Privacy Policy

This is the Privacy Notice of Penco Insurances Limited trading as Penco, Which Mortgage, whose registered office is at The Black Church, St Mary’s Place, Dublin 7, and whose contact numbers are 01 882 6100 and 1800 20 30 35, and email addresses are [email protected] and [email protected].

This Privacy Notice sets out the processing of your personal data for the purposes of delivering our services, and the steps taken by Penco as a data controller to safeguard individuals’ rights under data protection legislation, specifically the General Data Protection Regulation (EU) 2016/679 and Data Protection Acts 1988-2018.



We collect personal data if you:


• Request a service from us, e.g. through our website, telephonically, by email.

• Register with or use any of our websites or online applications.

• Use our website and it installs cookies or other tracking technologies onto your device.

• Contact us with a complaint or query.



We collect the following data from you:


Contact and identifying information, e.g. name, address, contact details such as email, mobile, landline.

Unique identifiers, e.g. insurance policy numbers, pension scheme reference numbers.

Demographic details, e.g. age, gender, marital status, lifestyle and insurance requirements; date of birth, photo ID. As well as collecting personal information about you, we may also use personal information about other people, e.g. family members you wish to insure on a policy such as your children or spouse.

Family and beneficiary data, e.g. dependents, next of kin, power of attorney, enduring power of attorney, details of solicitor/accountant.

Employment information, e.g. role, employment status, salary information, employment benefits, and employment history.

Health information such as information relating to personal habits, e.g. smoking.

Financial details, e.g. bank account details, salary, tax code.

Claim data from you and any relevant third parties.

Marketing preferences. We will only send you direct marketing if you consent thereto.

Online information, e.g. information about your visits to our websites. See our Cookie Policy for full details.

Criminal records information, e.g. driving licence record for penalty points information.

Calculators on our website. We use this data to perform calculations to prepare quotations for mortgages.

Cookies, pixel tags and other tracking technologies (collectively called “cookies”). We may use cookies on some pages of our website. See our Cookie Policy for full details.



Purpose and legal basis for processing personal data


The personal data we collect from you will only be processed by us for specific and lawful purposes as outlined in this Privacy Notice. We will ensure that your data is processed fairly and lawfully.

We rely on the following legal bases to collect and use your personal data:

Performance of a contract - when we enter a contract with you, we will collect and use your personal data to enable us to fulfil that service, which includes the use of firms that provide administration and processing services to us or on our behalf such as IT systems and administration services and other activities set out in this Notice.
To apply for any contract on your behalf, we process your personal data in connection with applying for contracts as instructed by you.
If you refuse to provide information that we reasonably require to provide the services, we may be unable to offer you the services and/or may terminate the services provided with immediate effect.

Legal Obligation - the use of some of your personal data is necessary for us to meet our legal obligations in respect of organisations that have a specific role laid out in law such as statutory bodies, regulatory authorities and other authorised bodies, e.g. pension contributions for Revenue Certificates, Regulatory purposes to the Central Bank.
We may provide your personal data to other organisations where we have a duty to or are permitted to disclose your personal information by law, e.g. if we receive a valid request from the Garda or other third party organisation in the interests of preventing and detecting crime.
If you refuse to provide information that we reasonably require to provide the services, we may be unable to offer you the services and/or may terminate the services provided with immediate effect.

Consent - sometimes we may rely on consent as a legal basis for processing your information, e.g. we rely on your consent to send direct marketing to you. We will ensure that we present this to you concisely. We will also ensure that we use clear and plain language and if you give us your consent you can withdraw this easily at any time.

Legitimate Interests - in the interest of our security and to improve our service, telephone calls you make to us may be monitored and/or recorded. This processing of your personal data is necessary to pursue our legitimate interest in the management and operation of our business.
Where we rely on this legal basis to collect and use your personal data, we shall take appropriate steps to ensure the processing does not infringe the rights and freedoms conferred to you under the applicable data privacy laws.



How we securely store your personal data


Personal data will be stored confidentially and securely as required by our Data Protection Procedures. The security of your personal data is important to us, and we have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk. We have processes in place to protect your personal data from loss, unauthorised access, misuse, alteration and destruction.



How we share your data


When required, we make your information available to third parties with whom we have a relationship. Where that third party is providing services on our behalf, we will only provide those third parties (data processors) with information that is necessary for them to perform the services.

Insurance Partners where we need to manage the services provided to you such as product providers and reinsurers. You can refer to the privacy statements on their websites for more information about their privacy practices.

Vetting and risk management agencies such as credit reference, criminal record, fraud prevention, data validation and other professional advisory agencies, where necessary to prevent and detect fraud in the insurance industry and take steps to assess the risk in relation to prospective or existing services.

Public authorities, regulators and government bodies, where necessary for us to comply with our legal and regulatory obligations, or in connection with an investigation of suspected or actual illegal activity.

Third-party processors - we outsource our processing operations to suppliers that process personal information on our behalf. Examples include IT service providers who manage our IT and back-office systems and telecommunications networks, and account and payroll services, CRM providers.

Internal and external auditors where necessary for the conduct of company audits or to investigate a complaint or security breach.



Processing personal data outside the EEA


Where personal data is processed in a country outside the EEA (a ‘third country’), we will ensure that it is done lawfully, i.e. there is an appropriate level of protection for the fundamental rights of the data subjects. We will therefore ensure that either the EU Commission has granted an adequacy decision in respect of the third country, or appropriate specified safeguards have been put in place, such as Standard Contractual Clauses (‘SCCs’) or Binding Corporate Rules (BCRs).

Data is processed in the United Kingdom and Canada. The European Commission has adopted adequacy decisions for transfers of personal data to the United Kingdom and Canada, which means that their data protection regimes are accepted as offering an adequate level of data protection.

Data is also processed in the United States of America; however, an adequacy decision has not been adopted for transfers of personal data to the United States of America. In the absence of an adequacy decision, the GDPR allows the transfer if the controller or processor has provided appropriate safeguards such as SCCs.



How long we retain your data


We shall not retain personal data for a longer period than necessary, in relation to the purposes for which the data was originally collected, except where it is required to be retained to meet other legislative or regulatory obligations. Data will never be retained on a “just in case” basis. We will, therefore, generally retain your data for a period of 6 years after the termination of your relationship with us.



Your rights under Data Protection Law


You have the following rights over the way we process your personal data.

Right of Access - you have the right to request a copy of the information that we hold about you, and the right to exercise that right easily and at reasonable intervals.

Consent - you may withdraw your consent to us processing your personal data at any time, when consent is the legal basis for the processing.

Right of rectification - you have a right to correct data that we hold about you that is inaccurate or incomplete.

Right to be forgotten - in certain circumstances you can ask for the data we hold about you to be erased from our records. The erasure of such data will be dependent on our other legal obligations, and whether the data is the subject of legal privilege.

Right to restriction of processing - you have the right to restrict the processing of your personal data if you are contesting the accuracy of the personal data; the personal data was processed unlawfully; you need to prevent the erasure of the personal data in order to comply with legal obligations; or you have objected to the processing of the personal data and wish to restrict the processing until a legal basis for continued processing has been verified.

Right of portability - where it is technically feasible, you have the right to have a readily accessible machine-readable copy of your data transferred or moved to another data controller where we are processing your data based on your consent.

Right to object - you have the right to object to processing your personal data if we have processed your data based on a legitimate interest or for the exercise of our business and you believe the processing to be disproportionate or unfair to you, or the personal data was processed for the purposes of direct marketing or profiling related to direct marketing.



Complaints


If you wish to make a complaint about how your personal data is being processed by us or how your complaint has been handled, you have the right to lodge a complaint with our Data Protection Champion, who is responsible for Data Protection in Penco, and can be contacted directly here:

Email address: [email protected]
Phone number: 00353 01 882 6100

All queries pertaining to the collection and processing of your data should also be addressed to our Data Protection Champion by any of the above means.

You may also lodge a complaint with the Data Protection Commission (DPC) in Ireland, whose details are:

Data Protection Commission
21 Fitzwilliam Square South,
Dublin 2.
D02RD28
Web: www.dataprotection.ie
Email: [email protected]