Data Protection Statement
This Data Protection statement provides information about the ways in which the Central Credit Register and the Central Bank of Ireland processes personal data supplied to it by lenders in connection with loan applications and loan agreements for €500 or more.
For the purposes of data protection legislation, the data controller for personal data provided to the Central Credit Register is the Central Bank of Ireland, New Wapping Street, North Wall Quay, Dublin 1.
All information contained on the Central Credit Register is stored within the European Union. If a borrower requests a credit report from outside the European Union, we will respond as instructed by the borrower.
The Central Credit Register has been established by the Central Bank of Ireland, under the Credit Reporting Act 2013 as amended (the Act) and associated regulations. The Central Credit Register is a mandatory database of personal and credit information. The Central Bank has contracted with CRIF Ireland Ltd, Adelphi Plaza, Georges Street Upper, Dun Laoghaire, Co Dublin (a wholly owned subsidiary of CRIF S.p.A) to operate the Central Credit Register. CRIF Ireland Ltd is the Central Bank's data processor.
Collection and use of personal data
Under the Act, lenders are obliged to submit credit information and personal information on individual borrowers (read what's included) to the Central Credit Register. Personal information includes:
(b) date of birth
(d) current and previous addresses
(e) telephone number
(f) personal public service number (PPSN)
This information is necessary for the purposes of accurately identifying borrowers and matching their loans, including loans that they may have with more than one lender. This information is stored securely on the Central Credit Register and will be released only when a lender or the borrower to whom the information relates requests access; if the borrower to whom the information relates, consents to the release of this information to another person; as provided by the Credit Reporting Act 2013 as amended, the Data Protection Act 2018 or as required or permitted by law or any other applicable legislation. The Central Bank may also transfer information to state agencies and law enforcement bodies when it is considered necessary and proportionate to do so.
Personal data relating to a credit agreement will be held on the Central Credit Register for a period of 5 years. This 5-year period generally runs from the date of final repayment of the loan in question. It is important for the Central Bank to retain information in order to provide an accurate credit profile of a borrower. Read more information on Retention of Information.
Personal information in the form of Identification Documents provided in respect of the exercise of any of your rights, such as a request for a credit report, request for an amendment, placing an explanatory statement or notice of suspected impersonation are retained for a period of 5 years.
A credit report will also contain information on any credit applications submitted by a borrower, such as the type of loan applied for, and the amount requested. Information on credit applications is retained for a period for six months.
A credit report will also contain a footprint. This is a record of all the dates that a credit report has been requested, by whom and the type and purpose of the enquiry.
The Central Bank may use any information held on the Central Credit Register in the performance of any of its functions.
The information held on the Central Credit Register also supports the Central Bank's obligations and functions including consumer protection, supervising the financial sector and ensuring finacial stability.
Any personal information to be transferred from the Central Credit Register to the Central Bank will be provided on a pseudonymised basis only.
Under the Credit Reporting Act 2013 as amended, borrowers have the following rights in relation to information held on the Central Credit Register:
- a right to insert an explanatory statement on your credit report;
- a right to apply to have inaccurate, incomplete or not up-to-date information amended;
- a right to report suspected impersonation;
- a right to request a copy of your credit report.
Find out further information in relation to these rights. In order to request your credit report or to request a credit report on behalf of another person, you will need to furnish some identification documents.
Under data protection legislation, borrowers have the right to access personal data held in relation to them on the Central Credit Register and to apply to have inaccurate, incomplete or not up-to-date personal data rectified. Borrowers also have the right to request that access to their personal data be restricted while an amendment requested by that borrower is under consideration by the Central Credit Register.
Queries and complaints
Should you have any queries in respect of the Central Credit Register you can contact us. Alternatively, you can contact the Data Protection Officer of the Central Bank at email@example.com or read the Central Bank's Data Protection Statement. Individuals also have the right to lodge a complaint with the Data Protection Commission at any time.
Data Protection Impact Assessment
The Central Bank has completed both a Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) over the course of the phased implementation of the Central Credit Register.
The purpose of the PIA and DPIA is to assess the impact that the introduction of the Central Credit Register will have on individual credit information subjects' privacy and data protection rights, and assist in the evaluation of potential solutions to those risks.
The executive summaries of the Privacy Impact Assessment and the Data Protection Impact Assessment provide assurance that we have addressed all identified risks. Redacted copies of the PIA and DPIA are also available.