Policies

Cookie Policy Customer Data Privacy Notice Data Protection Policy Employee and Job Applicant Data Privacy Notice Supplier Data Privacy Notice
Fees & Charges

Cookie Policy 

We use cookies to help improve your experience of our website at www.moco.ie. This cookie policy should be read in conjunction with MoCo's Data Protection Policy. It covers the use of cookies between your device and our website.

We also provide basic information on third-party services that we may use. These third parties may also use cookies as part of their provision of services. This policy does not cover any such cookies used by third parties.

You can choose not to allow cookies from us by instructing your browser to refuse cookies from www.moco.ie. In such a case, we may be unable to provide you with some of your desired content and services.

 

What is a cookie?  

A cookie is a small piece of data that a website stores on your device when you visit. It typically contains information about the website itself, a unique identifier that allows the site to recognize your web browser when you return, additional data that serves the cookie’s purpose and the lifespan of the cookie itself.

Cookies are used to enable certain features (e.g. logging in), track site usage (e.g. analytics), store your user settings (e.g. time zone, notification preferences) and to personalize your content (e.g. advertising, language).

Cookies that are set by the website you are visiting are usually referred to as first-party cookies. They typically only track your activity on that particular site.

Cookies set by other sites and companies (i.e. third parties) are called third-party cookies They can be used to track your usage on other websites that use the same third-party service.

The following categories of cookies are used: Necessary, Performance and Targeting. . You can individually activate and disable your cookie settings for non-essential cookies.

 

Cookie List

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

 

CookiesHostnameCookies usedDescription
OptanonAlertBoxClosedmoco.ieFirst PartyThis cookie is set by websites using certain versions of the cookie law compliance solution from OneTrust. It is set after visitors have seen a cookie information notice and in some cases only when they actively close the notice down. It enables the website not to show the message more than once to a user. The cookie has a one year lifespan and contains no personal information.
OptanonConsentmoco.ieFirst PartyThis cookie is set by the cookie compliance solution from OneTrust. It stores information about the categories of cookies the site uses and whether visitors have given or withdrawn consent for the use of each category. This enables site owners to prevent cookies in each category from being set in the users browser, when consent is not given. The cookie has a normal lifespan of one year, so that returning visitors to the site will have their preferences remembered. It contains no information that can identify the site visitor.
lvl1www.moco.ieFirst PartyThis cookie is used as an identifier to recognize multiple related requests from a user and assign them to a session.
lvl2www.moco.ieFirst PartyThis cookie is used as an identifier to recognize multiple related requests from a user and assign them to a session.

 

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.

 

CookiesHostnameCookies usedDescription
_gamoco.ieFirst PartyThis cookie name is associated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
s_ccmoco.ieFirst PartyThis cookie is associated with the Adobe Site Catalyst. It determines whether cookies are enabled in the web browser.

 

Targeting Cookies

These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

 

CookiesHostnameCookies usedDescription
AMCVS_moco.ieFirst PartyThis is a pattern type cookie name associated with Adobe Marketing Cloud. It stores a unique visitor identifier, and uses an organisation identifier.
AMCV_moco.ieFirst PartyThis is a pattern type cookie name associated with Adobe Marketing Cloud. It stores a unique visitor identifier, and uses an organisation identifier to allow a company to track users across their domains and services.
everest_session_v2everesttech.netThird PartyThis domain is owned by Adobe. The main business activity is: Advertising
everest_g_v2everesttech.netThird PartyThis domain is owned by Adobe. The main business activity is: Advertising
demdexdemdex.netThird PartyThis cookie helps Adobe Audience Manger perform basic functions such as visitor identification, ID synchronization, segmentation, modeling, reporting, etc.
dpmdpm.demdex.netThird PartyThis domain is owned by Adobe Audience Manager. The main business activity is online profiling for targeted marketing.

Customer/Applicant Data Privacy Notice

 

BAWAG P.S.K. Bank für Arbeit und Wirtschaft und Österreichische Postsparkasse Aktiengesellschaft, trading as MoCo, is authorised by the Austrian Financial Markets Authority in Austria and is regulated by the Central Bank of Ireland for conduct of business rules. BAWAG is a stock corporation registered in Austria having its registered office at Wiedner Gürtel 11 1100, Vienna (with registration number 205340X) and having a registered branch in Ireland (with registration number 910053). Directors: A Abuzaakouk (US), E Sirucic (AT), S Shah (US), D O’Leary (US), A Wise (US) and G Jestaedt (GER). MoCo (“MoCo”, "we", "us", “our”), with its registered address at 7/8 Mount Street Upper, Dublin, D02 FT59, will collect and process personal information about our Customers and Applicants (defined below) for purposes connected to the provision of mortgage credit, and the ongoing servicing of mortgage credit accounts and agreements (the “Products and Services”). 

MoCo is a Data Controller as described in the Data Protection Act 2018 and EU Regulation 2016/679 (“General Data Protection Regulation” or “GDPR”) and therefore is responsible for your personal information. This Notice is intended to inform Customers or Applicants of MoCo, of the personal information we collect, and how we collect, use and share this information in the course of business. This Notice will cover: 

  • What personal information we collect and when and why we use it.
  • How we share personal information with our service providers, regulators and other third parties.
  • Explaining more about Direct Marketing, Profiling, and Automated Decision Making.
  • Transferring personal information globally.
  • How we protect and store personal information.
  • Legal rights available to help manage your privacy.
  • How you can contact us for more support.

We may amend this notice from time to time to keep it up to date with legal requirements and the way we operate our business. Please regularly check these pages for the latest version of this notice. If we make significant changes to this privacy notice, we will seek to inform you by notice on our website or email ("Notice of Change").

You might find external links to third party websites on our website. This privacy notice does not apply to your use of a third-party site.

Please read the following carefully to understand MoCo’s use of your personal data.

WHAT PERSONAL INFORMATION WE COLLECT AND WHEN AND WHY WE USE IT

In this section you can find out more about:

  • when we collect personal information 
  • the types of personal information we collect
  • how we use personal information
  • the legal basis for using personal information


When we collect information 

We collect information about you if you:

  • apply to avail of our Products and Services (“Applicant”) 
  • purchase our Products and Services (“Customer”)
  • are another relevant individual, i.e., non-customers. 

collectively ("you").

The types of personal information we collect if you apply for or purchase our Products and Services

  • Identification information: Name, date of birth, copy of identification, PPS number (or equivalent) and proof of PPSN (for example payslip, tax assessment, correspondence showing PPSN or medical card), valid passport, valid driver’s licence, nationality, home status address and proof of address.
  • Contact information: Contact details, online user identities, email address, work phone number, home phone number, mobile phone number.
  • Financial information: Bank account details, bank transaction details, credit/debit card transaction details, salary information, other income information, details of assets owned, details of outstanding debts, employment status, details of directorships held, details of shareholdings held, credit history, credit assessment records, life assurance information, home insurance information, pension and investment details, financial needs, tax status, tax residency, tax information.
  • Personal relationships: Marital status, family details, details of dependents, details of relationships with politically exposed persons, details of relationships with individuals on recognised sanction watchlists, financial links to other individuals, financial associates, financial dependents.
  • Special categories of data: We use biometric data, i.e. facial images, to verify your identification. We will only use this form of data for the purpose of verifying the identification of Customers, and only in relation to the Products and Services we are offering to the Customer. 
  • Property data, including ownership of property, planning permissions, planning applications, etc.
  • Contact details and marketing preferences which you have provided us with consent to collect and process.

Failure to provide us with information requested will negatively impact our ability to provide you with Products or Services.

The types of personal information we collect if you otherwise engage with us or our website

  • Information relating to any requests, complaints, data requests, etc. made by individuals.
  • We may record your phone calls and other communications with MoCo for the purposes of enhancing and monitoring the service provided.
  • If you engage with our website (www.moco.ie) or application portal, information regarding your internet activity using technology known as ‘cookies’, such as information about your internet browser, IP address and other relevant information to help us identify your location and preferences. For more information on how we use cookies, please see our Cookies Policy which is available on our website (www.moco.ie/policies).
  • Information regarding non-customers: On occasion, we may collect data regarding persons who are not Customers but are naturally linked to the Customer and their application for Products or Services, such as: beneficiaries, guarantors, directors, representatives, keyholders of properties for valuation purposes, etc. If you provide us with the personal information of an individual related to you or your application, you must present them with a copy of this Notice.

How we collect and use personal information 

Where you apply to avail of our Products and/or Services, we will collect personal information in advance of establishing a business relationship with you: 

  • From you: We will ask you, prior to establishing a business relationship to provide the above information either directly, or through third party intermediaries or credit service providers.
  • From external public interest databases: We may be provided with personal information from public databases such as the Central Credit Register, sanctions watchlists maintained by various governments or government sanctioned agencies, publicly available databases, property registration authorities, Companies Registration Office, politically exposed persons databases, fraud prevention agencies and tax authorities.
  • From other individuals: We may receive information relating to you from other individuals such as joint account holders, financial dependents, employers and guarantors. If you provide us with the personal information of an individual related to you or your application, you must present them with a copy of this Notice.
  • From third parties: We may be provided personal information on your behalf, for instance from your accountant, solicitor, broker and/or other relevant persons in connection with your application and from third party service providers involved in the arranging and provision of the Products and Services you request from us. We will only receive data from third parties on the basis that it is required to provide you with the Service or Product requested, or to fulfil our legal obligations. The third parties in question will be data processors acting on request of MoCo. We may also gather data relating to criminal convictions and offences from publicly available sources in order to comply with requirements under Anti-Money Laundering legislation.
  • If you contact us for any reason, we will collect information from you, e.g. queries, complaints, etc.
  • If you visit our website, from your online activities with third parties where you have given consent to use certain ‘cookies’. For more information on how we use cookies, please see our Cookies Policy which is available on our website (www.moco.ie/policies).

In addition, if you are our Customer, we will collect personal information both during the application stages and on an ongoing basis during the relationship in order to keep information up-to-date, in order to complete below activities relating our Products or Services and the ongoing monitoring of the Customer relationship with us:

  • To assess your eligibility for our Products and Services.
  • To manage and administer your accounts and provide access to your account.
  • To process credit applications.
  • To provide Products and Services and fulfil contractual agreements between MoCo and you. For instance, when you make transactions on your account, we will collect the relevant data involved in making that transaction, including payee personal details, bank account numbers, etc.
  • To carry out credit reviews to assess affordability in relation to Products and Services we provide, including providing and requesting your credit information to and from various credit agencies and registers.
  • To process payments relating to customer accounts, including collecting and enforcing debts and managing arrears.
  • To manage our business on a day-to-day basis, including strategic and management planning, audit purposes, behavioural analysis, operational risk data and IT systems and data risk management.
  • To protect our business and reputation, prevent fraud and detect other potential crimes and to manage our legal affairs.
  • To comply with legal and regulatory obligations, including, amongst others, relevant Data Protection, Anti-Money Laundering and Consumer Protection legislation. 
  • To provide information to, when required on a regular or ad-hoc basis, various regulatory bodies including, but not limited to, the Central Bank of Ireland, the European Central Bank, the Financial Market Authority in Austria, and various tax authorities.
  • To monitor and record dealings with you in order to enhance the service we provide.
  • To manage and monitor Customer queries and complaints.
  • To compile statistical data and aggregated data about Customers, products, services, customers transactional behaviour and geographical and other market metrics, to understand general trends or provide economic or research data. This analysis may be shared with third parties but, when shared, will only contain aggregated customer data and not information or data that can identify individual Customers.
  • To contact you in relation to your Product or Service, for example, when a fixed term is coming to an end, or there are issues with your account.
  • To assign, transfer, mortgage, charge, sub-mortgage, sub-charge, sub-participate, declare a trust over or otherwise grant interests in, or dispose of, allocate to a cover pool (a cover pool is a collection of mortgages to secure covered bonds) of the Secured Party or another entity or otherwise vest in any person the whole or any part of the Secured Liabilities or any benefit therein, the Mortgage, any other related Security and the whole or any part of its interest, rights and/or obligations in, under, over and to the Secured Liabilities, the Mortgage and any other related Security.
  • If you visit our website, to collect information on your online activities with third parties where you have given consent to use certain ‘cookies’. For more information, please see our Cookies Policy which is available on our website (www.moco.ie/policies).

The legal basis for using your personal information

We will collect and process information under the following legal bases: 

  • the individual has given consent to the processing of his or her personal information for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the Controller is subject;
  • processing is necessary in order to protect the vital interests of the individual or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal information.

 

IMPORTANT: Where we have obtained your consent as our legal basis to process your personal information, you have the right to withdraw consent at any time by emailing DataPrivacy@MoCo.iePlease note that in some instances, where you withdraw your consent this may negatively impact MoCo’s ability to provide you with Products or Services.

If you would like to find out more about the legal basis for which we process personal information, please contact us at DataPrivacy@MoCo.ie


 

SHARING PERSONAL INFORMATION WITH OUR SERVICE PROVIDERS, AND OTHER THIRD PARTIES

In this section you can find out more about how we share personal information:

  • with our parent company and other group companies;
  • with third parties that help us provide our Products and Services; and
  • our regulators.

We will only share your information with third-party service providers in order to enhance the efficiency and effectiveness of the Products and Services provided, including:

  1. with individuals, representatives, or entities authorised to receive information on your behalf, such as mortgage brokers/intermediaries, guarantors, legal advisors, attorneys, etc.
  2. with third parties who help manage our business and deliver our Products and Services. For instance, third parties who offer or introduce our Products and Services, or third parties who assist MoCo in the processing of credit applications, the provision of credit and the management of customer payments and accounts. These include credit service providers, identity verification software specialist, credit check specialists, credit reference agencies and organisations working to prevent fraud in financial services, valuation specialists, property and location specialists, conveyancing specialists and legal specialists. These third parties have agreed to confidentiality restrictions and use any personal information we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us.
  3. with other financial institutions involved in the payment processes relating to customer accounts.
  4. with our regulators, which may include law enforcement agencies, regulatory authorities, tax authorities, courts systems, data protection agencies, to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies.
  5. with companies that will help protect our legitimate interest, including providers of fraud detection software, debt collection agencies, auditors, legal advisors, providers of various background checks, etc.
  6. we may share in aggregate, statistical form, non-personal information regarding the visitors to our website, traffic patterns, and website usage with our partners, affiliates or advertisers.
  7.  To relevant individuals, financial and legal entities and regulatory authorities, if we assign, transfer, mortgage, charge, sub-mortgage, sub-charge, sub-participate, declare a trust over or otherwise grant interests in, or dispose of, allocate to a cover pool (a cover pool is a collection of mortgages to secure covered bonds) of the Secured Party or another entity or otherwise vest in any person the whole or any part of the Secured Liabilities or any benefit therein, the Mortgage, any other related Security and the whole or any part of its interest, rights and/or obligations in, under, over and to the Secured Liabilities, the Mortgage and any other related Security; and
  8. with our parent company and other group companies, to allow them to carry out the necessary activities to ensure compliance with their legal, regulatory and governance requirements.

  

 

EXPLAINING MORE ABOUT DIRECT MARKETING, PROFILING AND AUTOMATED DECISION MAKING

In this section you can find out more about 

  • how we use personal information to keep you up to date with our Products and Services
  • how you can manage your marketing preferences
  • when and how we undertake analytics
  • when and how we carry out automated decision making

 

How we use personal information to keep you up to date with our Products and Services

We may use personal information to let you know about Products and Services that we believe will be of interest to you. We may contact you by email or through other communication channels that we think you may find helpful. In all cases, we will respect your preferences for how you would like us to manage marketing activity with you. 

How you can manage your marketing preferences

To protect privacy rights and to ensure you have control over how we manage marketing with you:

  • we will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you; 
  • you can ask us to stop direct marketing at any time - you can ask us to stop sending marketing emails, by following the 'unsubscribe' link you will find on all the email marketing messages we send you. Alternatively, you can contact us by emailing DataPrivacy@MoCo.iePlease specify whether you would like us to stop all forms of marketing or just a particular type (e.g. email); and  
  • you can change the way your browser manages cookies, which may be used to deliver online advertising, further details on managing cookies preferences are contained in our Cookies Policy available on our website.

We recommend you routinely review the privacy notices and preference settings that are available to you on any social media platforms as well as your preferences on our website.

When and how we undertake analytics

We may engage with third parties who will provide services to us, including data analysis, and we will work with a specific service provider to build a bespoke analytics platform for MoCo to collect and analyze information about our Products and Services, our customers, transactional data and trends of customers, and our website use, and provide MoCo with custom statistical, aggregated data-based reports about activities and trends from information received from applicants and applications.

Any information shared with MoCo’s service providers will be in an aggregated form.

When and how we carry out profiling / automated decision making

We may, at times, use automated systems to determine if a Customer qualifies for a certain Product or Service, or a Product or Service is suitable for them. 

If an automated decision taken, produces legal effects concerning an individual or similarly significantly affects an individual, the individual shall have the right not to be subject to a decision based solely on automated processing, including profiling.

This above right is not applicable if the processing -

  • is necessary for entering into, or performance of, a contract between the individual and MoCo;
  • is authorised by European Union or Member State law to which we are subject, and which also lays down suitable measures to safeguard the individual’s rights and freedoms and legitimate interests; or
  • is based on the individual’s explicit consent.

TRANSFERRING PERSONAL INFORMATION GLOBALLY

In this section you can find out more about:

  • transfer of your personal information outside of the European Economic Area (“EEA”).


If we need to transfer your personal information outside the EEA, we will ensure that an appropriate transfer mechanism under applicable data protection laws is in place and that the Processor, as defined in the GDPR, in the third country has appropriate safeguarding measures in place, and that enforceable individual rights and effective legal remedies for individuals are available.

None of our service providers are permitted to transfer personal information to a third country without our express, prior written consent. Where such transfers are permitted, we will ensure that these are covered by an agreement entered into by our service provider and the third party which contractually obliges both parties to ensure that personal information receives an adequate and consistent level of protection wherever it is transferred. 

HOW WE PROTECT AND STORE YOUR INFORMATION  

Security

We have implemented and maintain appropriate technical and organisational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, or the unauthorised disclosure or access to such information appropriate to the nature of the information concerned. Measures we take include placing confidentiality requirements on our staff members and service providers and destroying or permanently anonymising personal information if it is no longer needed for the purposes for which it was collected. As the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect user IDs and passwords please take appropriate measures to protect this information.

Storing your personal information

We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this notice. In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, accounting requirements. 

European legislation dictates that certain transactional and customer records must be kept for a specific amount of time after the relationship between us and the customer concludes.

In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.


 

LEGAL RIGHTS AVAILABLE TO HELP MANAGE YOUR PRIVACY

Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you have certain rights in relation to your personal information which are listed here and explained further below:

  • To access personal information
  • To rectify / erase personal information
  • To restrict the processing of your personal information
  • To transfer your personal information
  • To object to the processing of personal information
  • To object to how we use your personal information for direct marketing purposes
  • To lodge a complaint with your local supervisory authority

We may ask you for additional information to confirm your identity and for security purposes before disclosing the personal information requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.

You can exercise your rights by contacting us at DataPrivacy@MoCo.ieSubject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request. 

  1. We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way. 

 

Right to access personal information 

You have a right to request that we provide you with a copy of your personal information that we hold, and you have the right to be informed of; (a) the source of your personal information; (b) the purposes, legal basis and methods of processing; (c) the controller’s identity; and (d) the entities or categories of entities to whom your personal information may be transferred.


Right to rectify or erase personal information 

You have a right to request that we rectify inaccurate personal information. We may seek to verify the accuracy of the personal information before rectifying it. 

You can also request that we erase your personal information in limited circumstances where:

  • it is no longer needed for the purposes for which it was collected; or
  • you have withdrawn your consent (where the data processing was based on consent); or
  • following a successful right to object (see right to object); or
  • it has been processed unlawfully; or
  • to comply with a legal obligation to which we are subject. 

We are not required to comply with your request to erase personal information if the processing of your personal information is necessary: 

  • for compliance with a legal obligation; or
  • for the establishment, exercise or defence of legal claims.


Right to restrict the processing of your personal information 

You can ask us to restrict your personal information, but only where:

  • its accuracy is contested, to allow us to verify its accuracy; or
  • the processing is unlawful, but you do not want it erased; or
  • it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or

  • you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal information following a request for restriction, where:

  • we have your consent; or

  • to establish, exercise or defend legal claims; or

  • to protect the rights of another natural or legal person. 


Right to transfer your personal information

You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where:

  • the processing is based on your consent or on the performance of a contract with you; and
  • the processing is carried out by automated means. 


Right to object to the processing of your personal information

You can object to any processing of your personal information which has our legitimate interests as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests. 

If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests on which MoCo can continue processing which override your rights and freedoms. 

 

Right to object to how we use your personal information for direct marketing purposes

You can request that we change the manner in which we contact you for marketing purposes or opt out of certain marketing communications and use of your information at any time by contacting DataPrivacy@MoCo.ie or by clicking on the “unsubscribe” link you will find on all marketing messages to you and requesting to be removed from future communications. Please specify whether you would like us to stop all forms of marketing or just a particular type (e.g. email).

You can also request that we not transfer your personal information to unaffiliated third parties for the purposes of direct marketing or any other purposes.


Right to lodge a complaint with your local supervisory authority

You also have a right to lodge a complaint with the Data Protection Commission if you have concerns about how we are processing your personal information.  You can find details of how to contact the Commission on their website:www.dataprotection.ie. 

We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time. 


 

CONTACT US

If you have any questions, concerns or complaints regarding our compliance with this notice, data protection laws, a query in relation to how we collect and process personal information, or if you wish to make a request in relation to the above or, please contact the individual responsible for data protection at MoCo, Niall Graham, clearly stating the circumstances of your query. The individual can be contacted in the following ways:

email addressDataPrivacy@MoCo.ie 

postal address7/8 Mount Street Upper, Dublin, D02 FT59

We will investigate and attempt to resolve complaints and disputes and will make every reasonable effort to honour your wish to exercise your rights as quickly as possible and, in any event, within the timescales provided by data protection laws.

You also have the right to lodge a formal complaint with the Data Protection Commission. You can find details of how to contact the Commission on their website: www.dataprotection.ie. We ask that you please attempt to resolve any issues with us before referring the matter to your local supervisory authority. 

Data Protection Policy

 

BAWAG P.S.K. Bank für Arbeit und Wirtschaft und Österreichische Postsparkasse Aktiengesellschaft, trading as MoCo (“MoCo”), is authorised by the Austrian Financial Markets Authority in Austria and is regulated by the Central Bank of Ireland for conduct of business rules. BAWAG is a stock corporation registered in Austria having its registered office at Wiedner Gürtel 11 1100, Vienna (with registration number 205340X) and having a registered branch in Ireland (with registration number 910053). Directors: A Abuzaakouk (US), E Sirucic (AT), S Shah (US), D O’Leary (US), A Wise (US) and G Jestaedt (GER). MoCo is subject to, and acts in accordance with, EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data, or General Data Protection Regulation (“GDPR”). 

 

GDPR specifies that Personal Data, which may be held on paper, on a computer, or on other media, is subject to certain legal safeguards, and misuse or unlawful processing of Personal Data can result in potential fines of up to €20m or 4% of turnover.

 

As such, MoCo has established this Data Protection Policy to establish rules for the protection of natural persons with regard to the processing of Personal Data, and rules relating to the free movement of Personal Data.

 

Scope 

 

This Policy applies to the processing of Personal Data MoCo collects from Data Subjects, or that is provided to MoCo by Data Subjects or collected from other sources.

 

For the purpose of this Policy, the term ‘Data Subjects’ refers to customers, staff, job applicants, contractors, directors, outsourcers, other third parties, or any living identified or identifiable individual about whom MoCo holds personal data.

 

This Policy applies to all staff and contractors of MoCo. 

 

MoCo is a Data Controller in relation to the relationship between MoCo and its Data Subjects.

 

The Head of Risk and Compliance is ultimately responsible for monitoring MoCo’s compliance with GDPR, and for ensuring all Data Users comply with this policy and any relevant Group policies. The Head of Risk and Compliance will ensure that there are appropriate practices, processes, controls and training in place to ensure compliance with the regulations. Any questions about the operation of this policy or any concerns that the policy is not being followed should be forwarded to the Head of Risk and Compliance immediately. 

 

Personal Data MoCo Collects 

 

MoCo collects Personal Data relating to:

 

Employee Personal Data

Personal details on employees and applicants for employment, including job applications, records of training, employee appraisals, salary information, bank details, social security number, etc.

 

Customer Personal Data

Identification, proof of address, financial information, financial history, proof of employment, employment history, family and next of kin details, etc. 

 

Suppliers/Service Providers Personal Data

Contact details, personal information (if required for due diligence or KYC purposes), etc. 

 

Reasons the Personal Data is Collected 

 

The following are some of the reasons for which MoCo collects the Personal Data mentioned above:

 

 

Employee Personal Data

  • To administer contracts of employment;

  • To manage employee benefits and entitlements;

  • To provide access to MoCo’s IT systems;

  • To manage MoCo’s hiring process;

  • Compliance with applicable laws, regulations, and rules; and

  • Protection of the legitimate interests of MoCo, including investigations of faults or frauds.

 

Customer Personal Data

  • Administration and management of customer relationships;

  • To perform required due diligence on customers;

  • To allow for fair and appropriate credit risk assessment of customers and fair and appropriate credit decisioning;

  • To allow for the establishment of an effective efficient method of credit repayment for customers;

  • Verification of customer identification;

  • To compile statistical and management information regarding products, services, customers and transactions;

  • To successfully deal with complaints, enquiries and errors; and

  • Compliance with applicable laws, regulations and rules (including anti-money laundering obligations).

 

Suppliers/Service Providers Personal Data

  • To administer the receipt of goods and services from suppliers;

  • To manage supplier relationships and payments; and

  • Compliance with applicable laws, regulations and rules.

 

In order to fulfil the above objectives and obligations, we may share the Personal Data we collect with corporate affiliates, Parent and Group companies, third parties acting on our behalf, or regulatory authorities. We will only share Personal Data with parties that have a requirement to protect Personal Data in accordance with relevant Data Protection Law. If you are not sure about whether a party meets this standard, do not share Personal Data with the party until receiving confirmation from the Head of Risk and Compliance. 

 

Processing of Criminal Data 

 

For Criminal Data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in Data Protection Law. These include:

  1. The Data Subject has given their Explicit Consent;
  2. Processing is necessary and proportionate for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  3. Processing is necessary for the purpose of providing or obtaining legal advice or for the purpose of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings;
  4. Establishing, exercising or defending legal rights;
  5. Processing is necessary to prevent injury or other damage to the Data Subject or another person, or loss in respect of, or damage to, property or otherwise to protect the vital interests of the Data Subject or another person;
  6. Specific legal regulations provide for such processing.

 

Processing of Special Data 

 

Processing of special categories of data is generally prohibited by the GDPR. These categories include:

 

  • Racial or ethnic origin.

  • Political opinions.

  • Religious or philosophical beliefs.

  • Trade union membership.

  • Genetic data.

  • Biometric data.

  • Data concerning health.

  • Data concerning a natural person’s sex life or sexual orientation.

 

GDPR allows for processing of the above categories of data if one of the following circumstances applies:

  1. The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where European Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
  2. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  3. Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  4. Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  5. Processing relates to personal data which are manifestly made public by the data subject;
  6. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  7. Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  8. Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in the GDPR;
  9. Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  10. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

 

Automated Individual Decision-Making 

 

The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision:

  1. Is necessary for entering into, or performance of, a contract between the data subject and MoCo;
  2. Is authorised by Union or Member State law to which MoCo is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  3. Is based on the Data Subject’s explicit consent.

 

In the cases referred to in points (1) and (3), MoCo shall implement suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of MoCo, to express his or her point of view and to contest the decision.

 

Any decisions referred to in this section shall not be based on special categories of personal data referred to in the section above, unless point explicit consent is given or the decision is made for reasons of substantial public interest, and suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests are in place.

 

Data Protection Principles

 

MoCo is responsible for, and must be able to demonstrate, compliance with the principles set out in the GDPR. These provide that Personal Data must be:

 

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

 

Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. the Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

 

MoCo will keep, and regularly review, a Record of Processing Activities for all data processing it undertakes detailing the legal basis for processing.

 

Data Subject Rights and Requests  

 

Under GDPR, Data Subjects have the following rights regarding the processing of their Personal Data:

 

  1. Right of Access. Right to request and obtain from MoCo details of any Personal Data held relating to them and details of how it is being processed.
  2. Right to Rectification. The Data Subject can request any inaccurate Personal Data held by MoCo is amended without undue delay.
  3. Right to Erasure. The Data Subject has the right to request that Personal Data relating to them is erased without undue delay if the data is no longer necessary to be held, or was obtained illegally.
  4. Right to Restriction of Processing. The Data Subject has the right to request a restriction of processing on the grounds that the data is inaccurate; the processing is unlawful; or MoCo no longer requires to hold the Personal Data.
  5. Right to Object. The Data Subject can at any time object, on grounds relating to his or her particular situation, at any time to processing of Personal Data relating to them.

 

If any employee or director receives a Data Subject request from an individual in writing, verbally, electronically, or via another medium, they must pass it to the Head of Risk and Compliance immediately. All employees must be vigilant in confirming the identification of the individual making the data request.

 

The Firm will deal with Data Subject requests without undue delay and provide a response within one month, at the latest, of receiving the request. This period may extend to two months where requests are numerous or complex. All requests will be dealt with as per MoCo’s written Data Request Procedures.

 

Data Sharing 

 

MoCo is not permitted to share Personal Data with third parties unless safeguards and contractual arrangements have been put in place to protect that Personal Data.

 

MoCo will only share Personal Data with third parties, such as service providers, if:

  1. The Processor needs to know the information for the purpose of providing the contracted services;
  2. Sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s consent has been obtained;
  3. The Processor has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
  4. The Processor is processing Personal Data on behalf of MoCo; and
  5. The transfer complies with any applicable cross border transfer restrictions.

 

The GDPR restricts data transfers to third countries. MoCo will only transfer Personal Data to third countries, if the following conditions apply:

  1. The European Commission has deemed the country ensures an adequate level of protection. The European Commission maintain an updated list of approved third countries on their dedicated GDPR website; or
  2. MoCo has ensured that the Processor in the third country has appropriate safeguards in place, and that enforceable data subject rights and effective legal remedies for Data Subjects are available.

 

No Processor is permitted to transfer Personal Data to a third country without express, prior written consent from MoCo.

 

Data Processors  

 

Third parties that MoCo engage with to process Personal Data on behalf of MoCo are designated as Data Processors.

 

MoCo will only engage with Data Processors who provide sufficient guarantees to comply with GDPR and protect the rights of the Data Subject.

 

MoCo, or its Parent company, will enter into a written contract with all Data Processors which will set out the subject-matter, duration, nature and purpose of the processing, including the types of Personal Data to be processed.

 

MoCo will only allow for the processing of Personal Data on documented instruction from MoCo. Sub-contracting of Personal Data processing can only happen with prior written consent of MoCo.

 

All Data Processors will be required to inform MoCo immediately of any breach or potential breach of Data Protection regulations or contract terms relating to Data Protection.

 

Accountability  

 

MoCo is responsible for, and must be able to demonstrate, compliance with the GDPR and data protection principles.

 

MoCo will provide relevant Data Protection information and Data Privacy Notices to all Data Subjects.

 

MoCo will ensure that Data Protection clauses are inserted in all relevant third party or supplier contracts.

 

MoCo will integrate Data Protection into all relevant internal policies and procedures.

 

MoCo will provide regular training to employees on GDPR and the applicable policies and procedures including Data Subject rights, consent and Data Subject requests. MoCo will keep a record of all completed trainings.

 

Regular testing of policies, procedures and systems related to Data Protection will be undertaken by MoCo.

 

Data Protection Impact Assessment  

 

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, MoCo shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (“DPIA”). A single assessment may address a set of similar processing operations that present similar high risks.

 

The DPIA shall be conducted in conjunction with the Head of Risk and Compliance and the relevant business areas of MoCo.

 

A DPIA will in particular be required in the following cases:

  1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  2. Processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
  3. A systematic monitoring of a publicly accessible area on a large scale.

 

The DPIA shall contain at minimum:

  1. A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  2. An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. An assessment of the risks to the rights and freedoms of Data Subjects; and
  4. The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of Data Subjects and other persons concerned.

 

Reporting a Personal Data Breach  

 

The GDPR requires notification of any Personal Data Breach to the applicable regulator. The applicable regulator in Ireland is the Data Protection Commission. 

 

The Head of Risk and Compliance will be responsible for reporting any necessary information or breaches to the Data Protection Commission, and to relevant individuals in Parent or Group companies. 

 

Appendix

 

Glossary

‘Personal Data’ means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

 

‘Processing’ means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

 

‘Restriction of Processing’ means the marking of stored Personal Data with the aim of limiting their processing in the future;

 

‘Profiling’ means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

 

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by European Union or Member State law;

 

‘Processor’ means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;

 

‘Third Party’ means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process Personal Data;

 

‘Consent’ of the Data Subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;

 

‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

 

‘Genetic Data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

 

‘Biometric Data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

 

‘Data concerning health’ means Personal Data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

 

‘Cross-Border Processing’ means either:

  1. processing of Personal Data which takes place in the context of the activities of establishments in more than one Member State of a Controller or Processor in the Union where the Controller or Processor is established in more than one Member State; or
  2. processing of Personal Data which takes place in the context of the activities of a single establishment of a Controller or Processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

 

‘Relevant and Reasoned Objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the Controller or Processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

Employee Data Privacy Notice

 

BAWAG P.S.K. Bank für Arbeit und Wirtschaft und Österreichische Postsparkasse Aktiengesellschaft, trading as MoCo, is authorised by the Austrian Financial Markets Authority in Austria and is regulated by the Central Bank of Ireland for conduct of business rules. BAWAG is a stock corporation registered in Austria having its registered office at Wiedner Gürtel 11 1100, Vienna (with registration number 205340X) and having a registered branch in Ireland (with registration number 910053). Directors: A Abuzaakouk (US), E Sirucic (AT), S Shah (US), D O’Leary (US), A Wise (US) and G Jestaedt (GER). MoCo (“MoCo”, "we", "us", “our”), with its registered address at 7/8 Mount Street Upper, Dublin, D02 FT59, will collect and process personal data about our employees, job applicants, contractors, trainees, apprentices, or other individuals who are contracted to work at MoCo (“Data Subjects”) in order to manage their application process, employment contract, appointment and the relationship between them and MoCo. 

MoCo is a Data Controller as described in the Data Protection Act 2018 and EU Regulation 2016/679 (“General Data Protection Regulation” or “GDPR”). This Notice is intended to inform Data Subjects of the personal data MoCo collects, how we process this data, and their rights in relation to the collection and processing of this personal data. This Notice will cover: 

  • What personal information we collect and when and why we use it.
  • How we share personal information with our service providers, regulators and other third parties.
  • Transferring personal information globally
  • How we protect and store personal information
  • Legal rights available to help manage your privacy
  • How you can contact us for more support

 

We may amend this notice from time to time to keep it up to date with legal requirements and the way we operate our business. Please regularly check these pages for the latest version of this notice. If we make significant changes to this privacy notice, we will seek to inform you by notice on our website or email ("Notice of Change").

 

Please read the following carefully to understand MoCo’s use of your personal data.

 

 

WHAT PERSONAL INFORMATION WE COLLECT AND WHEN AND WHY WE USE IT

In this section you can find out more about:

  • when we collect personal information 
  • the types of personal information we collect
  • how we use personal information 
  • the legal basis for using personal information

 

When we collect information

We collect information about you if you:

  • Apply for a job in MoCo.
  • Accept a job in MoCo and enter into a contract for employment.
  • Accept an apprenticeship or traineeship with MoCo.
  • Enter into any other related contractual relationship for the provision of services to MoCo.

Collectively (“you”)

 

The types of personal information we collect from you if you apply for/accept a position at MoCo

  • Data relating to your application (e.g. name, contact details, social media accounts, date of birth, nationality, employment history, references, interview notes, educational history, etc.) for the purpose processing your application. 
  • Details related to your appointment (address, copy of identification, PPS number, bank account details, tax information, fitness and probity checks, next of kin details, and related fees and expenses) for the purpose of MoCo entering into, and performing, a contract with you.
  • Data relating to MoCo’s statutory and legal obligations (including health and safety, anti-money laundering, prevention and detection of crime, etc.) in accordance with applicable law.
  • Data relating to the fulfilment of MoCo’s legitimate business needs and to ensure the adequacy of service provided to customers and third parties (including administering and monitoring use of IT and other business systems, monitoring use of company facilities, monitoring security, monitoring service delivery, fulfilling MoCo’s contractual obligations, data contained in MoCo’s documentation and reports, etc.)

 

MoCo may seek your specific consent for the processing of information for other purposes. You have the right to withdraw such consent at any time.

 

Failure to provide MoCo with data requested above will negatively impact MoCo’s ability to process your application or agree a contract with you.

 

How we collect personal information 

Where you apply for a position or are approached to apply for a position at MoCo, or are offered a contract of employment with MoCo, we will collect personal information in advance of establishing an employment relationship with you and during the course of the relationship: 

  • From you: We will ask you, prior to establishing a relationship, and during the relationship, to provide the above information directly.
  • From external public interest databases: We may be provided with personal information from public databases such as sanctions watchlists maintained by various governments or government sanctioned agencies, publicly available databases, Companies Registration Office, politically exposed persons databases, fraud prevention agencies, tax authorities and the Central Bank of Ireland.
  • From other individuals: We may receive information relating to you from other individuals such as previous employers, etc. If you provide us with the personal information of an individual related to you or your application, you must present them with a copy of this Notice.
  • From third party service providers: We may be provided personal information on your behalf from third party service providers involved in the arranging your application or employment process. We will only receive data from third parties on the basis that it is required for the process.
  • If you contact us for any reason, we will collect information from you, e.g. queries, complaints, etc.
  • From the use of the Firm’s IT systems and physical IT assets,
  • If you visit our website, from your online activities with third parties where you have given consent to use certain ‘cookies’. For more information on how we use cookies, please see our Cookies Policy which is available on our website.

 

What we will use the personal information for

  • To assess your job application.
  • To contact you in relation to your application or employment.
  • To provide you with a contract of employment.
  • To manage and administer system access accounts required for your employment.
  • To provide you with any form of remuneration, salary, bonus, or other benefits of your employment.
  • To evaluate your progress and performance.
  • To carry out fitness and probity reviews on you as required by relevant legislation. 
  • To protect MoCo’s legitimate business needs and to ensure the adequacy of service provided to employees and third parties (including administering and monitoring use of IT and other business systems, monitoring use of company facilities, monitoring security, monitoring service delivery, fulfilling MoCo’s contractual obligations, data contained in MoCo’s documentation and reports, etc.)
  • To ensure compliance with our statutory and legal obligations (including health and safety, anti-money laundering, prevention and detection of crime, audit requirements, regulatory inspections, etc.) in accordance with applicable law.

     

 

The legal basis for using your personal information

We will collect and process information under the following legal bases: 

  • the individual has given consent to the processing of his or her personal information for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the Controller is subject;
  • processing is necessary in order to protect the vital interests of the individual or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal information, in particular where the individual is a child.

IMPORTANT: Where we have obtained your consent as our legal basis to process your personal information, you have the right to withdraw consent at any time by emailing DataPrivacy@MoCo.ie

If you would like to find out more about the legal basis for which we process personal information please contact us at DataPrivacy@MoCo.ie



 

SHARING PERSONAL INFORMATION WITH OUR SERVICE PROVIDERS, AND OTHER THIRD PARTIES

In this section you can find out more about how we share personal information:

  • with third parties that help us provide our Products and Services; and
  • our regulators.

 

We will only share your information with third-party service providers in order to enhance the efficiency and effectiveness of the terms of your employment contract:

  • with third parties who help manage our business for instance, payroll providers, pension service providers, business partners, suppliers, etc. 
  • with other financial institutions involved in the payment processes relating to your employment.
  • with our regulators, which may include law enforcement agencies, regulatory authorities, tax authorities, courts systems, data protection agencies, to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies;
  • With BAWAG P.S.K and other group entities for the purposes of managing and monitoring your employment at MoCo;
  • with companies that will help protect our legitimate interest, including providers of fraud detection software, debt collection agencies, auditors, legal advisors, providers of various background checks, etc.

 

 

 

TRANSFERRING PERSONAL INFORMATION GLOBALLY

In this section you can find out more about:

  • transfer of your personal information outside of the European Economic Area (“EEA”).


If we need to transfer your personal information outside the EEA, we will ensure that an appropriate transfer mechanism under applicable data protection laws is in place and that the Processor, as defined in the GDPR, in the third country has appropriate safeguarding measures in place, and that enforceable individual rights and effective legal remedies for individuals are available.

None of our service providers are permitted to transfer personal information to a third country without our express, prior written consent. Where such transfers are permitted, we will ensure that these are covered by an agreement entered into by our service provider and the third party which contractually obliges both parties to ensure that personal information receives an adequate and consistent level of protection wherever it is transferred.

 

 

 

HOW WE PROTECT AND STORE YOUR INFORMATION 

Security

We have implemented and maintain appropriate technical and organisational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, or the unauthorised disclosure or access to such information appropriate to the nature of the information concerned. Measures we take include placing confidentiality requirements on our staff members and service providers and destroying or permanently anonymising personal information if it is no longer needed for the purposes for which it was collected. As the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect user IDs and passwords please take appropriate measures to protect this information.

Storing your personal information

We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this notice. In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, accounting requirements. 

In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.



 

LEGAL RIGHTS AVAILABLE TO HELP MANAGE YOUR PRIVACY

Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you have certain rights in relation to your personal information which are listed here and explained further below:

  • To access personal information
  • To rectify / erase personal information
  • To restrict the processing of your personal information
  • To transfer your personal information
  • To object to the processing of personal information
  • To object to how we use your personal information for direct marketing purposes
  • To lodge a complaint with your local supervisory authority

We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal information requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.

You can exercise your rights by contacting us at DataPrivacy@MoCo.ie. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request. 

We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way. 

 

 

Right to access personal information 

You have a right to request that we provide you with a copy of your personal information that we hold and you have the right to be informed of; (a) the source of your personal information; (b) the purposes, legal basis and methods of processing; (c) the controller’s identity; and (d) the entities or categories of entities to whom your personal information may be transferred.

 

Right to rectify or erase personal information 

You have a right to request that we rectify inaccurate personal information. We may seek to verify the accuracy of the personal information before rectifying it. 

You can also request that we erase your personal information in limited circumstances where:

  • it is no longer needed for the purposes for which it was collected; or
  • you have withdrawn your consent (where the data processing was based on consent); or
  • following a successful right to object (see right to object); or
  • it has been processed unlawfully; or
  • to comply with a legal obligation to which we are subject. 

We are not required to comply with your request to erase personal information if the processing of your personal information is necessary: 

  • for compliance with a legal obligation; or
  • for the establishment, exercise or defence of legal claims.

 

Right to restrict the processing of your personal information 

You can ask us to restrict your personal information, but only where:

  •  its accuracy is contested, to allow us to verify its accuracy; or

  •  the processing is unlawful, but you do not want it erased; or

  •  it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or

  • you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal information following a request for restriction, where:

  • we have your consent; or

  • to establish, exercise or defend legal claims; or

  • to protect the rights of another natural or legal person. 

 

Right to transfer your personal information

You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where:

  • the processing is based on your consent or on the performance of a contract with you; and
  • the processing is carried out by automated means. 

 

Right to object to the processing of your personal information

You can object to any processing of your personal information which has our legitimate interests as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests. 

If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests on which MoCo can continue processing which override your rights and freedoms. 

 

 

Right to lodge a complaint with your local supervisory authority

You also have a right to lodge a complaint with the Data Protection Commission if you have concerns about how we are processing your personal information.  You can find details of how to contact the Commission on their website: www.dataprotection.ie.

We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time. 



 

CONTACT US

If you have any questions, concerns or complaints regarding our compliance with this notice, data protection laws, a query in relation to how we collect and process personal information, or if you wish to make a request in relation to the above or, please contact the individual with responsibility for Data Protection at MoCo, Niall Graham, clearly stating the circumstances of your query. The individual can be contacted in the following ways:

email address: DataPrivacy@MoCo.ie

postal address: 7/8 Mount Street Upper, Dublin, D02 FT59

 

We will investigate and attempt to resolve complaints and disputes and will make every reasonable effort to honour your wish to exercise your rights as quickly as possible and, in any event, within the timescales provided by data protection laws.

You also have the right to lodge a formal complaint with the Data Protection Commission. You can find details of how to contact the Commission on their website: www.dataprotection.ie. We ask that you please attempt to resolve any issues with us before referring the matter to your local supervisory authority. 

Supplier Data Privacy Notice

 

BAWAG P.S.K. Bank für Arbeit und Wirtschaft und Österreichische Postsparkasse Aktiengesellschaft, trading as MoCo, is authorised by the Austrian Financial Markets Authority in Austria and is regulated by the Central Bank of Ireland for conduct of business rules. BAWAG is a stock corporation registered in Austria having its registered office at Wiedner Gürtel 11 1100, Vienna (with registration number 205340X) and having a registered branch in Ireland (with registration number 910053). Directors: A Abuzaakouk (US), E Sirucic (AT), S Shah (US), D O’Leary (US), A Wise (US) and G Jestaedt (GER). MoCo (“MoCo”, "we”, “us”, “our”), with its registered address at 7/8 Mount Street Upper, Dublin, D02 FT59, will collect and process personal data about our suppliers, business partners, and other third parties we do business with (“Data Subjects”) in order to manage the business relationship between them and MoCo. 

MoCo is a Data Controller as described in the Data Protection Act 2018 and EU Regulation 2016/679 (“General Data Protection Regulation” or “GDPR”). This Notice is intended to inform Data Subjects of the personal data MoCo collects, how MoCo processes this data, and their rights in relation to the collection and processing of this personal data. This Notice will cover: 

  • What personal information we collect and when and why we use it.
  • How we share personal information with our service providers, regulators and other third parties.
  • Transferring personal information globally
  • How we protect and store personal information
  • Legal rights available to help manage your privacy
  • How you can contact us for more support

 

We may amend this notice from time to time to keep it up to date with legal requirements and the way we operate our business. Please regularly check these pages for the latest version of this notice. If we make significant changes to this privacy notice, we will seek to inform you by notice on our website or email ("Notice of Change").

 

Please read the following carefully to understand MoCo’s use of your personal data.

 

 

WHAT PERSONAL INFORMATION WE COLLECT AND WHEN AND WHY WE USE IT

In this section you can find out more about:

  • when we collect personal information 
  • the types of personal information we collect
  • how we use personal information 
  • the legal basis for using personal information

 

When we collect information

We collect information about you if you:

  • Are a supplier or are an employee of a supplier, business partner or other third party that MoCo does business with

Collectively (“you”)

 

The types of personal information we collect from you 

  • Your contact details (e.g. name, contact numbers, email addresses, postal addresses, job position, etc.) for the purpose of contacting you in relation to services provided, etc. 
  • Financial details (bank account numbers, tax details, etc.) for the purpose of providing payment for services provided, etc.
  • Data relating to MoCo’s statutory and legal obligations (including health and safety, anti-money laundering, prevention and detection of crime, etc.) in accordance with applicable law.
  • Data relating to the fulfilment of MoCo’s legitimate business needs and to ensure the adequacy of service provided to customers and third parties (including administering and monitoring IT and other business systems, monitoring use of company facilities, monitoring security, monitoring service delivery, fulfilling MoCo’s contractual obligations, data contained in MoCo’s documentation and reports, etc.)

 

Failure to provide MoCo with data requested above will negatively impact MoCo’s ability to fulfil contractual obligations or terms of the related business relationship.

 

How we collect personal information 

Where you or your employer engage in a business relationship with MoCo or the sharing of the above personal data is required to satisfy any business relationship between you or your employer and MoCo, we will collect personal information:

  • From you: We will ask you, prior to establishing a relationship to provide the above information directly.
  • From your employer: your employer may provide us with your personal data if it is necessary for the fulfilment of the business relationship.
  • If you visit our website, from your online activities with third parties where you have given consent to use certain ‘cookies’. For more information, please see our Cookies Policy which is available on our website (www.moco.ie/policies).

 

What we will use the personal information for

  • To contact you in relation to the business relationship or services provided.
  • To manage and administer system access accounts required for the business relationship.
  • To provide you or your employer with any form of payment or remuneration related to services provided.
  • To protect MoCo’s legitimate business needs and to ensure the adequacy of service provided to customers, employees and third parties (including administering and monitoring IT and other business systems, monitoring use of company facilities, monitoring security, monitoring service delivery, fulfilling MoCo’s contractual obligations, data contained in MoCo’s documentation and reports, etc.)
  • To ensure compliance with our statutory and legal obligations (including health and safety, anti-money laundering, prevention and detection of crime, audit requirements, regulatory inspections, etc.) in accordance with applicable law.

 

The legal basis for using your personal information

We will collect and process information under the following legal bases: 

  • the individual has given consent to the processing of his or her personal information for one or more specific purposes, where necessary;
  • processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the Controller is subject;
  • processing is necessary in order to protect the vital interests of the individual or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal information, in particular where the individual is a child.

IMPORTANT: Where we have obtained your consent as our legal basis to process your personal information, you have the right to withdraw consent at any time by emailing DataPrivacy@MoCo.ie

If you would like to find out more about the legal basis for which we process personal information please contact us at DataPrivacy@MoCo.ie



 

SHARING PERSONAL INFORMATION WITH OUR SERVICE PROVIDERS, AND OTHER THIRD PARTIES

In this section you can find out more about how we share personal information:

  • with third parties that help us provide our Products and Services; and
  • our regulators.

 

We will only share your information with third-party service providers in order to enhance the efficiency and effectiveness of the business contract or services provided:

  1. with third parties who help manage our business. 
  2. with other financial institutions involved in the payment processes relating to your employment.
  3. with our regulators, which may include law enforcement agencies, regulatory authorities, tax authorities, courts systems, data protection agencies, to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies;
  4. with companies that will help protect our legitimate interest, including providers of fraud detection software, debt collection agencies, auditors, legal advisors, providers of various background checks, etc.

 

TRANSFERRING PERSONAL INFORMATION GLOBALLY

In this section you can find out more about:

  • transfer of your personal information outside of the European Economic Area (“EEA”).


 If we need to transfer your personal information outside the EEA, we will ensure that an appropriate transfer mechanism under applicable data protection laws is in place and that the Processor, as defined in the GDPR, in the third country has appropriate safeguarding measures in place, and that enforceable individual rights and effective legal remedies for individuals are available.

None of our service providers are permitted to transfer personal information to a third country without our express, prior written consent. Where such transfers are permitted, we will ensure that these are covered by an agreement entered into by our service provider and the third party which contractually obliges both parties to ensure that personal information receives an adequate and consistent level of protection wherever it is transferred.

 

 

HOW WE PROTECT AND STORE YOUR INFORMATION 

Security

We have implemented and maintain appropriate technical and organisational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, or the unauthorised disclosure or access to such information appropriate to the nature of the information concerned. Measures we take include placing confidentiality requirements on our staff members and service providers and destroying or permanently anonymising personal information if it is no longer needed for the purposes for which it was collected. As the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect user IDs and passwords please take appropriate measures to protect this information.

Storing your personal information

We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this notice. In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, accounting requirements. 

In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.



 

LEGAL RIGHTS AVAILABLE TO HELP MANAGE YOUR PRIVACY

Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you have certain rights in relation to your personal information which are listed here and explained further below:

  • To access personal information
  • To rectify / erase personal information
  • To restrict the processing of your personal information
  • To transfer your personal information
  • To object to the processing of personal information
  • To object to how we use your personal information for direct marketing purposes
  • To lodge a complaint with your local supervisory authority

We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal information requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.

You can exercise your rights by contacting us at DataPrivacy@MoCo.ie. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request. 

We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way. 

 
 

Right to access personal information 

You have a right to request that we provide you with a copy of your personal information that we hold and you have the right to be informed of; (a) the source of your personal information; (b) the purposes, legal basis and methods of processing; (c) the controller’s identity; and (d) the entities or categories of entities to whom your personal information may be transferred.

 

Right to rectify or erase personal information 

You have a right to request that we rectify inaccurate personal information. We may seek to verify the accuracy of the personal information before rectifying it. 

You can also request that we erase your personal information in limited circumstances where:

  • it is no longer needed for the purposes for which it was collected; or

  • you have withdrawn your consent (where the data processing was based on consent); or

  • following a successful right to object (see right to object); or

  • it has been processed unlawfully; or

  • to comply with a legal obligation to which we are subject. 

We are not required to comply with your request to erase personal information if the processing of your personal information is necessary: 

  • for compliance with a legal obligation; or

  • for the establishment, exercise or defence of legal claims.

 

Right to restrict the processing of your personal information 

You can ask us to restrict your personal information, but only where:

  • its accuracy is contested, to allow us to verify its accuracy; or

  • the processing is unlawful, but you do not want it erased; or

  • it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or

  • you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal information following a request for restriction, where:

  • we have your consent; or

  • to establish, exercise or defend legal claims; or

  • to protect the rights of another natural or legal person. 

 

Right to transfer your personal information

You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where:

  • the processing is based on your consent or on the performance of a contract with you; and
  • the processing is carried out by automated means. 

 

Right to object to the processing of your personal information

You can object to any processing of your personal information which has our legitimate interests as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests. 

If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests on which MoCo can continue processing which override your rights and freedoms. 

 

Right to lodge a complaint with your local supervisory authority

You also have a right to lodge a complaint with the Data Protection Commission if you have concerns about how we are processing your personal information.  You can find details of how to contact the Commission on their website: www.dataprotection.ie.

We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time. 


 

CONTACT US

If you have any questions, concerns or complaints regarding our compliance with this notice, data protection laws, a query in relation to how we collect and process personal information, or if you wish to make a request in relation to the above or, please contact the individual responsible for Data Protection Officer, Niall Graham, clearly stating the circumstances of your query. The individual can be contacted in the following ways:

email address: DataPrivacy@MoCo.ie

postal address: 7/8 Mount Street Upper, Dublin, D02 FT59

We will investigate and attempt to resolve complaints and disputes and will make every reasonable effort to honour your wish to exercise your rights as quickly as possible and, in any event, within the timescales provided by data protection laws.

You also have the right to lodge a formal complaint with the Data Protection Commission. You can find details of how to contact the Commission on their website: www.dataprotection.ie. We ask that you please attempt to resolve any issues with us before referring the matter to your local supervisory authority. 

Fees & Charges

 

Valuation fee

€169.00 

  
Release of deeds on Accountable Trust Receipt 

€50.00 

  
Security release fee 

€95.00 

  
BAWAG P.S.K. Bank für Arbeit und Wirtschaft und Österreichische Postsparkasse Aktiengesellschaft, trading as MoCo, is authorised by the Austrian Financial Markets Authority in Austria and is regulated by the Central Bank of Ireland for conduct of business rules. BAWAG is a stock corporation registered in Austria having its registered office at Wiedner Gürtel 11, 1100 Vienna (with registration number 205340X) and having a registered branch in Ireland (with registration number 910053). Directors: A Abuzaakouk (US), E Sirucic (AT), S Shah (US), D O´Leary (US), A Wise (US) and G Jestaedt (GER)