Information on data processing according to GDPR articles 13 and 14

Credit Union Plus hereby inform you about the processing of your personal data and the data protection claims and rights you are entitled to. The content and scope of the data processing are largely based on each of the products and services that you have requested or that have been agreed upon with you.

Who is responsible for data processing and who can you contact?

The entity responsible for data processing is:

Credit Union Plus, Kennedy Road, Navan, Co Meath

Telephone: 046-9021395, Email: info@creditunionplus.ie

The data protection officer at Credit Union Plus is: Darren Core

Telephone: 046-9021395, E-Mail: dpo@creditunionplus.ie

Which data is processed and where does this data originate from?

Credit Union Plus process the personal data that we receive from you as part of the business relationship. We also process data that we have legitimately received from publicly available sources. Personal data includes your personal details (name, address, contact details, date and place of birth, nationality, etc.), credentials (e.g. ID data), and authentication data (e.g. specimen signature). In addition, this may include order data (e.g. payment orders), data from the fulfilment of our contractual obligation (e.g. turnover data in payment transactions), information about your financial status (e.g. creditworthiness data, etc.), advertising and documentation data (e.g. consulting records), register data, image  data (e.g. video), information from your electronic communication to Credit Union Plus (e.g. cookies, etc.), processing results generated by Credit Union Plus itself as well as data for compliance with legal and regulatory requirements.

 

For what purposes and on what legal basis is the data processed?

We process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Data Protection Bill 2018. The specific details for the purpose of data is as follows:

For the fulfilment of contractual obligations (Art. 6 Paragraph 1b GDPR):

The processing of personal data (Art. 4 No. 2 GDPR) is carried out for the provision and arrangement of financial services and insurance and in particular for the execution of our contracts with you and the execution of your orders and all activities required for the operation and management of a credit and financial services institution. The purposes of data processing are based primarily on the specific product (e.g. credit lending, share savings, insurance etc.) and may include needs analyses, consulting, support, and the execution of transactions, among other things.

For the fulfilment of legal obligations (Art. 6 Paragraph 1c GDPR):

Processing of personal data may be necessary for the purpose of fulfilling various legal obligations (e.g.  Market-Money Laundering Act, etc.), as well as regulatory requirements (e.g. of the Central Bank, etc.), which Credit Union Plus is subject to as a regulated institution. Examples for such cases:  Reports to the Gardai and Revenue Commissioners in certain money laundering suspicion cases; and providing information to tax authorities in regards to DIRT deductions etc.

Within the scope of your consent (Art. 6 Paragraph 1a GDPR):

If you have granted us consent to process your personal data, processing will only take place in accordance with the purposes set out in the declaration of consent and to the extent agreed therein. Any consent given may be revoked at any time with future effect (for example, you may object to the processing of your personal data for marketing and promotional purposes if you no longer consent to processing in the future).

For the protection of legitimate interests (Art. 6 Paragraph 1f GDPR):

If necessary, within the framework of balancing of interests of Credit Union Plus or a third party, data may be processed, by us or by third parties, beyond the actual fulfilment of the contract, in order to safeguard legitimate interests. In the following cases, data is processed to safeguard legitimate interests:  Consultation of and data exchange with credit agencies (e.g. Irish Credit Bureau) for the identification of credit risks and default risks; Review and optimisation of needs analysis and direct member approach procedures; Advertising or market and opinion research, provided that you have not objected to the use of your data in accordance with Art. 21 GDPR; Video surveillance for collecting proof in case of offences or evidence of transactions and deposits (e.g. at counter and car-park); these especially serve to protect members of the credit union and Credit Union employees; Telephone records (e.g., in case of complaints). Other measures are:

Measures for business management and further development of services and products;

Measures for protecting credit union employees and members of the credit union and the property of the credit union;

Measures for fraud prevention and combating fraud (Fraud Transaction Monitoring).

 

Who receives my data?

Within Credit Union Plus, your data is received by those offices or credit union employees that need it for fulfilling contractual, legal and regulatory duties and for legitimate interests. Furthermore, the data processing companies (especially IT service provider and other back-office/outsourced service providers) commissioned by Credit Union Plus receive your data, as long as they need it for fulfilling their respective service. Accordingly, all the data processing companies are contractually obligated to keep your data confidential and to process it only in the context of service provision. The public authorities and institutions, (e.g., Central Bank, tax authorities, etc.), can also be recipients of your personal data, if there is a legal or regulatory obligation. In view of forwarding data to other third parties, we must point out that as a credit institution, Credit Union Plus is obligated to comply with data secrecy and therefore to maintain confidentiality regarding all the member related information and facts, which have been entrusted or made accessible to us because of the business relationship. Therefore, we can share your personal data only if you have explicitly released us from data secrecy in advance, in writing or if we have a legal or regulatory obligation or authorisation for it. In this context, recipients of personal data can be other credit and financial institutions or similar institutions to which we send the data in order to maintain the business relationship with you (depending on the contract this can be for example, correspondent banks etc.).

 

How long will my data be stored?

As far as it is necessary, we process your personal data for the duration of the entire business relationship (from the initiation, performance until the termination of a contract) and furthermore, we process it according to the legal safe-keeping and documentation obligations, which result from the Money Laundering Act and Central Bank Guidance etc.

 

Which protection rights do I have?

At any time, you have the right to obtain information regarding your data which is stored or to limit its processing or to correct, delete it, the right of objection against processing and the right to data portability according to the prerequisites of the GDPR. Complaints can be sent to the Data Protection Commission (info@dataprotection.ie.).

 

Am I obligated to provide data?

In the context of the business relationship, you must provide personal data which is necessary to establish and maintain the business relationship, as well as the information which we are legally required to collect. If you don’t provide this information to us, in principle we have to reject the conclusion of the contract or the performance of the order or we will not be able to fulfil an existing contract any longer and we must consequently terminate it. However, you are not obliged to grant consent for data processing regarding data that is not relevant or not required legally and/or in regulatory terms for fulfilling the contract.

 

Is there automatic decision making including profiling?

We do not use automated decision-making under Art. 22 to reach a decision on the establishment and conduct of the business. Credit assessments are undertaken by the Loan Underwriting team. The calculated assessment should make it possible to predict how likely it is that the credit that has been applied for will be repaid. To make this assessment, your master data (e.g., duration of employment, employer, etc.), information of your overall financial situation (e.g., income, assets, monthly expenses, total liabilities, security, etc.) and your payment history (e.g. proper loan repayments, warnings, information on credit service agencies) are used. If the default risk is too high, the credit application is rejected, if applicable, an entry is made in the Central Credit register.