Privacy Policy

In the context of the GDPR and Data Protection Acts (1988 as amended), RTE Credit Union Ltd is the data controller, and our contact details are at the end of this page.

You can contact our DPO at dpo@rtecu.ie or write to: Data Protection Officer, Stage 7, Radio Telefís Éireann, Nutley Lane, Dublin 4, D04 H2K8.

The purpose of this notice is to provide you with all information necessary for you to understand how we process the personal information we have about you. It is written to comply with the General Data Protection Regulations (“GDPR”) which took effect from 25th May 2018. The purpose of GDPR is to protect you against misuse of your personal information and it does so by ensuring that all entities who collect, use, disclose or otherwise process personal information do so in accordance with one or more legal justifications.

We collect and use a wide variety of information about different classes of persons including members who never borrowed, loan applicants, the spouses/partners of loan applicants, guarantors of loans, staff, volunteers, nominees and service providers.

For membership, the very basic information we need to know is your name and contact details. The antimoney laundering laws amplify this by requiring us to collect, and keep up-to-date, more precise details such as date of birth, gender, photo ID & proof of address. This must be evidenced from documentation such as passports or utility bills. Revenue oblige us to collect your details of your tax residence and PPSN.

To comply with anti-money laundering laws, we also collect high level information about your occupation, where you work, family circumstances and accommodation arrangements. We do this so that if any unusual transactions go over your account we are able to make an informed assessment of whether we have grounds for making a suspicious transaction report to the Gardai & Revenue.

When completing a loan application, we ask you to complete a simple medical questionnaire to ensure that the Loan Protection Cover is available to clear that loan in the event of your death.

We also collect all information necessary to support any loan application such as details of employment, bank statements, dependents, whether you rent or own your home etc.

Our use of credit registers

If you apply for a loan, we shall need to assess your repayment capacity which will usually require us to conduct a credit check. The main reason we use credit registers is to ensure that loan applicants have not built up a bad lending record with other lenders. Therefore we check those registers before approving loans. A condition of use is that we also send them details of our members’ loans and repayment histories so that other lenders can see if their loan applicants have poor borrowing records with us.

We use 2 credit registers. The Irish Credit Bureau (“ICB”) is a private organisation which has been in existence since 1963. Its membership includes over 300 banks, credit unions, local authorities and other lenders.

The Central Credit Register (“CCR”) was established by the Central Bank in 2017. Membership is not voluntary. The law requires that from 30th September 2018 all lenders MUST conduct credit checks before approving any loans of €2,000 or more. Being older, the ICB has credit histories going back for 5 years whereas the CCR has histories going back to June 2017 only.

Contact details for both credit registers can be found at the bottom of this notice.

As stated at the outset, the purpose of this notice is to inform you of various matters relating to the GDPR. It also requires that the legal justification is disclosed to the persons in question.

Therefore the disclosures we wish to make are as follows:

1. It is a condition of applying for a loan that we shall be both conducting an ICB credit check and passing details of your repayment history to the ICB. The legal justification for so doing under GDPR is that it is in the credit union’s Legitimate Interests to do so (i.e. to facilitate a full and accurate assessment of loan applications and avoid over-indebtedness) and it does not infringe your fundamental rights to privacy. Conducting credit checks on loan applicants is a widely accepted practice for all lenders and there is no known basis for arguing that it infringes the fundamental rights to privacy of the loan applicant. In essence, the only way you can avoid having a credit check conducted is to withdraw your loan application.
2. The ICB is also using Legitimate Interests as the GDPR justification for its processing of the information we send them.

• Another legal justification permissible under GDPR is where the task at hand is required for compliance with a Legal Obligation. This is the justification we are using for
  • conducting CCR credit checks on loan applications of more than €2,000
  • passing all credit status and histories for loans above €500 to the CCR.
• However, even though the law does not oblige us to conduct CCR checks on loan applications below €2,000, we still plan to do so, as a matter of policy. We are using the Legitimate Interests justification as set out in 2. above for this.

Because of the potential sensitivity of credit checks, all loan applicants must sign a statement acknowledging their awareness that we shall be conducting credit checks.

We collect the names of participants in Children’s Quiz and Art Competitions. The rules of our member draws also permit us to publicise the names of all winners (which includes social media). We also record attendance at general meetings.

From time to time we email members with information about the credit union as well as the products and
services it offers. We are using Legitimate Interests as the legal basis for this. Given that the credit union is a mutual organization owned by its members and the benefits of such activities accrue to the members who we email, we do not believe that such emailing overrides the fundamental rights of their recipients. However, we shall abide by any request to be excluded from such emails.

We do not market non-members on an unsolicited basis by emails or text.

We sometimes take photographs of credit union events, such as member draws, the AGM or other promotional activities. Where you are the only or one of the main persons photographed and clearly pose for the photos we will take this as your Consent for us to use them for marketing purposes on our website, information newsletters or AGM notices however no photos of you will go up on Facebook or other social media without your written consent. However it is not practical to obtain such consent for larger group shots (of knowing participants) or where you appear in the background of a photo not aimed at you and use of such photos on our website, information newsletters or AGM notices will be based on Legitimate Interests

We have CCTV in operation both inside and outside the credit union. We do not record telephone calls for members as well as staff, we have the bank account details you provided to enable money to be sent to your bank account.

For staff, we have all information provided when you applied for employment. We also have your contact details, attendance records, medical certificates, performance reviews as well as grievance & disciplinary records.

For officers who are subject to the Central Bank’s Fitness and Probity regime, we review and retain the information that is provided to us by those persons. We also conduct checks for Court judgements, disqualifications and administrative sanctions by the Central Bank, other regulators and professional bodies.

If you contact us by email, the address from which the incoming email was sent will be evident, as well as the contents of the email.

Our website does not collect cookies or retain your IP address.

We disclose information about you to various parties, mostly where required by law. These include the Central Bank, Revenue, the Gardai (in respect of money laundering suspicions), the ICB and ECCU, the insurer who provides Loan Protection, Life Savings & Death Benefit Insurance cover. Our auditors also need to see personal information relating to members, staff and others to complete their audit.

We also use a variety of service providers who have access to different kinds of information about you. These include suppliers of our computer systems, cloud storage providers, solicitors, debt collection service providers, internal auditors, risk management and compliance consultants, CCTV maintenance firms & other outsourced service providers. In all cases we ensure that these service providers are of good standing & repute and commit to keeping your information safe and secure. They are also prohibited from passing information about you to any other persons.

We do not transfer or allow the transfer of any information about you outside the European Economic Area, which means that all such information enjoys the protections provided by EU law.

The disclosure of personal information to State agencies (e.g. Central Bank, Revenue, Gardai), statutory auditors that we make is permitted under GDPR because it is required by law. However, for virtually all other things that we do with personal information, including ICB credit checks and indeed any processing of personal information the legal justification for doing it under GDPR is that it is necessary for the purposes of the credit union’s Legitimate Interests and nothing that we do infringes your fundamental rights to privacy or any other rights available under law or any freedoms arising from those rights.

However, if you think that any collection or use of your personal information is unnecessary, disproportionate or otherwise improper please let us know and we shall be happy to address your concerns. However, our position will be that resolution of any such concerns must not prejudice the Legitimate Interests of the credit union. Essentially what this means is that we will abide by objections to our use of Legitimate Interests if made in respect of marketing but not for credit register checks or more fundamental business processes.

If we cannot satisfy you, it may be that your membership, loan application or any other relationship you have with us must be discontinued. If this is unsatisfactory to you, you may complain to the Data Protection Commissioner who will give an independent, authoritative and binding view of whatever matter divides us.

We will never ask you for information unless we have a specified, explicit and legitimate need to do so. Therefore if you decline to provide it we may be unable to complete whatever process you are asking us to complete e.g. a membership or loan application.

Occasionally we may process your personal data based on your Consent, rather than our Legitimate Interests in which case your consent will be obtained in writing and you may withdraw it at any time.

We are most careful to comply with all of our data protection obligations. Specifically

• when we collect, use or disclose any personal data, we do so fairly and lawfully. This means that we make sure you know why we are collecting your information and what we are doing with it;
• we collect and use it only for specified, explicit and legitimate purpose(s);
• we do not use or disclose it in any way which is incompatible with those purposes;
• we protect it against unauthorised access, alteration, disclosure or destruction, or unlawful use;
• we ensure that all personal data we hold is accurate, complete and where necessary, kept up to date;
• we make sure that when we collect personal data, it is adequate, relevant and not excessive in relation to the purpose for which it was collected;
• we do not keep personal data for longer than is necessary. Most information is retained for 6 years which is a common minimum records retention period required by law. However, if personal data can be lawfully destroyed after a shorter period, we try to do so. We also try to destroy all personal data when we no longer have any need to retain it.

If you ask, we will provide you with a copy of all information we hold about you, within 30 days of your request and at no charge. Furthermore, if you ask us to correct or destroy any information we hold about you, we will do so, subject to the legal provisions surrounding any such request.

We have a detailed Data Protection Policy which addresses our entire approach to this important topic. All of our officers, whether paid staff or volunteers, are provided with data protection training regularly. They also sign a confidentiality pledge annually.

We view our obligations in respect of data protection very seriously and any suspected or actual breach is investigated thoroughly with appropriate action taken where necessary.

If you have a complaint about how we have used your personal information please mark your letter “For the Attention of the Manager”. Under our Complaints Procedures we shall acknowledge your complaint within 5 working days, we shall provide you with the name of the person handling your complaint and try to have a full response within 40 working days. If you are unhappy with how we have dealt with your complaint, you will be able to refer the matter to the Data Protection Commissioner.

Should you have any further questions about any of the foregoing, please ask at the counter, write to us, telephone us on 01 208 2628, email us at info@rtecu.ie or contact the ICB, CCR or Data Protection Commissioner using the details below.