Data Protection Statement


  • 1. Executive Summary

      1.1 The NTMA is a data controller of Personal Data for a wide range of statutory purposes, including when it is acting as the State Claims Agency and providing various schemes, funds and services such as State Savings, FDM, ISIF, NewERA and the NDFA. The NTMA also provides certain support services in its role as a data processor, acting on behalf of the National Asset Management Agency (“NAMA”), the Strategic Banking Corporation of Ireland (“SBCI”) and Home Building Finance Ireland (“HBFI”), (together the “Affiliate Agencies”).

      The NTMA is committed to complying with our obligations in respect of the processing of personal data under data protection laws. The purpose of this Data Protection Statement (“Statement”) is to ensure that we meet our transparency obligations pursuant to the General Data Protection Regulation EU 2016/679 (“GDPR”) and the Data Protection Acts 1988 – 2018 (“DPA”), together “Data Protection Law”. The Statement sets out information about our duties and responsibilities regarding the protection of Personal Data.

      1.2 This Statement has effect from 7 July 2022 and is reviewed from time to time [1]. The most up to date approved version is posted on the NTMA website. Previous versions are also available on the NTMA website.

      [1] The NTMA Data Protection Statement was originally drafted in May 2018 and was subsequently updated in September 2020.

  • 2. About the NTMA

      2.1 The National Treasury Management Agency (referred to in this Data Protection Statement as “NTMA”, “us” or “we”) is a State body which operates with a commercial remit to provide asset and liability management services to Government.

      2.2 The NTMA manages a diverse range of businesses as further described below.

      2.3 Funding and Debt Management: The NTMA is responsible for borrowing on behalf of the Government and managing the National Debt in order to ensure liquidity for the Exchequer and to optimise the interest burden on the State over the medium term. This includes borrowing through the sale of retail products under the brand name State Savings, which is used to describe the range of savings products offered by the NTMA through its agents, An Post and the Prize Bond Company.

      2.4 Ireland Strategic Investment Fund: The NTMA controls and manages the Ireland Strategic Investment Fund, which has a statutory mandate to invest on a commercial basis in a manner designed to support economic activity and employment in the State.

      2.5 National Development Finance Agency: Acting as the National Development Finance Agency, the NTMA provides financial advisory, procurement and project delivery services to State authorities in respect of public infrastructure projects.

      2.6 NewERA: Through NewERA, the NTMA provides a dedicated centre of corporate finance expertise to Government regarding their shareholdings in major commercial State bodies.

      2.7 State Claims Agency: The State Claims Agency (“SCA”) manages personal injury and third-party property damage claims against the State and delegated State authorities (hereinafter referred to as “DSAs”) and provides related risk management functions. It manages claims for legal costs against the State and DSAs, however so incurred. The SCA also manages applications to the High Court for payment from the Insurance Compensation Fund (‘ICF’) by relevant insurers in liquidation, which includes the SCA carrying out audits to assess eligibility.

      2.8 In addition to the above functions, the NTMA assigns staff to NAMA, the SBCI and HBFI and also provides them with business and support services and systems. In this regard, the NTMA may act as a data processor.

  • 3. Purpose of this Data Protection Statement

      3.1 The purpose of this Data Protection Statement is to explain what Personal Data we Process and how and why we Process it where you engage with any of the businesses managed by the NTMA, whether as a job candidate, customer, business partner or generally as a member of the public. In addition, this Data Protection Statement outlines our duties and responsibilities regarding the protection of such Personal Data and the rights of data subjects in that respect. NTMA Employees may find information about our Processing of Personal Data in our dedicated Employee Data Protection Statement. Information on our website-related Processing activities is available in our NTMA Website Privacy and Cookies Policy.

      3.2 This Data Protection Statement is not an exhaustive statement of our data protection practices. The manner in which we Process data will evolve over time and we will update this Statement from time to time to reflect changing practices. In addition, we operate a number of internal workplace policies and procedures which inter-relate with this Data Protection Statement. For example, the NTMA has internal policies and procedures governing Personal Data Breaches, Data Subjects’ Rights, Information Security and Data Retention.

      3.3 In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Data Protection Statement by reference into various points of data capture used by us such as application forms and website forms.

      3.4 A glossary of some of the data protection terms used throughout this Statement may be accessed in Annex 2.

  • 4. The NTMA as a Data Controller

      4.1 The NTMA is a statutory body established by the National Treasury Management Agency Act 1990, as amended (“NTMA Acts”). The data Processing undertaken by the NTMA is undertaken in fulfilment of its statutory functions and duties.

      4.2 When acting as a Data Controller, the NTMA relies on Art. 6(1)(e) of the GDPR, which permits Processing that is necessary for the performance of a task which is in the public interest, where such “public interest” is laid down in EU or Irish law, as the legal basis for most of its Processing. Where Processing activities are not supported by a statutory basis, the NTMA relies on alternative legal bases permitted by Data Protection Law.

  • 5. The NTMA as a Data Processor

      5.1 In some cases, the NTMA acts as a Data Processor, under the instructions of a Data Controller, for example, when it is providing business and support services and systems to the Affiliate Agencies. The NTMA, acting as the State Claims Agency, is also a Data Processor in some instances where Delegated State Authorities choose to store their information within the National Incident Management System (the “NIMS System”). The NIMS System is a national end-to-end tool operated by the NTMA and used by DSAs to record and manage their risks.

      5.2 When acting as a Data Processor, the NTMA complies with the relevant obligations under Data Protection Law. These include ensuring that the data that is Processed by the NTMA on behalf of the relevant Data Controllers is subject to appropriate technical and organisational measures to ensure a level of security appropriate to the risk and ensuring that the Processing is underpinned by a contract which includes the data protection provisions prescribed in Data Protection Law.

  • 6. Purposes of Processing

      6.1 As mentioned in section 4.2 of this Data Protection Statement, the NTMA largely relies on the public interest provision provided for in Article 6(1)(e) of the GDPR as the legal basis for most of its Processing. In this regard we Process Personal Data for the purpose(s) of fulfilling our statutory functions and obligations under the NTMA Acts and other applicable legislation. Examples of the types of Processing undertaken by the NTMA along with a description of the underlying legal basis may be accessed in Annex 1 of this Data Protection Statement.

  • 7. Special Categories of Data

      7.1 The NTMA, when acting as the State Claims Agency, routinely processes Special Categories of Data (largely data concerning health, but it can also extend to other categories) in the discharge of its functions. In this regard, the State Claims Agency relies on the fact that the Processing of Special Categories of Data is permitted under several provisions of Data Protection Law, including the following:

      (a) Where it is necessary for the establishment, exercise or defence of legal claims and where it is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights;

      (b) Processing for reasons of substantial public interest;

      (c) In relation to the management of medical risk and medical claims, e.g. where it is necessary for the purposes of preventative or occupational medicine, to assess the working capacity of an employee, for the management of health or social care systems and services or for ensuring high standards of quality and safety of health care.

      7.2 The NTMA (excluding the State Claims Agency) processes Special Categories of Data in limited circumstances, typically related to the ordinary course of personnel administration.

  • 8. Individual Data Subject Rights

      8.1 Data Protection Law provides certain rights in favour of Data Subjects. The rights in question (“Data Subject Rights”) are as follows:

      (a) The right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Data Controller);

      (b) The right of access to Personal Data including knowledge of whether or not the Data Subject’s Personal Data are being processed and, if so, having access to the Personal Data plus additional ancillary information. This includes information such as the purposes of the Processing, the categories of Personal Data concerned, the recipients or categories of recipient to whom the Personal Data have been or will be disclosed and retention periods;

      (c) The right to rectify Personal Data;

      (d) The right to erase Personal Data (right to be forgotten);

      (e) The right to restrict Processing;

      (f) The right of data portability, i.e. the right to receive Personal Data concerning the Data Subject in a structured, commonly used and machine-readable format and the right to have those data transmitted to another Data Controller. This right only applies to Personal Data which the Data Subject has provided to the NTMA (and not to data which is received from third parties).

      (g) The right of objection;

      (h) The right to object to automated decision making, including profiling; and

      (i) The right to withdraw consent (in the limited cases where we rely on your consent to process your personal data), without affecting the lawfulness of processing based on consent before its withdrawal.

      8.2 Some rights will not apply in some cases, and exemptions may apply to the exercise of your rights. For example, Articles 17 and 20 of the GDPR state that the right to be forgotten and the right of data portability do not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.

      8.3 In certain limited circumstances, the NTMA may act as a joint controller, i.e. where the NTMA, in conjunction with another party, may jointly determine the purposes and means of processing of your personal data. For example, this is relevant in a public procurement context when the NTMA and the Office of Government Procurement (OGP) jointly process personal data as part of the conduct of public procurement competitions on the eTenders electronic tendering platform. Where any joint controller arrangement entered into by the NTMA is applicable to your Personal Data, you will be so informed, and the rights outlined above may be exercised against each of the controllers [2].

      8.4 Any Data Subject wishing to exercise their Data Subject Rights should write to the NTMA Data Protection Officer, Treasury Dock, 1 North Wall Quay Dublin 1, D01 A9T8 or email dpo@ntma.ie. Your request will be dealt with in accordance with the NTMA’s Data Subject Rights Requests Procedure.

      [2] Art 26 GDPR

  • 9. Data Security and Personal Data Breach

      9.1 The NTMA has a suite of Information Security Policies and Procedures which are designed to ensure that appropriate technical and organisational measures are in place to protect information. They are overseen by an IT Security Committee and apply to all NTMA staff. These measures protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.

      9.2 Articles 33 and 34 of the GDPR oblige Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of personal data security breaches. The NTMA has implemented a Personal Data Breach Procedure and we will manage a Data Breach in accordance with this procedure.

  • 10. Disclosing Personal Data

      10.1 From time to time, we will disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process, for example, where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data.

      10.2 We will also share Personal Data: (a) with another statutory body[3] where there is a lawful basis to do so (such as the Data Protection Commission in relation to complaint handling); (b) with selected third parties including contractors and sub-contractors (as appropriate), such as records management service providers and banks; (c) if we are under a legal obligation to disclose Personal Data. This includes exchanging information with other organisations for the purposes of fraud prevention or investigation.

      10.3 Where we enter into agreements with third parties to Process Personal Data on our behalf, we will ensure that the appropriate contractual protections are in place to safeguard such Personal Data.

      10.4 Examples of third parties to whom Personal Data have been or will be disclosed include:

      • In respect of the personnel function, advisors and recruiters who must have access to personal data to perform their services.

      • In respect of State Savings products, An Post and the Prize Bond Company act as Data Processors for the NTMA, which is the Data Controller. Data gathered and maintained by An Post and the Prize Bond Company in this capacity is used for the purpose of administering the State Savings products and for disclosure to the Revenue Commissioners as required by law.

      • In respect of the State Claims Agency, disclosures are made for example to solicitors, barristers, expert witnesses, witnesses as to fact, private investigators, legal cost accountants, the judiciary, the Courts Service, insurers and other third parties named in proceedings, in order to process the claims to which the personal data relates. Disclosures will also be made to Riskonnect, a US-based company, which provides the NIMS system used by the State Claims Agency and Delegated State Authorities.

      [3] Where information is shared with another public body and no other lawful basis exists, a data sharing agreement will be put in place, pursuant to the Data Sharing and Governance Act 2019.

  • 11. Data Retention

      11.1 We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed and in accordance with our Records Management Policy.

      11.2 The NTMA is required to keep records for prescribed periods of time, ranging up to 25 years (and in certain cases, permanently), for example:

      (a) For the purposes of handling potential claims and for record-keeping purposes:

      (i) Where an individual makes a complaint, we will hold records regarding the complaint for 3 years after the complaint is closed.

      (ii) Information relating to third parties (e.g. customers, service providers) is kept for up to 7 years following the conclusion of the business relationship.

      (iii) Personal data in relation to unsuccessful candidates and unsuccessful tenders is anonymised or deleted after 12 months.

      (b) The SCA holds records:

      (i) relating to claims, for 25 years (from the date a claim is finalised) to enable it to fulfil its statutory functions pursuant to the NTMA (Amendment) Act 2000 and the NTMA Amendment Act 2014 (“NTMA Acts”);

      (ii) relating to claims involving a Ward of Court or mental incapacitation, for 100 years from the plaintiff’s date of birth to enable it to fulfil its statutory functions pursuant to the NTMA Acts.

      (iii) regarding SCA queries, for 8-15 years, to enable it to fulfil its statutory functions pursuant to the NTMA (Amendment) Act 2000 and the NTMA Amendment Act 2014.

      (iv) relating to its statutory involvement in applications to the High Court for payment from the ICF by insurers in liquidation, for 7 years after the insurance company liquidation is completed, to enable it to fulfil its functions pursuant to the Insurance Act 1964 as amended by the Insurance (Amendment) Act 2011 and Insurance (Amendment) Act 2018 (together the “Insurance Acts”).

      (c) Accounting records are retained for 7 years before being archived, in accordance with the NTMA’s remit, in compliance with legal obligations and in line with the Government archiving practice.

      (d) Records regarding valid claims under the ELG scheme are kept indefinitely to defend any future challenge in relation to claims paid, while records regarding rejected claims are kept for 2 years.

      (e) In line with Government guidance and best practice, records relating to FOI requests, AIE requests and general queries are kept for 7 years after the complaint is closed (with records relating to general queries being anonymised thereafter), while responses to parliamentary queries are kept permanently.

      (f) Records of calls are kept for up to 2 years for record-keeping and complaint management purposes.

      (g) Records relating to non-employees who visit the NTMA and are entered into our Visitor Management System are kept for 28 days for security purposes.

      11.3 We may need to keep personal data beyond the periods specified in our Records Management Policy where there is an outstanding claim or dispute, which requires the further retention of personal data in connection with that claim.

  • 12. Data Transfers outside the EEA

      12.1 From time to time we will need to transfer Personal Data outside of the European Economic Area (“EEA”). This transfer will occur in accordance with applicable Data Protection Law. We take reasonable steps to ensure that the Personal Data is treated securely (typically through the use of EU-approved Standard Contractual Clauses and related Transfer Impact Assessments) and in accordance with this Data Protection Statement when transferred outside of the EEA.

      12.2 Examples of data transfers outside of the EEA by the NTMA include:

      • The State Claims Agency in carrying out its statutory duties frequently provides medical records and other information to experts in the UK, within the EEA and outside the EEA, such as in the USA, Australia, New Zealand, Switzerland, Israel and Gibraltar, for the purpose of obtaining expert reports on liability and other issues pertinent to claims.

      • In addition, in carrying out its statutory duties, the State Claims Agency provides medical records and other information to clinical staff who have moved abroad, e.g. to the UK, USA, Canada, Australia and the Far East for the purpose of obtaining witness statements in respect of claims, where such clinical staff provided professional medical services. Clinical experts and witnesses may also be provided with a copy of legal proceedings.

      • Data will also be processed by Riskonnect, a US-based company, which provides the NIMS system used by the State Claims Agency and Delegated State Authorities. Categories include name, address/contact details, date of birth, employee information, gender, description of adverse incident, medical information, injury, healthcare number, nationality, witness details.

      • Personal data (including names and contact details) will be processed by service providers in the UK and India on behalf of the NTMA and the NDFA.

      • Personal data in relation to candidates for employment will be processed by service providers in the UK on behalf of the NTMA.

      (Note: although outside the EEA, the EU has provided an adequacy decision to the UK, i.e. it is deemed to provide the equivalent level of personal data protection as countries within the EEA).

  • 13. Further Information/Complaints Procedure

      13.1 You can ask a question or make a complaint about this Data Protection Statement and/or the Processing of your Personal Data by contacting the NTMA Data Protection Officer at dpo@ntma.ie. While you may make a complaint in respect of our compliance with Data Protection Law to the Data Protection Commission, we request that you contact the NTMA DPO in the first instance to give us the opportunity to address any concerns that you may have.

  • Annex 1

      Purposes of Processing

      The following are non-exhaustive examples of the types of Processing undertaken by the NTMA along with a description of the underlying legal basis:

      Example of Function / Activity | Description | GDPR Lawful Basis for associated data Processing activities

      Funding and Debt Management

      Section 5 of the National Treasury Management Agency Act 1990 (“NTMA Act”) states that the ‘Government may by order delegate to the Agency the functions of the Minister specified in the First Schedule and any other functions of the Minister in relation to the management of the national debt or the borrowing of monies for the Exchequer that the Minister considers appropriate and are specified in the order.’ The First Schedule to the NTMA Act contains the list of functions delegated to the Agency. This list has been extended since 1990, to incorporate additional functions.

      The performance of the NTMA’s functions under the NTMA Act and the NTMA (Amendment) Acts requires personal data to be processed in a variety of ways, for example, recording of telephone calls with counterparties in respect of transaction and balance confirmations and query resolution.

      Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)

      Compliance

      The NTMA must process personal data to comply with a range of legal obligations.

      For example:

      The NTMA processes contact details and IDs for the purposes of fulfilling the NTMA’s mandate in accordance with the NTMA Act, and to comply with legal obligations, such as sanction checking.

      Personal data may be shared in response to parliamentary questions and requests made in accordance with the Freedom of Information Act 2014, the European Communities (Access to Information on the Environment) Regulations 2007 to 2018, and Dáil Standing Orders.

      In accordance with data protection law, the NTMA may also be required to share personal data with the Data Protection Commission to assist in the investigation of individuals’ complaints.

      Contact and bank details will be processed for the purpose of processing claims under the ELG Scheme in accordance with the Credit Institutions (Eligible Liabilities Guarantee) Scheme 2009.

      Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)

      Compliance with a legal obligation – Various sanction regime requirements

      State Savings

      State Savings products are offered by the Minister for Finance acting through the NTMA pursuant to the powers conferred on the NTMA by the NTMA Act and the National Treasury Management Agency Act 1990 (Delegation of and Declaration as to Functions) Order 1990 (S.I. No. 277 of 1990).

      Personal data such as contact details and financial details will be processed in a variety of ways for the purposes of offering State Savings products, e.g. in the course of handling complaints.

      Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)

      Ireland Strategic Investment Fund

      Under Sections 22 and 39 of the NTMA (Amendment) Act 2014, the NTMA is required to invest the assets under the management of ISIF in a manner “designed to support economic activity and employment in the State”.

      This will involve a variety of processing activities, including processing CV details on investee principals, shareholders and directors for due diligence purposes, in accordance with the NTMA Act.

      Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)

      State Claims Agency

      The SCA has, pursuant to the NTMA (Amendment) Acts 2000, NTMA (Amendment) Act 2014, the Insurance (Amendment) Act 2018 and SI No. 191/2018 the National Treasury Management Agency (Delegation of Claims for Costs Management Functions) Order 2018, a wide statutory remit including:

      • the management of claims and counter claims on behalf of delegated State Authorities (“DSAs”); the provision of risk management advice and assistance to DSAs on measures to be taken to mitigate the occurrence, or to reduce the incidence, of acts or omissions that may give rise to personal injury, property damage or clinical adverse events that could subsequently result in claims, with the aim of reducing future claims and litigation;
      • the management of claims for costs against the State; and
      • the provision of consultancy and advisory services to DSAs in respect of any matter to which the SCA’s functions relate.

      The SCA has, pursuant to the Insurance Act 1964 as amended by the Insurance (Amendment) Act 2011 and the Insurance (Amendment) Act 2018 (together the “Insurance Acts”), a statutory remit including:

      • The management of applications to the High Court for payment from the Insurance Compensation Fund (‘ICF’) by relevant insurers in liquidation. This includes the SCA carrying out audits to assess eligibility of claims, the preparation and making of applications to the High Court seeking approval for payment from the ICF and the payment of claimants and/or their legal representatives on receipt of the funds from the Central Bank of Ireland.

      Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller - Art 6(1)(e)

      Processing is necessary for compliance with a legal obligation to which the controller is subject and Section 49 Data Protection Act 2018
      Processing necessary for the defence of legal claims - Art 9 (2)(f) & Section 47 Data Protection Act 2018
      Consent is sought in limited circumstances, at certain times when seeking consent to take up a claimant’s medical records, as per Art 9 (2)(a)

      Public interest, where processing is necessary for reasons of public interest in the area of public health (see Section 7 in the text of the Statement above re Special Categories of Data) - Arts 9(2)(g), (h) and (i) and Section 53 Data Protection Act 2018
      Contractual performance

      NewERA

      The National Treasury Management Agency (Amendment) Act 2014 established NewERA in statute and introduced new requirements in relation to the corporate governance of certain State bodies designated in that Act.

      This will include processing CV information in relation to prospective directors of designated entities.

      Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)

      NDFA

      The NDFA was established on 1 January 2003 and its key functions are now mandated within the National Treasury Management Agency (Amendment) Act, 2014 and the Ministerial Guidelines issued by the Department of Public Expenditure and Reform, in consultation with the Department of Finance.

      This will include processing names, contact details and financial details in relation to contracts, taking site photographs, evaluating CV information for tenders, and processing personal injury reports provided by third parties as a requirement of contractual agreements, all in accordance with the NDFA functions under the NTMA Act.

      Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e), including substantial public interest - Art 9(2)(g)

      Processing necessary for the defence of legal claims - Art 9 (2)(f)

      Contractual performance

      Annual Statements of Interest by Designated Directors and Certain NTMA Employees

      Under the Ethics in Public Office Acts 1995 and 2001, certain “designated directors” and “holders of designated positions of employment” of public bodies are required to furnish an annual statement of interests to the Standards in Public Office Commission and/or the officer in the relevant body nominated by the Minister.

      Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)

      Candidate Data

      Name, contact details, CV information, psychometric data and interview notes will be processed to assess if a candidate is suitable for a role.

      Contract performance

      Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)

      Dormant Accounts

      Consent is obtained from relevant individuals in the event their data is required to be shared externally with a bank/insurer to remit money pursuant to the Dormant Accounts Acts 2001-2012 and the Unclaimed Life Assurance Policies Act 2003.

      Consent

      Maintaining Records / Correspondence

      Business contact information in relation to investors, primary dealers and other business contacts is collected for the purposes of corresponding with them and for the purposes of records management.

      Visitor Information is gathered in relation to visitors to Treasury Dock for security and record management purposes.

      Legitimate Interests

      Internal Audit

      Internal audits of individual businesses could necessitate the processing of client personal data.

      Legitimate Interests

      Support Services to NAMA

      Pursuant to section 41 of the National Asset Management Agency Act 2009, the NTMA is required to provide NAMA with “such business and support services and systems as the Board determines, acting upon the recommendation of the Chief Executive Officer of NAMA and after consultation with the Chief Executive of the NTMA, to be necessary or expedient for NAMA to perform its functions under this Act.” In the context of the data processing undertaken by the NTMA on behalf of NAMA, the NTMA acts as a Data Processor in performing certain of these relevant business and support services.

      Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)

      Support Services to the SBCI

      Pursuant to section 10 of the Strategic Banking Corporation of Ireland Act 2014, the NTMA is required to provide “such business and support services and systems as the SBCI determines, after consultation with the Chief Executive of the NTMA, from time to time, to be necessary or expedient for the SBCI to perform its functions.” In the context of the data processing undertaken by the NTMA, on behalf of the SBCI, the NTMA acts as a Data Processor in performing certain of these relevant business and support services.

      Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)

      Support Services to HBFI

      Pursuant to section 9 of the Home Building Finance Ireland Act 2018, the NTMA is required to provide “such business and support services and systems as HBFI determines, after consultation with the Chief Executive of the NTMA, from time to time, to be necessary or expedient for HBFI to perform its functions.” In the context of the data processing undertaken by the NTMA, on behalf of HBFI, the NTMA acts as a Data Processor in performing certain of these relevant business and support services.

      Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)

  • Annex 2
    • ANNEX 2

      Glossary

      In this Data Protection Statement, the terms below have the following meaning:

      “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

      “Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.

      “Data Processor” means the party that Processes Personal Data on behalf of the Data Controller (for example, a payroll service provider).

      “Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Acts 1988 to 2018 and any other laws which apply to the NTMA in relation to the Processing of Personal Data.

      “European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, and Norway.

      “Personal Data” is any information relating to a living individual (“Data Subject”) which allows the identification of that individual. Personal Data can include:

      • a name, an identification number;
      • details about an individual’s address or contact details;
      • data related to the delivery of a service by the NTMA, e.g. details of transactions with State Savings or of claims or incidents which are managed by the State Claims Agency;
      • any other information that is specific to that individual.

      “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.

      “Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data for the purposes of uniquely identifying an individual (for example, fingerprints), health data, data concerning sex life or sexual orientation. Personal Data relating to criminal convictions or offences are also considered sensitive, and specific restrictions apply to the processing of such data.