Privacy Policy

Data Privacy Notice

(Click below link to view our policy as PDF)

April 2025 Privacy Notice 

We are committed to protecting the privacy and security of your personal information. This notice (together
with our website terms and conditions, Privacy Notice and Cookie Notice) describes how we process personal
information about you during and after your relationship with us.

We will always comply with the General Data Protection Regulation ("GDPR") when dealing with your personal
data. Further details on the GDPR can be found under ‘Your Data’ at the Office of the Data Protection
Commission website (dataprotection.ie). For the purposes of the GDPR, we will be the “controller” of all
personal data which we hold about you. You can find our contact details at the end of this privacy notice.
If you are providing personal information on behalf of a third party, you must ensure that the third party
receives a copy of this privacy notice before their personal data is shared with us.

PURPOSES OF PROCESSING AND LEGAL BASIS

A credit union is a member-owned financial cooperative, democratically controlled by its members, and
operated for the purpose of promoting thrift, providing credit at competitive rates, and providing other financial
services to its members. Data collection, processing and use are conducted solely for the purpose of carrying
out the abovementioned objectives.

PERFORMANCE OF A CONTRACT

This basis is appropriate where the processing is necessary for us to manage your accounts and provide services
to you. This includes for example account opening, payments, lending, current accounts. As part of this process,
we may be required to pass some of your personal information to a third party, intermediary or counterparty.

COMPLIANCE WITH A LEGAL OBLIGATION

This basis is appropriate when we are processing personal data to comply with legal obligations to which we are
subject.
Tax Regulations: We may share information and documentation with domestic and foreign tax authorities to
establish your liability to tax in any jurisdiction. Where a member is tax resident in another jurisdiction, we have
certain reporting obligations to the Revenue Commissioners under the Common Reporting Standard. Revenue
will then exchange this information with the jurisdiction of tax residence of the member. We shall not be
responsible to you or any third party for any loss incurred as a result of us taking such actions.
Regulatory and Statutory Requirements: To meet our duties to regulators (which includes the Central Bank of
Ireland), we may allow authorised people to see our records (which may include information about you) for
reporting, compliance and auditing purposes. For the same reason, we will also hold the information about you
when you are no longer a member. We may also process your personal data and share your information with
certain statutory bodies such as the Department of Finance, the Department of Social Protection and the
Financial Services and Pensions Ombudsman Bureau of Ireland if required by law. We also collect and process
your information for compliance with Anti-Money Laundering/ Combating Terrorist Financing regulations.

Audit: To meet our legislative and regulatory duties for general compliance and to maintain audited financial
accounts, we appoint auditors in various capacities. We allow such auditors to see our records (which may
include information about you) for these purposes.
Central Credit Register: We are required to perform credit checks in the event you apply for a loan and to supply
information to the Central Credit Register and to use the Central Credit Register when considering loan
applications to determine your borrowing options and repayment capacity and/or facilitate other lending
institutions to carry out similar checks.
Nominations: The Credit Union Act 1997 (as amended) allows members to nominate a person/persons to
receive a certain amount of funds from their account on death, subject to a statutory maximum. We must record
and process the personal data of nominees in this event and you should inform your chosen nominees of this
fact and show them a copy of this privacy notice.

LEGITIMATE INTERESTS

A Legitimate interest is when we have a business or commercial reason to use your information. It is our
legitimate interest to protect our assets and the savings of our members. But even then, it must not unfairly go
against what is right and best for you. Examples of situations in which your personal information is processed
based on our legitimate interests are:

Guarantors: As part of your loan conditions, we may make the requirement for the appointment of a guarantor
a condition of your loan agreement in order to ensure the repayment of your loan. Should your account go into
arrears, we may need to call upon the guarantor to repay the debt in which case we will give them details of the
outstanding indebtedness. If your circumstances change it may be necessary to contact the guarantor. Likewise,
if you are acting as the guarantor in these circumstances, your personal information will be used and shared for
the purposes of providing the guarantee which includes disclosing information to relevant third parties as
required

Debt Collection: We may use the services of debt collection agencies if you are in breach of any agreement
relating to credit. This will involve passing your personal information to agencies such as solicitors, private
investigators and other third parties so that debts can be collected.

CCTV: We have CCTV footage installed in our premises with clearly marked signage. The purpose of this is for
security.

Your Image: When you open an account or when we need to update your identification we will take and/or
store your image and place this on our systems. This will be displayed on our account screens when we access
your account information and at the front counter when you come in to transact with us. The purpose of this is
to help us to identify you, to provide security and to help prevent fraud.

Consent

Sometimes we need your consent to use your personal information.

With direct marketing for example, we need
your consent to make you aware of products and services which may be of interest to you. Before you give your
consent, we will tell you what information we collect and what we use it for.

You can withdraw your consent at
any time by contacting us or by logging on to our website (https://www.athenrycu.ie/login.asp).

Biometric data means personal data resulting from specific technical processing relating to the physical,
physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification
of that natural person, such as facial images. In the context of the use of biometric data for our mobile app, we only use biometric data as set by you to allow verify online Debit Card transactions without the need to enter the PIN. This setting is optional and you can alternatively verify transactions by using your PIN.

In the event that you apply for a loan, we may collect and process information on your health. You will be asked
for your consent to process this type of personal information. During the course of your loan application, if you
choose to share your bank account information with us via TrueLayer (Ireland) Limited, who are registered as an
Account Information Services Provider (AISP) with the Central Bank of Ireland, we will send you an email
explaining the process and containing a link to the portal of the AISP (TrueLayer). Thereafter, you will be asked
to provide your consent directly to TrueLayer (Ireland) Limited to proceed with the account information service
and TrueLayer (Ireland) Limited will be a Controller of your personal data. Their privacy policy is available here.

Consent is also required for entry to competitions we may run from time to time e.g. Art competition and schools
quiz, and for electronic AGM notifications, annual account statements, and online access.

What Personal Data do we Use?

We may collect, use and store the following categories of personal information about you either in paper or
electronic form (which will be dependent on which credit union service you avail of):

Name, address, date of birth, email address, telephone number, financial data, status and history, transaction
data, contract data, details of the credit union product you hold with us, signatures, identification documents,
salary, occupation, accommodation status, mortgage details, previous addresses, your spouse, partner,
nominee, guarantor or other connected third party, Tax Identification Numbers (TIN), Personal Public Service
Numbers (PPSN), legal documentation, third party professional services correspondence, local authority/
government correspondence, records of discussions with our personnel whether on our premises, by phone or
email, current or past complaints, CCTV footage and your image (for security and verification purposes) and
telephone voice recordings with respect to both incoming and outgoing calls.

We may also collect and use the following 'special categories' of more sensitive personal information:
• information about your health or any medical conditions (when it is required in connection with a loan
application for insurance purposes).

We need all of this information to contact you, to identify and verify who you are, to comply with our legal
obligations and to be able to provide you with our services.

Special Categories Data: “Special categories” of particularly sensitive personal data require higher levels of
protection. We need to have further justification for collecting, storing and using this type of personal
information. We may process special categories of personal information in the following circumstances:
• in limited circumstances, with your explicit written consent;
• where we need to carry out our legal obligations and in line with our data protection policy; and
• where it is needed in the public interest, and in line with our data protection policy.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where
it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent
or where you have already made the information public.

Sharing Of Personal Data

We may share your personal information with trusted external third parties we have appointed to perform
important functions on our behalf based on our instructions and applying appropriate confidentiality and
security measures in compliance with Data Protection regulations. We may share your personal information
with the following third parties:

 statutory and regulatory bodies. These include the courts and those appointed by the courts, statutory
and regulatory bodies including: the Central Bank of Ireland, the European Central Bank, the Data
Protection Commission, Financial Services Ombudsman, An Garda Síochána/ police authorities/
enforcement agencies, Revenue Commissioners, Criminal Assets Bureau, ombudsmen and regulatory
authorities, as well as fraud prevention agencies;
 our legal and professional advisers such as auditors and external legal counsel;
 trade associations and professional bodies;
 insurers;
 any sub-contractors, agents or service providers engaged by the Credit Union (including their
employees, directors and officers), such as back up and server hosting providers, IT software and
maintenance providers, and suppliers of other back office functions;
 credit reference (CCR), debt recovery or fraud prevention agencies;
 payment recipients and other financial institutions.

If we issue you a debit card, Transact Payments Limited (which is an authorised e-money institution) will also be
a controller of your personal data. In order for you to understand what they do with your personal data, and
how to exercise your rights in respect of their processing of your personal data, you should review their privacy
policy which is available at https://currentaccount.ie/files/tpl-privacy-policy.pdf.
If you use our electronic payment services to transfer money into or out of your credit union account we are
required to share your data with our electronic payment service provider. As part of these processes, we may
be required to pass some personal information to an intermediary or counterparty (e.g., if you perform a
payment transaction, we pass information on the transaction to the payee concerned).

We may also share your personal information with any third parties to whom you have instructed us to share
your information with.

Transfer to a Third Country or International Organisation

For the majority of our services, we do not transfer your personal data to countries outside the European Economic Area (EEA) or those countries not deemed by governmental authorities to have an equivalent system of data protection in place.

In relation to our current account, some of your data may be transferred outside of the EEA (for example the United Kingdom) which is connected to the business of the service providers who we rely on to assist us to provide this particular service to you.

Data Retention Period

We will only retain your personal data for as long as necessary to fulfil the purpose(s) for which it was obtained, taking into account any legal/contractual obligation to keep it. Where possible we record how long we will keep your data. Where that is not possible, we will explain the criteria for the retention period. This information is documented in our Retention Policy. Once the retention period has expired, the data will be permanently deleted. Examples of our retention periods are as follows:

• Successful Membership Application: 7 Years after the relationship has ended
• Member ID, address verification and PPSN documentation: 5 years after relationship has ended
• Loan Applications Approved: 7 years after the loan is paid in full
• Nomination Forms: 7 Years after the relationship has ended.

If you would like further information about our data retention policy, you can contact us using the details below.

Your Rights Under Data Protection Laws

Consistent with the requirement to have a legal basis for processing your personal data as outlined above, you also have certain rights in relation to such processing under applicable data protection law. These are:

• to find out whether we hold any of your personal data and if we do, to request access to that data or to be furnished a copy of that data. You are also entitled to request further information about the processing;
• to request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you rectified;
• to request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You have also the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
• to object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes;
• to request the restriction of processing of your personal information. You can ask us to suspend processing personal information about you in certain circumstances;
• to withdraw your consent at any time and free of charge when this is the sole basis upon which we process your personal information;
• to request that we provide you with a copy of any relevant personal data in a reusable format or request that we transfer your relevant personal data to another data controller where it is technically feasible to do so. ("relevant personal data” is personal data that you have provided to us or which is generated by the use of our services which is processed by automated means and where the basis that we process it is on your consent or to fulfil a contract you have with us).

You have a right to complain to the Data Protection Commissioner (DPC) in respect of any processing of your data by:

Please note that the above rights are not always absolute and there may be some limitations.

If you want access to and/or copies of any of your personal data or if you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we send you a copy, or a third party a copy of your relevant personal data in a reusable format, please contact our Data Protection Officer in writing or by email using their contact details below.

There is no fee for exercising any of these rights unless we deem your request to be unfounded or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to verify your identity if we have any doubt as to who you are, and we will not be able to act on any requests in relation to your personal data until we receive this verification and are satisfied with it.

Ensuring our information is up to date and accurate: We want the service provided by us to meet your expectations at all times. Please help us by telling us straightaway if there are any changes to your personal information.

Implications of Not Providing Information

If you fail to provide information when requested, we may be unable to enter into or administer the relationship with you. In cases where providing your personal information is optional, we will make this clear. In particular, it is not mandatory that our members sign up to receive marketing communications.

Automated Decision Making/Profiling

Sometimes we may use electronic systems to assist us to make decisions based on personal information we have (or are allowed to collect from others) about you. This information may be used for loan assessment, provisioning and anti-money laundering purposes and compliance with our legal duties in those regards. Please let us know if you would like further information on these processes and how they may impact our provision of services to you.

Processing for Another Purpose

You can be assured that we will only use your personal data for the purpose it was provided and in ways compatible with that stated purpose. If we need to use this data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

Contact Details

Any queries with respect to this notice or if you want to exercise any of your rights in relation to your personal data, please contact:

The Data Protection Officer, Athenry Credit Union, Old Church Street, Athenry, Co. Galway.

Email: dataprotection@athenrycu.ie - Telephone: 091 844306

Please also note that you have a right to complain to the Data Protection Commission (DPC) in respect of any processing of your personal data by:

Telephone: 076 110 4800/057 868 4800 - Post: DPC, 21 Fitzwilliam Square, South Dublin 2, D02 RD28, Ireland

Please also see the DPC website for how to complain and for further information on data protection law and the rights available to you (this website also contains the most up to date contact details for the DPC and their preferred method of contact for example by the online webforms available.): https://www.dataprotection.ie/

This Privacy Notice may be updated from time to time and the current version of this Privacy Notice shall be
displayed on our website www.athenrycu.ie