Privacy Policy
Altura Credit Union Limited
Privacy Notice
In accordance with Data Protection and Privacy law
1. Altura Credit Union Limited as a data controller
Altura Credit Union (ACU) is a member-owned financial organisation that provides financial services to its members. Our members are persons living in a common bond area covering areas of Wexford, Wicklow, Carlow, and Kildare. We are committed to the privacy of those that we engage with, and this statement details our approach. While providing personal data to us during business or using our website, we will manage your data in accordance with this privacy notice/statement.
- Controller name; Altura Credit Union Limited
- Controller contact: if you would like to contact ACU's data protection representative regarding this notice please email us at dp@alturacu.ie or call on 0818 345 925.
Personal data processed by Altura Credit Union is managed in accordance with current Data Protection Regulation in Ireland and the GDPR.
If you are under 18 please read this statement with the assistance of a parent or guardian. We advise you to use a current version of this document when considering your rights.
2. Key Definitions
- Our or we or ACU or the Credit Union refers to Altura Credit Union Limited
- You, Your, Member or Subject refers to the individual person whose personal data is the subject of the text.
- Personal Data is information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as; a name, an identification number, location data, an online identifier, or one of more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.
- Data Subject is the identified or identifiable natural person.
- Special (often referred to as sensitive) data is racial or ethnic origin, political opinions, religious or philosophical beliefs, or trades union membership, or that includes genetic data, biometric data to reveal the identity of a person, or data concerning health, sex life or sexual orientation. Personal data relating to criminal convictions is also considered sensitive.
- Controller is the natural or legal person or body which alone or jointly determines the purpose and means of the processing of personal data. ACU is a Controller of personal data.
3. Purpose and lawful basis
ACU processes your personal data for many reasons, and we are obliged to inform you of the purposes for which we use your data and legal basis for processing.
In general, we may obtain personal data including name, address, phone numbers, e-mail address, other electronic identifiers, title, profession, images, IP address, photographic ID, company details, dependents or partner details, your bank or mortgage details, politically exposed status, tax identities, video recordings, e-mails and other information provided by you while engaging with the Credit Union and while agreeing credit. We may also obtain similar information from third parties such as the Irish credit agencies, or from your use of ACU systems, or when you sign up to or attend events or otherwise engage with the Credit Union.
The purposes for processing your personal data may overlap, and some purposes for processing may have multiple legal basis. They are as follows:
| Category | Purpose | Examples of the type of data processed | Legal basis for processing* |
|---|---|---|---|
| Application/membership administration | To initiate and manage our relationship with our members or potential members | General Personal Details: name, contact details, address, tax identities, date of birth tax residency, financial position, proof of identity details, beneficial ownership details, security details, occupation, security facts | - Entering into or performance of a contract - Consent - Legitimate interest of ACU* - There is a legal / regulatory obligation |
| Savings | To manage member savings accounts | General Personal Details plus source of funds, bank details, record of transactions and balances. For clubs or businesses, identity of officers | - Performance of a contract - Legitimate interest of ACU* - There is a legal / regulatory obligation - Consent |
| The personal data of third parties | We may need to communicate with connected 3rd parties that are not members of the Credit Union to manage an event, to comply with law or regulation, or in relation to a financial product | Identification details, relationship, securities, and address relating to partners, family, guarantors, beneficiaries, nominees or a director or representative of an entity or person | - Performance of a contract - Legitimate interest of ACU* - There is a legal / regulatory obligation - Consent |
| Affiliation with the Irish League of Credit Unions ILCU or Credit Union Development Authority CUDA | Reporting and use of services provided by representative bodies and to fulfil our obligation in accordance with ILCU/CUDA rules | Member details and information relating to the provision of insurance | - Performance of a contract - There is a legal / regulatory obligation - Credit Union Act and amendments - Legitimate interest of ACU* |
| Enquiries | To engage with individuals who make an enquiry | Details provided on the enquiry including name, and contact details | - Consent - Legitimate interest of ACU* |
| Incapacity to act upon an account | When a person is unable to transact due to an intellectual incapacity - Appointment of an individual to administer the account or - board approval of transactions | All personal data | - There is a legal / regulatory obligation - Vital interest of the subject - Legitimate interest of ACU* |
| Loan applications and loan management | To manage the loan process and loan agreement including assessing creditworthiness, validating information provided during the application process, determine if you are a connected or related party borrower, assessing credit history with the CCR, effecting a legal charge over an asset and to manage the loan account. | Personal details & proof of identity plus credit history/rating, monthly income/outgoings, employment details and payslips, bank statements, PPS number, connected party status, Marital status, spouse/partner/dependents details, property details, social welfare receipts, Declaration of Health, information relating to connected parties, details of a guarantor to the loan application, records of communication relating to a loan | - Entering into or the performance of a contract. - There is a legal / regulatory obligation (including the Credit Union Acts, Anti Money Laundering legislation and Central Bank regulations) - Legitimate interest of ACU* |
| Credit Control | To manage the debt recovery process including credit searches and engaging with the CCR the recovery of debt, the transfer of debt and the enforcement of security or guarantee against a loan | As above (for loan application and loan management) | - Performance of a contract (loan and membership agreements) - There is a legal / regulatory obligation - Legitimate interest of ACU* |
| Identity details; | To establish the Identity, status, address and proof of identity of the parties to a loan | Identity data relating to the member, guarantors, nominees, family members or advisors | - Performance of a contract (loan and membership agreements) - There is a legal / regulatory obligation - Legitimate interest of ACU* |
| Spouse / Partner | To assess a loan application, validate data provided on a loan application, perform a credit search with the CCR to establish credit status and comply with law or regulation | Name, identification and contact details, financial and creditworthiness details, dependents, relationship with applicant | - Performance of a contract (loan and membership agreements) - There is a legal / regulatory obligation - Legitimate interest of ACU* |
| Guarantors | To evaluate suitability / creditworthiness, verify identity, inform of changes to performance of a loan, the collection of debt and comply with law or regulation | Name and contact details, financial details, ID verification, creditworthiness, connected party status | - Performance of a contract (loan and membership agreements) - There is a legal / regulatory obligation - Legitimate interest of ACU* |
| Data required for the employment of staff | To enter into contracts with members of staff and to manage staff. | Personal data includes but is not limited to; name, address, contact details, PPS number, bank account details, nationality, next of kin, background vetting, reviews and other information to effectively manage the relationship between ACU and a member of staff | - The performance of a contract. - There is a legal / regulatory obligation - Legitimate interest of ACU* - Consent |
| The role of a member of staff | Personal data required to the effective functioning of a member of staff in their role. In particular the management of members and interaction with regulators, representative bodies and other state organisations | CCTV recordings, voice recordings, meeting notes, professional opinion, judgements or signatures during the performance of your role | - The performance of a contract. - There is a legal / regulatory obligation - Legitimate interest of ACU* - Consent |
| Life savings & Loan Protection Insurance provided By ECCU. | To provide loan protection and life savings protection for loans issued | Personal data relating to loan protection insurance. Loan protection insurance personal data may include 'special' personal data including medical records | - The performance of a contract. - There is a legal / regulatory obligation - Legitimate interest of ACU* |
| Death Benefit Insurance provided by CMutual | To provide a payment upon death of an eligible sole or first named member for the purposes of funeral expenses | Personal data obtained as part of your membership application and balance information upon death to show eligibility. | - The performance of a contract. - There is a legal / regulatory obligation - Legitimate interest of ACU* |
| Direct Marketing to Members | To inform members of ACU of services and events that they may be interested in | Contact details including postal address, e-mail, text, phone, mobile phone. (You may opt out of any of the above upon request. | - Consent - Legitimate interest of ACU* |
| Competitions or Quizzes | To hold a competition or draw for Members or members of the public | Name and contact details Member number | - Consent - Legitimate interest of ACU* |
| Surveys | To understand the requirements or views of subjects | Name and contact details Member number | - Consent - Legitimate interest of ACU* |
| CCTV recordings on all premises, both internally and externally | For safety and security | Motion images from cameras (not including voice) | - Legitimate interest of ACU* or another party - and to protect the Credit Union in the event of security or safety incident or other unlawful event - Vital interest of subjects |
| Internal cameras | For safety, security and the monitoring of transactions and cash handling | Motion images from cameras (not including voice) | - Legitimate interest of ACU* or another party - and to protect the Credit Union in the event of security or safety incident or other unlawful event and to monitor transactions and resolve disputes |
| Voice - to maintain a record of communications and advice to member or potential members | To verify content relating to advice or communication relating to the services of the Credit Union | Voice calls | - There is a legal / regulatory obligation - Consent - Legitimate interest of ACU* |
| Voice - Security | Security | Voice calls | - Vital interest of a natural person - Consent - Legitimate interest of ACU* to protect the Credit Union against malicious or other harm |
| Voice Mail | To record a message provided by a Subject | Voice message | - Consent - Legitimate interest of ACU* |
| Employment and engagement with staff or volunteers | To engage with staff members for the purpose of managing the affairs of the Credit Union | Name, address, taxation details, next of kin, qualifications, personal work assessments and records, work related personal requirements, records of work activities | - Performance of a contract (employment or other arrangement) - There is a legal / regulatory obligation - Consent - Legitimate interest of ACU* |
| Revenue | To comply with the requirements of Revenue, to pay all applicable taxes, enable tax audits and provide tax reports as required in law and in compliance with Irish Common Reporting Standards | Identity, address, TIN or PPS number, date of birth, Account details including balance, dividend or interest payments, country of residence, details relating to the payment of tax | - There is a legal / regulatory obligation |
| Regulatory Authorities | To enable processes that are compliant with law and regulation, and to facilitate audits and compliance reporting to the Central Bank of Ireland relating to Credit Unions, and any other mandatory requirements relating to ACU | Prudential Returns | - There is a legal / regulatory obligation - Legitimate interest of ACU* |
| AML | To comply with the Criminal Justice (money laundering and terrorist financing) Act and Amendments | Name, Identification, proof of address, date of birth, PEP statue, Photographic ID including passport or driving license, other form of identification, PPS number, details of transactions, AML or Fraud reports | - There is a legal / regulatory obligation |
| Auditors & Compliance | To audit the activities of the Credit Union in line with regulation and best practice | All data | - There is a legal / regulatory obligation - Legitimate interest of ACU* |
4. Where you have provided consent
Where we are processing data based on your consent you may withdraw that consent at any time.
5. Who we share Personal Data with.
We take all reasonable measures to protect your personal information while it is in our possession, however, it may be transferred to others where there is a legitimate and lawful reason. This section lists the categories and types of organisations that we may transfer personal data to.
5.1 Operational
Individuals whom you name such as guarantors, nominees or partners, joint account holders, individuals authorised to act on your behalf (including Decision Making Representatives or Attorneys), professional advisors, industry representation, payroll bureau and oversight authorities.
Companies who carry out services in relation as part of our lending process including Metamo, and Graphical Financial Analysis (Visualyse service) for credit risk assessment, and CRIF and Truelayer for account information services (open banking information).
The Visualyse privacy notice can be found at https://www.graphicalfinancialanalysis.com/Policies/PrivacyPolicy.pdf
Truelayer is an independent data controller providing Account Information Services https://truelayer.com/en-ie/legal/privacy/
CRIF is also an independent data controller providing Account Information Services https://www.crif.ie/privacy-policy/
If we issue you a debit card, Transact Payments Malta Limited (which is an authorised e-money institution) will also be a controller of your personal data. In order for you to understand what they do with your personal data, and how to exercise your rights in respect of their processing of your personal data, you should review their privacy policy which is available at https://currentaccount.ie/files/tpl-privacy-policy.pdf
If you use our electronic payment services to transfer money into or out of your credit union account we are required to share your data with our electronic payment service provider. As part of these processes, we may be required to pass some personal information to an intermediary or counterparty (e.g., if you perform a payment transaction, we pass information on the transaction to the payee concerned).
For members joining via our app, we use verification of identity services provided by Jumio.
5.2 Legal / Regulatory Requirements
Central Bank - Credit Union Regulator, Department of Finance, Revenue, Department of Social Protection, Financial services and pensions ombudsman, State anti-fraud/criminal investigation (Gardaí, CAB), Central Credit Register, Irish League of Credit Unions, Credit Union Development Authority, Audit & Compliance, Solicitors, Banks, other organisations the event of a merger, and advisors representing the Credit Union.
Data provided to Revenue may be exchanged with other tax authorities. Further information on the exchange of data by Revenue can be found at https://www.revenue.ie/en/companies-and-charities/international-tax/aeoi/index.aspx.
5.3 Credit assessment, credit control, and loan in arrears or debt recovery
Guarantors, debt collection agencies or others legitimately involved in this process, a solicitor to affect a legal charge over an asset, a third party who has purchased debt, Irish credit organisations including the CCR (Central Credit Register).
5.4 Insurance
ECCU Assurance DAC, CMutual, ILCU SPS, or other organisations for the purpose of insurance relating to Credit Union products
5.5 Information technology & support services
Your personal information may also be transferred to third party service providers who process information on the Credit Union's behalf, including providers of information technology, loan application technology providers, website hosting and management, data analysis, anti spam services, data back-up, security, e-mail, communications, voice recording and storage services. The Credit Union's principal operating system is provided by Progress.
5.6 Staff management and employment
Your information may be shared with others including financial institutions, regulators, state bodies where we are obliged to provide that information in law, strategic partners (ILCU, CUDA, Metamo, professional advisors etc) Payroll, pension administration, benefits provision and administration, HR support, occupational health specialists, IT services.
6. International transfer
ACU does not currently transfer personal data to any recipients outside of the EEA European Economic Area unless;
- members use online identity validation software or
- requested to do so by the subject or
- in the course to the recovery of a debt where connected parties are outside of the EEA.
In the event that a service provider to the Credit Union is international in nature, or sub processes with entities that are not within the EU, we will take steps to ensure that personal data is retained in the EU and that any further processing that may expose such data to international transfer is subject to the protections provided by a lawful basis of transfer.
7. Responsibility of Members and others who provide personal data to us
You warrant that personal information provided to us by you that relates to third parties (e.g., family, guarantors, nominees) for the administration and delivery of services being provided, or while engaging with us in any other way, has been obtained fairly and lawfully and that such information is accurate. You also warrant that third parties introduced by you are aware of the purpose for which their personal data is being used and that their privacy rights have been upheld.
Failure to provide data that is required as part of a request for services from the Credit Union or to fulfil the Credit Union’s legal and regulatory obligations may result in us being unable to provide you with the services requested or continue existing services.
8. Information relating to children and vulnerable persons
The processing of personal data relating to children receives special attention under Data Protection Regulation and we shall treat this information with particular care. Information obtained about children under 16 shall comply with the requirement for parental consent and shall receive additional consideration while planning an operational process.
9. Special (Sensitive) Data
ACU recognises special categories of data, specifically personal data revealing racial or ethnic origin, political opinion, religious of philosophical beliefs, trades union membership, genetic or biometric data, or a subject’s health or sexual life. The processing of these categories of information shall typically require consent. We may also process Special data where there is a legal/regulatory obligation, there is a legitimate interest or where it is in the public interest.
Health data may be processed for the processing of an insurance or mortgage product under Irish law. Such processing will not normally require your consent.
10. Nominations
Irish legislation enables the nomination of successors to a deceased member's property in their Credit Union account and provides for special treatment independent of the deceased persons estate. This is a unique facility available to Credit Unions and all members are entitled to a nominate successor(s). A Member's nomination together with a record of revocations (the revoking of a nomination) shall be retained confidentially by the Credit Union. Personal data relating to nominations will be retained for up to six years following the completion of the nomination process.
ACU will request confirmation of a Nominees identity, relationship to the member, and payment details to administer a valid nomination following the death of a member. Nomination information may be transferred to advisors, auditors, administrative staff and recognised oversight authorities for the administration of this facility and will always be bound by confidentiality obligations.
11. Confidentiality & security
ACU have implemented generally accepted standards of technology and operational security to protect personal data from alteration, unauthorised disclosure, or destruction, and from use for unauthorised purposes. Furthermore, we have taken measures to ensure that contracts with all third parties that provide technical and processing services include terms that specify appropriate technical and organisational security measures to prevent accidental, unauthorised, or unlawful disclosure or processing of personal data.
12. Your Rights
Subjects have the right to:
- Be informed of information on whether we have personal data relating to a subject, the categories of data and the purpose of processing
- Where information is collected directly from you, you will be informed of the controller, the representative, details about the processing of your data and your rights
- Where data was not provided by you, we will identify the source of that data together with data categories
- Be informed if a failure to provide the personal data will have any direct and material personal consequences
- Access your personal data. Where the format is not reasonably understood, this shall be delivered in an intelligible format
- Have inaccurate, incomplete, or out-of-date personal data that we hold about you corrected, or deleted
- Withdraw consent for your personal data to be processed - where it was obtained from you on the basis of consent
- Make a submission on any automated decisions making processes or profiling of you.
- Transfer your data to another controller
- Have your personal data excluded from certain categories of processing
- Lodge a complaint with the Data Protection Commissioner. Contact details for the DPC can be found at www.dataprotection.ie
Please note
- There are some limitations to these rights
- Nomination data is confidential and will not be released
- You can contact us to exercise these rights by e-mail at dp@alturacu.ie. We will ask for additional information to verify your identity prior to acting upon such requests.
12. Removal from mailing lists
You may unsubscribe from our mailing lists at any time by using the ‘unsubscribe’ button on marketing communications, or by contacting us at dp@alturacu.ie.
14. Reporting of Data Breaches
Where a data breach occurs that poses a risk to the subject it shall be reported to the Data Protection Commission. Where such a breach occurs and poses a high risk to you, we will also inform you. All breaches will be managed in accordance with Irish law and the GDPR.
15. Profiling
We may profile personal data in certain instances. This is typically in the context of applying for a loan, fulfilling our obligations under Anti Money Laundering legislation or for the purpose of marketing. Such processing and any decisions we make about you as a member (including assessment of a loan application or approval of any other services) will not be automated and will always be subject to the intervention of an officer of the Credit Union.
16. Cookies
While using our web site we use cookies – small text files – which are placed on your hard drives to provide a more intuitive website experience. Cookies are a typical part of operating procedure for most websites and most browsers permit users to opt-out of receiving them if the user would prefer.
You can opt out of the use of certain categories of cookies on the cookie notice tool that is always visible while you use the ACU website. This may reduce some of the functionality of the site.
Cookies can also be deleted by you from your browser at any time.
17. Data Retention
We retain personal data that you submit to us only for as long as is necessary and for the purposes for which it was obtained, or as required by law. We have detailed retention periods for which personal data shall be retained for particular purposes below. The Credit Union reserves the right to delete personal data prior to the conclusion of the retention period or where such retention is not absolutely necessary for the provision of service to a subject.
| Purpose of processing | Duration (minimum) | Criteria for the storage of personal data |
|---|---|---|
| Membership information | 7 years | From closing of the account, or greater where regulation mandates. |
| Identity verification data | 2 years | Upon expiry of use (and it has been replaced) |
| Call Recordings | 6 months | From the date of call. |
| Loan application denied - application and supporting documents | 1 year | From loan final denial |
| Loan related data (transaction details) | 7 years | From closing of the account, or greater where regulation mandates. |
| Death benefit | 1 year | From closure of membership account |
| Loan protection insurance | 1 year | From closure of a membership account |
| Employment/volunteer data | Generally, for the duration of employment plus 7 years. Where categories of data have - regulatory limitations to possible liability, or - mandatory retention periods, We will retain for these periods plus one year. | |
| Marketing data relating to non-members | 12 months | From the last communication |
| CCTV | 1 month | From recording. Up to 6 years in the event of an incident where a material risk of a liability exists |
| Incidents or complaint reports | Permanent | |
| Small balance write-offs / Un-cashed Cheque details | Permanent | Mandatory requirement |
| Documentation relating to revenue | Stored as mandated by law plus 12 months | |
| AML and Fraud prevention documentation | Stored as mandated by law plus 12 months | |
| Records and explanation of transactions, and of the provision of service | As mandated by the CU Handbook published by the Central Bank plus 12 months |
Nothing in this section creates an obligation upon the Credit Union to retain personal data on behalf of a data subject.
18. Updates
This notice may be updated to comply with precedent, to reflect changes in the service delivered, or to provide further clarification. The most up to date version is available in all branches and a record of updates is published on the Credit Union website. We advise you to use a current version of this document when considering your rights.
