Data Protection Policy
This policy relates to the entities of Rabobank in Ireland (the “Companies”), which include ACC Loan Management, Rabo Ireland DAC and Rabobank Dublin Branch. All Rabobank in Ireland entities are part of the Rabobank Group (the “Group”). Data protection is the safeguarding of the privacy rights of individuals in relation to the processing of personal data held in both paper and electronic format. This document outlines the Companies’ policy in respect of data protection. The Data Protection Acts 1988 and 2003 (the “Acts”) contain statutory obligations in relation to the collection, processing, and disclosure of personal and sensitive data. In addition, the Acts provide individuals with the right to access their personal data upon request, and to have incorrect personal data amended. All entities of Rabobank in Ireland are data controllers for the purposes of the Acts. Enquiries about data protection or this policy should be made to: The Privacy Officer, Compliance Department, Rabobank, Georges Dock House, IFSC, Dublin 1.
The objective of this policy is to affirm the companies’ commitment to protecting the privacy rights of individuals in accordance with the Data Protection Acts. The definitions used in this policy are detailed in the appendix at the end of this document.
Data Protection Principles
The Companies will perform their responsibilities in accordance with the Acts and the eight Data Protection Principles contained therein. These principles state that the companies, as data controllers, shall:
- Obtain and process information fairly;
- Keep it only for one or more specified, explicit and lawful purposes;
- Use and disclose it only in ways compatible with these purposes;
- Keep it safe and secure;
- Keep it accurate, complete and up to date;
- Ensure it is adequate, relevant and not excessive;
- Retain for no longer than is necessary;
- Give a copy of personal data to the individual upon request.
All policies and procedures in the companies shall be consistent with the eight Data Protection Principles and shall ensure that any data subject can exercise their rights under the Acts.
Collection and processing of data
The Companies may collect, process or store personal data:
- to provide credit and investment services;
- to provide banking services, including online banking services;
- to perform market research for the purposes of advertising, marketing (both direct and distance marketing);
- to perform accounting and other record-keeping functions;
- to provide personnel, payroll and pension administration services for employees of the Company;
- to comply with our legal obligations.
Telephone calls may be recorded in order to confirm verbal instructions and for quality and training purposes. Personal data will be securely stored, in manual or electronic form, and in accordance with the Acts. In addition, data collected for a specific purpose, product or service may be stored in the Companies with other information relating to an individual, and only in accordance with the Acts.
Disclosure of Information
The Companies will not disclose an individual’s personal data outside the Group except:
- when the Companies have express consent to do so, or in circumstances as agreed between the Companies and an individual, and in accordance with the Companies’ terms and conditions;
- when necessary, to our service providers, agents, regulatory bodies and auditors;
- when the Companies are required or permitted to do so by law;
- to any persons, including insurers and lenders who supply benefits or services to the individual, under or in connection with the Companies’ terms and conditions;
- to fraud prevention agencies where required.
Notification shall be given to you of any significant or material changes to the way in which data is collected, processed, stored or disclosed by the Companies, where such changes are not covered by this policy, the Companies’ terms and conditions, or the Companies’ websites. In the provision of any services that have been or may be requested from time to time, it may be necessary for some or all of an individual’s data to be transferred to other countries, including those outside of the European Economic Area. When data is transferred to another country, the Companies will ensure that the country in which the recipient resides has similar Data Protection legislation to the European Economic Area. In addition, the Companies will ensure that the recipient of the data has systems and procedures in place to handle data securely and in a manner equivalent to those of the Companies.
Sensitive Personal Data
Sensitive personal data shall only be held for the specific purpose for which it was obtained and only for the purposes of providing a mortgage, credit, investment, savings product or other applicable banking service, or when the data subject is an employee, for the purpose of employment in the Company. Other than in the exceptional cases as prescribed by the Acts, explicit consent shall be obtained in order to process sensitive personal data.
Save where there is a legal requirement to retain data for an alternative timeframe, the Companies shall retain data in respect of data subjects for no longer than necessary following the end of the relationship between the Companies and the data subject. These retention periods exist to ensure compliance with any obligations the Companies may have.
Responsibility for ensuring compliance with the Acts rests with the Companies, their employees and agents. All employees and contractors of the Companies who separately collect, control or process personal data are individually responsible for compliance with the Acts. The Compliance Department co-ordinates the provision of support, assistance, advice and training within the Companies to ensure compliance with the Acts.
Procedures and Guidelines
The Companies are committed to ensuring individuals’ privacy and this is reflected in their guidelines and procedures in relation to all aspects of data protection. Specific policies and procedures that supplement this policy have been approved by Senior Management of the Companies. In addition, training procedures are in place for all employees of the Companies to ensure high standards in relation to data protection are maintained.
Right of Access to Information
Under the Acts, an individual has the right to access his/her personal data upon written request and payment of a small fee to Asset Services, who act as a data processor under instruction of the Companies. In addition, the data subject also has the right to have any incorrect data held on file corrected.
If you wish to submit a request to access personal data, a written request known as a data access request for information should be forwarded to: Asset Services, Block C, Maynooth Business Campus, Maynooth, Co. Kildare, W23 F854.
This Data Protection Policy shall be reviewed annually and in consideration of legislative or other developments, as appropriate.
Data means individual facts, statistics, or items of information regarding an individual. Data can refer to automated data and manual data;
Automated data means information that – (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or (b) is recorded with the intention that it should be processed by means of such equipment;
Data controllers refers to those who, either alone or with others, control the contents and use of personal data. Data controllers can be either legal entities such as companies, Government Departments or voluntary organisations, or they can be individuals such as G.P.s, pharmacists or sole traders;
Data processor means a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment.
Data subject is a living individual to whom personal data relates.
Manual data means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;
Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller;
Processing, of or in relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including – (a) obtaining, recording or keeping the information or data, (b) collecting, organising, storing, altering or adapting the information or data, (c) retrieving, consulting or using the information or data, (d) disclosing the information or data by transmitting, disseminating or otherwise making it available, or (e) aligning, combining, blocking, erasing or destroying the information or data;
Relevant filing system means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;
Sensitive personal data means personal data as to – (a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject, (b) whether the data subject is a member of a trade union, (c) the physical or mental health or condition or sexual life of the data subject, (d) the commission or alleged commission of any offence by the data subject, or (e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.