Data Protection Privacy Notice
As a member of Capital Credit Union, you share your information with us. This allows us to provide our products and services to you and in doing so we commit to protect your information. This Data Protection Notice provides you with information about Data Protection at Capital Credit Union.
What is Data Protection?
If you give your personal details to an organisation or individual, they have a duty to keep these details private and safe.
As the organisation who controls the contents and use of your personal details, Capital Credit Union (CCU) is the Data Controller. CCU has appointed a ‘Data Protection Officer’ (DPO), who is responsible for the protection of your rights in how we conduct our business and ensuring compliance with Data Protection laws and regulations.
On 25th May 2018 the General Data Protection Regulation (GDPR) came into effect. This sets out a series of new EU laws concerning how data is processed and used. The objective of the regulation is to strengthen and standardise data protection laws for all EU citizens.
These regulations apply to any organisation that controls and/or processes data on behalf of an individual or group of individuals. Those responsible for adhering to these regulations include employees of the organisation, including contractors, consultants, agents and third parties who have access to data either directly or indirectly.
Data Protection at Capital Credit Union
We always understand and appreciate the trust you place in us to collect, process and protect your personal information.
As the Data Controller and processor of your personal information, we have and will continue to:
− to act responsibility and give priority to the security of your information through a strong culture of compliance
− to provide you with the assurance that your information is safe and secure through how we manage our controls, processes and systems to improve our level of customer service; and
− conduct our business in a fair and transparent way and ensure we minimise the risk or impact on your data rights and freedoms.
Who is Capital Credit Union?
Capital Credit Union provides financial related services to our members. Our head office is in Dundrum and we have other offices in the South Dublin City area.
References in this notice to Capital Credit Union Limited (CCU) will also include “CCU” or “We” or “Us” or “Our”.
Data Protection Officer
To ensure that your rights are protected our Data Protection Officer oversees the collection, use, sharing and protection of your information. The Data Protection Officer may be contacted by e:mail at DPO@capitalcu.ie, by telephone on 01-2990400 or by writing to The Data Protection Officer, Capital Credit Union, Main Street, Dundrum, Dublin D14 PD79.
How we collect your information?
We collect personal information from you, when you:
− open an account
− lodge or withdraw monies
− apply for a loan
− apply to use our services or
− contact us.
We record all telephone calls, whether made by you or by us, and you will always be advised of this.
Information is also collected through market research, our website, apps, social media and the CCTV in our offices.
Our website uses ‘cookies’. This is technology that our website uses to place a small text record on your PC or mobile, when you visit our website. The cookie helps to provide a better experience for
When you apply for a loan with us, we verify your identity and collect information from you. During the loan application process, we may direct you to CRIF Realtime Ireland Limited (CRIF) who will collect bank statements from you on our behalf. CRIF’s Privacy Notice is available here. During the loan application process and for the period while you repay the loan we also conduct information searches with and provide information to third parties. The third parties include credit reference agencies, the Central Credit Register (www.centralcreditregister.ie/privacy/), CRIF
(https://neos.crif.com/widget/assets/documentation/capitalcu/Privacy_en-GB.pdf) and credit collection agencies. The third parties and CCU retain the information, whether the application is successful or not.
What information do we collect?
To open an account, conduct business with us and make loan applications we collect:
− Personal Information
− Personal Financial Information and
− Special Categories of Personal Data.
* Under GDPR ‘Sensitive Personal Information’ is known as ‘Special Categories of Personal Data’ and require additional safeguards for processing.
How do we use the information that we collect?
We use your personal information for the following purposes:
− Provide and maintain our products and services to you
− Find out how we can improve our products and services
− Assess loan applications
− Credit control
− Inform you how our products and services might help you and how you can avail of them
− Protect our interests and
− Meet our legal and regulatory obligations.
We need to collect and use your personal information to provide products and services to you under our terms and conditions. If you do not provide your personal information we may not be able to provide our products and services.
When you apply for a loan with us, we verify your identity. During the loan application process and for the period while you repay the loan we also conduct information searches with and provide information to third parties. The third parties include credit reference agencies, the Central Credit Register (www.centralcreditregister.ie/privacy/), CRIF Realtime Ireland Limited
(https://www.crif.com/privacy-policy/) and credit collection agencies. The third parties and CCU retain the information, whether the application is successful or not.
Information that we collect on how you use our products and services and from our website, apps and social media is analysed by us. This helps us to know how we engage with you, how you use our products and services, for marketing information and the protection from financial crime and fraud.
We analyse information and report trends including to third parties about loans applications, loan repayments, activity on our web-site and activity on mobile devices. Reports and trends have the
information anonymised; i.e. names and addresses are removed. Information that is shared in these reports does not include anything that would identify you or your account number.
We may use technology to help automate our decision making, for example for loan applications. All decisions are assessed by us using a combination of the technology, the personal information you provide to us, your information that we already hold and information from third parties.
All processing of your information must be supported by a lawful basis and in that context, we fully meet our legal and regulatory obligations.
Telephone calls are recorded for training and regulatory purposes.
We collected and record CCTV images in the public areas and accesses at our offices for security reasons and to help prevent fraud or crime.
We will notify you if we change the purpose for which we use your information.
What is the lawful basis to process your information?
To meet our legal and regulatory obligations we collect and retain your information by relying on one or more of the following bases:
− Your agreement and consent
− To create and maintain a contract
− A legal obligation
− Protect your vital interests and those of others
− In the public interest and
− Our legitimate interests.
What are our legal and regulatory obligations?
Under our regulatory and legal obligations, we collect, verify and keep up to date your personal information through regular checks. We delete it once we no longer have to keep it. We may also gather information about you from third parties to help us meet our obligations. To process a loan application we will supply your personal information to Credit Reference Agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness, check your identity, manage your account, trace and recover debts and prevent criminal activity.
Until such time as your loan is fully repaid we continue to exchange information about you with CRAs, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. Your data may also be linked to the data of your spouse or any joint loan applicants.
Financial institutions in Ireland are required, under legislation which incorporates into Irish law the US Foreign Account Tax Compliance Act (FATCA) and the Organisation for Economic Cooperation and Development (OECD) Common Reporting Standard (CRS), to seek answers to certain questions for purposes of identifying accounts that are reportable to Revenue for onward transmission to tax authorities in relevant jurisdictions.
Financial institutions in Ireland, including Capital Credit Union, are required to seek answers to questions regarding tax residency. If customers do not provide all of the information requested, we may not be able to proceed with opening the new account until the relevant information is provided and we may be obliged to include the account(s) details in the annual FATCA and CRS returns to Revenue.
The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services by us.
If you do not provide the information we need, or help us keep it up to date, we may not be able to provide you with our products and services.
Credit searches and references
When you apply for a loan we carry out information searches and verify your identity. We share your information with credit reference agencies, such as the Central Credit Register (CCR) and CRIF Realtime Ireland Ltd (CRIF).
When you enter into a credit agreement with us, this data is registered on the CCR database. Each month the CCR receives an update for each open account. This builds up a credit history which indicates how you are meeting the repayment terms of any credit agreements you may have.
When you apply for a loan, we may access CCR’s and CRIF’s databases to get your credit report. You may have loans from one or more credit providers and your credit report will include details of all registered loans, open and closed. Credit agreements are retained on the CCR’s and CRIF’s databases for six years after they are closed.
You may not have any credit history in the cases where you have not borrowed previously, or where any credit agreements have been concluded for more than six years.
Further information on the CCR and CRIF is available in their full notices on their websites www.centralcreditregister.ie and https://www.crif.ie/.
Sometimes we need your consent to use your personal information. If we use your sensitive personal information (or Special Categories of Personal Data as it is known in GDPR), such as medical or biometric data, we will ask for your explicit consent.
We will ensure that you are informed when making your decision and that you are aware that you can remove your consent at any time by contacting us.
We ensure your consent is obtained under the following principles:
− Positive Action – Clear affirmative action by you is required. We do not use pre-ticked boxes,
imply or assume consent if there is no positive action from you
− Free will – Your consent must be freely given and not influenced by external factors
− Specific – We will be clear on what exactly we are asking your consent for
− Recorded – We will keep a record of your consent and how we got it
− Can be withdrawn at any time – We will stop data processing that requires your consent at
any time you make a valid request. You can withdraw your consent at any time, however this may affect your ability to transact with us.
We need your consent to make you aware of products and services which may be of interest to you. We may do this by telephone, post, email, text or through other digital media.
When you become a member or apply for a loan, you can decide how much direct marketing you wish to receive.
We analyse information that we collect through your use of our products and services and on our social media, apps and websites, as part of our direct marketing. This helps us understand your financial behaviour, how we interact with you and our position in a market place. This helps us to provide you with the most suitable products and services.
You may opt out, if we contact you to ask about our products and services or how they can be improved.
Keeping your information safe and secure
We protect your information with security measures under the laws that apply. We keep our computers, files and buildings secure.
The collection, use, sharing, protection and deletion of your information is overseen by our Data Protection Officer. Our Data Protection Officer advises on how we can best understand risks to your data rights and freedoms, processes implemented to protect these and has responsibility to report to the Office of the Data Protection Commissioner if there is any breach of your data or our obligations.
When you contact us to ask about your information, we may ask you to identify yourself. This is to help us protect your information.
To meet our legal and regulatory obligations, we hold your information while you are a member and for a period of time after that. The table below will help you understand how long we hold some of your data for. We hold all data while you are an active member with us.
While these retention periods are our policy they are also subject to legal, regulatory and business requirements, which may require us to hold the information for a longer period. This includes meeting minimum retention standards for our Anti Money Laundering requirements. External authorities may also require us to retain data for longer than our policy. We must do this to protect
both of our interests.
We continuously assess and delete data to ensure it not held for longer than necessary.
Telephone call recordings are held for six years.
CCTV recordings are held for 28 days and are automatically deleted thereafter.
Sharing your information with third parties
Sometimes we share your information with third parties, in order to:
− provide products, services and information
− analyse information
− research your experiences dealing with us
− collect debts
− prevent financial crime
− protect both our interests.
The third parties we share information with can include:
− Credit reference agencies including the CRIF (http://www.crif.ie)
− Central Credit Register (https://www.centralcreditregister.ie)
− Fraud prevention agencies
− Company search databases
− Regulatory bodies including the Data Protection Commissioner and the Central Bank of Ireland
− Companies we have a joint venture or agreement to work with
− Insurance companies
− Government bodies including Revenue
− Cards/transaction processing banks
− Market research companies
− Debt collection agencies
− External consultancy firms including Legal, Accountancy, Compliance and other Professional Services
− Any entity you request your data to be shared with.
We have contracts with third parties who provide sufficient guarantees that the necessary safeguards and controls have been implemented to ensure protection of your personal information.
We also must share information with third parties to meet any applicable laws, regulations or to meet lawful requests. When we believe we have been given false or misleading information, or we suspect criminal activity we must record this and inform law enforcement agencies.
Transfers of personal information outside of the European Economic
We do not transfer your personal information outside of the European Economic Area (EEA). If at any time in the future, we transfer your personal information outside of the European Economic Area (EEA) will notify you and obtain your consent in advance.
We may transfer your personal information to the UK, under the Adequacy Decision between the EU and the UK agreed under Article 45 of GDPR.
Your rights for your personal information
If you wish to exercise your personal information rights, please contact the Data Protection Officer by e:mail at DPO@capitalcu.ie, by telephone on 01-2990400 or by writing to The Data Protection Officer, Capital Credit Union, Main Street, Dundrum, Dublin D14 PD79.
When you contact us to ask about your information, we may ask you to identify yourself. This is to help us protect your information.
You have the right to obtain information, however this right cannot affect the rights and freedoms of others. We cannot therefore provide information on or about other people without their consent.
We will provide your information without charge. As permitted under the regulations however, where information requests are manifestly unfounded or excessive, we may either charge a reasonable fee or refuse to act on the request.
Your rights are detailed more fully in the next section.
Access your personal information
You can request a copy of the personal information we hold and further details about how we collect, share and use your personal information.
You can request the following information:
− the information we hold on you
− the purposes of the processing
− the categories of personal data concerned
− the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
− where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
− where the personal data are not collected from you, any available information as to their source
− the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
Updating your personal information
You may update or correct any of your personal details. Please contact us at 01-2990400 or call to any of our offices.
Removing your consent
If you have given us consent in relation to the use of your personal information, you can change your mind and withdraw your consent. This could be for direct marketing or processing your sensitive (Special Categories of Personal Data) information, such as medical or biometric data. Please contact us at 01-2990400 or call to any of our offices.
Restricting and objecting to processing your personal information
You may have the right to restrict or object to us processing your personal information.
We will require your consent to further process this information once restricted. You can request restriction of processing where;
− The personal data is inaccurate and you request restriction while we verify the accuracy
− The processing of your personal data is unlawful
− You oppose the erasure of the data, requesting restriction of processing instead
− You require the data for the establishment, exercise or defence of legal claims but we no longer require the data for processing
− You disagree with the legitimate interest legal basis and processing is restricted until the legitimate basis is verified.
Deleting your personal information (your right to be forgotten)
You may ask us to delete your personal information or we may delete your personal information if:
− the personal data are no longer necessary in relation to the purposes for which they were collected or processed
− you withdraw your consent where there is no other legal ground for the processing
− you withdraw your consent for direct marketing purposes
− you withdraw your consent for processing a child’s data
− you object to automated decision making
− the personal data have been unlawfully processed
− the personal data have to be erased for compliance with a legal obligation.
Moving your personal information (your right to data portability)
If you request and where possible we can share a digital copy of your information directly with you or another organisation.
We will provide this information in a ‘structured, commonly used and machine-readable format’. We can only share this information where it has been processed automatically (hard copy documents are excluded for portability) and was processed under your consent or performance of a contract.
We do not share information processed under legal obligation or our legitimate interest for portability, this is in line with GDPR guidance.
Right to lodge a complaint with a ‘Supervisory Authority’
If you have a complaint about your personal information, please contact us on 01-2990400 or contact a member of staff in any of our offices. They will attempt to make any correction as quickly as possible.
You may also make a complaint to the Data Protection Officer, by e:mail at DPO@capitalcu.ie, by telephone on 01-2990400 or by writing to The Data Protection Officer, Capital Credit Union, Main Street, Dundrum, Dublin D14 PD79.
Any complaint you make to us will be investigated as fully as possible. Please provide as much information as you can to help us quickly resolve your complaint.
You may also contact the Office of the Data Protection Commissioner via their web-site www.dataprotection.ie, by e:mail at email@example.com or by post to Office of the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23.
Automated decision making
We may use technology to help us make decisions automatically. To help us make decisions that are efficient, quick, and fair based on the information provided, we use information provided directly by you, information we may hold about you and information from third parties.
For example, when you apply for credit with us we use different data sources to understand and assess your ability to repay the loan. This ensures responsible lending.
We use the information that is provided by you on the applications and information from third parties such as credit reference agencies.
The information we process for automated decisions include:
− Financial position
− Transaction history
− Employment details
− Discretionary spending
− Credit rating
− Your other loans, mortgages and products
− Bill repayments
Analysing this information helps us assess your ability to repay and meet the periodic loan payments. The automated decision is just one component of our overall decision-making process with regard to credit decisions.
Updates to this notice
From time to time we will update this notice if we change how we use your information, change our technology or change our products. The most up to date notice will always be on our web-site www.capitalcu.ie.
Glossary of terms used in this notice
This glossary will help you to understand the data protection terms in this notice.
Anonymisation: process of turning data into a form which does not identify individuals and where identification is not likely to take place. The data once anonymised will no longer be personal data. The intention of anonymisation is that the data is irreversibly changed.
Automated Data: Information on computer or information recorded with the intention of or the ability of putting it on a computer. It includes information in any electronic format.
Automated Decision-Making (ADM): when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual.
Automated Processing: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s economic situation.
Biometric Data: means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (finger print) data.
Consent: of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data: means individual facts, statistics, or items of information regarding an individual. Data can refer to automated data and manual data.
Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its nomination may be provided for by EU or Member State law.
Data Subject: means an identified or identifiable natural person (see Personal Data).
Data Processor: A Data Processor is a person who processes personal data on behalf of a
data controller but does not include an employee of a data controller who processes such
data in the course of his/her employment.
Data Protection Officer (DPO): the person required to be appointed in specific
circumstances under the regulations. The DPO oversees how we collect, use, share and
EEA: the 27 countries in the EU, and Iceland, Liechtenstein and Norway.
Explicit Consent: consent which requires a very clear and specific statement on the part of
the Data Subject.
General Data Protection Regulation (GDPR): the General Data Protection Regulation ((EU)
2016/679). Personal Data is subject to the legal safeguards specified in the GDPR.
Information and Records Management: the application of systematic policies and
procedures governing the creation, distribution, maintenance, management, use and
ultimate retention or disposal of records to achieve effective legal, economical, accountable,
transparent and efficient administration.
Lawful basis: the processing of data must be performed under a lawful basis. Personal data
may be processed:
− On the basis that the data subject has provided consent to do so
− On the basis that it is necessary in order to enter into or perform a contract
− On the basis that there is a legal obligation for the processing
− Where Capital Credit Union has a legitimate interest in processing the data
− In order to protect the vital interests of the data subject
− In the public interest.
Personal Data: means any information relating to an identified or identifiable natural
person (‘data subject’); an identifiable natural person is one who can be identified, directly
or indirectly, in particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing or Process: means any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by automated means, such as
collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction.
Records: documents in every format created and received by individuals or organisations in
the course of conduct of affairs and accumulated as evidence of these activities.
Relevant Filing System: Is any set of information that, while not computerised, is structured
by reference to individuals, or by reference to criteria relating to individuals, so that specific
information is accessible.
Special Categories of Personal Data: information revealing:
− Personal data revealing racial or ethnic origin
− Political opinions
− Religious or philosophical beliefs
− Trade union membership
− Genetic data and biometric data processed for the purpose of uniquely identifying a
− Data concerning health
− Data concerning a natural person’s sex life or sexual orientation.
Supervisory Authority: means the national independent authority responsible for upholding
the fundamental right of individuals in the EU to have their personal data protected. The
Office of the Data Protection Commissioner (ODPC) is the Irish supervisory authority for the
Data Protection Acts 1988 and 2003, the General Data Protection Regulation (GDPR). It also
has functions and powers related to the Irish ePrivacy Regulations (2011) and the EU Law