Data Privacy Notice for East Coast Credit Union Limited

September 2024

This privacy notice explains how East Coast Credit Union, (the “Credit Union”, “we”, “us” and “our”) use your personal information.

Please take the time to read this notice carefully. If you are under 16 years of age, please read this notice with a parent or guardian to ensure you understand it fully

Introduction

We are committed to protecting your privacy. This Privacy Notice (together with our website terms and conditions, Cookie’s privacy notice and Member Onboarding privacy notice) set out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Details how we collect, use, disclose, transfer, and store your personal information.

We reserve the right to amend this Privacy Notice from time to time without prior notice. You are advised to check our website www.eastcoastcu.ie or our branch noticeboard regularly for any amendments. Such amendments will not be made retrospectively.

If you are providing personal information on behalf of a third party, you must ensure that the third party receives a copy of this privacy notice before their personal information is shared with us.

Data protection has always been a priority for us and a core part of our business is keeping the data you entrust to us secure. We will always comply with the General Data Protection Regulation ("GDPR") when dealing with your personal data. Further details on the GDPR can be found at Office of the Data Protection Commissions website www.dataprotection.ie. For the purposes of the GDPR, we will be the “controller” of all personal data which we hold about you.

Controller – East Coast Credit Unions Contact Details

AddressEast Coast Credit Union Limited, Main Street Bray, Co Wicklow
PhoneBray Branch - 01 2862624Wicklow Branch - 0404 69 380
Emailinfo@eastcoastcu.ie
Websitewww.eastcoastcu.ie

Data Protection Officer Contact Details

Phone01 2862624
EmailDPO@eastcoastcu.ie

Is providing your personal information obligatory?

We are unable to enter or administer the relationship with you without some personal information about you. In cases where providing your personal information is optional, we will make this clear. It is not mandatory that our members sign up to receive marketing communications.

Updates to your personal information

If any of the personal information you have given to us should change, such as your contact details, please inform us without delay. Similarly, if we have collected personal information about you that you consider to be inaccurate, please inform us as soon as possible.

Why do we collect and use your personal information?

We gather and process your personal information for a variety of reasons and rely on several different legal bases to use that information, for example, we use your personal information to process your membership application, to help administer your products and services, to ensure we provide you with the best service possible, to prevent unauthorised access to your account and to meet our legal and regulatory obligations.

1. To comply with a legal obligation

We are required to process your personal information to comply with certain legal and other obligations, for example:

  1. to report and respond to queries raised by regulatory authorities, law enforcement and other government agencies such as the Central Bank of Ireland and An Garda Siochana.
  2. to comply with tax regulations that require us to report the tax status of our members.
  3. to verify the personal information provided to us and meet our legal and compliance obligations, including to prevent money laundering, tax avoidance, financing of terrorism and fraud.
  4. to perform credit checks in the event you apply for a loan/overdraft and to supply information to the Central Credit Register and to use the Central Credit Register when considering loan / overdraft applications to determine your borrowing options and repayment capacity and/ or facilitate other lending institutions to carry out similar checks.
  5. to cooperate and provide information requested in the context of legal and/or regulatory investigations or proceedings.
  6. to keep records of communications and member account activities.
  7. to maintain a register of members of the Credit Union.
  8. to administer our internal operational requirements (including credit, compliance and risk management, system development, staff training, accounting and for audit purposes).
  9. to communicate with you through certain mandatory service communications such as providing notice of the AGM; and
  10. to undertake systems testing, maintenance and development and to ensure network and information security

2. To enter and perform a contract with you for the services or products which you require

To consider your application for membership of the Credit Union and to process any product/service applications which you may make, we must gather some personal information. To administer and manage any account you have with the Credit Union; we must process your personal information. Examples of processing include the administration of accounts, payments, deposits, lending, credit decisions. As part of this process, we may be required to pass some personal information to an intermediary or counterparty (e.g., if you perform a payment transaction, we pass information on the progress of the transaction to the payee concerned).

  • Carry our credit reviews, to search form details of your credit history and information at credit bureaus/agencies, including the Central Credit Register. Where we make these searches, agencies may keep a record of the search.
  • Recover debts you may owe us
  • Manage and respond to a complaint or appeal

3. To enable the Credit Union to function as a business

In certain circumstances, we process your personal information based on the legitimate interests of the Credit Union. In doing so, we ensure that the impact of the processing on your privacy is minimised and that there is a fair balance between the legitimate interests of the Credit Union and your privacy rights. If you disagree with your information being processed in this manner, you are entitled to exercise your right to object.

Examples of situations in which your personal information is processed based on our legitimate interests, include:

  1. to collect due and outstanding debt which may involve passing your personal information to debt collection agencies.
  2. to keep records of communications, including telephone lines, if required to evidence what has been discussed and keep a record of your instructions and to prevent or detect crime.
  3. to perform research and analysis aimed at improving our products, services, and technologies.
  4. to establish, exercise and safeguard our rights, including where necessary to take enforcement action and to respond to claims made against the Credit Union.

4. Where you have provided consent

We use your personal information to make you aware of products and services which may be of interest to you where you have consented to us doing so and in accordance with your preferences. You can at any time withdraw that consent using the contact details below. If you apply for a loan, we may collect and process information on your health. You will be asked for your consent to process this type of personal information.

Sometimes we need your consent to use your personal information. If we use your sensitive personal information (or Special Category information as it is known in GDPR), such as medical or biometric data, we will ask for your explicit consent.

5. If we issue you a debit card

Transact Payments Malta Limited (which is an authorised e-money institution) will also be a controller of your personal data. For you to understand what they do with your personal data, and how to exercise your rights in respect of their processing of your personal data, you should review their Privacy Policy which is available here https://currentaccount.ie/files/tpl-privacypolicy.pdf

6. When you apply for a loan

When you apply for a loan, we carry out information searches and verify your identity. We share your information with credit reference agencies, such as the Central Credit Register (CCR). When you enter into a credit agreement with us, this data is registered on the CCR database. Each month the CCR receive an update for each open account. This builds up a credit history which indicates how you are meeting the repayment terms of any credit agreements you may have.

When you apply for a loan, we may access the CCR’s databases to get your credit report. You may have loans from one or more credit providers and your credit report will include details of all registered loans, open and closed. Credit agreements are retained on the CCR’s databases for five years after they are closed.

You may not have any credit history in the cases where you have not borrowed previously, or where any credit agreements have been concluded for more than 5 years.

Further information on the CCR is available in their full notices on www.centralcreditregister.ie.

7. If you consent to use our loan assessment tool

True Layer (which is a global open banking platform) will also be a controller of your personal data. For you to understand what they do with your personal data, and how to exercise your rights in respect of their processing of your personal data, you should review their Privacy Policy which is available here https://truelayer.com/en-ie/legal/privacy/

What personal information do we collect about you?

The information we hold about you can vary depending on the products and services you use. This includes personal information which you give to us when you are applying for membership or applying for a product or service, personal information we collect automatically, for instance, your IP address and the date and time you accessed our services when you visit our website [or app], and personal information we receive from other sources like credit referencing agencies. The personal information we collect about you may include:

  1. Full name, current home address, previous addresses, date of birth, place of birth, phone number and email address.
  2. Identification documents, passport details, driving licence details, nationality and tax identification number, politically exposed status, proof of your address.
  3. Parent / Guardian details for minor accounts
  4. Information obtained from third parties such as credit reference agencies or business information providers.
  5. Details of employment status and occupation; details of income, source of wealth and source of funds.
  6. Educational information,
  7. Information about your family, and social circumstances such as dependants, marital status, nominee
  8. Information that we gather from publicly available sources such as biographies held on the Internet.
  9. Recordings of calls between you and employees of the Credit Union.
  10. Emails between you and employees of the Credit Union.
  11. Records of current and past complaints / incidents
  12. Closed-circuit television may be used in and around our premises for the purposes of security, preventing crime, health, and safety – therefore we may have images of you captured by our CCTV cameras.
  13. Information relating to member transactions (such as dates, history, amounts, currencies, payer, and payee details).
  14. Financial Information, bank statements, revenue documents, household bills.
  15. Information we learn about you from the way you operate our products and services and use our website and
  16. Details and photos of competition winners

How is the personal information collected?

We collect personal information from several sources, including:

  1. information we receive directly from you or from a person acting on your behalf.
  2. information we obtain from third parties such as credit reference, debt recovery or fraud prevention agencies, which may have originated from publicly accessible sources.
  3. information that we gather from publicly available sources such as the Internet

Cookies

We may obtain information about your general Internet usage by using a cookie file which is stored on your browser or the hard drive of your computer. Cookies are small pieces of information, stored in simple text files, placed on your computer by a website. Cookies can be read by the website on your subsequent visits so that you can access information in a faster and more efficient way. The information stored in a cookie may relate to your browsing habits on the web page, or a unique identification number so that the website can "remember" you on your return visit. Cookies do not contain personal data from which you can be identified, unless you have separately furnished such information to the website. Some of the cookies we use are essential for the website to operate.

Our website uses external scripts and cookies from third parties to enhance your browsing experience, to create a secure and effective website for our customers and to provide advertising we think may be of interest to you.

We will only use third party scripts and cookies with your explicit permission which you can grant by clicking “Accept”. You may withdraw your permission at any time via the Help / Cookie Settings menu item. You can also disable or delete cookies via your browser settings. For more information on how to manage cookies, including how to disable cookies please visit: www.aboutcookies.org .

How do we use personal information for direct marketing?

From time to time, we would like to make you aware of other products and services that we offer which may be of interest to you. We can do this by using some of the personal information we hold about you. You have a right not to receive such information. You can make changes to your marketing preferences at any time by contacting us at the address below.

How does the Credit Union make use of Automated Decision Making?

We sometimes use automated decision making to enable us to deliver decisions within a shorter time frame and to improve the efficiency of our processes. An example of where we use automated decision making is as part of our credit decision process, which involves assessing your application for credit, taking account of your current circumstances, and evaluating your ability to meet the required repayments. The decision process considers different types of information, for example: information you have provided in your application such as the amount requested, the repayment period, your income, employment details, credit history with credit reference agencies such as the Central Credit Register and details of other credit facilities you may have such as loans, overdrafts, credit cards, etc. The Credit Union uses this information to apply internal credit assessment rules in a consistent manner. This ensures that your application for credit is treated fairly, efficiently, and that we believe you can afford the required repayments. We review the automated credit decision making process on an ongoing basis to ensure that it remains fair, efficient, and unbiased to better serve our members.

Who do we share your personal information with?

We sometimes share your personal information with trusted third parties who perform important functions for us based on our instructions and applying appropriate confidentiality and security measures. For example, we may share your personal information with the following third parties:

  1. our legal and professional advisers such as auditors and external legal counsel.
  2. trade / representative bodies.
  3. any sub-contractors, agents or service providers engaged by the Credit Union (including their employees, directors, and officers), such as back up and server hosting providers, IT software and maintenance providers, document storage providers and suppliers of other back-office functions.
  4. credit reference, debt recovery or fraud prevention agencies.
  5. payment recipients and other financial institutions
  6. Your authorised representatives, these include, attorney (under a Power of Attorney) and any other party authorised by you to receive your personal data.
  7. Guarantors
  8. Third parties we need to share your information within order to facilitate payments, you have requested.
  9. If you use our electronic payment services to transfer money into or out of your credit union account or make payments through with your debit card into your credit union account, we are required to share your personal data with our electronic payment service provider Intesa San Paolo and Global Payments

We may also share your personal information with any third parties to whom you have instructed us to share your information with.

We are required to cooperate by law or otherwise through a legal process with Irish and EU regulatory and enforcement bodies such as the Central Bank of Ireland, An Garda Siochana, the courts, fraud prevention agencies or other bodies. We are also required to report personal and account information to Irish Revenue for interest reporting, CRS and FATCA purposes.

We may disclose personal information relating to our members to any third party in the event of a transfer or merger (or potential transfer or merger) of the Credit Union.

The people and organisations that we may share your personal information with may be in a country that does not have data protection laws which provide the same level of protection as the laws in Ireland. Some countries already have adequate protection for personal information under their applicable laws. In other countries safeguards will be applied to maintain the same level of protection as the country in which the products and services are supplied. These safeguards may be contractual agreements with the overseas recipient or it may require the recipient to subscribe to international data protection frameworks.

For more information about the European Commission’s decisions on the adequacy of the protection of personal information in countries outside the EEA, please visit:

https://ec.europa.eu/info/law/law-topic/data-protection_en

How long do we keep your personal information?

We need to keep your personal information for as long as necessary to fulfil the purposes for which it was collected (as described above). Even when you close your account with us, we must retain some of your personal information to comply with legal and regulatory requirements and in case of claims. We will also keep some of it in case of queries from you. The criteria we use to determine data retention periods for your personal information includes the following:

  1. Retention in case of queries. We will retain some of it in case of queries from you (for instance, if you apply for a product or service and if that is unsuccessful).
  2. Retention in case of claims. We will retain some of it for the period in which you might legally bring claims against us; and
  3. Retention in accordance with legal and regulatory requirements. We will retain some of it after our agreement with you has come to an end, based on our legal and regulatory requirements.

Examples of Retention Periods

Accounting records7-year retention for financial records under the Finance Acts.
AML documentationThe money laundering provisions of anti-money laundering legislation require that certain documents must be retained for a period of five years after the relationship with the member has ended.
CCTV footageWhich is used in the normal course of business (i.e., for security purposes and health and safety), this is retained for 30 days
Telephone recordingsWhich is used in the normal course of business (i.e. training and verification), these are retained for 6 months
Credit agreementsThese are contracts and as such the credit union retains them for six years from date of final repayment.
Loan applicationsForm part of your credit agreement and as such we retain them for six years form the date of final repayment.

Your rights under Data Protection law

Providing and holding personal information comes with significant rights on your part and significant obligations on ours. You have several rights in relation to how we use your information. If you make your request electronically, we will, where possible, provide the relevant information electronically unless you ask us otherwise:

1. The right to be informed

To know how your data is processed, stored, deleted, and transferred

2. The right to access information

To access your information and to receive copies of the information we have about you. Under the new data protection regulations, we are obliged to respond to your access request without undue delay. In most instances, we will respond within 30 Days. If we are unable to deal with your request fully within 30 Days (due to the complexity or number of requests), we may extend this period by a further two calendar months. Should this be necessary, we will explain the reasons why. If you make your request electronically, we will, where possible, provide the relevant information electronically unless you ask us otherwise.

3. The right to rectification

Request that inaccurate information is corrected and incomplete information updated.

4. The right to be forgotten

Request that your data is erased if one of the following grounds applies: it's no longer necessary in relation to the purpose for which it was collected, your consent was withdrawn, you object to processing or the processing is unlawful.

5. Right to data portability

Obtain a transferable copy of certain data to which can be transferred to another provider, known as "the right to data portability".

This right applies where personal information is being processed based on consent or for performance of a contract and the processing is carried out by automated means. You are not able to obtain through the data portability right all the personal information that you can obtain through the right of access.

The right also permits the transfer of data directly to another provider where technically feasible. Therefore, depending on the technology involved, we may not be able to receive personal data transferred to us and we will not be responsible for the accuracy of same.

6. The right to object to the processing of personal data

Object to use of your personal data for direct marketing purposes. If you object to this use, we will stop using your data for direct marketing purposes.

Withdraw consent at any time, where any processing is based on consent. If you withdraw your consent, it will not affect the lawfulness of processing based on your consent before its withdrawal.

7. The right of restriction

Have your data deleted or its use restricted - you have a right to this under certain circumstances. For example, where you withdraw consent, you gave us previously and there is

no other legal basis for us to retain it, or where you object to our use of your personal information for legitimate business interests.

8. The right not to be subject to automated decision making, including profiling

Object to uses of your personal data where the legal basis for our use of your data is our legitimate business interests (for example, profiling we carry out for our legitimate business interests) or the performance of a task in the public interest. However, doing so may have an impact on the services and products we can / are willing to provide.

Please note that the above rights are not always absolute, and there may be some limitations

If you want access and/ or copies of any of your personal data or if you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we send you or a third party a copy your relevant personal data in a reusable format, if you have any questions about how your personal data is gathered, stored, shared or used, or if you wish to exercise any of your data rights, please contact our Data Protection Officer at:

Data Protection Officer Contact Details

PhoneBray Branch - 01 2862624 | Wicklow Branch - 0404 69 380
EmailDPO@eastcoastcu.ie

Under Article 77 of the GDPR, you have the right to lodge a complaint with the Data Protection Commission or another supervisory authority if you consider that processing of your personal data is contrary to the GDPR.

Data Protection Commission Contact Details

Postal AddressData Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28
Websitewww.dataprotection.ie
Phone(01) 765 0100 or 1800 437 737
Emailinfo@dataprotection.ie

Where do I get more information?

If you have any questions about GDPR or your personal information, please contact DPO@eastcoastcu.ie

Further details on the GDPR can be found at Office of the Data Protection Commissioner's website www.dataprotection.ie

We reserve the right to amend this Privacy Notice from time to time without prior notice. You are advised to check our website www.eastcoastcu.ie or our branch regularly for any amendments

Data Privacy Notice Member Onboarding 2024