1. Executive Summary
1.1 The Strategic Banking Corporation of Ireland (referred to in this Data Protection Statement as “SBCI”, “us” or “we”) is committed to complying with our obligations in respect of the Processing of Personal Data under Data Protection Laws. The purpose of this Data Protection Statement (“Statement”) is to ensure that we meet our transparency obligations pursuant to the General Data Protection Regulation EU 2016/679 (“GDPR”) and the Data Protection Acts 1988-2018 (“DPA”), together “Data Protection Law”. The Statement sets out information about our duties and responsibilities regarding the protection of Personal Data.
1.2 This Statement has been adopted by SBCI with effect from 25 May 2018, which was the commencement date for the GDPR, was last updated on 14 October 2019, and will be reviewed from time to time. Some minor revisions were applied in November 2020, and in January 2021 it was amended to reflect the exit of the United Kingdom from the European Union. We will always post the most up to date version of this Statement on the SBCI website.
1.3 A glossary of some of the data protection and other terms used throughout this Statement is set out in Annex 2.
2. About the SBCI
2.1 The objectives of the SBCI are, inter alia, to encourage the giving of credit in a prudent manner to enterprises and other persons in the State, in particular small and medium sized enterprises (“SMEs”), and facilitate the availability of credit in the State to benefit the economy and the economic well-being of the State.
The SBCI operates in the wholesale market, delivering funding to SMEs and other persons through a range of on-lenders including banks and non-bank finance providers. We avail of national and international sources of funding at competitive rates and procure the benefit of counter-guarantees for risk support. We receive financial support and funding from the European Investment Bank (“EIB”), the European Investment Fund (“EIF”), Kreditanstalt für Wiederaufbau (“KfW”), Council of Europe Development Bank (“CEB”), the Ireland Strategic Investment Fund (“ISIF”), the National Treasury Management Agency (“NTMA”), and certain Government Departments (collectively the “Funders”). Central to the activities of the SBCI is ensuring that the benefit of its support is delivered to the ultimate borrower.
2.2 The SBCI has developed three lines of business, details of which are set out below:
(a) Lending: The SBCI serves as a wholesale on-lending financial institution with the aim of providing low cost, long-term wholesale finance to borrowers through suitable on-lenders with the benefit of the lower cost being passed through to the borrowers.
(b) Risk-Sharing: The SBCI’s risk-sharing business provides partial credit guarantees to finance providers (our on-lenders) to facilitate the provision of credit to borrowers. The SBCI avails of and leverages risk capacity (counter-guarantees) from State and European supports to design financial products with the aim of making efficient use of its capital and enhancing access to finance for borrowers.
(c) Service Provision: This line of business is supplementary to the SBCI’s two primary lines of business, Lending and Risk-Sharing. The SBCI is the operator of the schemes created under the Credit Guarantee Acts 2012, 2016 and 2020 (“Credit Guarantee Schemes” or “CGS”) on behalf of the Minister for Enterprise, Trade and Employment.
3. Purpose of this Statement
3.1 The purpose of this Statement is to explain what Personal Data we Process and how and why we Process it. In addition, this Statement outlines our duties and responsibilities regarding the protection of such Personal Data and the rights of Data Subjects in that respect.
3.2 This Statement is not an exhaustive statement of our data protection practices. The manner in which we Process data will evolve over time and we will update this Statement from time to time to reflect changing practices. In addition, we operate a number of internal workplace policies and procedures which interrelate with this Statement. For example, the SBCI has internal policies and procedures governing Personal Data Breaches, Data Subjects’ Rights and Data Retention.
3.3 In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Data Protection Statement by reference into various points of data capture used by us such as application forms and/or surveys.
4. The SBCI as a Data Controller
4.1 The SBCI is a statutory body established by the Strategic Banking Corporation of Ireland Act 2014 (“SBCI Act”). The Processing undertaken by the SBCI is undertaken in fulfilment of its statutory functions.
4.2 For the most part, the Personal Data Processed by the SBCI comprises personal information and financial information relating to a borrower’s business, which it has provided to its lenders (our on-lenders). The bank and non-bank on-lenders, through which we provide funding to borrowers, collect your Personal Data and Process it. We act as Data Controller in relation to that Personal Data.
4.3 In some instances, we may collect such Personal Data directly from you and we may also obtain it indirectly from other sources, including from on-lenders who are participating in the relevant scheme. The SBCI will act as a Data Controller in relation to the Personal Data you provide directly to us.
4.4 When acting as a Data Controller, the SBCI relies on a number of alternative legal bases permitted by Data Protection Law including (i) Processing which is necessary for performance of a contract, (ii) Processing necessary to comply with a legal obligation (other than a contract), (iii) Processing based on consent and (iv) Processing which is necessary in the exercise of its statutory functions. While the SBCI may not rely on its own legitimate interests as a lawful basis for Processing Personal Data, other parties, such as the on-lenders through which we provide funding to borrowers, may Process your Personal Data for their legitimate interests. Examples of how we use your Personal Data and the legal bases related to these uses are set out in Annex 1.
5. The SBCI as a Data Processor
5.1 In some cases, the SBCI acts as a Data Processor, under the instructions of a Data Controller, for example, when the SBCI acts as operator of the Credit Guarantee Schemes.
5.2 When acting as a Data Processor, the SBCI complies with the relevant obligations under Data Protection Law. These include ensuring that the Personal Data that is Processed by the SBCI on behalf of the relevant Data Controllers is subject to appropriate technical and organisational measures to ensure a level of security appropriate to the risk and ensuring that the Processing is underpinned by a contract which includes the data protection provisions prescribed in Data Protection Law.
6. Purposes of Processing
6.1 The primary purpose for which we use your Personal Data is to assess your eligibility for SBCI supported schemes and products. This means that the on-lenders (through which we provide funding to borrowers), and in some instances, the SBCI, will check whether you meet: (i) State Aid criteria, or (ii) the criteria demanded by our Funders.
6.2 Where Personal Data is submitted to the SBCI, your Personal Data and other information may be Processed automatically. However, any final decision about your eligibility for SBCI supported schemes and products involves human decision-making.
6.3 We may also Process Personal Data to perform anti-money laundering customer due diligence checks on the on-lenders through which we provide funding to borrowers.
6.4 We will Process Personal Data in connection with our applicant database which is used to send communications to those persons who have applied for a SBCI supported scheme or product for the purposes of: (i) direct marketing of SBCI supported schemes and products; and (ii) to conduct market analysis and surveys.
6.5 We will Process Personal Data in connection with our advisor database which is used to send communications to those persons who have consented to receive surveys relating to the SME market for the purposes of: (i) conducting surveys relating to the SME market and (ii) forwarding the results of such surveys to relevant participants, if requested to do so.
6.6 We will Process Personal Data for the purpose of issuing shared marketing statements containing (i) information on SBCI supported schemes and products and (ii) information on financial services and supports provided by our Marketing Partners.
7. Special Categories of Personal Data
7.1 The SBCI processes Special Categories of Personal Data in limited circumstances. We do not usually seek this information from borrowers nor do we obtain it from third party sources. However, on an exceptions basis, we may Process this type of Personal Data where it is provided to us or our on-lenders on a voluntary basis by borrowers. For example, a borrower may advise us that they are unable to make repayments because of a health condition.
7.2 The SBCI may Process data relating to criminal convictions and offence details on an exceptions basis, for instance if fraud prevention checks reveal a fraud in relation to a borrower application.
8. Disclosing Personal Data
8.1 From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process, for example, where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data.
8.2 We may also share Personal Data: (a) with another statutory body where there is a lawful basis to do so; (b) with selected third parties including contractors and sub-contractors (as appropriate); (c) if we are under a legal obligation to disclose Personal Data. This includes exchanging information with other organisations for the purposes of fraud prevention or investigation.
8.3 Where we enter into agreements with third parties to Process Personal Data on our behalf we will ensure that the appropriate contractual protections are in place to safeguard such Personal Data.
8.4 Examples of third parties to whom Personal Data have been or will be disclosed include:
- a) On-lenders through which we provide funding support to borrowers, including for the purpose of confirming your eligibility;
- b) Government Departments including the Department of Enterprise, Trade and Employment (“DETE”) and the Department of Agriculture, Food and the Marine (“DAFM”), both of which are partners in SBCI schemes, including for reporting purposes and in response to parliamentary questions;
- c) Our Funders and their agents including for the purpose of confirming your eligibility. Their agents include the European Court of Auditors, the European Commission (the “Commission”) and its agents including the European Anti-Fraud Office and other European Union institutions or bodies which are authorised by applicable law to carry out audit and control activities. Such Personal Data may be held for a period of up to 10 years after the termination of the relevant agreements between the SBCI and its Funders.
- d) Our professional advisors and our auditors;
- e) Regulatory authorities, government agencies if required to do so by law or where we are required to do so in response to requests from all such bodies; and
- f) Our service providers (including the NTMA) who act as Data Processors on our behalf.
9. Individual Data Subject Rights
9.1 Data Protection Laws provide certain rights in favour of Data Subjects. The rights in question (“Data Subject Rights”) are as follows:
- (a) The right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Data Controller);
- (b) The right of access to Personal Data including knowledge of whether or not the Data Subject’s Personal Data are being processed and, if so, having access to the Personal Data plus additional ancillary information. This includes information such as the purposes of the Processing, the categories of Personal Data concerned, the recipients or categories of recipient to whom the Personal Data have been or will be disclosed and retention periods;
- (c) The right to rectify or erase Personal Data (right to be forgotten);
- (d) The right to restrict Processing;
- (e) The right of data portability, i.e. the right to receive Personal Data concerning the Data Subject in a structured, commonly used and machine-readable format and the right to have those data transmitted to another Data Controller. This right only applies to Personal Data which the Data Subject has provided to the SBCI (and not to data which is received from third parties).
- (f) The right of objection; and
- (g) The right to object to automated decision making, including profiling.
9.2 Any Data Subject wishing to exercise their Data Subject Rights should write to the SBCI Data Protection Officer, Treasury Dock, 1 North Wall Quay, Dublin 1, D01 A9T8 or email firstname.lastname@example.org. Your request will be dealt with in accordance with the SBCI’s Data Subject Rights Requests Procedure.
9.3 Should you wish to exercise your right to verify, correct, delete or otherwise modify Personal Data relating to that held by our Funders or their agents, please address your request to the following:
- EIF: Attention of EIF Data Protection Officer, European Investment Fund, 37B avenue J.F. Kennedy, L-2968 Luxembourg, Grand Duchy of Luxembourg.
- EIB: Attention of EIB Data Protection Officer, European Investment Bank, 88-100, boulevard Konrad Adenauer, L-2950, Luxembourg, Grand Duchy of Luxembourg.
- European Commission: Attention of Data Protection Officer, European Data Protection Supervisor, Rue Wiertz 60, B 1047 Brussels, Belgium. By email: email@example.com.
- European Court of Auditors: Attention of Data Protection Officer, European Court of Auditors, 1615 Luxembourg, Luxembourg. By email: firstname.lastname@example.org.
- European Anti-Fraud Office: Attention of OLAF Data Protection Officer, European Commission - European Anti-Fraud Office, 1049 Brussels, Belgium. By email: OLAF-FMB-DPO@ec.europa.eu.
- KfW: Attention of Data Protection Officer, European Data Protection Supervisor, Rue Wiertz 60, B 1047 Brussels, Belgium.
- CEB: Attention of Chief Compliance Officer, Council of Europe Development Bank, 55 Avenue Kléber, 75116, Paris France. By email: email@example.com.
- DAFM: Attention of Data Protection Officer, Department of Agriculture, Food and the Marine, Grattan Business Park, Dublin Road, Portlaoise, Co Laois R32 K857. By email: firstname.lastname@example.org.
- DETE: Attention of Data Protection Officer, Department of Enterprise, Trade and Employment, 23 Kildare Street, Dublin 2, D02 TD30.
- ISIF: Attention of Data Protection Officer, Treasury Dock, North Wall Quay, Dublin 1, D01 A9T8. By email: email@example.com.
- NTMA: Attention of Data Protection Officer, Treasury Dock, North Wall Quay, Dublin 1, D01 A9T8. By email: firstname.lastname@example.org.
10. Data Security and Personal Data Breach
10.1 The SBCI has implemented policies and procedures, which are designed to ensure that appropriate technical and organisational measures are in place to protect information. These measures protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.
10.2 Articles 33 and 34 of the GDPR oblige Data Controllers to notify the Data Protection Commission and affected Data Subjects in the case of certain types of personal data breaches. The SBCI has implemented a Personal Data Breach Procedure and we will manage a Data Breach in accordance with this procedure.
11. Data Retention
11.1 We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data is Processed. Generally, how long we keep your Personal Data for depends on: (1) the data retention requirements of the parties who provide us with financial support (our Funders); (2) in connection with our marketing database, whether you choose to opt out, in which circumstances your Personal Data shall be promptly deleted from our marketing database unless you specifically request its retention; (3) in connection with our advisor database, a period of up to 5 years from 14 October 2019, unless you withdraw your consent before then; (4) in connection with issuing shared marketing statements detailing information on both SBCI and our Marketing Partners, a period of up to 7 years after the end of the relevant SBCI scheme or product for which you applied, unless you withdraw your consent before then; and (5) our own data retention policy, which currently means up to ten years after your agreement with the on-lender, through which funding was provided to you, ends. We will keep certain Personal Data after that date to comply with legal and regulatory requirements.
11.2 Further details of the retention period for Personal Data are set out in our Records Management Policy. If you would like further information about our data retention practices, you may ask for this at any time by contacting the SBCI’s Data Protection Officer (contact details below).
12. Data Transfers outside the EEA
12.1 We will not in the normal course transfer your Personal Data outside the European Economic Area (EEA) save in exceptional circumstances and in all such cases, the transfer will occur in accordance with applicable Data Protection Law. We take reasonable steps to ensure that the Personal Data is treated securely (typically through the use of EU-approved Model Contract Clauses; you can find out what these are here: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm) and in accordance with this Data Protection Statement when transferred outside of the EEA. You may request a copy of the EU Model Clauses by contacting the SBCI’s Data Protection Officer (contact details below).
13. Further Information/Complaints Procedure
13.1 You can ask a question or make a complaint about this Statement and/or the Processing of your Personal Data by contacting the SBCI Data Protection Officer at email@example.com. While you may make a complaint in respect of our compliance with Data Protection Law to the Data Protection Commission (https://www.dataprotection.ie/), we request that you contact the SBCI Data Protection Officer in the first instance to give us the opportunity to address any concerns that you may have.
Date: Updated 12 January 2021
Purposes of Processing
The following are non-exhaustive examples of the types of Processing undertaken by the SBCI along with a description of the underlying statutory basis:
GDPR Lawful Basis
Associated Data Processing Activities
Processing that is necessary for performance of a contract or in relation to preparatory steps prior to entering into a contract:
Your Personal Data (including name, contact details, postal address, Eircode, email address, telephone number(s) and registration number) will be Processed to determine if your business is eligible for a SBCI supported scheme and/or product. Providing Personal Data to the SBCI for this purpose is a contractual requirement. The SBCI may also use your contact details to contact you in relation to your application for eligibility pre-clearance and for connected purposes.
Processing that is necessary to comply with a legal obligation (other than a contractual obligation)
We may be required to Process your Personal Data in order to comply with a legal obligation such as (a) to process your request for information or when you exercise your rights against us under Data Protection Law; (b) for compliance with legal and regulatory requirements, including certain requirements to retain records; (c) for establishment and defence of legal rights; (d) for activities relating to the prevention, detection and investigation of crime; (e) to verify identity/ies including under anti-money laundering legislation; (f) to submit information to, and reports to Government Departments and/or EU institutions.
Processing that is based on your freely given, specific, informed and unambiguous consent
In certain circumstances we may rely on your consent to Process Personal Data such as where consent is provided to (i) participate in certain promotional activities in connection with our activities and/or the activities of our Marketing Partners, (ii) participate in surveys relating to the SME market and (iii) in relation to publication of your Personal Data. You are entitled to withdraw your consent at any time using the contact details above.
Processing that is based on the SBCI’s statutory functions
In performing its statutory functions under the SBCI Act, the SBCI maintains an applicant database which is used to send communications to applicants for the purposes of: (i) direct marketing of SBCI schemes and/or products (which said schemes and/or products shall be similar to SBCI schemes and/or products which applicants have previously applied for); and (ii) to conduct market analysis and surveys related to applications for SBCI schemes and/or products. An appropriate marketing consent will also be obtained under the e-Privacy Regulations where Personal Data is used for such marketing purposes.
Processing that is necessary for legitimate interests
While the SBCI will not rely on its own legitimate interests as a lawful basis for Processing Personal Data, other parties, such as our Funders and on-lenders, may process your Personal Data for: (a) fraud prevention and security purposes; (b) management and audit of our business operations; (c) market research and analysis including developing statistics; (d) administering your account and to provide customer service and support functions including by website and/or telephone; and (e) for direct marketing (subject always to your consent, where that is required).
In this Data Protection Statement, the terms below have the following meaning:
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller (for example, a payroll service provider).
“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Acts 1988 to 2018 and any other laws which apply to the SBCI in relation to the Processing of Personal Data.
“Data Subject Rights” has the meaning given to that expression in paragraph 9 of this Statement.
“e-Privacy Regulations” means S.I. No. 336/2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011.
“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, and Norway.
“Marketing Partners” means certain statutory agencies, including but not limited to EI, DETE, DAFM and Microfinance Ireland. An up-to-date list is available at: https://sbci.gov.ie/our-marketing-partners
“Personal Data” is any information relating to a living individual (“Data Subject”) which allows the identification of that individual. Personal Data can include:
• a name, an identification number;
• details about an individual’s address or contact details;
• data related to the delivery of a service by the SBCI;
• any other information that is specific to that individual.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process”, and “Processing” are interpreted accordingly.
“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.