This Data Protection policy is a statement whereby we at Lisduggan District Credit Union commit to protecting the rights and privacy of individuals in accordance with the Data Protection Act, 2018 (the Act) requirements and the General Data Protection Regulation 2016/679 (GDPR). It ensures that Lisduggan District Credit Union:
- Is compliant with the relevant data protection legislation and follows what is considered industry good practice in protecting the personal data collected, stored, and processed;
- Protects the rights of our staff, members, volunteers, directors and partners as they relate to data protection and privacy;
- Is open and transparent in relation to how we collect, store and process individuals’ personal data; and
- Protects the organisation from the risks of a data breach.
The policy covers both personal and special categories of personal data held in relation to data subjects by Lisduggan District Credit Union as defined by the Act and GDPR. The policy applies equally to personal data held in both manual and automated forms. All personal data and special categories of personal data will be treated with equal care by Lisduggan District Credit Union. Both categories will be equally referred to as Personal Data in this policy, unless specifically stated otherwise.
At Lisduggan District Credit Union we need to collect and use certain personal information from the following persons:
- Credit Union Members
- Volunteers of the Credit Union
- Business Contacts
These guidelines set out the requirements of the Act and GDPR and the steps to be taken by us when processing personal data. These guidelines will be updated, as required, to allow for any legislative changes.
These guidelines apply to all staff of the Credit Union including permanent and temporary staff, volunteers and any other parties who are authorised to access Personal Data held by the Credit Union.
Data Protection law safeguards the privacy rights of individuals in relation to the processing of their personal data. The Act and GDPR confer rights on individuals as well as responsibilities on those persons processing personal data. Personal data is data relating to a living individual who is or who can be identified, either from the data or from the data in conjunction with other information available.
- The General Data Protection Regulation 2016/679 (“GDPR”)
- The Data Protection Act 2018 (“the Act”)
- The Credit Union Act, 1977 (as amended)
The Board of Directors has overall responsibility for ensuring compliance with the Data Protection legislation. The Board of Directors will approve, review and update the Data Protection Policy at least annually.
The Management / CEO will ensure that the Data Protection Policy is implemented and ensure controls are in place to facilitate compliance in line with the guidance of the Data Protection Officer (DPO).
All employees of the Credit Union who collect and / or control the contents and use of personal data are responsible for compliance with the Data Protection Policy.
The DPO will undertake a number of tasks that will include, but not necessarily be limited to the following:
- Inform, advise and issue recommendations to the organisation regarding compliance with data protection requirements;
- Assist in fostering a data protection culture within the organisation and help to implement essential elements of all relevant data protection and privacy regulations and legislation;
- Create and implement policies and procedures in relation to data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing, and notification and communication of data breaches.
- Advise the controller / processor regarding:
- Whether or not to carry out a data protection impact assessment
- What methodology to follow and appropriate resource when carrying out a DPIA.
- Whether or not the DPIA has been correctly carried out and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with data protection and privacy requirements.
- What safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects.
- Provide oversight of the record of processing operations under the responsibility of the controller as one of the tools enabling compliance monitoring, informing and advising the controller or the processor;
- Document all decisions taken consistent with and contrary to advice given; and
- Offer consultation once a data breach or other incident has occurred.
Lisduggan District Credit Union undertakes to perform our responsibilities under the regulation, as follows:
- Personal data shall be collected and processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with the Act and GDPR, not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the Act and GDPR subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
- The Credit Union shall be responsible for and be able to demonstrate compliance with the above principles (‘accountability’).
Lisduggan District Credit Union will also endeavour to uphold the rights of data subjects as laid out in the Act and GDPR as follows:
- Provide transparent information and communication to data subjects on how to exercise their rights;
- Provide information about our processing activities to the data subject;
- Provide the data subject with the right to obtain from us confirmation as to whether or not we are processing personal data concerning him or her and, where that is the case, access to the personal data;
- Provide the right of rectification for the data subject to correct inaccurate personal data concerning him or her;
- Provide the data subject with the right to obtain from us the erasure of personal data concerning him or her without undue delay and we shall have the obligation to erase personal data without undue delay unless we have overriding legitimate grounds for continued processing. This will be handled on a case by case basis under the circumstances listed in the Act and GDPR;
- Allow the data subject to restrict the processing of their data unless we have an overriding legitimate lawful purpose for continuing to process the data;
- Provide the data subject with the right to receive the personal data concerning him or her, which he or she has provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller under the conditions listed in the Act and GDPR; and
- The data subject shall have the right to object to processing concerning them and to have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Please note that the above rights are not always absolute and there may be some limitations.
Lisduggan District Credit Union collects and maintains Personal Data on our members and is therefore subject to the provisions of the Act and GDPR as a Data Controller. Personal Data includes automated data (e.g. information held on computer systems) as well as manual data (e.g. paper based filing systems).
The key definitions set out in the Act and GDPR are summarised below.
The term “personal data” is information related to a living individual who is or who can be identified:
- from the data, or
- from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
The term “special categories of personal data” means personal data consisting of information as to:
- the racial or ethnic origin of the data subject,
- their political opinions,
- their religious beliefs or other beliefs of a similar nature,
- whether he/she is a member of a trade union,
- their physical or mental health or condition,
- their sexual life,
- their genetic data,
- their biometric data (i.e. fingerprint, facial recognition) and
- personal data relating to criminal convictions and offences.
Data “processing” includes obtaining, recording or holding information and carrying out any operation on the information such as organising, altering, using, disclosing, erasing or destroying it.
A “data subject” is an individual who is the subject of personal data. This includes partnerships and groups of individuals, but not limited companies. In terms of Lisduggan District Credit Union, all Credit Union members, employees, officers and volunteers are data subjects.
A “data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
A “data processor” means any person (other than an employee of Lisduggan District Credit Union) who processes the data on behalf of Lisduggan District Credit Union.
“Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Implementation of this Policy is the responsibility of the Credit Union management. In addition, management are responsible for the development and maintenance of a data retention schedule in respect of any paper-based data or system handling personal data. Details of retention are contained in the Records Management Policy.
Management are responsible for ensuring that all staff, officers, volunteers and any other parties working on behalf of the Credit Union observe the provisions of this policy.
While not all staff members will be expected to be experts in data protection legislation the Credit Union is committed to ensuring that staff have sufficient awareness of the legislation to be able to anticipate and identify a data protection issue, should one arise. In such circumstances, staff must ensure that the CEO is informed in order that appropriate corrective action is taken.
This policy provides the top-level guidelines for the handling of all data. The Credit Union is firmly committed to ensuring personal privacy and compliance with relevant data protection legislation, including the provision of best practice guidelines and procedures in relation to all aspects of data protection and to support this policy.
In general terms, our staff are informed that they should always consult with their manager or the DPO to seek clarification on any data protection matters.
Compliance with this Policy will be monitored by the DPO and management. If anyone considers that this Policy is not being followed, they should raise the matter with their manager or the DPO.
This policy is, at a minimum, reviewed annually by the Board of Directors and as soon as is practically possible following any new regulation or legislation that may impact upon the data protection requirements of the Credit Union.
Lisduggan District Credit Union collects and uses Personal Data such as the following:
- General: name, address, date of birth, email, telephone numbers;
- Financial data: bank account details, financial status and history, banking details and transactions, borrowings, debit card details and receipts;
- Contract data: details of the credit union products members hold with us, signatures, identification documents, salary, occupation, payslips, source of wealth, source of funds, Politically Exposed Status, accommodation status, mortgage details, previous addresses, spouse, partners, nominations, Tax Identification/PPS numbers, passport details, driver license details, tax residency, beneficial owners information, medical information, tax clearance access number, parent/guardian information (for minor accounts);
- Data collected through interactions with credit union staff and officers: CCTV footage, telephone voice recordings, email correspondence, records of current or past complaints;
- Other data: photo or videos of prize winners, IP addresses, One Time Passcodes.
Lisduggan District Credit Union will use personal data in order to carry out the following functions related to opening an account:
- To open and maintain an account;
- Verifying the information provided in the application;
- To comply with our legal obligations, for example anti-money laundering, to identify a connected borrower, to identify a politically exposed person;
- To confirm tax residency for the purposes of the Common Reporting Standard;
- To meet our obligations under the Credit Union’s Standard Rules;
- To provide members with details of the Deposit Guarantee Scheme;
- To contact members in respect of their accounts;
- To record details of nominations and to process the nomination (subject to a valid nomination) and transfer any nominated property to the nominee(s);
- To issue members with information on any product or service held at the Credit Union or to provide details of other services, products, offers or competitions that may be of interest to our members.
Lisduggan District Credit Union will use personal data in order to carry out the following functions:
- Assessing a loan application and determining creditworthiness for a loan;
- Verifying the information provided in the application;
- Conducting credit searches and making submissions to Irish Credit Bureau, the Central Credit Register and, in a limited number of circumstances, Stubbs Gazette;
- To apply credit scoring techniques and other automated decision-making systems to either partially or fully assess an application;
- To purchase loan protection and life savings protection from ECCU;
- To determine whether an applicant is a connected borrower or related party borrower in order to comply with Central Bank Regulations;
- Administering the loan, including where necessary, to take steps to recover the loan or enforce any security taken as part of the loan;
- To take steps to secure repayment of a loan such as processing a charge on a property;
- Providing updates on loan products and services by way of directly marketing to members;
- To contact members regarding a loan enquiry submitted through our website or online advertising;
- Meeting legal and compliance obligations and requirements under the Rules of the Credit Union;
- To complete a Central Credit Register where a loan falls into arrears;
- Where there is a breach of the loan agreement we may use the service of a debt collection agency, solicitors or other third parties to recover the debt. We will pass them details of the loan application in order that they make contact and details of the indebtedness in order that they recover the outstanding sum;
Guarantors: As part of the conditions of a loan, the appointment of a guarantor may be a requirement in order to ensure the repayment of a loan. The loan balance may be communicated to the guarantor at any time for the duration of the loan. Should an account go into arrears, it may be necessary to call upon the guarantor to repay the debt in which case they will be given details of the outstanding indebtedness. If certain circumstances change it may be necessary to contact the guarantor.
The credit union will use personal data to assist it in carrying out the following:
- To record telephone conversations to offer individuals additional security, resolve complaints and improve service standards;
- To contact members to thank them for their custom, particularly in relation to the completion of a loan;
- To contact members, using any contact method supplied, about reactivating dormant accounts;
- To record CCTV footage to ensure the safety and security of our staff, members, volunteers and any other third parties visiting our premises, to resolve complaints and improve service standards;
- To collect certain personal data if members attend the AGM such as name, account number and signature;
- To issue obligatory information to members (e.g. AGM notifications, annual accounts and certain reports);
- Providing updates on our products and services by way of directly marketing to members;
- From time to time we may collect a small amount of personal data for entry into competitions and prize draws e.g. Car Draw. We will only use this data for the purpose of determining entry and selecting a winner for the competition/draw. Any photographic images or videos processed during participation in competitions or draws will only be done so with specific consent;
We may process data for purposes that are not specifically outlined above. If we do, we will clearly outline the purposes at the time of collecting data. We will endeavour to explain these purposes when we collect this data. We use personal information for the purpose it was collected. We do not use personal information for any different purpose other than for what it was obtained for without notification and seeking permission first.
We offer a number of online services to our members and prospective members. In order to avail of our online services, members or prospective members must provide certain personal information.
This information is required to:
- Login to the online platform;
- To generate a One Time Passcode;
- Use our Mobile App;
- Transfer funds;
- Manage payments and payees;
- Apply for a loan;
- Upload loan supporting documentation; and
- Upload updated ID and POA documents.
Specific Terms and Conditions apply to the usage of our online platforms and we would advise users to read these and contact us with any queries.
In order to provide certain services, it may be necessary for Lisduggan District Credit Union to process some “special categories” (see definition above) of personal data. “Special categories” of particularly sensitive personal data require higher levels of protection.
We need to have further justification for collecting, storing and using this type of personal data. We may process special categories of personal data in the following circumstances:
- In limited circumstances, with explicit written consent;
- Where we need to carry out our legal obligations and in line with our data protection policy;
- Where it is needed in the public interest, and in line with our data protection policy;
- We may process this type of information where it is needed in relation to legal claims or where it is needed to protect a member’s interests (or someone else’s interests) and a member is not capable of giving their consent, or where this information has already been made public;
- In certain circumstances, where a member becomes unable to transact on their account due to a mental incapability and no person has been legally appointed to administer the account, the Board may allow payment to another person who it deems proper to receive it, where it is just and expedient to do so, in order that the money be applied in the member’s best interests. In order to facilitate this, medical evidence of the member’s incapacity will be required which will include data about their mental health. This information will be treated as strictly confidential.
We do not sell any personal information, nor do we share it with unaffiliated third parties unless we are required to do so by law. We will ensure that any information passed to third parties conducting operational functions on our behalf will be done with respect for the security of personal data and will be protected in line with data protection law.
Ways in which we may share personal information include:
- With official bodies including, but not limited to:
- the Irish League of Credit Unions (ILCU) under the ILCU Standard Rules and the League Rules which govern the operation of Credit Unions;
- ECCU Assurance DAC who provide Loan Protection and personal data must be shared in order to administer claims or deal with insurance underwriting;
- The Irish Credit Bureau and the Central Credit Register who provide financial institutions with credit details relating to a member’s eligibility for a loan;
- The Central Bank of Ireland enforces certain reporting, compliance and auditing on Credit Unions. We are obliged, further to Central Bank Regulations, to identify where borrowers are connected in order to establish whether borrowers pose a single risk. We are also obliged to establish whether a borrower is a related party when lending to them, i.e. whether they are on the Board/Management Team or a member of the Board/Management Team’s family or a business in which a member of the Board/Management Team has a significant shareholding;
- Government Departments such as Department of Finance and the Department of Social Protection may require the Credit Union to share certain personal information in order to meet legislative and regulatory requirements;
- The Revenue Commissioners impose certain reporting obligations on Credit Unions under the Common Reporting Standards in relation to tax residency and in respect of dividend or interest payments to members.
- To engage external IT providers so as to ensure the security of our IT systems in order to protect all personal data;
- With our insurers or assessors when providing or reviewing information in the event of an incident occurring;
- To engage a private investigator, tracing or collection agent from time to time in pursuance of monies owed, subject to the terms and conditions set forth in the contract, compliance with data protection legislation and registration requirements of the investigator or agent being employed;
- To engage professional services of third parties, such as auditors, solicitors or any other such business advisers. Any such parties are bound by confidentiality;
- We reserve the right to report to law enforcement any activities that we, in good faith, believe to be illegal;
- To provide information to An Garda Síochána (e.g. CCTV footage) or other Government bodies or agencies when required to do so by law;
There may be circumstances where we transfer your personal data outside the EEA, such as when we use the services of online platforms or where we use a cloud-based IT system to hold your data.
We safeguard your data by ensuring a minimum of one of the following safeguards is in place:
- a contract based on “model contractual clauses” (also called Standard Contractual Clauses) approved by the European Commission, obliging them to protect your personal data; or
- with companies located in a third country approved by the European Commission under an adequacy decision.
Where any of our suppliers engages the service of a sub-processor to process data of which we are a Data Controller, our due diligence measures will include an assessment of this processor, in particular where the processor is located outside the EEA.
Lisduggan District Credit Union is obligated to define a lawful basis for processing personal data. Below is a summary of our use of personal data and the lawful basis we rely on for processing different categories of data for different purposes.
- Article 6.1(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
Examples of where this lawful basis is applicable include the following:
- the processing is necessary for us to manage accounts and credit union services provided to our members;
- for the purpose of assessing any loan application, processing applications individuals make and to maintain and administer any accounts held with the credit union;
- to take steps to secure repayment of a loan where a loan goes into arrears;
- to apply for Loan Protection;
- to process a credit assessment when a member applies for a loan;
- to perform any part of a contract as per the Terms and Conditions outlined to our members in any such process.
- Article 6.1(c) “processing is necessary for compliance with a legal obligation to which the controller is subject”
Examples of where this lawful basis is applicable include the following:
- to comply with all the regulations as outlined in the Credit Union Act 1997 (as amended);
- to meet our duties to the Regulator, the Central Bank of Ireland;
- to fulfil reporting obligations to Revenue related to a member’s tax liability under Common Reporting Standard;
- to comply with anti-money laundering and combating terrorist financing obligations under The Money Laundering provisions of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended by Part 2 of the Criminal Justice Act 2013;
- to meet our legislative and regulatory duties to maintain audited financial accounts;
- to comply with credit reporting obligations;
- to comply with Connected/Related Party Borrowers obligations;
- to appoint a person to administer an account where a member becomes mentally incapacitated;
- Article 6.1(f) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”
Examples of where this lawful basis is applicable include the following:
- assessing a loan application, as well as fulfilling a contract mentioned above, the credit union also utilises credit data from credit referencing agencies. Our legitimate interest: The credit union, for its own benefit and therefore the benefit of its members, must lend responsibly and will use credit scoring information in order to determine suitability for a loan;
- where there is a breach of a loan agreement we may use the service of a debt collection agency, solicitors, tracing agents or other third parties to recover the debt. Our legitimate interest: The credit union, where appropriate will take necessary steps to recover a debt to protect the assets and equity of the credit union;
- when carrying out searches relating to credit worthiness. Our legitimate interest: The credit union, for its own benefit and therefore the benefit of its members, must lend responsibly and will use credit scoring information in order to determine loan suitability;
- CCTV recording on our premises. Our legitimate interest: it is necessary to secure the premises, property herein and any staff /volunteers/members or visitors to the credit union and to prevent and detect fraud;
- voice recording through phone conversation both incoming and outgoing. Our legitimate interest: To ensure a good quality of service, to assist in training, to ensure that correct instructions were given or taken due to the nature of our business and to quickly and accurately resolve any disputes;
- during a recruitment process when we need to communicate with candidates. Our Legitimate interest: to update candidates on the recruitment process for the purposes of considering them for employment or for future positions;
- Article 6.1(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
Examples of where this lawful basis is applicable include the following:
- Marketing and Research: to provide our members with details on our products and services provided they have not opted out of receiving such communications and to carry out market research. Individuals can opt-out of receiving marketing communications at any time;
- Cookies on our website: we may obtain information about general Internet usage by using a cookie file which is stored on an individual’s browser or the hard drive of their computer. Visitors to our website can choose not to consent to cookies, or they can manage their cookie preferences, or they can select to opt-in to some or all types of cookies. We use a cookie management platform for this purpose;
- Competitions and Draws: when members participate in competitions or draws they will be asked for their consent prior to their personal information or image being displayed on our website, social media platforms or other publications;
- Schools Quiz: we participate in the Schools Quiz in liaison with the ILCU. The Schools Quiz is open to entrants aged 4 to 13. We will pass on a form to the contact in the school who is then responsible for asking the entrants’ parent/legal guardians for their consent to the processing of their child’s personal data. This information is processed only where consent has been given;
An individual has the right to be informed whether we hold data/information about them and to be given a description of the data together with details of the purposes for which their data is being kept. The individual must make this request to us in writing and we will accede to the request within one month having first verified the identity of the requester to ensure the request is legitimate.
Where a subsequent or similar request is made soon after a request has just been dealt with, it is at the discretion of the controller whether or not it needs to comply with the second request. This will be determined on a case-by-case basis. In cases where we process a large quantity of information concerning the data subject, we may request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
No personal data can be supplied relating to another individual unless that third party has consented to the disclosure of their data to the applicant. Data will be carefully redacted to omit references to any other individual and only where it has not been possible to redact the data to ensure that the third party is not identifiable we must refuse to furnish the data to the applicant.
A Subject Access Request Form is available on our website www.lisduggancu.ie; requesters are asked to complete this form, though it is not mandatory. Once we have verified the identity of the requester and the request is not deemed to be manifestly unfounded or excessive, we will comply with the request at no charge to the data subject and within one month.
Lisduggan District Credit Union has an internal procedure in place to handle all SARs.
Lisduggan District Credit Union may engage a private investigator, tracing or collection agent from time to time in pursuance of monies owed, subject to the terms and conditions set forth in the contract, compliance with data protection legislation and registration requirements of the investigator or agent being employed.
A Data Processing Agreement will be in place between Lisduggan District Credit Union and any tracing agent used so as to ensure that the responsibilities of any tracing agent are clearly defined. Their obligations regarding the protection of personal data passed to them are also stated in this agreement in compliance with data protection legislation.
Lisduggan District Credit Union must ensure the confidentiality, integrity, availability, and resilience of personal data when in use, transit and storage. We are obliged to protect the data from inadvertent destruction, amendment, loss, disclosure, corruption or unlawful processing.
- Appropriate security controls, including technical and non-technical are utilised to protect Lisduggan District Credit Union personal data;
- Computer screens, printouts, files or documents displaying personal data are only visible to authorised personnel;
- Personal data held in manual (paper) files is held securely in locked cabinets, locked rooms or rooms with restricted access;
- Data printouts are shredded and disposed of securely when no longer required;
- Staff are instructed to always keep information strictly confidential and not to disclose or discuss an employee’s or customer’s information or circumstances with any unauthorised outside parties;
- Our IT partners ensure that our systems are protected and that backups are done in real time and stored securely;
- Staff and volunteers are given regular training on how best to protect the personal data they handle during the course of their work;
- Any third parties who process personal data on our behalf are contractually bound to process personal data in line with current data protection law practices and principles, thus ensuring the security of the data.
The Board of Directors are ultimately responsible for ensuring that Lisduggan District Credit Union meets its legal obligations and abides by its own policies and procedures. The company’s Data Protection Officer (DPO) is responsible for handling any Data Protection queries from staff/volunteers as well as ensuring any new staff are aware of their responsibilities and for promoting awareness of Data Protection within the company.
15. Data Retention
We will only retain your personal data for as long as necessary to fulfil the purpose(s) for which it was obtained, taking into account any legal/contractual obligation to keep it. Where possible we record how long we will keep your data; where that is not possible, we will explain the criteria for the retention period. Once the retention period has expired, the respective data will be permanently deleted.
We maintain a full Retention Schedule in our Records Management Policy.
The regulation requires that all Lisduggan District Credit Union systems and processes are compliant in nature. In Lisduggan District Credit Union, Data Protection Impact Assessments (DPIAs) will be conducted on any new project that involves the collection of personal data or special categories of personal data, as well as on any changes to existing projects where there are risks to the data.
The DPO should be notified in the advance planning stages of any proposed new processes or technologies or changes to existing processes. This includes internal projects, product development, software development, IT systems, and any other type of processing where personal data is affected. This will ensure that any required DPIAs can be carried out and the findings reported to the Board where necessary prior to any action being taken.
Article 4(12) GDPR defines a ‘personal data breach’ as:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Staff at Lisduggan District Credit Union are trained to recognise a breach and are instructed to inform their line manager immediately if they suspect a breach has occurred or have evidence of a potential breach. The line manager will then escalate it to senior management and the DPO as required.
Lisduggan District Credit Union has a Personal Data Breach Procedure in place which will be followed by the DPO and relevant staff members in the event of a breach being reported either internally or from a third-party processor.
The role of the Data Protection Officer has been outsourced to O’Dwyer Power under a contract outlining the tasks of the DPO in assisting Lisduggan District Credit Union in complying with data protection legislation. The tasks of the DPO are in keeping with those defined in Article 39 of the GDPR.
The Board of Directors of Lisduggan District Credit Union are ultimately responsible for being able to demonstrate compliance with the law. Management are responsible for ensuring that all personnel are trained in their obligations.
In order to ensure that we comply with the Public Health guidelines about what businesses must do to play their part in containing the spread of Covid-19, we may be obliged to process certain special categories of data such as health data. Other additional details may be sought, including travel information, details of close contacts and other relevant information.
The collection of data in relation to managing our response to the Covid-19 pandemic is carried out on the lawful basis of Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018, which states:
“processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”
Also, Recital 46 GDPR states:
“Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread”
Due to the current global Covid-19 pandemic, the processing of sensitive categories of data on this basis is justified. During this uncertain time, another consideration for the credit union is its obligations to protect its staff under the Safety, Health and Welfare at Work Act 2005 (as amended). The responsibilities of employers outlined in this Act, together with the lawful basis stated above (Article 9(2)(i) GDPR), provide a clear basis for processing data, including health data, of staff where it is deemed necessary and proportionate to do so.
Certain data may be shared with Public Authorities when we are required to do this, and data collected in relation to Covid-19 will be retained for a period of no longer than 28 days.
Data Protection Officer,
Lisduggan District Credit Union,
Tel: 051 355696
You have a right to complain to the Data Protection Commissioner (DPC) in respect of any processing by using the details below:
Data Protection Commission,
21 Fitzwilliam Square South,
Tel: 0578 684 800
The most effective and efficient way to contact the DPC regarding queries or complaints is by means of the webforms which are available at: www.dataprotection.ie.