Data Privacy
Providing and holding personal information comes with significant rights on your part and significant responsibilities on ours. At Bank of Ireland Group, we take your privacy seriously and are fully committed to keeping your information private. It is important that you know exactly what we do with the personal information that you and others provide to us, why we gather it and what it means to you.
Our Data Privacy Notice explains how we hold and use your personal information. You can download the current version of our Data Privacy Notice using the link below. Alternatively, you can get a copy in branch or request a copy by post by writing to Bank of Ireland, PO BOX 12940, Dublin 18.
This notice applies to all our products and services. Your product or service terms and conditions will specify which of our businesses is providing the relevant product or service to you. Some of our businesses and products have their own specific Data Privacy Notices or Data Privacy Summaries which you can access here. For Bank of Ireland UK customers in Northern Ireland and Great Britain please see here. If you were introduced to us by a broker or other intermediary, ask your broker or other intermediary for a copy of their Privacy Notice. You should also read a copy of the Privacy Notice of any third party product and service providers you contract with, including any you ask us to share your information with or allow to access your information. For example, third party Account Information Service Providers (AISPs), Card Based Payment Instrument Issuer (CBPII) or Payment Initiation Services Providers (PISPs).
Data Subject Rights (DSR)
If you would like to exercise any of your data subject rights, click here to find out more.
Data Privacy Notice
This is your guide to how personal data is managed by Bank of Ireland. Please read it carefully.
- 1. Who we are
Throughout this document, "we", "us", "our" and "ours" refer to Bank of Ireland and Bank of Ireland Group.
"Bank of Ireland" means: “The Governor and Company of the Bank of Ireland” incorporated in Ireland with Limited Liability, Registered Number: C-1. Address: 2 College Green, Dublin 2, D02 VR66, Ireland.
"Bank of Ireland Group" means: all members of the Bank of Ireland Group whose holding company is Bank of Ireland Group plc which is incorporated in Ireland with Limited Liability, Registered Number: 593672. Address: 2 College Green, Dublin 2, D02 VR66, Ireland.
Members of the Bank of Ireland Group include: Bank of Ireland, Bank of Ireland Mortgage Bank u.c., Bank of Ireland Insurance Services Limited, Bank of Ireland Leasing Limited, J & E Davy Unlimited Company and New Ireland Assurance Company plc.
This notice applies to all our products and services. Your product or service terms and conditions will specify which of our businesses is providing the relevant product or service to you. Some of our businesses have their own Data Privacy Notices, including New Ireland Assurance Company plc, the Davy Group and Bank of Ireland UK PLC. If you are a customer of one of these businesses, please read their Data Privacy Notice which will explain how they use your information.
In addition, if you were introduced to us by a broker or another intermediary, you should ask for a copy of their Data Privacy Notice. You should also read the Data Privacy Notice of any third party product and service providers you contract with, including any you ask us to share your information with or allow to access your information. For example, third party Account Information Service Providers (AISPs), Card Based Payment Instrument Issuer (CBPII) or Payment Initiation Service Providers (PISPs).
If you have any questions about how your information is gathered, stored, shared or used, please contact our Data Protection Officer (see Section 12 for contact details). You have a number of rights in relation to your personal data, including the right to object to processing of your personal information for direct marketing or where the legal basis for our use of your personal data is our legitimate business interests or performance of a task in the public interest.
- 2. The information we collect about you
There are a number of reasons for gathering personal data about you. For instance, we need to know how to get in touch with you, we need to be certain of your identity and we need to understand your financial circumstances, so we can offer you products and services and give you the best possible customer experience. The personal data we collect falls into various categories such as those shown in the table below:
Category of personal details: Details
Identity and contact information: Name, date of birth, copies of ID, contact details, PPS number (or foreign equivalent), online user identities (such as your 365 log on identity, Twitter handle, Facebook profile, internet protocol addresses, cookie identifiers and radio frequency tags used in contactless cards), security details to protect identity, nationality, home status and address, email address, work and personal phone numbers, marital status, family details, tax residency and tax related information.
Financial details/circumstances: Bank account details (including account number, sort code), any International Bank Account Number (IBAN), currency information, payments information, including payment reference information (this may identify precisely who makes payments to you and who you make payments to and possibly include special category data e.g. a payment to a trade union), transaction credits, transaction debits, credit/debit card details, income and asset details, personal guarantees provided, application processing and administration records, your employment status and employment details of your partner, credit history, credit assessment records, credit data from credit registers, credit reference agency performance data, life assurance, pension and investment details, transaction details, treasury transactions, financial needs/attitudes, contact outcomes, authorised signatories details, details relating to accounts transferred to National Asset Management Agency, information relating to power of attorney arrangements.
Marital status and/or financial associations: If you are married or are financially linked to another person in the context of a particular product or service, a financial association may be created between your records and their records, including any previous and subsequent names used by you (for example, if you apply jointly or one is guaranteeing the debts of another). This means that we may treat your financial affairs as affecting each other. These links will remain on your and their files until you or they break that link. We may make searches on all joint applicants, and evidence of that search will be left on all applicants’ records.
Information you provide us about others or others provide us about you: If you give us information about someone else (for example, information about a spouse or financial associate provided during the course of a joint application with that person), or someone gives us information about you, we may add it to any personal information we already hold and we will use it in the ways described in this Data Privacy Notice. Before you disclose information to us about another person, you should be sure that you have their agreement to do so. You should also show them this Data Privacy Notice. You need to ensure they confirm that they know you are sharing their personal information with us for the purposes described in this Data Privacy Notice. We may also share this Privacy Notice directly with them.
Sensitive or special categories of data: We may hold information about you which includes sensitive or special categories of personal data, such as but not limited to health, criminal conviction information or biometric information used to uniquely identify you (for example your fingerprint or facial recognition). We will only hold this data when we need to for the purposes of the product or services we provide to you, where we are processing the data for a substantial public interest, where we have a legal obligation or where we have your consent to do so. Where we process criminal conviction data we will only do so where we are authorised by EU or local law to do so.
Examples of when we use this type of data include:
- Medical information, for example, where you apply for or make a claim under a policy of life insurance, income protection, mortgage protection or investment products or travel insurance or are seeking a forbearance arrangement.
- If you have criminal convictions, we may process this information in the context of compliance with our anti-money laundering obligations.
- We may use your biometric information to help identify you when you open or operate an account.
Information which you have consented to us using: Your contact details and marketing preferences are used to share news about relevant services, products and offers that we think may be of interest to you. You can find out more about how we use your personal information in relation to marketing activities, including updating your marketing preferences, in Section 5 below.
Information from online activities:
- We collect information about your internet activity using technology known as cookies, which can often be controlled through internet browsers and by using our cookie preference centre on our website. For detailed information on the cookies we use and the purposes for which we use them, see our Cookies Policy, which is available on our website.
- We collect information about your internet browser settings and Internet Protocol (IP) address and other relevant information to help us identify your geographic location when providing you with our services.
Other personal information:
- Telephone and image recordings.
- CCTV images at our Bank branches, offices and ATMs (but only for security reasons and to help prevent fraud or crime).
- Information in relation to requests made by you e.g. data access, correction, restriction, deletion, data portability and complaints.
Information on non-customers
Sometimes we may collect and use your information even though you are not our customer:
For information in this category we will apply the principles outlined in this Data Privacy Notice when dealing with your information. For example, you may be a beneficiary, guarantor, director, cardholder or representative of one of our customers, or you may be in the process of making an application for a Bank of Ireland product or service. In other cases, your own circumstances may have a material impact on the ability of our customer to perform their obligations to us, and we will need to consider these. We may also obtain your information where a customer of ours makes a payment to or enters into a transaction with you, and we need your information in order to process the payment or transaction. Where we buy a new business or the assets of another business, we may also get some of your information, as explained below.
- 3. When and how we collect information about you
As you use our services, apply for products, make enquiries and engage with us, information is gathered about you. We may also collect information about you from other people and other parties, for example, when you are named in an insurance policy application, from credit reference agencies and from sources where you have chosen to make your information publicly available, such as social media sites.
We collect information about you:
- when you ask us to provide you with certain products and services. For example, insurance or investment products may require us to collect relevant health information or criminal conviction information from you;
- when you use our website and online services provided by us (including the Bank of Ireland app) and visit our branches or offices. For example when you use our online services (such as our mobile app) we will collect information from the device you use;
- when you or others give us information verbally or in writing. This information may be on application forms, in records of your transactions with us (including through our service agents such as An Post) or if you make a complaint. This includes where you use Open Banking services to request a Third Party Provider (TPP) or another financial services provider to provide us with details of your accounts with them to us. For more information on TPPs see Section 7 below;
- when we buy a new business or the assets of another business, or enter into a merger or joint venture with another business. For example, if we buy some or all of the business of another bank, we may obtain your information from that other bank where the business we are buying includes your contract with that other bank. Some of this information may be provided to us before we buy the business, and before you become our customer, so that we can undertake business and risk assessments and systems testing. If we do not buy the business, we will delete your information;
- when a customer of ours gives us information about you. For example, when you are a joint accountholder and the other joint accountholder(s) provide us with information about you, or where our customer makes a payment or enters into a transaction with you and we need your information in order to complete that payment or transaction, or where you are a beneficiary, guarantor, director, cardholder or representative of one of our customers;
- when you use our products or services, including making transactions on your account or instruct a TPP to initiate payments on your account, we gather details about who you get money from, who you pay money to, how much the payments are for and when the payments are made;
- from information publicly available about you – for example in trade directories, online forums, websites, Facebook, Twitter, YouTube or other social media. When you make information about yourself publicly available on your social media accounts or where you choose to make information available to us through your social media account, and where it is appropriate for us to use it, this information can help enable us to do things like (1) improve our service (for example, identifying common service issues), (2) personalise your online experience with us, including through games, videos or apps, (3) contact you through the social media services, and (4) enable you to share your experience and content via social media services. For a description on how social media services and other third party platforms, plug-ins, integrations or applications use your information, please refer to their respective privacy policies and terms of use, which may permit you to modify your privacy settings;
- from your online activities with third parties where you have given us your consent (for example, by consenting to our use of certain cookies or other location tracking technologies). For detailed information on cookies and how we use them, see our Cookies Policy, which is available on our website; and
- from credit reference agencies such as Central Credit Register, other credit registration agencies, fraud prevention agencies, fraud detection service providers or public agencies such as property registration authorities, the Companies Registration Office or judgement registries.
Joint accounts:
Please note: If you apply for or hold a financial product in joint names, you should only give personal information about someone else (for example, a joint applicant, guarantor or dependant) with their permission.
- 4. The legal basis, the purpose for processing and the categories of data we process
Whether we’re using it to confirm your identity, to help in the processing of an application for a product or service or to improve your experiences with us, your information is always handled with care and the principles outlined in this Data Privacy Notice are always applied.
The reasons why we need to use your information (purpose), the types of information we will use (categories), and our lawful basis for using your information (legal basis for processing), are described in the table below:
Legal basis for processing | Purpose of processing your personal information | Categories of data processed which are relevant to the purpose of processing your personal information (see section 2 for more information on each category)
Legal basis: Performance of a contract. We will use your data and share that data where its use is necessary in relation to a service or a contract that you have entered into or because you have asked for something to be done so you can enter into a contract with us.
Purpose: To establish your eligibility for our products and services.
Categories: Depending on the nature of the product/service, this could involve all categories.
Purpose: To manage and administer your accounts, policies, benefits or other products and services that we or our partners may provide you with. For example, if you have a secured loan or mortgage with us, we may need to share information with other lenders who also hold a charge on your property.
Categories: Depending on the nature of the product/service, this could involve all categories.
Purpose: To process your applications for credit or financial services.
Categories:
- Identity and contact information
- Financial details/circumstances
- Marital status and/or financial associations
- Information you provide us about others or others provide us about you
- Sensitive and special categories of data
- Other personal information
Purpose: To carry out credit reviews, including automated credit decision processes (which may have a legal or similarly significant effect on you), and to search for details of your credit history and information at credit bureaus/agencies, including the Central Credit Register. Where we make these searches, agencies may keep a record of the search.
Categories:
- Identity and contact information
- Financial details/circumstances
- Marital status and/or financial associations
- Information you provide us about others or others provide us about you
- Sensitive or special categories of data
- Other personal information
Purpose: To process payments that are paid to you or by you. For example, if you hold a credit or debit card with us, we will share transaction details with our card scheme providers (e.g. Visa or Mastercard) or other providers of payment processing services such as merchant acquirers or EBA (European Banking Association) for all SEPA Payments.
Categories:
- Identity and contact information
- Financial details/circumstances
- Information you provide us about others or others provide us about you
Purpose: To run loyalty and reward programmes you have signed up to.
Categories:
- Identity and contact information
- Financial details/circumstances
- Information you provide us about others or others provide us about you
- Information from online activities
- Other personal information
Purpose: To contact you by post, phone, text message, email, social media, fax, digital message, using our online banking website or other means, but not in a way contrary to your instructions to us or contrary to law.
Categories:
- Identity and contact information
- Financial details/circumstances
- Information you provide us about others or others provide us about you
- Information from online activities
- Other personal information
Purpose: To monitor and record our conversations when we speak on the telephone (for example, to check your instructions to us, to analyse, to assess and improve customer service; for training and quality purposes; and for verification, fraud analysis and prevention purposes).
Categories: All categories
Purpose: To recover debts you may owe us.
Categories: All categories (other than 'Information from online activities')
Purpose: To manage and respond to a complaint or appeal.
Categories: Depending on the nature of the complaint, this could involve all categories.
Legal basis: Legitimate Interests. We will use your data and share that data where its use is in accordance with our legitimate interests outlined in this notice.
To manage our business for our legitimate interests, we may process/use your information to:
Purpose: Carry out credit scoring, credit management including collecting and enforcing debts and arrears. In this context we may:
- Tell credit reference and credit registration agencies about your dealings with us including details of your credit facilities and your credit history with us. We may also search the Central Credit Register where permitted but not obliged to do so.
- Engage agencies to trace you (for example, where the address you have provided is no longer accurate and the Bank needs to provide you with legal documentation).
Categories: All categories
Purpose: Provide service information (including sending you service related messages), to improve our service quality and for training purposes. We may also gather information about your interactions with us – for example, the location of the ATMs you use, or where you consent, when you download one of our apps, we may gather location information from your mobile phone or other electronic device you may use to interact with us.
Categories:
- Identity and contact information
- Financial details/circumstances
- Marital status and/or financial associations
- Information you provide us about others or others provide us about you
- Information from online activities
Purpose: Conduct marketing activities: It is in our business interests to understand our customers’ needs and preferences so that we can improve our products and services offerings for our customers and identify suitable new products or services. It is also in both our and our customers' interests to let you know about those products or services which we believe may be of interest or relevance to you. Where we process your information for this purpose, this allows us to:
- send you relevant marketing information. In the case of certain electronic marketing we may also need your consent to send these messages,
- identify where you are eligible for a particular product or service
- conduct market research, including customer surveys, analytics and related activities, and
- run competitions, promotions and other direct marketing activities.
Categories:
- Identity and contact information
- Financial details/circumstances, such as your bank account details and payment reference information
- Marital status and/or financial associations
- Information from online activities
Purpose: Carry out strategic planning and business portfolio management.
Categories: All categories
Purpose: Compile and process your information for the purposes of audit and statistical analysis and to apply research and behavioural science (including, in some instances, making your data anonymous or de-personalised) in order to help us understand trends in our customers’ behaviour, to improve our digital features, products and services, to assess the performance of our platforms, to detect which features are available on your device, to determine the type of content you may be interested in, to improve the financial wellbeing of customers and communities and to understand our risks better, including for providing management information, operational and data risk management.
Categories: All categories
Purpose: To understand general trends, we also use aggregated information we have about you and our other customers (such as spending patterns or transaction information) and we may combine this with data from other sources, such as economic or research data. We may share this analysis with third parties to help them better understand these general trends. When we do this, we combine customers’ data and do not provide information (such as your name, address or account number) that would identify you.
Categories: All categories
Purpose: Protect our business, reputation, resources and equipment, manage network and information security (for example, developing, testing and auditing our websites and other systems, dealing with accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services) and prevent and detect fraud, dishonesty and other crimes (for example, to prevent someone trying to steal your identity), including using call recordings and CCTV at our premises and using your location data to help identify and protect against fraud.
Categories: All categories, including using call recordings, CCTV at our premises and using your location data to help identify and protect against fraud.
Purpose: Manage and administer our Group's legal and compliance affairs, including complying with our obligations to credit card providers, compliance with regulatory guidance and voluntary codes of practice to which we have committed.
Categories: All categories
Purpose: Enable our Group members to share or access your information for internal administrative purposes, fraud prevention, audit, prudential, statistical or research purposes (including making your data anonymous) to help us understand trends in customer behaviour, for helping us to understand our risks better and for the purposes set out in this Data Privacy Notice (but not for the purposes of direct marketing where you have objected to this).
Categories: All categories
Purpose: Buy new businesses or the assets of another business and/or sell assets of the Group: Members of the Group may in the future wish to sell, transfer or merge part or all of its business or assets or to buy a new business or the assets of another business or enter into a merger with another business. If so, we may disclose your personal information under strict duties of confidentiality to a potential buyer, transferee, merger partner or seller and their advisers, so long as they agree to keep it confidential and to use it only to consider the possible transaction. If the transaction goes ahead, the buyers, transferee or merger partner may use or disclose your personal information in the same way as set out in this Data Privacy Notice.
Categories: All categories (other than ‘Information from online activities’).
Purpose: Facilitate a potential or actual transfer of any loan or product provided to you or in connection with a securitisation or other funding arrangement.
Categories: All categories
Purpose: Use cookies in accordance with our Cookies Policy.
Categories:
- Identity and contact information
- Information from online activities
Legal basis: To comply with our legal and regulatory obligations. We will use your data and share that data where its use is necessary because of a legal obligation that applies to us (except an obligation imposed by a contract). An example of this would be us sharing your information with the Central Credit Register or complying with our obligations to identify and prevent the risk of money laundering.
We need to use your personal information to comply with legal and regulatory obligations including:
Purpose: Retaining consumer records and details of individual transactions for the time periods as required by law. For example the Consumer Protection Code.
Categories: All categories
Purpose: Complying with your information and privacy rights.
Categories: All categories
Purpose: Providing you with statutory and regulatory information and statements.
Categories:
- Identity and contact information
- Financial details/circumstances
- Marital status and/or financial associations
Purpose: Establishing your identity, residence and tax status in order to comply with law and regulation concerning taxation and the prevention of money laundering, fraud and terrorist financing.
Categories: All categories (other than 'Information which you have consented to us using' and 'Information from online activities').
Purpose: Screening applications that are made to us to ensure we are complying with the international fight against terrorism and other criminal activities. As a result, we may need to disclose information to government and other statutory bodies.
Categories: All categories (other than 'Information which you have consented to us using').
Purpose: Preparing returns to regulators and relevant authorities. For example (where applicable) for the purposes of the Foreign Account Tax Compliance Act, Common Reporting Standard, and the Return of Payment to Revenue, and other revenue returns.
Categories: All categories (other than 'Information which you have consented to us using' and 'Information from online activities').
Purpose: Reporting to and, where relevant, conducting searches on the Central Credit Register, State registers (such as the Register of Beneficial Owners), and other industry registers.
Categories:
- Identity and contact information
- Financial details/circumstances
- Marital status and/or financial associations
- Information you provide us about others or others provide us about you
Purpose: Complying with binding requests from regulatory bodies, including the Central Bank of Ireland, the Data Protection Commission, and the Revenue Commissioners.
Categories: All categories (as applicable to the request).
Purpose: Complying with binding requests for information from other payment service providers you have instructed to act for you, including complying with our obligation to provide access to your account information to an Account Information Service Provider (AISP), Card Based Payment Instrument Issuer (CBPII) or a Payment Initiation Service Provider (PISP), where you or your joint Account Holder has instructed the AISP, CBPII or the PISP to access the information.
Categories:
- Identity and contact information
- Financial details/circumstances, such as your bank account details and payment reference information
- Information you provide us about others (such as the person to whom you are making a payment) or others provide us about you
Purpose: Complying with binding requests for information about you from other payment service providers from whom you may have received payments in error so that the payer’s financial service provider may contact you directly. This information will include your name, address and relevant transaction information.
Categories:
- Identity and contact information
- Financial details/circumstances, such as your bank account details and payment reference information
- Information you provide us about others (such as the person to whom you are making a payment) or others provide to us about you
- Other personal information
Purpose: Complying with binding production orders or search warrants, and orders relating to requests for mutual legal assistance in criminal matters received from foreign law enforcement agencies/prosecutors.
Categories: The information specified in the production order or warrant.
Purpose: For other reasons where a statutory reason exists, including use of your Personal Public Service (PPS) number (or foreign equivalent).
Categories: The information specified in the statutory provision or any request, order or warrant issued under the statutory provision.
Purpose: Complying with court orders arising in civil or criminal proceedings.
Categories: The information specified in the court order, for example transactions on your account.
Purpose: Where required to comply with our obligations under the Payment Services Regulations relating to fraud prevention - including monitoring your use of our online banking software or security tools.
Categories: All categories
Legal basis: Consent: Where you have given us permission (which you may withdraw at any time). We will use your data and share that data where you have consented or explicitly consented to the using of your data (including special categories of data) in a specific way. When we ask for your consent, we will provide you with more information on how we will use your personal data in reliance on that consent, including in relation to third parties we would like your consent to share your data with.
Where you have given us permission (which you can withdraw at any time) to process your information we may:
Purpose: Send electronic messages to you about products, services and offers from Bank of Ireland Group as well as from specially selected trusted partners but only if we think they may be suitable or of interest to you. You can find out more about withdrawing or updating your marketing preferences in Section 5.
Categories:
- Financial details/circumstances
- Identity and contact information
- Marital status and/or financial associations
Purpose: Share your data with third parties so that they may send you electronic messaging about their products and offers.
Categories:
- Identity and contact information
Use transaction history/account information from your Bank of Ireland account or credit card to identify your spending and saving habits in order to personalise offers that are individual to you, based on your account transactions. - Identity and contact information
- Financial details/circumstances such as your bank account details and payment reference information
- Marital status and/or financial associations
Use image recognition software to verify your identity and documentation when opening or operating an account. This process may also include using that technology to scan and copy information from the documents you provide and using that information for your application. - Identity and contact information
- Sensitive or special categories of data, such as biometric data to identify you
Use cookies in accordance with our Cookies Policy. - Identity and contact information
- Information from online activities
Use your location data for example to send you information regarding special offers from us or our partners close to your location. - Identity and contact information
- Information from online activities
Use information you have made public and combine this with the information we already hold for the activities outlined above. - All categories (for example where you have made clearly sensitive or special categories of data about yourself public.)
Processing is necessary in order to protect your/another person’s vital interests
In exceptional circumstances we may use and/or disclose information (including special categories of data) we hold about you to identify, locate or protect you, for example, if it comes to our attention that you are in imminent physical danger and this information is requested by An Garda Síochána or your relative.
- All categories
Processing is necessary for the performance of a task carried out in the public interest.
Where authorised by law or regulation, we may undertake processing of special categories of data for a substantial public interest such as processing of your special categories of personal data about your health or if you are a vulnerable customer to comply with our obligations under the Consumer Protection Code. We may share this personal information with other people and organisations where required if they need to know that you are a vulnerable customer.
- All categories
Processing is necessary for the establishment, exercise or defence of legal claims
We will only use special categories of data for the establishment, exercise or defence of legal claims to the extent this is necessary.
- All categories
- 5. How we use your information for marketing
This section explains how we work out what products or services you may be interested in and what marketing messages to send to you.
- We’d like to be able to contact you to tell you about services, products and offers but only if we have your permission or where we have a legitimate interest. Some of the ways we may get in touch include email, phone, post, SMS and digital messaging. Digital messaging includes displaying relevant messages through other websites and social media platforms where you may have accounts. We may share your data with social media platforms (in a secure way) so that where you hold an account with them they can display messages from us to you.
- We will send you marketing messages if we believe it can make your life easier, be of interest to you or offer you value for money. We can do this by using some of the personal information we hold about you to better understand your needs.
- The personal information we collect about you is set out in Section 2. It includes information you tell us and information we collect when you use our products or services. This information helps us to understand which products, services and offers may be relevant for you based on your profile. It is in our and our customers’ interests to use personal information this way to better understand our customers’ needs and preferences so that we can create more tailored and suitable marketing messages. Some examples of how we use this information include:
- We may use your product(s) and account balance information to identify products and services that better suit your needs, for example when you drawdown a mortgage, home insurance offers could be an important consideration, or a high balance on a current account might get a better return from a savings or investment account.
- We may place you in groups or segments with similar customers. This helps us to design products, services and offers for different customer segments, to manage our relationships with them and tailor the marketing messages. For example, if you are eligible (or are eligible to become) a Premier or Private Banking customer, we may contact you with details of offers, products and services available to you.
- We may contact you about relevant competitions, promotions and other direct marketing activities that we think may interest you.
How to update your marketing preferences:
You can contact us to ask us to stop using your information for the purposes above or update your marketing preferences online (visit bankofireland.com/privacy/marketing-preferences) or by calling us on 01 688 3674. You can also tell us to stop sending you marketing emails by using the unsubscribe option at the end of each marketing email. For more information, please visit bankofireland.com/privacy. If you want to object to this processing please see Section 11 of this notice.
- 6. How we use automated processing or “analytics” and our legal basis
Where we make solely automated decisions that affect you in a legal or a significant way, you have the right to provide your point of view and have those decisions reviewed by a member of our team.
We use automated statistical analysis of the information we collect about you as part of our business:
- Analysis of your information helps us to make automated lending decisions, examples of this include:
- When you apply for a financial product, for example a loan, we may evaluate the application using statistical analysis to determine whether or not the product best meets your needs.
- We may decide whether or not to give you a financial service, for example, a personal loan.
- We may calculate the interest rate that we need to charge on a credit product to reflect the risk of lending to you. For example, although your loan may be within sensible risk guidelines, there may be a higher risk (compared to another customer) that you or a guarantor might not be able to repay a loan. If this happens, our analysis of your data may tell us that a higher interest rate is appropriate, compared to another customer, to reflect that increased risk.
- To manage existing credit agreements you have with us, such as your Current Account overdraft. For example, when you or any authorised user seeks to perform a transaction, information may be sent to us to evaluate and determine whether to approve, decline or refer a transaction for further review.
- To decide the type of financial service suitable for you, or to decide other terms – for example, the minimum amount you need as a deposit when you want to buy something financed by us.
Further information about the logic behind these automated lending decisions:
- When you apply for credit, we use an automated system known as credit scoring to determine if you qualify for a loan, the terms of the loan, the interest rate and the credit limits that apply. As credit scoring helps us to assess risk fairly and consistently, it is necessary for entering into our contract with you and helps our Group companies to lend responsibly and comply with our legal obligations.
- Your credit score helps us to determine whether you qualify for a particular credit card, loan, mortgage or service. It is based on a range of data, including your borrowing history, your ability to repay the loan and if you have defaulted on a loan previously.
- Credit scoring generally takes account of information from three sources: (1) information you provide during your application, (2) information provided by credit reference agencies or credit registers, and (3) information that may already be held about you by companies in the Bank of Ireland Group. Our credit scoring system will consider information from these sources to make an overall assessment of your application. The credit scoring methods used are regularly tested to ensure they remain fair, effective and unbiased.
- Automated analysis of our customer information (including your information) as a whole helps us to manage our business for our legitimate interests. It enables us to:
- Make more informed business decisions, including improving the quality of products and services we can offer (including for the purposes of direct marketing, unless you have objected to us using your details in this way). For example, if you give us permission we may use your transaction history/account information to identify your spending and saving habits, to identify offers that are relevant to you based on your account transactions or behaviour.
- Test and maintain the stability and performance of our systems.
- Carry out long-term statistical modelling, provided that such modelling does not affect any decision we make about you.
- When you apply for an insurance product(s) or service through us, the relevant insurer may conduct the following activities which involve automated (computer based) decision making:
- Underwriting and determining the applicable premiums. This process calculates the risks based on the information you have provided. This will be used by the relevant insurer to determine whether it can provide you with an insurance policy and if so calculate the premium you will have to pay.
- The results of these automated decision making processes can limit the products and services we are able to provide you with. If you do not agree with the result, you have the right to request human intervention to allow you to express your point of view and to contest the decision.
- Automated analysis of your information also enables us to form a single view of your relationship with the Bank of Ireland Group. We use this information for customer service and administrative purposes. This is intended to help us to manage and build our relationship with you and is an important part of managing our business in our legitimate interests. Some examples of how we use automated analysis for these purposes are as follows:
- to establish your eligibility for certain products or services;
- to provide digital financial wellbeing services on our app and online banking services to identify transactions or activities (for example, recurring payments, low balances, upcoming bills or spending patterns) and provide you with insights or alerts to help you manage your finances; and
- to create financial wellbeing measures and financial wellbeing scores for our customers. This information includes account balances, financial inflows and outflows and comparisons of income, expenditure and available credit over periods of time. This allows us to understand our customers better and is used for internal purposes only. We do not take any specific action in response to individual scores.
- Automated analysis of your information assists us to comply with our legal obligations.
- For example, in connection with our money laundering, fraud and terrorist financing prevention obligations, we may use automated processing to screen for suspicious transactions, or to identify payments which may be subject to international sanctions and to monitor calls, transactions and patterns to prevent and investigate fraud.
- We may use automated processing to make decisions such as to stop a payment or restrict access to an account. We may do this by looking at your transactions to see if there are any indications that the transaction could be fraudulent (for example, if you are making an unusual payment or the device you are using appears to be unsafe).
- There are certain automated analyses of your information that we will only carry out where you have given us your consent (which you can withdraw at any time). We will only automatically process your information to enable us to undertake the following activities where we have your consent:
- Send electronic messages to you about product and service offers from our Group and/or our selected trusted partners.
- Share your data with third parties so that they may send you electronic messaging about their products and offers.
- Use your transaction history/account information from your accounts and credit cards to identify your spending and saving habits, in order to personalise offers that are individual to you, based on your account transactions.
- Use your biometric information to help identify you when you open or operate an account.
- Use your location data to send you information regarding special offers from us or our partners close to your location.
- Where required, use sensitive or special categories of data, as set out in data protection legislation.
- Use information you have made public and combine this with the activities outlined above.
- 7. Who we share your information with
We only share your information with a select number of individuals and companies, and only as necessary. Sharing can occur in the following circumstances and/or with the following persons:
Category of recipient/scenario: Details
Your authorised representatives: These include your broker/retail intermediary, attorney (under a Power of Attorney) and any other party authorised by you to receive your personal data/other parties you ask us to share your information with.
Third parties we need to share your information with in order to facilitate payments or services you have requested. Examples include:
- Other banks or payment service providers, payment schemes or systems (e.g. SWIFT, VISA or MasterCard), digital wallet providers, merchant acquirers and providers of payment processing services;
- Our agents who provide services to you on our behalf (For example where you ask us to carry out a transaction on your account at a post office of An Post, we will need to share your information with An Post to carry out that transaction); and
- Those you ask us to share your information with.
Third Party Providers (TPP). Where you instruct a TPP to have access to an account you hold with us: There are three types of third party providers that you or your joint Account Holder may choose to instruct. They are:
- Account Information Service Provider (AISPs) which may access certain information about your account (e.g. balance, charges, transaction history, etc.) on a continuous basis;
- Payment Initiation Service Provider (PISP) which allows payments to be made on your behalf directly from your online payment account; and
- Card Based Payment Instrument Issuer (CBPII) which may request information regarding the availability of funds in your account.
Where you choose to instruct a TPP in respect of a joint account, you should be mindful of the fact that personal information of your joint Account Holder may also be sent to the TPP. Similarly, your joint Account Holder may also choose to instruct a TPP resulting in your personal information being shared with the TPP without further reference to you.
We may act on the authority of one joint Account Holder to share or allow a third party access to your account information for the provision of payment services including transaction details. This means, unless we have agreed that we need the consent of each joint Account Holder, or have a legal obligation to get this consent, we will treat the authority of one Account Holder as authorisation on behalf of any other Account Holder(s) for a joint account. If you instruct us to share or allow a third party access to any account information for a joint account you are responsible for ensuring the other Account Holder(s) are aware and permit such access.
Once approved, AISPs and CBPIIs can make continued requests for access until you cancel such requests. You must re-authorise an AISP's access to your account every 180 days. If you or your joint Account Holder wants to stop sharing information with an AISP or CBPII, you must contact the AISP or CBPII to indicate your wishes to do so.
In order to avail of any TPP services, your account must be accessible online. You must follow our online authorisation and verification process that we have set up for this purpose. Your account terms and conditions will tell you if you can do this and if so, the relevant terms and conditions which will apply.
Companies in the Bank of Ireland Group: We share your information with some but not all members of the Bank of Ireland Group where legally required to do so or to protect and pursue our legitimate interests, for example:
- To carry out administrative functions, (the Governor and Company of the Bank of Ireland carries out administrative functions on certain loans on behalf of Bank of Ireland Mortgage Bank);
- To provide you with specific products, services and information;
- To analyse information (where possible in an anonymised way, so that any of your personal data will only be shared where necessary);
- Track referrals and conversion rates; or
- Research your experience dealing with us.
When you apply to us for insurance:
- We will pass your details to the relevant insurers and/or reinsurers.
- We or the insurer may request information relating to your health or criminal conviction data for underwriting and claims administration purposes.
- If you make a claim, any information you give us, or to the insurer, may be put onto a register of claims and shared with other parties to prevent fraudulent claims. A list of the participants is available from the insurer.
- We may disclose your information within our Group of companies, to our agents and other insurers and third parties for administration, regulatory, customer care and service purposes, and to investigate or prevent fraud.
When you open or use a joint account or product: If you open or hold a joint account or product, this may mean that your personal data will be shared with the other applicant. For example, transactions made by you will be seen by your joint account holder, and you will see their transactions. We may act on the authority of one joint Account Holder to share or allow a third party access to your account information for the provision of payment services including transaction details. This means, unless we have agreed that we need the consent of each Joint Account Holder, or have a legal obligation to get this consent, we will treat the authority of one Account Holder as authorisation on behalf of any other Account Holder(s) for a joint account. If you instruct us to share or allow a third party access to any account information for a joint account you are responsible for ensuring the other Account Holder(s) are aware and permit such access.
Guarantors: We will share your information with any person or entity which guarantees your obligations to us (for example, if a parent guarantees your mortgage or an entity provides a guarantee as part of a statutory scheme such as the Strategic Banking Corporation of Ireland DAC) or gives us an indemnity concerning these obligations.
Companies that provide support services for the purposes of protecting our legitimate interests: Your personal information remains protected when our service providers use it. We only permit service providers to use your information in accordance with our instructions, and we ensure that they have appropriate measures in place to protect your information.
Our service providers include:
- Providers of marketing services such as advertising agencies or social media companies (so they can present messages from us to you) and market research companies, analytics companies, investment companies, IT and telecommunication service providers, software development contractors, data processors, debit/credit card producers, computer maintenance contractors, printing companies, property contractors, document storage and destruction companies, custodians and providers of administration services, archiving services suppliers, debt collection agencies, budgeting and advice agencies, tracing agencies, receivers, liquidators, examiners, Official Assignee for Bankruptcy and equivalent in other jurisdictions, auditors, ATM administrators and consultants, including legal advisors.
- Providers of analytics services who assist us to make digital financial wellbeing services available.
- Providers of fraud detection software and support services who may use that information to monitor and improve our services and technology, and to help identify potential fraud.
We may also share information with the following third parties to help us manage our business for our legitimate interests:
- Trade associations and professional bodies, non-statutory bodies and members of trade associations.
- Pension fund administrators, trustees of collective investment undertakings and pensions trustees.
- Insurers/re-insurers and insurance bureaus.
- Healthcare professionals and medical consultants.
- Business partners and joint ventures, for example, where the Bank has an arrangement with a car brand in relation to car finance we may share information with the car brand or relevant motor dealer for service and reconciliation purposes. In other cases, we, our business partners or those involved in the joint venture will let you know that your information is being shared and who it is being shared with.
- Select third party providers, for example, to assist with research on consumer behaviour and financial wellbeing. In these instances, we only share anonymised de-personalised data relating to your account activity and other Bank of Ireland products you hold. You will never be identifiable to these third parties.
Statutory and regulatory bodies (including central and local government) and law enforcement authorities: These include the courts and those appointed by the courts, government departments, statutory and regulatory bodies in all jurisdictions where the Bank of Ireland Group operates including: the Central Bank of Ireland, the European Central Bank, the Data Protection Commission, Financial Services Ombudsman, Credit Review Office, An Garda Síochána/police authorities/enforcement agencies, Revenue Commissioners, Criminal Assets Bureau, US, EU and other designated authorities in connection with combating financial and other serious crime, NAMA and its agents or other parties designated by or agreed with NAMA or designated under the relevant legislation, police forces and security organisations, ombudsmen and regulatory authorities, as well as fraud prevention agencies.
Credit reference/rating agencies, including the Central Credit Register: We share your data with the Central Credit Register in order to comply with our legal obligations under the Credit Reporting Act 2013. We may also search the Central Credit Register where permitted but not obliged to do so to protect our legitimate interests. As a result it is important that you make sure that information you provide us is accurate and up to date to allow us to correctly report your information to the Central Credit Register.
Third parties in connection with a sale or purchase of assets by a member of our Group: These include the courts and those appointed by the courts, government departments, statutory and regulatory bodies in all jurisdictions where the Bank of Ireland Group operates including: the Central Bank of Ireland, the European Central Bank, the Data Protection Commission, Financial Services Ombudsman, Credit Review Office, An Garda Síochána/police authorities/enforcement agencies, Revenue Commissioners, Criminal Assets Bureau, US, EU and other designated authorities in connection with combating financial and other serious crime, NAMA and its agents or other parties designated by or agreed with NAMA or designated under the relevant legislation, police forces and security organisations, ombudsmen and regulatory authorities, as well as fraud prevention agencies.
- 8. How long we hold your information
The length of time we hold your data depends on a number of factors, such as regulatory rules and the type of financial product we have provided to you.
- Those factors include:
- The regulatory rules contained in laws and regulations or set by authorities like the Central Bank of Ireland, for example, in the Consumer Protection Code.
- The type of financial product we have provided to you. For example, we may keep data relating to a mortgage product for a longer period compared to data regarding a single payment transaction.
- Whether you and we are in a legal or some other type of dispute with another person or each other.
- The type of data we hold about you.
- Whether you or a regulatory authority asks us to keep it for a valid reason.
- Whether we use your data for long-term statistical modelling, provided that such modelling does not affect any decision we make about you.
- As a general rule, we keep your information for a specified period after the date on which a transaction has completed or you cease to be a customer. In most cases this period is 7 years after the end of a transaction, but may be up to 13 years where we had a deed in place or 6 years after you cease to be a customer.
- 9. Implications of not providing information
Sharing information with us is in both your interest and ours.
- We need your information in order to:
- Provide our products and services to you and fulfil our contract with you.
- Manage our business for our legitimate interests.
- Comply with our legal obligations.
- Of course, you can choose not to share information, but doing so may limit the services we are able to provide to you:
- We may not be able to provide you with certain products and services that you request. We may not be able to continue to provide you with or renew existing products and services.
- We may not be able to assess your suitability for a product or service, or, where relevant, give you a recommendation to provide you with a Bank of Ireland financial product or service.
- When we request information, we will tell you if providing it is a contractual requirement or not, and whether or not we need it to comply with our legal obligations.
- 10. Processing your information outside the EEA
Your information is stored on secure systems within Bank premises and with providers of secure information storage (including cloud storage providers).
We may transfer or allow the transfer of information about you and your products and services with us to our service providers and other organisations outside the European Economic Area (EEA), but only if they agree to act solely on our instructions and protect your information to essentially the same standard that applies in the EEA.
For example, we may process payments using third parties (including other financial institutions such as banks and the worldwide payments system operated by the SWIFT organisation) if you make a foreign payment. Those external organisations may process and store your personal information abroad and may disclose it to foreign authorities to help them in their fight against crime and terrorism.
Using companies to process your information outside the EEA
Some of our offices as well as our service providers (such as IT service providers, telecommunication providers, credit reference agencies, payment processors, custodians, providers of administration services and tracing agents), contractors and other third parties or entities used in connection with your products and services may be based outside of the EEA. Where we authorise the processing/transfer of your personal information outside of the EEA, we require your personal information to be protected to at least Irish standards and include the following data protection transfer mechanisms.
- Model Clauses (also known as Standard Contractual Clauses) are standard clauses in our contracts with our service providers to ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law. Copies of the Bank’s current Model Clauses are available on request.
- Transfers to countries outside the EEA which have an adequate level of protection as approved by the European Commission (such as the United Kingdom).
- Binding Corporate Rules. A copy of the Binding Corporate Rules for those organisations who use them (for example Fiserv (one of the Bank’s payment processors) or Mastercard) is available on request.
- Transfers permitted in specific situations where a derogation applies as set out in Article 49 of the GDPR. For example, where it is necessary to transfer information to a non-EEA country to perform our contract with you.
- 11. How to exercise your information rights (including the right to object):
Providing and holding personal information comes with significant rights on your part and significant obligations on ours. You have several rights in relation to how we use your information. If you make your request electronically, we will, where possible, provide the relevant information electronically unless you ask us otherwise:
You have the right to:
- Find out if we use your information, to access your information and to receive copies of the information we have about you.
- Request that inaccurate information is corrected and incomplete information updated.
- Object to particular uses of your personal data where the legal basis for our use of your data is our legitimate business interests (for example, profiling we carry out for our legitimate business interests) or the performance of a task in the public interest. However, doing so may have an impact on the services and products we can / are willing to provide.
- Object to use of your personal data for direct marketing purposes. If you object to this use, we will stop using your data for direct marketing purposes (see Section 5).
- Have your data deleted or its use restricted – you have a right to this under certain circumstances.
- For example, where you withdraw consent you gave us previously and there is no other legal basis for us to retain it, or where you object to our use of your personal information for particular legitimate business interests.
- Obtain a transferable copy of certain data which can be transferred to another provider, known as “the right to data portability”.
- This right applies where personal information is being processed based on consent or for performance of a contract and the processing is carried out by automated means. You are not able to obtain through the data portability right all of the personal information that you can obtain through the right of access. The right also permits the transfer of data directly to another provider where technically feasible. Therefore, depending on the technology involved, we may not be able to receive personal data transferred to us and we will not be responsible for the accuracy of same.
- Withdraw consent at any time, where any processing is based on consent. If you withdraw your consent, it will not affect the lawfulness of processing based on your consent before its withdrawal.
We are obliged to respond without undue delay. In most instances, we will respond within one calendar month. If we are unable to deal with your request fully within a calendar month (due to the complexity or number of requests), we may extend this period by a further two calendar months. Should this be necessary, we will explain the reasons why. If you make your request electronically, we will, where possible, provide the relevant information electronically unless you ask us otherwise.
You have the right to complain to the Data Protection Commission or another supervisory authority. You can find details of how to contact the Data Protection Commission below and on their website dataprotection.ie
Fax: +353 57 868 4757
E-mail: info@dataprotection.ie
Postal Address: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28
- 12. How to contact us and/or our Data Protection Officer
If you have any questions about how your personal data is gathered, stored, shared or used, please contact our Data Protection Officer at the details below. In addition, if you wish to find more information on how to exercise any of your data rights, please see bankofireland.com/privacy.
Online: bankofireland.com/privacy
Telephone: +353 (0)1 688 3674
E-mail: DataProtectionOffice@boi.com
Postal Address: Bank of Ireland, PO Box 12940, Dublin 18
- 13. Changes to this notice
We will update this Data Privacy Notice from time to time on our website at bankofireland.com/privacy. Any material changes to this Data Privacy Notice, where appropriate, will be notified to you by SMS, e-mail, 365 online, our mobile banking app or other communication channel we deem appropriate.