Privacy Policy v2.1

In accordance with Data Protection and Privacy law

1. Comhar Linn INTO Credit Union Limited as a data controller

Comhar Linn INTO Credit Union (CLCU) is a member-owned financial organisation that provides financial services to its members. Our members are members of the INTO, members of the Retired Teachers Association of Ireland, staff of the INTO Head Office and staff of Comhar Linn INTO Credit Union Ltd and family members of such persons. We are committed to the privacy of those that we engage with, and this statement details our approach. While providing personal data to us during business or using our website, we will manage your data in accordance with this privacy statement.

  • Controller name; Comhar Linn INTO Credit Union Limited
  • Controller contact: if you would like to contact CLCU's data protection representative regarding this policy please email us at dataprotection@intocreditunion.ie.  or call on 01 873 1101

Personal data processed by Comhar Linn INTO Credit Union is done in accordance with current Data Protection Regulation in Ireland and the GDPR.

If you are under 16 please read this statement with the assistance of a parent or guardian. We advise you to use a current version of this document when considering your rights.

2. Key Definitions

  • Our or we or CLCU or Credit Union refers to Comhar Linn INTO Credit Union Limited
  • You, Your, Member or Subject refers to the individual person whose personal data is the subject of the text.
  • Personal Data is information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one of more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.
  • Data Subject is the identified or identifiable natural person.
  • Special (often referred to as sensitive) data is racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that includes genetic data, biometric data to reveal the identity of a person, or data concerning health, sex life or sexual orientation. Personal data relating to criminal convictions is also considered sensitive.
  • Controller is the natural or legal person or body which alone or jointly determines the purpose and means of the processing of personal data. CLCU is a Controller of personal data.

3. Purpose and lawful basis

CLCU processes your personal data for many reasons, and we are obliged to inform you of the purposes for which we use your data and legal basis for processing.

In general, we may obtain personal data including name, address, phone numbers, e-mail address, other electronic identifiers, title, profession, images, IP address, photographic ID, company details, dependents or partner details, your bank or mortgage details, politically exposed status, tax identities, video & voice recordings, e-mails and other information provided by you while engaging with the Credit Union and while agreeing credit. We may also obtain similar information from third parties such as the Irish credit agencies, or from your use of CLCU systems, or when you sign up to or attend events or otherwise engage with the Credit Union.

The purposes for processing your personal data may overlap, and some purposes for processing may have multiple legal basis. They are as follows:

Category

Purpose

Examples of the type of data processed

Legal basis for processing*

*Note; Where this document refers to the Legitimate interest of CLCU as a legal basis for processing, such legitimate interest refers to the management and delivery of the services of a Credit Union as provided for in the Credit Union Act 1997 as amended in 2012. Such processing also includes activities mandated, approved, or deemed acceptable by Irish or EU regulatory or oversight authorities.

Membership

Application/membership administration

To initiate and manage our relationship with our

members or potential members

General Personal Details: name, contact details, address, tax identities, date of birth tax residency, financial position, proof of identity details, beneficial ownership details, security details, occupation, security facts

-Entering into or performance of a contract

-Consent

-Legitimate interest of CLCU*

-There is a legal / regulatory obligation

Funds

To manage member accounts

General Personal Details plus source of funds, bank details, record of transactions and balances.  For clubs or businesses, identity of

officers

-Performance of a contract

-Legitimate interest of CLCU * - There is a legal / regulatory obligation

-Consent

The personal data of third parties

We may need to communicate with connected 3rd parties that are not members of the Credit Union to manage an event, to comply with law or regulation, or in relation to a financial product

Identification details, relationship, securities, and address relating to partners, family, guarantors, beneficiaries, nominees or a director or representative of an entity or person

-Performance of a contract

-Legitimate interest of CLCU * - There is a legal / regulatory obligation - Consent

Affiliation with the Credit Union

Development Authority CUDA

Reporting and use of services provided by representative bodies and

to fulfil our obligation in accordance with CUDA rules

Member details and information relating to the provision of insurance

-Performance of a contract

-There is a legal / regulatory obligation

-Credit Union Act and amendments

-Legitimate interest of CLCU *

Enquiries

To engage with individuals who make an enquiry

Details provided on the enquiry including name, and contact details

-Consent

-Legitimate interest of CLCU *

Incapacity to act upon an account

When a person is unable to transact due to an intellectual incapacity - Appointment of an individual to administer the account or

- board approval of transactions

All personal data

-There is a legal / regulatory obligation

-Vital interest of the subject

-Legitimate interest of CLCU *

Loans

Credit applications and credit management

To manage the loan process and loan agreement including assessing creditworthiness, validating information provided during the application process, determine if you are a connected or related party borrower, assessing credit history with the CCR,

Personal details & proof of identity plus credit history/rating, monthly income/outgoings, payslips, bank statements, connected party status, Marital status, spouse/partner/dependents details, property details, social welfare receipts, Declaration of Health,

-Entering into or the performance of a contract.

-There is a legal / regulatory obligation (including the Credit Union Acts, Anti Money Laundering legislation and Central Bank regulations)

-Legitimate interest of CLCU *

effecting a legal charge over an asset and to manage the loan account.

information relating to connected parties, details of a guarantor to the loan application, records of communication relating to a loan

Credit Control

To manage the debt recovery process including credit searches and engaging with the CCR the recovery of debt, the transfer of debt and the enforcement of security or guarantee against a loan.

As above (for loan application and loan management)

-Performance of a contract (loan and membership agreements)

-There is a legal / regulatory obligation

-Legitimate interest of CLCU *

Identity details;

To establish the Identity, status, address and proof of identity of the parties to a loan

Identity data relating to the member, guarantors, nominees, family members or advisors

-Performance of a contract (loan and membership agreements)

-There is a legal / regulatory obligation

-Legitimate interest of CLCU *

Spouse / Partner

To assess a loan application, validate data provided on a loan application, perform a credit search with the CCR to establish credit status and comply with law or regulation

Name, identification and contact details, financial and creditworthiness details, dependents, relationship with applicant

-Performance of a contract (loan and membership agreements)

-There is a legal / regulatory obligation

-Legitimate interest of CLCU *

Guarantors

To evaluate suitability / creditworthiness, inform of changes to performance of a loan, the collection of debt and comply with law or regulation

Name and contact details, financial details, and creditworthiness, connected party status

-Performance of a contract (loan and membership agreements)

-There is a legal / regulatory obligation

-Legitimate interest of CLCU *

Insurance & Investments

Life Savings & Loan Protection Insurance provided by CU Mutual.

To provide loan protection and life savings protection for loans issued

Personal data relating to loan protection insurance. Loan protection insurance personal data may include 'special' personal data including medical records

-The performance of a contract.  -  There is a legal / regulatory obligation

-Legitimate interest of CLCU *

Marketing & other activities

Direct Marketing to Members

To inform members of CLCU of services and events that they may be interested in

Contact details including postal address, e-mail, text, phone, mobile phone. (You may opt out of any of the above upon request.

-Consent

-Legitimate interest of CLCU *

Competitions or Quizzes

To hold a competition or draw for Members or members of the public

Name and contact details

Member number

-Consent

-Legitimate interest of CLCU *

Surveys

To understand the requirements or views of subjects

Name and contact details Member number

-Consent

-Legitimate interest of CLCU *

CCTV

CCTV recordings on all premises, both internally and externally

For safety and security

Motion images from cameras (not including voice)

-Legitimate interest of CLCU * or another party - and to protect the Credit Union in the event of security or safety incident or other unlawful event

-Vital interest of subjects

Internal cameras

For safety, security and the monitoring of transactions and cash handling

Motion images from cameras (not including voice)

-  Legitimate interest of CLCU * or another party - and to protect the Credit Union in the event of security or safety incident or other unlawful event and to monitor transactions and resolve disputes

Voice Recording

Voice - to maintain a record of communications and advice to member or potential members

To verify content relating to advice or communication relating to the services of the Credit Union

Voice calls

-There is a legal / regulatory obligation

-Legitimate interest of CLCU *

Voice - Security

Security

Voice calls

- Vital interest of a natural person - Legitimate interest of CLCU * – and to protect the Credit Union against malicious harm

Voice Mail

To record a message provided by a Subject

Voice message

- Consent

- Legitimate interest of CLCU *

General Legal/regulatory obligations

Revenue

To comply with the requirements of Revenue, to pay all applicable taxes, enable tax audits and provide tax reports as required in law and in

compliance with Irish Common Reporting Standards.

Identity, address, TIN or PPS number, date of birth, Account details including balance, dividend or interest payments, country of residence, details relating to the payment of tax

- There is a legal / regulatory obligation

Regulatory Authorities

To enable processes that are compliant with law and regulation, and to facilitate audits and compliance reporting to the Central Bank of Ireland relating to Credit Unions, and any other mandatory requirements relating to

CLCU

Prudential Returns

-There is a legal / regulatory obligation

-Legitimate interest of CLCU *

AML

To comply with the Criminal Justice (money laundering and terrorist financing) Act and Amendments

Name, Identification, proof of address, date of birth, PEP statue, Photographic ID including passport or driving license, other form of identification, PPS number, details of transactions, AML or Fraud reports

- There is a legal / regulatory obligation

Auditors & Compliance

To audit the activities of the Credit Union in line with regulation and best practice

All data

-There is a legal / regulatory obligation

-Legitimate interest of CLCU *

4. Where you have provided consent

Where we are processing data based on your consent you may withdraw that consent at any time.

5. Who we share Personal Data with.

We take all reasonable measures to protect your personal information while it is in our possession, however, it may be transferred to others where there is a legitimate and lawful reason. This section lists the categories and types of organisations that we may transfer personal data to.

5.1 Operational

Individuals whom you name such as guarantors, nominees or partners, professional advisors, industry representation, and oversight authorities.

5.2 Legal / Regulatory Requirements

Central Bank - Credit Union Regulator, Department of Finance, Revenue, Department of Social Protection, Financial services and pensions ombudsman, State anti-fraud/criminal investigation (Gardaí, CAB), Central Credit Register, Credit Union Development Authority, Audit & Compliance, Solicitors, Banks, and advisors representing the Credit Union.

Data provided to Revenue may be exchanged with other tax authorities. Further information on the exchange of data by Revenue can be found at https://www.revenue.ie/en/companies-and-charities/international-tax/aeoi/index.aspx .

5.3 Credit assessment, credit control, and loan in arrears or debt recovery

Guarantors, debt collection agencies or others legitimately involved in this process, a solicitor to affect a legal charge over an asset, Irish credit organisations including the CCR (Central Credit Register).

5.4 Insurance

CUNA Mutual for the purpose of insurance relating to Credit Union products.

5.5 Information technology & support services

Your personal information may also be transferred to third party service providers who process information on the Credit Union's behalf, including providers of information technology, website hosting and management, data analysis, anti-spam services, data back-up, security, e-mail, voice recording and storage services. The Credit Union's principal operating system is provided by Progress.

6. International transfer

CLCU does not currently transfer personal data to any recipients outside of the EEA European Economic Area unless.

  • members use online identity validation software,
  • requested to do so by the subject or
  • in the course to the recovery of a debt where connected parties are outside of the EEA.

If a service provider to the Credit Union is international in nature, or sub processes with entities that are not within the EU, we will take steps to ensure that personal data is retained in the EU and that any further processing that may expose such data to international transfer is subject to the protections provided by a lawful basis of transfer.

7. Responsibility of Members and others who provide personal data to us

You warrant that personal information provided to us by you that relates to third parties (e.g., family, guarantors, nominees) for the administration and delivery of services being provided, or while engaging with us in any other way, has been obtained fairly and lawfully and that such information is accurate. You also warrant that third parties introduced by you are aware of the purpose for which their personal data is being used and that their privacy rights have been upheld.

8. Information relating to children and vulnerable persons

The processing of personal data relating to children receives special attention under Data Protection Regulation and we shall treat this information with particular care. Children are defined as under 16's in Ireland. Information obtained about children shall comply with the requirement for parental consent and shall receive additional consideration while planning an operational process.

9. Special (Sensitive) Data

CLCU recognises special categories of data, specifically personal data revealing racial or ethnic origin, political opinion, religious of philosophical beliefs, trades union membership, genetic or biometric data, or a subject’s health or sexual life. The processing of these categories of information shall typically require consent. We may also process Special data where there is a legal/regulatory obligation, there is a legitimate interest or where it is in the public interest.

Health data may be processed for the processing of an insurance or mortgage product under Irish law. Such processing will not normally require your consent.

10. Nominations

Irish legislation enables the nomination of successors to a deceased member's property in their Credit Union account and provides for special treatment independent of the deceased persons estate. This is a unique facility available to Credit Unions and all members are entitled to a nominate successor(s). A Member's nomination together with a record of revocations (the revoking of a nomination) shall be retained confidentially by the Credit Union. Personal data relating to nominations will be retained for up to six years following the completion of the nomination process.

CLCU will request confirmation of a Nominee’s identity, relationship to the member, and payment details to administer a valid nomination following the death of a member. Nomination information may be transferred to advisors, auditors, administrative staff and recognised oversight authorities for the administration of this facility and will always be bound by confidentiality obligations.

11. Confidentiality & security

CLCU have implemented generally accepted standards of technology and operational security to protect personal data from alteration, unauthorised disclosure, or destruction, and from use for unauthorised purposes. Furthermore, we have taken measures to ensure that contracts with all third parties that provide technical and processing services include terms that specify appropriate technical and organisational security measures to prevent accidental, unauthorised, or unlawful disclosure or processing of personal data.

12. Your Rights

Subjects have the right to:

  1. Be informed of information on whether we have personal data relating to a subject, the categories of data and the purpose of processing
  2. Where information is collected directly from you, you will be informed of the controller, the representative, details about the processing of your data and your rights
  3. Where data was not provided by you, we will identify the source of that data together with data categories
  4. Be informed if a failure to provide the personal data will have any direct and material personal consequences
  5. Access your personal data. Where the format is not reasonably understood, this shall be delivered in an intelligible format
  6. Have inaccurate, incomplete, or out-of-date personal data that we hold about you corrected, or deleted
  7. Withdraw consent for your personal data to be processed - where it was obtained from you on the basis of consent
  8. Make a submission on any automated decisions making processes or profiling of you.
  9. Transfer your data to another controller
  10. Have your personal data excluded from certain categories of processing
  11. Lodge a complaint with the Data Protection Commissioner. Contact details for the DPC can be found at dataprotection.ie

Please note

  • There are some limitations to these rights
  • Nomination data is confidential and will not be released
  • You can contact us to exercise these rights by e-mail at dataprotection@intocreditunion.ie. We will ask for additional information to verify your identity prior to acting upon such requests.

13. Removal from mailing lists

You may unsubscribe from our mailing lists at any time by using the ‘unsubscribe’ button on marketing communications, or by contacting us at dataprotection@intocreditunion.ie

14. Reporting of Data Breaches

Where a data breach occurs that poses a risk to the subject it shall be reported to the Data Protection Commission. Where such a breach occurs and poses a high risk to you, we will also inform you. All breaches will be managed in accordance with Irish law and the GDPR.

15. Profiling

We may profile personal data in certain instances. This is typically in the context of applying for a loan, fulfilling our obligations under Anti Money Laundering legislation or for the purpose of marketing. Such processing shall not be fully automated and shall always be subject to the intervention of an officer of the Credit Union.

16. Cookies

While using our web site we use cookies – small text files – which are placed on your hard drives to provide a more intuitive website experience. Cookies are a typical part of operating procedure for most websites and most browsers permit users to opt-out of receiving them if the user would prefer.

You can opt out of the use of certain categories of cookies on the cookie notice tool that is always visible while you use the CLCU website. This may reduce some of the functionality of the site. Cookies can also be deleted by you from your browser at any time

17. Data Retention

We retain personal data that you submit to us only for as long as is necessary and for the purposes for which it was obtained, or as required by law. We have detailed retention periods for which personal data shall be retained for purposes below. The Credit Union reserves the right to delete personal data prior to the conclusion of the retention period or where such retention is not necessary for the provision of service to a subject.

Storage of personal data - 

Purpose of processing

Duration

Criteria for the storage of personal data

Membership information

7 years

From closing of the account, or greater where regulation mandates.

Identity verification data

2 years

Upon expiry of use (and it has been replaced)

Loan application denied - application and supporting documents

1 year

From loan final denial

Loan related data (transaction details)

7 years

From closing of the account, or greater where regulation mandates.

Death benefit

7 years

From closure of membership account

Loan protection insurance

7 years

From closure of a membership account

Employment/volunteer data

Generally, for the duration of employment plus

7 years. Where categories of data have

-regulatory limitations to possible liability, or

-mandatory retention periods,

We will retain for these periods plus one year.

Marketing data relating to non-members

12 months

From the last communication

CCTV

1 month

From recording. Up to 6 years in the event of an incident where a material risk of a liability exists

Incidents or complaint reports

Permanent

Small balance write-offs / Un-cashed Cheque details

Permanent

Mandatory requirement

Documentation relating to revenue

Stored as mandated by law plus 12 months

AML and Fraud prevention documentation

Stored as mandated by law plus 12 months

Records and explanation of transactions, and of the provision of service

As mandated by the CU Handbook published by the Central Bank plus 12 months

Nothing in this section creates an obligation upon the Credit Union to retain personal data on behalf of a data subject.

18. Updates

This notice may be updated to comply with precedent that has been established or to provide further clarification. The most up to date version is available in all branches and a record of updates is published on the Credit Union website. We advise you to use a current version of this document when considering your rights.