ECCU Assurance DAC General Data Protection Privacy Notice
ECCU Assurance DAC, (“ECCU”), is the credit union movement’s own life assurance company. ECCU was established in 1980 by credit unions for credit unions following years of work by the Irish League of Credit Unions, (“ILCU”), and its affiliates, with government departments and regulators. ECCU’s policyholders consist solely of the credit unions affiliated to the ILCU across the Republic and Northern Ireland. ECCU and its credit union policyholders capture, process and exchange between them, relevant personal data of credit union members, as joint controllers, for the purposes of their life assurance policies.
2. The essence of ECCU’s relationship with the credit unions
ECCU insures credit union members’ lives when they borrow money from their credit union, (“CU”). The CU is the policyholder, pays the insurance premium and receives the benefits ECCU pays in respect of successful claims. Some credit unions take out additional cover but all credit unions affiliated to the ILCU subscribe to a minimum level of cover which aims to pay off an outstanding loan upon the death of a borrower, subject to the terms and conditions of each credit union’s policy.
3. Why does ECCU process personal data?
ECCU needs the information for underwriting purposes, which means we assess it to identify any risk factors which would impact the terms on which ECCU provides cover, and for claims administration – in order to decide whether to accept or reject a credit union’s claim.
Furthermore, as a life assurance company, ECCU is required to monitor transactions in accordance with the requirements of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, and to detect/prevent fraud. ECCU processes personal data for these and other legal purposes as well.
4. Which personal data does ECCU collect and process ?
ECCU informs members of the specific data it processes in specific privacy notices which are provided by credit unions when the data are collected.
Some of the personal data is health related. This is a special category of personal data which ECCU needs and is allowed to process because, in the Republic of Ireland, it is necessary for the purposes of a life assurance policy and, in Northern Ireland, because the UK Government has provided that, with the provision of insurance and payment of claims being in the substantial public interest, the processing of health related personal data necessary for an insurance purpose is lawful. ECCU takes very good care of it either way.
5. How long does ECCU keep personal data ?
ECCU processes and retains personal data until after loan repayment or finalisation of all claims relating to a member whichever comes first.
6. What is the lawful basis for ECCU’s processing of personal data ?
ECCU needs this information for the purposes of a life assurance policy, i.e. for underwriting, claims administration, fraud prevention and statistical purposes.
ECCU also needs your personal data to comply with legal obligations under Section 35(3) of the Criminal Justice (Anti Money Laundering and Prevention of Terrorism) Act 2010, and to establish, exercise or defend legal claims in the courts or before the Data Protection Commission and to respond to complaints made to the Financial Services and Pensions Ombudsman’s Bureau of Ireland, in the Republic of Ireland, or to the Financial Ombudsman Service in the UK, by the credit unions, ECCU’s policyholders.
ECCU does not process personal data on the lawful basis of consent.
7. Who has access to personal data and to whom is it disclosed by ECCU?
The credit unions, ECCU and its reinsurer, where necessary, access the personal data which are processed in connection with ECCU’s policies, as joint controllers of the data.
ECCU may disclose personal data to other third parties, e.g. ECCU uses the services of document storage and electronic data processing companies, as data processors, for safe and secure file storage, retrieval and analysis. ECCU has agreements in place with such third parties containing measures that provide for the protection and security of personal data when within their care.
ECCU is required by law to operate an internal audit function to review its internal control system and to undergo statutory external audit as well. These audit functions are supplied to ECCU by specialist external professional services firms. ECCU is also required to have an actuarial function which has a role in determining ECCU’s reassurance and capital requirements, statistical analysis and regulatory reporting. ECCU outsources this function to a specialist firm of actuaries. ECCU may be required to make personal data available to these firms in the course of their work.
Keeping Personal Data Secure
In all cases ECCU takes very good care of personal data and uses appropriate measures to safeguard the interests and fundamental rights and freedoms of credit union members with respect to protection of their private information.
ECCU has security measures in place, which include physical, technical and administrative safeguards to protect the confidentiality and security of personal data. These measures are employed by qualified staff who are provided with appropriate annual training and equipped with technical and organisational policies, procedures and practices so as to protect all data from loss, misuse and unauthorised access.
8. Personal information rights and how to exercise them ?
Members have rights in relation to the personal data ECCU collects and processes, including the right, where relevant, to:-
• Be kept informed. This includes details on how data is collected, used and secured by ECCU. ECCU provides specific privacy notices to inform on these matters.
• Request a copy of personal data by making a subject access request to the data controller(s);
• Rectify errors, if any, in ECCU’s records;
• Request erasure, where relevant, of personal data;
• Withdraw consent that provided previously, for continued processing of personal data. This only applies where consent is the lawful basis for the processing;
• Object to the processing of personal data on the lawful basis of legitimate interests;
• Not be subject to automated decision making without human intervention being available;
• Request a portable machine readable copy, where relevant, of any personal data provided by electronic means.
Credit Union members also have the right to lodge a complaint with the relevant supervisory authority in Ireland, the Data Protection Commission at firstname.lastname@example.org, if resident in the Republic of Ireland, and, alternatively, the Information Commissioner’s Office, see www.ico.org.uk, if resident in the UK.
9. Contact information
Members may exercise their rights by contacting the Data Protection Officer at ECCU in writing or by telephone, details below:-
The Data Protection Officer,
ECCU Assurance DAC,
Address: 33-41 Lower Mount Street, Dublin 2, D02 Y489.
Tel: +353 1 6146700 (e-mail: DPO@eccu.ie)