Recruitment Privacy Notice

Who we are

A credit union is a member-owned financial cooperative, democratically controlled by its members, and operated for the purpose of promoting thrift, providing credit at competitive rates, and providing other financial services to its members. Data collection, processing and use are conducted solely for the purpose of carrying out our role as a credit union.

Ballinasloe Credit Union (Our Lady of Lourdes) Limited’s Privacy Notice refers (together with our Cookies Policy) to our commitment to our compliance to data protection legislation including the Irish Data Protection Acts and the EU General Data Protection Regulation (GDPR).

Throughout this document “we”, “us”, “our”, “ours” and “the Credit Union” refers to Ballinasloe Credit Union (Our Lady of Lourdes) Limited

How to contact us

There are many ways you can contact us, including by phone, email, and post. More details can be found here https://ballinasloecreditunion.ie

Our registered address is

Main street,

Ballinasloe,

Co Galway H53VK18

Contact Data Protection Lead GDPR@ballinasloecreditunion.ie,

Telephone 090 – 9643179

What happens if we make changes to this notice

Where changes to this Privacy notice occur, the updated version will be published on our website and where appropriate/possible communicated directly to individuals through a communication channel such as email and/or our social media.

Current version Reference BCU PNDV V1. 03 2023

Who do we collect data about

We collect and process your personal data only when such data is necessary in the course of our dealings with you. This personal data includes any offline physical data or online data that makes a person identifiable.

We process data for the following groups of individuals where it is necessary:

Applicants for Director/Volunteers positions
Directors & Volunteers
Pre-Approval Controlled Functions
Related persons
Referees
Nominator

We are the controller for the personal information we process, unless otherwise stated.

What types of your data do we collect

You directly provide us with most of the data we collect. We collect data and process data when you:

Apply for a Director/Volunteer position
Are in position as Director or Volunteer
Voluntarily complete a survey or provide feedback
Use or view our website via your browser’s cookies

Applicants for Director / Volunteer positions

We may need to obtain and process the following personal data as required where necessary to assess the suitable of your application:

Your name and contact details (i.e. address, home and mobile phone numbers, email address)
PPS number
Date of birth
Nomination
Fitness & Probity

o Personal details

o Professional/Educational Qualifications, Previous Experience, Relevant Training/Professional Memberships

o Previous Relevant Experience

o Relevant Training

o Professional Memberships

o Reputation and Character

o Financial Soundness

o Current Shareholding in Financial and/or Other Entities

o Previously held Shareholding in Financial and/or Other Entities

o Business Interests in Financial and/or Other Entities involving a Personal Liability

o Guarantees in Respect of Liabilities

o Position of Executive/Non-Executive Director/Chairman/Manager or Financial Services Regulator

Signatures
Curriculum vitae and covering letter
Interview assessment details
Proof of ID [proof of address, passport or driving licence details]
If applicable political exposed person details
Any information you provide to us by email, telephone or during an interview
Details of your referees.
Declaration of conflict of interest
Connect individual’s relevant information-designed person, working in the Credit Union or Financial Institutes or Central Bank

Directors & Volunteers

We may need to obtain and process the following personal data as required where necessary to during your appointment:

Annual Due Diligence
Annual appraisal
Training attendance
Succession planning
Minutes of meetings
IP address of devices used to access Credit Union data

Pre-Approval Controlled Functions

We may need to obtain and process the following personal data as required where necessary to during your appointment:

Minimum Competency Code https://www.centralbank.ie/regulation/how-we-regulate/fitness-probity/requirements-assessment-compliance/credit-unions/introduction

Related persons

We may need to obtain and process the following personal data as required where necessary during the application process of your connected applicant:

Name
Address
Relevant connections

Referees

We may need to obtain and process the following personal data as required where necessary to during the application process of the applicant appointment:

Name
Address
Phone Number
Relationship
Any other relevant information provided

Nominator

Nominators must be 18 years of age and voting members of the Credit Union. Two nominators required. We may need to obtain and process the following personal data as required where necessary to during your appointment:

Name
Address
Signature

When do we collect sensitive personal data

Sensitive data is known as special categories of data in Data Protection law. Special categories of data are defined by GDPR as processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

We will process special categories of personal data in the following circumstances:

In limited circumstances, with your explicit written consent.
Where we need to carry out our legal obligations and in line with our data protection policy.
Where it is needed in the public interest, and in line with our data protection policy.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

To assess the required to appoint individual how are honest, ethical and with integrity, individuals are required to self-certify on their application if they have criminal convictions and offences

When do we receive your data from a third party

Where is it necessary, we may receive your data indirectly from the following sources:

Appointed Referees
Professional Bodies
Education providers
Central Bank
Nominator
Third parties employed to complete background search

What are the legal bases we process your data

We collect your data based on the following legal basis:

Consent

Where you have explicitly agreed to us processing your information for a specific reason such as

Application of role of Director or Volunteer

o An applicant may provide third party’s data

 Nominator

 Connected person

 Referee

in such cases the member obtains consent from the adults to capture their data

Any individual

o Photograph or videos for publication at events

Cookie (see cookie policy)

Right to withdraw consent at any time

Where consent is relied upon as a basis for processing of any personal data, you will be presented with an option to agree or disagree with the collection, use or disclosure of personal data. Once consent is obtained, it can be withdrawn at any stage.

Compliance

A credit union cannot permit a person to perform a Controlled Function unless the credit union is satisfied on reasonable grounds that the person complies with the Central Bank of Ireland Standards on Fitness & Probity for Credit Unions 2013 and the person has agreed to abide by the Standards of Fitness & Probity as set out in the Code issued under Section 50 of the Central Bank Reform Act 2010. An applicant must meet the eligibility requirements for election to the board of directors, as set out in the Credit Union Act, 1997 – 2016, regulations and the registered rules of the Credit Union.

The eligibility criteria for applicants include the requirements of The Central Bank Reform Act 2010 (Sections 20 and 22 –Credit Unions) (Amendment) Regulations 2018, being the standards of fitness and probity for Credit Unions under the headings;

Competence and Capability
Honest, Ethical and Acting with Integrity; and
Financial Soundness

We must meet our duties to the Regulator, the Central Bank of Ireland and comply to our legal obligations.

Where it is necessary and proportionate, we may allow authorised people to see our records (which may include information about you) for reporting, compliance and auditing purposes. For the same reason, we will also hold the information about you when you are no longer a a Director/Volunteer.

Processing may be necessary for compliance with a legal obligation:

Complying with requests from regulatory bodies, including the Central Bank of Ireland.
As this Credit Union is affiliated to the ILCU, the Credit Union must also operate in line with Irish League of Credit Unions (ILCU) Standard Rules (which members of the Credit Union are bound to the Credit Union by) and the League Rules (which the Credit Union is bound to the ILCU by)
To report and respond to queries raised by regulatory authorities, law enforcement and other government agencies such as the Central Bank of Ireland and An Garda Siochana
To meet obligations under the Credit Union Standard Rules & The Credit Union Act, 1997 (as amended)
To communicate all mandatory service communications such as providing notice of the AGM
To meet our health and safely compliance
For the establishment, exercise or defence of legal claims.

Set out below are the main legal instructions, and regulations and legislation the Credit Union must be compliant with. We will also comply with the following legislation and, other legislation as required. A member of our team will be able to answer a question you may have as to why we need certain data to provide our member services to you.

Credit Union handbook https://www.centralbank.ie/regulation/industry-market-sectors/credit-unions/credit-union-handbook
Credit union act 1997 (regulatory requirements) (amendment) regulations 2020 https://www.irishstatutebook.ie/eli/2020/si/675/made/en/pdf
Minimum Competency Code 2017 (MCC 2017) and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48 (1)) Minimum Competency Regulations 2017 (MCR 2017) https://www.centralbank.ie/regulation/how-we-regulate/authorisation/minimum-competency#:~:text=The%20MCC%202017%20specifies%20certain,Supervision%20and%20Enforcement)%20Act%202013.

Legitimate interest

We have a legitimate interest to process your data in certain circumstances for our business reasons where we always respect your interests and fundamental rights. Where we rely on our legitimate interest, we tell you and what that it is as stated in this section below.

Processing of your personal data may be necessary for the purposes of a legitimate interest pursued by us in any of the following:

To manage the recruitment process of applicants for Director and Volunteer positions and communication each stage of the process with the applicant
To manage the administration of the role of Directors and Volunteers during their tenure
Conduct Directors and Volunteers Surveys to provide information on the quality of our administration of the Credit Union
To improve the Credit Union service quality
To enhance the training for our Directors and Volunteers.
To establish, exercise and safeguard our rights, (including where necessary to take enforcement action) and to respond to claims made against the Credit Union.
To safeguard the safety and security of the Directors and Volunteers, IT systems and devices, property, and member, buildings, information located or stored on the premises, and assets, and those of service providers, consultants, and advisors that assist the Credit Union in carrying out its functions.
In the prevention and detection of fraud

What happens if you do not provide us with the data if legal basis is compliance

Where lawful basis is a statutory requirement, if an applicant or Director or Volunteer is obliged to provide the personal data, failure to provide this information will result in failure to obtain and or retain a post.

What is the purpose (s) for processing your data

Applicants for Director / Volunteer positions

To assess the applicants
Identify suitable candidates for the posts
Interview the candidates

Directors & Volunteers

The Board of Directors are responsible for the strategic direction of the Credit Union. It will perform general duties to ensure that a viable direction is planned and will adhere to the specific duties and responsibilities for the board and board committees as set out in:

o The Credit Union Acts, 1997 – 2012

o Regulations to the Act

o Directives of the Department of Finance

o The Credit Union’s registered rules

o The policies of the Credit Union

Purpose for processing the Director and Volunteer’s personal data is:

To validate the Director or Volunteer meets the due diligence requirements
To manage the progression of each Director or Volunteer throughout their tenure
To ensure that correct training and development is provided

Pre-Approval Controlled Functions

For compliance to the Fitness and Probity Regime applies to Credit Unions and to persons in senior positions within a Credit Union.

Related persons

To meet the compliance of Central Bank to avoid any conflicts of interest

Referees

Identify validate the information provided by the candidates for the posts

Nominator

To ensure the candidates are nominated by a member of the credit union

What you need to do when you provide us with other individuals information data

If you are providing personal information on behalf of a third party, you must ensure that the third party receives a copy of this Privacy Notice before their personal information is shared with us (e.g., Referee, Related Parties as defined in the Credit Union handbook).

Where you are providing a name of a nominee to your shares, the nominee does not need to be informed until such time as they will receive the funds.

You do not need to provide this Privacy Notice in the following situations

the individual already has the information
obtaining or disclosure of such information is expressly laid down in the law to which the credit union must comply and which provides appropriate measures to protect the individual’s legitimate interests
where the personal data must remain confidential subject to an obligation of professional secrecy regulated by law

How we protect your data

We collect this data in a transparent way and only with the full knowledge of interested parties. Once this information is available to us, the following rules apply.

Our data will be:

Accurate and kept up-to-date
Collected fairly and for lawful purposes only
Processed by us on the basis of either a valid contract, consent, legal compliance or legitimate interest
Protected against any unauthorised access or illegal processing by internal or external parties.

Our data will not be:

Communicated to any unauthorised internal or external parties
Stored for longer than required for the purpose obtained
Transferred to organisations, states or countries outside the European Economic Area without adequate safeguards being put in place as required under Data Protection Law.

Our commitment to protect your data:

Restrict and monitor access to sensitive data
Develop transparent data collection procedures
Train employees in data protection and security measures
Build secure networks to protect online data from cyberattacks
Establish clear procedures for reporting privacy breaches or data misuse
Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorisation etc.).

How our third-party providers protect your data

We only engage with third-party service providers who provide sufficient guarantees to protect your data following our instructions and are bound by a data processing agreement.

Who we share your information with

Your personal information may also be processed by other organisations on our behalf for the purposes outlined above. We may disclose your information where necessary to the following

We have a legitimate interest to share your personal data with our approved outsourced third-party providers, such as Company to conduct the Due Diligence, IT Service Providers, legal advisors, business advisors, debt collectors, couriers, shredding company, security company, printing company, CCTV company, administration services, internal and external auditors, insurers, marketing consultants or subcontractors.
We may share your data when required with possible successors or merging Credit Unions, Statutory and regulatory bodies as legally required including but limited to Regulators Central Bank Ireland, Enforcement bodies, an Garda Siochana, Data Protection Commission, the courts, fraud prevention agencies or other bodies; the Department of Social Protection and the Financial Services and Pensions Ombudsman Bureau of Ireland, Irish Financial Services Appeals Tribunal, Irish Revenue, debt recovery or fraud prevention agencies,

We may share your data with Irish League of Credit Unions, Credit Union Development Association.

How long will we hold your information

We will only retain personal data for as long as necessary for the purposes for which it was collected as required by law or regulatory guidance to which we are subject or to defend any legal actions. Where possible we record how long we will keep your data. Where that is not possible, we will explain the criteria for the retention period. Unless required to defend a legal claim, we hold the following

Unsuccessful candidates – 1 years after campaign
Fitness and Probity records for CF or PCF – 7 years after end of position
Fitness and Probity records -CUCF-1 and CUCF–2 years after end of position
Fitness and Probity records-Volunteers –2 years after end of position
CCTV- one month

Processing your information outside the EEA

Some third parties we share your data with may reside outside the European Economic Area (which currently comprises the Member states of the European Union plus Norway, Iceland and Liechtenstein). If we do this, your information will be treated to the same standards adopted in Ireland and include the following data protection transfer mechanisms:

Model Clauses (also known as Standard Contractual Clauses) are standard clauses in our contracts with our service providers to ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law. Copies of our current Model Clauses are available on request.
Transfers to countries outside the EEA which have an adequate level of protection as approved by the European Commission (such as the United Kingdom).
Transfers permitted in specific situations where a derogation applies as set out in Article 49 of the GDPR. For example, where it is necessary to transfer information to a non-EEA country to perform our contract with you.

How to exercise your information rights

Erasure

When have I the right to all my personal data being deleted by the Credit Union?

You have the right to have your personal data deleted without undue delay if:

The personal data is no longer necessary in relation to the purpose(s) for which it was collected/processed
You are withdrawing consent and where there is no other legal ground for the processing
You object to the processing and there are no overriding legitimate grounds for the processing
The personal data has been unlawfully processed
The personal data must be erased so that we are in compliance with legal obligation
The personal data has been collected in relation to the offer of information society services with a child.

What happens if the Credit Union has made my personal data public?

If we have made your personal data public, we, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform those who are processing your personal data that you have requested the erasure.

What happens if the Credit Union has disclosed my personal data to third parties?

Where we have disclosed your personal data in question to third parties, we will inform them of your request for erasure where possible. We will also confirm to you details of relevant third parties to whom the data has been disclosed where appropriate.

Data portability

When can I receive my personal data in machine readable format from the Credit Union?

You have the right to receive your personal data, which you provided to the Credit Union, in a structured, commonly used and machine-readable format. You have the right to transmit this data to another organisation without hindrance from the Credit Union to which the personal data have been provided, where:

processing is based on consent or contract and
processing is carried out by automated means.

Would the Credit Union transfer the personal data to another service provider if I requested this?

We can transfer this data to another company selected by you on your written instruction where it is technically feasible taking account of the available technology and the feasible cost of transfer proportionate to the service, we provide to you.

Under what circumstances can the Credit Union refuse?

You will not be able to obtain, or have transferred in machine-readable format, your personal data if we are processing this data in the public interest or in the exercise of official authority vested in us.

Will the Credit Union provide me with my personal data if the file contains the personal data of others?

We will only provide you with your personal data, ensuring we protect the rights and freedoms of others. Where personal data of another person may be on the same files as yours, we will redact the full details of the other person.

Automated individual decision making

What are my rights in respect of automated decision making?

The Credit Union does not have any automated decision-making processes at the date of this Statement. Where any such processes are introduced, we will update this Statement accordingly.

Object

Have I already been informed about my right to object?

We have informed you of your right to object prior to us collecting any of your personal data as stated in our privacy statement for example when opening an account or at loan application.

When can I object to the Credit Union processing my personal data?

You can object on grounds relating to your situation.

The Credit Union will stop processing your personal data unless:

we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms or
the processing is for the establishment, exercise or defence of legal claims.

What are my rights to object for direct marketing purposes?

Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, we will no longer process this data for such purposes.

What are my rights to object in the use of information society services (online services)?

In the context of the use of information society services, you may exercise your right to object by automated means using technical specifications.

Restrict processing

When can I restrict processing?

You may have processing of your personal data restricted:

While we are verifying the accuracy of your personal data which you have contested
If you choose restricted processing over erasure where processing is unlawful
If we no longer need the personal data for its original purpose but are required to hold the personal data for defence of legal claims
Where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our legitimate grounds override.

What if the Credit Union has provided my personal data to third parties?

Where we have disclosed your personal data in question to third parties, we will inform them about the restriction on the processing, unless it is impossible or involves disproportionate effort to do so.

How will I know if the restriction is lifted by the Credit Union and/or relevant third parties?

We will inform on an individual basis when a restriction on processing has been lifted.

Rectification

What can I do if the Credit Union is holding incorrect personal data about me?

Where you suspect that data we hold about you is inaccurate, we will on demand, in compliance to central bank rules, rectify any inaccuracies without undue delay and provide confirmation of same.

What happens if the Credit Union has disclosed my personal data to third parties?

Where we have disclosed inaccurate personal data to third parties, we will inform them and request confirmation that rectification has occurred. We will also provide you with details of the third parties to whom your personal data has been disclosed.

Withdraw consent

Under what circumstances could I withdraw consent?

You can withdraw consent if we are processing your personal data based on your consent.

When can I withdraw consent?

You can withdraw consent at any time.

If I withdraw consent what happens to my current data?

Any processing based on your consent will cease upon the withdrawal of that consent. Your withdrawal will not affect any processing of personal data prior to your withdrawal of consent, or any processing which is not based on your consent.

Lodge a complaint

Can I lodge a complaint with the Data Protection Commission?

You can lodge a complaint with the Data Protection Commission in respect of any processing by or on behalf of the Credit Union of personal data relating to you.

How do I lodge a complaint?

Making a complaint is simple and free. All you need to do is write to the Data Protection Commission giving details about the matter. You should clearly identify the organisation or individual you are complaining about. You should also outline the steps you have taken to have your concerns dealt with by the organisation, and what sort of response you received from them. Please also provide copies of any letters between you and the organisation, as well as supporting evidence/material.

What happens after I make the complaint?

The Data Protection Commission will then take the matter up with the Credit Union on your behalf.

Access your data

When do I have the right to access my personal data from the Credit Union?

Where the Credit Union process any personal data relating to you, you have the right to obtain confirmation of same from us, and to have access to your data.

What information will the Credit Union provide to me?

If we are processing your personal data, you are entitled to access a copy of all such personal data processed by us subject to a verification process to ensure we are communicating with the correct person. We will provide any of the following information:

why we are processing your personal data
the types of personal data concerned
the third parties or categories of third parties to whom the personal data have been or will be disclosed. We will inform you if any of the third parties are outside the European Economic Area (EEA) or international organisations
how your personal data is safeguarded where we provide your personal data outside the European Economic Area or to an international organisation
the length of time we will hold your data or if not possible, the criteria used to determine that period
your rights to:

o request any changes to inaccurate personal data held by us

o have your personal data deleted on all our systems

o restriction of processing of personal data concerning you

o to object to such processing

o data portability

your right to lodge a complaint with the Data Protection Commission info@dataprotection.ie
where we have collected your personal data from a third party, we will provide you with the information as to our source of your personal data
any automated decision-making, including profiling which includes your personal data. We will provide you with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

What Information is not provided?

Business Information pertaining to your role as an employee
If we do not provide you with your personal data, we have an obligation to give reasons why this personal data is being withheld.

How long will it take to receive my personal data from the Credit Union?

We will provide you with a copy of the personal data we are currently processing within one month of request. In rare situations if we are unable to provide you with the data within one month we will notify you, within one month of your valid request, explaining the reason for the delay and will commit to delivery within a further two months.

How much will it cost me to receive my personal data?

We will not charge for providing your personal data unless we believe the request is excessive and the cost of providing your data is disproportionate to your services provided.

Can I request additional copies of my personal data?

If you require additional copies, we will charge €20 to cover our administrative costs.

Can I receive my personal data electronically?

You can request your personal data by electronic means and we will provide your personal data in a commonly used electronic form if technically feasible.

What will the Credit Union do if another person’s personal data is shared with my personal data?