1. INTRODUCTION

Data protection has always been of paramount importance to First Citizen Finance DAC (FCF), we appreciate the trust that you put in us to use your personal data only for appropriate reasons in the course of our relationship with you. With the implementation of EU General Data Protection Regulation 2018 (GDPR) as of the 25th of May 2018, anyone who holds individuals’ personal data must meet the obligations of GDPR which includes enhancing their policies and, in general, to be more transparent. GDPR also gives you greater control over how we use your personal data.

Though little has changed for FCF, you can read below our thorough privacy policy explaining our bases for collecting and using your personal data, what we do with it, and what your rights are with regard to your personal data in accordance with all applicable data protection laws and principles, including GDPR and the applicable Irish Data Protection Acts.

We thank you for your continued trust in us. 

2. WHO WE ARE

In this policy, the use of “FCF”, “us”, “we” or “our” refer to First Citizen Finance DAC, and its subsidiaries and related companies, including (but not limited to): FC Capital Holdings DAC, First Citizen Agri Finance DAC, First Citizen Asset Management DAC.

Our head office is located at:

Bloom House, Gloucester Square, Railway St, Dublin 1.

3. HOW WE COLLECT YOUR PERSONAL DATA

Personal data can be collected in the course of our relationship with you, and as you avail of our services, both directly from you and from other parties, when appropriate. Examples of when and the kind of data we may collect is listed below:

  • When you make an application for finance. (Name/address/Date of birth/marital status/occupation/salary/employment/place of birth/bank details/e-mail/contact number/current loan repayments/maiden name/previous address/credit history/residential status)
  • When finalising the details of a successful application. (Identification verification docs)
  • When you make a payment. (card details)
  • When you look for advice. (dependent on the query)
  • When you contact us via phone. (dependent on the query)
  • From information publicly available about you. (when data is collected on you, but not directly from you, we can provide any available information on its source at your request)
  • Through mobile applications (Abacus app – when applying for finance)
  • During the recruitment process (Full name, address, nationality, occupation, gender, e-mail address, phone number, PPSN)

When you make an application with us, in order to process your application fully, we may share with and receive personal data from third parties such as the Irish Credit Bureau and the Central Credit Register. More information on our sharing of personal data with third-parties can be found in the “Who we share personal data with” section (section 5).

4. HOW WE USE YOUR PERSONAL DATA

Our use of your personal data is primarily in relation to the performance of a contract with, or a service to, you. We have and will continue to keep our client’s personal data secure and ensure that it is only used for the needs of our relationship with you. This may require us to share your data with selected entities and organisations such as funding partners, back-up service providers, auditors, investors, and outsourcers of services.

Examples of how we use your personal data: 

  • To make an informed decision on your finance application and its suitability.
  • To provide you with a quote or product offering.
  • To carry out credit checks with the Irish Credit Bureau and the Central Credit Register.
  • To verify your identity.
  • To manage your account(s) with us.
  • To process payments to and from you.
  • To recover outstanding debts due to us in arrears cases
  • To maintain adherence to our legal and regulatory obligations.
  • To gather information when there is an insurance claim on an asset financed by us.
  • To respond appropriately to any complaints or appeals.
  • To give an accurate reflection of your loans with us to the Irish Credit Bureau and the Central Credit Register.
  • To perform audits and have audits performed on the company.
  • To analyse and understand our portfolio risk profile.
  • To maintain your data rights.
  • To provide you with statutory and regulatory information.
  • To screen prospective and existing customers for Anti-Money Laundering / Counter Financing of Terrorism reasons.
  • To comply with mandatory requests from regulatory bodies such as the Central Bank of Ireland.
  • To send you SMS messages containing information requested by you.
  • To maintain backups of critical data.
  • To acquire approval from funding partners.
  • To perform our company audits.
  • To assess potential job applicants in the recruitment process.
  • For other purposes that may arise as we provide our services to you. 
  • In the processing of applications we use technology to determine the risk profile of the applicant via a scoring system. Though this score is generated based on the data we have received and processed on you automatically, every application is presently processed independently, and accepted, or declined, following a review by our underwriters. In cases where a decision has been made automatically, you are able to contest this decision. 

5. WHO WE SHARE PERSONAL DATA WITH

We only share your personal data with third-parties when it is required in the course of our contract with you, and to fulfil the requirements of the conducting of our business. Any third-parties who we share data with are expected to have their own adequate information security measures and to be fully compliant with all applicable data protection legislation. These third-parties must enter into Data Sharing agreements with FCF prior to any transfer of personal data.

We are also bound to provide personal data in relation to regulatory or lawful requests.

Examples of situations we would share your personal data with third-parties:

  • To perform credit checks with, and provide reports on loan performance to, the appropriate credit bureaus or credit registers. 
  • To process payments, such as direct debits from accounts or refunds to customers.
  • Where we service finance products on behalf of another company, they have access to your personal data.
  • Products that are offered in conjunction with another party or another party provides funding for, we must acquire their approval before we can complete loan processing.
  • In situations where another entity or person is a member of the FCF credit committee or credit assessment process.
  • To report on performance of loan portfolios owned by another company but serviced by FCF.
  • At the request of our credit intermediaries when they act on your behalf.
  • To collect debts, such as in the event of an insurance claim or the death of a client.
  • To trace missing customers.
  • To initiate legal proceedings.
  • To obtain legal advice.
  • For external audits by audit companies.
  • Assigning loans to Special Purpose Vehicles (SPVs) owned externally, but serviced by FCF.
  • Storage of hard-copy files relating to customer information by secure storage companies.
  • In relation to providing services to politically exposed persons or sanctioned persons.
  • To prevent money-laundering / financial crime.
  • In the case of joint accounts or accounts with guarantors, they will have access to certain data on the other account holder.
  • In the event of a sale, merger, liquidation, receivership or transfer of all or substantially all of the assets of our company provided that the third party agrees to adhere to the terms outlined in our privacy policy and that they only use your personal data for the purposes that you provided it to us.
  • To third-parties in connection with a sale or purchase of assets by us. For further information on the parties we share personal data with, please do not hesitate to contact us. Our contact details can be found in section 11 of our privacy policy.

6. HOW LONG WE HOLD YOUR PERSONAL DATA FOR

How long we hold your personal data for depends on several factors:

  • Our regulatory obligations in holding the particular data.
  • Whether you are an active customer of ours or just an applicant.
  • If you or FCF are involved in legal proceedings which require the retention of the personal data.
  • If you requested we retain your data for a valid reason.
  • Other extenuating circumstances which necessitates the retention of your data.

Our current policy for the retention and deletion of personal data states that in typical cases we will hold your data for one year, if you applied but did not avail of a product, or six years after the last transaction if you are an active customer of ours. Data on job applicants who did not get hired is retained for one year. In the case of customers of ours who availed of our finance in partnership with the SBCI, as per EU state rule, we must retain your personal data for 10 years after the last transaction. When this time elapses, if the data does not need to be retained for other reasons, the data is permanently deleted in the next of our bi-annual system-wide data purges. In some cases this deletion of data, in practice, may also involve the anonymisation of some data so that it may be retained, and subsequently used, for statistical or analytical purposes.

7. OUR LAWFUL BASES FOR USING PERSONAL DATA

Under data protection lawful bases for processing, we may collect and use personal data under one or more of the following lawful bases, depending on the context:

  • For the performance of a contract you have entered, or steps prior to entering a contract at your request.
  • In compliance to a legal obligation to which we are subject.
  • To protect your vital interests, or those of another natural person.
  • For the purposes of the legitimate interests pursued by us or a third-party, except where such interests are overridden by your interests or fundamental rights and freedoms.
  • Where you have given consent to the processing of your data for one or more specific purposes.

We process limited amounts of sensitive data (special category data) but where we do, we will have a lawful basis for doing so.

In any situation where we have sought and acquired consent to process your personal data, you may withdraw your consent at any time by notifying us. Any processing of the data done prior to the withdrawal of consent is unaffected. Please do not hesitate to contact us if you wish to identify the specific basis for our holding of particular personal data of yours. We may rely on different lawful bases for different data elements.

8. THE IMPLICATIONS OF NOT GIVING REQUESTED PERSONAL DATA

We will only ever use your personal data for one or more of the reasons outlined in the lawful bases section of this document (section 7). If we ever require more personal data which falls outside of our general lawful bases (contract, legal obligation or legitimate interest) we will seek your express agreement in the collection and processing of this data.

Though you are not obligated to provide us with any data we request, if you choose not to, it is possible we will not be able to provide the service you requested or adequately assess your application for a product.

If you are ever concerned about what our basis for wanting particular personal data is, we can tell you under which category it falls and why.

9. INTERNATIONAL DATA TRANSFERS

In certain circumstances it will be required that we transfer your personal data to entities outside of the EEA in order to improve our service to you and assist us in our provision of products to you. You can be assured that if we do share your information with an entity outside of the EEA it would solely be on the basis that the recipient acts only in accordance with the agreed terms and processes the data only on our instruction, so that your data rights would never be compromised. 

10. YOUR DATA RIGHTS

We at FCF take the protection of your personal data and our responsibility to ensure your rights very seriously. Below is a list of your data protection rights. If you have any further queries please check out the useful links section at the end of the privacy policy for further reading on the subject, or contact us for further information. Our contact details can be found in section 11 of this policy.

Your rights are as follows:

Right of Access: You may request a copy of any personal data we hold on you for processing. Data can be provided via electronic or physical means. You may also request information regarding the purpose of the processing of this data, the categories of personal data concerned, with which third-parties your information was shared, and how long your data will be stored for.

Right of Rectification: You have the right to request the correction of any inaccurate personal data we hold concerning you. Incomplete data may also be completed via supporting information/documentation.

Right to Erasure (or to be forgotten): You may have the right to instruct us to erase the personal data we hold on you. This is subject to various criteria such as; that the data is no longer necessary, that there is no lawful basis for our holding/processing of this data, that the data was unlawfully processed, or in legal compliance. In a case where we can justify the holding of your personal data, the instruction to erase this data may be declined.

Right to Restriction: You may have the right to restrict our processing of your personal data in certain cases. For example, when the accuracy of the data we hold is contested (while the accuracy is verified), where the processing is unlawful but you do not wish it erased, where we no longer require your data for processing but it is needed by you for legal reasons, where you have objected to the processing but legitimate grounds have not yet been verified.

Right to Portability: You may have the right to request that we transmit your personal data to another data controller, where technically feasible. 

Right to Object: You may have the right to object to your personal data being processed, or used for direct marketing and profiling purposes providing we do not demonstrate a compelling legitimate reason in using this data, that also does not compromise your interests, rights or freedoms. You have the right not to be subject to automated decision making (ADM). However, as outlined in section 4, we do not engage wholly in ADM and our decisions are made by our underwriters.

11. CENTRAL CREDIT REGISTER (CCR)

Under the Credit Reporting Act 2013 (CRA) First Citizen Finance DAC are required to provide personal and credit information for credit applications and credit agreements of €500 and above to the Central Credit Register.

The Central Credit Register is owned and operated by the Central Bank of Ireland. For more information see www.centralcreditregister.ie

As a credit information subject (CIS) you have certain rights and duties under CRA. This applies to both borrowers and guarantors of credit agreements.

As a CIS your rights are as follows:

Insert an explanatory statement on your credit report 

You have a right to place an explanatory statement of 200 words or less, relating to any of your information held on the Central Credit Register, and this will be included on your credit report.

Apply to have your information amended

You have a right to make an application to your lender and the Central Bank to amend information held on the Central Credit Register about you, if you believe it is inaccurate, incomplete or not up to date.

Report and be informed of suspected impersonation

You have the right to give notice to a lender or the Central Bank if you reasonably believe you have been, are being, or may be about to be impersonated by any person.

Obtain your credit report

You have the right to request your credit report at any time, free of charge (subject to fair usage).

12. OUR CONTACT DETAILS / HOW TO MAKE A COMPLAINT

If you have any queries regarding this policy, or FCF in general, you can contact us by:

Post:    

Data Protection Manager

First Citizen Finance DAC

Bloom House

Gloucester Square

Dublin 1 D01 C576

E-mail: info@firstcitizen.ie

Phone: +353 (0)1 8846700

If you are concerned with our processing of personal data, or wish to make a complaint please contact us via one of the above channels with as much information on your concerns/complaint as possible. We will endeavour to respond to and resolve your issue as quickly and efficiently as possible.

Alternatively you can make your complaint by contacting the Data Protection Commissioner via the below channels:

Phone:              +353 (0)761 104 800

Fax:                       +353 (0)57 868 4757

E-mail:                  info@dataprotection.ie

Post:                     Data Protection Commission

                               Canal House

                               Station Road

                               Portarlington

                               Co. Laois R32 AP23

13. SECURITY NOTICE

We consider the security of our customers’ personal data a very important issue, especially with the rapid advancement of technology that is seen in modern times.  We maintain a high level of internal and external security and are always seeking to improve our systems in an ongoing process.

For your own protection we will seek to confirm your identity prior to providing you with any account information or personal data that you might request. 

14. WEBSITE COOKIE POLICY

Cookies are small text files that are placed on your device when you visit our website which enhance your experience and monitor our website traffic. These are stored on your device so that our website may read them and recall your chosen preferences for our website. 
Third-party providers may also set cookies on your device for other reasons, such as to retain your preferences for media displayed by them, or for marketing reasons. 
We may place cookies which are strictly necessary for the functioning of the website on your device without consent. Other cookies require your consent before they may be placed on your device. 
For more detailed information on our use of cookies, including how to manage your preferences, please see our {Cookie Policy}.

The Cookies banner pop-up which appears when you first visit our website allows you to choose and save which Cookies you are consenting to. This preference is then saved for 7 days, after which you will be asked to confirm your preferences again when you next visit our website. Simply click the ‘Details’ button and tick the boxes of the cookies you wish to consent to and the ‘Accept’ button to save your settings. Alternatively ‘Accept All’ may be chosen to consent to all Cookies. The ‘Necessary Cookies’ box is pre-ticked and cannot be un-ticked as they are a requirement for the correct functioning of the website.

Should you ever wish to change your Cookie settings you can do so on our Cookies Policy page by pressing the ‘Preferences’ button below, or by manually deleting them using a method appropriate to the browser you use (please consult your particular browser’s information or help service for details on how to do this).

15. UPDATES TO THIS POLICY

Our data privacy policy will be updated from time to time. This may reflect changes in technology, or how we use your data. Our policy will always be updated prior to changing our practical use of any data. Updates to our privacy policy will always be dated, with the previous version available on archive for a period of time.

Latest change to our Privacy Policy: 19/06/2019

Link to previous version of our Privacy Policy: https://www.firstcitizen.ie/privacy-policy-old.php

16. USEFUL LINKS

Full GDPR document (http://eur-lex.europa.eu/legal... )

Data Protection Commissioner (https://dataprotection.ie/)

GDPR and You (http://gdprandyou.ie/)

Data Protection Acts (https://www.dataprotection.ie/... )