Privacy Notice

St Agnes' Credit Union - Privacy Notice

A credit union is a member-owned financial cooperative, democratically controlled by its members, and operated for the purpose of promoting thrift, providing credit at competitive rates, and providing other financial services to its members. Data collection, processing and use are conducted solely for the purpose of carrying out the abovementioned objectives

Our contact details for queries relating to this Privacy Notice are:

Contact:         Data Protection Officer

Address:         St. Agnes Credit Union Ltd,

24 St. Agnes Road, Crumlin, Dublin 12.

Eircode D12 YK66

Phone: 01 455 5670

Email:              dpo@stagnescu.ie

St Agnes Credit Union Limited is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after your relationship with us.

This document is being provided to you in line with our obligations under the General Data Protection Regulations (GDPR) which came into force on the 25th May 2018. From that date, the GDPR, together with applicable Irish requirements, will amend existing data protection law and place enhanced accountability and transparency obligations on organisations when using your information.

Please take time to read this notice carefully. If you are under 16 years of age, please read this summary with a parent or guardian and ensure you understand it. If you have any questions about how we use your information please contact our Data Protection Officer at the details above.

Purpose of Data Collection, Processing or Use:

St Agnes Credit Union is a member-owned financial cooperative, democratically controlled by its members, and operated for the purpose of promoting thrift, providing credit at competitive rates, and providing other financial services to its members. Data collection, processing and use are conducted solely for the purpose of carrying out the above-mentioned objectives.

What personal data do we use?

We may collect, store, and use the following categories of personal information about you:

Your name, address, date of birth, gender, email, telephone financial data, status and history, transaction data; contract data, details of the credit union products you hold with us, signatures, identification documents, salary, occupation, source of wealth, source of funds, Politically Exposed Status, accommodation status, bank account details, mortgage details, previous addresses, spouse, partners, nominations, Tax Identification/PPSN numbers, passport details, driving licence details, tax residency, interactions with credit union staff and officers on the premises, by phone, or email, current or past complaints, CCTV images, information about you provided by others e.g. joint account applications/nominations

If you use our on-line app for a membership application, please be aware that automated processing of your personal data and image takes place for verification purposes.

Under GDPR Article 22 (1) you have the right to have your application processed manually at our office without automated processing.

Also, if you are unhappy with the outcome of an on-line application for membership, you have the rights of appeal and correction of adverse findings under GDPR Article. 22 (3).

We may also collect, store and use the following “special categories” of more sensitive personal information:

  • Information about your health, including any medical condition, health and sickness (See Insurance for further details)

Sometimes we may use your information even though you are not our member. For example, you may be a beneficiary, guarantor, director or representative of a member of ours or be a potential member applying for one of our products or services. We need all the categories of information in the list above to allow us to; identify you and contact you and in order that we perform our contract with you. We also need your personal identification data to enable us to comply with legal obligations. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you fail to provide personal information:

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you or we may be prevented from complying with our legal obligations.

Change of purpose:

You can be assured that we will only use your data for the purpose it was provided and in ways compatible with that stated purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

How we use particularly sensitive personal information:

” Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit written consent.
  • Where we need to carry out our legal obligations and in line with our data protection policy.
  • Where it is needed in the public interest, and in line with our data protection policy.

. If you apply for membership on-line using our app, we capture your image and process it using biometrics and artificial intelligence for identity verification purposes.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public. See Insurance for further details

Profiling:

We sometimes use systems to make decisions based on personal information we have (or are allowed to collect from others) about you. This information is used for loans assessment, provisioning and anti-money laundering purposes and compliance with our legal duties in that regard.

Data Retention Periods:

We will only retain your personal information for as long as necessary to fulfil the purpose(s) for which it was obtained, taking into account any legal/contractual obligation to keep it. We document the reasons for our retention periods and where possible the retention periods themselves in our Records Retention Policy. Once the retention period has expired, the respective data will be permanently deleted. Please see our retention periods below.

  • Accounting records required to be kept further to the Credit Union Act, 1997 (as amended) must be retained for not less than six years from the date to which it relates.
  • The money laundering provisions of Anti-Money Laundering legislation require that certain documents must be retained for a period of five years after the relationship with the member has ended.
  • We keep income tax records for a period of six years after completion of the transactions to which they relate.
  • Credit agreements are retained for contracts should be retained for six years from date of expiration or breach, and twelve years where the document is under seal.
  • Forms and records will be retained in individual member files for 6 years after the relationship with the member has ended
  • CCTV images recorded in the normal course of business (i.e., for security purposes) for one month.

Data transmission to third countries:

There are no plans for data transmission to third countries.

Our use and sharing of your information:

We collect and use relevant information about you, your transactions, your use of our products and services, and your relationships with us to allow us provide member services and to fulfil statutory requirements.

Fulfilling contract:

This basis is appropriate where the processing is necessary for us to manage your accounts and credit union services to you

Administrative Purposes:

We use the information provided by you, collected in on-line and paper forms or applications, for the purpose of assessing applications, processing applications you make and to maintaining and administering any accounts you have with the credit union.

Third parties:

We may appoint external third parties to undertake operational functions on our behalf. We will ensure that any information passed to third parties conducting operational functions on our behalf will do so with respect for the security of your data and will be protected in line with data protection law.

 

Irish League of Credit Unions (ILCU) Affiliation:

The ILCU (a trade and representative body for credit unions in Ireland and Northern Ireland) provides professional and business support services such as marketing and public affairs representation, monitoring, financial, compliance, risk, learning and development, and insurance services to affiliated credit unions. As this credit union is affiliated to the ILCU, the credit union must also operate in line with the ILCU Standard Rules (which members of the credit union are bound to the credit union by) and the League Rules (which the credit union is bound to the ILCU by). We may disclose information in your application or in respect of any account or transaction of yours from the date of your original membership to authorised officers or employees of the ILCU for the purpose of the ILCU providing these services to us.

The ILCU Savings Protection Scheme (SPS): We may disclose information in any application from you or in respect of any account or transaction of yours from the date of your original membership to authorised officers or employees of the ILCU for the purpose of the ILCU providing these services and fulfilling requirements under our affiliation to the ILCU, and the SPS.

Being affiliated to the ILCU we also have recourse to the following service:

CUSOP:

For the processing of electronic payments services on your account (such as credit transfers, standing orders and direct debits). CUSOP is a credit union owned, independent, not-for-profit company that provides an electronic payments service platform for the credit union movement in Ireland. CUSOP is an outsourced model engaging third party companies, such as a Partner Bank, to assist with the processing of payment data

The Privacy Notice of ILCU can be found at www.creditunion.ie

Insurance:

As part of our affiliation with the ILCU, we purchase insurance from ECCU Assurance DAC (ECCU), a life insurance company, wholly owned by the ILCU. This includes Life Savings (LS), Loan Protection (LP), and optional related riders (where applicable).

If you choose to take out a loan with us, it is a term of your membership, by virtue of our affiliation with the ILCU that the credit union will apply to ECCU for Loan Protection (LP). In order that we apply for LP it may be necessary to process ‘special category’ data, which includes information about your health. This information will be shared with ECCU to allow it deal with insurance underwriting, administration and claims on our behalf. If covered any outstanding sum will be repaid to the credit union by ECCU in the event of your death. In order that we apply for LP it may be necessary to process “special category” data, which includes data about your health. This information will be shared with ECCU to allow it deal with insurance underwriting, administration and claims on our behalf. Please refer to ECCUs Privacy Notice for further information.

Credit Assessment:

When assessing your application for a loan, the credit union will take a number of factors into account and will utilise personal data provided from:

  • Your application form or as part of your loan supporting documentation
  • Your existing credit union file,
  • Credit referencing agencies such as Central Credit Registrar (CCR)

St Agnes Credit Union then utilises this information to assess your loan application in line with the applicable legislation and the credit unions lending policy.

Customer Service:

We record your calls for quality control and error tracing. However, we do not record card or bank payment details given during calls.

Foreign Exchange:

If you use our foreign exchange services, we are required to share some of your personal data with our foreign exchange services provider FEXCO.

Legal Duty:

This basis is appropriate when we are processing personal data to comply with Irish or EU Law, GDPR Article 6. (1).

Tax liability:

We may share information and documentation with domestic and foreign tax authorities to establish your liability to tax in any jurisdiction. Where a member is tax resident in another jurisdiction the credit union has certain reporting obligations to Revenue under the Common Reporting Standard and the Foreign Accounts Tax Compliance Act. Revenue will then exchange this information with the jurisdiction of tax residence of the member. We shall not be responsible to you or any third party for any loss incurred as a result of us taking such actions.

From the 1st of January 2024 we will send cross-border payment transaction details to the Central Electronic System of Payment (CESOP) database.  This will include your PPS/VAT number and details of the payee who received the payment from you. The purpose of the CESOP is to assure the correct payment of VAT on cross-border transactions. This information may be accessed by tax administrations within the European Union. This data is required under EU directive 2020/284.

Under the “Return of Payments (Banks, Building Societies, Credit Unions and Savings Banks) Regulations 2008” credit unions are obliged to report details to the Revenue in respect of dividend or interest payments to members, which include PPSN where held.

Regulatory and statutory requirements:

To meet our duties to the Regulator, the Central Bank of Ireland, we may allow authorised people to see our records (which may include information about you) for reporting, compliance and auditing purposes. For the same reason, we will also hold the information about you when you are no longer a member. We may also share information with certain statutory bodies such as the Department of Finance, the Department of Social Protection and the Financial Services and Pensions Ombudsman Bureau of Ireland if required by law.

Compliance with our anti-money laundering and combating terrorist financing obligations:

The information provided by you in this membership application will be used for compliance with our customer due diligence and screening obligations under anti-money laundering and combating terrorist financing obligations under The Money Laundering provisions of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended by Part 2 of the Criminal Justice Act 2013 (“the Act”),

From the 27th of February 2023 the Central Bank of Ireland introduced the Ireland Safe Deposit and Payments Accounts Register (ISBAR). This requires us to send account and beneficial ownership details to ISBAR, which may be retrieved by the Garda, Revenue or Criminal Assets Bureau (CAB) during inquires.

This is required under EU Directive 2015/849, enacted in Ireland under S.I. 26/2022.

Audit:

To meet our legislative and regulatory duties to maintain audited financial accounts, we appoint an internal and external auditor. We will allow the internal and external auditor to see our records (which may include information about you) for these purposes.

Nominations:

The Credit Union Act 1997 as amended allows members to nominate a person(s) to receive a certain amount from their account on their death, subject to a statutory maximum. Where a member wishes to make a nomination, the credit union must record personal data of nominees in this event for this sole legitimate purpose.

Credit Reporting:

Where a loan is applied for in the sum of €2,000 or more, the credit union is obliged to make an enquiry of the Central Credit Register (CCR) in respect of the borrower. Where a loan is granted in the sum of €500 or more, the credit union is obliged to report both personal details and credit details of the borrower and any guarantors to the CCR.

Legitimate interest:

A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. If we rely on our legitimate interest, we will tell you what that is.  (GDPR Article 6 (1) f applies).

Credit Assessment and Credit Reference Agencies:

When assessing your application for a loan, as well as the information referred to above in credit assessment, the credit union also utilises credit data from credit referencing agencies such as the Central Credit Registrar [See legal duty]. Our legitimate interest: The credit union, for its own benefit and therefore the benefit of its members, must lend responsibly and will use your credit scoring information in order to determine your suitability for the loan applied for. When using the service of a credit referencing agency, we will pass them your personal details and details of your credit performance.

Connected/Related Borrowers:

We also process your address and Eircode to ensure that multiple loans do not overburden any household’s ability to repay.  This is a requirement of the Central Bank Act 1989 (Section 117) which applies to lending institutions. This system is provided to Credit Unions by a data processor, RW Pierce, who anonymise member’s data in the interest of privacy.

CCTV:

We have CCTV installed on the premises with clearly marked signage. The purpose of this is for security, for the prevention and detection of fraud and public safety. Our legitimate interest: With regard to the nature of our business, it is necessary to secure the premises, property herein and any staff /volunteers/members or visitors to the credit union.

Your Consent:

Marketing and Market Research:

To help us improve and measure the quality of our products and services we undertake market research from time to time. This may include using the Irish League of Credit Unions and/ specialist market research companies. See section on Your Marketing Preferences.

Art Competition:

This credit union is involved with the Art competition in liaison with the ILCU. Upon entry you will be given further information and asked for your consent to the processing of personal data. Your information is processed only where you have given consent. Consent may be granted on the membership application form. Where the person providing consent is below 16 then we ask that the parent/legal guardian provide the appropriate consent. A separate privacy notice is included in all Art Competition entry forms.

Schools Quiz:

This credit union is involved in the Schools Quiz in liaison with the ILCU. The School’s Quiz is open to entrants aged 4 to 13. Upon entry parent/legal guardians will be given further information and asked for their consent to the processing of their child’s personal data. This information is processed only where consent has been given. Where the person providing consent is below 16 then we ask that the parent/legal guardian provide the appropriate consent. A separate ILCU privacy notice is included in all School Quiz entry forms.

Your Rights in connection with your personal information are to:

  1. To find out whether we hold any of your personal data, you may submit a Subject Access Request. This will usually be processed within 28 days.
  2. Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you rectified.
  3. Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
  4. Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You can alter or withdraw your marketing preference at any time.
  5. Request the restriction of processing of your personal information. You can ask us to suspend processing personal information about you, in certain circumstances.
  6. Where we are processing your data based solely on your consent you have a right to withdraw that consent at any time and free of charge.
  7. Right of Portability: request that we: a) provide you with a copy of any relevant personal data in a reusable format; or b) request that we transfer your relevant personal data to another controller where it’s technically feasible to do so.
  8. Relevant personal data is personal data that: You have provided to us or which is generated by your use of our service. Which is processed and where the basis that we process it is on your consent or on a contract that you have entered into with us or our legitimate interest to protect members funds.

You have a right to complain to the Data Protection Commission (DPC) in respect of any processing of your personal data, contact details as follows:

Data Protection Commission

21 Fitzwilliam Square South

Dublin 2

Eircode: D02 RD28

Please note that the above rights are not always absolute and there may be some limitations.

You can exercise your rights (1 to 8 above) by contacting St Agnes Credit Union at dpo@stagnescu.ie

We need sight of your photograph identity to process rights requests. This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Ensuring our information is up to date and accurate: We want the service provided by us to meet your expectations at all times. Please help us by telling us straightaway if there are any changes to your personal information. If you wish to avail of any of these rights, please contact us at our contact details above

Updates: We will update our Privacy Notice from time to time. Our latest notice is always on our website.

Updated 08.10.2024