1. Home
  2. Borrower Area
  3. Data Protection Statement

Data Protection Statement

This Data Protection Statement provides information about the ways in which the Central Bank of Ireland (the “Central Bank”) processes personal data supplied to the Central Credit Register.

The Central Credit Register has been established by the Central Bank under the Credit Reporting Act 2013 (the “2013 Act”) and associated regulations. It is a mandatory database of credit and personal information which facilitates credit reporting by lenders to the Central Credit Register and credit checking by lenders before granting credit under the 2013 Act.

For the purposes of data protection legislation, the data controller for personal data provided to the Central Credit Register is the Central Bank of Ireland, New Wapping Street, North Wall Quay, Dublin 1.

The Central Bank has contracted with CRIF Ireland Ltd, Adelphi Plaza, Georges Street Upper, Dun Laoghaire, Co. Dublin (a wholly owned subsidiary of CRIF S.p.A) to operate the Central Credit Register. CRIF Ireland Ltd is the Central Bank's data processor.

All information contained on the Central Credit Register is stored within the European Union. If a borrower requests a credit report from outside the European Union, we will respond as instructed by the borrower.

Collection and use of personal data

Under the 2013 Act, lenders are obliged to submit credit information and personal information to the Central Credit Register in respect of loan applications and loan agreements (read what's included).

In this context, personal information includes:

       (a) name

       (b) date of birth

       (c) gender

       (d) current and previous addresses

       (e) telephone number

       (f) personal public service number (PPSN)

Personal information is necessary to accurately identify borrowers and match their loans and loan applications, including loans that they may have with more than one lender.

Credit information, such as the type of loan a borrower has or has applied for, the amount borrowed or applied for, and other details in respect of loan agreements and loan applications including in respect of existing loan agreements, information relating to the performance by a borrower under the loan, is also submitted by lenders.

Credit information and the related personal information is stored securely on the Central Credit Register, to which access is strictly controlled in accordance with the 2013 Act.

This information will only be released in the following circumstances:

  • Where a lender or the borrower to whom the information relates requests access to information held on the Central Credit Register in accordance with the 2013 Act; 
  • Where the borrower to whom the information relates, consents to the release of this information to another person; or
  • As provided by the 2013 Act, the Data Protection Act 2018 or otherwise required or permitted by law or any other applicable legislation.

The Central Bank may also transfer information to state agencies and law enforcement bodies when it is required and considered necessary and proportionate to do so.

 

Period for which personal information can be held

Personal information stored on the Central Credit Register is removed when the last associated credit information has been deleted.

Credit information submitted by lenders in respect of new loan applications is held on the Central Credit Register for a period of 6 months from the date on which the information is entered on the Central Credit Register;

Credit information submitted by lenders in respect of loan agreements is held on the Central Credit Register for a maximum period of 5 years at any given time;

Where all liabilities under the loan agreement have been discharged, the credit information is held on the Central Credit Register for a period 5 years after the loan is discharged.

Personal information in the form of identification documents or contact details provided by you or any third party in the exercise by you of any of your rights, such as a request for a credit report, request for an amendment, placing an explanatory statement or notice of suspected impersonation are retained for a period of 5 years.

Personal information collected in operating the Central Credit Register may also be used to maintain accurate information on the Central Credit Register in accordance with applicable law, including the General Data Protection Regulation. Personal information provided by you in the exercise of any rights, such as your PPSN, address(es) which is not already on the Central Credit Register, may be added to the Central Credit Register to ensure the accuracy of the personal data held in relation to you.

You can apply to the Central Credit Register for a copy of your credit report.  A credit report contains a footprint. This is a record of all the dates that the credit report has been accessed. On the credit report provided to you the footprint contains a record of access in the last five years including the name of the enquiring party. On any credit report provided to a lender, the footprint will contain a record of access in the last two years but will not identify the enquiring party.

The Central Bank may use any information held on the Central Credit Register in the performance of any of its functions.  The information held on the Central Credit Register supports the Central Bank's obligations and functions including consumer protection, supervising the financial sector and ensuring financial stability. Any information transferred from the Central Credit Register to the Central Bank for use in the performance of any its obligations and functions is generally provided on a pseudonymised basis.

In August 2023, the Central Bank identified an issue which prevented the automatic deletion of certain data which was due to be removed from the CCR database. Further information is available at centralbank.ie. This issue has been corrected and the relevant deletion processes for CCR data are now operating as intended. In order to facilitate our investigation of this matter we will be retaining copies of certain CCR data related to this issue in a separate database. This database will not be utilised to generate credit reports and we intend to delete the database when our investigation has concluded.

Online is the fastest way to get a copy of your Credit Report.  Alternatively, to access your CCR data please contact ccrdataprotection@centralbank.ie.

 

Your Rights

Under the 2013 Act, you have the following rights in relation to information, including personal information, held on the Central Credit Register:

  • a right to insert an explanatory statement on your credit report;
  • a right to apply to have inaccurate, incomplete or not up-to-date information amended;
  • a right to report suspected impersonation;
  • a right to request a copy of your credit report (or consent to a third party requesting a credit report on your behalf). See our third party factsheet here.

You can apply for your credit report online

Under data protection legislation, you have the right to access personal data held in relation to you on the Central Credit Register and to apply to have inaccurate, incomplete or not up-to-date personal data rectified. You also have the right to request that access to your personal data be restricted while an amendment requested by you is under consideration by the Central Credit Register.

This website uses cookies. Cookies are small text files that can be placed onto your computer, smartphone or other device by this website. Read our full Privacy and Cookie Policy here.

 

Queries and complaints

Should you have any queries in respect of the Central Credit Register you can contact us. Alternatively, you can contact the Data Protection Officer of the Central Bank at dataprotection@centralbank.ie or read the Central Bank's Data Protection Privacy Notice.

Individuals also have the right to lodge a complaint with the Data Protection Commission at any time, if they think that personal data has been processed in a way that breaches data protection law. 

To access your CCR data please contact ccrdataprotection@centralbank.ie.

 

Data Protection Impact Assessment

The Central Bank has completed both a Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) over the course of the phased implementation of the Central Credit Register.

The purpose of the PIA and DPIA is to assess the impact that the introduction of the Central Credit Register will have on individual credit information subjects' privacy and data protection rights, and assist in the evaluation of potential solutions to those risks.

The executive summaries of the Privacy Impact Assessment and the Data Protection Impact Assessment provide assurance that we have addressed all identified risks. Redacted copies of the PIA and DPIA are also available.