As well as being a primary piece of EU legislation, the General Data Protection Regulation (GDPR) (EU) 2016/679GDPR also provides that individual member states may enact their own legislation to give specific interpretation to the application of some of the provisions covered under the GDPR. In the Republic of Ireland, this is contained within the Data Protection Bill 2017.
Castlehaven Finance (CH) is committed to providing a transparent and straightforward funding solution that can be delivered within the required timescale for our clients. Our team of experienced property professionals are relationship driven and strive to make the borrowing process as simple as possible.
During the course of day-to-day business, CH needs to gather and use certain information about individuals. Such individuals can include customers, suppliers, business contacts, employees and other persons with which the organisation has a relationship, or may need to contact.
This Data Protection Policy (hereinafter referred to as the “Policy”) describes how personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with the law.
This Policy has been established to ensure CH:
- Complies with data protection law and follows good practice;
- Protects the rights of staff, clients and associates;
- Is open about how it stores and processes individuals’ data; and
- Protects itself from the risks of a data breach.
The Policy is maintained by CH’s Data Protection Officer (DPO) and is approved by the Senior Management Team. The Policy will be reviewed and revised, as and when it becomes necessary, by the DPO to ensure continued alignment with legal developments and legislative obligations, while at the same time remaining appropriate to CH’s internal operations and risk management requirements.
Everyone who works for or with CH has responsibility for ensuring data is collected, stored and handled appropriately. All CH staff have a personal responsibility to ensure compliance with the principles of the applicable Data Protection legislation and to adhere to CH’s Policy.
Further comments or questions on the content of this Policy should be directed to the DPO. Any material changes to this Policy will require approval by the Senior Management Team.
The Data Protection Officer
As part of the GDPR, it is mandatory for CH to have a formally appointed DPO. The DPO’s role facilitates compliance with GDPR and ensures that, in carrying out CH’s day-to-day business, all personal data held and processed by CH, such as that belonging to internal staff, clients and third parties, is appropriately protected in accordance with such persons’ regulatory rights.
In line with Article 37(5) of the GDPR, the DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”. Furthermore, the DPO role cannot be assigned to someone where his or her other role(s) and their DPO duties present a conflict of interest.
Data Protection Principles
GDPR sets out eight principles governing the use of personal information, which must be complied with, unless an exemption applies.
These principles are in essence a code of good practice for processing personal data. They state that personal data must:
1. Be processed fairly and lawfully. This means CH must:
- Have legitimate grounds for collecting and using the personal data;
- Not use the data in ways that have unjustified adverse effects on the Individuals concerned;
- Be transparent about how it intends to use the data and give Individuals appropriate and fair processing notices when collecting their personal data;
- Handle individuals’ personal data only in ways they would reasonably expect;
- Make sure it does not do anything unlawful with the data.
2. Be obtained for one or more specified and lawful purpose, and shall not be further processed in any manner incompatible with that purpose or those purposes. This means that CH must:
- Be clear from the outset about why it is collecting personal data and what it intends to do with it;
- Comply with the fair processing requirements of the GDPR, including the duty to give clear and fair processing notices to Individuals when collecting their personal data;
- Comply with what the GDPR says about notifying the Information Commissioner;
- Ensure that if it wishes to use or disclose the personal data for any purpose that is additional to, or different from, the originally specified purpose, the new use of disclosure is fair.
3. Be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. As such, CH:
- May only hold personal data about an Individual that is sufficient for the purpose/purposes for which it is being requested;
- May not hold more information than needed for the applicable purpose/purposes.
4. Be accurate and, where necessary, kept up to date. Furthermore, CH will:
- Take reasonable steps to ensure the accuracy of any personal data it obtains;
- Ensure that the source of any personal data is clear;
- Carefully consider any challenges to the accuracy of information;
- Consider whether it is necessary to update the information.
5. Not be kept for longer than is necessary. In this regard, CH shall:
- Review the length of time it keeps personal data;
- Consider the purpose or purposes for which it holds the information in deciding whether (and for how long) to retain it;
- Securely delete information that is no longer needed;
- Update, archive or securely delete information if it goes out of date.
6. Be processed in accordance with the Data Protection Bill 2017 and GDPR, and in doing so accept that providers of personal data shall have:
- A right of access to a copy of the information held in their personal data file;
- A right to object to processing that is likely to cause or is causing damage or distress;
- A right to prevent processing for direct marketing;
- A right to object to decisions being taken by automated means;
- A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed;
- A right to claim compensation for damages caused as a result of a breach of the GDPR by CH.
7. Be protected in appropriate ways. Accordingly, CH shall:
- Design and organise security to fit the nature of the personal data it holds and the harm that may result from an information security breach;
- Be clear about who in the organisation is responsible for ensuring information security;
- Make sure it has the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff;
- Be ready to respond to any breach of security swiftly and effectively.
8. Not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Data Processing Principles
CH data processing under the GDPR will be lawful only if it satisfies one of the defined legal bases. The legal bases for lawful processing applicable to CH are:
- The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary for the purposes of the legitimate interests pursued by CH or by a third party.
The Rights of the Castlehaven Finance Data Subjects
Under the GDPR, notifying a breach in Personal Data is mandatory in all EU member states. A Data breach is likely to “result in a risk for the rights and freedoms of individuals”. Any data breach must be reported no less then 72 hours after CH first realises the breach has occurred. Data Subjects who have suffered this breach must be informed by the appointed CH DPO.
Right to Access
Data Subjects have the right to obtain any data that has been confirmed by CH to be theirs. In such cercumstances, CH shall provide a copy of the personal dat, free of charge, in an electronic format. CH shall provide data transparency to all Data Subjects and acknowledges the empowerment of Data Subjects under the GDPR.
Right to be Forgotten
Data Subjects may request that CH erase his/her personal data, prohibit CH from further dissemination of the data, and request that any third parties in receipt of their personal data halt the processing of same. CH may, in certain circumstances, retain some data to ensure compliance with other regulations, however where no such justification to retain data exists, the Data Subject’s right to be forgotten applies.
Independent Supervisory Authorities
Under the GDPR, each Member State will have one or more independent public authorities responsible for:
- Monitoring and the enforcing the application of the GDPR;
- Promoting public awareness of the rules and rights around data processing;
- Advising the government on data protection issues;
- Promoting awareness among controllers and processors of their obligations;
- Providing information to individuals about their data protection rights;
- Maintaining a list of processing operations requiring data protection impact assessment.
In Ireland, under the Data Protection Bill 2017, the Data Protection Commissioner, which was formerly responsible for supervising data protection, has been replaced with a Data Protection Commission.
The Data Protection Commission has the power to:
- Order CH to provide information as required in order to assess compliance with GDPR;
- Carry out investigations of CH in the form of data audits, including accessing CH’s premises;
- Order CH to change their processes in order to comply with Data Subject requests;
- Issue warnings to CH and can ban processing as well as commence legal proceedings against CH.
Privacy By Design
CH strives to implement appropriate and effective technical and organisational measures in order to meet the requirement of the GRDP and protect the rights of all CH Data Subjects. Accordingly, CH endeavours to only obtain, hold and process the data absolutely necessary for the completion of its duties (“data minimisation”), and limit access to personal data strictly to those needing to act out the processing.
Communication with Staff and Service Users
CH is committed to reviewing all current data privacy notices and alerting individuals to the collection of their data. In doing so, CH shall promptly identify and rectify any deviation found to exist between the extent of data collected versus that required to be processed.
In accordance with the GDPR, CH will notify its Data Subjects of our identity, our reasons for gathering data, the uses it will be put to, who it will be disclosed to, and whether the data is going to be transferred outside the EU.
What Data is Collected
CH may collect and use data about you even if you are not a client of CH but are working directly or indirectly with such a person, e.g. you may be a director, account holder, or representative of a CH client, or be a potential client seeking to avail of our services.
Data collected, used and held by CH may include information:
- To identify you, including your contact information;
- About your financial details/circumstances;
- About your business and financial associations;
- About you provided by others;
- You have otherwise consented to CH collecting and using.
Other than at the time of information being supplied directly by you to CH, the company may collect data:
Subsequent to, and from, your use of CH services and/or the CH website;
As and when provided to CH by third parties.
Why Data is Collected
CH collects data where it is necessary:
In order for the business to comply with statutory/corporate obligations in relation to the provision of its services (e.g. undertaking “know your client” (KYC) and anti-money laundering (AML) due diligence as part of its underwriting process, and reporting to the Central Credit Register, regulatory authorities and law enforcement as required during the course of any loan etc.);
For any other legitimate reason in relation to the management of an existing contract between CH and the data subject;
For operational purposes which are key to the management of our business, such as Customer Relationship Management (CRM).
In connection with the above, CH will often be required to share data with authorised representatives, including corporate partners and third party consultants employed by CH for the purpose of fulfilling its obligations under an agreed contract or service. This may also require CH to share data with parties outside of the Republic of Ireland – specifically, with associates based in the United Kingdom.
Marketing & Analytics
CH’s website features the use of ‘E-Marketing’ tools, which provide information about how the company builds relationships with its clients. With these tools, CH is also able to, and may, from time to time, send emails to users regarding how the business is operating. All users are given an “opt out“ option, should they wish not to avail of such communications, and are free to change their preferences is this regard at any time.
CH may analyse information about, and provided by, users of its website to:
- Help the company understand users’ needs and develop relationships with users;
- Help the company offer users product and service information deemed to be of interest to users;
- Determine the suitability of, or our willingness to provide, any of the company’s financial products in relation to users’ proposals;
- Assist in compliance checks, e.g. in respect of CH’s legal obligations in connection to money laundering and/or fraud.
Privacy – Non-Provision of Data
If CH requires personal data for the purpose of delivering its services and you decide not to provide CH with the required data, CH may not be able to:
- Provide information regarding the company’s service or products;
- Continue to provide information about services of interest;
- Renew the provision of existing contracted services.
Storage and Handling of Data
CH uses different storage methods for different types of data. Fundamentally, all CH data is stored electronically on a third party cloud-based storage platform, namely Microsoft Office 365 OneDrive. CH uses other Microsoft Office 365 packages/applications such as Microsoft Outlook to communicate and keep track of correspondence with data subjects.
Furthermore, in connection with Microsoft Office 365, CH uses Customer Relationship Management (CRM) software provided by Zoho to manage and organise the personal data it holds.
CH uses Adobe Acrobat software alongside Microsoft Office 365 to ensure all documentation containing personal data issued by CH is protected by encryption.
Hard copy backups of certain documents may also be created for CH’s sole use, which are stored in CH’s secure office premises.
Dispose of Data
CH adopts a rigorous clerical and electronic filing system in which the reviewing and updating of files, including the removal of those no longer deemed necessary, occurs regularly. Data that is no longer in use and deemed unneccessary for further holding will be disposed of by any of the following means, as appropriate:
- Shredding of hard copy documentation;
- Permanently deleting electronic files from Microsoft Office 365 OneDrive and Zoho CRM software;
- Permanently deleting email correspondence from from Microsoft Office Outlook.