General Data Protection Regulation
Right to be Forgotten FAQs (Customer & Branch)
Customer
-
What is GDPR: Right to Erasure (Article 17)?
A Customer’s Right to Erasure (also known as a Customer’s Right to be Forgotten) relates to a customer having the right to request that their personal data be forgotten or erased from an organisation’s databases.
The GDPR regulation only relates to Natural Persons and their right to the protection of personal data (Article 1). This means that personal customers (and customers operating as a sole trader) can request a right to be forgotten but companies and corporations are not included.
For a customer, your Right to be Forgotten means that you have a right to request that AIB erase data related to you that we store and process.
-
What are the conditions in which my account is suitable for Erasure?
You may ask us to erase your personal information, or we may erase your personal information under the following conditions:
The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
You withdraw your consent where is no other legal ground for the processing;
You withdraw your consent for direct marketing purposes;
You withdraw your consent for processing a child’s data;
You object to automated decision making;
The personal data have been unlawfully processed;
The personal data have to be erased for compliance with a legal obligation.
-
Are there any exemptions to Right to Erasure?
Yes. There are some exemptions. If there is a legal basis for retaining the information, AIB will not be able to process your Right to be Forgotten. Some of these exemptions are:
Legislation requiring retention of data (for example, the Financial Ombudsman Act)
If your data is still subject to AIB’s Data Retention Schedule, which is the agreed period for which AIB can store information on any account, product or application once it has been closed.
You are still a customer with AIB and have open accounts that you are transacting on and products that you are using.
You have an ongoing application with AIB for a product or account.
You have a non-account holding relationship with the bank (e.g. trustee, guarantor, Power of Attorney, Assisted Decision Making Authority, Director of a Company, etc.).
If you are otherwise engaged with AIB, either directly or through a third party.
-
I have closed all my accounts with AIB and want to exercise my Right to be Forgotten, how can I do this?
You can do this by completing a Right to be Forgotten request form. Information on how you submit this request can be located below. Click here for the Right to be Forgotten Request form.
When submitting a Right to be Forgotten request, you must also present AIB with a valid proof of identity so that we can validate your request.
Please note, AIB will only be able to forget accounts or products that are outside AIB’s Data Retention schedules and those that do not fall into our list of exemptions. See below for list of exemptions.
-
What does it mean to be Forgotten?
The bank will no longer be associated with you as a person, depending on the nature of the request. This will mean that the bank will no longer have any access to your personal data previously held.
-
How can I submit my Right to be Forgotten request?
As a data subject, there are a few ways you can exercise your Right to be Forgotten.
Online at AIB.ie:
You can access the form on AIB.ie at XXX.
We will ask you a few short questions first - This is to help you determine whether your data held by AIB can be Forgotten. (See Why can’t AIB delete my data, when I have requested the Right to be Forgotten?)
The form can be downloaded and must be returned in person by you to any AIB Branch. You must also bring with you a valid proof of identity. (See What do I need to fill in on the Right to be Forgotten Form?)
In Branch:
Call into your local branch to speak to an AIB Sales and Services staff member about the Right to be Forgotten.
Forms to request a Right to be Forgotten will be available in your branch.
You will need to provide a copy of a valid proof of identity before we can accept the request. (See Acceptable Proof of Identity documents)
By Post:
Download the form on AIB.ie (See Online at AIB.ie).
Return the form with a copy of a valid proof of identity to AIB Customer Services etc.
We will let you know that we have received your request. (See How do I know AIB have received my request.
-
How long will it take to process my request?
This can vary depending on the complexity of the Right to be Forgotten request. We will process your request without undue delay.
-
If I am forgotten, can I bank with AIB again?
Yes, it will be possible to bank with AIB again, however, we will not be able to link your previous banking details with your new banking details. Instead, you will be considered a new AIB customer.
-
Will AIB let me know that my right has been exercised?
Yes, AIB will contact you to let you know that your request has been received and we are working on it. AIB will also contact you to confirm that your Right to be Forgotten request has been processed.
-
Can I change my mind once I submit my request?
No – once you have submitted your right to be forgotten request, AIB will not be able to cancel this request.
-
Once my data is erased, can it be reinstated?
No, once your data is erased. It cannot be reinstated.
-
Does AIB share my data with Third Parties? If so, what happens to my data when I request a Right to be Forgotten with AIB?
Yes, in certain circumstances, AIB will share your data with Third Parties, with your permission. Click here for more information on Third Parties and how they use your data. If you request a Right to be Forgotten request, AIB will contact any relevant third party and instruct them to erase your data that was generated through your activity with AIB.
Third Parties will then have the responsibility to erase this data on their systems, subject to their own eligibility criteria.
In the case that you have a relationship with a Third Party (e.g. a life insurance product with Irish life), you may have to contact the Third Party directly to exercise your Right to be Forgotten.
-
Will Right to be Forgotten affect my credit rating with the Irish Credit Bureau?
No. Your Right to be Forgotten will not impact your existing credit history.
AIB will only be able to forget accounts or products that are outside AIB’s Data Retention schedules and those that do not fall into our list of exemptions. See below for list of exemptions.
Accounts or products that can be forgotten will no longer be reported to the Irish Credit Bureau by AIB, as part of your credit history, so if removed, will not have an impact on your credit rating. For further information on how your credit rating is generated, please see www.icb.ie/credit_rating.
Staff RtF – Customer engagement
-
A customer raises a Right to be Forgotten request but has one open and one closed account, can we action this request?
Yes, you can action this request on a Part-Erasure basis.
You will need to check though that the closed account has been closed longer than 7 years (and so meets AIB’s Data Retention schedules).
If it does, this account may be a candidate for Erasure.
-
Who can request a Right to be Forgotten?
Any natural persons can request a Right to be Forgotten, i.e. only personal customers or business customers who act as sole traders.
There are exceptions around legal representatives including Power of Attorney, Assisted Decision Making Authority, solicitor or parent/guardian.
-
What information does the customer need to submit for a Right to be Forgotten?
The customer will need to provide an acceptable form of identification (see here for what is acceptable proof of identification), with the exception of Known to Branch which is not an acceptable form in this instance.
Customer signature will not be accepted as valid proof of authentication (except in special circumstances (immobile / out of country customers)
TIP: Use standard Branch procedures for establishing customer identity - their account number, name, address, date of birth.
-
Why do I need this information from a customer to carry out their Right to be Forgotten request?
We need this information so that when processing a Right to be Forgotten request, we can correctly identify the right Customer and locate them on Clientview (for example there may be multiple John Smiths who have had a relationship with AIB, but through using Address and Date of Birth, we can correctly identify the John Smith who has raised a Right to be Forgotten request).
-
My customer has an Irish Life product, how is their data erased on Irish Life? (insert product matrix)
In relation to Third Parties, any third party owned data will be subject to the decision of that third party in how they erase the data.
TIP: See table of Third Parties below
-
In what circumstances is a customer’s request considered as non-compliant for a Right to be Forgotten?
(a) Some common reasons for a request to be considered non-compliant are:
(i) Open Accounts (or closed accounts within retention)
(ii) Open or pending applications
(iii) Open Complaints (or complaints that are closed but still within retention)
(iv) Long term Credit products (for example Mortgage) because of FSO Act
(v) Guarantor or CJA Approved relationships
(b) TIP: For more information, check the full exclusions list located here.
-
What do I need to check to see if the customer’s request is valid?
You need to check the Identification and Validation procedure checklist located on Infobank here.
-
If the customer’s request is not valid for Right to be Forgotten, what is the process for communicating this to the customer?
Initial NBP Check: If customer is flagged as having any open accounts or products on NBP following the initial check, then the branch member should communicate to the customer that their request cannot be fulfilled, and should refer the customer to either visit www.aib.ie/GDPR or to contact AIB’s Group Privacy Office (GPO@aib.ie) for further information.
Note: If a customer still wants to proceed with their Right to be Forgotten request, the branch member should proceed with the submission as per normal procedure.
Post Submission: If the form has been submitted, and is identified as being non-compliant, AIB will write to the customer, explaining why their request cannot be processed.
-
Where can a customer go if they have additional questions?
You can direct customers to AIB’s Group Privacy Office. See contact details here (GPO@aib.ie).
-
How long does the Right to be Forgotten process take and when will the customer be notified?
(a) We will be notifying the customer that we will process their request without undue delay.
(b) Generally, this will mean the request should take approximately 30 calendar days. However, depending on the complexity of the request, it may take longer.
(c) An acknowledgement letter will be sent to the customer, on receipt of their request. This letter will contain information on the SLA. When talking to the customer in branch, you can reference without undue delay as a SLA.
-
Does the customer need to come back to the branch once the right has been exercised?
No, AIB will communicate to the customer by letter.
-
If a customer complains about the process, what do we do with this?
(a) Follow the standard process for Complaints raised by a Customer.
(b) Contact the Group Privacy Office for any GDPR/Erasure related issues.
(c) If the request has been processed and the customer information has been erased, a complaint can be raised using the Non Customer Complaint process.
-
Can a customer request a right to be forgotten for someone else?
(a) No, a customer can only raise a right to be forgotten request for themselves.
(b) The only exception is a legal agent acting on behalf of a customer (Power of Attorney, Assisted Decision Making Authority, solicitor or parent/guardian).
-
Can I track the progress of a customer’s request once I have submitted it from the branch?
Yes, request will be tracked through the Process Accelerator (PA) workflow tool. You can use the Where is My Process in BPM to review that status of these requests.
-
Can I accept a free form letter as a request from a customer?
No, a customer will need to complete a Right to be Forgotten request form. In the event that a customer writes into branch or AIB HQ, staff members will be instructed to respond by directing the customer to AIB.ie / GDPR / FAQs to download the Right to be Forgotten Request form. Customers will then follow procedures listed above.
-
Do I need Proof of Identity for a customer requesting the right to be forgotten?
Yes, any customer making a right to be forgotten request will need to present proof of identity. See above for ID&V procedure.
-
What do I do with the Right to be forgotten form that the customer has submitted?
(a) The form needs to be sent to the Rights Sustainment team in Customer Services, using the Blue Bag.
(b) TIP: In the coming months, you will be able to scan the form to Right to be Forgotten process, using the normal branch scanning.
(c) When scanning is in place, the original of the request can be….XXXX
-
Do I need to log an invalid right to be forgotten request?
No, a Customer will not be able to submit a form if they don’t pass first stages of checks.
-
I’m not sure if the customer has a valid Right to be Forgotten request – what do I do in this scenario?
(a) In this instance, first consult GDPR FAQs – Right to be Forgotten for Staff members.
(b) If you are still unsure, please submit the request to the Rights Sustainment team, using the normal process.
(c) Ensure that all mandatory fields are populated and that the customer provides contact details in the event that the rights team have further queries.
(d) TIP: The customer can still submit the form – application will be processed by the Rights Sustainment team, who can confirm if the request is invalid.
-
Where is the Right to be Forgotten form on aib.ie?
Click here to access the RtF form on aib.ie