Data Protection Privacy Notice
This data protection notice provides information about the ways in which the Central Bank collects and uses personal data. For the purposes of data protection legislation, the data controller of your personal data is the Central Bank of Ireland, New Wapping Street, North Wall Quay, Dublin 1.
This notice applies to all personal data collected by the Central Bank in connection with the performance of its statutory functions and related purposes as outlined below. The Central Bank can receive the personal information directly from individuals or indirectly from another party (such as a regulated financial service provider). Separate data protection notices are included on:
These notices provide information relating to the processing of personal data by the Central Credit Register and the use of personal data provided to the Central Bank in connection with the purchase of collector coins and the deposit guarantee scheme respectively.
Collection and use of Personal Data to Perform Statutory Functions
As a central bank and financial services regulator, the Central Bank processes personal data to perform its functions under the EU Treaties, the ESCB Statute, the Central Bank Acts 1942 to 2015 and other provisions of financial services legislation. These functions include:
- Monetary policy and financial stability-related functions
- Collection of information for analysis or statistical purposes
- Resolution of regulated financial service providers
- Operation of deposit guarantee schemes or other compensation or customer protection schemes
- Protection of the best interests of consumers of financial services and regulation of financial service providers and markets
- Operation of the Central Credit Register.
The types of personal data processed by the Central Bank in order to perform its statutory functions are described in further detail below.
Individuals applying to the Central Bank for approval to perform a pre-approval controlled function (PCF) within a regulated financial service provider are required to submit an Individual Questionnaire (IQ) to the Central Bank. Completion of the IQ requires submission of personal data to the Central Bank, including the following:
- Name, address, contact details and passport number
- Details of professional experience and educational qualifications
- Information relating to criminal convictions and disciplinary proceedings
- Details of applicants’ shareholdings and business interests
- Details of applicants’ directorships and other senior positions.
The Central Bank processes this information and any other information relating to PCF role holders to perform its fitness and probity functions under Part 3 of the Central Bank Reform Act 2010 and, in particular, to assess the suitability of the applicant to perform the PCF role. If a PCF applicant does not provide the required information, the Central Bank will not be able to assess his or her application.
The Central Bank retain fitness and probity-related information for 30 years after the individual in question has vacated a PCF role.
The European Central Bank (ECB) is responsible for assessing the fitness and probity of the management board of, and key function holders with, significant credit institutions, as well as the management board of all credit institutions applying for authorisation. The Central Bank transmits such applications onwards to the ECB for assessment in accordance with Council Regulation (EU) No 1024/2013 (the SSM Regulation).
The Central Bank processes personal data of individuals such as staff members, shareholders and customers of financial service providers in connection with its regulation of financial service providers and markets. We process such personal data for numerous reasons, including the authorisation and ongoing supervision of regulated financial service providers, the regulation of financial markets and the investigation of the activities of unauthorised providers of financial services.
Individuals such as proposed acquirers of qualifying holdings in authorised entities or persons discharging managerial responsibilities (PDMRs) within an issuer are also obliged to provide certain personal data to the Central Bank under statute. Staff members of regulated financial service providers may also provide limited personal data to the Central Bank in connection with the submission of regulatory returns or other information on behalf of their employer e.g. for the purpose of uploading documents to the Central Bank’s Online Reporting System (ONR).
The Central Bank may also process personal data relating to controlled function (CF) role holders for purposes related to the supervision of the regulated financial service providers by which those CF role-holders are employed.
The Central Bank retains such data for as long as needed for the specific supervisory purposes for which it is collected. On request, we can provide information relating to the retention period for specific personal data.
The Central Bank may investigate regulated financial service providers or individuals within regulated financial service providers, where a concern arises that a breach of financial services law has been, or is being, committed. The purpose of such investigations is to allow the gathering of sufficient information to enable the Central Bank to determine whether any breach of financial services law has occurred and whether the imposition of sanctions may be appropriate.
In the course of an enforcement investigation process, the Central Bank may collect personal data under statutory powers including those under the Central Bank Reform Act 2010, the Central Bank (Supervision and Enforcement) Act 2013, assessor regimes or under securities markets legislation (e.g. market abuse legislation). This data may include personal data of individuals who are not the subject of the investigation. The Central Bank retains all information obtained in connection with an investigation for a period of 20 years after any related case is closed. Information collected for the purposes of market abuse investigations will be retained for a maximum period of five years after the case is closed.
Members of the public or other individuals may submit queries or provide feedback to the Central Bank. The Central Bank may use the personal data provided by such individuals to respond to their queries and, where appropriate, to investigate any issues raised. Investigation of such issues may require the disclosure of personal data to third parties such as another statutory body or a regulated financial service provider. The Central Bank retains such data for as long as needed for the purpose of investigating the issues that are raised. Information relating to the retention period for specific personal data can be made available on request. We may use feedback provided by members of the public on our facilities to enhance the user experience and improve those facilities (e.g. our visitor centre).
The Central Bank also collects and processes personal data provided by members of the public in connection with the exchange of damaged euro banknotes and coins, or Irish pound banknotes or coins in order to assess the relevant application and provide reimbursement to such persons. All applications for exchange of banknotes or coins are ordinarily retained for a period of one year but may be retained for an additional six years when details are captured incorrectly or in case of a payment settlement failure. The Central Bank may also forward details of such applications, including copies of ID received, to other authorities such as An Garda Síochána or the Revenue Commissioners.
Any information including personal data received by the Central Bank from a person making a protected disclosure (i.e. a whistle-blower) may be used by the Central Bank for the purpose of performing its statutory functions. The Central Bank is legally obliged to protect the identity of a person who makes a protected disclosure and not to disclose any information that might identify that person, subject to certain exceptions. The Central Bank retains information provided by whistle-blowers for a period of 30 years after any related case is closed.
For further detail about how the Central Bank handles information provided by whistle-blowers, see Protected Disclosures including Whistleblowing and Infringement Reports.
The Central Bank collects personal data from candidates for recruitment purposes. The information that the Central Bank may collect and hold about candidates includes:
- Name, address, telephone number(s) and email address
- Details of qualifications, skills, experience and employment history
- Details of current immigration status
- Details of criminal or pending criminal convictions in Ireland or any other jurisdiction
- Any additional information contained in a candidate’s CV such as referee information, disclosed at interview or otherwise provided to the Central Bank during the recruitment process.
The Central Bank needs to process data to decide whether to enter into a contract of employment with a particular candidate and may also process certain data to ensure that it is complying with its legal obligations. The Central Bank has a legitimate interest in processing personal data during the recruitment process and in keeping records of the process in order to manage the recruitment process, to assess and confirm a candidate's suitability for employment and decide to whom to offer a particular role. The Central Bank may also need to process candidates’ data to respond to and defend against legal claims.
For certain managerial positions, the candidate’s information may be provided to a third party service provider for the purpose of assessing the suitability for the role. In all other cases, the Central Bank will not share a candidate’s data with third parties, unless his or her application for employment is successful and an offer of employment is made to him or her. Once an offer of employment has been made to (and been accepted by) a candidate, that candidate’s personal data will be provided to An Gardaí Síochána for the purposes of vetting and the Central Bank may also contact previous employers named by that candidate as referees for the purpose of obtaining employment references. The candidate will also be required to provide medical information to the Central Bank’s occupational health provider for the purposes of assessing his or her capacity to work.
If a candidate’s application is unsuccessful, the Central Bank may keep his or her personal data on file for a period of 12 months.
Individuals accessing non-public areas within the Central Bank buildings will be required to provide their name, and to permit on-site security to view photographic ID for the purposes of identity verification. The Central Bank does not retain a copy of visitors’ photographic ID.
The Central Bank has installed CCTV systems at our premises for the purposes of public and staff safety, crime prevention and detection as well as to comply with standard business and insurance protocols. The increased video surveillance measures in place at our currency-related operations reflect the risks associated with the printing operations at the premises. CCTV cameras are located at access points, general reception areas, areas in front of elevator doors on each floor, car parks, shared areas and the exterior perimeter at Sandyford. Signage advises of areas covered by CCTV equipment. The Central Bank will only disclose CCTV images to others who intend to use the images for the purposes stated above.
Images captured by CCTV will generally be retained for a minimum period of 30 days, but could be retained for up to six months, depending on the level of activity on individual cameras. However, on occasion, there may be a need to keep images for longer, for example for the purposes of investigating a crime.
The Central Bank may process personal data submitted by tenderers to manage procurement award procedures and decide whether to enter into a contract with a particular tenderer. Personal data collected for this purpose may relate to the tenderer, its staff or its sub-contractors. Following finalisation of the procurement procedure in question and the entry into by the Central Bank of a contract with our chosen supplier(s), the Central Bank may process certain personal data in order to perform its obligations under that contract, such as arranging payment. We retain files relating to procurement procedures for a period of the current year plus six years.
Each time an individual uses the Central Bank website, cookies are automatically collected – a copy of our cookie notice is provided at the end of this notice.
Transfer of Personal Data
The Central Bank may transfer personal data to:
- Third parties, where required or permitted by law to do so
Third parties may include our service providers and statutory bodies, including An Garda Síochána, the Director of Corporate Enforcement, the Revenue Commissioners and the Competition and Consumer Protection Commission.
- The ECB in the context of the Single Supervisory Mechanism (SSM) or for the performance of ESCB-related tasks.
- Supervisory authorities in other EEA Member States for the purpose of performance of their functions.
- Supervisory authorities in countries outside of the EEA where permissible under data protection legislation.
This includes personal data on individuals obtained by the Central Bank as part of Fitness and Probity applications, authorisation process and personal data on individuals directly or indirectly connected to an enforcement investigation by supervisory authorities in countries outside of the EEA.
Depending on the country and authority, these transfers may be made under (a) an adequacy decision, i.e. where the European Commission had decided that the country or organisation ensures an adequate level of data protection, (b) an Administrative Arrangement such as the IOSCO Administrative Arrangement which has been agreed with the European Data Protection Board and the Data Protection Commission or (c) the Public Interest Derogation under Article 49 of the GDPR.
The Central Bank requires all third parties to respect the security and confidentiality of personal data disclosed to them. Third-party service providers may only process such personal data for specified purposes and in accordance with the Central Bank's instructions.
Your Rights
If your personal data is processed by the Central Bank, you have certain rights in relation to that data, which are outlined in summary form below. The Central Bank may require further information from you before we can respond to your request. The scope of certain rights may be subject to certain restrictions or exceptions provided for under data protection legislation.
You may exercise your rights by contacting our Data Protection Officer (dataprotection@centralbank.ie) or submitting the Subject Rights Request Form.
You have the right to receive a copy of the personal data the Central Bank holds about you as well as information about how it is used.
Applicability
This right is applicable at all times when the Central Bank holds your personal data.
You have the right to ask the Central Bank to correct personal data we hold about you where it is incorrect or incomplete.
Applicability
This right is applicable at all times when the Central Bank holds your personal data.
This right entitles you to require the erasure of your personal data from the Central Bank’s systems and records. However, this right applies only in certain circumstances (e.g. where the Central Bank no longer needs the personal data for the purpose for which we collected it or where you withdraw consent to our use of your personal data and where there is no other legal basis for continuing to use it).
Applicability
This right does not apply where personal data is required for the purpose of compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority. Therefore, this right is not applicable in respect of much of the personal data held by the Central Bank in the performance of its statutory functions.
This right entitles you to restrict the processing of your personal data by the Central Bank. Where this right is exercised, the Central Bank is still permitted to store your personal data but other use of the data is prohibited, save in certain limited circumstances.
Applicability
You can exercise this right if one of the following applies:
- You contest the accuracy of the personal data held about you and the CentralBank is verifying the accuracy of the data
- The personal data has been processed unlawfully and you oppose erasure and request restriction instead
- The Central Bank no longer needs the personal data but you need the data in connection with a legal claim
- You have objected to processing and the Central Bank is considering whether its legitimate grounds override your rights and interests.
This right allows you to obtain your personal data in a format that enables you to transfer that personal data to another organisation where the Central Bank is processing your personal data on the basis of consent or on the fulfilment of a contract and if processing is carried out by automated means. You may have the right to have your personal data transferred by us directly to the other organisation, if this is technically feasible.
Applicability
This right does not apply where personal data is required for the purpose of compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority. Therefore, this right is not applicable in respect of much of the personal data held by the Central Bank in the performance of its statutory functions.
You have the right to object to the Central Bank’s use of your personal data in certain circumstances. However, the Central Bank may continue to use your personal data, despite your objection, where there are compelling legitimate grounds to do so or we need to use your personal data in connection with any legal claims.
Applicability
This right applies where the Central Bank processes your personal data for the performance of a task carried out in the public interest or in the exercise of official authority or in pursuance of its legitimate interests.
You have the right not to be subject to a decision based solely on automated processing (without human involvement) where that decision produces a legal effect or otherwise significantly affects you.
Applicability
As the Central Bank currently does not make any automated decisions, this right is not applicable.
You have the right to withdraw your consent to the processing of your personal data by the Central Bank at any time. This will not affect the lawfulness of our processing before the withdrawal.
Applicability
This right only applies where the sole legal basis for processing your personal data is your consent.
You have the right to lodge a complaint with the Data Protection Commissioner if you think that the Central Bank has not processed your personal data in accordance with data protection legislation.
Applicability
This right applies at any time.
Cookie Notice
This cookie policy relates to our privacy practices in connection with the Central Bank of Ireland website. The Central Bank is not responsible for the content or privacy practices of other websites. Some technical terms used in this statement are explained at the end of this page.
If you have any questions, comments or concerns about this section you should contact our Media Relations Office on +353 (1) 224 6299 or media@centralbank.ie.
A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another.
We use Google Analytics, a web analytics service provided by Google (Alphabet Inc.) to gather statistics on our website so that we can improve web services for our visitors. Google Analytics uses cookies to identify user sessions, which allows for the collection of important data about how our visitors are using the site.
Google Analytics uses only first-party cookies for data analysis. This means that the cookies are linked to our website domain(s), and we will only use that cookie data for statistical analysis related to your browsing behaviour on our websites. If you choose, you can opt out by turning off cookies in the preferences settings in your browser. Your IP address is also truncated by the last octet prior to its storage using the "_anonymizeIp()" method.
You can opt-out from being tracked by Google Analytics by downloading and installing Google Analytics Opt-out Browser Add-on (http://tools.google.com/dlpage/gaoptout?hl=en) for your current web browser.
The following functional cookies allow the website to remember choices you make to provide enhanced, more personal features and to display Central Bank content. The information these cookies collect may be anonymous. However, they could track your browsing activity on other websites. Please see details about controlling cookies in the next section. More information about these cookies are found in the relevant third party websites:
You can control and/or delete cookies as you wish – for details, see https://www.aboutcookies.org/. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.
Web browser
The piece of software you use to read web pages. Examples are Google Chrome, Microsoft Internet Explorer, Firefox, Mozilla, Safari and Opera.
IP address
The identifying details for your computer (or your internet company’s computer), expressed in "internet protocol" code (for example 192.168.72.34). Every computer connected to the web has a unique IP address, although the address may not be the same every time a connection is made.
Cookies
Small pieces of information, stored in simple text files, placed on your computer by a website. Cookies can be read by the website on your subsequent visits. The information stored in a cookie may relate to your browsing habits on the web page, or a unique identification number so that the website can "remember" you on your return visit. Generally speaking, cookies do not contain personal information from which you can be identified, unless you have furnished such information to the website.
Queries
Should you have any queries on any aspects of this data protection privacy notice, you may contact our Data Protection Officer via dataprotection@centralbank.ie. This notice may be updated from time to time.