Privacy Policy
Privacy Policy v2.2
In accordance with Data Protection and Privacy law
1. Comhar Linn INTO Credit Union Limited as a data controller
Comhar Linn INTO Credit Union (CLCU) is a member-owned financial organisation that provides financial services to its members. Our members are members of the INTO, members of the Retired Teachers Association of Ireland, staff of the INTO Head Office and staff of Comhar Linn INTO Credit Union Ltd and family members of such persons. We are committed to the privacy of those that we engage with, and this statement details our approach. While providing personal data to us during business or using our website, we will manage your data in accordance with this privacy statement.
- Controller name; Comhar Linn INTO Credit Union Limited
- Controller contact: if you would like to contact CLCU's data protection representative regarding this policy please email us at dataprotection@intocreditunion.ie. or call on 01 873 1101
Personal data processed by Comhar Linn INTO Credit Union is done in accordance with current Data Protection Regulation in Ireland and the GDPR.
If you are under 16 please read this statement with the assistance of a parent or guardian. We advise you to use a current version of this document when considering your rights.
2. Key Definitions
- Our or we or CLCU or Credit Union refers to Comhar Linn INTO Credit Union Limited
- You, Your, Member or Subject refers to the individual person whose personal data is the subject of the text.
- Personal Data is information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one of more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.
- Data Subject is the identified or identifiable natural person.
- Special (often referred to as sensitive) data is racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that includes genetic data, biometric data to reveal the identity of a person, or data concerning health, sex life or sexual orientation. Personal data relating to criminal convictions is also considered sensitive.
- Controller is the natural or legal person or body which alone or jointly determines the purpose and means of the processing of personal data. CLCU is a Controller of personal data.
3. Purpose and lawful basis
CLCU processes your personal data for many reasons, and we are obliged to inform you of the purposes for which we use your data and legal basis for processing.
In general, we may obtain personal data including name, address, phone numbers, e-mail address, other electronic identifiers, title, profession, images, IP address, photographic ID, company details, dependents or partner details, your bank or mortgage details, politically exposed status, tax identities, video & voice recordings, e-mails and other information provided by you while engaging with the Credit Union and while agreeing credit. We may also obtain similar information from third parties such as the Irish credit agencies, or from your use of CLCU systems, or when you sign up to or attend events or otherwise engage with the Credit Union.
The purposes for processing your personal data may overlap, and some purposes for processing may have multiple legal basis. They are as follows:
Category | Purpose | Examples of the type of data processed | Legal basis for processing* |
*Note; Where this document refers to the Legitimate interest of CLCU as a legal basis for processing, such legitimate interest refers to the management and delivery of the services of a Credit Union as provided for in the Credit Union Act 1997 as amended in 2012. Such processing also includes activities mandated, approved, or deemed acceptable by Irish or EU regulatory or oversight authorities. | |||
Membership | |||
Application/membership administration | To initiate and manage our relationship with our members or potential members | General Personal Details: name, contact details, address, tax identities, date of birth tax residency, financial position, proof of identity details, beneficial ownership details, security details, occupation, security facts | -Entering into or performance of a contract -Consent -Legitimate interest of CLCU* -There is a legal / regulatory obligation |
Funds | To manage member accounts | General Personal Details plus source of funds, bank details, record of transactions and balances. For clubs or businesses, identity of officers | -Performance of a contract -Legitimate interest of CLCU * - There is a legal / regulatory obligation -Consent |
The personal data of third parties | We may need to communicate with connected 3rd parties that are not members of the Credit Union to manage an event, to comply with law or regulation, or in relation to a financial product | Identification details, relationship, securities, and address relating to partners, family, guarantors, beneficiaries, nominees or a director or representative of an entity or person | -Performance of a contract -Legitimate interest of CLCU * - There is a legal / regulatory obligation - Consent |
Affiliation with the Credit Union Development Association CUDA | Reporting and use of services provided by representative bodies and to fulfil our obligation in accordance with CUDA rules | Member details and information relating to the provision of insurance | -Performance of a contract -There is a legal / regulatory obligation -Credit Union Act and amendments -Legitimate interest of CLCU * |
Loans | |||
Credit applications and credit management | To manage the loan process and loan agreement including assessing creditworthiness, validating information provided during the application process, determine if you are a connected or related party borrower, assessing credit history with the CCR, | Personal details & proof of identity plus credit history/rating, monthly income/outgoings, payslips, bank statements, connected party status, Marital status, spouse/partner/dependents details, property details, social welfare receipts, Declaration of Health, | -Entering into or the performance of a contract. -There is a legal / regulatory obligation (including the Credit Union Acts, Anti Money Laundering legislation and Central Bank regulations) -Legitimate interest of CLCU * |
effecting a legal charge over an asset and to manage the loan account. | information relating to connected parties, details of a guarantor to the loan application, records of communication relating to a loan | ||
Credit Control | To manage the debt recovery process including credit searches and engaging with the CCR the recovery of debt, the transfer of debt and the enforcement of security or guarantee against a loan. | As above (for loan application and loan management) | -Performance of a contract (loan and membership agreements) -There is a legal / regulatory obligation -Legitimate interest of CLCU * |
Identity details; | To establish the Identity, status, address and proof of identity of the parties to a loan | Identity data relating to the member, guarantors, nominees, family members or advisors | -Performance of a contract (loan and membership agreements) -There is a legal / regulatory obligation -Legitimate interest of CLCU * |
Spouse / Partner | To assess a loan application, validate data provided on a loan application, perform a credit search with the CCR to establish credit status and comply with law or regulation | Name, identification and contact details, financial and creditworthiness details, dependents, relationship with applicant | -Performance of a contract (loan and membership agreements) -There is a legal / regulatory obligation -Legitimate interest of CLCU * |
Guarantors | To evaluate suitability / creditworthiness, inform of changes to performance of a loan, the collection of debt and comply with law or regulation | Name and contact details, financial details, and creditworthiness, connected party status | -Performance of a contract (loan and membership agreements) -There is a legal / regulatory obligation -Legitimate interest of CLCU * |
Insurance & Investments | |||
Life Savings & Loan Protection Insurance provided by CU Mutual. | To provide loan protection and life savings protection for loans issued | Personal data relating to loan protection insurance. Loan protection insurance personal data may include 'special' personal data including medical records | -The performance of a contract. - There is a legal / regulatory obligation -Legitimate interest of CLCU * |
Marketing & other activities | |||
Direct Marketing to Members | To inform members of CLCU of services and events that they may be interested in | Contact details including postal address, e-mail, text, phone, mobile phone. (You may opt out of any of the above upon request. | -Consent -Legitimate interest of CLCU * |
Competitions or Quizzes | To hold a competition or draw for Members or members of the public | Name and contact details Member number | -Consent -Legitimate interest of CLCU * |
Surveys | To understand the requirements or views of subjects | Name and contact details Member number | -Consent -Legitimate interest of CLCU * |
CCTV | |||
CCTV recordings on all premises, both internally and externally | For safety and security | Motion images from cameras (not including voice) | -Legitimate interest of CLCU * or another party - and to protect the Credit Union in the event of security or safety incident or other unlawful event -Vital interest of subjects |
Internal cameras | For safety, security and the monitoring of transactions and cash handling | Motion images from cameras (not including voice) | - Legitimate interest of CLCU * or another party - and to protect the Credit Union in the event of security or safety incident or other unlawful event and to monitor transactions and resolve disputes |
Voice Recording | |||
Voice - to maintain a record of communications and advice to member or potential members | To verify content relating to advice or communication relating to the services of the Credit Union | Voice calls | -There is a legal / regulatory obligation -Legitimate interest of CLCU * |
Voice - Security | Security | Voice calls | - Vital interest of a natural person - Legitimate interest of CLCU * – and to protect the Credit Union against malicious harm |
Voice Mail | To record a message provided by a Subject | Voice message | - Consent - Legitimate interest of CLCU * |
General Legal/regulatory obligations | |||
Revenue | To comply with the requirements of Revenue, to pay all applicable taxes, enable tax audits and provide tax reports as required in law and in compliance with Irish Common Reporting Standards. | Identity, address, TIN or PPS number, date of birth, Account details including balance, dividend or interest payments, country of residence, details relating to the payment of tax | - There is a legal / regulatory obligation |
Regulatory Authorities | To enable processes that are compliant with law and regulation, and to facilitate audits and compliance reporting to the Central Bank of Ireland relating to Credit Unions, and any other mandatory requirements relating to CLCU | Prudential Returns | -There is a legal / regulatory obligation -Legitimate interest of CLCU * |
AML | To comply with the Criminal Justice (money laundering and terrorist financing) Act and Amendments | Name, Identification, proof of address, date of birth, PEP statue, Photographic ID including passport or driving license, other form of identification, PPS number, details of transactions, AML or Fraud reports | - There is a legal / regulatory obligation |
Auditors & Compliance | To audit the activities of the Credit Union in line with regulation and best practice | All data | -There is a legal / regulatory obligation -Legitimate interest of CLCU * |
4. Where you have provided consent
Where we are processing data based on your consent you may withdraw that consent at any time.
5. Who we share Personal Data with.
We take all reasonable measures to protect your personal information while it is in our possession, however, it may be transferred to others where there is a legitimate and lawful reason. This section lists the categories and types of organisations that we may transfer personal data to.
5.1 Operational
Individuals whom you name such as guarantors, nominees or partners, professional advisors, industry representation, and oversight authorities.
5.2 Legal / Regulatory Requirements
Central Bank - Credit Union Regulator, Department of Finance, Revenue, Department of Social Protection, Financial services and pensions ombudsman, State anti-fraud/criminal investigation (Gardaí, CAB), Central Credit Register, Credit Union Development Association, Audit & Compliance, Solicitors, Banks, and advisors representing the Credit Union.
Data provided to Revenue may be exchanged with other tax authorities. Further information on the exchange of data by Revenue can be found at https://www.revenue.ie/en/companies-and-charities/international-tax/aeoi/index.aspx .
5.3 Credit assessment, credit control, and loan in arrears or debt recovery
Guarantors, debt collection agencies or others legitimately involved in this process, a solicitor to affect a legal charge over an asset, Irish credit organisations including the CCR (Central Credit Register).
5.4 Insurance
CUNA Mutual for the purpose of insurance relating to Credit Union products.
5.5 Information technology & support services
Your personal information may also be transferred to third party service providers who process information on the Credit Union's behalf, including providers of information technology, website hosting and management, data analysis, anti-spam services, data back-up, security, e-mail, voice recording and storage services. The Credit Union's principal operating system is provided by Progress.
6. International transfer
CLCU does not currently transfer personal data to any recipients outside of the EEA European Economic Area unless.
- members use online identity validation software,
- requested to do so by the subject or
- in the course to the recovery of a debt where connected parties are outside of the EEA.
If a service provider to the Credit Union is international in nature, or sub processes with entities that are not within the EU, we will take steps to ensure that personal data is retained in the EU and that any further processing that may expose such data to international transfer is subject to the protections provided by a lawful basis of transfer.
7. Responsibility of Members and others who provide personal data to us
You warrant that personal information provided to us by you that relates to third parties (e.g., family, guarantors, nominees) for the administration and delivery of services being provided, or while engaging with us in any other way, has been obtained fairly and lawfully and that such information is accurate. You also warrant that third parties introduced by you are aware of the purpose for which their personal data is being used and that their privacy rights have been upheld.
8. Information relating to children and vulnerable persons
The processing of personal data relating to children receives special attention under Data Protection Regulation and we shall treat this information with particular care. Children are defined as under 16's in Ireland. Information obtained about children shall comply with the requirement for parental consent and shall receive additional consideration while planning an operational process.
9. Special (Sensitive) Data
CLCU recognises special categories of data, specifically personal data revealing racial or ethnic origin, political opinion, religious of philosophical beliefs, trades union membership, genetic or biometric data, or a subject’s health or sexual life. The processing of these categories of information shall typically require consent. We may also process Special data where there is a legal/regulatory obligation, there is a legitimate interest or where it is in the public interest.
Health data may be processed for the processing of an insurance or mortgage product under Irish law. Such processing will not normally require your consent.
10. Nominations
Irish legislation enables the nomination of successors to a deceased member's property in their Credit Union account and provides for special treatment independent of the deceased persons estate. This is a unique facility available to Credit Unions and all members are entitled to a nominate successor(s). A Member's nomination together with a record of revocations (the revoking of a nomination) shall be retained confidentially by the Credit Union. Personal data relating to nominations will be retained for up to six years following the completion of the nomination process.
CLCU will request confirmation of a Nominee’s identity, relationship to the member, and payment details to administer a valid nomination following the death of a member. Nomination information may be transferred to advisors, auditors, administrative staff and recognised oversight authorities for the administration of this facility and will always be bound by confidentiality obligations.
11. Confidentiality & security
CLCU have implemented generally accepted standards of technology and operational security to protect personal data from alteration, unauthorised disclosure, or destruction, and from use for unauthorised purposes. Furthermore, we have taken measures to ensure that contracts with all third parties that provide technical and processing services include terms that specify appropriate technical and organisational security measures to prevent accidental, unauthorised, or unlawful disclosure or processing of personal data.
12. Debit Card
If we issue you with a debit card, transact Payments Malta Limited (which is an authorised e-money institution) will also be a controller of your personal data. In order for you to understand what they do with your personal data, and how to exercise your rights in respect of their processing of you personal data, you should review their privacy policy which is available at http://currentaccount.ie/files/tpl-privacy-policy.pdf
13. Your Rights
Subjects have the right to:
- Be informed of information on whether we have personal data relating to a subject, the categories of data and the purpose of processing
- Where information is collected directly from you, you will be informed of the controller, the representative, details about the processing of your data and your rights
- Where data was not provided by you, we will identify the source of that data together with data categories
- Be informed if a failure to provide the personal data will have any direct and material personal consequences
- Access your personal data. Where the format is not reasonably understood, this shall be delivered in an intelligible format
- Have inaccurate, incomplete, or out-of-date personal data that we hold about you corrected, or deleted
- Withdraw consent for your personal data to be processed - where it was obtained from you on the basis of consent
- Make a submission on any automated decisions making processes or profiling of you.
- Transfer your data to another controller
- Have your personal data excluded from certain categories of processing
- Lodge a complaint with the Data Protection Commissioner. Contact details for the DPC can be found at dataprotection.ie
Please note
- There are some limitations to these rights
- Nomination data is confidential and will not be released
- You can contact us to exercise these rights by e-mail at dataprotection@intocreditunion.ie. We will ask for additional information to verify your identity prior to acting upon such requests.
14. Removal from mailing lists
You may unsubscribe from our mailing lists at any time by using the ‘unsubscribe’ button on marketing communications, or by contacting us at dataprotection@intocreditunion.ie
15. Reporting of Data Breaches
Where a data breach occurs that poses a risk to the subject it shall be reported to the Data Protection Commission. Where such a breach occurs and poses a high risk to you, we will also inform you. All breaches will be managed in accordance with Irish law and the GDPR.
16. Profiling
We may profile personal data in certain instances. This is typically in the context of applying for a loan, fulfilling our obligations under Anti Money Laundering legislation or for the purpose of marketing. Such processing shall not be fully automated and shall always be subject to the intervention of an officer of the Credit Union.
17. Cookies
While using our web site we use cookies – small text files – which are placed on your hard drives to provide a more intuitive website experience. Cookies are a typical part of operating procedure for most websites and most browsers permit users to opt-out of receiving them if the user would prefer.
You can opt out of the use of certain categories of cookies on the cookie notice tool that is always visible while you use the CLCU website. This may reduce some of the functionality of the site. Cookies can also be deleted by you from your browser at any time
18. Data Retention
We retain personal data that you submit to us only for as long as is necessary and for the purposes for which it was obtained, or as required by law. We have detailed retention periods for which personal data shall be retained for purposes below. The Credit Union reserves the right to delete personal data prior to the conclusion of the retention period or where such retention is not necessary for the provision of service to a subject.
Storage of personal data - | ||
Purpose of processing | Duration | Criteria for the storage of personal data |
Membership information | 7 years | From closing of the account, or greater where regulation mandates. |
Identity verification data | 2 years | Upon expiry of use (and it has been replaced) |
Loan application denied - application and supporting documents | 1 year | From loan final denial |
Loan related data (transaction details) | 7 years | From closing of the account, or greater where regulation mandates. |
Death benefit | 7 years | From closure of membership account |
Loan protection insurance | 7 years | From closure of a membership account |
Employment/volunteer data | Generally, for the duration of employment plus 7 years. Where categories of data have -regulatory limitations to possible liability, or -mandatory retention periods, We will retain for these periods plus one year. | |
Marketing data relating to non-members | 12 months | From the last communication |
CCTV | 1 month | From recording. Up to 6 years in the event of an incident where a material risk of a liability exists |
Incidents or complaint reports | Permanent | |
Small balance write-offs / Un-cashed Cheque details | Permanent | Mandatory requirement |
Documentation relating to revenue | Stored as mandated by law plus 12 months | |
AML and Fraud prevention documentation | Stored as mandated by law plus 12 months | |
Records and explanation of transactions, and of the provision of service | As mandated by the CU Handbook published by the Central Bank plus 12 months | |
Nothing in this section creates an obligation upon the Credit Union to retain personal data on behalf of a data subject. |
19. Updates
This notice may be updated to comply with precedent that has been established or to provide further clarification. The most up to date version is available in all branches and a record of updates is published on the Credit Union website. We advise you to use a current version of this document when considering your rights.