1.1 The Controller
When we reference “First Auto Finance”, “we”, “us” or “the Company” we are referring to First Auto Finance Ireland Limited.
First Auto Finance is the exclusive intermediary for Close Brothers Motor Finance in the Republic of Ireland.
First Auto Finance is a subsidiary of Finance Ireland Ltd.
We collect and use your personal data and where applicable this may include information related to your spouse/partner, directors, partners and owners (your “associates”). We are responsible for ensuring that we use your personal data in compliance with data protection law.
First Auto Finance is a Data Processor, processing applications and administering agreements as an intermediary for Close Brothers Motor Finance. In the event of a recoveries scenario, personal data is transferred by Close Brothers Motor Finance to First Auto Finance and First Auto Finance then becomes a Data controller at that point.
This notice applies to any personal data we receive from you, create or obtain from other sources and explains how it will be used by us. It is important that you take the time to read this notice so that you understand how we will use your personal data and your rights in relation to your personal data.
1.2 How you can contact us
Please contact us if you have any questions about our privacy notice or personal data we hold about you:
Write to us at our address:
Privacy, First Auto Finance Ireland Ltd, Clerkin House, 85 Pembroke Road, Ballsbridge, Dublin 4;
By telephone: 01 6470240 or
By e-mail: firstname.lastname@example.org
Please help us to keep your records up to date by notifying us of any changes to your personal details.
2. Personal data that we collect about you and your associates
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We will collect and use the following personal data about you and your associates:
2.1 Information you give us
This is information about you and your associates that you give us by filling in forms or by corresponding with us by telephone, e-mail or otherwise. The information you give us may include your and your associates’ name, address, e-mail address and telephone number, date of birth, gender, marital status, financial information, occupation and employment history, health information, credit history, identification records, qualifications and details of income, assets, bank accounts, shares and other investments.
You must ensure that in respect of any information you provide us with, which does not relate to you (for example, information about your associates), you have provided the individual to whom the information relates with a copy of this Privacy Notice and obtained any necessary consents to disclose such information.
2.2 Information we collect or generate about you and your associates
Website Usage Information – Our website uses Google Analytics to automatically gather certain statistical information such as the number and frequency of visitors and their IP addresses. This information is used as aggregated statistical information about users, providing usage by IP address. This information helps us to measure how individuals use the website and our services, so that we can continually improve them.
We may record telephone conversations to process applications, manage facilities, resolve complaints, improve our service and for training, verification and quality assurance purposes.
2.4 Information we receive from other sources
Financial/Credit Information – We will use information provided by credit reference agencies and your professional advisors including accountants, if applicable, when assessing your application for finance and to verify your or, if applicable, your associates’ identity. Such information may include some details about your financial status, other credit you have taken out, any credit arrangements you have met or failed to meet, and any court judgments made against you.
Fraud Prevention Agencies – When verifying your identity as part of our application process, we may access information recorded by fraud prevention agencies within and outside Ireland. This may include information about any criminal convictions and any allegations regarding criminal activity that relate to you.
Intermediaries – We will receive information from dealers, brokers, introducers, this includes your personal details, contact details and relevant asset and financial details for the purposes of entering into and administering your agreement.
Public databases – we may obtain information about individuals from public databases. We use reputable sources including but not limited to the electoral register and Companies Registration Office. We employ appropriate measures to assure the quality of information which we collect.
2.5 Where you do not provide your Personal Data
If you do not provide us with your personal data we may not be able to provide you with our services or respond to any questions or requests you submit to us. We will tell you when we ask for personal data which is a contractual requirement or needed to comply with our legal obligations.
3. Purpose and Legal Basis for Processing
We will hold, process and may disclose personal data for the following purposes:
- to verify your identity and the information provided in the application form (including contacting you by telephone)
- to assess your suitability for the products and services that you have requested and decide whether to enter into an agreement with you;
- for making a credit check on you. Please see further details in section 4 below.
- to supply information to the Central Credit Register, when available, and to use the Central Credit Register when considering loan applications to determine your borrowing options and repayment capacity and/or facilitate other lending institutions to carry out similar checks. The Central Credit Register retains this information for inspection for a period of 5 years;
- we may use credit scoring techniques and automated decision making systems to either fully or partially assess your information. These credit scoring techniques and automated decision making systems may take into account any previous applications for finance, defaults or existing debt. The results of this decision may decide whether we provide you with our services or not. If you disagree with the results of an automated decision, you can request a review of your application;
- to manage, administer and take decisions regarding your agreement;
- to carry out our obligations arising from any agreements you enter into with us;
- to make payments;
- to recover monies;
- for enforcement purposes and as otherwise reasonably required for the administration of an agreement, facility or guarantee;
- for fraud prevention purposes, including information about any criminal convictions and any allegations regarding criminal activity that relate to you, subject to suitable and specific measures being taken to safeguard your fundamental rights and freedoms.
The processing of your personal data is necessary to perform a contract or enter into a contract with you.
- to allow us to detect and prevent fraudulent activity including sharing personal data with fraud prevention agencies;
- to allow us to detect and prevent money laundering activity or terrorist financing;
- to meet our legal and regulatory obligations;
- to conduct statistical analysis in order to improve our credit risk profile, tackle fraud, and improve our credit decisions. This may include statistical analysis on your personal data even if your application is declined by us or you decide not to complete your application with us;
- to comply with any legal or regulatory obligations;
- to provide you with information, products or services that you may request from us;
- to retain your personal data to make decisions on future applications for credit even if your current application is declined by us or you decide not to complete your current application with us (where allowed by law);
- to contact you via post, e-mail or telephone in relation to the administration of your account or to
- carry out quality control research;
- in order to identify and offer you tailored products and services that are suitable for you and improve our service;
- if we sell any of our business or assets, in which case we may disclose your personal data to the prospective buyer for due diligence purposes;
- if we are acquired by a third party, in which case personal data held by us about you will be disclosed to the third party buyer.
This use of the data is necessary for our legitimate interest in managing our business including legal, personnel, administrative and management purposes such as improving customer service, market research, quality assurance, training staff, and for the prevention and detection of crime provided our interest are not overridden by the data subject’s interest. Please note that in certain circumstances data subjects have a right to object to processing of their personal data where that processing is carried on for our legitimate interest.
- Where we are permitted to do so, to send promotional information about our products and services via methods such as e-mail, post, telephone.
- Where the data subject has given consent to the processing of their personal data for direct marketing – which they may withdraw at any time.
- Where your consent is not required and you have not objected, the use of the data is necessary for our legitimate interest in managing our business including legal, personnel, administrative and management purposes provided our interest are not overridden by the data subject’s interest. Please note that data subjects have a right to object to processing of their personal data where that for direct marketing.
4. Further details on Credit Searches, Scoring & Crime Prevention
We may carry out a search with a credit reference agency e.g. the Central Credit Register who will keep a record of our enquiry against your name and which may be linked to your associates (“associated records”). For the purposes of any application for products or services from us, you may be assessed with reference to “associated records”. Where any search or application is completed or agreement entered into involving joint parties, we may record details at credit reference agencies, as a result an “association” will be created that will link your financial records. Details of which credit reference agency we have used are available on request. We may also add to your or, if applicable, your business’s, record with the credit reference agencies details of your agreement with us, any payments you make under it and any default or failure to keep to its terms. These records will remain on the credit reference agencies’ files for 6 years after our agreement with you is settled or terminated whether settled by you or, if applicable, your business or by way of default. These credit reference agencies may create, or add to, their own record about you, or, if applicable, your business, details of our search and your application. This and other information about you or, if applicable, your business and those with whom you are linked financially may be used to make credit decisions about you or your business. Where personal data is shared with the Central Credit Register, the Central Credit Register will also share it with the Central Statistics Office (excluding PPSN, Eircode and contact numbers). For more information please see the Central Credit Register frequently asked questions here.
Please note that where your credit search was performed before October 2021, we may hold historical information about you that we obtained from the Irish Credit Bureau.
5. Sharing your personal data
We may disclose your personal data within the Finance Ireland Credit Solutions DAC group of companies and to third party service providers in the circumstances described below:
- to ensure the delivery or maintenance of products or services you have taken out with us;
- to ensure the safety and security of our data; and
- as part of our internal research and statistical analysis activity.
- we will take steps to ensure that the personal data is accessed only by personnel that have a need to do so for the purposes described in this Privacy Notice.
We may also share your personal data outside of the Finance Ireland group of companies:
- to an insurer or insurers for administration;
- to claims handlers and fraud prevention agencies;
- to any guarantor;
- to any funder in the event of securitisation;
- to any broker or introducer of an agreement with us;
- to tracing and repossession agents;
- if we sell or are considering selling any of our business or assets, to potential or actual buyers (and their officers, employees, agents and advisors);
- if we are acquired by a third party or a third party is considering acquiring us, to potential or actual buyers (and their officers, employees, agents and advisors);
- to third party agents or contractors (for example, the providers of our electronic data storage services or call centres) for the purposes of providing services to us; and
- with your consent, to third party affiliates who may wish to offer you products and services which may be of interest to you. These third parties will be subject to confidentiality requirements and they will only use your personal data as described in this Privacy Notice.
We may also share your personal data outside of the Finance Ireland Group to the extent required by law, for example if we are under a duty to disclose your personal data in order to comply with any legal obligation including but not limited to disclosures made to:
- Credit agencies;
- Companies Registration Office;
- Central Credit Register;
- Central Bank of Ireland;
- and to establish, exercise or defend our legal rights.
Transfer of personal data outside the European Economic Area
The information you provide to us will be transferred to and stored on our secure servers in the European Economic Area (“EEA”). However, from time to time, your personal data may be transferred to, stored in, or accessed from a destination outside the EEA e.g. the US.
Where we transfer your personal data outside the EEA, we will ensure that it is protected in a manner that is consistent with how your personal data will be protected by us in the EEA. This can be done in a number of ways, for instance:
- the country that we send the data to might be approved by the European Commission or a relevant data protection authority (Article 45 GDPR);
- the recipient might have signed up to a contract based on “model contractual clauses” approved by the European Commission, obliging them to protect your personal data (Article 46 GDPR); or
- where the recipient is located in the US, it might be a certified member of the EU-US Privacy Shield scheme (Article 46 GDPR).
In other circumstances the law may permit us to otherwise transfer your personal data outside the EEA. In all cases, however, we will ensure that any transfer of your personal data is compliant with data protection law.
You can obtain more details of the protection given to your personal data when it is transferred outside the EEA (including a copy of the standard data protection clauses which we have entered into with recipients of your personal data) by contacting us in accordance with the “Contact us” section 1.2.
7. How long we keep your personal data
How long we hold your personal data for will vary. The retention period will be determined by various criteria including:
the purpose for which we are using it – we will need to keep the data for as long as is necessary for that purpose; and
legal obligations – laws or regulation may set a minimum period for which we have to store your personal data e.g. Central Bank of Ireland codes and regulations, and Anti-Money Laundering Obligations
In accordance with the provisions of the Statute of Limitations if you are a customer we will retain your personal data for 7 years following the end of our relationship with you, unless we are required by law to keep it for a longer period of time (in which case, we will keep it until the expiry of the period required by law).
8. Your rights
You have several rights in relation to your personal data under applicable data protection law, which may be subject to certain limitations and restrictions. We will respond to any valid requests within one month, unless it is particularly complicated or you have made repeated requests in which case we will respond, at the latest, within three months. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay.
You will not be charged a fee to exercise any of your rights unless your request is clearly unfounded, repetitive or excessive, in which case we will charge a reasonable fee in the circumstances or refuse to act on the request.
If you wish to exercise any of these rights, please contact us (see section 1.2). We may request proof of identification to verify your request.
Right to withdraw consent
If we are processing your personal data on the legal basis of consent, you are entitled to withdraw your consent at any time (see Contact Us Section 1.2). However, the withdrawal of your consent will not invalidate any processing we carried out prior to your withdrawal and based on your consent.
Right of Access
You can request a copy of the personal data we hold about you.
Right to Rectification
You have the right to request that we correct any inaccuracies in the personal data we hold about you and complete any personal data where this is incomplete.
Right to Erasure (‘Right to be Forgotten’)
You have the right to request that your personal data be deleted in certain circumstances including where:
The personal data are no longer needed for the purpose for which they were collected;
You withdraw your consent (where the processing was based on consent);
You object to the processing and there are no overriding legitimate grounds justifying us processing the personal data (see Right to Object below);
The personal data have been unlawfully processed; or
To comply with a legal obligation. However, this right does not apply where, for example, the processing is necessary:
To comply with a legal obligation; or
For the establishment, exercise or defence of legal claims.
Right to Restriction of Processing
You can ask that we restrict your personal data (i.e., keep but not use) where:
The accuracy of the personal data is contested;
The processing is unlawful but you do not want it erased;
We no longer need the personal data but you require it for the establishment, exercise or defence of legal claims; or
You have objected to the processing and verification as to our overriding legitimate grounds is pending.
We can continue to use your personal data:
Where we have your consent to do so;
For the establishment, exercise or defence of legal claims;
To protect the rights of another; or
For reasons of important public interest.
Right to Data Portability
Where you have provided personal data to us, you have a right to receive such personal data back in a structured, commonly-used and machine-readable format, and to have those data transmitted to a third-party data controller without hindrance but in each case only where:
The processing is carried out by automated means; and
The processing is based on your consent or on the performance of a contract with you.
Right to Object
You have a right to object to the processing of your personal data in those cases where we are processing your personal data in reliance on our legitimate interests. In such a case we will stop processing your personal data unless we can demonstrate compelling legitimate interests which override your interests and you have a right to request information on the balancing test we have carried out. You also have the right to object where we are processing your personal data for direct marketing purposes.
You have a right not to be subjected to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affects you other than where the decision is:
Necessary for entering into a contract, or for performing a contract with you;
Based on your explicit consent – which you may withdraw at any time; or
Is authorised by EU or Member State law.
Where we base a decision solely on automated decision-making, you will always be entitled to have a person review the decision so that you can contest it and put your point of view and circumstances forward.
Right to Complain
You have the right to lodge a complaint with the Data Protection Authority, in particular in the Member State of your residence, place of work or place of an alleged infringement, if you consider that the processing of your personal data infringes the GDPR.
Please see the below contact details for the Irish Data Protection Commission:
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28
Phone: +353 (0)761 104 800
9. Changes to our Privacy Notice
We keep our Privacy Notice under regular review. If we make any changes, we will post those changes here and update the “Last Updated” date at the bottom of this Privacy Notice. However, if we make material changes to our Privacy Notice we will notify you in writing such as by email or by means of a prominent notice on our website prior to the change becoming effective. Please check back frequently to see any updates or changes to our Privacy Notice.
Last Updated October 2021