Data Protection Notice
Data Protection at Comhar Linn INTO Credit Union
We always understand and appreciate the trust you place in us to collect, process and protect your personal information.
As the Data Controller and processor of your personal information, we have and will continue to:
- to act responsibly and give priority to the security of your information through a strong culture of compliance
- to provide you with the assurance that your information is safe and secure through how we manage our controls, processes and systems to improve our level of customer service,
- conduct our business in a fair and transparent way and ensure we minimise the risk or impact on your data rights and freedoms.
There are a number of reasons for gathering personal data about you. For instance, we need to know how to get in touch with you, we need to be certain of your identity and we need to understand your financial circumstances, so we can offer you products and services and give you the best possible member experience. The personal data we collect falls into various categories, such as:
- Identity & contact information: Name, date of birth, copies of ID, contact details, PPS number (or foreign equivalent), online user identities, security details to protect identity, nationality, home status and address, email address, work and personal phone numbers, marital status, family details, tax residency and tax related information.
- Financial details/circumstances: Bank account details (including Account number, sort code), any International Bank Account Number (IBAN), currency information, payments information including, payment reference information (this may identify precisely who makes payments to you and who you make payments to and possibly include special category data e.g. a payment to a trade union) transaction credits, transaction debits, credit/debit card details, income and asset details, personal guarantees provided, application processing and administration records, your employment status and employment details of your partner, credit history, credit assessment records, credit data from credit registers, credit reference agency performance data, transaction details, information relating to power of attorney arrangements.
- Marital status and/or financial associations: If you are married or are financially linked to another person in the context of a particular product or service, a financial association may be created between your records and their records, including any previous and subsequent names used by you (for example, if you apply jointly or one is guaranteeing the debts of another). This means that we may treat your financial affairs as affecting each other. These links will remain on your and their files until you or they break that link.
- Information you provide us about others: If you give us information about someone else (for example, information about a spouse or partner provided during the course of a joint application with that person. Before you disclose information to us about another person, you should be sure that you have their agreement to do so. You should also show them this Data Privacy Notice. You need to ensure they confirm that they know you are sharing their personal information with us for the purposes described in this Data Privacy Notice.
- Sensitive or special categories of data: We may hold information about you which includes sensitive or special categories personal data, such as but not limited to health, criminal conviction information or biometric information used to uniquely identify you, (for example facial recognition). We will only hold this data when we need to for the purposes of the product or services we provide to you, where we are processing the data for a substantial public interest, where we have a legal obligation or where we have your consent to do so. Examples of when we use this type of data include: Medical information, for example, where you are seeking a forbearance arrangement.
- If you have criminal convictions, we may process this information in the context of compliance with our anti-money laundering obligations.
- We may use your biometric information to help identify you when you open an account, we will always ask for your consent to do this.
- Information which you have consented to us using: Your contact details and marketing preferences are used to share news about relevant services, products and offers that we think may be of interest to you. You can find out more about how about we use your personal information in relation to marketing activities including updating your marketing preferences in the Consent Section below.
- Information from online activities: We collect information about your internet activity using technology known as cookies, which can be controlled through internet browsers and by using our cookie preference centre on our website. For detailed information on cookies we use and the purposes for which we use them, see our Cookies Policy, which is available on our website.
- We collect website activity information such as: click-throughs and number of page visits. The purpose of this collection is solely to increase website visits and we do not hold any personal data.
- We collect information about your internet browser settings and Internet Protocol (IP) address and other relevant information to help us identify your geographic location when providing you with our services.
- Other personal information: Telephone and image recordings.
We record all telephone calls, whether made by you or by us, and you will always be advised of this.
- CCTV images are captured at our office (but only for security reasons and to help prevent fraud or crime).
Competition Entry Information:
- Occasionally, the credit union runs competitions for members and some personal information will be required for entry to the competition. This data is solely used for the running of the competition and is destroyed within 3 months of the announcement of the competition winners.
- As you use our services, apply for products, make enquiries and engage with us, information is gathered about you. We may also collect information about you from other people and other parties, for example, from credit reference agencies and from sources where you have chosen to make your information publicly available, such as social media sites.
- When you ask us to provide you with certain products and services. For example, loan application or application for a current account.
- When you use our website and online services provided by us and visit our office.
- When you or others give us information verbally or in writing. This information may be on application forms, in records of your transactions with us or if you make a complaint.
- When you use our products or services, including making transactions on your account or instruct a third-party payment service provider to initiate payments on your account, we gather details about who you get money from, who you pay money to, how much the payments are for and when the payments are made.
- From information publicly available about you – for example, when you make information about yourself publicly available on your social media accounts or where you choose to make information available to us through your social media account.
- From credit reference agencies, credit registration agencies, fraud prevention agencies or public agencies such as property registration authorities, the Companies Registration Office, Judgement Registries or Insolvency Service of Ireland Registers of Certificates or Arrangements
We use your personal information for the following purposes:
- Provide and maintain our products and services to you
- Find out how we can improve our products and services
- Inform you how our products and services might help you and how you can avail of them
- Protect our interests and
- Meet our legal and regulatory obligations
We need to collect and use your personal information to provide products and services to you under our terms and conditions. If you do not provide your personal information, we may not be able to provide our products and services.
When you apply for a loan with us, we verify your identity. During the loan application process and for the period while you repay the loan, we also conduct information searches with and provide information to third parties. The third parties include credit reference agency, the Central Credit Register www.centralcreditregister.ie/privacy/. The third parties and Comhar Linn retain the information, whether the application is successful or not.
Information that we collect on how you use our products and services and from our website, apps and social media is analysed by us. This helps us to know how we engage with you, how you use our products and services, for marketing information and the protection from financial crime and fraud.
We may use technology to help automate our decision making, for example for loan applications. All decisions are assessed by us using the technology, the personal information you provide to us, your information that we already hold and information from third parties.
We analyse information and report trends including to third parties about loans applications, loan repayments, activity on our web-site and activity on mobile devices. Reports and trends have the information anonymised; i.e. names and addresses are removed. Information that is shared in these reports does not include anything that would identify you or your account number.
All processing of your information must be supported by a lawful basis and in that context, we fully meet our legal and regulatory obligations.
We will notify you if we change the purpose for which we use your information.
To meet our legal and regulatory obligations we collect and retain your information by relying on one or more of the following bases:
- Your agreement and consent
- To create and maintain a contract
- A legal obligation
- Protect your vital interests and those of others
- In the public interest and
- Our legitimate interests
We ensure your consent is obtained under the following principles:
- Positive Action – Clear affirmative action by you is required. We will no longer use pre-ticked boxes, imply or assume consent if there is no positive action from you
- Free will – Your consent must be freely given and not influenced by external factors
- Specific – We will be clear on what exactly we are asking your consent for
- Recorded – We will keep a record of your consent and how we got it
- Can be withdrawn at any time – We will stop data processing that requires your consent at any time you make a valid request. You can withdraw your consent at any time
With your consent, we will let you know what products or services you might like. You can select how you prefer to be contacted on our application forms or by contacting us.
We collect and process your information for the following purposes:
- Providing products and services.
- We provide accounts, loans, online and mobile services.
- To validate your use of these products and services.
- To maintain products and services.
- To monitor and update information to ensure that it is up to date and accurate. We may share the information with third parties.
- To monitor repayment of loans and collect outstanding debts.
- When repayments are overdue, we may share information with and engage third parties.
In our day-to-day business and in our dealings with members we need to use your personal information to comply with legal and regulatory obligations including:
- Complying with your information and privacy rights.
- Providing you with statutory and regulatory information and statements.
- Establishing your identity, residence and tax status in order to comply with law and regulation concerning taxation and the prevention of money laundering, fraud and terrorist financing.
- We are required by law to screen applications that are made to us to ensure we are complying with the international fight against terrorism and other criminal activities. As a result, we may need to disclose information to government and other statutory bodies.
- Preparing returns to regulators and relevant authorities including Deposit Interest Retention Tax and other revenue returns.
- Reporting to and, where relevant, conducting searches on the Central Credit Register
- Complying with binding requests from regulatory bodies, including the Central Bank of Ireland.
- Complying with binding requests for information from other payment service providers you have instructed to act for you.
- Complying with binding requests for information about you from other payment service providers from whom you may have received payments in error so that the payer’s financial service provider may contact you directly. This information will include your name, address and relevant transaction information.
- For other reasons where a statutory reason exists, including use of your Personal Public Service (PPS) number (or foreign equivalent).
- Complying with court orders arising in civil or criminal proceedings.
- Where required to comply with our obligations under the Payment Services Regulations relating to fraud prevention - including monitoring your use of our online banking software or security tools.
If we suspect that you or other Credit Union members may become victim of a financial fraud or identify activity that may lead to a financial crime. We will share information with third parties to help prevent fraud and financial crime.
We compile and process your information for
- Audit, statistical or research purposes (including, in some instances, making your data anonymous) in order to help us understand trends in our member behaviour and to understand our risks better, including for providing management information, operational and data risk management.
- To protect our business, reputation, resources and equipment, manage network and information security (for example, developing, testing and auditing our website and other systems, dealing with accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services) and prevent and detect fraud, dishonesty and other crimes (for example, to prevent someone trying to steal your identity), including using CCTV at our premises.
- To manage and administer our legal and compliance affairs, including complying with our legal obligations, compliance with regulatory guidance and voluntary codes of practice to which we have committed.
- To allow you to become a member and to offer loan products we must validate your identity and your ability to repay a loan.
Using the analysis described we enhance our products and services to continuously meet your needs. This can also allow us to provide a more personalised member service, prevent financial crime and protect our computer network and data. We continually monitor and analyse activity on our computer network to identify any possible financial crime threats and protect the data. We share information with third parties to help manage these risks and protect both our interests.
When you apply for a loan, we carry out information searches and verify your identity. We share your information with the credit reference agency, the Central Credit Register (CCR).
When you enter into a credit agreement with us, this data is registered on the CCR database. Each month CCR receives an update for each open account. This builds up a credit history which indicates how you are meeting the repayment terms of any credit agreements you may have.
When you apply for a loan, we will access CCR database to get your credit report. You may have loans from one or more credit providers and your credit report will include details of all registered loans, open and closed. Credit agreement details are retained on the CCR’s database for five years after they are closed.
You may not have any credit history in the cases where you have not borrowed previously, or where any credit agreements have been concluded for more than 5 years.
The CCR transfers certain data to the Central Statistics Office (CSO). The Statistics Act 1993 provides that the CSO may obtain information from public bodies including the Central Bank (CCR). Such transfers of information are permitted under data protection law.
Further information on the CCR is available in their full notice on their websites www.centralcreditregister.ie.
Sometimes we need your consent to use your personal information. For Marketing purposes or if we need to use your sensitive personal information (or Special Category information as it is known in GDPR), such as medical or biometric data, we will ask for your explicit consent.
We will ensure that you are informed when making your decision and that you are aware that you can remove your consent at any time by contacting us.
We need your consent to make you aware of products and services which may be of interest to you. We may do this by phone, post, email, text or through other digital media.
When you become a member or apply for a loan, you can decide how much direct marketing you wish to receive.
We analyse information that we collect through your use of our products and services and on our social media, apps and websites, as part of our direct marketing. This helps us understand your financial behaviour, how we interact with you and our position in a market place. This helps us to provide you with the most suitable products and services. You may opt out at any time you like.
We protect your information with security measures under the laws that apply. We keep our computers, files and buildings secure.
The collection, use, sharing, protection and deletion of your information is overseen by our Data Control Officer. Our Data Control Officer advises on how we can best understand risks to your data rights and freedoms, processes implemented to protect these and has responsibility to report to the Office of the Data Protection Commissioner if there is any breach of your data or our obligations.
To meet our legal and regulatory obligations, we hold your information while you are a member and for a period of time after that. The length of time we hold your data depends on a number of factors, such as regulatory rules and the type of financial product we have provided to you.
Those factors include:
- The regulatory rules contained in laws and regulations or set by authorities like the Central Bank of Ireland, for example, in the Criminal Justice Act 2010
- The type of financial product we have provided to you. For example, we may keep data relating to a loan product for a longer period compared to data regarding a single payment transaction.
- Whether you and us are in a legal or some other type of dispute with another person or each other.
- Whether you or a regulatory authority asks us to keep it for a valid reason.
As a general rule, we keep your information for a specified period after the date on which a transaction has completed or you cease to be a member. In most cases this period is six years.
While these retention periods are our policy, they are also subject to legal, regulatory and business requirements, which may require us to hold the information for a longer period. This includes meeting minimum retention standards for our Anti Money Laundering requirements. External authorities may also require us to retain data for longer than our policy. We must do this to protect both of our interests.
We only share your information with a select number of individuals and companies, and only as necessary. Sharing can occur in the following circumstances and/or with the following persons:
a) Your authorised representatives:
These include your Solicitor, attorney (under a Power of Attorney) and any other party authorised by you to receive your personal data.
b) Third parties we need to share your information with in order to facilitate payments you have requested (for example, correspondent banks) and those you ask us to share your information with.
c) When you open or use a joint account or product. If you open or hold a joint account or joint loan product, this will mean that your personal data will be shared with your co-applicant. For example, transactions made by you will be seen by your co-account holder, and you will see their transactions.
d) Companies that provide support services for the purposes of protecting our legitimate interests. Your personal information remains protected when our service providers use it. We only permit service providers to use your information in accordance with our instructions, and we ensure that they have appropriate measures in place to protect your information. Our service providers include marketing and market research companies, analytics companies, IT and telecommunication service providers, software development contractors, data processors, , computer maintenance contractors, printing companies, property contractors, document storage and destruction companies, archiving services suppliers, debt collection agencies, budgeting and advice agencies, tracing agencies, official Assignee for Bankruptcy and equivalent in other jurisdictions, auditors, including legal advisers.
e) We may also share information with the following third parties to help us manage our business for our legitimate interests:
- Trade associations and professional bodies, non-statutory bodies and members of trade associations such as Credit Union Development Association (CUDA).
- Statutory and regulatory bodies (including central and local government) and law enforcement authorities. These include the courts and those appointed by the courts, government departments, statutory and regulatory bodies including: the Central Bank of Ireland, the European Central Bank, the Data Protection Commission, Financial Services Ombudsman, An Garda Síochána/police authorities/enforcement agencies, Revenue Commissioners, Criminal Assets Bureau, US, EU and other designated authorities in connection with combating financial and other serious crime, police forces and security organisations, ombudsmen and regulatory authorities, as well as fraud prevention agencies.
- Credit reference agencies, like the Central Credit Register: we share your data with the Central Credit Register in order to comply with our legal obligations under the Credit Reporting Act 2013. We may also search the Central Credit Register where permitted but not obliged to do so to protect our legitimate interests.
Your information is stored on secure systems within Comhar Linn’s IT & physical environments and with providers of secure information storage.
We may transfer or allow the transfer of information about you and your products and services with us to our service providers and other organisations outside the European Economic Area (EEA), but only if they agree to act solely on our instructions and protect your information to the same standard that applies in the EEA.
Where we authorise the processing/ transfer of your personal information outside of the EEA, we require your personal information to be protected to at least Irish standards and include the following data protection transfer mechanisms:
- Model Clauses (also known as Standard Contractual Clauses) are standard clauses in our contracts with our service providers to ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law.
- Transfers to countries outside the EEA which have an adequate level of protection as approved by the European Commission.
- Transfers permitted in specific situations where a derogation applies as set out in Article 49 of the GDPR. For example, where it is necessary to transfer information to a non-EEA country to perform our contract with you.
We may analyse your information using automated means to:
- help us understand your needs and develop our relationship with you;
- to help us to offer you products and service information we believe will be of interest to you;
- to make assessments where you apply for a financial product (e.g. a loan) including creditworthiness and affordability. We may make lending decisions based solely on an automated analysis of your information. The types and sources of the information we process by automated means about you are listed below.
- We may also use automated processing to assist in compliance with our legal obligations in connection with prevention of money laundering, fraud and terrorist financing, for example, to screen for suspicious transactions.
When you apply for credit with us, we use different data sources to understand and assess your ability to repay the loan. This ensures responsible lending. We use the information that is provided by you on the applications and information from third parties such as credit reference agencies.
The information we may process for automated lending decisions includes:
- Financial position
- Transaction history
- Employment details
- Discretionary spending
- Credit rating
- Your other loans, mortgages and products
- Bill repayments
Analysing this information helps us assess your ability to repay and meet your loan payments. The automated decision is just one component of our overall decision-making process with regard to credit decisions.
In the event where we make solely automated decisions that affects you in a legal or a significant way, you have the right to provide your point of view and have those decisions reviewed by a member of our lending team.
If you wish to exercise your personal information rights, please contact us by email at DPO@intocreditunion.ie, by telephone on 01-8731101 or by writing to, Comhar Linn INTO Credit Union, 33 Parnell Square, Dublin 1, D01W563.
You have the right to obtain information, however this right cannot affect the rights and freedoms of others. We cannot therefore provide information on or about other people without their consent.
We will provide your information without charge. As permitted under the regulations however, where information requests are manifestly unfounded or excessive, we may either charge a reasonable fee or refuse to act on the request. The credit union will reply to your request within 1 month of receipt of the written or emailed request.
Your rights are detailed more fully as follows:
You can request a copy of the personal information we hold and further details about how we collect, share and use your personal information. When you contact us to ask about your information, we may ask you to identify yourself. This is to help us protect your information.
You can request the following information:
- the information we hold on you
- the purposes of the processing
- the categories of personal data concerned
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- where the personal data are not collected from you, any available information as to their source
- the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
You may update or correct any of your personal details. Please contact us at 01-8731101 or call to our office.
If you have given us consent in relation to the use of your personal information, you can change your mind and withdraw your consent. This could be for direct marketing or processing your sensitive (special category) information, such as medical or biometric data. Please contact us at 01-8731101 or call to our office.
You may have the right to restrict or object to us processing your personal information.
We will require your consent to further process this information once restricted. You can request restriction of processing where;
- The personal data is inaccurate and you request restriction while we verify the accuracy
- The processing of your personal data is unlawful
- You oppose the erasure of the data, requesting restriction of processing instead
- You require the data for the establishment, exercise or defence of legal claims but we no longer require the data for processing
- You disagree with the legitimate interest legal basis and processing is restricted until the legitimate basis is verified.
You may ask us to delete your personal information or we may delete your personal information under if:
- the personal data are no longer necessary in relation to the purposes for which they were collected or processed
- you withdraw your consent where there is no other legal ground for the processing
- you withdraw your consent for direct marketing purposes
- you withdraw your consent for processing a child’s data
- you object to automated decision making
- the personal data have been unlawfully processed
- the personal data have to be erased for compliance with a legal obligation.
If you request and where possible we can share a digital copy of your information directly with you or another organisation.
We will provide this information in a ‘structured, commonly used and machine-readable format’. We can only share this information where it has been processed automatically (hard copy documents are excluded for portability) and was processed under your consent or performance of a contract.
We do not share information processed under legal obligation or our legitimate interest for portability, this is in line with GDPR guidance.
If you have a complaint about your personal information, please contact us on 01-8731101 or contact a member of staff in our office. They will attempt to make any correction as quickly as possible.
You may also make a complaint to the Data Protection Officer, by email at DPO@intocreditunion.ie, by telephone on 01-8731101 or by writing to The Data Protection Officer, Comhar Linn INTO Credit Union, 33 Parnell Square, Dublin 1, D01W563.
Any complaint you make to us will be investigated as fully as possible. Please provide as much information as possible to help us quickly resolve your complaint.
You may also contact the Office of the Data Protection Commissioner via their web-site www.dataprotection.ie, by email at email@example.com or by post to Office of the Data Protection Commissioner, Canal House, Station Road, Portarlington, R32 AP23 Co. Laois.
From time to time, we will update this notice if we change how we use your information, change our technology or change our products. The most up to date notice will always be on our web-site www.comharlinnintocu.ie.
This glossary will help you to understand the data protection terms in this notice.
Anonymisation: process of turning data into a form which does not identify individuals and where identification is not likely to take place. The data once anonymised will no longer be personal data. The intention of anonymisation is that the data is irreversibly changed.
Automated Data: information on computer or information recorded with the intention of or the ability of putting it on a computer. It includes information in any electronic format.
Automated Decision-Making (ADM): when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual.
Automated Processing: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s economic situation.
Biometric Data: means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (finger print) data.
Consent: of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data: means individual facts, statistics, or items of information regarding an individual. Data can refer to automated data and manual data.
Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Subject: means an identified or identifiable natural person (see Personal Data).
Data Processor: a Data Processor is a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his/her employment.
EEA: the 27 countries in the EU, and Iceland, Liechtenstein and Norway.
Explicit Consent: consent which requires a very clear and specific statement on the part of the Data Subject.
General Data Protection Regulation (GDPR): the General Data Protection Regulation ((EU) 2016/679). Personal Data is subject to the legal safeguards specified in the GDPR.
Information and Records Management: the application of systematic policies and procedures governing the creation, distribution, maintenance, management, use and ultimate retention or disposal of records to achieve effective legal, economical, accountable, transparent and efficient administration.
Lawful basis: the processing of data must be performed under a lawful basis. Personal data may be processed:
- On the basis that the data subject has provided consent to do so
- On the basis that it is necessary in order to enter into or perform a contract
- On the basis that there is a legal obligation for the processing
- Where Comhar Linn INTO Credit Union has a legitimate interest in processing the data
- In order to protect the vital interests of the data subject
- In the public interest
Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing or Process: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Records: documents in every format created and received by individuals or organisations in the course of conduct of affairs and accumulated as evidence of these activities.
Relevant Filing System: Is any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information is accessible.
Special Category Data: information revealing:
- racial or ethnic origin
- political opinions, religious, philosophical or similar beliefs
- trade union membership
- physical or mental health conditions
- sexual life or sexual orientation
- biometric data
- genetic data
Supervisory Authority: means an independent public authority which is established by a Member State. In the Republic of Ireland, the Office of the Data Protection Commissioner (ODPC) is the public authority established to monitor the application of Data Protection Law.