Blanchardstown & District Credit Union Data Protection Privacy Policy

Data Protection Notice to Members

(Updated February 2023)

Members are encouraged to read this notice which sets out essential information about the personal data we collect from you, how we use and safeguard this information, who we share it with and why, and how long we will keep it on file. It also explains your rights, some of which are new, arising from the General Data Protection Regulation (GDPR).

 

1. Who we are

Blanchardstown & District Credit Union Limited has been looking after the financial services needs of its members since its foundation. Blanchardstown & District Credit Union is a financial cooperative, democratically owned and controlled by our members, and operated for the purposes of promoting thrift, providing credit and other financial services to members, and providing educational services to members for the promotion of their economic, social and cultural wellbeing. Personal data is processed for these purposes and no others.

2. Our approach to Data Protection

We have always appreciated your trust in us to collect, process and protect your personal information and we will continue to look after your information in a way that merits your trust. As a data controller, we are committed to meeting our obligations under the GDPR and have appointed a Data Protection Officer (DPO), who has oversight of our information practices and is responsible for ensuring your rights are fulfilled. The DPO is also a point of contact for members should you have any questions or concerns about your personal information.

In the context of the GDPR and the Data Protection Acts (1988 as amended), Blanchardstown & District Credit Union Ltd is the data controller[1]

You can contact our DPO at dpo@blanchardstowncu.ie or write to: Data Protection Officer, Blanchardstown & District Credit Union Limited, Unit 9/10, Blanchardstown Business Centre, Clonsilla Road, Blanchardstown, Dublin 15, D15 FP92,[2]

 

3. The information we collect and hold about you

Depending on which of our savings, loans, transaction or other services you use, we will collect different types of information from you or about you. Most of the information we collect is personal, and some of it is very private to you, including information about your financial situation, person(s) you have nominated on your account, and your state of health. Information about health is treated as a “special category”, meaning that we apply additional stringent safeguards against its improper collection, use or disclosure.

We collect and store only the information that we need to look after you as a member and this will include:

 

4. Information we hold about you as a member

Your personal identification and descriptors

  • Full name/maiden name/signature
  • Current and previous addresses
  • Email address; phone number(s) and other contact information
  • Age/date of birth
  • Gender
  • Marital status
  • Partner/spouse; number of dependents
  • Names and addresses of person(s) nominated on your account
  • Occupation and place of work
  • Income
  • Tax Identification Number/PPS Number
  • Proof of identity and address e.g. copy of driving licence/passport and utility bills
  • Accommodation status; mortgage or tenancy information
  • IP address
  • Photographic ID, CCTV footage and voice (call) recordings
  • Your state of health and related information
  • Your bank account or other credit union account details
  • Payroll, credit or payment card details

 

5. How we collect this information

We record and file the identification and contact information and other data that you input into our online or printed forms or provide to us over the phone or in person when you join the credit union.

We can only deal with and communicate with the member, so when you contact us we may need to verify your identity, for example by asking you a security question or looking for some additional detail about your account or dealings with us that only you would know.

When we need information about a nominated person(s) on your account we will obtain that information from you, as the member.

We may record and/or make notes about phone conversations and will always tell you when we do so.

Our website makes limited use of ‘cookie’ technology. A cookie is a piece of text that our server places on your device when you visit our website. The type of cookie we use is “a non-persistent session enabler” which means it is used only to allow your device to communicate with the site while you log-in and use the site; the cookie expires when you log out of the site. We also collect the IP address of any device which is trying to connect with the site and use this to track successful or failed attempts at log-in to your account and the number of attempts made. You can find more information on our Cookie Policy document on our website.

 

6. Information from other sources[3]:

Sometimes we collect information about you from other sources. Again, this can be dependent on which of our services you are using. Some examples are below:

  • If you apply for a loan, we may be required by law to consult credit rating agencies, such as the Central Credit Register.
  • When a member decides to complete a Form of Nomination[4] on their account they will give us personal data on the nominated person so we can contact them should it become necessary.
  • Should you decide to volunteer with us and apply for a position on our Board of Directs, we are required to complete fitness and probity checks. This is required under regulation by the Central Bank of Ireland

Other sources of publicly available information can also be consulted, such as:

  • Registers of companies and company directors, such as the Companies Registration Office, Solocheck, etc.
  • the Register of Personal Insolvency Arrangements,
  • the Bankruptcy Register
  • the Register of Beneficial Ownership

Whatever the source, we collect and store only the information that we need to look after you as a member.

 

7. The purposes for which we process your personal data[5]

We use information about you to:

  • Set up and operate your credit union accounts on your behalf;
  • Meet our obligations to you under the Credit Union’s Registered Rules;
  • Provide savings, loan, transaction and other financial and educational services to you as a member;
  • Process your Life Saving, Loan Protection or Death Benefit Insurance claims and associated payments;
  • Keep our records up to date to contact you when required and provide the best customer service;
  • Respond to your requests and provide information;
  • Address any complaint you may have about our services;
  • Meet our legal obligations and respond to requests from the Central Bank, courts or enforcement authorities;
  • Produce internal management information to run our business and identify ways in which we can improve our services;
  • Provide relevant information to other financial service providers in the event of you requesting this or when you transfer to another credit union; and;
  • Perform any other financial services or co-operative activities which we are obliged to undertake, or which we have gained your consent to perform
  • Keep you informed about our products and services

 

8. Profiling

We sometimes use personal data we have about you to carry out profiling to better understand our memberships’ needs and wants, to identify areas of opportunity within our common bond, and to tailor our marketing efforts.

Profiling is a special form of processing involving anonymous (member names are not included) analysis of our members database, or sections of the member database. It is usually done for marketing purposes, to look for clusters of members with similar characteristics and behaviours. For instance, looking at members who are borrowing from us, and looking for common characteristics among them, like age, stage, geographical location. Then, non-borrowing members with those same or similar characteristics are sent information about appropriate products and services.

You have the right to object to your personal data being included in profiling.

 

9. Our lawful basis for processing[6]

To process your information lawfully and fairly, we rely on one or more of the following lawful bases:

  • The performance of a contract;
  • Legal obligation;
  • Our legitimate business interests;
  • Your consent; and,
  • Protecting the vital interests of you or others

Some examples for each lawful basis are given below. Please note that some information is processed under more than one lawful basis:

 

Lawful basis Examples of what we use your information for
Performance of a contract – between you and us, or in order to take steps prior to entering into a contract between you and us When you ask to join the Credit Union, we must assess your eligibility to do so, for instance, establishing that you are part of our common bond. When you sign the application form, this is a contract in which you are agreeing to comply with the rules of the credit union.

Similarly, if you apply for a loan from us, we assess your creditworthiness using your income and outgoings to identify whether you can afford the loan for which you are applying. Once approved, the credit agreement is a contract in which sign your agreement with the repayment programme outlined.

Legal obligation – we must process this information to comply with our legal obligations. We process your personal information to identify and authenticate our members.

We share your information with third parties when obliged to do so.

We must continually monitor and update information to satisfy our obligations in respect of anti-money laundering, countering the financing of terrorism and to comply with the financial sanctions regime.

We use an element of automated decision-making for loan-assessment, provisioning and anti-money laundering purposes and to ensure we comply with our legal obligations in those regards.

We continually monitor electronic devices to detect and prevent fraud and cyber-attacks. This enables us to protect and secure our member and business information, our IT system and networks and our business interests.

Our legitimate interests – means the interests of the credit union in conducting and managing our business when providing financial and educational services. Core legitimate interests of the credit union are to provide the best customer service, to protect our members and employees, and to grow our member base and product offerings to remain vital and viable[7].

We will assess whether the legitimate interest of the credit union will affect your rights and freedoms as a data subject prior to processing. We implement safeguards to ensure that the processing remains fair and balanced.

You have the right to object to being included in processing where the lawful basis used is legitimate interest.

We produce internal management information and models to ensure necessary safeguards are in place and to assess the effectiveness of these.

We send out marketing materials to our members to promote ourselves, our products and services.

We also carry out profiling by analysing your demographic and user status, channel preferences and location, in order to identify potentially useful services for you. We use this to design future services offerings and to ensure that any marketing or educational materials we send you are relevant and useful to you.

As part of our membership agreement with you, we have the right to collect payment or money owed to us.

Your consent – we require your consent for processing certain information and will ensure this is obtained under the principles:

·         Free will – your consent must be freely given and not influenced by external factors

·         Specific – we will be clear on what exactly we are asking your consent for

·         Positive action – clear affirmative action is required. We will not use pre-ticked boxes, or imply or assume your consent

·         Recorded – we will keep a record of your consent and how and when obtained

·         Right to withdraw – you can withdraw your consent at any time; we will stop any processing that requires your consent once you request this;

With your consent, we will let you know about new services you might like to avail of. We may do this by post, email, or through digital media.

You can select how you prefer to be contacted on our application forms or by contacting us.

If we ever contact you to get your feedback on ways to improve our services, you have the choice to opt out.

Protecting the vital interests of you or others Sharing information to serve you

Should a situation arise where you are incapacitated and unable to communicate for yourself, we may share relevant information with your authorised representative.

Should you become unable to transact on your account due to a mental incapability and no person has been legally appointed to administer your account, the Board may allow payment to another who it deems proper to receive it, where it is just and expedient to do so, in order that the money be applied in your best interests[8]. To facilitate this, medical evidence of your incapacity will be required which will include data about your mental health. As special category data, this information will be treated with strictest care and confidentiality.

 

10. How we keep your information safe

The safety of your information and data is very important to us. We keep our computers, files and buildings secure.

Transit of paper files is strictly limited. Where necessary to have member information available for e.g. Board or Committee meetings, meeting rooms are secure, and no member information is left in the open or on view to external parties.

Incoming post is brought directly to our office and opened by our staff. Outgoing post is either collected from our office by An Post or brought to the Post Office by our staff.

Electronic copy files are stored on our proprietary IT system which requires user authentication to access it. Back-ups of electronic files are stored securely off site. Laptops are encrypted at hard-drive level. Use of memory sticks and other portable drives is limited, restricted to management personnel, and all external drives are encrypted.

All files and hard drives being disposed of are shredded and this is certified by the shredding service provider.

When you contact us by phone to ask about your information, we will ask you to verify your identity.

 

11. How long we keep your personal information for

To meet our legal and regulatory obligations, we hold your information while you are a member and for a period of time after that. We do not hold it for longer than necessary. To help you understand how long we hold your data for, we have summarised our internal retention schedules below.

Please note that these retention periods are subject to legal, regulatory and business requirements, which may require us to hold the information for a longer period. For example, we must meet minimum retention standards for taxation and audit requirements.

To meet such needs and to protect your interests as well as the credit union’s interests, we may need to hold data for longer than our internal schedules dictate. However, we will not retain data that is no longer needed, and we continuously assess and delete data to ensure it is not held for longer than necessary.

 

Document Type Example Document Retention Period
Account and service information Membership account opening documents including:

·         Documents that identify and authenticate you, e.g. birth certificate, passport, proof of address

·         Signed authorisation for deduction at source, standing order or direct debit

·         Documents that are required for adherence to law or regulations, e.g. PPSN, copy of marriage certificate / civil partnership

7 years beyond account closure

 

 

 

 

Account operation records including instructions, communications and complaints

·         Bank details; IBAN

·         Transactions and receipts

·         Accounting records

7 years beyond completion of the transaction or contract or resolution of the complaint concerned
Loan information

·         Applications and credit agreements

·         Supporting materials, such as payslips and bank statements

7 years beyond the expiry of the loan whether by repayment, refinance, transfer, or default

Deleted on expiry of the loan whether by repayment, refinance, transfer, or death

Revenue/Tax documentation Income tax and DIRT records 7 years beyond completion of the transaction concerned
Other records ·         Records relating to legal claims

 

·         CCTV footage and voice recordings

7 beyond closure of the case

One month

 

12. Your information and third parties

Sometimes we share your information with third parties, such as persons or companies with whom we do business and who provide products or services e.g. IT Services that we use in conducting our business, including managing our relationship with our members.

Similarly, we may share or disclose personal data to professional advisers, e.g. legal advisers, accountants, auditors, whom we may engage for any reasonable purpose in connection with our business, including assistance in protecting our rights.

We will only share or disclose the minimum information that they need in order to provide the product or service.

Before we make any transfer of personal data, we require these third parties to sign a contract with us committing to the same levels of data protection that we have and guaranteeing that all necessary safeguards and controls have been implemented to ensure there is no risk to your data rights and freedoms.

We also have to share information with third parties to meet any applicable law, regulation or lawful request including dealing with complaints. For example, we have a legal obligation under the “Return of Payments (Banks, Building Societies, Credit Unions and Savings Banks) Regulations 2008” to report details to the Revenue in respect of dividend or interest payments to members, which include PPSN where held.

In all such cases, we will only disclose the minimum amount of information required to satisfy our legal obligation.

Loan Protection & Life Savings Insurance (LPLS): CMutual Services (Ireland) Limited is an insurance specialist, serving credit unions in Ireland since 1963.

We have arranged Loan Protection (which covers repayment of a loan in the case of permanent disability or death) and Life Savings Insurance (which provides a payment on death to a members account based on the amount of savings) through CMutual, an insurance specialist who have been serving credit unions in Ireland since 1963. The Privacy Notice of CMutual can be found at www.cmutual.ie/privacy-statement.

To facilitate this, when you apply for a loan from us, it may be necessary to process ‘special category’ data, which includes information about your health. This information will be shared with CMutual to allow it deal with insurance underwriting, administration and any future claims on our behalf.

We may disclose information in your application or in respect of any account or transaction of yours from the date of your original membership to authorised officers or employees of CMutual for the purpose of CMutual providing these services to us.

Electronic Payments: For the processing of electronic payments services on your account (such as credit transfers, standing orders and direct debits), the Credit Union is required to share your personal data with our electronic payment service providers Intesa San Paolo, Realex and AIB Merchant Services.

 

13. International transfers of data

In our direct provision of services to you we do not transfer data outside of the area where the GDPR is in force[9]. Some of our outsourced service provisions can involve data being transferred outside of this area, but where this happens, we make sure that we have in place a contract requiring that this is done in full compliance with the requirements of the GDPR. We provide individual Privacy Notices for all our service provisions which provide specific information on any international data transfers.

 

14. Your personal information rights

This section sets out your rights, when they apply and our responsibility to you. The exercise of your rights might be subject to certain conditions and we might require further information from you before we can respond to your request. You may exercise your rights by contacting our Data Protection Officer at: dpo@blanchardstowncu.ie or write to: Data Protection Officer, Blanchardstown & District Credit Union Limited, Unit 9/10, Blanchardstown Business Centre, Clonsilla Road, Blanchardstown, Dublin 15, D15 FP92.

Accessing your personal information

As a member, you can ask us for a copy of the personal information we hold and further details about how we collect, share and use your personal information. You can request the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  • Any personal data we might transfer to an organisation outside of the area where the GDPR is in effect, including any safeguards around such transfers

Updating and correcting your personal details

You can easily update your personal and contact information by contacting us by email or letter. You may be asked to provide supporting documentation to support your request.

If you contact us over the phone to edit or delete any information on your behalf, we will ask you questions in order to verify your identity.

Deleting your information (right to be forgotten)

You may ask us to delete your personal information or we may delete your personal information under the following conditions:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • you withdraw your consent where there is no other legal ground for the processing;
  • you withdraw your consent for direct marketing purposes;
  • you withdraw your consent for processing a child’s data;
  • you object to automated decision making;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation.

A request to delete your personal information cannot place this credit union in conflict with existing legislation requiring the retention of the information.

Removing consent

Where we process your data solely on the basis of your consent, i.e. for direct marketing purposes or to obtain feedback from you about our services, you are entitled to withdraw your consent to such processing at any time. You can do this by contacting us by email or letter.

Ask us to suspend processing your personal data (Right to restriction) You may have the right to restrict or object to us processing your personal information. We will require your consent to further process this information once restricted. You can request restriction of processing where:

  • The personal data is inaccurate, and you request restriction while we verify the accuracy;
  • The processing of your personal data is unlawful;
  • You oppose the erasure of the data, requesting restriction of processing instead;
  • You require the data for the establishment, exercise or defence of legal claims but we no longer require the data for processing;
  • You disagree with the legitimate interest legal basis and processing is restricted until the legitimate basis is verified.

Moving your information (your right to Portability)

Where possible we can share a digital copy of your information directly with you or another organisation. We will provide this information in a structured, commonly used and machine-readable format. Note, we can only share this information where it has been processed electronically (hard copy documents are excluded for portability) and was processed either under your consent or under the lawful basis of provision of a credit union service. In line with GDPR guidance, information that is processed to satisfy a legal obligation or that we process as part of our legitimate business interests, will not be regarded as portable (see section 7: ‘The purposes for which we process your personal data’).

Ask us to stop processing your personal data (Right to object)

Where we are sending you direct marketing materials and newsletters, or we are using your personal data for profiling purposes for direct marketing, you can ask us to stop doing so.

Automated decision-making

We can occasionally use automated decision-making tools to assist us in making decisions, for instance, in assessing loan applications. We do not depend on such tools as the sole basis for making our decisions. Should it ever be the case that we use only automated decision-making, and you are unhappy with the resulting decision, you have the right to obtain human intervention on this, to express your point of view on the decision, and to contest or appeal that decision.

Restrictions and charges

You should note that the exercise of your rights might be subject to certain conditions or restrictions. Where this happens, we will let you know.

Additionally, your right to obtain information cannot adversely affect the rights and freedoms of others. Therefore, we cannot provide information on other people unless legally obliged to do so.

Usually, there is no charge when you contact us to ask about your information. If requests are deemed excessive or manifestly unfounded or unreasonable, we may charge a reasonable fee to cover the additional administrative costs, or we may choose to refuse the requests.

 

15. Making a complaint

If you have a complaint about how we are using your personal information, please let us know, so that we have the opportunity to put things right as quickly as possible. If you wish to make a complaint you may do so in person, by phone, by letter or by email. Please be assured that all complaints received will be fully investigated. You can register a complaint through our DPO and we ask that you provide as much information as possible to help us resolve your complaint quickly.

You can also complain directly to the Data Protection Commission, and their contact information is:

  • Email: info@dataprotection.ie
  • Phone: +353 (0)1 765 0100, or 1800 437 437
  • Write to: Data Protection Commission, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23

 

16. Updates to this notice

We will make changes to this notice from time to time, particularly when we change how we use your information, such as in response to changing legal, technical or business developments.  When we update it, we will take appropriate measures to inform you, consistent with the significance of the changes we make.. You always will find an up-to-date version of this notice on our website at www.blanchardstowncu.ie or you can ask us for a copy.

 

[1] GDPR, Article 13 (1)(a)

[2] GDPR, Article 13 (1)(b)

[3] GDPR, Article 14 (1)(c)

[4] Under our Rules (Rule 23), by filling in a form of nomination, our members can nominate their property to a person (or persons). This means that, should the member die, on the credit union receiving satisfactory proof of the death of a member, payment of the nominated property is made to the nominated person(s).

[5] GDPR, Article 13 (1)(c)

[6] GDPR, Article 14 (1)(c)

[7] GDPR, Article 13 (1)(d)

[8] Credit Union Rules, Rule 26

[9] The European Economic Area (EU countries, Norway, Iceland, Liechtenstein, Turkey & Switzerland) and countries with a GDPR Adequacy Decision (Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay)