Data Protection

2. How can you control the personal information you have given to WP ?

When your personal information is handled in connection with a WP product or service, you are entitled to rely on a number of rights. These rights allow you to exercise meaningful control over the way in which your personal information is processed. You may execute any of these rights free of charge (in certain exceptional circumstances a reasonable fee may be charged or WP may refuse to act on the request) and we may ask you to verify your identity prior to proceeding with your instruction by way of requesting additional information/documentation from you.

Once we are satisfied that we have effectively verified your identity, we will respond to the majority of requests without undue delay and within a one month period i.e. 30 calendar days of receipt of the request.  WP will action your request to have your personal information corrected within 10 calendar days. These periods may be extended in exceptional circumstances and we will inform you where the extended period applies to you along with an explanation of the reasons for the extension. Further information on how you may execute these rights is outlined in the Data Protection section of woohoopay.com or alternatively by contacting us using the channels outlined in Section 2.6 below.

For example, you are entitled to:

2.1. Access your personal information

You can look to access the personal information we hold about you by contacting us with a data access request using the channels outlined in Section 2.6 below. We will endeavour to provide you with as complete a list of personal information as possible. However, it can happen that some personal information from back-up files, logs and stored records may not be included in that list as this information is not processed by WP on an ongoing basis and it is not therefore immediately available. For that reason, this personal information may not be communicated to you. However, this personal information remains subject to standard data maintenance procedures and will only be processed and retained in accordance with those procedures.

2.2. Correct/ restrict /delete your personal information

If you believe that certain personal information we hold about you is inaccurate or out of date, you can look for the information to be corrected at any time using the channels outlined in Section 2.6 below after we have verified the information. If you dispute the accuracy of information held, you can request that we restrict processing this information while your complaint is being examined. If you feel that we are processing certain information without a legitimate reason or that we are no longer entitled to use your personal information, you can also ask for that personal information to be deleted.

We are not under an obligation to rectify or delete your personal information where to do so would:

• prevent us from meeting our contractual obligations to you or,
• where WP is required or permitted to process your personal information for legal purposes or otherwise in accordance with our legal obligations.

We ask that you keep us informed of any relevant change in your personal circumstances to enable us to keep the information on our systems up to date and accurate.

2.3. Withdraw your consent

Whenever you have provided us with your consent to process your personal information, for example, so that we can contact you about one of our products or services, you have the right to withdraw that consent at any time through one of the channels identified at Section 2.6 below. If you withdraw consent to processing (and if there is no other justification for continuing to process your information), you are also entitled to request that your personal information is deleted. Withdrawing consent does not affect the lawfulness of any processing undertaken by us based on your consent before its withdrawal.

2.4. Object to your personal information being used for certain purposes

If you disagree with the way in which WP processes certain information based on its legitimate interest (see Section 3.3 for further details and examples), you can object to this through one of the channels identified at Section 2.6 below. In such cases we will provide you with details regarding the rationale for processing your personal information and we will stop processing the personal information under dispute if we cannot legitimately justify the reasons for processing within the agreed timeframe.

Some bank operations are fully automated, with no human intervention and may include taking decisions based solely on automated processing. For more details on how WP uses automated decision making see Section 6 below. If you disagree with the outcome of a fully automated decision making process, you can speak to a WP staff member to express your point of view and contest the decision using one of the contact channels identified at Section 2.6 below.

2.5. Request your personal information to be transferred electronically in electronic form

You can (in certain cases) request that your personal information is transferred to you electronically or to another service provider so that you can store and reuse your personal information for your own purposes across different services. We will not be in any way accountable or liable for any damage, loss or distress sustained, incurred or suffered by you and/or the designated service provider as a result of improper use of the personal information upon and after receipt from us.

2.6. How to exercise your rights.

You can exercise the rights outlined above free of charge by contacting us using any of the channels below:

• By dropping in to or calling your nearest  WP Hub.
• By contacting one of our Customer Service Representatives by phone on 1 211 8666 or by email at info@woohoopay.com.

We recommend that you provide as much detail as possible in your correspondence with us so that we can deal with your query promptly and efficiently. You may be asked to provide proof of identification and/or additional information in order to validate your identity when making such a request.

3. Why does WB collect and use your personal information?

We gather and process your personal information for a variety of reasons and rely on a number of different lawful purposes to use that information, for example, we use your personal information to process your applications, to help administer your products and services, to ensure we provide you with the best service possible, to prevent unauthorised access to your accounts and to meet our legal and regulatory obligations.

3.1. To comply with legal obligations

We are required to process your personal information to comply with certain legal obligations, for example:

3.1.1. To report and respond to queries and lawful requests raised by regulatory authorities, law enforcement and other government agencies such as the Central Bank of Ireland, the Competition and Consumer Protection Commission, the European Central Bank and An Garda Siochana.

3.1.2. To respond to requests from Irish Revenue in accordance with relevant tax legislation including queries relating to Deposit Interest Retention Tax (DIRT), Foreign Account Tax Compliance Act (FATCA), stamp duty and Common Reporting Standard (CRS) and under Notices of Attachment issued by Irish Revenue;

3.1.3. To verify the personal information provided to us and meet our legal and compliance obligations, including to prevent money laundering, tax avoidance, financing of terrorism and fraud. For example, we are required to identify you, verify your identity, check your activity and transactions and ascertain your money laundering risk profile;

3.1.4. To pass details of the originator or the payee to the receiving or transferring financial institution;

3.1.5. To supply information to the Central Credit Register and to use the Central Credit Register when considering loan applications to determine your borrowing options and repayment capacity and/ or facilitate other lending institutions to carry out similar checks. WP will continue to exchange information such as your loan balance, the term of your loan and any arrears or default in making payments on that loan, with the Central Credit Register throughout your time as a customer of WP. The information held about you on the Central Credit Register database may be accessed by other organisations who may choose to use it to make credit decisions about you. The Central Credit Register retains this information on its database for a period of 5 years after your agreement with WP ends.

3.1.6. to gather information about our customers’ knowledge and experience, financial capacity, investment objectives and attitude to risk/return in relation to the products offered prior to giving investment advice to those customers;

3.1.7. to meet regulatory information security & incident reporting requirements such as under the Directive on Security of Network and Information Systems (NIS Directive);

3.1.8. to cooperate and provide information requested as part of legal and/or regulatory investigations or proceedings and to comply with orders made in the context of civil or criminal proceedings.

3.1.9. to investigate allegations of fraud and prevent fraud by third parties or customers including to meet our fraud prevention obligations under the Payment Services Regulations.

3.1.10. to respond to requests we receive from authorised third party providers (also known as TPPs) to access your account information where you have provided consent to those parties to provide account information or payment services. We are not responsible for the TPP’s use of your account information. In this regard, you should review a copy of the data protection notice of any TPP you contract with; and

3.1.11 to supply information to the Irish Credit Bureau (ICB) and to use the ICB database when considering loan applications and throughout your time as a WP customer to determine your borrowing options and repayment capacity. You can find further information on the ICB in their Fair Processing Notice (pdf, 179 KB).

3.2. To enter into and perform a contract for a product or service

3.2.1. Before WP provides you with products or services, we have to gather some personal information to process your application and to assess the terms upon which we can enter into the contract with you. This includes, for instance, gathering and processing personal information for a loan application.

3.2.2. In order to open and manage your account(s), policies or other banking products or services and to maintain our relationship with you, we have to process your personal information. Examples of processing include the administration of accounts, payments, deposits, lending, credit decisions (including use of automated credit decision making processes, where appropriate). As part of this process, we may be required to pass some personal information to an intermediary or counterparty (e.g. if you perform a payment transaction, we pass information on the progress of the transaction to the payee concerned).

3.2.3. In addition, WP provides insurance services acting as an insurance intermediary, which means we are required to provide your personal information to our insurance partners Zurich Insurance plc and Irish Life Assurance plc in connection with the provision and administration of insurance products and related services. This type of information will only be obtained and processed where necessary to process your application, administer your account, investigate claims or to comply with a legal obligation.

3.2.4. For our investment products, we also use a trusted third party service provider as well as WP Securities NV to administer trades for investment products which means that we may share your personal information with the service provider to facilitate these transactions or to comply with a legal obligation.

3.2.5. WP works closely with WP Life and Pensions to offer you pension products, to provide quotes for those products and to help WP Life and Pensions manage and administer your pension products.

3.2.6. We gather and use account information from your accounts held with other banking service providers to respond to your requests for payment initiation services (which allows a third party to give us instructions to make payments from your account on your behalf) and account information services (which allows you to access your accounts with different providers in one location).

3.3. To enable WB to function as a business

3.3.1. In certain circumstances, we process your personal information on the basis of the legitimate interests of WP. In doing so, we ensure that the impact of the processing on your privacy is minimised and that there is a fair balance between the legitimate interests of WP and your privacy rights. If you disagree with your information being processed in this manner, you are entitled to exercise your right to object. Examples of situations in which your personal information is processed based on our legitimate interests, include:

• to enable us to manage, on a holistic basis, our relationship with you by maintaining a single view of your accounts and any products or services that we provide to you and any interaction with us. This enables us to create a profile for you and to assess your needs better;
• to carry out statistical analysis, market research and to develop predictive and analytical models for different purposes including risk analysis, process improvements, marketing and fraud analysis. By combining information available to us from different sources such as transaction information and publicly available data (for example, the Central Statistics Office, the Property Price Register) to develop analytical models WP can obtain data-driven insights which help to make strategic choices about the functioning of the bank, our relationship with you as our customer and the products and services which we believe will be of interest to you;
• to submit claims and/ or otherwise exercise rights under insurance policies entered into in favour of WB and to provide updates to insurers on an ongoing basis in connection with those policies;
• to investigate complaints and establish, exercise and safeguard our rights under any agreement with you, including where necessary to engage tracing agencies, to consult professional advisors authorised to act on behalf of WP, take enforcement action (e.g. debt collection) and to respond to claims made against WP;
• to undertake system testing to guarantee software code quality, in particular to:
  • to test software code changes;
  • to validate the stability of software changes and accept the software code changes and
  • to run technical tests, like performance, resilience, operational proving testing;
• to create efficiencies in bank processes for WP and for our customers, to measure our performance and to deliver other organisational benefits;
• to ensure appropriate information security and fraud prevention protections are in place and to safeguard customer accounts; and
• to provide aggregated reports to departments inside WP, to the WP Group (more details on sharing personal information with WP Group are contained in Section 7.1.2) or to other third parties such as the Central Bank of Ireland. These reports contain grouped information, such as the average number of current accounts held by people in a particular county. No individual information is shared as part of these reports. Aside from these aggregated reports, we also use more detailed reports internally within  which WP contain personal information dealing with customer applications for products and services in order to help us effectively manage our workflow of applications and customer requests.

3.4. Where you have provided consent

3.4.1. Marketing Consent: We use your personal information to make you aware of products and services which may be of interest to you. If you take a look at Section 5 below, you can find out more about how we would like to provide you with customised offers and personalised customer service. To be able to do this, we will ask you for your consent. You can at any time withdraw that consent through the contact channels set out in Section 2.6 above. Alternatively, you can review and make changes to your marketing preferences through WP Mobile Banking or Online Banking channels and more details regarding these options are set out in Section 5 below.

3.4.2. Biometric Consent: We can use image recognition software to verify your ID when you are looking to open an account through the WP Mobile Banking App and on woohoopay.com. This involves us using optical character technology to extract relevant information from your ID documents. In such cases, we will ask you for consent to process this biometric data. An alternative channel will be made available to you should you choose not to give your consent. We will only use your biometric data to fulfil this request. Depending on your device, you may choose to enable Touch ID with in the WP Mobile Banking App. WP does not store or otherwise use this fingerprint ID for any purpose. Depending on your device, you may wish to choose to enable fingerprint or facial recognition technology within the WP Mobile Banking App. WP does not store or otherwise use this technology for any purpose.

3.4.3. Sensitive Information Consent: We sometimes collect and process information on your health and other sensitive information (also known as special categories of information) which you share with us while applying for a product or service or when requesting a change to an existing product and service (for example, to apply for or get quotations for pension products).

3.4.4. Geolocation Consent: If you choose to use the WP Hub Locator service, you will be asked to consent to the use of your geolocation information to find the WP Hub nearest to you. In order to offer you this service, we use in device location services. Your geolocation information will only be used on a once off basis to indicate the WP Hub nearest to you. This information will not be used for any other purpose.

3.5 To protect the vital interests of you or others

3.5.1.In limited circumstances, we may use and/or share your personal information, including sensitive information, with a third party (such as a family member or An Garda Síochána) to protect your safety or the safety of others.

4. What kind of personal information does WP collect and how it is used?

The information we hold about you can vary depending on the products and services you use. This includes personal information which you give to us when you are looking for a quote for a product or service, personal information we collect automatically, for instance, your IP address and the date and time you accessed our services when you visit our websites or apps; and personal information we receive from other sources like credit referencing agencies. We may also collect your personal information from other banks and financial institutions (for example, when you have requested us to display those accounts on our mobile or online platforms.

Here is a more detailed look at the information we hold about you and how it is used by us:

5. How do we use personal information for direct marketing?

We would like to make you aware of products and services provided by us, other WP Group entities or our insurance partners which may be of interest to you. We can do this by using some of the personal information we hold about you to better understand your needs.

For example:

Based on your demographic or other personal information we may offer you products or services which are widely used by others in the same demographic group.

5.1 You can review and make changes to your marketing preferences at any time through the following options:

• via the customer contact channels outlined in Section 1.2 above;
• via the ‘My details’ section of the WP Mobile Banking App. Simply click on the ‘Stay Connected’ box on the bottom of your screen to access the ‘My details’ section; or
• via the ‘Personal Details’ section of WP Online Banking.

6. How does WP make use of Automated Decision Making?

We use automated decision making to enable us to deliver decisions within a shorter time frame and to improve the efficiency of our processes. Some WP bank operations are fully automated, with no human intervention and may include taking decisions based solely on automated processing. If you disagree with the outcome of a fully automated decision making process, you can speak to a WP staff member to express your point of view and contest the decision using, the customer contact channels outlined in Section 1.2 of this Data Protection Notice.

6.1. An example of where we use automated decision making is as part of our credit decision process, which involves assessing your application for credit, taking account of your current circumstances and evaluating your ability to meet the required repayments.

The decision process takes into account different types of information, for example:

• Information you have provided in your application such as the amount requested, the repayment period, the type of facility, your income, employment details, etc.;
• Your credit history with credit reference agencies such as the Central Credit Register; and
• Details of other credit facilities you may have (with WP or other financial institutions) such as loans, overdrafts, credit cards, etc.

WP uses this information to apply internal credit assessment rules in a consistent manner. This ensures that your application for credit is treated fairly, efficiently and that we believe you can afford the required repayments. WP reviews the automated credit decision making process on an ongoing basis to ensure that it remains fair, efficient and unbiased in order to better serve our customers. To ensure that our systems remain secure and to protect our commercial interests, we need to keep the finer details of how we apply the WP credit assessment rules confidential.

7. What about Security and Confidentiality?

WB uses a variety of security technologies and procedures to help protect your personal information from unauthorised access, use or disclosure. We also take steps to ensure that only persons with appropriate authorisation can access your personal information.

7.1. Who can access your personal information within WP and the WP Group

7.1.1. Only staff members who are suitably authorised can access your personal information if that information is relevant to the performance of their duties, whether it be in connection with the delivery of products or services or in accordance with legal or regulatory obligations. This may include, for example, staff members working in our Credit Department, Marketing Department, in any of the WP Hubs or customer services representatives you have dealings with.

7.1.2. As a member of the WP Group, WP sometimes shares personal information relating to its customers with other members of the WP Group for a variety of reasons, for example, to provide you with products and services, for marketing purposes, for internal reporting and where those companies provide services to us. By way of illustration, we use the services of the WP Shared Services Centre, a Cypriot branch of the WP Group, for financial reporting and information technology support services..

7.2. Security measures to safeguard your personal information

We use internal technical and organisational measures to protect your personal information from unauthorised access, to maintain data accuracy and to help ensure the appropriate use of your personal information. These security measures include encryption of your personal information, firewalls, intrusion detection systems, 24/7 physical protection of facilities where your personal information is stored, background checks for personnel that access physical facilities, and strong security procedures across all service operations. We use strong encryption algorithms for the transmission and storage of your Information. Further information regarding these security measures as well as steps you can take to protect your computer is contained in the Security and Fraud Awareness section of the wb.com website which is accessible at https://www.woohoobank.com/security.

7.3. Other restrictions on use of your personal information

WP does not collect personal information on children aged under 16, unless a parent or legal guardian has given his/her consent for this. WP will not sell or hire your personal information to third parties for their own use.

8. Who do we share your personal information with?

WP sometimes shares your personal information with trusted third parties who perform important functions for us based on our instructions and applying appropriate confidentiality and security measures. For example, we use third party service providers to send out marketing material on a product or service you may be interested in. We also use third parties to help us detect, prevent, or otherwise address fraud, security or technical issues. We go into more detail below about the reasons we share personal information with third parties.

8.1. We have set out below some examples of where WP shares your personal information:

• We work with providers of payment-processing services and other businesses such as the Belgium based Society for Worldwide Interbank Financial Telecommunications (SWIFT)  to help us process your payments as well as other financial institutions that are members of the payment schemes (for example, MasterCard).
• We engage the services of our insurance partners, Zurich Insurance plc and Irish Life Assurance plc., to provide and administer insurance and investment products and related services.
• We engage the services of specialist third party providers to provide the IT infrastructure and application used on the WP Mobile Banking App to administer the purchase and sale of investment products.
• When you apply for a product or service with us and throughout your time as a customer of WP, we undertake credit checks and report to credit reference agencies such as the Central Credit Register and the Irish Credit Bureau. Through these agencies we can check your credit history and debts. We also provide them with details regarding the products and services you have with us and we update them about your repayment record.
• We use printing and distribution agencies to communicate with you about our products and services.
• We undertake market research in conjunction with agencies such as Ipsos, Core Research and Kantar.
• We engage the services of solicitors, accountants, auditors, valuers, debt collection agencies and other consultants to act on our behalf.
• We work with advisors you have instructed to represent you, or any other person you have informed us is authorised to give instructions or to use the account or services on your behalf (such as under a power of attorney). In circumstances where a third party (individual or legal entity) guarantees or indemnifies your obligations to us, we may share relevant personal information relating to the account with that party.
• We work with certain relationship partners and agents, such as our approved panel of brokers, under a strict code of confidentiality.
• We are required to cooperate by law or otherwise through a legal process with Irish and EU regulatory and enforcement bodies such as the Central Bank of Ireland, an Garda Siochana, the courts, fraud prevention agencies or other bodies. We are also required to report personal and account information to Irish Revenue for interest reporting, CRS and FATCA purposes.
• We use the services of innovative and artificial intelligence led document. Recognition and interrogation services providers, such as ID Scan and Data Ireland to identify you for anti-money laundering purposes. We also use third parties for document extraction services for the WB Mobile Banking App and on some wwoohoopay.com applications to present customers with a quick and efficient method of completing part of an application form by extracting that information directly from identification documents.
• We work with companies that support WP to identify and analyse your user behaviour in our app and on our website, for example, Analytics Providers.
• We use specialist third parties such as LivePerson and Booking Bug to provide real-time customer engagement and appointment scheduling solutions on the WP website.
• We engage the services of ICT and information security service providers, such as Microsoft and IBM.
• We work with funding companies such as the Strategic Banking Corporation of Ireland (SBCI).
• We may share certain information about your account (e.g. account balance, transaction details) with third party providers (TPPs) where you have provided consent to those parties to provide you with account information or payment services.

8.1.1. We sometimes need to share information with organisations which are located or who otherwise undertake processing outside the EEA. This may mean, for example, that some of your personal information may be processed in countries such as India, Malaysia or the United States. We will however only transfer personal information to a country or territory outside of the EEA if

1. that country provides an adequate level of protection for personal information as set down by the European Commission; or
2. the transfer is made under a legally binding agreement which covers the EU requirements for the transfer of personal information to organisations outside of the EEA such as the model contractual clauses (also know as Standard Contractual Clauses) approved by the European Commission; or
3. Binding Corporate Rules or BCRs (a copy of the BCRs of Mastercard are available on request) or an equivalent framework; or
4. such other approved mechanism or model approved by the European Commission.

In the event that the United Kingdom exits the European Union (Brexit), WB will ensure that one or more of the protections outlined in this Section 8.1.1 shall apply to any such transfers from the EEA to the United Kingdom.

For more information about the European Commission’s decisions on the adequacy of the protection of personal information in countries outside the EEA, please visit: https://ec.europa.eu/info/law/law-topic/data-protection_en

8.1.2. We may disclose personal information relating to our customers to any third party in the event of a sale, transfer, assignment, disposal (or potential sale, transfer, assignment or disposal), merger, liquidation, receivership, of all, or substantially all or any part of the assets of WP.

We may use your personal information to facilitate a potential or actual transfer of any loan or product provided to you or in connection with a securitisation or other funding arrangement.

9. How long will we retain your personal information?

How long certain personal information is stored depends on the nature of the information we hold and the purposes for which they are processed. WP determines appropriate retention periods having regard to any statutory obligations imposed on us by law. For example, we are required to retain some customer information for 6 years after the end of the customer relationship in accordance the Consumer Protection Code and also to meet our obligations under anti-money laundering legislation.

If the purpose for which the information was obtained has ceased and the personal information is no longer required, the personal information will be deleted or anonymised which means that your personal information is stripped of all possible identifying characteristics. WP has put in place procedures to ensure that files are regularly purged and that personal information is not retained any longer than is necessary.

10. Updates to our Data Protection Notice

We keep this notice under regular review and from time to time will look to amend it to reflect changes to the way in which we are processing personal information. The most recent version will always be available at www.woohoopay.com/data-protection. We will inform you of material changes to the content of the Data Protection Notice through a notification posted on our website, Wp Mobile Banking App or other communication channels. You will also find more information about Irish and European data protection legislation on the Office of the Data Protection Commissioner’s website at https://dataprotection.ie/docs/Home/4.htm