Privacy Notice of The Lough Credit Union Limited
If you have any questions or concern regarding the processing personal data, please feel free to contact the Credit Union’s Data Protection Officer. If using email please use DATA PROTECTION in the email title.
Address: 100-103 Bandon Road, Cork. County Cork
Phone: 021 496 3384
Data Protection Officer Contact Details: DPO@loughcu.ie
The Lough Credit Union is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after your relationship with us.
Purpose of Data Collection, Processing or Use
A Credit Union is a member-owned financial cooperative, democratically controlled by its members, and operated for the purpose of promoting thrift, providing credit at competitive rates, and providing other financial services to its members. Data collection, processing and use are conducted solely for the purpose of carrying out the above mentioned objectives.
What personal data do we use?
We may collect, store, and use the following categories of personal information about you:
- Identifying Information such as your name, date of birth, PPSN, photograph and passport details, your signature.
- Contact Information which includes your address, email and telephone numbers.
- Financial Information including financial data, your account status and history, transaction data, contract data, details of the Credit Union products you hold with us. With loans we may also request broader information around your financial income and outgoings such as salary, occupation, accommodation status, mortgage details, previous addresses, spouse, partners.
- Operational Information identification documents, records of interactions with Credit Union staff and officers on the premises, by phone, or email, current or past complaints, CCTV footage and telephone voice recordings.
- Sensitive Information: Occasionally we may also process “special categories” of more sensitive personal information such as health information but only for very specific purposes such as insurance. We explain more below.
We need all the categories of information in the list above to allow us to carry out the functions that would expect of a Credit Union which include identifying you, contacting you, offering you services under contract and keeping your assets safe.
We also need your personal identification data to enable us to comply with legal obligations such as those set out under the Credit Union Act 1997, and the Central Bank Regulations. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
We will ONLY process your data when we have legal grounds for so doing.
What happens if you do not wish to provide this information?
If you are unwilling or unable to provide certain information when the Credit union makes a request, please understand that we may not be able to offer you the services we provide or perform the contract we have entered into. We cannot act in a way that would prevent us from complying with our legal obligations.
Change of purpose:
You can be assured that we will only use your data for the purpose it was provided at the time we collected it from you and only in ways compatible with the purpose stated at the time of collecting. If we need to use your personal information for an unrelated purpose, we will request your consent for the new purpose or explain the legal obligation that requires the further processing of your data. At all times the Credit Union will operate under full transparency with and for its members.
How we use your sensitive personal information:
”Special categories” of particularly sensitive personal information require higher levels of protection given the risk to you if there is a data breach. In addition to the legal basis for processing as is the case for all personal data, we need to have further justification for collecting, storing and using this type of sensitive personal information. We may process such data only in the following circumstances:
- In limited circumstances, with your explicit written consent.
- Where we need to carry out our legal obligations and in line with our data protection policy.
- Where it is needed in the public interest, and in line with our data protection policy.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public. See Insurance for further details
We sometimes use systems to make informed decisions based on personal information we have (or are allowed to collect from others) about you such as your credit score. This information is used as part of the decision making we carry out for services such as loans and to meet our obligations regarding anti-money laundering and comply with our legal duties under the many regulations that govern our activities. We aim to process the minimum amount of personal data possible in accordance with Data Protection principles.
Data Retention Periods:
We will only retain your personal information for as long as necessary to fulfill the purpose(s) for which it was obtained, taking into account our legal and contractual obligations to keep it. We document the reasons for our retention periods and where possible the retention periods themselves in our Retention Policy. Some of the main retention periods are set out below to help you understand how long your data is retained. In all cases we use the appropriate processes and technology to protect and secure any of your personal information we process.
Once the retention period has expired, your personal data will be securely and permanently deleted whether we have stored in digitally or in paper format.
Some of our main Retention Periods:
- Accounting records are required to be kept under the Credit Union Act, 1997 (as amended) for not less than six years from the date to which it relates.
- The money laundering provisions of Anti-Money Laundering legislation require that certain documents must be retained for a period of five years after the relationship with the member has ended.
- We keep income tax records for a period of six years after completion of the transactions to which they relate.
- Credit agreements such as loans as well as other contracts are retained for six years from date of expiration or breach, and twelve years where the document is under seal.
- CCTV footage which is used in the normal course of business (i.e. for security purposes) for 28 days.
- Membership forms are kept for as long as the account is open and the for 5 years once the account is closed.
Planned Data Transmission to Third Countries:
We do not process any of your personal data outside the European Economic Area (EEA) and we make it a condition of our processors who work for us under contract that they must process your data on our behalf within the EEA also.
The Credit Union takes the processing of your data very seriously. To protect the integrity and confidentiality of your data we put in place both technology and operational controls to limit risk to your personal data. These include:
- Physical security on the building including but not restricted to time locks, electronic door locks, CCTV and alarms.
- Technology controls including but not restricted to encryption, access controls, intrusion detection, anti-virus, application of patches and updates and the services of specialist IT professionals.
- Management controls and procedures that limit access to information based on roles, regular staff training, auditing and risk management protocols.
- Planning for scenarios through Business Continuity Plans which are tested in conjunction with Disaster Recovery Plans for our technology.
We take advice on the best technology to use when looking for new systems or updating existing systems. We also require the same level of caution and preparedness from any service providers chosen by the Credit Union who then process your data under contract for the us.
Explaining Our Use of Your Information
We will collect and use relevant information about you, your transactions, your use of our products and services, and your relationships with us:
This basis is appropriate where the processing is necessary for us to manage your accounts and for certain products the Credit Union provides to you such as loans.
|Administrative Purposes: We will use the information provided by you, either contained in this form or any other form or application, for the purpose of assessing applications, processing applications you make and to maintaining and administer any accounts you have with the Credit Union.
|Third parties: We may appoint under contract external third parties to process your data on our behalf. An example would be the printers of our AGM booklets and statement or the company that shred our paper files. We will ensure that any information passed to third parties conducting such functions on our behalf will do so with respect for the security of your data and will be protected in line with data protection law. We also have the right to audit them to check they do.|
|Irish League of Credit Unions (ILCU) Affiliation: The ILCU (a trade and representative body for Credit Unions in Ireland and Northern Ireland) provides professional and business support services such as marketing and public affairs representation, monitoring, financial, compliance, risk, learning and development, and insurance services to affiliated Credit Unions. As this Credit Union is affiliated to the ILCU, the Credit Union must also operate in line with the ILCU Standard Rules (which members of the Credit Union are bound to the Credit Union by) and the League Rules (which the Credit Union is bound to the ILCU by). We may share information in your application or in respect of any account or transaction of yours from the date of your original membership to authorised officers or employees of the ILCU for the purpose of the ILCU providing these services to us. Such services include
· ILCU Savings Protection Scheme (SPS): We may disclose information in any application from you or in respect of any account or transaction of yours from the date of your original membership to authorised officers or employees of the ILCU for the purpose of the ILCU providing these services and fulfilling requirements under our affiliation to the ILCU, and the SPS.
· Insurance: As part of our affiliation with the ILCU the Credit Union carries insurance products from ECCU Assurance DAC (ECCU) which includes Life Savings (LS), Loan Protection (LP) Death Benefit Insurance (DBI) and Disability Cover where it applies. To administer these products and services we may pass your details to ECCU Assurance DAC (ECCU), a life insurance company, wholly owned by the Irish League of Credit Unions which exists to provide insurance to Credit Unions affiliated to the Irish League of Credit Unions. It is a term of your membership, by virtue of our affiliation with the ILCU, that the Credit Union must apply to ECCU for Loan Protection (LP) if you choose to take out a loan with us. If covered any outstanding sum will be repaid to the Credit Union by ECCU in the event of your death. In order that we apply for LP it may be necessary to process ‘special category’ data, which includes data about your health. This information will be shared with ECCU to allow it deal with insurance underwriting, administration and claims on our behalf.
When assessing your application for a loan, the Credit Union will take a number of factors into account and will utilise personal data sourced from:
· your application form or as part of your loan supporting documentation
· your existing Credit Union file,
· credit referencing agencies such as the Irish Credit Bureau and the Central Credit Registrar
The Credit Union’s Loans Officer and the Loan’s Committee then utilises this information to assess your loan application in line with the applicable legislation and the Credit Union’s lending policy. We do this to ensure you have the capability to repay the loan and not to lend recklessly.
|Debit or Charge Card: If you have a debit or prepaid card with us we do not provide these services ourselves given the complexity. We share transaction details securely with a specialist service provider who we employ under contract to help us to provide this service.|
This basis is appropriate when we are processing personal data to comply with an Irish or EU Law.
|Tax liability: We may share information and documentation with domestic and foreign tax authorities to establish your liability to tax in any jurisdiction. Where a member is tax resident in another jurisdiction the Credit Union has certain reporting obligations to Revenue under the Common Reporting Standard. Revenue will then exchange this information with the jurisdiction of tax residence of the member. We cannot be responsible for any loss incurred by you or any third party as a result of complying with our legal obligations.
Under the “Return of Payments (Banks, Building Societies, Credit Unions and Savings Banks) Regulations 2008” the Credit Union is obliged to report details to the Revenue in respect of dividend or interest payments to members, which include PPSN where held.
|Regulatory and statutory requirements: To meet our duties to the Regulator and the Central Bank of Ireland and to prove we are looking after your assets properly, we must allow authorised people or officers from these organisations to see our records (which may include information about you) for reporting, compliance and auditing purposes. For the same reason, we will also hold information about you when you are no longer a member but only for a set period of time as set out in the retention periods. We may also share information with certain statutory bodies such as the Department of Finance, the Department of Social Protection and the Financial Services and Pensions Ombudsman Bureau of Ireland ONLY if required by law to do so.
If An Garda Síochána request a copy of CCTV footage in the investigation of a crime, we only supply this upon receipt of a written instruction signed by a Garda of Superintendent rank or higher.
|Compliance with our anti-money laundering and combating terrorist financing obligations: the information provided by you is used for compliance with our customer due diligence and screening obligations under anti-money laundering and combating terrorist financing obligations under The Money Laundering provisions of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 , as amended by Part 2 of the Criminal Justice Act 2013 (“the Act”), In other words, we need to make sure our services and your account(s) are not used for illegal purposes.
|Audit: To meet our legislative and regulatory duties we hire under contract an external group of experts to audit our financial accounts, advise on how we can best meet our obligations and improve our ways of operating. We will allow the external auditors to see our records (which may include information about you) for these purposes and they are bound by confidentiality.
|Nominations: The Credit Union Act 1997 as amended allows members to nominate a person(s) to receive a certain amount from their account on their death, subject to a statutory maximum. Where a member wishes to make a nomination, the Credit Union must record personal data of nominees in this event.
|Credit Reporting: Where a loan is applied for in the sum of €2,000 or more, the Credit Union is obliged to make an enquiry of the Central Credit Register (CCR) in respect of the borrower. Where a loan is granted in the sum of €500 or more, the Credit Union is obliged to report both personal details and credit details of the borrower to the CCR. All banks and Credit Unions must do this.
A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. If we rely on our legitimate interest, we will tell you what that is.
|Credit Assessment and Credit Reference Agencies:
As mention under Contracts above, when assessing an application for a loan, the Credit Union utilises credit data from credit referencing agencies such as the Irish Credit Bureau (ICB) and the Central Credit Registrar. Our legitimate interest: The Credit Union, for its own benefit and therefore the benefit of its members, must lend responsibly and will use your credit scoring information in order to determine your suitability for the loan applied for. When using the service of a credit referencing agency we will pass them your personal details and details of your credit performance.
The ICB uses Legitimate Interests (GDPR Article 6 (f)) as the legal basis for processing of your personal and credit information. These Legitimate Interests are promoting greater financial stability by supporting a full and accurate assessment of loan applications, aiding in the avoidance of over-indebtedness, assisting in lowering the cost of credit, complying with and
supporting compliance with legal and regulatory requirements, enabling more consistent, faster decision-making in the provision of credit and assisting in fraud prevention.
Please review ICB’s Fair Processing Notice which is available at http://www.icb.ie/pdf/Fair Processing Notice.pdf. It documents who they are, what they do, details of their Data Protection Officer, how they get the data, why they take it, what personal data they hold, what they do with it, how long they retain it, who they share it with, what entitles them to process the data (legitimate interests), what happens if your data is inaccurate and your rights under Data Protection Legislation and the EU’s General Data Protection Regulation.
|CCTV: We have a CCTV system installed to collect footage inside and outside the Credit union. You can see our clearly marked signage which sets out the purposes for the system. We use these for Security, Health and Safety and the Identification and Prevention of Fraud. These cameras are used given the fact that we handle cash on the premises, our ICT systems handle personal and confidential information and we have an obligation to protect the wellbeing of our staff and visitors to the premises. The footage is only held for 28 days unless need to investigate or deal with incidents that have been brought to the attention of management. Access to the CCTV images is carefully restricted within the Credit Union and only used for the stated purposes.
|Credit Union Updates: As the Union is owned by the members it is important to ensure that they are kept up to date with the products and/or services which are on offer. These may be communicated to the membership via post with the notice of the AGM or personal statements.|
To help us improve and measure the quality of our products and services we undertake market research from time to time. This may include using the Irish League of Credit Unions and/ specialist market research companies. See section on Your Marketing Preferences.
The Credit Union is involved with the Art competition in liaison with the ILCU. Upon entry you will be given further information and asked for your consent to the processing of personal data which may include your photograph. Your information is processed only where you have given this consent. Where the person providing consent is below 16* then we ask that the parent/legal guardian provides the appropriate consent. A separate privacy notice is included in all Art Competition entry forms.
The Credit Union is involved in the Schools Quiz in liaison with the ILCU. The Schools Quiz is open to entrants aged 4 to 13. Upon entry parent/legal guardians will be given further information and asked for their consent to the processing of their child’s personal data which may include a photograph. This information is processed only where consent has been given. Where the person providing consent is below 16* then we ask that the parent/legal guardian provide the appropriate consent. A separate privacy notice is included in all School Quiz entry forms.
|Social Media Marketing
From time to time we run competitions on social media such as on our twitter, facebook or instagram accounts. Winners are notified publicly through the platform. Winners will be asked for your consent to the publication of personal data elsewhere which may include your name and photograph. Your information is published only where you have given this consent. Entrants who are under 16* must have parent/legal guardian consent to enter social media competitions.
The Credit Union may wish to undertake direct marketing from time to time to inform members of services, products and special offers. This is only undertaken on the basis of freely given consent which can be withdrawn at any time. When gathering your consent, we will ask you to clearly indicate which, if any, means you would like us to communicate with you such as email, SMS, phone or post. If there should be any doubt whether consent has been given or is up to date, the Credit Union will assume no consent has been given. You can update your marketing preferences whenever you wish either on the website, in the Credit Union itself or by email. If we make a mistake and send you marketing when you have indicated you don’t want it, do let us know as soon as possible.
The Lough Credit Union Website:
Members are given access to a member-only area of the website which allow them to interact with all the services we offer to members.
1) Transient (or per-session) cookies
These only exist for the duration of your visit to a web site and are deleted when you leave.
They are sometimes necessary for the correct operation of our web site as you move between the different pages.
2) Persistent (or permanent) cookies
These cookies stay on your device until they expire after a pre-set length of time or are deleted. These cookies can be useful because such as when they store your login information so that you don’t have to enter your login information every time.
3) First and third party cookies
Additionally, cookies can be first or third party cookies. First party cookies are owned and created by the website you’re viewing- in this case by the Credit Union. Third party cookies are owned and created by an independent company, usually a company providing a service – such as Google Analytics.
What cookies do we use?
Irish legislation and the EU’s General Data Protection Regulation gives individuals significant rights over how their personal data is collected and used. A summary of these rights is set out below. Further information can be found on the website of the Data Protection Commissioner.
If you have any questions or queries please feel free to contact the Data Protection Officer in your Credit Union who is there to help answer your questions and make sure your data is processed carefully and correctly.
The Data Protection Officer can be contacted by email at firstname.lastname@example.org or by phoning 021 496 3384.
You always have the right to seek advice and support from the Data Protection Commissioner (DPC) and make a complaint where you believe we have breached your rights in the processing of your data.
**Please note that the above rights are not always absolute and there may be some limitations.
You are free to submit a Subject Access Request to the Credit Union free of charge and within 30 days the Data Protection Officer will provide you with copies of your personal data which the Credit Union process and supporting information such as the source of your data, retention periods and who your data has been share with, if anyone. There is no charge and such a request.