Data Protection at AIB
Your information, our duty and your rights
We respect your information. On this page you will find out how we do that and what your rights are. We think it’s important that you read this page. It will tell you everything you need to know.
Overview of Data Protection
Frequently Asked Questions
-
What is GDPR?
GDPR is the General Data Protection Regulation. It comes into effect from 25 May 2018. It sets out a series of new EU laws concerning how data is processed and used. The objective of the regulation is to strengthen and standardise data protection laws for all EU citizens. These regulations will apply to any organisation that controls and/or processes data on behalf of an individual or group of individuals. Those responsible for adhering to these regulations include employees of the organisation, including contractors, consultants, agents and third parties who have access to data either directly or indirectly.
-
What does this mean for AIB Group?
We have always appreciated your trust in us to collect, process and protect your information. As a data controller and processor of your personal data, we will continue to:
- develop on our strong risk culture by acting responsibly and putting your security at the front of our priorities;
- manage our controls, processes and systems to improve our level of customer service while providing you with the assurance that your information is safe and secure; and
- conduct our business in a fair and transparent way and ensure we minimise the risk of unfair outcomes for our customers or impact on their data rights and freedoms.
Our Data Protection Notice and website explain how we collect personal information about you, how we use it and how you can interact with us about it.
-
Who we are?
When we talk about “AIB”, or “us” or “we” on our Data Protection Notice and this website, we are talking about Allied Irish Banks, p.l.c. and its subsidiaries, affiliates and their respective parent and subsidiary companies (including AIB, EBS, Haven and Goodbody).
We share your information within AIB Group to help us provide our services, comply with regulatory and legal requirements, and improve our products.
-
Data Protection Officer
Our Data Protection Officer oversees how we collect, use, share and protect your information to ensure your rights are fulfilled. You can contact our Data Protection Officer at DPO@aib.ie or by writing to them at Data Protection Officer, 2 Burlington Road, Dublin 4, D04 WV00.
-
How we collect information about you
We collect personal information from you, for example when you:
- open an account;
- make a deposit;
- apply for products and services;
- use your credit or debit card;
- complete transactions; or
- look for advice.
We also collect information through our website, apps, social media, discussion forums, market research and our CCTV footage.
We may source information about your assets or loans from reliable third party sources. For example, when you apply for a loan against a property, we will collect the energy rating information about the property from an online register (e.g. SEAI).
If you are a sole trader, or in a business partnership, we may also collect information about your company from your website(s). An example of this could be where we collect Environmental, Social and Governance information from your company’s published sustainability report.
How does AIB use social media information?
Our use of social media information is designed to deliver a better service for our customers.
At no point is your personal information used to track or follow you on social media.
We do not use personal information available on social media to make individual credit decisions.
Social media information is collected and used in three ways.
- Customer Service: As our customers’ adoption of social media channels continues to grow we aim to service customers where they choose to engage with us. You can choose to talk to us about customer service on Facebook, Twitter, LinkedIn, Instagram, etc. We sometimes ask you for your telephone number to help resolve your issues or log a complaint. We keep our online conversations with you to ensure that we can better service you in the future by understanding your previous needs. We do not use information collected from social media channels to identify you as our customer.
- Content Advertising: AIB uses the advertising platforms offered by various social networks to understand and reach out to broad groups of customers and potential customers with content advertising. No personal information is shared with or received from social networks as part of this process.
- Social Listening: Social listening involves using specific search tools on the internet to identify what people are saying about our industry and brand. This information is used to help us to better understand how we can improve our products and services. If your social media profile is private, your content cannot be searched. We do not use information collected from social media channels to identify you as our customer.
Further information on how we collect information online is detailed in our Privacy Statement and our Social Media Policy Statement.
We will sometimes record phone conversations and we will always let you know when we do this.
Depending on your product or service, we may collect information to identify you through voice, facial or fingerprint (biometric data) recognition technology. We always ask for your explicit consent to do this.
Our websites use ‘cookie’ technology. A cookie is a little piece of text that our server places on your device when you visit any of our websites or apps. They help us make the sites work better for you. Further information is available on our Cookie Policy.
When you apply to us for products and services, and during the time you use these, we carry out information searches and verify your identity. We do this by sending and receiving information about you to and from third parties including credit bodies, such as the Central Credit Register. We and these bodies may keep records of our searches whether or not the product or service goes ahead.
-
What information do we collect about you?
We use information about you to:
- provide relevant products and services;
- identify ways we can improve our products and services;
- maintain and monitor your products and services;
- protect your interests; and
- decide and recommend how our products and services might be suitable for you.
To provide our products and services under the terms and conditions we agree between us, we need to collect and use personal information about you. If you do not provide this personal information, we may not be able to provide you with our products and services.
We analyse the information that we collect on you through your use of our products and services and on our social media, apps and websites. This helps us understand your financial behaviour, how we interact with you and our position in a market place.
Examples of how we use this information include helping protect you from financial crime, offering you products and services, personalising your experience and meeting our regulatory requirements. See Your information and third parties for further information on how we analyse your information.
We may report trends we see to third parties. These trend reports may include information about activity on devices, for example mobile phones, ATMs and self-service kiosks, or card spend in particular regions or industries. When we prepare these reports, we group customers’ information and remove any names. We do not share information in these reports that can identify you as a customer, such as your name, or account details.
We sometimes use technology to help us make decisions automatically. For example, when you apply for a loan online. Before we make a decision, we automatically score the information you give us, any information we already hold about you, and any information we may get from other sources. See Automated Decision Making section for further information.
All of our processing must be supported by a lawful basis, as discussed in our Meeting our legal and regulatory obligations section.
-
How do we share your information within AIB Group?
We share your information within AIB Group to help us provide our services, comply with regulatory and legal requirements, and improve our products.
For example, the European Banking Authority’s guidelines on Loan Origination and Monitoring require us to have a single, consistent view of our borrowers’ assets and liabilities throughout the AIB Group. When assessing and monitoring loans, we will access a Single Customer View of accounts our customers may have across the AIB Group, including AIB (ROI and UK), EBS and Haven. The account information that’s available will help us to more efficiently assess applications for new credit facilities, for example new loans or credit cards, as well as support our ongoing review of credit arrangements.
The Group entity you are engaging with remains the controller of your information and will facilitate you exercising any of your data protection rights. The Group entities together act as joint controllers for the Single Customer View.
-
Special categories of data
Under GDPR, there are special categories that require additional safeguards for processing. In some instances, we will require this information for processing or it may be volunteered by you. These data types and the reason we collect them are:
| Special categories of data | Is this information required? |
| --- | --- |
| Biometric data – Fingerprints, Facial and voice recognition | Yes - We may collect information to identify you through voice, facial or fingerprint recognition technology. We will always ask for your consent to do this. |
| Health data | Yes - We may collect health data from you when providing our products and services or to support you in times of financial difficulty or bereavement. |
| Racial or ethnic origin | No - We do not ask you to provide details of racial or ethnic origin to provide our products and services. |
| Political opinions | No - We do not ask you to provide political opinions to provide our products and services. |
| Religious or philosophical beliefs | No - We do not ask you to provide religious or philosophical beliefs to provide our products and services. |
| Trade union membership | No - We do not ask you to provide trade union membership to provide our products and services. |
| Genetic data | No - We do not ask you to provide genetic data to provide our products and services. |
| Sexual orientation | No - We do not ask you to provide sexual orientation to provide our products and services. |
-
How we use your information
We use information about you to:
- provide relevant products and services;
- identify ways we can improve our products and services;
- maintain and monitor your products and services;
- protect your interests; and
- decide and recommend how our products and services might be suitable for you.
To provide our products and services under the terms and conditions we agree between us, we need to collect and use personal information about you. If you do not provide this personal information, we may not be able to provide you with our products and services.
We analyse the information that we collect on you through your use of our products and services and on our social media, apps and websites. This helps us understand your financial behaviour, how we interact with you and our position in a market place. We also use statistical modelling techniques to predict, for example, whether or not a product is relevant to your needs. Other examples of how we use this information include helping protect you from financial crime, offering you products and services and personalising your experience. See Your information and third parties for further information on how we analyse your information.
We may report trends we see to third parties. These trend reports may include information about activity on devices, for example mobile phones, ATMs and self-service kiosks, or card spend in particular regions or industries. When we prepare these reports, we group customers’ information and remove any names. We do not share information in these reports that can identify you as a customer, such as your name, or account details.
We sometimes use technology to help us make decisions automatically. For example, when you apply for a loan online. Before we make a decision, we automatically score the information you give us, any information we already hold about you, and any information we may get from other sources. See Automated Decision Making section for further information.
All of our processing must be supported by a lawful basis, as discussed in our Meeting our legal and regulatory obligations section.
-
Lawful basis for processing
Our legitimate interests – Legitimate interest means the interests of AIB Group in conducting and managing our business when providing products and services. The core legitimate interests of AIB Group are to provide the best customer service, introduce innovative products and services, and to protect our customers, employees and shareholders.
We will always assess whether the legitimate interest of AIB Group will adversely impact the rights and freedoms of the data subject prior to processing. We implement safeguards to ensure that the processing remains fair and balanced.
Our risk assessments help us understand what information we need, our business requirements, the impact on our customers and employees, alternative options for processing and how long we hold the information for.
Manage and understand risk
As a regulated financial institution, we must manage and understand our risk exposure to ensure our customers are protected and maintain a stable financial infrastructure.
We produce internal management information and models to understand risk across the bank, ensure necessary safeguards are in place and assess the design and effectiveness of these safeguards. We report this regularly to regulatory agencies.
Perform Credit, Anti-Money Laundering and Know Your Customer checks
To ensure responsible lending and offer you loans and mortgage products, we must perform a check to authenticate you and assess suitability for lending.
We may share information with credit reference agencies, fraud prevention agencies and centralised registers for these checks.
Manage our relationship with you
We keep our records up to date to contact you when required and provide the best customer service.
Analyse information and research your experiences dealing with us
We want to continually improve and better understand our customers. By collecting and analysing data from multiple sources, we can better understand the requirements of our customers and how we can improve products and service offerings.
This analysis also helps us run our business more efficiently and effectively.
We may report trends we see to third parties. These trend reports may include information about activity on devices, for example mobile phones, ATMs and self-service kiosks, or card spend in particular regions or industries. When we prepare these reports, we group customers’ information and remove any names. We do not share information in these reports that can identify you as a customer, such as your name, or account details.
Identify ways we can improve our products and services
We are always working to develop new products and innovative ways of bringing these to you.
We analyse the market and our customer base to better understand what people like and what people want from their bank. We do this by collecting data on your purchases, transactions, interactions with our website, apps, ATMs, self-service kiosks, and using customer surveys. We use this information to provide a more personalised service to our customers and improve their experience using our products.
Sharing your information with companies with whom we have a joint venture or working agreement
We may share your information with companies who we have a joint venture or working agreement with to help them provide products and services. See Your information and third parties for further information on this.
Prevent financial crime and cyber attacks
We continually monitor and analyse transactions, financial behaviour and electronic devices to detect and prevent financial crime and cyber-attacks. This enables us to protect and secure our customers’ information, our networks and our financial interests.
We share information with third parties to prevent financial crime, report fraud, manage our risks and protect both our interests.
Sell whole or part of our business
We may share information with third parties and their advisors who are interested in or participating in the sale, securitisation, merger, liquidation, receivership of all or part of our assets such as loan portfolios and subsidiary companies. For example, the information shared may be required by the third party to assess value, to perform due diligence and to facilitate the ongoing management of assets.
Internal management information
We produce internal management information to run our business and better understand customer needs. This information enables us to make informed decisions, develop our strategy and achieve our business strategies.
AIB places a strong focus on sustainability, to support our sustainable communities, so increasingly, we will gather and use Environmental, Social and Governance (ESG) information to help us understand and enable our business to be more sustainable. This includes understanding the purpose of finance we provide so that it can be classified to meet regulatory disclosure requirements.
-
Meeting our legal and regulatory obligations
To meet our regulatory and legal obligations, we collect some of your personal information, verify it, keep it up to date through regular checks, and delete it once we no longer have to keep it. We may also gather information about you from third parties to help us meet our obligations.
-
Credit searches
When you apply to us for products and services, and during the time you use these, we carry out information searches and verify your identity. We share your information with credit bodies such as the Central Credit Register (CCR).
When you enter into a credit agreement with us, this data is registered on the CCR database. Each month the CCR receives an update for each open account. This builds up a credit history which indicates how you are meeting the repayment terms of any credit agreements you may have.
When you apply for credit from us, we may access the CCR’s database to get your credit report. You may have loans from more than one member and your credit report will include details of all registered loans, open and closed. Credit agreements are retained on the CCR database for five years after they are closed.
Equally, you may not have any credit history in the cases where you have not borrowed previously, or any credit agreements have been concluded for more than 5 years.
Central Credit Register (CCR)
The CCR was established by the Credit Reporting Act 2013 and is operated by the Central Bank of Ireland. It collects and stores personal and credit information on credit agreements of €500 or more for products such as loans, credit cards, overdrafts and mortgages. The aim of the CCR is to provide greater protection and promote greater financial stability by providing lenders with comprehensive information to support credit assessments.
When you apply for credit from us or enter into a credit agreement with us of €500 or more, this information will be reported to the CCR and then updated monthly while the credit agreement remains in place. Information sent to the CCR also includes your Personal Public Services Number (PPSN) or Tax Reference Number (TRN) which is collected to enable the CCR to complete accurate customer identification. From 30 September 2018, if you apply for credit from us of €2,000 or more, we are required by law to make an enquiry to the CCR about your credit history. Information about your credit agreements will remain on the CCR database for five years after the agreement ends.
Further information on the CCR is available at www.centralcreditregister.ie or www.aib.ie/ccr or by calling (lo call) 1890 100 050 or 01 2245500. You can also send a specific query to consumerinfo@centralcreditregister.ie.
-
Fraud Reporting Agencies
The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment.
If you do not provide the information we need, or help us keep it up to date, we may not be able to provide you with our products and services.
-
US Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standard (CRS)
Financial institutions in Ireland are required under legislation which incorporates the US Foreign Account Tax Compliance Act (FATCA) and the Organisation for Economic Cooperation and Development (OECD) Common Reporting Standard (CRS) into Irish law to seek answers to certain questions for purposes of identifying accounts that are reportable to Revenue for onward transmission to tax authorities in relevant jurisdiction(s).
Financial institutions in Ireland, such as AIB, are required to seek answers to questions regarding tax residency. If customers do not provide all of the information requested, we may not be able to proceed with opening the new account until the relevant information is provided and we may be obliged to include the account(s) details in the annual FATCA and CRS returns to Revenue. Further information is available here.
-
Consent
Sometimes we need your consent to use your personal information. For example, when we use sensitive personal information (known as "special category information" under GDPR) about you, such as medical or biometric data, we ask for your explicit consent.
We have controls to ensure that you are informed when making your decision and that you are aware that you can remove your consent at any time by contacting us. Our consent requests are built on the following principles:
- Positive Action – Clear affirmative action is required. We will no longer use pre-ticked boxes, imply or assume consent in the event of no positive action from you.
- Free will – Your consent must be freely given and not influenced by external factors.
- Specific – We will be clear on what exactly we are asking your consent for.
- Recorded – We will keep a record of your consent and how it was obtained.
- Can be withdrawn at any time – We will stop data processing requiring your consent at any time you make a valid request.
-
Direct Marketing
For direct marketing, we need your consent to make you aware of products and services which may be of interest to you. We may do this by phone, post, email, text or through other digital media.
You can decide how much direct marketing you want to accept when you apply for new products and services. You may also opt out by using the unsubscribe option in the communications you receive from us. In the unlikely event that this does not work you can contact us over the phone at 0818 724 724 or call into a branch. We respect your privacy and will honour your request promptly.
As part of our direct marketing, we analyse the information that we collect on you through your use of our products and services and on our social media, apps and websites. This helps us understand your financial behaviour, how we interact with you and our position in a market place. This enables us to personalise your experience and provide you with the most suitable products and services.
If we ever contact you to get your feedback on ways to improve our products and services, you have the choice to opt out.
-
How we keep your information safe
We protect your information with security measures under the laws that apply and we meet international standards. We keep our computers, files and buildings secure.
In addition to our technical controls, our Data Protection Officer oversees how we collect, use, share and protect your information to ensure your rights are fulfilled. Our Data Protection Officer advises on how we can best understand risks to your data rights and freedoms, implements processes to protect these and has responsibility to report to the Data Protection Authorities if we are not meeting our obligations.
When you contact us to ask about your information, we may ask you to identify yourself. This is to help us protect your information.
-
How long we keep your personal information for
To meet our legal and regulatory obligations, we hold your information while you are a customer and for a period of time after that. To help you understand how long we hold some of your data for, we have summarised our internal retention schedules below. We hold all data while you are an active customer with us.
Please note that these retention periods are our policy but are also subject to legal, regulatory and business requirements, which may require us to hold the information for a longer period. For example, we must meet minimum retention standards for our Anti Money Laundering requirements. External agencies, such as the Financial Service and Pensions Ombudsman, can request we retain data for longer than our internal schedules. We must do this to protect both of our interests.
We continuously assess and delete data to ensure it is not held for longer than necessary.
| Document Type | Example Document | Retention Period |
| --- | --- | --- |
| Account and service information | Account Opening documents; Account Records; Opening Customer/Business Relationship documentation; Signed Terms of Business/Engagement documents; Customer Information – non Criminal Justice Act documents; Adherence to Law/Regulation documents – AML Report; Credit Committee – Customer related decisions; Customer Complaints; Customer Instructions & Communications; Deceased Accounts; Security information; DIRT information; Non-Account Holder Customer AML & Anti-Terrorism Checks; Treasury Customer Deal Confirmations; Treasury Customers Master Agreements; Treasury Customer Authorisation Forms | 7 years after the customer relationship ends |
| Transactional information - Once off | Customer Orders/Instructions; Dockets & Vouchers; MiFID Regulated Transaction documents; Cheques & Demand Drafts; Once-Off Transactions | 7 Years after the transaction |
| Transactional information - Recurring | Standing Order & Direct Debit Mandates; Continuing Transactions | 7 years after the cancellation or closure of the account |
| Revenue/Tax documentation | Tax Returns; Backup in relation to STA’s, encashment tax; Correspondence files for Dividend Withholding Tax, Revenue Contracts Tax; Tax Relief at Source information; Special Tax Accounts; Special Savings Accounts; Qualifying Intermediaries; VAT correspondence dealing with VAT queries including VAT Audit files and information provided to Revenue; VAT recovery calculations, back up schedules and reconciliation files | 11 years after the date of the document |
| Confidential documents under seal | Agreements executed on behalf of Customer (Under Seal) | 13 years after the date of the document |
| MiFID regulated investment firm records (Under Seal) | MiFID Regulated – Terms of Business/Engagement or Agreements (Under Seal) | Minimum 5 years after the date of the document (up to a maximum of 7 years). Records which set out the respective rights and obligations of the investment firm and the client under an agreement to provide services, or the terms on which the firm provides services to the client, shall be retained for at least the duration of the relationship with the client. |
| Reportable Accidents and Health and Safety reports | Health and safety reports | 10 years |
-
Your information and third parties
Sometimes we share your information with third parties.
For example to:
- provide products, services and information;
- analyse information;
- research your experiences dealing with us;
- collect debts;
- sell your debts;
- sell whole or part of our business;
- prevent financial crime;
- help trace, investigate and recover funds on your behalf;
- trace information; and
- protect both our interests.
Third parties we share information with can include:
- Estate agencies
- Credit bodies such as the Central Credit Register
- Fraud prevention agencies
- Funding Companies such as the Strategic Banking Corporation of Ireland (SBCI)
- The First Home Shared Equity Scheme
- Company search databases
- Regulatory bodies including the Data Protection Commissioner and the Central Bank of Ireland
- Companies we have a joint venture or agreement to work with
- Affinity Schemes e.g. AA Ireland, Irish National Teachers Organisation, Brown Thomas
- Insurance companies
- Government bodies including Revenue (Further information on tax reporting is available here)
- Businesses that introduce you to us or we introduce you to
- Cards/transaction processing
- Market research companies
- Financial advisors
- Investment managers
- Debt collection agencies
- External consultancy firms including Legal, Accountancy, Compliance and other Professional Services
- Any entity you request your data to be shared with
The third parties we share with may analyse the information that we collect about you through your use of your debit and credit card. The information we share may include what you spend on your debit and credit card, your age and your gender. We do not share information that can directly identify you as a customer, such as your name or account details. The third parties may combine this information with other information they hold. This aggregated information provides an understanding of financial and consumer trends with which we and those third parties may provide products and services.
We require that these third parties provide sufficient guarantees that the necessary safeguards and controls have been implemented to ensure there is no impact on your data rights and freedoms.
Third parties sometimes provide us with your information for example when making a card transaction online.
3D Secure, commonly known by its branded names like “Visa Secure/Verified by Visa” or “MasterCard Identity Check/MasterCard Securecode” is used to authenticate card transactions (Debit and Credit Cards) to reduce fraud and provide added security while shopping online. When shopping online a merchant may send supporting information as part of the transaction to allow us to assess the risk of the transaction and authenticate that it’s you.
The merchant is required to send us this supporting information as part of the 3D Secure service. The types of information shared are:
- Cardholder email address,
- Billing address,
- Browser IP Address,
- Information on number of transactions on that site previously.
The purpose of this data is to help support and verify if it’s really you doing the transaction.
We also have to share information with third parties to meet any applicable law, regulation or lawful request. When we believe we have been given false or misleading information, or we suspect criminal activity we must record this and tell law enforcement agencies, which may be either in or outside Ireland.
-
Collecting and using information on people who are not customers of ours
Sometimes we may collect and use your information even though you are not a customer of ours.
For example, you may be a beneficiary, guarantor, director or representative of one of our customers; you may be processing debit and credit card transactions with our customers; you may be applying for our products or services; or your own circumstances may have a material effect on the ability of our customers to perform their obligations to us. We will process your information in accordance with this notice.
-
Sharing joint/ multi party account information with a Third Party Provider (TPP)
If you have a joint or multi-party account that is accessible online, each account holder can consent to a TPP accessing that account information. With the permission of just one account holder, AIB may allow a TPP access to joint/multi-party account information to fulfil its legal and contractual obligations, and it is up to the account holder who has given permission to the TPP to confirm that all other account holders are aware of and satisfied with such third party access.
If you have any concerns about the security of your account please phone our Customer Service team immediately on (0818) 724 724 or +353 1 771 2424.
-
International transfers of data
We may transfer your personal information outside of the European Economic Area (EEA) to help us provide your products and services, such as where we share information with service providers in the United States or India. We will only transfer your information outside of the EEA where the same standard of data protection applies or appropriate safeguards are in place. This may include:
- transfers to countries approved by European Commission as having an adequate level of protection
- use of appropriate safeguards such as Binding Corporate Rules or Model Contractual Clauses
- transfers in line with the derogations for specific situations set out in Article 49 of the GDPR.
-
Your personal information rights
For more information on how you can exercise your rights please refer to our Data Protection Rights section here.
Whenever you contact us to ask about your information, we may ask you to identify yourself. This is to help protect your information.
Your right to obtain information cannot adversely affect the rights and freedoms of others. Therefore, we cannot provide information on other people without consent.
We generally do not charge you when you contact us to ask about your information. Under GDPR, if a request is deemed excessive or manifestly unfounded, we may charge a reasonable fee to cover the additional administrative costs or choose to refuse the requests.
-
Removing consent
You can change your mind wherever you have given us your consent, such as for direct marketing or processing your sensitive information, such as medical or biometric data. By contacting us at 0818 303 032, you can request that we no longer process data we require your consent for.
-
The right to lodge a complaint with a supervisory authority
If you have a complaint about the use of your personal information, please let a member of staff in your branch know, giving them the opportunity to put things right as quickly as possible. If you wish to make a complaint you may do so in person, by phone, in writing and by email. We will fully investigate all the complaints we receive. You may complain through our contact centre, our branches, our website, by phone, by email or in person at your branch. We ask that you supply as much information as possible to help us resolve your complaint quickly.
You can also contact the Office of the Data Protection Commissioner in Ireland on the below details:
Visit their website www.dataprotection.ie.
Email info@dataprotection.ie
Phone on +353 (0)57 8684800 or +353 (0)761 104 800
Write to Data Protection Office, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23. Or 21 Fitzwilliam Square, Dublin 2, D02 RD28, Ireland.
-
Automated decision making
We sometimes use technology to help us make decisions automatically. We use information provided directly by you, any information we may hold about you and information from third parties to make decisions that are efficient, quick, and fair based on the information provided.
You can request that a person is involved in an automated decision that affects you directly. Please see Your Rights section for further details.
Examples of automated decision making include:
Credit approval
When you apply for loan products or a credit card, we use multiple data sources to understand your ability to repay the loan and determine the credit limit of your card. This ensures responsible lending.
We use the information provided by you on the application and information from third parties including credit bodies such as the Central Credit Register.
The information we process for automated decisions includes:
- Income
- Financial position
- Transaction history
- Employment details
- Discretionary spending
- Credit rating
- Your other loans, mortgages and products
Analysis of this information helps us assess whether you can meet the loan payments. If your application is declined you will have the opportunity to appeal the decision, with any appeal reviewed by one of our lenders. This analysis also helps us assess an appropriate credit limit for your card. The initial credit limit decision is completed by our automated decision engines. If you are declined based on the automated criteria, you can ask that your credit limit is assessed manually by one of our staff.
Financial Crime
When using our products and services including our website and apps, we use technology to assess financial crime and cyber-attack risk in order to comply with our legal obligations and to protect your interests and our interests. This technology enables us to quickly determine if there are high risks associated with your device, location or transaction patterns to help prevent financial crime and cyber-attacks.
High risk threats are referred to our internal staff for investigation. We may need to automatically suspend account services if a threat or high risk is detected.
-
Specific Product DPN's
Some of our products require their own specific Data Protection Notices. You can access the notices for these products by clicking on the product names below.
-
Updates to this notice
We will make changes to this notice from time to time, particularly when we change how we use your information, and change our technology and products. You can always find an up-to-date version of this notice on this website at www.aib.ie/dataprotection, on display at your local branch, or you can ask us for a copy.
The following substantive changes have been made to Section 2 of the Data Protection Notice as of 16th June 2020:
Old Wording:
2. Data Protection Officer
Our Data Protection Officer oversees how we collect, use, share and protect your information to ensure your rights are fulfilled. You can contact our Data Protection Officer at DPO@aib.ie or by writing to them at: Data Protection Officer, Bankcentre, Ballsbridge, Dublin 4.
New Wording:
2. Data Protection Officer
Our Data Protection Officer oversees how we collect, use, share and protect your information to ensure your rights are fulfilled. You can contact our Data Protection Officer at DPO@aib.ie or by writing to them at: Data Protection Officer, 2 Burlington Road, Dublin 4, D04 WV00.
-
Key Definitions:
Please see explanations below of some of the data protection terms used on this website.
Biometric Data – means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or finger print data.
Consent – of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data Controller – is a natural or legal person, public authority, agency or other body who determines the purpose and means of the processing of personal data, where the purposes and means of such processing are determined by Union or Member State law. AIB are considered a data controller, as they process personal data on behalf of both their customers and their employees.
Data Processor – in relation to personal data, means any natural or legal person (other than an employee of the data controller), public authority, agency or another body who processes personal data under the direction of, and on behalf of a data controller. AIB is considered a data processor, as they process personal data on behalf of Third Parties. Additionally, Third Parties engaged by AIB to process personal data are considered data processors.
Data Protection Officer – The Data Protection Officer oversees how we collect, use, share and protect information.
Data Protection Regulation – means all legislation, regulation and applicable codes of practice relating to the processing, protection and privacy of personal data.
General Data Protection Regulation (‘GDPR’) – is a regulation intended to strengthen and unify data protection for all individuals within the European Union (‘EU’). The aim of the GDPR is to reinforce data protection rights of individuals and facilitate the free flow of personal data. It applies to all data controllers and processors established in the EU, as well as those established outside the EU that process the data of EU citizens.
Lawful basis – Processing of data is lawful only if and to the extent that at least one of the following applies:
a) Personal data processing is necessary to enter into or perform a contract with a data subject;
b) There is a legal obligation to the data controller for the personal data processing; data may be processed where AIB has a legitimate interest in processing the data.
c) AIB Group or our Third Parties have a legitimate interest in processing the data. This legitimate interest cannot over-ride the interests or fundamental rights of the data subject;
d) The data subject has provided consent to the processing of his or her personal data for one or more specific purposes;
e) Personal data processing protects the vital interests of the data subject; or
f) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Location Data – means any data processed indicating the geographical position of the terminal equipment of a user, including data relating to:
a) The latitude, longitude or altitude of the terminal equipment;
b) The direction of travel of the user; or
c) The time the location information was ‘recorded’
Personal Data / Data Subject – is any data relating to an identified or identifiable natural person (‘data subject’), who may be identified from the data either on its own (directly) or in conjunction with other data (indirectly), in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing – means obtaining, recording or holding the information or data, whether or not by automated means, or carrying out any operation or set of operations on the information including:
a) Collection of data
b) Organisation, adaption or alteration of the information or data
c) Retrieval, consultation or use of the information or data
d) Disclosure of the information, or data by transmission, dissemination or otherwise making available, or
e) Alignment, combination, blocking, erasure or destruction of the information or data
Recipient – means a natural or legal person, public authority, regulator, agency or another body, to which the personal data are disclosed, whether a Third Party or not. The processing of those data shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Special Categories of Personal Data – is data which relates to:
a) Racial or ethnic origin, political opinions or religious or philosophical beliefs
b) Trade union membership
c) Biometric data (We may collect voice, facial or fingerprint information to identify data subjects)
d) Physical or mental health
e) Sexual Life/Orientation
f) Genetic data
Supervisory Authority – means an independent public authority which is established by a Member State. In the Republic of Ireland the Office of the Data Protection Commissioner (‘ODPC’) and in the UK the Information Commissioner’s Office (‘ICO’) are the public authorities established to monitor the application of Data Protection Law.
-
How we collect information about you
- an account;
- make a deposit;
- apply for products and services;
- use your credit or debit card;
- complete transactions; or
- look for advice.
We also collect information through our website, apps, social media, discussion forums, market research and our CCTV footage.
We may source information about your assets or loans from reliable third party sources. For example, when you apply for a loan against a property, we will collect the energy rating information about the property from an online register (e.g. SEAI).
If you are a sole trader, or in a business partnership, we may also collect information about your company from your website(s). An example of this could be where we collect Environmental, Social and Governance information from your company’s published sustainability report.
How do AIB use social media information?
Our use of social media information is designed to deliver a better service for our customers.
At no point is your personal information used to track or follow you on social media.
We do not use personal information available on social media to make individual credit decisions.
Social media information is collected and used in three ways.
- Customer Service: As our customers’ adoption of social media channels continues to grow we aim to service customers where they choose to engage with us. You can choose to talk to us about customer service on Facebook, Twitter, LinkedIn, Instagram, etc. We sometimes ask you for your telephone number to help resolve your issues or log a complaint. We keep our online conversations with you to ensure that we can better service you in the future by understanding your previous needs. We do not use information collected from social media channels to identify you as our customer.
- Content Advertising: AIB uses the advertising platforms offered by various social networks to understand and reach out to broad groups of customers and potential customers with content advertising. No personal information is shared with or received from social networks as part of this process.
- Social Listening: Social listening involves using specific search tools on the internet to identify what people are saying about our industry and brand. This information is used to help us to better understand how we can improve our products and services. If your social media profile is private, your content cannot be searched. We do not use information collected from social media channels to identify you as our customer.
Further information on how we collect information online is detailed in our Privacy Statement and our Social Media Policy Statement.
We will sometimes record phone conversations and we will always let you know when we do this.
Depending on your product or service, we may collect information to identify you through voice, facial or fingerprint (biometric data) recognition technology. We always ask for your explicit consent to do this.
Our websites use ‘cookie’ technology. A cookie is a little piece of text that our server places on your device when you visit any of our websites or apps. They help us make the sites work better for you. Further information is available on our Cookie Policy.
When you apply to us for products and services, and during the time you use these, we carry out information searches and verify your identity. We do this by sending and receiving information about you to and from third parties including credit bodies such as the Central Credit Register. We and these bodies may keep records of our searches whether or not the product or service goes ahead.
-
How we use your information
We use information about you to:
- provide relevant products and services;
- identify ways we can improve our products and services;
- maintain and monitor your products and services;
- protect your interests;
- decide and recommend how our products and services might be suitable for you; and
- complete the acquisition of assets.
To provide our products and services under the terms and conditions we agree between us, we need to collect and use personal information about you. If you do not provide this personal information, we may not be able to provide you with our products and services.
We analyse the information that we collect on you through your use of our products and services and on our social media, apps and websites. This helps us understand your financial behaviour, how we interact with you and our position in a market place.
Examples of how we use this information include helping protect you from financial crime, offering you products and services, personalising your experience and meeting our regulatory requirements. See Your information and third parties for further information on how we analyse your information.
We may report trends we see to third parties. These trend reports may include information about activity on devices, for example mobile phones, ATMs and self-service kiosks, or card spend in particular regions or industries. When we prepare these reports, we group customers’ information and remove any names. We do not share information in these reports that can identify you as a customer, such as your name, or account details.
We sometimes use technology to help us make decisions automatically. For example, when you apply for a loan online. Before we make a decision, we automatically score the information you give us, any information we already hold about you, and any information we may get from other sources. See Automated Decision Making section for further information.
All of our processing must be supported by a lawful basis, as discussed in our Meeting our legal and regulatory obligations section.