated decision-making, including profiling which includes your personal data. We will provide you with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

What Information is not provided?

• Business Information pertaining to your role as an employee
• If we do not provide you with your personal data, we have an obligation to give reasons why this personal data is being withheld.

How long will it take to receive my personal data from the Credit Union?

We will provide you with a copy of the personal data we are currently processing within one month of request.  In rare situations if we are unable to provide you with the data within one month we will notify you, within one month of your valid request, explaining the reason for the delay and will commit to delivery within a further two months.

How much will it cost me to receive my personal data?

We will not charge for providing your personal data unless we believe the request is excessive and the cost of providing your data is disproportionate to your services provided.

Can I request additional copies of my personal data?

If you require additional copies, we will charge €20 to cover our administrative costs.

Can I receive my personal data electronically?

You can request your personal data by electronic means and we will provide your personal data in a commonly used electronic form if technically feasible.

What will the Credit Union do if another person’s personal data is shared with my personal data?

We will only provide you with your personal data, ensuring we protect the rights and freedoms of others.  Where personal data of another person may be on the same files as yours, we will redact the full details of the other person.

Contact us at DPL@naomhbreandaincu.ie.

Rights Data portability

When can I receive my personal data in machine readable format from the Credit Union? You have the right to receive your personal data, which you provided to the Credit Union, in a structured, commonly used, and machine-readable format. You have the right to transmit this data to another organisation without hindrance from the Credit Union to which the personal data have been provided, where: · processing is based on consent or contract and · processing is carried out by automated means.