This Privacy Notice is to provide you with information regarding the processing of information about you for account related purposes, lending and other general purposes.

Our contact details are:

Address: Tubbercurry & District Credit Union Ltd., The Square, Tubbercurry, Co. Sligo
Phone: 071 91 86297
Email: info@tubbercurrycu.ie

What personal data do we use?

We may collect, store and use the following categories of personal data about you:

• Your name, address, date of birth, email, telephone, nationality, financial data, status and history, transaction data; contract data, details of the credit union products you hold with us, signatures, identification documents, salary, occupation, source of wealth, source of funds, Politically Exposed Status, accommodation status, mortgage details, bank account details, CCR reports, previous addresses, spouse, partners, nominations, health data, Tax Identification/PPSN numbers, passport details, driver licence details, tax residency, interactions with credit union staff and officers on the premises, by phone, or email, current or past complaints, CCTV footage etc.

We need all the categories of information in the list above to allow us to identify you, contact you, comply with our legal obligations and in order that we perform our contract with you.

In certain instances, an individual may supply us with information relating to another individual. This may occur in the following cases:

• Bank statements provided where the account is in joint names,
• Utility bills in joint names
• Personal information contained in sets of Business Accounts

In these instances, it is the responsibility of the individual providing the data to ensure the other named individual/s are aware their data is being shared and do not object to this.

Purposes for which your data are processed

Account Opening:

We will use personal data in order to carry out the following functions related to opening an account:

• To open and maintain an account;
• To give consideration to an application prior to approval;
• Verifying the information provided in the application;
• To comply with our legal obligations, for example anti-money laundering, to identify connected borrower, to identify a politically exposed person;
• To confirm tax residency for the purposes of the Common Reporting Standard;
• To meet our obligations under the Credit Union’s Standard Rules;
• To provide members with details of the Deposit Guarantee Scheme;
• To contact members in respect of their accounts;
• To contact members in relation to any operational matters within the credit union;
• To record details of nominations and to process the nomination (subject to a valid nomination) and transfer any nominated property to the nominee(s);
• To issue members with information on any product or service held at the Credit Union or to provide details of other services, products, offers or competitions that may be of interest to our members.

Loans: Applications, Administration and Arrears:

We will use personal data in order to carry out the following functions:

• Assessing a loan application and determining creditworthiness for a loan;
• Verifying the information provided in the application;
• Conducting credit searches and making submissions to the Central Credit Register;
• To purchase loan protection from ECCU;
• To determine whether an applicant is a connected borrower or related party borrower in order to comply with Central Bank Regulations;
• Administering the loan, including where necessary, to take steps to recover the loan or enforce any security taken as part of the loan;
• To take steps to secure repayment of a loan such as processing a charge on a property;
• Providing updates on loan products and services by way of directly marketing to members;
• To contact members in relation to any transactions or missed payments on their account;
• Meeting legal and compliance obligations and requirements under the Rules of the Credit Union;
• To complete a submission to the Central Credit Register where a loan falls into arrears;
• To thank members for completing their loan payments in full;
• Where there is a breach of the loan agreement we may use the service of a solicitor to recover the debt. We will pass them details of the loan application in order that they make contact and details of the indebtedness in order that they recover the outstanding sum;

Guarantors: As part of the conditions of a loan, the appointment of a guarantor may be a requirement in order to ensure the repayment of a loan. In such instances, we have a legal and regulatory requirement to collect, process and store certain personal data of the guarantor. This will include data such as:

• name, address, contact details, occupation, PPSN, salary and other relevant financial data.

The purposes for which we may process the data of the guarantor include:

• ensure the terms of the loan agreement are met
• to contact the guarantor if the loan falls into arrears or there is a change in the payments by the member that indicate a change in circumstances
• to collect the debt
• to carry our required credit searches
• to carry out CCR checks and submissions (note: this is a legal requirement since 1^st February 2025)

The loan balance may be communicated to the guarantor at any time for the duration of the loan. The details of the guarantor will be retained in line with the loan which is 7 years from the date the loan is paid in full.

General Administration and Operation

We will use personal data to assist it in carrying out the following:

• To contact members about their account in the Credit Union for any reason;
• To contact members, using any contact method supplied, about reactivating dormant accounts;
• To record CCTV footage to ensure the safety and security of our staff, members, volunteers and any other third parties visiting our premises, to resolve complaints and improve service standards;
• To collect certain personal data if members attend the AGM such as name, account number and signature;
• To issue obligatory information to members (eg. AGM notifications, annual accounts and certain reports);
• To collect member preferences regarding marketing materials;
• Providing updates on our products and services by way of directly marketing to members;
• From time to time we may collect a small amount of personal data for entry into competitions and prize draws e.g. Car Draw. We will only use this data for the purpose of determining entry and selecting a winner for the competition/draw.

Online Operations

We offer a number of online services to our members and prospective members. In order to avail of our online services, members or prospective members must provide certain personal information.

This information is required to:

• Login to the online platform;
• Use our Mobile App;
• Transfer funds;
• Manage payments and payees;
• Apply for a loan;

Specific Terms and Conditions apply to the usage of our online platforms, and we would advise users to read these and contact us with any queries.

Nominations

Under credit union legislation, members aged 16 or over may nominate one or more individuals to receive property in their credit union account (such as shares) on their death. A member can change or revoke their nomination at any time during their membership, and a nomination may also be automatically revoked by marriage, civil partnership, or by the death of a nominee before the member. The Credit Union is required by law to keep a record of nominations (and any changes or revocations), but the validity of a nomination can only be confirmed after the member has passed away. For this reason, we cannot contact nominees during the member’s lifetime to confirm that a nomination exists.

When a nomination becomes effective, we may need to collect and process certain personal information about the nominee, such as name, address, relationship to the member, contact details, identification, bank details, and any other information necessary to verify identity and transfer the nominated property. This information may be obtained directly from the nominee or from the nomination form completed by the member. We may share such information with professional advisers (e.g. solicitors, auditors), regulators, the Irish League of Credit Unions (ILCU), or others involved in administering the deceased member’s estate, where required by law. The nominee’s name is permanently retained in the register of nominations, while nomination forms and related documentation are retained for up to seven years after the member’s passing, in line with statutory limitation periods.

Data Sharing and Data Transfers

We do not sell any personal information, nor do we share it with unaffiliated third parties unless we are required to do so by law. We will ensure that any information passed to third parties conducting operational functions on our behalf will be done with respect for the security of personal data and will be protected in line with data protection law.

Ways in which we may share personal information include:

• With official bodies including, but limited to:
  • the Irish League of Credit Unions (ILCU) under the ILCU Standard Rules and the League Rules which govern the operation of Credit Unions;
  • ECCU Assurance DAC who provide Loan Protection and personal data must be shared in order to administer claims or deal with insurance underwriting;
  • Central Credit Register who provide financial institutions with credit details relating to a member’s eligibility for a loan;
  • The Central Bank of Ireland enforce certain reporting, compliance and auditing on Credit Unions.
  • Government Departments such as Department of Finance and the Department of Social Protection may require the Credit Union to share certain personal information in order to meet legislative and regulatory requirements;
  • The Revenue Commissioners impose certain reporting obligations on Credit Unions under the Common Reporting Standards in relation to tax residency and the in respect of dividend or interest payments to members.
  • The Financial Intelligence Unit require that we submit information to them in relation to suspicious transactions.
• To engage external IT providers so as to ensure the security of our IT systems in order to protect all personal data;
• With our insurers or assessors when providing or reviewing information in the event of an incident occurring;
• To engage professional services of third parties, such as auditors, solicitors or any other such business advisers. Any such parties are bound by confidentiality;
• We reserve the right to report to law enforcement any activities that we, in good faith, believe to be illegal;
• We may share relevant personal data with the Decision Support Service where required by law or where necessary to fulfil our legal obligations in relation to supported decision-making arrangements;
• We may share relevant personal data with our fraud monitoring service provider, NEXI, to enable the monitoring of transactions for suspicious activity and the prevention of fraudulent or unauthorised payments;
• As required by the European Payments Council’s Verification of Payee Scheme, we share IBAN and Account Names with Banfico, acting as the Routing & Verification Mechanism, to verify payee information and return a match result;
• With any relevant, authorised third parties as part of a merger or acquisition, any such parties will be bound by a duty of confidentiality;
• To provide information to An Garda Síochána (e.g. CCTV footage) or other Government bodies or agencies when required to do so by law; and
• To transfer data to another credit union where we have received a request, authorised by you, from another credit union to do so.

There may be circumstances where we transfer your personal data outside the EEA, such as when we use the services of online platforms or where we use a cloud-based IT system to hold your data. We safeguard your data by ensuring a minimum of one of the following safeguards is in place:

• a contract based on “model contractual clauses” (also called Standard Contractual Clauses) approved by the European Commission, obliging them to protect your personal data;
• Binding Corporate Rules approved by relevant data protection authorities, ensuring your data is protected within a group of companies; or
• with companies located in a third country approved by the European Commission under an adequacy decision, such as the UK.

Where any of our suppliers engage the service of sub-processor to process data of which we are a Data Controller, our due diligence measures will include an assessment of this processor, in particular where the processor is located outside the EEA.  Appropriate security measures and contractual agreements are in place to protect your data whenever it is shared with any third parties.

Lawful Basis for Processing Personal Data

We are obligated to define a lawful basis for processing personal data. Below is a summary of our use of personal data and the lawful basis we rely on for the processing different categories of data for different purposes.

Article 6.1(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”

Examples of where this lawful basis is applicable include the following:

• the processing is necessary for us to setup and manage accounts and provide all services provided to our members;
• for the purpose of assessing any loan application, processing applications individuals make and to maintain and administer any accounts held with the credit union;
• to take steps to secure repayment of a loan where a loan goes into arrears;
• to apply for Loan Protection;
• to process a credit assessment when a member applies for a loan;
• to perform any part of a contract as per the Terms and Conditions outlined to our members in any such process.

Article 6.1(c) “processing is necessary for compliance with a legal obligation to which the controller is subject”

Examples of where this lawful basis is applicable include the following:

• to comply with the all regulations as outlined in the Credit Union Act 1997 (as amended);
• to meet our duties to the Regulator, the Central Bank of Ireland;
• to fulfil reporting obligations to Revenue related to a member’s tax liability under Common Reporting Standard;
• to comply with anti-money laundering and combating terrorist financing obligations under The Money Laundering provisions of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2018, as amended by Part 2 of the Criminal Justice Act 2013;
• to meet our legislative and regulatory duties to maintain audited financial accounts;
• to comply with credit reporting obligations;
• to comply with Connected/Related Party Borrowers obligations;
• to comply with the Verification of Payee Scheme managed and governed by the European Payments Council (EPC);
• to appoint a person to administer an account where a member becomes mentally incapacitated;

Article 6.1(f) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”

Examples of where this lawful basis is applicable include the following:

• assessing a loan application, as well as fulfilling a contract mentioned above, the credit union also utilises credit data from credit referencing agencies. Our legitimate interest: The credit union, for its own benefit and therefore the benefit of its members, must lend responsibly and will use credit scoring information in order to determine suitability for a loan. We will also review our member’s credit history on our database to assess each members past history and suitability for future lending.
• CCTV recording on our premises. Our legitimate interest: it is necessary to secure the premises, property herein and any staff /volunteers/members or visitors to the credit union and to prevent and detect fraud;
• during a recruitment process when we need to communicate with candidates. Our Legitimate interest: to update candidates on the recruitment process for the purposes of considering them for employment or for future positions;
• carrying out debt collection activities in the event of non-payment of a loan or missed payments. Our legitimate interest: we have a duty to our members to ensure the financial stability of the credit union so we must collect all amounts owed to us;
• carrying out data analytics. Our Legitimate interest: to ensure we are offering relevant services, to assess demand for certain services and to ensure we are acting in the best interests of the credit union to guarantee financial stability into the future. Data of individual accounts will not be analysed where individuals can be identified;
• enabling fraud monitoring on outgoing SEPA Instant payments. Our legitimate interest: to assist us in preventing the detecting fraud for the protecting of the credit union and our members.

Article 6.1(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”

Examples of where this lawful basis is applicable include the following:

• Declaration of health Forms: members give us consent to collect and store health data;
• Marketing: to provide our members with details on our products and services provided they have not opted out of receiving such communications. Individuals can opt-out of receiving marketing communications at any time;
• Cookies on our website: we may obtain information about general Internet usage by using a cookie file which is stored on an individual’s browser or the hard drive of their computer. Visitors to our website can choose not to consent to cookies, or they can manage their cookie preferences, or they can select to opt-in to some or all types of cookies.
• Competitions and Draws: when members participate in competitions or draws they will be asked for their consent prior to their personal information or image being displayed on our website, social media platforms or other publications;
• Schools Quiz: we participate in the Schools Quiz in liaison with the ILCU. The Schools Quiz is open to entrants aged 4 to 13. We will pass on a form to the contact in the school who is then responsible for asking the entrants’ parent/legal guardians for their consent to the processing of their child’s personal data. This information is processed only where consent has been given;

Please be aware that you have the right to withdraw your consent at any time. In marketing communications, there will always be an unsubscribe, for other withdrawals, contact us at using the details at the start of this notice.

Article 6.1(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;”

Examples of where this lawful basis is applicable include the following:

• Following guidelines from Public Health Authorities and Government in the event of any future pandemics,

If you fail to provide personal data

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you or we may be prevented from complying with our legal obligations.

Change of purpose

You can be assured that we will only use your data for the purpose it was provided and in ways compatible with that stated purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Data Retention Periods

We will only retain your personal data for as long as necessary to fulfil the purpose(s) for which it was obtained, taking into account any legal/contractual obligation to keep it. Where possible we record how long we will keep your data, where that is not possible, we will explain the criteria for the retention period. This information is documented in our Retention Policy. Once the retention period has expired, the respective data will be permanently deleted. Please see our retention periods below.

• As a general rule, your personal information will be retained for 7 years from the date your credit union account closed.
• Accounting records required to be kept further to the Credit Union Act, 1997 (as amended) must be retained for not less than six years from the date to which it relates.
• The money laundering provisions of Anti-Money Laundering legislation require that certain documents must be retained for a period of five years after the relationship with the member has ended.
• We keep income tax records for a period of six years after completion of the transactions to which they relate.
• Loan application information is retained until final repayment is made.
• CCTV footage which is used in the normal course of business (i.e. for security purposes) for one month.

Your Rights in connection with your personal data

You have rights  in relation to your personal data. Please be aware that these are no absolute rights and  there may be exemptions or limitations to the rights listed below. You have the right to:

• To information about how we process your personal data. This is the purpose of this notice.
• To find out whether we hold any of your personal data and if we do to request access to that data that to be furnished a copy of that data. You are also entitled to request further information about the processing.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you rectified.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
• Request the restriction of processing of your personal information. You can ask us to suspend processing personal data about you, in certain circumstances.
• Object to processing concerning them and to have the right not to be subject to a decision based solely on automated processing, including profiling
• Request that we: a)provide you with a copy of any relevant personal data in a reusable format; or b)request that we transfer your data to another organisation.
• Make a complaintto the Data Protection Commission about the processing of your data. Please see details below.

The Contact details for the Data Protection Commission are:

• Post: 6 Pembroke Row, Dublin 2
• Email: info@dataprotection.ie
• Phone: (01) 765 0100 / 1800 437 737
• Web: dataprotection.ie

Ensuring our information is up to date and accurate

We want the service provided by us to meet your expectations at all times. Please help us by telling us straightaway if there are any changes to your personal information.

Updates to this notice

We will make changes to this notice from time to time, particularly when we change how we use your information, and change our technology and products. You can always find an up-to-date version of this notice on our website at www.tubbercurrycu.ie or you can ask us for a copy.

We strive to identify, create and deliver innovative solutions to address the needs of our members and support them in achieving financial success.