This statement outlines what we do with the personal information you provide to us, why we gather it and what it means to you. If you are under 16 years of age, please read this summary with a parent or guardian and ensure you understand it. This statement outlines our approach to Data Privacy to fulfil our obligations under the General Data Protection Regulation (2018)

Table of Contents

Privacy Statement    

1. The data we collect about you    

2. When and how we collect information about you    

3. How we use your information

4. How long we hold your information

5. Who we share your information with

6. Implications of not providing information

7. The legal basis for using your information

8. Processing your information outside of the EEA

9. How to exercise your information rights (including the right to object)

10. How to contact us for contact preferences updates and/or our Data Protection Officer

11. Changes to this statement

1.     The information we collect about you

There are a number of reasons for gathering information about you. For instance, we need to know how to get in touch with you, we need to be certain of your identity and we need to understand your financial circumstances, so we can offer you products and services and provide you with the best possible member experience. The information we collect falls into several categories:

1.1 Identity & Contact Information

Name, date of birth, copies of ID, contact details, PPS number (or tax identification number), online user identities, security details to protect identity, nationality, home status and address, email address, work and personal phone numbers, marital status, family details, tax residency and tax related information.

1.2 Financial details/circumstances

Income details, Bank account details, personal guarantees provided, application processing and administration records, your employment status and employment details of your partner, credit history, credit assessment records, credit data from credit registers, credit agency performance data, life assurance, pension and investment details, transaction details, contact outcomes, authorised signatories details, information relating to nominations, information relating to power of attorney arrangements.

1.3 Marital status and/or financial associations

If you are married or are financially linked to another person in the context of a product or service, a financial association may be created between data information, including any previous and subsequent names used by you (for example, marital name or maiden name or if you apply jointly or one is guaranteeing the debts of another or assessment of joint household income maybe required to satisfy lending criteria). This means that we may treat your financial affairs as affecting each other. These links will remain on your and their files until you or they break that link. We may make searches on all joint loan applicants, and evidence of that search will be retained on applicant's records.

1.4 Information you provide us about others or others provide us about you.

If you give us information about someone else (for example, information about a spouse or financial associate provided during the course of an application).  If someone gives us information about you, we may add it to any personal information we already hold and use it in the ways described in this Data Privacy Statement. Before you disclose information to us about another person, you should be sure that you have their consent to do so. You should also show them this Data Privacy Statement. You need to ensure they confirm that they know you are sharing their personal information with us for the purposes described in this Data Privacy Statement.

1.5 Sensitive categories of data

We may hold information about you which includes sensitive personal data, such as health or criminal conviction information. We will only hold this data when we need to for the purposes of the product or services we provide to you or where we have a legal obligation to do so. Examples of when we use this type of data include:

-          Medical information, for example, where you are seeking a forbearance arrangement.

-          If you have criminal convictions, we may process this information in the context of compliance with our anti-money laundering obligations

1.6 Information which you have consented to us using:

a)       Your agreement to allow us to contact you through certain channels to offer you relevant products and services.

b)      Information from online activities:

-          We collect information about your internet activity using technology known as cookies, which can often be controlled through internet browsers.

-          We collect website activity information such as: click-throughs and number of page visits. The purpose of this collection is solely to increase website visits and we do not hold any personal data.

-          We collect information about your internet browser settings or otherwise Internet Protocol (IP) and other relevant information to help us identify your geographic location when providing you with our services.

1.7 Other personal information:

         Image recordings

-          CCTV images at our branch (but only for security reasons and to help prevent fraud or crime).

-          Information in relation to data access, correction, restriction, deletion, porting requests and complaints.

1.8 Sometimes we may collect and use your information even though you are not a member of ours

For example, you may be a beneficiary, guarantor, director or representative of one of our members, or you may be in the process of making an application for an esccu product or service. In other cases, your own circumstances may have a material impact on the ability of our member to perform their obligations to us, and we will need to consider these. If so, we will apply the principles outlined in this Data Privacy Statement when dealing with your information.

2. When and how we collect information about you

As you use our services, apply for products, make enquiries and engage with us, information is gathered about you. We may also collect information about you from other people and other parties, for example, from credit reference agencies and from sources where you have chosen to make your information publicly available, such as social media.

When we collect information about you:

-  When you ask us to provide you with certain products and services. For example, loan product requires that we collect relevant health information from you.

-  When you use our website and online services provided by us (including mobile applications) and visit our office or when esccu is onsite in your office.

-  When you or others give us information verbally or in writing. This information may be on application forms, in records of your transactions with us or if you make a complaint.

-  When you use our products or services, including making transactions on your account, we gather details about who you get money from, who you pay money to, how much the payments are for and when the payments are made

-  From information publicly available about you - for example, online forums, websites, Facebook, Twitter, YouTube or other social media. When you make information about yourself publicly available on your social media accounts or where you choose to make information available to us through your social media account (example engaging with esccu through social media for the purpose of research or competition entries and general queries), and where it is appropriate for us to use it, this information can help enable us to do things like (1) improve our service (for example, identifying common service issues), (2) personalise your online experience with us, (3) contact you through the social media services, and (4) enable you to share your experience and content via social media services. For a description on how social media services and other third-party platforms, plug-ins, integrations or applications use your information, please refer to their respective privacy policies and terms of use, which may permit you to modify your privacy settings.

-  From your online activities with third parties where you have given us your consent (for example, by consenting to our use of certain cookies or other location tracking technologies).

-  From credit reference agencies, credit registration agencies, fraud prevention agencies or public agencies such as property registration authorities, the Companies Registration Office, Judgement Registries or Insolvency Service of Ireland Registers of Certificates or Arrangements

Please note: If you apply for or hold a financial product in joint names, you should only give personal information about someone else (for example, a joint applicant, guarantor or dependant) with their consent.

3. How we use your information

Whether we're using it to confirm your identity, to help in the processing of an application for a product or service or to improve your experiences with us, your information is always handled with care and the principles outlined in this Data Privacy Statement are always applied.

We use your information:

3.1 To provide our products and services to you, and to fulfil our contract with you to:

-          Establish your eligibility for our products and services.

-          Manage and administer your accounts, policies, benefits or other products and services that we may provide you with.

-          Process your applications for credit or financial services.

-          Carry out credit reviews and to search for details of your credit history and information at credit bureaus/agencies, including the Central Credit Register. Where we make these searches, agencies may keep a record of the search.

-          Process payments that are paid to you or by you. For example, if you hold a debit card with us, we will share transaction details with our card scheme providers.

-          Contact you by post, phone, text message, email, social media, fax, using our online banking website or other means, but not in a way contrary to your instructions to us or contrary to law.

-          Recover debts you may owe us.

-          Manage and respond to a complaint or appeal.

3.2 To manage our business for our legitimate interests in order to:

a)      Carry out credit scoring, credit management including collecting and enforcing debts and arrears:

-          Tell credit reference and credit registration agencies about your dealings with us including details of your credit facilities and your credit history with us. We may also search the Central Credit Register where permitted but not obliged to do so.

-          Engage agencies to trace you (for example, where the address you have provided is no longer accurate and esccu needs to provide you with legal documentation).

b)      Conduct marketing activities

For example, running competitions, promotions and direct marketing (provided that you have given us consent to do so), and research, including member surveys, analytics and related activities.

c)       To run our business on a day to day basis including to:

-          Carry out strategic planning and business portfolio management.

-          Compile and process your information for audit, statistical or research purposes (including, in some instances, making your data anonymous) in order to help us understand trends in our member behaviour and to understand our risks better, including for providing management information, operational and data risk management.

-          Protect our business, reputation, resources and equipment, manage network and information security (for example, developing, testing and auditing our website and other systems, dealing with accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services) and prevent and detect fraud, dishonesty and other crimes (for example, to prevent someone trying to steal your identity), including using CCTV at our premises.

-          Manage and administer our legal and compliance affairs, including complying with our legal obligations, compliance with regulatory guidance and voluntary codes of practice to which we have committed.

-          Enable us to share or access your information for internal administrative purposes, audit, prudential, statistical or research purposes (including making your data anonymous) to help us understand trends in member behaviour, for helping us to understand our risks better and for the purposes set out in this Data Privacy Statement (but not for the purposes of direct marketing where you have objected to this).

d)      To enter into a merger agreement:

esccu may in the future wish to enter into a merger with another credit union. If so, we may disclose your personal information under strict duties of confidentiality to a merger partner and their advisers, so long as they agree to keep it confidential and to use it only to consider the possible transaction. If the transaction goes ahead, the transferee or merger partner may use or disclose your personal information in the same way as set out in this Data Privacy Statement.

e)      To comply with our legal and regulatory obligations

We need to use your information to comply with legal and regulatory obligations including:

-          Complying with your information rights.

-          Providing you with statutory and regulatory information and statements.

-          Establishing your identity, residence and tax status in order to comply with law and regulation concerning taxation and the prevention of money laundering, fraud and terrorist financing

-          We are required by law to screen applications that are made to us to ensure we are complying with the international fight against terrorism and other criminal activities. As a result, we may need to disclose information to government and other statutory bodies.

-          Preparing returns to regulators and relevant authorities including preparing income tax, capital gains tax, capital acquisition tax and other revenue returns.

-          Reporting to and, where relevant, conducting searches on the Central Credit Register and other industry registers.

-          Complying with binding requests from regulatory bodies, including the Central Bank of Ireland.

-          Complying with binding production orders or search warrants, and orders relating to requests for mutual legal assistance in criminal matters received from An Garda Siochana or from foreign law enforcement agencies/prosecutors. For other reasons where a statutory reason exists we do so, including use of your Personal Public Service (PPS) number (or foreign equivalent).

-          Complying with court orders arising in civil or criminal proceedings.

-          Performing a task carried out in the public interest.

f)        Where you have given us permission (which you may withdraw at any time) we may:

-          Send electronic messages to you about product and service offers from us.

-          Use cookies

-          Use special categories of data, or sensitive data.

-          Use information you have made public and combine with this with the activities outlined above.

4.     How long we hold your information

The length of time we hold your data depends on a number of factors, such as regulatory rules and the type of financial product we have provided to you.

Those factors include:

-          The regulatory rules contained in laws and regulations or set by authorities like the Central Bank of Ireland, for example, in the Criminal Justice Act 2010

-          The type of financial product we have provided to you. For example, we may keep data relating to a loan product for a longer period compared to data regarding a single payment transaction.

-          Whether you and us are in a legal or some other type of dispute with another person or each other.

-          The type of data we hold about you.

-          Whether you or a regulatory authority asks us to keep it for a valid reason.

As a general rule, we keep your information for a specified period after the date on which a

transaction has completed or you cease to be a member. In most cases this period is six years.

5.     Who we share your information with

We only share your information with a select number of individuals and companies, and only as

necessary. Sharing can occur in the following circumstances and/or with the following persons:

a)      Your authorised representatives:

These include your Solicitor, attorney (under a Power of Attorney) and any other party authorised by you to receive your personal data.

b)      Third parties we need to share your information with in order to facilitate payments you have requested (for example, correspondent banks) and those you ask us to share your information with.

c)       When you open or use a joint account or product. 

If you open or hold a joint account or joint loan product, this will mean that your personal data will be shared with your co-applicant. For example, transactions made by you will be seen by your co-account holder, and you will see their transactions.

d)      Companies that provide support services for the purposes of protecting our legitimate interests.

-          Your personal information remains protected when our service providers use it. We only permit service providers to use your information in accordance with our instructions, and we ensure that they have appropriate measures in place to protect your information.

-          Our service providers include marketing and market research companies, analytics companies, investment companies, IT and telecommunication service providers, software development contractors, data processors, , computer maintenance contractors, printing companies, property contractors, document storage and destruction companies, archiving services suppliers, debt collection agencies, budgeting and advice agencies, tracing agencies, receivers, liquidators, examiners, official Assignee for Bankruptcy and equivalent in other jurisdictions, auditors, including legal advisors.

e)      We may also share information with the following third parties to help us manage our business for our legitimate interests:

-          Trade associations and professional bodies, non-statutory bodies and members of trade associations such as Credit Union Development Association (CUDA)

-          Persons making an enquiry or complaint.

-          Statutory and regulatory bodies (including central and local government) and law enforcement authorities. These include the courts and those appointed by the courts, government departments, statutory and regulatory bodies in all jurisdictions where esccu operates including: the Central Bank of Ireland, the European Central Bank, the Data Protection Commission, Financial Services Ombudsman, An Garda Síochána/police authorities/enforcement agencies, Revenue Commissioners, Criminal Assets Bureau, US, EU and other designated authorities in connection with combating financial and other serious crime, police forces and security organisations, ombudsmen and regulatory authorities, as well as fraud prevention agencies.

-          Credit reference agencies, including the Central Credit Register and The Irish Credit Bureau: we share your data with the Central Credit Register in order to comply with our legal obligations under the Credit Reporting Act 2013. We may also search the Central Credit Register where permitted but not obliged to do so to protect our legitimate interests.

-          When we share your data with the Irish Credit Bureau, they will process that data for their legitimate interests. Those legitimate interests are promoting greater financial stability by supporting a full and accurate assessment of loan applications, aiding in the avoidance of over-indebtedness, assisting in lowering the cost of credit, complying with and supporting compliance with legal and regulatory requirements, enabling more consistent, faster decision-making in the provision of credit and assisting in fraud prevention.

-          Please review the Irish Credit Bureau's Fair Processing Notice which is available at http://www.icb.ie/pdf/fair%20processing%20notice.pdf. It documents who they are, what they do, details of their Data Protection Officer, how they get the data, why they take it, what personal data they hold, what they do with it, how long they retain it, who they share it with, what entitles them to process the data (legitimate interests), what happens if your data is inaccurate and your rights i.e. right to information, right of access, right to complain, right to object, right to restrict, right to request erasure and right to request correction of your personal information.

6.     Implications of not providing information

Sharing information with us is in both your interest and ours. We need your information in order to:

-          Provide our products and services to you and fulfil our contract with you.

-          Manage our business for our legitimate interests.

-          Comply with our legal obligations.

Of course, you can choose not to share information, but doing so may limit the services we are

able to provide to you:

-          We may not be able to provide you with certain products and services that you request.

-          We may not be able to continue to provide you with or renew existing products and services.

-          We may not be able to assess your suitability for a product or service, or, where relevant, give you a recommendation to provide you with a financial product or service.

-          When we request information, we will tell you if providing it is a contractual requirement or not, and whether or not we need it to comply with our legal obligations.

7.     The legal basis for using your information

We will use your data and share that data where:

-          Its use is necessary in relation to a service or a contract that you have entered into or because you have asked for something to be done so you can enter into a contract with us.

-          Its use is in accordance with our legitimate interests outlined in this statement.

-          Its use is necessary because of a legal obligation that applies to us (except an obligation imposed by a contract). An example of this would be us sharing your information with the Central Credit Register.

-          You have consented or explicitly consented to the using of your data (including special categories of data) in a specific way.

-          Its use is necessary to protect your "vital interests".

-          In exceptional circumstances we may use and/or disclose information (including special categories of data) we hold about you to identify, locate or protect you, for example, if it comes to our attention that you are in imminent physical danger and this information is requested by An Garda Síochána or your relative.

-          Where you have made clearly sensitive categories of data about yourself public.

-          Where the processing of special categories of data is necessary for the establishment, exercise or defence of legal claims.

-          Where authorised by law or regulation, we may undertake processing of special categories of data for a substantial public interest.

8.     Processing your information outside the EEA

Your information is stored on secure systems within esccu premises and with providers of secure information storage.

We may transfer or allow the transfer of information about you and your products and services with us to our service providers and other organisations outside the European Economic Area (EEA), but only if they agree to act solely on our instructions and protect your information to the same standard that applies in the EEA.

For example, we may process payments using third parties (including other financial institutions such as banks and the worldwide payments system operated by the SEPA Payments Schemes

9.     How to exercise your information rights (including the right to object)

Providing and holding personal information comes with significant rights on your part and significant obligations on ours. You have several rights in relation to how we use your information. If you make your request electronically, we will, where possible, provide the relevant information electronically unless you ask us otherwise:

Your rights are:

The right to be informed

To know how your data is processed, stored, deleted and transferred

The right to access information

To access your information and to receive copies of the information we have about you.

The right to rectification

Request that inaccurate information is corrected and incomplete information updated.

The right to be forgotten

Request that your data is erased if one of the following grounds applies: it's no longer necessary in relation to the purpose for which it was collected, your consent was withdrawn, you object to processing or the processing is unlawful.

Right to data portability

Obtain a transferable copy of certain data to which can be transferred to another provider, known as "the right to data portability".

This right applies where personal information is being processed based on consent or for performance of a contract and the processing is carried out by automated means. You are not able to obtain through the data portability right all of the personal information that you can obtain through the right of access. The right also permits the transfer of data directly to another provider where technically feasible. Therefore, depending on the technology involved, we may not be able to receive personal data transferred to us and we will not be responsible for the accuracy of same.

The right to object to the processing of personal data

Object to use of your personal data for direct marketing purposes. If you object to this use, we will stop using your data for direct marketing purposes.

Withdraw consent at any time, where any processing is based on consent. If you withdraw your consent, it will not affect the lawfulness of processing based on your consent before its withdrawal.

The right of restriction

Have your data deleted or its use restricted - you have a right to this under certain circumstances. For example, where you withdraw consent you gave us previously and there is no other legal basis for us to retain it, or where you object to our use of your personal information for particular legitimate business interests.

The right not to be subject to automated decision making, including profiling

Object to particular uses of your personal data where the legal basis for our use of your data is our legitimate business interests (for example, profiling we carry out for our legitimate business interests) or the performance of a task in the public interest. However, doing so may have an impact on the services and products we can / are willing to provide.

Under the new data protection regulations, we are obliged to respond to your access request without undue delay. In most instances, we will respond within 30 Days. If we are unable to deal with your request fully within 30 Days (due to the complexity or number of requests), we may extend this period by a further two calendar months. Should this be necessary, we will explain the reasons why. If you make your request electronically, we will, where possible, provide the relevant information electronically unless you ask us otherwise.

You have the right to complain to the Data Protection Commission or another supervisory authority.

You can contact the Office of the Data Protection Commission at:

https://www.dataprotection.ie/docs/Contact-us/b/11.html

Telephone: +353 (0)761 104 800 or Lo Call Number 1890 252 231

Fax: +353 57 868 4757

E-mail: info@dataprotection.ie

Postal Address: Data Protection Commission, Canal House, Station Road, Portarlington, R32 AP23, Co. Laois.

10. How to contact us for contact preferences updates and/or our Data Protection Officer

If you have any questions about how your personal data is gathered, stored, shared or used, or if you

wish to exercise any of your data rights, please contact our Data Protection Officer at:

Telephone: +353 (0)1 6427900

E-mail: Data.Protection@esccu.ie

Postal Address: E-Services & Communications Credit Union, 55 Dawson Street, Dublin 2

Contact Preferences

Members can update or change their contact preferences at any stage either by contacting us (during office hours) or through their "Personal Settings" of their esccu online banking area through esccu.ie. or by clicking here.

11. Changes to this statement

We will update this Data Privacy Statement from time to time. Any changes will be communicated to you and made available on this page and, where appropriate, notified to you by SMS, e-mail or when you log onto www.esccu.ie