HOW WE USE YOUR PERSONAL INFORMATION
The personal information that we obtain about you
Personal information means any information relating to an identified or identifiable natural person. This includes data which either by itself or with other data held by us or available to us, can be used to identify you. Your personal information comprises personal and financial information that we have obtained from you, the Intermediary(ies), the Central Credit Register, credit reference agencies, fraud prevention agencies or similar companies who carry out identity, verification or other checks. We collect your personal information directly from you and we obtain it indirectly from these other sources. We also keep information about the conduct of your account and any communications between us.
When you enter a Credit Agreement with us, you confirm that all information provided to us or to the Intermediary(ies) by you or on your behalf, and either as part of your application for credit or at any time afterwards, is true, complete and accurate in all respects. If your personal information such as your marital status, contact details, or home address changes you must inform us without delay. See ‘Contact us’ below.
Personal information also includes special categories of personal data. This is data about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation (as relevant). We do not usually ask you for this type of information nor do we obtain it from third party sources (such as the Intermediary(ies)). The exception is data concerning your health – this may be processed if you volunteer this information when we ask you about the conduct of your Account, for instance, if you tell us that you are unable to meet repayments because you have a health condition. Personal information also includes criminal convictions and offence details and we may process these if fraud prevention agency checks reveal a fraud or if we identify a fraud on your Account.
What we may use and process your personal information for and the legal basis for our use and processing
We are required by data protection law to indicate to you the legal basis which relates to our use and processing of your personal information. This may include (as relevant):
- Processing that is necessary for performance of a contract (in particular, this Credit Agreement) or in order to take steps at your request prior to entering into a contract. In particular, personal data will be processed for the purposes of administering your accounts and assessing any applications you make. Such processing is necessary to avail of the products/services provided by Premium Credit to you. Such processing may include the use of your contact details, including your email address and/or postal address, to send service messages to you in relation to your account. Such messages may, for example, include your account statement.
- Processing that is necessary for our own legitimate interests or those of third parties provided these are not overridden by your interests and fundamental rights and freedoms – such as: (a) to protect our business information, our premises and our staff; (b) for management and audit of our business operations including auditing; (c) for market research and analysis including developing statistics (we may anonymise your personal information prior to this – see below); (d) to administer your Account and to provide customer service and support functions including those made available on our website and over the telephone; (e) for direct marketing (subject always to your consent, where that is required); (f) when there is a sale or reorganisation or our business assets (in that scenario purchasers may be able to obtain personal information from us where necessary for their own legitimate interests of preparing for completion of the sale or reorganisation); (g) for systems or other testing and analysis to help us with systems and product development (we may anonymise your personal information prior to this – see below); (h) for the monitoring purposes described below; and (i) for our corporate governance related purposes including compliance oversight and sample checking.
- Processing that is necessary to comply with a legal obligation (other than a contractual obligation) – such as: (a) to process your request for information or when you exercise your rights against us under data protection law; (b) for compliance with legal and regulatory requirements; (c) for establishment and defence of legal rights; (d) for activities relating to the prevention, detection and investigation of crime; (e) to verify identity/ies; (f) to submit information to, and perform checks at, the Central Credit Register; and (g) to perform checks at credit reference agencies and fraud prevention agencies.
- Processing that is based on your freely given, specific, informed and unambiguous consent – such as: (a) when you consent to direct marketing; (b) when you give your explicit consent in relation to data concerning your health if you volunteer this information when we ask you about the conduct of your Account; and (c) when you specifically request that we share your personal information with a third party such as your next of kin or another person to whom you have given a power of attorney in connection with the credit you have obtained from us. You are entitled to withdraw your consent at any time. If you do this and if there is no alternative lawful reason which justifies our processing of your personal data for a particular purpose, this may affect what you are entitled to receive from us. For instance, if you withdraw your consent to direct marketing, we will stop using it for that purpose and we will not inform you about our other products and services unless you alter your preferences again in future.
Credit scoring and checks at credit reference agencies
This information is condensed. For further details about our sharing of your personal information with the credit reference agencies (CRAs) please contact us (details below).
We may use your personal information to help us assess your eligibility for credit as part of your application for credit and, if you obtain credit, in managing your Account, as well as to confirm and verify your identity and other details, and by entering into this Agreement you agree that we may:
(a) search your records at CRAs when you first enter into this Agreement and periodically during the term of this Agreement such as if you apply to increase the credit amount. These searches will tell us about your credit history. When the CRAs receive a search from us they will place a footprint on your credit file and in this way they will add to their record about you details of our search which will be seen by other organisations making searches (for example, other lenders or providers of credit). These details will be used by those other organisations when assessing your applications for credit. Credit searches and other personal information about you which we provide to the CRAs will be used by the CRAs and shared with those other organisations to trace your whereabouts, recover debts that you owe and to verify your identity. Records remain on file at the CRAs for 6 years after they are closed, whether settled by you or defaulted. We, the Intermediary and a Service Provider may use information about you and the conduct of your Account to help make credit, credit-related and Service-related decisions about you or to trace debt and to fight fraud, money-laundering, terrorism and other crimes and to keep to any laws or regulations in any country;
(b) use a credit scoring or other automated decision-making system (this means that we will do automated credit scoring using details obtained from you, the Intermediary, and from the CRAs, to make decisions without human intervention based on about whether or not you are likely to meet the repayments on your Account – we will do this when assessing your application for credit and periodically after that if you apply to increase your credit limit then a decision will be taken based on the credit score).
Linked records
If you tell us that you have a spouse or financial associate, which creates a joint financial unit in a similar way to a married couple – for example if you share the same address, we may search, link and/or record information at the CRAs about you both; link any individual identified as your financial associate in our own records, take both your and their information into account in future applications by either or both of you; and continue this linking until one of you notifies us that you are no longer in a financial unit together. Information held about you by CRAs may be linked to records relating to any such person. When we search for information about you at credit reference agencies we may also search for information about the people with whom you are linked, and use that information about you when deciding whether or not to go ahead with this Agreement. We may also use information about you when making a decision about a person with whom your records are linked.
Whether or not we go ahead with this Agreement your records may become linked to any person revealed to be linked to you by this Agreement (for example a joint applicant). When the CRAs receive a search from us they will link together your records and these links will remain on their files until such time as you or the other person successfully files for a disassociation at the CRAs. If your circumstances change such that you are no longer a financial unit with another person you should contact the CRAs about this.
Credit Reporting
Under the Credit Reporting Act 2013 lenders are required to provide personal and credit information for credit applications and credit agreements of €500 and above to the Central Credit Register. This information will be held on the Central Credit Register and may be used by other lenders when making decisions on your credit applications and credit agreements.
The following information must be provided by us to the Central Credit Register:
1. Forename;
2. Surname
3. Gender;
4. Date of Birth;
5. Address;
6. Postal Code
7. Eircode;
8. Personal Public Service Number;
9. Other Tax Reference Numbers;
10. Telephone Number (included);
11. Employment: Employment Status;
12. Employment: Occupation Category;
13. Institutional Sector; and
14. Subject Status.
Please note that additional information is required to be provided in the case of a self-employed individual. In the case of companies, certain prescribed information must be collated.
Obtaining details of credit reference agencies and copies of your data
You can contact us by writing to us at Premium Credit Ireland, Arena House, Arena Road, Sandyford Business Estate, Dublin 18 to request:
(a) details of the credit reference agencies we use (as mentioned above, you will need to contact the credit reference agency directly about the information they hold about you); and
(b) a copy of the personal information we hold about you (further details below on this – see “Your rights under applicable data protection law”).
Checks at fraud prevention agencies
We will check your personal information with fraud prevention agencies (FPAs) when you first enter into this Agreement and periodically during the term of this Agreement such as if you apply to increase the credit amount. If false or inaccurate information is provided and fraud is identified details will be passed to FPAs. Law enforcement agencies may access and use this information. We and other organisations may use this information to prevent crime including fraud and money laundering, for example when checking details on applications for credit related or other facilities, managing credit and debt related accounts or facilities and recovering debt.
Monitoring
We may monitor and record telephone calls and monitor email communications with you for the purpose of quality control, security and training, resolving complaints and/or to evidence the nature and contents of such conversations which is in our legitimate interests. In addition, we may do this where necessary for compliance with regulatory rules or self-regulatory practices or procedures relevant to our business and to prevent or detect crime.
Data anonymisation and use of aggregated information
We may convert your personal information into statistical or aggregated form to mean you are not identified or identifiable from it. We may use this aggregated data to conduct research and analysis and to produce statistical research and reports which is in our legitimate interests. For instance, this may help us to understand how many of our customers’ Accounts are in arrears at any given time. Aggregated data may be shared with our affiliates.
Who we may give your personal information to
We may give information about you, your Account (including, where relevant, the bank details we hold) and the conduct of your Account to credit reference agencies and fraud prevention agencies (see above), any Intermediary, any agent or administrator acting on our behalf, a Service Provider (this would include for instance third parties who supply products and services to us, for instance IT software providers and providers of IT support services), debt collection agents, any party to which we transfer, assign or charge this Agreement or our interest in this Agreement (or any party to who we are considering transferring, assigning or charging this Agreement or our interest in this Agreement) and their insurers and advisers, or any third party from whose bank accounts you make payments from under the Agreement (we may provide a copy of this Agreement to your bank, in this way, to evidence that we are able to take payment from your account). We may disclose your personal information where necessary to providers of indemnity insurance to our business.
We may also give information to the police, fraud prevention agencies or other regulatory authorities, government agencies if required to do so by law or where we are required to do so in response to requests from all such persons, or if you give us false or inaccurate information and we suspect fraud (further details above). We will disclose it where compelled to do by the Courts and for the administration of justice.
We may share your personal information with our professional advisors and our auditors.
If you have more than one agreement with us, we may hold and update information relating to your name, address and contact details on our central database and disclose such information to any organisation who submits an application for credit to us on your behalf for the purposes of such application and any related agreement, so they can update their records about you to continue providing you with services, identify products and services which might be suitable for you, recover amounts owing from you and to prevent fraud.
Transfers outside the EEA
We may transfer your personal information to countries outside of the European Economic Area (EEA) which do not have adequate protections for personal information under their own applicable laws. For instance, this may happen if we use service providers. Where we transfer your data outside the EEA we will only do so in accordance with our obligations under applicable data protection law. Steps will be taken to put in place safeguards (including around security) to protect your personal information when it is outside the EEA.
Safeguards may include the Standard Data Protection Clauses (also known as EU Model Clauses). You can find out what these are here: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm. Transfers may also happen based on the US Privacy Shield. Details here: https://www.privacyshield.gov/welcome. You can contact us for a copy of EU Model Clauses.
Retention period or criteria used to determine the retention period
We will keep your personal information for as long as we need it to fulfil the purposes for which it was collected (see above). We will keep certain personal information after that in order to comply with legal and regulatory requirements. The criteria we use to determine data retention periods for Personal Information includes the following:
- Retention in case of queries. We will retain your personal information in case of queries from you about your Account;
- Retention in case of claims. We will retain your personal information for the period in which you might bring claims against us in connection with this Agreement;
- Retention in accordance with legal and regulatory requirements. We will retain your personal information after the periods described above as necessary in order to comply with our regulatory compliance obligations.
If you would like further information about our data retention practices you can ask for this at any time (contact details below).
Your rights under applicable data protection law
There are various rights under data protection law and these will not always be relevant to you. We have described below what the rights are but please do be aware that they will not be engaged in all circumstances. If you wish to exercise any of these rights please contact us (details below).
- The right to obtain access to personal data that we hold about you and certain prescribed information about how we process it. This is more commonly known as submitting a “data subject access request” – you must do this in writing and the purpose of this right is to enable you to obtain confirmation that your data is being processed, access to your personal data, and other supplementary information about how it is processed, all this is to ensure you can be aware of and can verify the lawfulness of the processing.
- The right to obtain from us without undue delay the rectification of inaccurate personal information concerning yourself and to have incomplete personal data completed in certain circumstances.
- The right to obtain from us the erasure of personal information concerning yourself without undue delay in certain circumstances (also known as the “right to be forgotten”). This right is not absolute – it applies only in particular circumstances and where it does not apply any request for erasure will be rejected. Circumstances when it might apply include where the personal information is no longer necessary in relation to the purpose for which it was originally collected/processed, when consent is withdrawn (if relevant), when the individual objects to processing and there is no overriding legitimate interest for continuing the processing, if the personal information is unlawfully processed, or if the personal information has to be erased to comply with a legal obligation. Erasure requests will be refused where that is lawful and permitted under data protection law such as where the personal information has to be retained to comply with legal obligations or to exercise or defend legal claims.
- The right to obtain the restriction of processing of your personal information may be relevant if you contest the accuracy of your personal information and its accuracy is being verified; when the processing is unlawful and you request that use of the personal information is restricted and where you do not want erasure instead; or when we no longer need to process the personal information but you require the personal information to be retained in case of future legal claims.
- The right to data portability where the personal information is processed by us based on a consent or on a contract and by automated means (as relevant). This right allows individuals to obtain and reuse their personal information for their own purposes across different services without hindrance to usability. It is important to understand that this right is different from the right of access (see above) and this means that the types of information that you can receive through the right of portability are different to the types you could receive under the right of access. Under data portability you can only receive personal information where it is processed based on your consent or explicit consent in the case of special categories of personal information, or processing that is happening based on it being necessary for performance of a contract (such as this Agreement) or in order to take steps at your request prior to entering into a contract, and where the processing is carried out by automated means. This means that you are not able to obtain through the data portability right all of the personal information that you are able to obtain through the right of access.
- The right to object to processing of your personal information – this right allows individuals in certain circumstances to object to processing based on legitimate interests, including profiling based on legitimate interests; direct marketing; and processing for purposes of statistics.
- Rights relating to automated decision making about you including profiling (as relevant) if this has a legal or other significant effect on you as an individual – this right allows individuals in certain circumstances to access certain safeguards against the risk that a potentially damaging decision is taken without human intervention.
Contact us
If you have questions or queries about this data protection notice you can contact us by writing to us (see address above) or by telephone 0818 300095.
Our Data Protection Officer
To make a request for information or to enquire about the Data Protection Act, contact:
The Data Protection Officer
Premium Credit Limited,
Ermyn House, Ermyn Way,
Leatherhead, Surrey
KT22 8UX
Email: dataprotectionofficer@pcl.co.uk
Your right to lodge complaints with the data privacy supervisory authority
Please note that here we mean the Office of the Data Protection Commissioner (details below) – this is entirely distinct from the supervisory authority referenced in the Agreement.
Without prejudice to any other administrative or judicial remedy you might have, you have the right to lodge a complaint with the data protection supervisory authority in Ireland. You may do this if you consider that we have infringed the applicable data protection law. In Ireland, the supervisory authority who is empowered to investigate whether we are complying with the data protection law is called the Office of the Data Protection Commissioner. For more details including how to contact the Office of the Data Protection Commissioner please visit its website: https://www.dataprotection.ie