Data Protection Privacy Notice

Last updated: 23 January 2025
This data protection notice provides information about the ways in which the Central Bank collects and processes personal data. For the purposes of data protection legislation, the data controller of your personal data is the Central Bank of Ireland, New Wapping Street, North Wall Quay, Dublin 1.

This notice applies to all personal data collected by the Central Bank in connection with the performance of its statutory functions and related purposes as outlined below. The Central Bank can receive the personal information directly from individuals or indirectly from another party (such as a regulated financial service provider). Supplementary data protection notices, which should be read in conjunction with this one, are included on:

These notices provide information relating to the processing of personal data by the Central Credit Register and the use of personal data provided to the Central Bank in connection with the purchase of collector coins and the deposit guarantee scheme respectively.

Collection and use of Personal Data to Perform Statutory Functions

As a central bank and financial services regulator, the Central Bank processes personal data to perform its functions under the EU Treaties, the ESCB Statute, the Central Bank Acts 1942 to 2015 and other provisions of financial services legislation. These functions include:

  • Monetary policy and financial stability-related functions
  • Collection of information for analysis or statistical purposes
  • Resolution of regulated financial service providers
  • Operation of deposit guarantee schemes or other compensation or customer protection schemes
  • Protection of the best interests of consumers of financial services and regulation of financial service providers and markets
  • Operation of the Central Credit Register
  • Operation of the Beneficial Ownership Register for Certain Financial Vehicles
  • Operation of Ireland’s Safe Deposit Box, Bank and Payment Accounts Register.

The types of personal data processed by the Central Bank in order to perform its statutory functions are described in further detail below.

Individuals applying to the Central Bank for approval to perform a pre-approval controlled function (PCF) within a regulated financial service provider are required to submit an Individual Questionnaire (IQ) to the Central Bank. Completion of the IQ requires submission of personal data to the Central Bank, including the following:

  • Name, address, contact details and passport number
  • Details of professional experience and educational qualifications
  • Information relating to criminal convictions and disciplinary proceedings
  • Details of applicants’ shareholdings and business interests
  • Details of applicants’ directorships and other senior positions.

The Central Bank processes this information and any other information relating to PCF role holders/applicants to perform its fitness and probity functions under Part 3 of the Central Bank Reform Act 2010 and, in particular, to assess the suitability of the applicant to perform the PCF role. If a PCF applicant does not provide the required information, the Central Bank will not be able to assess his or her application. Per the Central Bank (Supervision and Enforcement) Act 2013 the Central Bank has the power to gather other relevant personal data, where it is deemed necessary and proportionate to do so.

The Central Bank retain fitness and probity-related information for 15 years after the individual in question has vacated a PCF role.

The European Central Bank (ECB) is responsible for assessing the fitness and probity of the management board of, and key function holders with, significant credit institutions, as well as the management board of all credit institutions applying for authorisation. The Central Bank transmits such applications onwards to the ECB for assessment in accordance with Council Regulation (EU) No 1024/2013 (the SSM Regulation).

Please continue to read below for information regarding  your personal data rights.

The Central Bank processes personal data of individuals such as staff members, shareholders and customers of financial service providers in connection with its regulation of financial service providers and markets. Where necessary and proportionate this may include special category and/or criminal data. We process such personal data for numerous reasons, including the authorisation and ongoing supervision of regulated financial service providers, the regulation of financial markets and the investigation of the activities of unauthorised providers of financial services.

Individuals such as proposed acquirers of qualifying holdings in authorised entities or persons discharging managerial responsibilities (PDMRs) within an issuer are also obliged to provide certain personal data to the Central Bank under statute. Staff members of regulated financial service providers may also provide limited personal data to the Central Bank in connection with the submission of regulatory returns or other information on behalf of their employer e.g. for the purpose of uploading documents to the Central Bank’s Online Reporting System (ONR).

The Central Bank may also process personal data relating to controlled function (CF) role holders for purposes related to the supervision of the regulated financial service providers by which those CF role-holders are employed.

The Central Bank retains such data for as long as needed for the specific supervisory purposes for which it is collected. On request, we can provide information relating to the retention period for specific personal data.

Please continue to read below for information regarding  your personal data rights.

Pursuant to Article 30(3) of 4AMLD (as amended by 5AMLD), which requires that the beneficial ownership of certain financial vehicles (CFV) are held on a central register in each Member State, the Central Bank processes personal data on any natural person(s) who are beneficial owners of  Irish Collective Asset-Management Vehicles (ICAV),  Unit Trusts, Credit Unions, Investment Limited Partnerships and Common Contractual Funds.

The purpose of the Beneficial Ownership Register is to deter Money Laundering and Terrorist Financing and to identify those that seek to hide their ownership and control of corporate or legal entities by ensuring that the ultimate owners/controllers of CFV are identified and that this information is readily accessible to law enforcement, regulators and obliged entities.

CFV are obliged to submit personal information and information on the nature and extent of the beneficial interest held or control exercised by each beneficial owner. Personal information includes:

  1. Forename and surname
  2. Date of birth
  3. Current residential address including country of residence
  4. Nationality

This information is stored securely in the Beneficial Ownership Register and is released only when a request for beneficial ownership information is made to the Beneficial Ownership Register.

In addition, and solely for the purpose of verification of the above information, Regulation 21 of SI 110 of 2019 and Sections 52 and 63 of the Investment Limited Partnership (Amendment) Act 2020 (the 2020 Act) obliges CFV to provide a PPS number (or CBI Reference Number for non-PPS number holders) to facilitate the Central Bank verifying the Forename, Surname and Date of Birth of each beneficial owner.

The mechanism to verify this information is to check the PPS number, Forename, Surname and Date of Birth of the beneficial owner against the Department of Social Protection (DSP) database of PPS numbers. To do so the Central Bank shares the PPS number, the forename, surname and DOB of the beneficial owner to the DSP via electronic and secure means.  The Central Bank has entered into a data sharing agreement with the DSP for the purposes of governing and monitoring this arrangement.

Where a beneficial owner(s) has/have not been assigned an Irish PPS number, but the individual(s) has/have been previously obtained a CBI reference number from the Central Bank, the corresponding CBI Reference Number obtained may be provided for this purpose.

In the case of beneficial owners who have not been assigned a PPS number, nor a CBI Reference Number, a Declaration as to Verification of Identity must be provided to the Central Bank in order for the Central Bank to provide the beneficial owner with a CBI Reference Number.

Personal information collected as part of this process includes:

  1. Forename and Surname
  2. Date of Birth
  3. Nationality
  4. Current Residential Address
  5. Email

The mechanism to verify this information is to check the CBI Reference number, Forename, Surname and Date of Birth of the beneficial owner against other personal data collected by the Central Bank of Ireland in the course of performing its statutory functions and described elsewhere in the Data Privacy Statement.

Regulations 24 and 25 of SI 110 of 2019 and Sections 55, 56 and 63 of the 2020 Act provide for two types of access to the beneficial ownership information in the Beneficial Ownership Register – “unrestricted” and “restricted” access.

Additionally, certain information contained in the Beneficial Ownership Register is available to members of the public who can demonstrate a legitimate interest in obtaining access and designated persons in accordance with Regulation 25 of SI 110 of 2019 (as amended by SI 308 of 2023), and Sections 56 and 63 of the 2020 Act. For the purpose of Legitimate Interest applications the following information is provided to verify the applicant’s identity:

A clear and legible copy of one of the below documents:

  • Passport - the identification page (name, date of birth, photo and signature) of the applicant’s passport; or
  • EU Driving Licence card -the identification side (photograph, name and signature) of the applicant’s EU driving licence card.

The copy passport/driving licence provided must be valid and in force and its expiry date must be more than six months into the future. Following the verification of identity of the applicant, the copy of the identification document will be deleted. Further supporting documentation may be requested by the Registrar for the purposes of assessing a Legitimate Interest application.

The Central Bank will retain records in relation to each decision made by the Registrar in respect of permitting or refusing access to information held on the Central Register for a period of 5 years from the date of the record’s creation.

A designated person is defined in Section 25 of the Criminal Justice (Money Laundering and Terrorism Financing) Act 2010, as amended by the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018. They include financial institutions, accountants, auditors, tax advisers, legal professionals, and dealers in expensive goods (such as houses, cars, jewellery, etc.). Designated persons are required to conduct background information checks on individuals or entities they enter into a financial transaction or a business relationship with under Anti-Money laundering legislation. S.I. 110 of 2019 and the 2020 Act requires, inter alia, that when a designated person enters into an occasional transaction with a CFV, the CFV shall provide certain beneficial ownership information to the designated person and the designated person may access beneficial ownership information in the Beneficial Ownership Register.

This information is ‘restricted’ or limited to:

  • The name of the CFV
  • Beneficial Owner(s) - Name; Nationality; Country of Residence; Month and Year of Birth; Nature of Beneficial Ownership held

Where the beneficial owner is a minor (i.e. under 18 years of age) their details are exempt in normal course from access by designated persons and individuals who can demonstrate a legitimate interest. In accordance with Regulation 25(5) of SI 110 of 2019 (as amended by S.I. 308 of 2023), access may be provided where a summary of the grounds on which the requestor believes that the information be disclosed to him or her, is provided to the Registrar. The Registrar in their role can decide to disclose the information or not based on these grounds.

All information (‘unrestricted’ information) in the Beneficial Ownership Register is available to certain competent authorities, including information in respect of minors. The competent authorities include:

Competent authorities may disclose the information in the Beneficial Ownership Register to any corresponding competent authority of another Member State when requested by the corresponding competent authority.

PPS numbers or CBI Reference numbers are not provided to the individuals who can demonstrate a legitimate interest, designated persons or competent authorities. The purpose of their collection is solely as an information verification mechanism. Once the identity of the beneficial owner has been verified, the PPSN will be retained securely in an irreversible hashed format and the original submitted PPSN will be deleted within 24 hours of being received.

CFV also provide limited personal data to the Beneficial Ownership Register in connection with the person submitting information to the Beneficial Ownership Register on behalf of the CFV.

The Central Bank is obliged by Article 30(4) 4AMLD (as amended by 5AMLD), to “ensure that the information held in the central register is adequate, accurate and current”. The Central Bank will delete from the Beneficial Ownership Register information held in relation to a CFV when ten years elapse from the date of dissolution of that CFV, should such dissolution occur.

The Central Bank will retain all records in relation to information obtained through the declaration of verification of identity process for a period of 15 years from when the individual has ceased being a beneficial owner of a CFV(s).

Please continue to read below for information regarding  your personal data rights.

Article 32(A) of 5AMLD, requires the identification of natural or legal persons holding or controlling payment accounts and bank accounts identified by an International Bank Account Number (IBAN), and safe-deposit boxes held by credit institutions in each Member State.

The primary purpose is to deter Money Laundering and Terrorist Financing and to identify those that seek to hide their ownership and control of payment accounts and bank accounts identified by an IBAN, and safe-deposit boxes held by credit institutions, and that this information is readily accessible to law enforcement.

The European Union (Anti-Money Laundering: Central Mechanism for Information on Safe-Deposit Boxes and Bank and Payment Accounts) Regulations 2022 (S.I. 46 of 2022) assigns responsibility to the Central Bank to establish and maintain a central database of IBANs, and safe-deposit boxes information for Ireland, and a central mechanism to enable this information to be accessed. Amendments to S.I. 46 of 2022 have been published under S.I. No. 445/2022 - European Union (Anti - Money Laundering: Central Mechanism for Information on Safe - Deposit Boxes and Bank and Payment Accounts) (Amendment) Regulations 2022.

In carrying out this responsibility, the Central Bank processes personal data on any natural person(s) party to a safe deposit box, bank or payment account, held on or after 3 February 2022,in the context of Ireland Safe Deposit Box, Bank and Payment Accounts Register (ISBAR). This may include natural person(s) under 18 years of age.

Personal information collected and processed is as follows:

Bank or Payment Account – Customer Account Holder / Person Purporting to Act on Behalf of Customer Account Holder / Beneficial Owner

  1. Forename and Surname
  2. Date of Birth
  3. Address (including Eircode if known)

Safe Deposit Box - Lessee

  1. Forename and Surname
  2. Date of Birth
  3. Address (including Eircode if known)

The European Union (Anti-Money Laundering: Central Mechanism for Information on Safe-Deposit Boxes and Bank and Payment Accounts) Regulations 2022 (S.I. 46 of 2022) permits access to information held on ISBAR, through the central mechanism, by the Financial Intelligence Unit (FIU) Ireland.

In December 2022, the European Union (Access to Anti - Money Laundering Information by Tax Authorities) (Amendment) Regulations 2022 (S.I. 704 of 2022) extended ISBAR access, through the central mechanism, to the Revenue Commissioners pursuant to the framework of administrative cooperation in the field of taxation between Member States.

In February 2023, the European Union (Money Laundering and Terrorist Financing) (Use of Financial and Other Information) Regulations 2023 (S.I. 22 of 2023), extended ISBAR access, through the central mechanism in a direct and immediate manner, to appropriately authorised individuals in An Garda Síochána and the Criminal Assets Bureau (CAB) respectively who are engaged in the prevention, detection, investigation or prosecution of certain serious criminal offences or engaged in supporting same. This includes the identification, tracing and freezing of assets related to such investigations.  In advance of accessing the ISBAR for the first time, the Central Bank will enter into a data sharing agreement with each of the aforementioned bodies for the purposes of governing and monitoring the arrangements in place for accessing information on the ISBAR.

The Central Bank is data controller of the personal information held on the ISBAR central database and on the ISBAR central mechanism.

Credit institutions are obliged to provide an initial upload of all IBAN and safe deposit box records, and thereafter to update records on a weekly basis. Where a record is updated on an ongoing basis, the original information provided is not retained on ISBAR, but is overwritten by each update to that record which is reported. Information is retained on the ISBAR central database for five years after the date of bank/payment account closes or, in the case of a safe-deposit box, the date on which the lease concerned expires.

Please continue to read below for information regarding  your personal data rights.

The Central Bank may investigate regulated financial service providers or individuals within regulated financial service providers, where a concern arises that a breach of financial services law has been, or is being, committed. The purpose of such investigations is to allow the gathering of sufficient information to enable the Central Bank to determine whether any breach of financial services law has occurred and whether the imposition of sanctions may be appropriate. The personal data may include special category data (including health data), and also may include data related to the detection, investigation and prosecution or criminal offences. 

In the course of an enforcement investigation process, the Central Bank may collect personal data under statutory powers including those under the Central Bank Reform Act 2010, the Central Bank (Supervision and Enforcement) Act 2013, assessor regimes or securities markets legislation (e.g. market abuse legislation). This data may include personal data of individuals who are not the subject of the investigation. The Central Bank retains all information obtained in connection with an investigation for a period of 20 years after any related case is closed. Information collected for the purposes of market abuse investigations will be retained for a maximum period of five years after the case is closed.

Where an investigation is of either a regulatory or civil nature, processing of personal data  is subject to the  General Data Protection Regulation (GDPR). Processing in the context of a criminal investigation or proceeding will be subject to provisions of the Part 5 of the Data Protection Act 2018 (DPA 2018), which implements the Law Enforcement Directive (EU) 2016/680 (the LED) into Irish law. The Central Bank is a competent authority for the purposes of the LED and the DPA 2018.

In the context of enforcement investigations and/or in the carrying out of its functions under various regulatory frameworks the Central Bank may appoint decision-makers or convene an inquiry to consider a particular matter. Decision-makers and inquiry members are appointed from the Regulatory Decisions Panel. The Regulatory Decisions Panel consists of both externally recruited experts and senior Central Bank staff. Decision-making and inquiry processes will be conducted in a manner which respects both the data protection and fair procedure rights of impacted data subjects.

The Central Bank expects that personal data published within a Legal Notice* shall remain in public and accessible to all users of its website for a period of at least ten years from the later of

a)           the date of publication on the Central Bank website; or

b)           the date of the expiration of a sanction (in the case of a prohibition or period of disqualification); or

c)           the date of conclusion of an ASP inquiry or related process (e.g. Court confirmation applications); and/or

d)           any associated appeals.

Notices containing personal data that relate to indefinite prohibition or disqualification of individuals will remain on the website irrespective of the length of time since publication.

* Includes public notices and press releases relating to investigations under the ASP, Fitness & Probity regime, inquiries, involuntary revocations, and assessments under securities markets legislation.

Please continue to read below for information regarding  your personal data rights.

Central Bank Regulated or non-regulated individuals and entities applying to the Central Bank in respect of EU financial sanctions laws are required to submit a Sanctions Derogation Application Form to the Central Bank. Individuals and entities also contact the Central Bank seeking further information relating to EU financial sanctions laws, including in relation to frozen funds reports and related queries. Such applications, reports and queries may involve the processing of personal data, such as:

  • Name, address, contact details and passport number.
  • Details of bank accounts held, salary information and employment record.
  • Details of individuals shareholdings and business interests, etc.
  • Details of the ultimate beneficial ownership of regulated and non-regulated entities.

The Central Bank processes this information and any other information relating to financial sanctions in accordance with EU financial sanctions laws. In certain cases, if an applicant/querist does not provide the required information, the Central Bank will not be able to progress their application/query appropriately. As provided for in law, the Central Bank has the power to gather relevant personal data, where it is deemed necessary and proportionate to do so. In this regard, the Central Bank limits the collection of personal information to what is directly relevant and necessary to accomplish the specified purpose.

The Central Bank retains financial sanctions related information for 10 years after the conclusion of the financial sanctions application.

The Central Bank is required to inform other EU Member States and the European Commission of any authorisation granted under EU financial sanctions laws. The Central Bank transmits the outcomes of such applications onwards to other EU Member States and the European Commission in accordance with our legal obligations.

Please continue to read below for information regarding  your personal data rights.

Members of the public or other individuals may submit queries or provide feedback to the Central Bank. The Central Bank may use the personal data provided by such individuals to respond to their queries and, where appropriate, to investigate any issues raised. Investigation of such issues may require the disclosure of personal data to third parties such as another statutory body or a regulated financial service provider. The Central Bank retains such data for as long as needed for the purpose of investigating the issues that are raised. Information relating to the retention period for specific personal data can be made available on request. We may use feedback provided by members of the public on our facilities to enhance the user experience and improve those facilities (e.g. our visitor centre).

The Central Bank also collects and processes personal data provided by members of the public in connection with the exchange of damaged euro banknotes and coins, or Irish pound banknotes or coins in order to assess the relevant application and provide reimbursement to such persons. All applications for exchange of banknotes or coins are ordinarily retained for a period of one year but may be retained for an additional six years when details are captured incorrectly or in case of a payment settlement failure. The Central Bank may also forward details of such applications, including copies of ID received, to other authorities such as An Garda Síochána or the Revenue Commissioners.

Please continue to read below for information regarding  your personal data rights.

Any information including personal data received by the Central Bank from a person making a protected disclosure (i.e. a whistle-blower) may be used by the Central Bank for the purpose of performing its statutory functions. The Central Bank is legally obliged to protect the identity of a person who makes a protected disclosure and not to disclose any information that might identify that person, subject to certain exceptions. The Central Bank retains information provided by whistle-blowers for a period of 10 years after any related case is closed.

For further detail about how the Central Bank handles information provided by whistle-blowers, see Protected Disclosures including Whistleblowing and Infringement Reports.

Please continue to read below for information regarding  your personal data rights.

The Central Bank collects personal data from candidates for recruitment purposes. The information that the Central Bank may collect and hold about candidates includes:

  • Name, address, telephone number(s) and email address
  • Details of qualifications, skills, experience and employment history
  • Details of current immigration status
  • Details of criminal or pending criminal convictions in Ireland or any other jurisdiction
  • Any additional information contained in a candidate’s CV such as referee information, disclosed at interview or otherwise provided to the Central Bank during the recruitment process.

The Central Bank needs to process data to decide whether to enter into a contract of employment with a particular candidate and may also process certain data to ensure that it is complying with its legal obligations. The Central Bank has a legitimate interest in processing personal data during the recruitment process and in keeping records of the process in order to manage the recruitment process, to assess and confirm a candidate's suitability for employment and decide to whom to offer a particular role. The Central Bank may also need to process candidates’ data to respond to and defend against legal claims.

For certain managerial positions, the candidate’s information may be provided to a third party service provider for the purpose of assessing the suitability for the role. In all other cases, the Central Bank will not share a candidate’s data with third parties, unless his or her application for employment is successful and an offer of employment is made to him or her. Once an offer of employment has been made to (and been accepted by) a candidate, that candidate’s personal data will be provided to An Gardaí Síochána for the purposes of vetting and the Central Bank may also contact previous employers named by that candidate as referees for the purpose of obtaining employment references. The candidate will also be required to provide medical information to the Central Bank’s occupational health provider for the purposes of assessing his or her capacity to work.

If a candidate’s application is unsuccessful, the Central Bank may keep his or her personal data on file for a period of 12 months.

Please continue to read below for information regarding your personal data rights.

Individuals accessing non-public areas within the Central Bank buildings will be required to provide their name, and to permit on-site security to view photographic ID for the purposes of identity verification. The Central Bank does not retain a copy of visitors’ photographic ID.

Please continue to read below for information regarding your personal data rights.

 

The Central Bank has installed CCTV systems at our premises for the purposes of public and staff safety, crime prevention and detection as well as to comply with standard business and insurance protocols. CCTV cameras are located at access points, general reception areas, areas in front of elevator doors on each floor, car parks, shared areas and the exterior perimeter at Sandyford. Signage advises of areas covered by CCTV equipment. The Central Bank will only disclose CCTV images to others who intend to use the images for the purposes stated above.

Images captured by CCTV will ordinarily be retained for a minimum period of up to 30 days, but could be retained for up to one year, dependent on operational, legal, and health and safety obligations and requirements. However, on occasion, there may be a need to keep images for longer, for example for the purposes of investigating a crime.

Please continue to read below for information regarding  your personal data rights.

The Central Bank may process personal data submitted by tenderers to manage procurement award procedures and decide whether to enter into a contract with a particular tenderer. Personal data collected for this purpose may relate to the tenderer, its staff or its sub-contractors. Following finalisation of the procurement procedure in question and the entry into by the Central Bank of a contract with our chosen supplier(s), the Central Bank may process certain personal data in order to perform its obligations under that contract, such as arranging payment. We retain files relating to procurement procedures for a period of the current year plus six years.

Please continue to read below for information regarding your personal data rights.

 

The Central Bank does not collect personal data about you on this website, apart from information which you volunteer. For example, by e-mailing us, by using our online feedback forms or providing us consent to use cookies.

Any information that you provide in this way is not made available to any third parties, and is used by us for the purpose for which you provided it.

It is the policy of the Central Bank of Ireland never to disclose information in respect of individual website visitors to any third party (apart from our internet service provider, which records such data on our behalf and which is bound by confidentiality provisions in this regard), unless obliged to disclose such information by law.

The Central Bank is not responsible for the content or privacy practices of other websites.

Cookies

The Central Bank website uses cookies. Cookies are small text files that can be placed onto your computer, smartphone or other device by this website.

Read our Cookie Policy in full.

Web forms

This website uses online forms. You can use our forms to submit feedback and to request a reply. Any information that you provide in this way is not made available to any third parties, and is used by us for the purpose for which you provided it.

Please continue to read below for information regarding your personal data rights.

The Central Bank uses third party suppliers to monitor publicly available social media and online platforms. This monitoring identifies complaints, queries and concerns expressed by members of the public in relation to financial products and services and is used to inform and support the Central Bank in exercising its statutory functions. As part of this monitoring, the Central Bank may receive personal data from the third party suppliers, which a member of the public has disclosed in public correspondence with regulated financial service providers or other entities. Such personal data is not retained by the Central Bank unless necessary to further investigate the details of a public posting.

Please continue to read below for information regarding your personal data rights.

Transfer of Personal Data

The Central Bank may transfer personal data to:

  • Third parties, where required or permitted by law to do so
    Third parties may include our service providers and statutory bodies, including An Garda Síochána, the Director of Corporate Enforcement, the Revenue Commissioners, the Competition and Consumer Protection Commission and the Data Protection Commissioner.
  • The ECB in the context of the Single Supervisory Mechanism (SSM) or for the performance of ESCB-related tasks.
  • Supervisory authorities in other EEA Member States for the purpose of performance of their functions.
  • Supervisory authorities in countries outside of the EEA where permissible under data protection legislation. This includes personal data on individuals obtained by the Central Bank as part of Fitness and Probity applications, authorisation process and personal data on individuals directly or indirectly connected to an enforcement investigation by supervisory authorities in countries outside of the EEA.

Depending on the country and authority, these transfers may be made under (a) an adequacy decision, i.e. where the European Commission had decided that the country or organisation ensures an adequate level of data protection, (b) an Administrative Arrangement such as the IOSCO Administrative Arrangement which has been agreed with the European Data Protection Board and the Data Protection Commission or (c) the Public Interest Derogation under Article 49 of the GDPR.

Service Providers

The Central Bank uses third parties such as service providers and suppliers, under contract, for the provision of various services.  These third parties may process personal data on our behalf in accordance with the Central Bank’s instruction.

Your Rights

If your personal data is processed by the Central Bank, you have certain rights in relation to that data, which are outlined in summary form below. The Central Bank may require further information from you before we can respond to your request.

You may exercise your rights by contacting our Data Protection Officer.

E-mail: [email protected]

You have the right to receive a copy of the personal data the Central Bank holds about you as well as information about how it is used.

You have the right to receive a copy of the personal data the Central Bank holds about you as well as information about how it is used.

To obtain a copy of personal data the Central Bank may hold on you, you can email [email protected], providing as much information as possible to allow us to identify your data, i.e. prior engagement.  

Applicability

This right is applicable at all times when the Central Bank holds your personal data.

 

You have the right to ask the Central Bank to correct personal data we hold about you where it is incorrect or incomplete.

Applicability

This right is applicable at all times when the Central Bank holds your personal data.

This right entitles you to require the erasure of your personal data from the Central Bank’s systems and records. However, this right applies only in certain circumstances (e.g. where the Central Bank no longer needs the personal data for the purpose for which we collected it or where you withdraw consent to our use of your personal data and where there is no other legal basis for continuing to use it).

Applicability

This right does not apply where personal data is required for the purpose of compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority. Therefore, this right is not applicable in respect of much of the personal data held by the Central Bank in the performance of its statutory functions. 

If you wish to make a request for erasure, you can contact [email protected] setting out the reasons why you consider the data should be erased.

This right entitles you to restrict the processing of your personal data by the Central Bank. Where this right is exercised, the Central Bank is still permitted to store your personal data but other use of the data is prohibited, save in certain limited circumstances.

Applicability

You can exercise this right if one of the following applies:

  • You contest the accuracy of the personal data held about you and the Central Bank is verifying the accuracy of the data
  • The personal data has been processed unlawfully and you oppose erasure and request restriction instead
  • The Central Bank no longer needs the personal data but you need the data in connection with a legal claim
  • You have objected to processing and the Central Bank is considering whether its legitimate grounds override your rights and interests.

This right allows you to obtain your personal data in a format that enables you to transfer that personal data to another organisation where the Central Bank is processing your personal data on the basis of consent or on the fulfilment of a contract and if processing is carried out by automated means.  You may have the right to have your personal data transferred by us directly to the other organisation, if this is technically feasible.

Applicability

This right does not apply where personal data is required for the purpose of compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority. Therefore, this right is not applicable in respect of much of the personal data held by the Central Bank in the performance of its statutory functions.

You have the right to object to the Central Bank’s use of your personal data in certain circumstances. However, the Central Bank may continue to use your personal data, despite your objection, where there are compelling legitimate grounds to do so or we need to use your personal data in connection with any legal claims.

Applicability

This right applies where the Central Bank processes your personal data for the performance of a task carried out in the public interest or in the exercise of official authority or in pursuance of its legitimate interests.

You have the right not to be subject to a decision based solely on automated processing (without human involvement) where that decision produces a legal effect or otherwise significantly affects you.

Applicability

As the Central Bank currently does not make any automated decisions, this right is not applicable.

You have the right to lodge a complaint with the Data Protection Commissioner if you think that the Central Bank has not processed your personal data in accordance with data protection legislation.

Applicability

This right applies at any time.

Restrictions of your Data Protection Rights

The Central Bank, as a data controller may apply certain restrictions which may limit rights requests that you may make to us. These general exemptions are set out in the GDPR and the Data Protection Act 2018. However, as a regulator which performs functions in the public interest, we also entitled to a Central Bank specific exemption which may further have an impact on any rights request that you may make to us, per S.I. No. 534/2020 - Data Protection Act 2018 (Section 60(6)) (Central Bank of Ireland) Regulations 2020.  For example (this is not an exhaustive list), we can withhold data, where necessary and proportionate, to the extent that its release would cause prejudice to the:

  • The prevention, detection or investigation of breaches of, or enforcement of, financial services laws
  • A process, procedure, investigation, inquiry, assessment, application or settlement being undertaken by the Bank
  • Regulation of financial service providers

If this is the case, we will clearly explain what the exemption is and why it applies where appropriate. 

Queries

Should you have any queries on any aspects of this data protection privacy notice, you may contact our Data Protection Officer via [email protected]. This notice may be updated from time to time.

If you want to view your Credit Report please view the website for the fastest way to get a copy of your Central Credit Register Credit Report.

To access all of your data which may be held by the CCR please contact [email protected]