1. Executive Summary
1.1 The Strategic Banking Corporation of Ireland (referred to in this Data Protection Statement as “SBCI”, “us” or “we”) is committed to complying with our obligations in respect of the Processing of Personal Data under Data Protection Laws. The purpose of this Data Protection Statement (“Statement”) is to ensure that we meet our transparency obligations pursuant to the General Data Protection Regulation EU 2016/679 (“GDPR”) and the Data Protection Acts 1988-2018 (“DPA”), together “Data Protection Law”. The Statement sets out information about our duties and responsibilities regarding the protection of Personal Data.
1.2 This Statement has effect from 15 September 2023 and will be reviewed from time to time. The most up to date approved version is posted on the SBCI website. Previous versions are available on request.
1.3 A glossary of some of the data protection and other terms used throughout this Statement is set out in Annex 2.
2. About the SBCI
2.1 The objectives of the SBCI are, inter alia, to encourage the giving of credit in a prudent manner to enterprises and other persons in the State, in particular small and medium sized enterprises (“SMEs”), and facilitate the availability of credit in the State to benefit the economy and the economic well-being of the State.
The SBCI operates in the wholesale market, delivering funding to SMEs and other persons through a range of on-lenders including banks and non-bank finance providers. We avail of national and international sources of funding at competitive rates and procure the benefit of counter-guarantees for risk support. We have received financial support and funding from the European Investment Bank (“EIB”), the European Investment Fund (“EIF”), Kreditanstalt für Wiederaufbau (“KfW”), Council of Europe Development Bank (“CEB”), the Ireland Strategic Investment Fund (“ISIF”), the National Treasury Management Agency (“NTMA”), and certain Government Departments (collectively the “Funders”). Central to the activities of the SBCI is ensuring that the benefit of its support is delivered to the ultimate borrower.
2.2 The SBCI has developed three lines of business, details of which are set out below:
- (a) Lending: The SBCI serves as a wholesale on-lending financial institution with the aim of providing low cost, long-term wholesale finance to borrowers through suitable on-lenders with the benefit of the lower cost being passed through to the borrowers.
- (b) Risk-Sharing: The SBCI’s risk-sharing business provides partial credit guarantees to finance providers (our on-lenders) to facilitate the provision of credit to borrowers. The SBCI avails of and leverages risk capacity (counter-guarantees) from State and European supports to design financial products with the aim of making efficient use of its capital and enhancing access to finance for borrowers.
- (c) Service Provision: This line of business is supplementary to the SBCI’s two primary lines of business, Lending and Risk-Sharing. The SBCI is the operator of the schemes created under the Credit Guarantee Acts 2012, 2016 and 2020 (“Credit Guarantee Schemes” or “CGS”) on behalf of the Minister for Business, Enterprise and Innovation.
3. Purpose of this Statement
3.1 The purpose of this Statement is to explain what Personal Data we Process and how and why we Process it where you engage with the SBCI, whether as a customer, business partner, job candidate or generally as a member of the public. In addition, this Statement outlines our duties and responsibilities regarding the protection of such Personal Data and the rights of Data Subjects in that respect. Information on our website-related Processing activities is available in the SBCI Website Privacy and Cookies Policy.
3.2 This Statement is not an exhaustive statement of our data protection practices. The manner in which we Process data will evolve over time and we will update this Statement from time to time to reflect changing practices. In addition, we operate a number of internal workplace policies and procedures which interrelate with this Statement. For example, the SBCI has internal policies and procedures governing Personal Data Breaches, Data Subjects’ Rights and Data Retention.
3.3 In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Data Protection Statement by reference into various points of data capture used by us such as application forms and/or surveys.
4. The SBCI as a Data Controller
4.1 The SBCI is a statutory body established by the Strategic Banking Corporation of Ireland Act 2014 (“SBCI Act”). The Processing undertaken by the SBCI is undertaken in fulfilment of its statutory functions.
4.2 For the most part, the Personal Data Processed by the SBCI comprises personal information and financial information relating to a borrower’s business, which it has provided to its lenders (our on-lenders). The bank and non-bank on-lenders, through which we provide funding to borrowers, collect your Personal Data and Process it. We act as Data Controller in relation to that Personal Data.
4.3 In some instances, we may collect such Personal Data directly from you, including through the SBCI Customer Hub on the SBCI website, and we may also obtain it indirectly from other sources, including from on-lenders who are participating in the relevant scheme. The SBCI will act as a Data Controller in relation to the Personal Data you provide directly to us.
4.4 When acting as a Data Controller, the SBCI relies on Art. 6(1)(e) of the GDPR, which permits Processing that is necessary for the performance of a task which is in the public interest, where such “public interest” is laid down in EU or Irish law, as the legal basis for most of its Processing.
Where Processing activities are not supported by a statutory basis, the SBCI relies on alternative legal bases permitted by Data Protection Law, including (i) Processing which is necessary for performance of a contract or in order to take steps at the request of the data subject prior to the potential entry into a contract, (ii) Processing necessary to comply with a legal obligation (other than a contract), and (iii) Processing based on consent. While the SBCI may not generally rely on its own legitimate interests as a lawful basis for Processing Personal Data, other parties, such as the on-lenders through which we provide funding to borrowers, may Process your Personal Data for their legitimate interests. Examples of how we use your Personal Data and the legal bases related to these uses are set out in Annex 1.
5. The SBCI as a Data Processor
5.1 In some cases, the SBCI acts as a Data Processor, under the instructions of a Data Controller, for example, when the SBCI acts as operator of the Credit Guarantee Schemes.
5.2 When acting as a Data Processor, the SBCI complies with the relevant obligations under Data Protection Law. These include ensuring that the Personal Data that is Processed by the SBCI on behalf of the relevant Data Controllers is subject to appropriate technical and organisational measures to ensure a level of security appropriate to the risk and ensuring that the Processing is underpinned by a contract which includes the data protection provisions prescribed in Data Protection Law.
6. The SBCI as a Joint Controller
6.1 The SBCI has social media accounts on the Facebook and Instagram platforms (the “SBCI Accounts”). Where you interact with the SBCI Accounts, your Personal Data will be Processed in accordance with the terms and conditions, privacy policies and data protection notices that are provided to you on the relevant social media platforms. To the extent that the SBCI and Meta Platforms Ireland Limited jointly determine the purposes and means of the Processing of your Personal Data in connection with the SBCI Accounts, the SBCI and Meta Platforms Ireland Limited act as Joint Controllers in respect of any such Processing. The relevant terms governing this Joint Controller arrangement are available here.
7. Purposes of Processing
7.1 The primary purpose for which we use your Personal Data is to assess your eligibility for SBCI supported schemes and products. This means that the on-lenders (through which we provide funding to borrowers), and in some instances, the SBCI, will check whether you meet: (i) State Aid criteria, or (ii) the criteria demanded by our Funders.
7.2 Where Personal Data is submitted to the SBCI, your Personal Data and other information may be Processed automatically. However, any final decision about your eligibility for SBCI supported schemes and products involves human decision-making.
7.3 We will also Process Personal Data to perform anti-money laundering customer due diligence checks on the on-lenders through which we provide funding to borrowers.
7.4 We will Process Personal Data in connection with our applicant database, which is used to send communications to those persons who have applied for a SBCI supported scheme or product for the purposes of: (i) direct marketing of SBCI supported schemes and products; and (ii) to conduct market analysis and surveys.
7.5 We will Process Personal Data in connection with our advisor database which is used to send communications to those persons who have consented to receive surveys relating to the SME market for the purposes of: (i) conducting surveys relating to the SME market and (ii) forwarding the results of such surveys to relevant participants, if requested to do so.
7.6 We will Process Personal Data for the purpose of issuing shared marketing statements containing (i) information on SBCI supported schemes and products and (ii) information on financial services and supports provided by our Marketing Partners.
8. Special Categories of Personal Data
8.1 The SBCI processes Special Categories of Personal Data in limited circumstances. We do not usually seek this information from borrowers nor do we obtain it from third party sources. However, on an exceptions basis, we will Process this type of Personal Data where it is provided to us or our on-lenders on a voluntary basis by borrowers. For example, a borrower may advise us that they are unable to make repayments because of a health condition.
8.2 The SBCI will also Process data relating to criminal convictions and offence details on an exceptions basis, for instance if fraud prevention checks reveal a fraud in relation to a borrower application.
9. Disclosing Personal Data
9.1 From time to time, we will disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process, for example, where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data.
9.2 We will also share Personal Data: (a) with another statutory body where there is a lawful basis to do so (such as the Data Protection Commission in relation to complaint handling); (b) with selected third parties including contractors and sub-contractors (as appropriate), such as records management service providers; (c) with on-lenders through which we provide funding support to borrowers in order to take steps at your request prior to the potential entry into a contract (this may include Personal Data Processed in connection with the SBCI Customer Hub on the SBCI website); (d) if we are under a legal obligation to disclose Personal Data. This includes exchanging information with other organisations for the purposes of fraud prevention or investigation.
9.3 Where we enter into agreements with third parties to Process Personal Data on our behalf we ensure that the appropriate contractual protections are in place to safeguard such Personal Data.
9.4 Examples of third parties to whom Personal Data have been or will be disclosed include:
a) On-lenders through which we provide funding support to borrowers, including for the purpose of confirming your eligibility;
b) Government Departments including the Department of Enterprise, Trade and Employment (“DETE”) and the Department of Agriculture, Food and the Marine (“DAFM”), both of which are partners in SBCI schemes, including for audit and reporting purposes and in response to parliamentary questions;
c) Our Funders and their agents including in connection with audits and for the purpose of confirming your eligibility. Their agents include the European Court of Auditors, the European Commission (the “Commission”) and its agents, including the European Anti-Fraud Office and other European Union institutions or bodies which are authorised by applicable law to carry out audit and control activities. Such Personal Data may be held for a period of up to 10 years after the termination of the relevant agreements between the SBCI and its Funders.
d) Our professional advisors and our auditors;
e) Regulatory authorities and government agencies, if required to do so by law or where we are required to do so in response to requests from all such bodies;
f) Our service providers (including the NTMA), which act as Data Processors on our behalf; and
g) Social media platforms where you interact with the SBCI Accounts.
10. Individual Data Subject Rights
10.1 Data Protection Laws provide certain rights in favour of Data Subjects. The rights in question (“Data Subject Rights”) are as follows:
- The right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Data Controller) and as provided through this Statement;
- The right of access to Personal Data including knowledge of whether or not the Data Subject’s Personal Data are being processed and, if so, having access to the Personal Data plus additional ancillary information. This includes information such as the purposes of the Processing, the categories of Personal Data concerned, the recipients or categories of recipient to whom the Personal Data have been or will be disclosed and retention periods;
- The right to rectify or erase Personal Data (right to be forgotten);
- The right to restrict Processing;
- The right of data portability, i.e. the right to receive Personal Data concerning the Data Subject in a structured, commonly used and machine-readable format and the right to have those data transmitted to another Data Controller. This right only applies to Personal Data which the Data Subject has provided to the SBCI (and not to data which is received from third parties).
- The right of objection;
- The right to object to automated decision making, including profiling; and
- The right to withdraw consent (in the limited cases where we rely on your consent to process your personal data), without affecting the lawfulness of processing based on consent before its withdrawal.
10.2 Some rights will not apply in some cases, and exemptions may apply to the exercise of your rights. For example, Articles 17 and 20 of the GDPR state that the right to be forgotten and the right of data portability do not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
10.3 Any Data Subject wishing to exercise their Data Subject Rights should write to the SBCI Data Protection Officer, Treasury Dock, 1 North Wall Quay, Dublin 1, D01 A9T8 or email firstname.lastname@example.org. Your request will be dealt with in accordance with the SBCI’s Data Subject Rights Requests Procedure.
10.4 Should you wish to exercise your right to verify, correct, delete or otherwise modify Personal Data relating to that held by our Funders or their agents, please address your request to the following:
- EIF: Attention of EIF Data Protection Officer, European Investment Fund, 37B avenue J.F. Kennedy, L-2968 Luxembourg, Grand Duchy of Luxembourg.
- EIB: Attention of EIB Data Protection Officer, European Investment Bank, 88-100, boulevard Konrad Adenauer, L-2950, Luxembourg, Grand Duchy of Luxembourg.
- European Commission: Attention of Data Protection Officer, European Data Protection Supervisor, Rue Wiertz 60, B 1047 Brussels, Belgium. By email: email@example.com.
- European Court of Auditors: Attention of Data Protection Officer, European Court of Auditors, 1615 Luxembourg, Luxembourg. By email: firstname.lastname@example.org.
- European Anti-Fraud Office: Attention of OLAF Data Protection Officer, European Commission - European Anti-Fraud Office, 1049 Brussels, Belgium. By email: OLAF-FMB-DPO@ec.europa.eu.
- KfW: Attention of Data Protection Officer, European Data Protection Supervisor, Rue Wiertz 60, B 1047 Brussels, Belgium.
- CEB: Attention of Chief Compliance Officer, Council of Europe Development Bank, 55 Avenue Kléber, 75116, Paris France. By email: email@example.com.
- DAFM: Attention of Data Protection Officer, Department of Agriculture, Food and the Marine, Grattan Business Park, Dublin Road, Portlaoise, Co Laois R32 K857. By email: firstname.lastname@example.org.
- DETE: Attention of Data Protection Officer, Department of Business, Enterprise and Innovation, 23 Kildare Street, Dublin 2, D02 TD30.
- ISIF: Attention of Data Protection Officer, Treasury Dock, North Wall Quay, Dublin 1, D01 A9T8. By email: email@example.com.
- NTMA: Attention of Data Protection Officer, Treasury Dock, North Wall Quay, Dublin 1, D01 A9T8. By email: firstname.lastname@example.org.
11. Data Security and Personal Data Breach
11.1 The NTMA as Data Processor for the SBCI, provides various supports to the SBCI and has a suite of Information Security Policies and Procedures which are designed to ensure that appropriate technical and organisational measures are in place to protect information. They are overseen by an IT Security Committee and apply to all SBCI staff. These measures protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. The SBCI has also implemented complementary policies and procedures in this regard.
Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.
11.2 Articles 33 and 34 of the GDPR oblige Data Controllers to notify the Data Protection Commission and affected Data Subjects in the case of certain types of personal data breaches. The SBCI has implemented a Personal Data Breach Procedure and we will manage a Data Breach in accordance with this procedure.
12. Data Retention
12.1 We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data is Processed and in accordance with our Records Management Policy.
12.2 The SBCI is required to keep records for prescribed periods of time, ranging up to 10 years (and in certain cases, permanently). Generally, how long we keep your Personal Data for depends on the data retention requirements of the parties who provide us with financial support (our Funders).
Further examples are set out below:
(1) in connection with our marketing database, whether you choose to opt out, in which circumstances your Personal Data shall be promptly deleted from our marketing database unless you specifically request its retention;
(2) in connection with our advisor database, a period of up to 5 years from 14 October 2019, unless you withdraw your consent before then;
(3) in connection with issuing shared marketing statements detailing information on both SBCI and our Marketing Partners, a period of up to 7 years after the end of the relevant SBCI scheme or product for which you applied, unless you withdraw your consent before then;
(4) Personal data in relation to unsuccessful candidates and unsuccessful tenders are anonymised or deleted after 12 months;
(5) Final audit reports are retained permanently;
(6) Board and Committee minutes are retained permanently;
(7) In line with Government guidance and best practice, records relating to FOI requests, AIE requests and general queries are kept for 7 years after the complaint is closed (with records relating to general queries being anonymised thereafter), while responses to parliamentary queries are kept permanently;
(8) Records of calls are kept for up to 2 years for record-keeping and complaint management purposes; and
(9) loan-related personal data, which is currently up to ten years after your agreement with the on-lender, through which funding was provided to you, ends.
We may need to keep personal data beyond the periods specified in our Records Management Policy to comply with legal and regulatory requirements or where there is an outstanding claim or dispute, which requires the further retention of personal data in connection with that claim.
12.3 Further details of the retention period for Personal Data are set out in our Records Management Policy. If you would like further information about our data retention practices, you may ask for this at any time by contacting the SBCI’s Data Protection Officer (contact details below).
13. Data Transfers outside the EEA
13.1 We will not in the normal course transfer your Personal Data outside the European Economic Area (EEA) save in exceptional circumstances and in all such cases, the transfer will occur in accordance with applicable Data Protection Law. We take reasonable steps to ensure that the Personal Data is treated securely (typically through the use of EU-approved Standard Contractual Clauses and related Transfer Impact Assessments; you can find out what these are here: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm) and in accordance with this Data Protection Statement, when transferred outside of the EEA. You may request a copy of the EU Standard Contractual Clauses by contacting the SBCI’s Data Protection Officer (contact details below).
14. Further Information/Complaints Procedure
14.1 You can ask a question or make a complaint about this Statement and/or the Processing of your Personal Data by contacting the SBCI Data Protection Officer at email@example.com. While you may make a complaint in respect of our compliance with Data Protection Law to the Data Protection Commission (https://www.dataprotection.ie/), we request that you contact the SBCI Data Protection Officer in the first instance to give us the opportunity to address any concerns that you may have.
Date: Updated 15 September 2023
Purposes of Processing
The following are non-exhaustive examples of the types of Processing undertaken by the SBCI along with a description of the underlying statutory basis:
GDPR Lawful Basis: Art 6(1)(b) and Art 6(1)(e)
- Processing that is necessary for performance of a contract or in relation to preparatory steps prior to entering into a contract
- Processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Associated Data Processing Activities:
- Your Personal Data (including name, contact details, postal address, Eircode, email address, telephone number(s) and registration number) will be Processed to determine if your business is eligible for a SBCI supported scheme and/or product. Providing Personal Data to the SBCI for this purpose is a contractual requirement. The SBCI may also use your contact details to contact you in relation to your application for eligibility pre-clearance and for connected purposes.
- Your Personal Data (including name, contact details, postal address, Eircode, email address and telephone number(s)) will be Processed through the SBCI Customer Hub on the SBCI website, to determine if your business is eligible for a SBCI supported scheme and/or product. The provision of Personal Data to the SBCI for this purpose is in order to take steps at your request prior to the potential entry into a contract.
- In performing its statutory functions under the SBCI Act, the SBCI maintains an applicant database which is used to send communications to applicants for the purposes of: (i) direct marketing of SBCI schemes and/or products (which said schemes and/or products shall be similar to SBCI schemes and/or products which applicants have previously applied for); and (ii) to conduct market analysis and surveys related to applications for SBCI schemes and/or products. An appropriate marketing consent will also be obtained under the e-Privacy Regulations where Personal Data is used for such marketing purposes.
GDPR Lawful Basis: Art 6(1)(c) and Art 9(2)(f)
- Processing that is necessary to comply with a legal obligation (other than a contractual obligation)
- Processing that is necessary for the establishment, exercise or defence of legal claims
Associated Data Processing Activities:
- We may be required to Process your Personal Data in order to comply with a legal obligation such as (a) to process your request for information or when you exercise your rights against us under Data Protection Law; (b) for compliance with legal and regulatory requirements, including certain requirements to retain records; (c) for establishment and defence of legal rights; (d) for activities relating to the prevention, detection and investigation of crime; (e) to verify identity/ies including under anti-money laundering legislation; (f) to submit information and reports to Government Departments and/or EU institutions.
GDPR Lawful Basis: Processing that is based on your freely given, specific, informed and unambiguous consent
Associated Data Processing Activities:
- In certain circumstances we may rely on your consent to Process Personal Data such as where consent is provided to (i) participate in certain promotional activities in connection with our activities and/or the activities of our Marketing Partners, (ii) participate in surveys relating to the SME market and (iii) in relation to publication of your Personal Data. You are entitled to withdraw your consent at any time using the contact details above.
GDPR Lawful Basis: Processing that is necessary for the purposes of the legitimate interests pursued by the controller
Associated Data Processing Activities:
- Maintaining Records / Correspondence such as business contact information in relation to customers, business partners and other business contacts which is collected for the purposes of corresponding with them and for the purposes of records management.
- Internal audits of the SBCI may necessitate the Processing of customer Personal Data.
- Maintaining social media accounts to raise awareness of the SBCI schemes and to explain how they work.
- Other parties, such as our Funders and on-lenders, may rely on their legitimate interests as a lawful basis for Processing Personal Data, in order to Process your Personal Data for: (a) fraud prevention and security purposes; (b) management and audit of our business operations; (c) market research and analysis including developing statistics; (d) administering your account and to provide customer service and support functions including by website and/or telephone; and (e) for direct marketing (subject always to your consent, where that is required).
In this Data Protection Statement, the terms below have the following meaning:
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller (for example, a payroll service provider).
“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Acts 1988 to 2018 and any other laws which apply to the SBCI in relation to the Processing of Personal Data.
“Data Subject Rights” has the meaning given to that expression in paragraph 9 of this Statement.
“e-Privacy Regulations” means S.I. No. 336/2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011.
“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, and Norway.
“Joint Controller” means the entities which jointly determine the purposes and means of the Processing of Personal Data.
“Marketing Partners” means certain statutory agencies, including but not limited to EI, DETE, DAFM and Microfinance Ireland. An up-to-date list is available at: https://sbci.gov.ie/our-marketing-partners
“Personal Data” is any information relating to a living individual (“Data Subject”) which allows the identification of that individual. Personal Data can include:
- a name, an identification number;
- details about an individual’s address or contact details;
- data related to the delivery of a service by the SBCI;
- any other information that is specific to that individual.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process”, and “Processed” are interpreted accordingly.
“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data for the purposes of uniquely identifying an individual (for example, fingerprints), health data and data concerning sex life or sexual orientation. Personal Data relating to criminal convictions or offences are also considered sensitive and specific restrictions apply to the processing of such data.
 Where information is shared with another public body and no other lawful basis exists, a data sharing agreement will be put in place.