Privacy Policy

Introduction

A credit union is a member-owned financial co-operative, democratically controlled by its members, and operated for the purpose of promoting thrift, providing credit at competitive rates, and providing other financial services to its members. Data collection, processing and use are conducted for the purpose of facilitating the above mentioned objectives. This Privacy Notice is to provide you with information regarding the processing of information about you for account related purposes and other general purposes and further processing that may be necessary if you apply for a loan with us.

Our Contact Details

Address: Cara Credit Union Ltd., 45-47 Ashe Street, Tralee, Co. Kerry V92XY06 Tel: +353 66 712 2373 Email: [email protected]

Data Protection Officer (DPO)

Contact: [email protected]

Cara Credit Union Ltd. is committed to protecting the privacy and security of your personal data. This privacy notice describes how we collect and use personal data about you during and after your relationship with us.

CONTENTS

  • What personal data do we use?
  • The purposes for which we use your personal data How we use particularly sensitive personal data
  • How secure is my information with third-party service providers?
  • If you fail to provide personal data Change of purpose
  • Profiling
  • Automated decision making
  • Data Retention Periods
  • Planned data transfer to third countries – (outside of EEA)
  • Our use and sharing of your information
    • Fulfilling a contract
    • Our legal duty
    • Legitimate interests
    • Your Consent
  • Your Rights

 

 

What personal data do we use?

We collect and store only the information we need to provide our services to you, we may collect, store and use the following categories of personal data:

  • Your name, previous names, address, date of birth, personal and work email address, personal and work telephone numbers, contact details, security details to protect identity, nationality, home status, marital status, family details, financial data, credit status and history, transaction data, contract data, details of the credit union products you hold with us, signatures, identification documents, income details, your employment status and employment details, credit data from credit registers, life assurance, pension and investment details, financial needs/attitudes, information relating to power of attorney arrangements, source of wealth, source of funds, Politically Exposed Status, accommodation status, mortgage details, bank account details, credit/debit card details, personal guarantees provided, previous addresses, spouse, partners, nominations, Tax Identification/PPSN numbers, connected accounts, passport details, driver license details, tax residency and tax related information, interactions with credit union staff and officers on the premises, by phone or email, current or past complaints, CCTV footage, telephone voice recordings, communication preferences, online user identifiers (e.g. cookie identifiers, Facebook Profile, Twitter handle).
  • For specific loan types, e.g. Home Loans, Green Loans, Business Loans, Cultivate Loans etc. we may ask for additional information for the sole purpose of assessing your loan application.

The purposes for which we use your personal data

Cara Credit Union will use your personal data to assist it in carrying out the following:

  • To open and maintain an account for you.
  • To meet our obligations under the Credit Union’s Standard Rules.
  • To contact you in respect of your account and any product or service you avail of.
  • To comply with our legal obligations for example anti-money laundering and beneficial ownership reporting obligations.
  • In assessing your loan application and determining your creditworthiness for a loan.
  • Verifying the information provided by you in the application.
  • In order to purchase loan protection and life savings protection from ECCU.
  • Conducting credit searches and making submissions to the Central Credit Register.
  • Administering the loan, including where necessary, to take steps to recover the loan or enforce any security taken as part of the loan.
  • We may use credit scoring techniques [and other automated decision-making systems] to either partially or fully assess your application.
  • To comply with Central Bank Regulations to determine whether you are a connected borrower or related party borrower.
  • Providing updates on our loan products and services by way of directly marketing to you.
  • When acting as an insurance intermediary, to meet our obligations.

We may also collect, store and use the following ‘special categories’ of more sensitive personal data:

  • Information about your health, including any medical condition, health and sickness to assess if you are covered by our insurances (see section on Insurances on our website).

We need all the categories of information in the list above to allow us to; identify you and contact you and in order that we perform our contract with you.

We also need your personal identification data to enable us to comply with legal obligations. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

How we use particularly sensitive personal data

‘Special categories’ of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. We may process special categories of personal data in the following circumstances:

  1. In limited circumstances, with your explicit written consent.
  1. Where we need to carry out our legal obligations and in line with data protection legislation and regulation.
  1. Where it is needed in the public interest and in line with our data protection policy.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

How secure is my information with third-party service providers?

All our third-party service providers are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes unless they are deemed to be controllers in their own right1 . We only permit them to process your personal data for specified purposes and in accordance with our instructions. The recipient of the information will also be bound by confidentiality obligations.

 

If you fail to provide personal data

 

 If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you or we may be prevented from complying with our legal obligations.

Change of Purpose

You can be assured that we will only use your data for the purpose it was provided and in ways compatible with that stated purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Profiling

We sometimes use systems to make decisions based on personal data we have (or are allowed to collect from others) about you. This information is used for loan assessment, anti-money laundering and terrorist financing purposes and compliance with our legal duties in that regard.

Automated Decision Making

We may use automated decision making to assist us as part of our loan/credit decision process, and which involves assessing your application for a loan, taking account of your current circumstances and evaluating your ability to meet the required repayments on the loan. The automated decision process involves different types of information, such as information included in your loan application – as to the amount requested, the repayment period, your income, employment details, other loans or overdrafts etc. – as well as information provided to us with your explicit consent as to any account(s) held by you with any other financial institution and your credit history with the Central Credit Register. Cara Credit Union uses this information to apply internal credit assessment rules in a consistent manner and ensures that your application for a loan is treated fairly and efficiently and what is believed to be consistent with your repayment capacity.

Data Retention Periods

We will only retain your personal information for as long as necessary to fulfil the purpose(s) for which it was obtained, taking into account any legal/contractual obligation to keep it. We document the reason(s) for our retention periods and where possible the retention periods themselves in our Records Management Policy. Third parties contracted by Cara Credit Union will retain personal data on the basis of direct instructions from us and in line with our Records Management Policy.

As a general rule, we keep your information for a specified period after the date on which a transaction has completed or you cease to be a member. In most cases Cara Credit Union keeps Member Data for seven (7) years. Please note that these retention periods are subject to legal, regulatory and business requirements, which may require us to hold the information for a longer period. For example, we must meet minimum retention standards for taxation and audit requirements. To meet such needs and to protect your interests as well as the Credit Union’s interests, we may need to hold data for longer than our internal schedules dictate. However, we will not retain data that is no longer needed, and we continuously assess and delete data to ensure it is not held for longer than necessary.

Once the retention period has expired, the respective data will be permanently deleted. Please see sample of our retention periods below.

  • Accounting records 7 years (required to be kept further to the Credit Union Act, 1997 (as amended) must be retained for not less than six years from the date to which it relates).
  • The money laundering provisions of anti-money laundering legislation require that certain documents must be retained for a period of five years after the relationship with the member has ended.
  • We keep income tax records for a period of 7 years after completion of the transactions to which they relate.
  • Loan application information is retained for a period of 7 years from the date of discharge, final repayment, transfer of the loan.
  • CCTV footage which is used in the normal course of business (i.e. for security purposes) for 28 days.
  • Credit agreements are contracts and as such the credit union retains them for 7 years from date of expiration or breach, and twelve years where the document is under seal.
  • Loan applications form part of your credit agreement and as such we retain them for 7 years.

Planned data transfer to third countries (outside of EEA)

Customer Data may be transferred to, stored at, or accessed from a destination outside the European Economic Area (‘EEA’) in order to perform our contract with you. It may also be processed by staff operating outside the EEA who work for our service providers. To ensure that your personal data does receive an adequate level of protection we have put in place appropriate measure[s] to ensure that your personal data is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection.

Our use and sharing of your information

We will collect and use relevant information about you, your transactions, your use of our products and services, and your relationships with us. We will typically collect and use this information for the following purposes:

Fulfilling a Contract: This basis is appropriate where the processing is necessary for us to manage your accounts and credit union services to you.

Administrative Purposes: We will use the information provided by you, either contained in this form or any other form or application, for the purpose of assessing this application, processing applications you make and to maintain and administer any accounts you have with the credit union.

Security: In order to secure repayment of the loan, it may be necessary to obtain security such as a charge on your property or other personal assets.

Third Parties: We may appoint external third parties to undertake operational functions on our behalf. We will ensure that any information passed to third parties conducting operational functions on our behalf will be done with respect for the security of your data and will be protected in line with data protection legalisation and regulation.

Guarantors: As part of your loan conditions, we may make the requirement for the appointment of a guarantor a condition of your loan agreement in order that the credit union ensures the repayment of your loan. Should your account go into arrears, we may need to call upon the guarantor to repay the debt in which case we will give them details of the outstanding indebtedness. If your circumstances change it may be necessary to contact the guarantor.

Irish League of Credit Unions (ILCU) Affiliation:

The ILCU (a trade and representative body for credit unions in Ireland and Northern Ireland) provides professional and business support services such as marketing and public affairs representation, monitoring, financial, compliance, risk, learning and development, and insurance services to affiliated credit unions. As Cara Credit Union is affiliated to the ILCU, it must also operate in line with the ILCU Standard Rules (which members of Cara Credit Union are bound by) and the League Rules (which Cara Credit Union is bound to the ILCU by). We may disclose information in your application or in respect of any account or transaction of yours from the date of your original membership to authorised officers or employees of the ILCU for the purpose of the ILCU providing these services to us.

The ILCU savings Protection scheme (SPS):

We may disclose information in any application from you or in respect of any account or transaction of yours from the date of your original membership to authorised officers or employees of the ILCU for the purpose of the ILCU providing these services and fulfilling requirements under our affiliation to the ILCU, and the SPS.

The Privacy Notice of ILCU can be found here For You. Not for Profit. – The Irish League of Credit Unions

Electronic Payments: If you use our electronic payment services to transfer money into or out of your credit union account or make payments though your debit card into your credit union account, we are required to share your data with our electronic payment service provider.

 Insurance: As part of our affiliation with the ILCU, we purchase insurance from ECCU Assurance DAC (ECCU), a life insurance company, wholly owned by the ILCU. This includes Life Savings (LS), Loan Protection (LP), and optional related riders (where applicable). If you choose to take out a loan with us, it is a term of your membership, by virtue of our affiliation with the ILCU that the credit union will apply to ECCU for Loan Protection (LP). In order that we apply for LP it may be necessary to process ‘special category’ data, which includes information about your health. This information will be shared with ECCU to allow it deal with insurance underwriting, administration and claims on our behalf.

 Irish Life: In relation to our Irish Life referral service, Cara Credit Union also collects personal data (name and contact telephone number), allowing Cara Credit Union to facilitate a call back from Irish Life directly to you.  Once Cara Credit Union passes on your consent to Irish Life, we will not use your contact details for any other purpose, and your relationship will be with Irish Life from then on. Irish Life’s Privacy Statement can be found here Privacy Notice | Irish Life Financial Services

Credit Assessment: When assessing your application for a loan, Cara Credit Union will take a number of factors into account and will utilise personal data provided from:

  • your application form or as part of your loan supporting documentation;
  • your existing credit union file;
  • the Central Credit Register (CCR) managed by CRIF on behalf the Central Bank of Ireland; and
  • Open Banking, services provided by Plaid B.V. who are registered in the Netherlands and is regulated by the Dutch Central Bank to provide AISP (Account Information Service Provider) services within member countries in the European Economic Area. Please note that Plaid B.V is a data controller and maintains a controller to controller relationship with us. Plaid collects end user data, i.e. member account related information directly from the member’s bank or other account provider based on the explicit consent of such member. Please refer to Plaid’s privacy policy available at this link Privacy and security policies | Plaid

We then utilise this information to assess your loan application in line with the applicable legislation and regulations as well as our lending policy.

Payac: For the purposes of providing our current account, debit card and related services to our members, Cara Credit Union is a participant of Payac Services Company Limited by Guarantee (“Payac”). Payac is a credit union owned and operated company that assists participating credit unions in obtaining regulatory approval, developing, implementing and providing ongoing support for payment account services. This includes among other activities assisting in the establishment of operating standards, negotiating third party services and outsourcing arrangements on behalf of participating credit unions. Payac Privacy Policy Privacy Policy | Payac

FIS: Fidelity National Information Services (‘FIS”) is a data processor acting on our behalf through Payac for the administration of our card services associated with your current account. This service includes monitoring for and prevention of financial crime, reporting of fraud and other related activities to protect our members from financial loss.

Debit Card: If we issue you a debit card, Transact Payments Malta Limited (which is an authorised e-money institution) will also be a controller of your personal data. In order for you to understand what they do with your personal data, and how to exercise your rights in respect of their processing of your personal data, you should review their Privacy Policy which is available here: tpl-privacy-policy.pdf (currentaccount.ie)

Member Service: We may use information about your account with Cara Credit Union to help us improve our services to you.

Certain Loan Types: for certain loan types, either determined now or to be determined at any time in the future e.g. cultivate, Cara Credit Union may need to share your details with other 3rd party software providers or service providers but will only do so to enable it to fulfil our contract with you.

Our Legal Duty

 

This basis is appropriate when we are processing personal data to comply with Irish or EU Law.

 

Tax Liability: We may share information and documentation with domestic and foreign tax authorities to establish your liability to tax in any jurisdiction. Where a member is tax resident in another jurisdiction the credit union has certain reporting obligations to Revenue under the Common Reporting Standard. Revenue will then exchange this information with the jurisdiction of tax residence of the member. We shall not be responsible to you or any third party for any loss incurred as a result of us taking such actions. Under the ‘Return of Payments (Banks, Building Societies, Credit Unions and Savings Banks) Regulations 2008’ credit unions are obliged to report details to the Revenue in respect of dividend or interest payments to members, which include PPSN where held.

Regulatory and statutory Requirements: To meet our duties to our Regulator, the Central Bank of Ireland, we may allow authorised people to see our records (which may include information about you) for reporting, compliance and auditing purposes. An example of this is our legal obligation to file reports on the Central Credit Register in accordance with the Credit Reporting Act 2013. For the same reason, we will also hold the information about you when you are no longer a member. We may also share personal data with certain statutory bodies such as the Department of Finance, the Department of Social Protection, Register of Beneficial Ownership, the Financial Services and Pensions Ombudsman Bureau of Ireland, and the appropriate Supervisory Authority if required under law.

Purpose of the Loan: We are obliged to ensure that the purpose for the loan falls into one of our categories of lending.

Compliance with our Anti-Money Laundering and combating Terrorist Financing Obligations: The information provided by you will be used for compliance with our customer due diligence and screening obligations under anti-money laundering and combating terrorist financing obligations under The Money Laundering provisions of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 , as amended by Part 2 of the Criminal Justice Act 2013, the Criminal Justice (Money Laundering and Terrorist Financing) Act 2018 and the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (the latter two were introduced under the 4th and 5th AML/CTF EU Directives). This will include filing reports on the Beneficial Ownership Register and Bank Account Register (ISBAR). These reporting obligations requires Cara Credit Union to submit certain member data to the relevant authority administering the registers, such as the Central Bank of Ireland or the Revenue Commissioners. For further information, please contact us directly.

Audit: To meet our legislative and regulatory duties to maintain audited financial accounts, we appoint an external and internal auditor. We will allow the internal and external auditor to see our records (which may include information about you) for these purposes.

Nominations: The Credit Union Act 1997 (as amended) allows members to nominate a person(s) to receive a certain amount from their account on their death, subject to a statutory maximum. Where a member wishes to make a nomination, Cara Credit Union must record personal data of nominees in this event.

Credit Reporting: Where a loan is applied for in the sum of €2,000 or more, Cara Credit Union is obliged to make an enquiry of the Central Credit Register (CCR) in respect of the borrower. Where a loan is granted in the sum of €500 or more, Cara Credit Union is obliged to report both personal details and credit details of the borrower [and guarantor] to the CCR.

House Loan: Where you obtain a house loan from us, it will be necessary for Cara Credit Union to obtain a first legal charge on the property to be purchased and it will be necessary for us to process your personal data in order to register this charge or have this charge registered on our behalf.

Connected/Related Party Borrowers: We are obliged further to Central Bank regulations, to identify where borrowers are connected in order to establish whether borrowers pose a single risk. We are also obliged to establish whether a borrower is a related party when lending to them, i.e. whether they are on the Cara Credit Union’s Board/Management Team or a member of Cara Credit Union’s Board/ Management team, family or a business in which a member of the Board /Management Team has a significant shareholding.

Legitimate Interests

 

A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. If we rely on our legitimate interest, we will tell you what that is.

 

 

 

Your Consent

 

We will only carry out the below processing when we have obtained your consent and will cease processing once you withdraw such consent.

 

Marketing and Market Research

To help us improve and measure the quality of our products and services we undertake market research from time to time. This may include using the Irish League of Credit Unions and/or specialist market research companies. We make recommendations about the products or services you hold with us. Decide how the products and services you don’t yet hold might be suitable for you. Decide how we will offer them to you, for example directly or through digital media.

Art Competition

Cara Credit Union is involved with the Art competition in liaison with the ILCU. Upon entry you will be given further information. Where the person is below 16* then we ask that the parent/legal guardian to provide the appropriate consent. A separate privacy notice is included in all Art Competition entry forms. (*This is subject to change)

Schools Quiz

Cara Credit Union is involved in the Schools Quiz in liaison with the ILCU. The Schools Quiz is open to entrants aged 4 to 13. Upon entry parent/legal guardians will be given further information and asked for their consent to the processing of their child’s personal data. Where the person is below 16* then we ask that the parent/legal guardian provide the appropriate consent. A separate privacy notice is included in all School Quiz entry forms. (*This is subject to change).

Cookies

Non-essential cookies will always be de-activated when you first visit our websites and will remain so until you specify otherwise by activating them through the cookies management tool. See our cookies policy here: Cookies Policy | Cara Credit Union

Your Rights in connection with your personal data

Please note that the rights outlined below are not always absolute and there may be some limitations.

To find out whether we hold any of your personal data and if we do to request access to that data that to be furnished a copy of that data. You are also entitled to request further information about the processing.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you rectified.

Request Erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.

Request the restriction of processing of your personal information. You can ask us to suspend processing personal data about you, in certain circumstances.

Where we are processing your data based solely on your consent you have a right to withdraw that consent at any time and free of charge.

Request that we: a) provide you with a copy of any relevant personal data in a reusable format; or b) request that we transfer your relevant personal data to another controller where it’s technically feasible to do so. ‘Relevant personal data is personal data that: You have provided to us or which is generated by your use of our service. Which is processed by automated means and where the basis that we process it is on your consent or on a contract that you have entered into with us.

You have a right to complain to the Data Protection Commissioner (DPC) in respect of any processing of your data by:

Telephone:                   +353 57 8684800, +353 (0)761 104 800

Call number                  1890 252 231

Web Form:                   https://forms.dataprotection.ie/contact

Postal Address:             Data Protection Commissioner 21 Fitzwilliam square south, Dublin 2,

                                    D02 RD28 Ireland

Please note that the above rights are not always absolute and there may be some limitations.

If you wish to avail of any of these rights, access copies of any of your personal data or if you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we send you or a third party a copy your relevant personal data in a reusable format please contact our DPO in writing using their contact details listed here.

There is no fee in using any of your above rights: unless your request for access is clearly unfounded or excessive. We reserve the right to refuse to comply with the request in such circumstances.

We may need to verify your identity if we have reasonable doubts as to who you are: This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

We want the service provided by us to meet your expectations at all times. Please help us by telling us straightaway if there are any changes to your pers