Privacy Statement:

Ráiteas Príobháideachais

Download the FSPO Privacy Statement as a PDF document

Introduction

This Privacy Statement provides guidance and information about the ways in which the Financial Services and Pensions Ombudsman ("FSPO") processes your personal data.

The FSPO ("we", "us", "our") is an independent statutory body with the principal function of investigating complaints relating to the conduct of financial service providers or pension providers. We may investigate complaints by informal means, mediation or by way of formal investigation. In carrying out our statutory functions and activities under the Financial Services and Pensions Ombudsman Act 2017 (the "Act") the FSPO engages with and may process personal data relating to various different external parties, both individuals and businesses. In particular, the FSPO obtains data from individuals who make complaints or queries to the FSPO. The FSPO also obtains data from businesses, companies, sole traders, partnerships, Government Departments, State bodies, State-sponsored bodies, regulatory authorities and other organisations, which may include personal data of individual contacts or officers of such entities.

We are committed to protecting and respecting your privacy. This Privacy Statement sets out how we process any personal data we collect from or about you in connection with the performance of our statutory functions and activities. Please read this Privacy Statement carefully to understand our treatment and use of personal data.

In this Privacy Statement, references to "you" mean the person whose personal information we process.

We will use your personal data only for the purposes and in the manner set out below. We do so in accordance with the Data Protection Acts 1988 to 2018, the General Data Protection Regulation (GDPR), the Law Enforcement Directive (i.e. Directive (EU) 2016/680) and any subsequent implementing legislation and amendments (collectively referred to in this Privacy Statement as "Data Protection Legislation".

Identity of the Controller

For the purposes of Data Protection Legislation, the Financial Services and Pensions Ombudsman is the data controller of personal data we collect about you. The FSPO is an independent body established under the Act, which has its address at Lincoln House, Lincoln Place, Dublin 2, D02 VH29.

Contact details of the Data Protection Officer

The contact details of the FSPO's Data Protection Officer are as follows:

Email address: dataprotection@fspo.ie

Address: Lincoln House, Lincoln Place, Dublin 2, D02 VH29

When Does This Privacy Statement Apply?

This Privacy Statement applies to personal data that we process about you in connection with the performance of the FSPO's statutory functions and activities. It applies whether personal data is obtained by the FSPO on a voluntary basis or as a result of the exercise of the FPSO's statutory powers.

Where Do We Obtain Your Personal Data From?

We obtain personal data from various sources. The following non-exhaustive methods of collection are an indication of ways in which we may obtain your personal data:

  • Some of the personal data we process is obtained from you when you provide it directly to the FSPO. For example, this may include, but is not limited to, when you submit a complaint or query to the FSPO.
  • In some situations, we may obtain your personal data from third parties. Please see the section on third-party data below, for more information.
  • We may also obtain personal data about you from other sources, including from the financial service provider or pension provider that you have complained to the FSPO about, or from their representative/s in the course of the performance of our statutory functions and activities.
  • While conducting our investigations, personal data may also be obtained from sources including, but not limited to, individuals, businesses, Government Departments, State bodies, State-sponsored bodies, regulatory authorities and/or other organisations who hold personal data relevant to the complaint being investigated.

In the section on third-party personal data below, we have set out the various categories of data we may process and how that personal data is obtained.

We may contact you for information in the performance of our functions. This contact will relate to the purposes referred to in this Privacy Statement and may include but is not limited to the following: to obtain information necessary to register a complaint; as part of the Dispute Resolution Service; as part of a complaint investigation; as part of an assessment of a complaint file; to gather information for reports and publications; and to respond to requests or queries.

Third Party Personal Data

Third party personal data is personal data belonging to a person who is not a party to your complaint. Third party personal data can include, but is not limited to, a name, an identification number or account number, an address, medical records or financial documentation of a third party.

When investigating a complaint, the FSPO can process data that is relevant and necessary for the investigation of that complaint. In this regard, please DO NOT include third party personal data, in the complaint form, in your correspondence to this office or in the documentation which you submit to support your complaint where it is not relevant and necessary to the consideration of your complaint.

It is a matter for the FSPO to decide whether the third party personal data is relevant and necessary to the investigation of your complaint. If you submit personal data belonging to a third party to the FSPO, you may be asked to set out why you believe this personal data is relevant and necessary to your complaint. The FSPO may request the following from you where you have submitted third party data:

  1. We may request that you provide written confirmation from the third party that they have obtained a copy of this Privacy Statement and that they consent to the processing of their data.
  2. We may request that the documents containing the third party data are submitted in a redacted form that ensures that no third party data is contained in the documentation.

If you submit third party data without a statement of relevance and/or written confirmation, we may not be able to process that personal data. This may lead to a delay in your complaint or query being progressed by this office. If we consider that processing the third party personal data is not relevant or necessary then we may delete or return the record containing the third party personal data.

How We Use Your Data

The personal data we collect from you or through our systems helps us to comply with our legal obligations and to carry out our statutory functions and activities. We only request data from you or from other sources which we need to investigate a complaint or in accordance with other statutory functions. We collect this information via our complaint form, written correspondence, telephone/video telephony communications or oral communications. We do not track, record or retain phone or video telephony conversations, however, we may keep a written note of your call. Voicemail messages are recorded. We may contact you by email, by letter, by telephone or SMS during the investigation of your complaint.

We routinely gather and publish complaint case studies in accordance with our legal obligations under the Act. We also publish legally binding decisions made on complaints against financial service providers in accordance with our legal obligation under Section 62 of the Act. We take great care to ensure that individuals are not identifiable in the publication of any legally binding decisions or complaint case studies.

The categories of personal data we collect, the basis of processing and the purposes of processing are detailed in the non-exhaustive table below.

Purpose of Processing Basis of processing Categories of Data
To register, assess, mediate, and investigate complaints GDPR Article 6(1)(c): Processing is necessary for compliance with a legal obligation to which the controller is subject ("Legal Obligation") GDPR Article 9 (2)(g): processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject ("Public Task") Personal data including: name, gender, occupation, job title, date of birth, account number, policy number ("Identification Information") address, telephone number, email address and Eircode ("Contact Information") financial information, medical information and employment information ("Other Information")
To process a query raised by you about our functions, complaints processes etc. Legal Obligation Public Task Identification Information and Contact Information, in so far as is necessary to respond to the query
For the purposes of legal proceedings, including any appeals or any other legal action concerning our decisions or procedures or acts of this office. Legal Obligation Public Task Identification Information, Contact Information and Other Information
For the purposes of adjusting our practices and improving the performance of our service. This could include customer surveys and marketing communications. Consent Contact Information, and Identification Information, in so far as is necessary for the purpose and in accordance with the consent
To fulfil our information provision obligations, including by co-operating with and exchanging information with other regulatory authorities or others, where it is permitted or required by law Legal Obligation Public Task Contact Information, Identification Information and Other Information
In relation to our offices and premises, to ensure security of our offices and premises and to enable us to investigate incidents that occur there. It is necessary in our legitimate interests for the security of our offices and premises. CCTV footage, visitor sign/in out records
To otherwise enable us to fulfil our regulatory and/or legal obligations and to perform our statutory functions and activities. Legal Obligation Public Task Contact Information, Identification Information and Other Information

Consent will rarely be considered to be a basis for processing personal data gathered or obtained by the FSPO on foot of its statutory functions and activities carried out pursuant to the Act. However, in some limited circumstances, we may request your explicit consent to process specific types of personal data.

Where special category data is processed by us for any of the purposes specified above, we will only use the information in the performance of the following functions: for dispute resolution purposes; to assess our jurisdiction to progress a complaint; to investigate complaints; and to respond to any queries, complaints, or requests received. Where we process special categories of personal data, we will only do so for compliance with a legal obligation to which we are subject, and where processing is necessary for reasons of substantial public interest

Sharing of Personal Data

We share all data collected with the parties to the complaint. When we collect personal data, including special category data, we will take the necessary measures to ensure that it is processed in accordance with Data Protection Legislation.

In certain circumstances, we share and/or are obliged to share your personal data with other parties in the course of the exercise of the FSPO's statutory functions and activities. Where this is done, we ensure the transfer is based on a Legal Obligation, a Public Task or the performance of a contract. These parties may include but are not limited to the following: the financial service provider or pension provider against which the complaint has been made, including a representative acting on that provider's behalf, another business or individual involved in the complaint (e.g. a broker, underwriter or lender), the Central Bank of Ireland, the Competition and Consumer Protection Commission, the Pensions Authority, other regulatory authorities, and others, where it is permitted or required by law, or where we have your consent.

We use service providers who provide services including but not limited to IT services and legal services. In providing the services, your personal data will, where required for the purposes of the service provided, be processed by the service provider on our behalf. The FSPO has written contracts in place with any service providers that processes your personal data on behalf of the FSPO. These contracts provide assurances regarding the protections that they give to your personal data and their compliance with our data security standards and international transfer restrictions.

Transfers Outside the European Economic Area

Your personal data may be transferred, stored and processed in one or more countries outside the European Economic Area ("EEA"), for example, when one of our service providers use employees, services or equipment based outside the EEA. For transfers of your personal data to third parties outside of the EEA, we take additional steps in line with Data Protection Legislation. We put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights, e.g. we will establish an adequate level of data protection through EU Standard Contractual Clauses based on the EU Commission's model clauses.

If you would like to see a copy of any relevant provisions, please contact us using the contact information below.

Retention of Data

We will keep personal data for as long as it is necessary to fulfil the purposes for which it was collected as described above and in accordance with our legal and regulatory obligations. This may mean that some information is held longer than other information.

Further information is set out in our Records Management Policy.

Confidentiality

The FSPO's complaint handling processes and procedures have been carefully developed to ensure the robust, fair, impartial and confidential investigation and adjudication of complaints. Both parties are required to respect the confidentiality of these processes. Details of a complaint are not permitted to be shared beyond the parties and their representatives.

CCTV

We have CCTV recording in operation at our offices for the safety and security of customers, staff and to assist in the prevention of security breaches.

Safeguarding Your Personal Data

We employ high standards of physical and technical security to protect the confidentiality of your personal data. All staff are aware of the standard of data security expected of them in the processing of personal data in relation to complaints. We have, in particular, taken appropriate security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access.

Cookies

Our website (www.fspo.ie) has introduced cookies with effect from 01 January 2018. Our website uses both session cookies and persistent cookies. Within your browser you can choose whether you wish to accept cookies or not. Users can choose to set optional analytics cookies to help us improve our website. We don't set optional cookies unless you enable them. Please see our cookie policy at www.fspo.ie/cookies for further information.

Your Rights Under Data Protection Legislation

You may have various rights under Data Protection Legislation. These may include (as relevant):

Your right What does it mean? How do I execute this right? Conditions to exercise?
Right of access Subject to certain conditions, you are entitled to have access to your personal data which we hold (this is more commonly known as submitting a "data subject access request"). You can make a request for access to your personal data by completing and returning the FSPO’s Data Access Request form to our Data Protection Officer via email at dataprotection@fspo.ie or in writing to: Data Protection Officer, Financial Services and Pensions Ombudsman, Lincoln House, Lincoln Place, Dublin 2, D02 VH29. If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations. We must be able to verify your identity. Your request may not affect the rights and freedoms of others, e.g. privacy and confidentiality rights of other individuals and/or businesses. Data solely retained for data backup purposes is principally excluded.
Right of data portability Subject to certain conditions, you are entitled to receive the data which you have provided to us and which is processed by us by automated means, in a commonly-used machine readable format. Requests should be made to our Data Protection Officer via email at dataprotection@fspo.ie or in writing to: Data Protection Officer, Financial Services and Pensions Ombudsman, Lincoln House, Lincoln Place, Dublin 2, D02 VH29. If possible, you should specify the type of information you would like to receive to ensure that our disclosure is meeting your expectations. The GDPR does not establish a general right to data portability. This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (e.g. not for paper records). It affects only personal data that was "provided" by you. Hence, it does not, as a rule, apply to personal data that was created by us or supplied to the FSPO by any other individual and/or business.
Rights in relation to inaccurate personal or incomplete data You may challenge the accuracy or completeness of personal data which we process about you. If it is found that personal data is inaccurate, you are entitled to have the inaccurate data removed, corrected or completed, as appropriate. We encourage you to notify us of any inaccuracies regarding your personal data as soon as you become aware of them. Notifications should be made in writing to our Data Protection Officer via email at dataprotection@fspo.ie or in writing to: Data Protection Officer, Financial Services and Pensions Ombudsman, Lincoln House, Lincoln Place, Dublin 2, D02 VH29. This right only applies to your own personal data. When exercising this right, please be as specific as possible.
Right to object to or restrict our data processing Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data. Requests should be made to our Data Protection Officer via email at dataprotection@fspo.ie or in writing to: Data Protection Officer, Financial Services and Pensions Ombudsman, Lincoln House, Lincoln Place, Dublin 2, D02 VH29.   Objections must be based on grounds relating to your particular situation and should not be generic. We will no longer process your personal data unless we can demonstrate legitimate grounds to continue to do so under Data Protection Legislation. If your objection is successful it may be necessary to close your file, however, your data will be retained in line with our Records Management Policy and Retention Schedule.
Right to have personal data erased Subject to certain conditions, you are entitled, on certain grounds, to have your personal data erased (also known as the "right to be forgotten"), e.g. where you think that the information we are processing is inaccurate, or the processing is unlawful. Requests should be made to our Data Protection Officer via email at dataprotection@fspo.ie or in writing to: Data Protection Officer, Financial Services and Pensions Ombudsman, Lincoln House, Lincoln Place, Dublin 2, D02 VH29.   There are various lawful reasons why we may not be in a position to erase your personal data. This may apply (i) where we have to comply with a legal obligation, (ii) in case of exercising or defending legal claims, or (iii) where retention periods apply by law or our statutes or under the FSPO's internal Records Management Policy.
Right to withdrawal You have the right to withdraw your consent to any processing for which you have previously given that consent. Requests should be made to our Data Protection Officer via email at dataprotection@fspo.ie or in writing to: Data Protection Officer, Financial Services and Pensions Ombudsman, Lincoln House, Lincoln Place, Dublin 2, D02 VH29. If you withdraw your consent, this will only take effect for the future.

Complaint to Data Protection Commission

We hope you are satisfied with our use of your personal data. However, if you wish to make a complaint you may do so by contacting the Data Protection Commission at info@dataprotection.ie.

Changes to This Privacy Statement

We reserve the right to change this Privacy Statement at any time in our sole discretion. If we make any changes to this Privacy Statement we will publish any relevant changes on our website www.fspo.ie so that you can see how we process your personal data. By continuing your relationship with us after we post any such changes on our website, you accept and agree to this Privacy Statement, as modified.

This privacy statement was approved on 2 November 2021 and will be reviewed as required.

Contact Us

For further information or if you have any questions or queries about this Privacy Statement please contact us by:

Post: Financial Services and Pensions Ombudsman Lincoln House, Lincoln Place Dublin 2, D02 VH29

Tel: (01) 567 7000

Email: dataprotection@fspo.ie

Website: www.fspo.ie