Data Protection Privacy Notice

Last updated: 5 October 2020

This data protection notice provides information about the ways in which the Central Bank collects and uses personal data. For the purposes of data protection legislation, the data controller of your personal data is the Central Bank of Ireland, New Wapping Street, North Wall Quay, Dublin 1.

This notice applies to all personal data collected by the Central Bank in connection with the performance of its statutory functions and related purposes as outlined below. The Central Bank can receive the personal information directly from individuals or indirectly from another party (such as a regulated financial service provider).

Collection and use of Personal Data to Perform Statutory Functions

As a central bank and financial services regulator, the Central Bank processes personal data to perform its functions under the EU Treaties, the ESCB Statute, the Central Bank Acts 1942 to 2015 and other provisions of financial services legislation. These functions include:

Monetary policy and financial stability-related functions
Collection of information for analysis or statistical purposes
Resolution of regulated financial service providers
Operation of deposit guarantee schemes or other compensation or customer protection schemes
Protection of the best interests of consumers of financial services and regulation of financial service providers and markets
Operation of the Central Credit Register.

The types of personal data processed by the Central Bank in order to perform its statutory functions are described in further detail below.

Fitness and Probity Applicants

Individuals applying to the Central Bank for approval to perform a pre-approval controlled function (PCF) within a regulated financial service provider are required to submit an Individual Questionnaire (IQ) to the Central Bank. Completion of the IQ requires submission of personal data to the Central Bank, including the following:

Name, address, contact details and passport number
Details of professional experience and educational qualifications
Information relating to criminal convictions and disciplinary proceedings
Details of applicants’ shareholdings and business interests
Details of applicants’ directorships and other senior positions.

The Central Bank processes this information and any other information relating to PCF role holders/applicants to perform its fitness and probity functions under Part 3 of the Central Bank Reform Act 2010 and, in particular, to assess the suitability of the applicant to perform the PCF role. If a PCF applicant does not provide the required information, the Central Bank will not be able to assess his or her application.Per the Central Bank (Supervision and Enforcement) Act 2013 the Central Bank has the power to gather other relevant personal data, where it is deemed necessary and proportionate to do so.

The Central Bank retain fitness and probity-related information for 30 years after the individual in question has vacated a PCF role.

The European Central Bank (ECB) is responsible for assessing the fitness and probity of the management board of, and key function holders with, significant credit institutions, as well as the management board of all credit institutions applying for authorisation. The Central Bank transmits such applications onwards to the ECB for assessment in accordance with Council Regulation (EU) No 1024/2013 (the SSM Regulation).

Individuals Connected to Financial Service Providers (Including Staff Members, Shareholders and Customers)

The Central Bank processes personal data of individuals such as staff members, shareholders and customers of financial service providers in connection with its regulation of financial service providers and markets. Where necessary and proportionate this may include special category and/or criminal data. We process such personal data for numerous reasons, including the authorisation and ongoing supervision of regulated financial service providers, the regulation of financial markets and the investigation of the activities of unauthorised providers of financial services.

Individuals such as proposed acquirers of qualifying holdings in authorised entities or persons discharging managerial responsibilities (PDMRs) within an issuer are also obliged to provide certain personal data to the Central Bank under statute. Staff members of regulated financial service providers may also provide limited personal data to the Central Bank in connection with the submission of regulatory returns or other information on behalf of their employer e.g. for the purpose of uploading documents to the Central Bank’s Online Reporting System (ONR).

The Central Bank may also process personal data relating to controlled function (CF) role holders for purposes related to the supervision of the regulated financial service providers by which those CF role-holders are employed.

The Central Bank retains such data for as long as needed for the specific supervisory purposes for which it is collected. On request, we can provide information relating to the retention period for specific personal data.

Individuals Directly or Indirectly Connected to an Enforcement Investigation

The Central Bank may investigate regulated financial service providers or individuals within regulated financial service providers, where a concern arises that a breach of financial services law has been, or is being, committed. The purpose of such investigations is to allow the gathering of sufficient information to enable the Central Bank to determine whether any breach of financial services law has occurred and whether the imposition of sanctions may be appropriate. The personal data may include special category data, including health data, and also may include criminal data.

In the course of an enforcement investigation process, the Central Bank may collect personal data under statutory powers including those under the Central Bank Reform Act 2010, the Central Bank (Supervision and Enforcement) Act 2013, assessor regimes or under securities markets legislation (e.g. market abuse legislation). This data may include personal data of individuals who are not the subject of the investigation. The Central Bank retains all information obtained in connection with an investigation for a period of 20 years after any related case is closed. Information collected for the purposes of market abuse investigations will be retained for a maximum period of five years after the case is closed.

Where an investigation is of either a regulatory or civil nature, processing of personal data is subject to the General Data Protection Regulation (GDPR). Processing in the context of a criminal investigation or proceeding will be subject to provisions of the Part 5 of the Data Protection Act 2018 (DPA 2018), which implements the Law Enforcement Directive (EU) 2016/680 (the LED) into Irish law. The Central Bank is a competent authority for the purposes of the LED and the DPA 2018.

Members of the Public who Provide Personal Data to the Central Bank

Members of the public or other individuals may submit queries or provide feedback to the Central Bank. The Central Bank may use the personal data provided by such individuals to respond to their queries and, where appropriate, to investigate any issues raised. Investigation of such issues may require the disclosure of personal data to third parties such as another statutory body or a regulated financial service provider. The Central Bank retains such data for as long as needed for the purpose of investigating the issues that are raised. Information relating to the retention period for specific personal data can be made available on request. We may use feedback provided by members of the public on our facilities to enhance the user experience and improve those facilities (e.g. our visitor centre).

The Central Bank also collects and processes personal data provided by members of the public in connection with the exchange of damaged euro banknotes and coins, or Irish pound banknotes or coins in order to assess the relevant application and provide reimbursement to such persons. All applications for exchange of banknotes or coins are ordinarily retained for a period of one year but may be retained for an additional six years when details are captured incorrectly or in case of a payment settlement failure. The Central Bank may also forward details of such applications, including copies of ID received, to other authorities such as An Garda Síochána or the Revenue Commissioners.

Protected Disclosure Reports

Any information including personal data received by the Central Bank from a person making a protected disclosure (i.e. a whistle-blower) may be used by the Central Bank for the purpose of performing its statutory functions. The Central Bank is legally obliged to protect the identity of a person who makes a protected disclosure and not to disclose any information that might identify that person, subject to certain exceptions. The Central Bank retains information provided by whistle-blowers for a period of 30 years after any related case is closed.

For further detail about how the Central Bank handles information provided by whistle-blowers, see Protected Disclosures including Whistleblowing and Infringement Reports.

Recruitment

The Central Bank collects personal data from candidates for recruitment purposes. The information that the Central Bank may collect and hold about candidates includes:

Name, address, telephone number(s) and email address
Details of qualifications, skills, experience and employment history
Details of current immigration status
Details of criminal or pending criminal convictions in Ireland or any other jurisdiction
Any additional information contained in a candidate’s CV such as referee information, disclosed at interview or otherwise provided to the Central Bank during the recruitment process.

The Central Bank needs to process data to decide whether to enter into a contract of employment with a particular candidate and may also process certain data to ensure that it is complying with its legal obligations. The Central Bank has a legitimate interest in processing personal data during the recruitment process and in keeping records of the process in order to manage the recruitment process, to assess and confirm a candidate's suitability for employment and decide to whom to offer a particular role. The Central Bank may also need to process candidates’ data to respond to and defend against legal claims.

For certain managerial positions, the candidate’s information may be provided to a third party service provider for the purpose of assessing the suitability for the role. In all other cases, the Central Bank will not share a candidate’s data with third parties, unless his or her application for employment is successful and an offer of employment is made to him or her. Once an offer of employment has been made to (and been accepted by) a candidate, that candidate’s personal data will be provided to An Gardaí Síochána for the purposes of vetting and the Central Bank may also contact previous employers named by that candidate as referees for the purpose of obtaining employment references. The candidate will also be required to provide medical information to the Central Bank’s occupational health provider for the purposes of assessing his or her capacity to work.

If a candidate’s application is unsuccessful, the Central Bank may keep his or her personal data on file for a period of 12 months.

Visitors to Central Bank Buildings

Individuals accessing non-public areas within the Central Bank buildings will be required to provide their name, and to permit on-site security to view photographic ID for the purposes of identity verification. The Central Bank does not retain a copy of visitors’ photographic ID.

Closed Circuit Television (CCTV)

The Central Bank has installed CCTV systems at our premises for the purposes of public and staff safety, crime prevention and detection as well as to comply with standard business and insurance protocols. The increased video surveillance measures in place at our currency-related operations reflect the risks associated with the printing operations at the premises. CCTV cameras are located at access points, general reception areas, areas in front of elevator doors on each floor, car parks, shared areas and the exterior perimeter at Sandyford. Signage advises of areas covered by CCTV equipment. The Central Bank will only disclose CCTV images to others who intend to use the images for the purposes stated above.

Images captured by CCTV will generally be retained for a minimum period of 30 days, but could be retained for up to six months, depending on the level of activity on individual cameras. However, on occasion, there may be a need to keep images for longer, for example for the purposes of investigating a crime.

Tenderers and Suppliers of Goods or Services

The Central Bank may process personal data submitted by tenderers to manage procurement award procedures and decide whether to enter into a contract with a particular tenderer. Personal data collected for this purpose may relate to the tenderer, its staff or its sub-contractors. Following finalisation of the procurement procedure in question and the entry into by the Central Bank of a contract with our chosen supplier(s), the Central Bank may process certain personal data in order to perform its obligations under that contract, such as arranging payment. We retain files relating to procurement procedures for a period of the current year plus six years.

Users of this Website

The Central Bank does not collect personal data about you on this website, apart from information which you volunteer. For example, by e-mailing us, by using our online feedback forms or providing us consent to use cookies.

Any information that you provide in this way is not made available to any third parties, and is used by us for the purpose for which you provided it.

It is the policy of the Central Bank of Ireland never to disclose information in respect of individual website visitors to any third party (apart from our internet service provider, which records such data on our behalf and which is bound by confidentiality provisions in this regard), unless obliged to disclose such information by law.

The Central Bank is not responsible for the content or privacy practices of other websites.

Cookies

The Central Bank website uses cookies. Cookies are small text files that can be placed onto your computer, smartphone or other device by this website.

Read our Cookie Policy in full.

Web forms

This website uses online forms. You can use our forms to submit feedback and to request a reply. Any information that you provide in this way is not made available to any third parties, and is used by us for the purpose for which you provided it.

Social Media Monitoring

The Central Bank uses third party suppliers to monitor publicly available social media and online platforms. This monitoring identifies complaints, queries and concerns expressed by members of the public in relation to financial products and services and is used to inform and support the Central Bank in exercising its statutory functions. As part of this monitoring, the Central Bank may receive personal data from the third party suppliers, which a member of the public has disclosed in public correspondence with regulated financial service providers or other entities. Such personal data is not retained by the Central Bank unless necessary to further investigate the details of a public posting.

Transfer of Personal Data

The Central Bank may transfer personal data to:

Third parties, where required or permitted by law to do so
Third parties may include our service providers and statutory bodies, including An Garda Síochána, the Director of Corporate Enforcement, the Revenue Commissioners, the Competition and Consumer Protection Commission and the Data Protection Commissioner.
The ECB in the context of the Single Supervisory Mechanism (SSM) or for the performance of ESCB-related tasks.
Supervisory authorities in other EEA Member States for the purpose of performance of their functions.
Supervisory authorities in countries outside of the EEA where permissible under data protection legislation. This includes personal data on individuals obtained by the Central Bank as part of Fitness and Probity applications, authorisation process and personal data on individuals directly or indirectly connected to an enforcement investigation by supervisory authorities in countries outside of the EEA.

Depending on the country and authority, these transfers may be made under (a) an adequacy decision, i.e. where the European Commission had decided that the country or organisation ensures an adequate level of data protection, (b) an Administrative Arrangement such as the IOSCO Administrative Arrangement which has been agreed with the European Data Protection Board and the Data Protection Commission or (c) the Public Interest Derogation under Article 49 of the GDPR.

The Central Bank requires all third parties to respect the security and confidentiality of personal data disclosed to them. Third-party service providers may only process such personal data for specified purposes and in accordance with the Central Bank's instructions.

Your Rights

If your personal data is processed by the Central Bank, you have certain rights in relation to that data, which are outlined in summary form below. The Central Bank may require further information from you before we can respond to your request.

You may exercise your rights by contacting our Data Protection Officer.

E-mail: dataprotection@centralbank.ie

Restrictions of your Data Protection Rights

We, along with all data controllers, are entitled to rely on certain exemptions which may have an impact on any rights request that you may make to us. These general exemptions are set out in the GDPR and the Data Protection Act 2018. However, as a regulator which performs functions in the public interest, we also entitled to a Central Bank specific exemption which may further have an impact on any rights request that you may make to us, per S.I. No. 537/2019 - Data Protection Act 2018 (Section 60(6)) (Central Bank of Ireland) Regulations 2019. For example (this is not an exhaustive list), we can withhold data, where necessary and proportionate, to the extent that its release would cause prejudice to the:

The prevention, detection or investigation of breaches of, or enforcement of, financial services laws
A process, procedure, investigation, inquiry, assessment, application or settlement being undertaken by the Bank
Regulation of financial service providers

If this is the case, we will clearly explain what the exemption is, why it applies and what impact it may have on your rights request. Also, if we are processing personal data for a law enforcement purpose, we may withhold information from you if we believe that doing so is necessary to avoid prejudicing the detection and investigation of criminal offences.

Right of Access

You have the right to receive a copy of the personal data the Central Bank holds about you as well as information about how it is used.

Applicability

This right is applicable at all times when the Central Bank holds your personal data.

Right to Rectification

You have the right to ask the Central Bank to correct personal data we hold about you where it is incorrect or incomplete.

Applicability

This right is applicable at all times when the Central Bank holds your personal data.

Right to Erasure

This right entitles you to require the erasure of your personal data from the Central Bank’s systems and records. However, this right applies only in certain circumstances (e.g. where the Central Bank no longer needs the personal data for the purpose for which we collected it or where you withdraw consent to our use of your personal data and where there is no other legal basis for continuing to use it).

Applicability

This right does not apply where personal data is required for the purpose of compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority. Therefore, this right is not applicable in respect of much of the personal data held by the Central Bank in the performance of its statutory functions.

Right to Restrict Processing

This right entitles you to restrict the processing of your personal data by the Central Bank. Where this right is exercised, the Central Bank is still permitted to store your personal data but other use of the data is prohibited, save in certain limited circumstances.

Applicability

You can exercise this right if one of the following applies:

You contest the accuracy of the personal data held about you and the CentralBank is verifying the accuracy of the data

The personal data has been processed unlawfully and you oppose erasure and request restriction instead
The Central Bank no longer needs the personal data but you need the data in connection with a legal claim
You have objected to processing and the Central Bank is considering whether its legitimate grounds override your rights and interests.

Right to Data Portability

This right allows you to obtain your personal data in a format that enables you to transfer that personal data to another organisation where the Central Bank is processing your personal data on the basis of consent or on the fulfilment of a contract and if processing is carried out by automated means. You may have the right to have your personal data transferred by us directly to the other organisation, if this is technically feasible.

Applicability

Right to Object

You have the right to object to the Central Bank’s use of your personal data in certain circumstances. However, the Central Bank may continue to use your personal data, despite your objection, where there are compelling legitimate grounds to do so or we need to use your personal data in connection with any legal claims.

Applicability

This right applies where the Central Bank processes your personal data for the performance of a task carried out in the public interest or in the exercise of official authority or in pursuance of its legitimate interests.

Right Relating to Automated Decision Making and Profiling

You have the right not to be subject to a decision based solely on automated processing (without human involvement) where that decision produces a legal effect or otherwise significantly affects you.

Applicability

As the Central Bank currently does not make any automated decisions, this right is not applicable.

Right to Withdraw Consent

You have the right to withdraw your consent to the processing of your personal data by the Central Bank at any time. This will not affect the lawfulness of our processing before the withdrawal.

Applicability

This right only applies where the sole legal basis for processing your personal data is your consent.

Right to Complain to Data Protection Commissioner

You have the right to lodge a complaint with the Data Protection Commissioner if you think that the Central Bank has not processed your personal data in accordance with data protection legislation.

Applicability

This right applies at any time.

Queries

Should you have any queries on any aspects of this data protection privacy notice, you may contact our Data Protection Officer via dataprotection@centralbank.ie. This notice may be updated from time to time.