ACCLM Privacy Statement
ACCLM Privacy Statement Effective from 12 October 2018
ACC Loan Management DAC (“ACCLM”), a subsidiary of Rabobank Coöperatieve UA in the Netherlands (Rabobank Group), processes personal data. We want to provide you with clear, transparent information about this matter. This privacy statement contains answers to the most important questions about personal data processing by ACCLM.
This privacy statement describes how we deal with personal data processing. It also contains examples to make our explanation as clear as possible. If you have any questions about this privacy statement, please contact us by email: firstname.lastname@example.org.
What does ACCLM mean by personal data processing?
This privacy statement concerns personal data processing. What do these words mean?
- Personal data
Information that says something directly or indirectly about you is referred to as personal data. Examples include your name and address, and also information such as your income.
Information relating to a sole trader, commercial partnership or professional partnership is also considered personal data.
Information relating to a legal entity is not personal data, but information relating to a legal entity’s contact person or representative does count as personal data.
Processing means anything that can be done with personal data. This includes the collection, storage, use, transfer and removal of data.
- Whose personal data does ACCLM process?
We process personal data if we have, want to have, or have had a business relationship with you, or if we have had contact with you.
The people whose personal data we process includes:
- customers and their representatives
- people who show an interest in ACCLM or our products and services
- people who are connected in another way with a business or organisation with which we have, want to have, or have had a business relationship
- security providers and guarantors
- What does ACCLM expect from businesses and organisations?
If your business or organisation transfers any personal data concerning employees or ultimate beneficial owners (UBOs) to us, we also expect your employees, executive directors or UBOs to be informed about this. You can give this privacy statement to them so that they can learn how we deal with their personal data.
Ultimate beneficial owner: A natural person who holds a stake in a legal entity, can exercise voting rights or is the beneficiary of all or part of the legal entity’s capital. Financial institutions are required by law to determine who the UBOs are.
- Who is responsible for the processing of your personal data?
This privacy statement considers the processing of personal data by ACCLM. Data may be shared within Rabobank Group to the extent that this is permitted by law. When sharing data within Rabobank Group, we comply with the Binding Corporate Rules that we have agreed within Rabobank Group. These rules describe how the divisions of Rabobank Group deal with personal data.
- Which personal data does ACCLM process?
ACCLM processes different types of personal data:
|Types of data||What kinds of data might be involved?
|Examples of how Rabobank uses the data|
|Information that allows an individual to be identified directly or indirectly||Name, address, telephone number, e-mail address, information provided in your identity document.||For identification purposes, to draw up an agreement or to contact you.|
|Information relating to or used for agreements||Information about your financial situation, the products you have, your risk profile (if you invest) and information used for obtaining finance, such as payslips and the value of your home.||To assess whether a product is suitable for you. For example, if you have, or apply for, a mortgage loan with us, we want to know whether this loan is appropriate.|
|Payment and transaction data||When a payment is made, information about the person you paid or who paid you, when the payment took place and what the balance in your account is.||To be able to check whether the number you entered matches the name you specified in a payment instruction.
For your security and ours.
|Special categories of personal data||Information concerning your health, biometric data, information about criminal convictions, data which reveal your ethnic origin or political inclinations.||If you give your consent for this, we record information concerning your health for purposes such as providing a tailored service to your needs.
In the context of combating terrorism, we are required to record information about your country of birth. We are also required to do this in connection with tax obligations.
|Recorded calls and
documentation of e-mails.
|Conversations we have with you, and you have with us, by telephone.
E-mails you send to us and which we receive from you.
|We may use the recorded calls and e-mails to combat fraud, to fulfil legal obligations, to monitor quality, to provide proof, to improve our services and to train, coach and assess our employees.|
|Data we receive from other parties||Data obtained from the Company Registration Office, Credit Reference Agency.||We use this information to check Directors and UBO’s details and your credit position.|
|Data we share with other parties||Financial information and transaction information.||We may be required to share customer and transaction data with the relevant authorities and regulatory bodies in Ireland as part of compliance with the Anti Money Laundering, Counter Terrorism Financing and Fraud prevention laws and/or regulations. We also share information with credit reference agencies.|
|Data we require to combat fraud, to ensure your security and ours, and to prevent money laundering and the financing of terrorism||The data we keep in our internal and external referral registers, sanction lists, location information, transaction data, identity information, camera images, cookies, IP address and data relating to the device on which you use online services.||In order to comply with legal obligations and prevent you, the financial sector, Rabobank or our employees from becoming the victims of fraud, for security reasons and to protect the financial markets, we check whether you appear in our external or internal referral registers and we have to check whether your name appears in sanction lists.|
- How does ACCLM come by your personal data?
We receive your personal data because you provide it to us yourself. Examples include entering into a contract with us or data you send to us in order that we can contact you, and data arising from the services we provide in areas such as payments.
We may also receive your data from business units within Rabobank Group or from other financial institutions in the context of combating fraud, money laundering and terrorism.
We may also receive data from others, such as suppliers or other parties we work with. Or public sources like newspapers, public registers and websites. Or because you have given another party consent to share data with us.
- For which purposes, and on what basis, does ACCLM process personal data?
The types of personal data processed by ACCLM are described above. The purposes for which we process personal data are described below. In addition, we indicate the basis on which this processing is done. By law, every personal data processing operation must have a legitimate basis.
|Section||Purpose of personal data processing|
|6a||To enter into a business relationship and agreement with you|
|6b||To perform agreements and carry out instructions|
|6c||To ensure your security and integrity as well as the security and integrity of ACCLM and the financial sector|
|6d||For management of your account|
|6e||To enter into and perform agreements with suppliers and other parties we work with|
|6f||To comply with legal obligations|
|6g||To carry out business processes including management reports and internal management, and to conduct transactions, reorganisation and restructuring of our business and assets/td>|
|6h||For archiving purposes, scientific or historic research purposes or statistical purposes|
a) To enter into a business relationship and agreement with you
We need to have your personal data if you want to become a customer, or if you want to use a new service or contact us.
For example, we have to perform research to assess whether we can accept you as a customer. When you become a customer, we have to establish your identity for almost all our products and comply with our legal obligations. As part of this, we may make a photocopy of your proof of identity.
If you wish to become a customer, or are already a customer of ours, we are required by law and ACCLM Policy to screen your name against relevant international sanctions lists and ACCLM/Rabobank Group internal warning lists.
For the most part, we process your personal data because we are under a legal obligation to do so. If, however, this legal obligation does not apply directly to ACCLM, we have a legitimate interest in processing your personal data for these purposes. We may also process such data where this is necessary to conclude the agreement.
b) To perform agreements and carry out instructions
When you are a customer of ours, we want to be of service to you. We execute the instructions we receive from you and perform the agreements we have concluded. This is what we have agreed with you. We process personal data for this purpose.
If you make a payment through us, we might need to transfer your data to another financial institution. The payee can also see and record your payment data, such as the address details relating to your account. Both the person who issues the payment instruction and the beneficiary (payee) may enquire about specific data relating to the account.
We provide you with information about the transactions in your bank account, or credit or financing, or, if you are at risk of falling behind on your payments, we will contact you to look for a solution.
You may also ask us to divulge your personal data to a third party, in which case we will transfer your personal data to that party.
We may make recordings of telephone conversations and e-mail messages. The purposes for which this is to ensure a high standard of service. We may also do this if we are legally required to do so, or to provide proof and monitor quality, to investigate fraud and other matters, and for training, coaching and assessment purposes.
We process personal data because this is necessary in order to perform the agreement, and also because we are under a legal obligation to do so, for example in the context of payments. If you do not provide certain information to us, we will not be able to perform the agreement.
In a number of cases, we have a legitimate interest in processing your personal data, for example when making recordings of telephone calls.
c) To ensure your security and integrity as well as the security and integrity of ACCLM and the financial sector
We process your personal data to ensure your security and ours, and also security of the financial sector. We also do this for the purpose of preventing fraud, money laundering and the financing of terrorism.
Incident registers and warning systems
If you wish to become a customer, or are already a customer of ours, we will consult the incident registers and warning systems of ACCLM/Rabobank Group.
We may consult the incident registers and warning systems, and we may also record your personal data in these registers. If you do not agree to the recording of your personal data, you can object to this or ask that your data is corrected or erased.
Publicly accessible sources
We consult publicly accessible sources, such as public registers, newspapers and the internet, in an effort to combat fraud and protect ACCLM.
We may perform analyses aimed at preventing fraud and protecting you and ACCLM. For example, we may create a profile of your usual payment behaviour in order to reduce fraud or the misuse of bank cards and credit cards. If the observed behaviour differs from your usual payment behaviour, this may form grounds for declining payments by fully automated means. If we have decided to do this, we will inform you as soon as possible.
We may make use of information that you did not supply to us in the context of combating fraud, such as information about the transactions in your account. The regulator also requires that we do this.
We may make recordings of telephone conversations and e-mail messages, for example, and may document these recordings. We do this in the context of investigating fraud. We may also do this if we are legally required to do so, or to provide proof and monitor quality, and for training, coaching and assessment purposes.
We process your data because this is necessary in order to comply with a legal obligation. If we are not under a direct legal obligation to process your data, we process the data on the basis of a legitimate interest of ACCLM, the financial sector or our customers and employees.
d) For management of your account
We process your personal data for account management. In doing so, we use data we have obtained from you, such as payment data and your account activity , as well information not obtained directly from you, including public registers (such as the CRO), and publicly available sources (such as the internet).
We process your data to comply with a legal obligation or because we have a legitimate interest in this.
e) To enter into and perform agreements with suppliers and other parties we work with
If you have contact with ACCLM for work-related reasons, we may process your personal data, for example so that we can establish whether you are permitted to represent your business, or so that we can give you access to our offices. Where necessary, we may consult incident registers and warning systems and all relevant international sanctions lists before we enter into our agreement and also while the agreement is in effect in the context of screening.
We process your data so that we can perform the agreement we have concluded, because we are required to do so by law or because we have a legitimate interest in this.
f) To comply with legal obligations
Under various national and international legislation and regulations, we have to collect and analyse a large amount of data relating to you and sometimes transfer such information to European and other government authorities. We must comply with legislation in order to be able to offer you financial products and services. We also process personal data in order to fulfil our duty of care.
We also have to comply with legislation designed to combat fraud, crime and terrorism, such as the Criminal Justice (Anti-Money Laundering) Acts. For example, we are required to perform customer due diligence and to conduct further inquiries if you hold specific assets or if an unusual transaction takes place in your account. If we spot an unusual transaction, we must notify the competent law enforcement agency. Under this law, we have to establish who the ultimate beneficial owner (UBO) is of a business or organisation with which we have a business relationship.
We may receive requests for data from the Revenue Authorities, the Garda Síochána and the Courts Service as well as organisations such as the intelligence services. If they do this, we are required by law to cooperate with the investigation and transfer data relating to you.
European rules require that we produce risk models if you apply for a loan or credit or if you have received a loan or credit from us. This is so that we are able to determine which risks ACCLM is exposed to and comply with relevant capital requirements. We process your personal data for this purpose.
We also need to use these models to prevent situations in which you are unable to repay your financing or are unable to repay it on time. These risk models also predict how likely it is that you will fall behind on your payments. We can use the information they provide to prevent or deal more quickly with any payment problems, for example in consultation with you. We will then process your personal data for this purpose. We will do this for various reasons. These include performing our agreement with you and because we are required to do so by law.
Providing data to the government
Legislation and regulations may require that we transfer data (analysed or otherwise) relating to you to a government institution, a tax authority or a regulator outside Ireland, such as the European Central Bank (ECB) or the Dutch Central Bank (DNB).
Making and documenting recordings
We may make recordings of telephone conversations and e-mail messages and may document these recordings. We do this to comply with legal obligations, for example in the context of banking services. We may also do this to provide proof, to monitor quality, to combat and investigate fraud, and to train, coach and assess employees.
We process your data because this is required by law, or because we would otherwise not be permitted to perform an agreement with you, or if we have a legitimate interest in processing your data so that we can comply with a statutory or other legal obligation.
g) To carry out business processes including management reports and internal management, and to conduct transactions, reorganisation and restructuring of our business and assets
Know your customer
As a service provider, we believe it is important and necessary that we have a good picture of our customers. This may include knowing your employment details where necessary.
Determining credit risk associated with loans and credit facilities
Lending involves credit risk. We have to determine what that risk is, so that we can calculate the buffer we need to maintain. In connection with this, we process data relating to your loans and credit facilities.
Business Transactions including transfer of loans/mortgages
It can happen that we will sell, transfer or merge part or all of our business or assets to or with another party (which could be another member of the Rabobank Group, another bank or any other entity). Our assets include loans that we have made to you, such as your mortgage loan. This can happen in various forms including without limitation through a loan portfolio sale. If such a sale/transfer/merger takes place, your personal data will be processed. Where this happens we may need to disclose your personal data in the course of a transaction to a prospective buyer or acquirer of the asset both to facilitate the potential and the actual transfer of that asset. Once the loans have been transferred, the other party will also process your personal data. We will agree with the other party that it must comply with strict confidentiality and other legal obligations relating to confidential information and personal data protection.
Internal audits and studies
We also use your data to perform internal audits and investigations, for example in order to examine how well new rules have been introduced or to identify risks.
Improving our own business processes
We also use data to analyse and improve our business processes so that we can help you more effectively or make our processes more efficient. Where possible, we will anonymise (data that cannot be traced back to an individual in any way) or pseudonymise (data that can be linked to an individual if additional information is included) your data first.
We process your data because this is required by law or because we have a legitimate interest in doing so, including to support business transactions of the type referred to above, to effectively manage our assets and protect their value. Processing your personal data in the manner otherwise outlined above may also be necessary for the performance of our agreement with you.
h) For archiving purposes, scientific or historic research purposes or statistical purposes
We may also process your personal data if this is necessary for archiving purposes in the public interest, scientific or historic research purposes or statistical purposes. Where possible, we will anonymise or pseudonymise your data first.
When processing personal data for archiving purposes, scientific or historic research purposes or statistical purposes, we process the data on the basis of the legitimate interest of ACCLM or its parent, the financial sector or our customers and employees.
- How long does ACCLM keep your personal data?
We do not keep your data for any longer than necessary to fulfil the purposes for which we collected the data or the purposes for which data are reused. We have adopted a data retention policy. This policy specifies how long we keep data. In Ireland, this is usually for seven years following the termination of the relevant agreement or the ending of your business relationship with ACCLM. Data are sometimes kept for longer, for example if the regulator asks us to keep specific data for longer in the context of risk models. In some cases, we use different retention periods.
In specific situations, we may also keep data for longer than we are required by the retention period fixed by us. We will do this if, for example, the judicial authorities request data, in which case we will keep the material for longer than one month.
Once we no longer require the data for the purposes described in sections 6 a to 6 h, we may still keep the data for archiving purposes, in the event of legal proceedings, or for historic or scientific research purposes or statistical purposes.
- Does ACCLM also process special categories of personal data?
Special categories of personal data include data concerning health, biometric data and data which reveal racial or ethnic origin. We only process such information if we are required to do so.
Rabobank Group participates in incident registers and warning systems for the financial sector and may process information about criminal convictions in this context. The purpose of these incident registers and warning systems is to protect the interests of financial institutions and their customers, for example by detecting and recording cases of fraud.
We process special categories of personal data where this is permitted by law, because this information was made public by you, or with your permission, for example if you inform us that you have a visual impairment so that we can try and facilitate your needs. We ask for your consent to record this information. If you have given us consent to record special categories of personal data, you may withdraw that consent at any time. To do this, please contact us.
- Does ACCLM use automated individual decision making including profiling?
We do not envisage that any decisions will be taken about you that produces legal effects or significantly affects you, based solely on automated individual decision making including profiling.
- Which people at ACCLM have access to your data?
Within ACCLM, your personal data can be accessed only by individuals who need to have access owing to their position. All of these people are bound by a duty of confidentiality.
- Does ACCLM use personal data for any other purposes?
If we want to use information for any purpose other than the purpose for which it was obtained, we may do this as long as the two purposes are closely related.
If there is not a sufficiently strong connection between the purpose for which we obtained the data and the new purpose, we will ask you to give your consent. If you have given us consent to record special categories of personal data, you may withdraw that consent at any time. To do this, please contact us.
- Does ACCLM transfer your personal data to other parties and to other countries outside the EU?
a. Within Rabobank Group
Your personal data may be shared by divisions of Rabobank Group, for example because you ask us to do this.
These divisions of Rabobank may also be located in countries outside the European Union that apply less stringent data protection rules. We share your data with divisions of Rabobank Group, in which Rabobank holds a majority interest, only if the divisions comply with Rabobank’s Binding Corporate Rules, which outline the rules that all these divisions of Rabobank Group have to comply with. The Rabobank Binding Corporate Rules guarantees adequate protection of personal data.
b. Outside Rabobank Group
Your data is also transferred to other parties outside Rabobank Group if we are required to do this by law, because we have to perform an agreement with you or because we engage another service provider, for example we have outsourced the management of loans to Link ASI Limited.
We transfer your personal data to third parties if we are required to do so. Examples of such third parties include national and European regulators, such as the Central Bank of Ireland (CBI) the Dutch Central Bank (DNB) and the European Central Bank (ECB), and the various tax authorities.
We also transfer data if this is necessary in order to perform our agreements with you. For example, we use third parties such as SWIFT to enable you to make payments internationally. These third parties are subject to supervision by their local regulators. This may mean that your payment and transaction data are transferred to other parties in countries that do not enjoy the same level of personal data protection as the European Union.
If your personal data are processed in a country with a different level of data protection, this may mean that your personal data are the subject of investigations by competent national authorities in the countries where the relevant information is held.
We sometimes engage other parties / business partners that process personal data on our instructions. Examples include printers that handle customer mailshots for us and print your name and address on envelopes and parties that store data for us. Before such parties are engaged, we must first ensure they are sufficiently reliable. We may only engage parties if this is in keeping with the purpose for which we processed your personal data. Moreover, this other party can be engaged by us only if it reaches specific agreements with us, has demonstrably implemented appropriate security measures and guarantees that your personal data will remain confidential. Your personal data may also be shared with other parties that we engage in the course of our business or for the provision of our services.
If we transfer your data to other parties outside the European Union, we take additional measures to protect your data. In some countries outside the European Union, the rules for protecting your data are different from those that apply within Europe. If we make use of a third party located outside the European Union, and if the European Commission believes that the country in which this third party is located does not offer adequate protection in the area of personal data processing, we will only transfer your data if other, suitable guarantees are in place, such as the contractual arrangement approved by the European Commission, or on the basis of the Privacy Shield (United States).
- What rights do you concerning your personal data held by ACCLM?
a. right of information
This privacy statement describes what ACCLM does with your data. In certain cases, we provide additional or different information. For example, if Rabobank records your personal data in its incident registers, it will inform you about this separately (provided it is permitted to do so). We will also do this if there are other reasons for providing you with information in addition to the privacy statement. We may do that by means of a letter, by leaving a message in your inbox or in another way to be determined by us.
b. right of access to and rectification of personal data
You may ask us whether we process data relating to you, and if so, which data this concerns. In that case, we can provide you with access to the data processed by us that relates to you. If you believe your personal data has been processed incorrectly or incompletely, you may request that we change or supplement the data (rectification).
c. right to erasure (‘right to be forgotten’)
You may request that we erase data concerning yourself that we have recorded, for example if you object to the processing of your personal data. Your interest must also be greater than ACCLM’s interest in processing the data.
d. right to restriction of processing
You may request that we restrict the personal data relating to you that we process. This means that we will process less personal data relating to you.
e. right to data portability
You have the right to request that we supply you with data that you previously provided to ACCLM in the context of a contract with us or with your consent, in a structured, machine-readable format, or that we transfer such data to another party. If you ask us to transfer data directly to another party, we can do this only if this is technically feasible.
f. right to object to processing based on a legitimate interest
If we process your data because we have a legitimate interest in doing so, for example if we make recordings of telephone calls but this is not required by law, you may object to this. In that case, we will reassess whether it is indeed the case that your data can no longer be used for that purpose. We will stop processing your data if your interest outweighs our interest. We will inform you of our decision, stating the reason.
g. right to object to direct marketing
You have the right to request that we stop using your data for direct marketing purposes. It may be the case that your objection relates to being approached through a specific channel, for example if you no longer wish to be contacted by telephone but still want to receive our newsletters. We will then take steps to ensure you are no longer contacted through the relevant channel.
If you make a request as described above, we will respond no later than one month after we receive your request.
We may ask you to explain your request for access in more detail. For example, if you request access to recorded calls, we may ask you to provide search keys, such as the time the call was made and the number from which it was made. In very specific cases, we may extend this period in which we must respond to a maximum of three months. In that case, we will keep you informed about the progress made with your request.
If you make a request, we may ask you to provide proof of your identity. For example, if you submit a request to exercise your right of access or right to data portability, we will want to be certain that we provide your personal data to the right person. In some cases, we may ask you to come to the offices so that you can make your identity known and we can verify your identity. In some cases, there may be doubts as to whether we can send you the data securely. If so, we may ask you to come to the offices to collect your data.
In certain cases, we may not be able to comply with your request, for example because this would violate the rights of others, would be against the law or is not permitted by the Garda Síochána
or another public authority, or because we have weighed up the relevant interests and determined that the interests of ACCLM or others in processing the data take precedence. In that case, we will inform you.
If we adjust your data or erase your data at your request, we will notify you of this and also inform the recipients of your data wherever possible.
- Who can you contact if you have a question or complaint concerning personal data held by ACCLM?
If you have any questions or complaints concerning the processing of personal data by us, please contact the Data Protection Officer:
- by email at email@example.com or
- by post at ACC Loan Management DAC, Georges Dock House, 2 Georges Dock, International Financial Services Centre, Dublin 1, D01 H2T6.
If you wish to make an access request in relation to your personal data, please apply in writing to the Data Access Request Team, Asset Services, Block C, Maynooth Business Campus, Maynooth, Co Kildare, W23 F854.
- Can ACCLM change this privacy statement?
Yes, our privacy statement may change from time to time. We will adjust the privacy statement when new data processing operations are introduced. If these changes are also relevant for you, we will draw your attention to these changes or clearly communicate them to you. The most recent version of our privacy statement is always made available online at www.acclm.ie. You can also view previous versions on our website.