City & County Finance Data Protection Policy


1.Policy statement

1.1When we at City & County Finance Limited (the “Company” or “we”) receive personal details relating to an individual, we have a duty to keep these details private and safe. This is a legal “data protection” obligation. During the course of our business activities we may collect, store and process personal data about our customers, and other third parties, and we must recognise that the correct and lawful treatment of this data will maintain confidence in how City & County Finance Limited treats its customers’ private data and ensure that the Company is compliant with its legal obligations.

1.2This document sets out the principles the Company must follow when processing personal data to help ensure compliance with the General Data Protection Regulation (GDPR) EU 2016/679.  Data Users are obliged to comply with this policy when processing personal data on behalf of the Company.

2.About this policy

2.1The types of personal data that we may be required to handle include information about current and past customers, third party data and employee data. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the GDPR.

2.2This policy and any other documents referred to in it sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.

2.3This policy sets out rules on data protection and the legal conditions that must be satisfied when we collect, handle, process, transfer and store personal data.

3.Definition of Terms used in this policy

3.1Data is information which is stored electronically, on a computer, or in paper-based structured filing systems.

3.2Data Subjects for the purpose of this policy include all living individuals about whom we hold personal data. All data subjects have legal rights in relation to their personal data.

3.3Personal Data means data relating to a living individual who can be identified directly from that data, or indirectly from that data in conjunction with other information.

3.4Data Controllers are the people who or organisations who, alone or jointly with others, determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for, and must be able to demonstrate compliance with the data protection principles. We are the data controller of all personal data used in our business for our own commercial purposes.

3.5Data Users are those of our employees whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.

3.6Data Processors include any person or organisation that processes personal data on our behalf and on our instructions.

3.7Processing is any activity that involves use of the personal data. It means carrying out any operation or set of operations on the data including collecting, recording, organising, structuring, storing, amending, retrieving, using, consulting, disclosing by transmission, disseminating or otherwise making available, combining, restricting, erasing or destroying it.

3.8Sensitive Personal Data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or sexual life.

4.Data protection principles

4.1        As a data controller, we are responsible for, and must be able to demonstrate compliance with the following data protection principles.  These principles provide that personal data must be:

1.Obtained and processed fairly, transparently and lawfully

2.Collected for specific, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes

3.Adequate, relevant and not excessive

4.Accurate and up-to-date

5.Not kept for longer than necessary

6.Kept safe and secure

5.Fair, Transparent And Lawful processing

5.1The GDPR is not intended to prevent the processing of personal data, but to ensure that it is done fairly and transparently.

5.2For personal data to be processed fairly and transparently, we (as a data controller) must inform data subjects , when we collect personal data directly from them, about all of the following:

(a)That we are the data controller in regard to their data and our contact details;

(b)The purpose or purposes for which we intend to process the personal data and the legal basis;

(c)The legitimate interests pursued by us or by a third party and an explanation of those interests (where processing is based on this ground);

(d)Where the processing is based on consent, their right to withdraw it at any time;

(e)The third parties or categories of third parties, if any, to whom we will disclose the personal data;

(f)Details of any transfers out of the EEA, the safeguards we have in place and the means by which to obtain a copy of them;

(g)The data retention period or criteria used to determine same;

(h)The existence of the right to request access to their data; rectification or erasure of their data; restrict or object to processing, and the right to data portability;

(i)The right to complain to the Data Protection Commissioner if they are unhappy with how we are handling their data;

(j)Details of any automated decision-making, including profiling, and the logic involved, as well as the significance and consequences of such processing for the data subject; and

(k)Whether the provision of personal data is a statutory or contractual requirement, and the consequences of failing to provide such data.

5.3Where we intend to process the personal data for a further purpose, other than that for which the personal data were collected, we will provide the data subject prior to that further processing with information on that purpose.

5.4If we receive personal data about a data subject from other sources, we will provide the data subject with the information at clause 5.2, as well as the categories of personal data concerned, from which source the data originated and, if applicable, whether it came from publicly accessible sources. We will provide this information to the data subject within one month of obtaining the data; or at the time of the first communication to the data subject (where applicable), or if a disclosure to another recipient is envisaged, when the data are first disclosed.

5.5When processing personal data in the course of our business, we will ensure that these information requirements are met.

5.6For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the GDPR. These grounds include:

(a)where the data subject has given his/her free, informed and unambiguous consent; or

(b)if necessary for the performance of a contract with the data subject; or

(c)for compliance with a legal obligation to which the data controller is subject; or

(d)for the legitimate interests of the data controller or a third party to whom the data is disclosed, except where those interests are overridden by the interests of the data subject.

5.7The processing of sensitive personal data is prohibited unless one of another set of legal grounds set out in the GDPR applies including:

(a)the data subject has given his/her explicit consent; or

(b)the data have been made public by the data subject; or

(c)if necessary for the establishment or defence of legal claims; or

(d)to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving his/her consent.

6. Processing for limited purposes

6.1In the course of our business, we may collect and process the personal data set out in the schedule to this policy. This may include data we receive directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and data we receive from other sources (including, for example, business partners, sub-contractors, credit reference agencies and others).

6.2We will only process personal data for the specific purposes set out in the schedule or for any other purposes specifically permitted by the GDPR. We will notify those purposes to the data subject when we first collect the data or as soon as possible thereafter.

7. Adequate, relevant and not excessive

We will only collect personal data to the extent that it is required for the specific purpose(s) notified to the data subject.

8. Accurate and up-to-date data

We will ensure that personal data we hold is accurate and kept up-to-date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to amend or destroy inaccurate or out-of-date data.

9. Storage Limitation

We will not keep personal data for longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase the data from our systems when they are no longer required.

10. Processing in line with data subjects rights

10.1      As a data controller, we are required to process personal data in line with data subjects' rights, in particular their right to:

(a)Request access to a copy of any data we hold about them (see clause 13)

(b)Request any inaccurate or incomplete data to be rectified (see clause 8)

(c)Object to or request erasure or restriction of processing in specified circumstances

(d)Request a copy of the data they have provided to us and transmit those data to another controller without hindrance from us, or have the personal data transmitted directly from us to another controller, where technically feasible (i.e. right to data portability)

(e)Not to be subject to a decision based solely on automated processing, including profiling, which produces a legal effect or other significant effect on the data subject, except where the decision is necessary for the performance of a contract; authorised by law, or based on the data subject's consent

(f)Prevent the processing of their data for direct-marketing purposes

10.2      We will provide the data subject with information on action taken in response to the exercise of any of these rights without undue delay, and at the latest within one month of receipt of the data subject's request. This period may be extended by two further months where requests are numerous or complex.

11. Data Security

11.1We will process all personal data we hold in accordance with this Data Protection Policy and take appropriate technical and organisational security measures, taking into account the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, or stored.

11.2Appropriate security measures include, where appropriate:

(a)The pseudonymisation and encryption of data

(b)The ability to ensure the ongoing confidentiality, integrity and availability and resilience of processing systems and services

(c)The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

(d)A process for testing, assessing and evaluating the effectiveness of technical and organismal measures for ensuring the security of the processing

11.3We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. 

11.4Security procedures include:

(a) Any stranger seen in entry-controlled areas should be reported.

(b)Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind (personal information is always considered confidential.)

(c)Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.

(d)Access. Security access code needed to access office

(e)Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.

11.5Where processing is to be carried out on our behalf, we shall only engage processors who provide sufficient guarantees to implement appropriate technical and organisational security measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. 

11.6As a controller, we are required to enter into a written contract with the processor (including in electronic form), which will set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects.  The contract shall set out, in particular, the specific mandatory obligations of processors laid down in the GDPR, including to:

(a)Process the personal data only on documented instructions from the controller

(b)Ensure the processor's staff are committed to confidentiality

(c)Take all appropriate technical and organisational security measures

(d)Sub-contract only with prior written authorisation of the controller

(e)Assist the controller in complying with the rights of data subjects

(f)Assist the controller in complying with its data breach notification obligations

(g)Delete or return all personal data to the controller, if requested, at the end of the processing, and

(h)Make available to the controller all information necessary to demonstrate compliance with its processing obligations and allow audits, including inspections, to be conducted by the controller 

12.Transferring personal data to a country outside the eea

12.1We may transfer any personal data we hold to a country outside the European Economic Area ("EEA"), provided that we have informed data subjects of the transfer, the safeguards in place and the means by which to obtain a copy of them, and one of the following conditions applies:

(a)The non-EEA country to which the personal data are transferred ensures an adequate level of protection for the data subjects' rights and freedoms. The European Commission deems the following countries to have an adequate level of data protection: Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay.  The US is deemed as providing an adequate level of protection where the US recipient of the data is Privacy Shield certified.

(b)Adequate safeguards are in place, such as the Model Clauses; Binding Corporate Rules ("BCRs"); an approved code of conduct or approved certification mechanism with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

(c)The transfer is lawful pursuant to one of the derogations in the GDPR, including the data subject has given their explicit consent; the transfer is necessary for the performance of a contract; for public interest reasons; authorised by law; necessary for the defence of legal claims, or to protect the vital interests of the data subject.

(d)Where none of the above safeguards or derogations apply, a transfer to a non-EEA country may take place if the transfer is not repetitive, concerns only a limited number of data subjects, and is necessary for the legitimate interest of the controller which are not overridden by the rights of data subjects. The controller must inform the Data Protection Commissioner and the data subject of such a transfer, and the legitimate interests pursued.

13. Dealing with access requests

13.1Data subjects may make a request for information we hold about them. This request may be made in writing or orally.

13.2When receiving telephone enquiries, we will only disclose personal data we hold on our systems if the caller's identity can be verified. If their identity cannot be verified, we will request the caller to put their request in writing.

13.3Data users who receive a request should forward it to Doreen Murray.

13.4A data subject has a right of access to a copy of the personal data we hold about him/her, as well as the following information:

(a)The purposes of the processing

(b)The categories of the personal data concerned

(c)The recipient to whom the personal data have been or will be disclosed

(d)The data retention period or criteria used to determine same

(e)The existence if the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning that data subject or to object to such processing

(f)The right to lodge a complaint with the Data Protection Commissioner

(g)Where the personal data are not collected from the data subject any available information as to their source

(h)The existence of automated decision-making, including profiling; the logic involved, and the envisaged consequences of such processing for the data subject, and

(i)Where personal data are transferred out of the EEA, the data subject must be informed of the appropriate safeguards in place

13.5We will provide a copy of the personal data free of charge, but may charge a reasonable fee, based on administrative costs, for any further copies the data subject requests.

13.6Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information will be provided in a commonly used electronic form.

14. Changes to theis policy

We reserve the right to change this policy at any time. Where appropriate, we will notify data users of those changes by email.



Type of data

Data relating to the lessee of the motor vehicle including name, address, phone number, bank details, motor insurance details and place of work.





Type of data subject



Individuals who have sought finance for the purchase/lease of a motor vehicle. Employees of a company who have sought finance for the purchase / lease of a motor vehicle for that company.


Type of processing

Direct debit files prepared and sent to Bank of Ireland for processing




Purpose of processing

To collect payments for the instalments due on foot of lease agreements entered into with the data subjects.




Type of recipient to whom personal data is transferred

Bank of Ireland for processing of direct debits





Retention period

Data subject information will be held for a period of 6 years after the ending of the client relationship to take account of the Company’s responsibilities under the Statute of Limitations, the Central Bank of Ireland’s Consumer Protection Code and relevant provisions of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010.