Terms & Conditions
The General Data Protection Regulation (GDPR) very significantly increases the obligations and responsibilities for organisations and businesses around how we collect, use and protect personal information. At the centre of the new law is a requirement for organisations and businesses, like ours, to be fully transparent about how we are using and safeguarding your personal information, and also to be able to demonstrate how we are accountable for any data processing activities that we undertake.
This is our guide to how personal data is managed by Orca Financial Group, so please read it carefully.
As both a controller and processor of information, data privacy is taken very seriously in Orca Financial Group. It is important that you know exactly what we do with the personal data that you and others provide to us, why we gather it and what it means to you. This document outlines our approach to Data Privacy to fulfil our obligations under the General Data Protection Regulation [GDPR]. We also welcome it as an opportunity to reassure you of the importance we place on keeping your personal data secure, and of the strict guidelines we apply to its use.
GDPR Article 4(7): ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
GDPR Article 4(8): ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
GDPR Article 4(1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR also extends the definition of “special categories of data” (i.e. sensitive data) to include, in addition to data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, “genetic data” and “biometric data” with more stringent conditions in place for the processing of such data.
In Orca Financial Group, we want you to be clear on:
• Who we are
• The information we collect about you
• When and how we collect information about you
• How we use your information*
• How we use analytics and automated processing platforms
• Who we share your information with
• How long we hold your information for
• Implications of not providing personal information
• The legal basis for using your information
• Processing your information outside Europe
• How to exercise your personal information rights
• How you should contact us
• Changes to this notice.
• This notice applies to all of the third party processors and platforms that we use, on your behalf, along with our own internal services. Your contract terms and conditions will specify which of the relevant third party processors or services that will apply to you. If you have any questions about how your information is gathered, stored, shared or used, please contact our Data Protection Officer. You have a number of rights in relation to your information, including the right to object to processing of your personal information for direct marketing or where the legal basis for our use of your data is our legitimate business interests or performance of a task in the public.
1. Who we are
Throughout this document, “we”, “us”, “our” and “ours” refers to Orca Financial Group and/or the team that works within the company.
We have a registered address at:
The Grange, Stillorgan Road, Blackrock, Co. Dublin.
2. The information that we collect about you
As both a controller and processor of information there are a number of reasons for gathering data about you. For instance, we need to know how to get in touch with you, we need to be certain of your identity and we need to understand your brand requirements, so we can offer you products and services that give you the best possible customer experience. This information that we collect falls into various categories:
Identity & contact information;
Name, contact details, marital status, online user identities (such as your Twitter handle, Facebook profile, LinkedIn profile and internet protocol addresses as well as cookie identifiers), security details to protect identity, email address, work and personal phone numbers.
Financial details and circumstances;
As a processor we my be required to collect bank account details, personal or company guarantees, applications and administration records, your employment status and authorised signatory details.
Information you provide us, as your designated processor, about others or others provide us about you;
If you give us information about someone else (for example, information about one of your customers or suppliers), or someone gives us information about you, we may add it to any personal information we already hold and we will use it in the ways described in this Data Protection Policy. Before you disclose information to us about another person, you should be sure that you have their agreement to do so. You should also show them this Data Protection Policy. You need to ensure they confirm that they know you are sharing their personal information with us for the purposes described in this Data Protection Policy.
Special categories of sensitive data;
We may hold information about you which includes sensitive personal data, such as criminal conviction information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships, health or sex life data. We will only hold this data when we need to for the purposes of the services we provide to you or where we have a legal obligation to do so. Examples of when we use this type of data include:
• If you have criminal convictions, we may process this information in the context of compliance with anti-money laundering obligations
• Information about you provided by others
• If you give us information about someone else, or someone gives us information about you
• Information which you have consented to us using
• Your agreement to allow us contact you through certain channels to offer you relevant services
• Information from online activities
• We collect information about your internet browser settings or otherwise Internet Protocol (IP) and other relevant information to help us identify your geographic location when providing you with our services
• Other personal information
• Information in relation to data access, correction, restriction, deletion, porting requests and complaints.
As both a controller and processor there are times when we may collect and use your information even though you are not a customer of ours. For example, you may be a supplier or a third party representative of one of our customers, or you may be in the process of engaging with one of our customers. In these cases, your own circumstances may have a material impact on the ability of our customers to perform their obligations to us, and we will need to consider these. If so, we will apply the principles outlined in this Data Protection Policy when dealing with your information.
As a processor of data there are circumstances where we act on behalf of a controller who is required to process data from underage subjects. Therefore we must ensure that our controller or our company has adequate systems in place to verify individual ages and gather consent from guardians. The GDPR introduces special protections for children’s data, particularly in the context of social media and commercial internet services. The state will define the age up to which an organisation must obtain consent from a guardian before processing a child’s data. The GDPR and the Irish Data Protection Bill 2018 defines a child as being anyone under the age of thirteen . It should be noted that consent needs to be verifiable, and therefore communicated to your underage customers in language they can understand.
3. When and how we collect information about you
As you use our services, the third party affiliated products that we use or if you make enquiries and engage with us, information is gathered about you. We may also collect information about you from other people and other parties, for example, when you are named in an application, from publicly available websites and from additional sources where you have chosen to make your information available, such as social media sites.
In our roles as both a controller and processor we collect information about you:
• When you ask us to provide you with certain products and services. For example, third party analytical products or platforms may require us to collect relevant information from you
• When you use our website, the sites we manage and the online services provided by us including mobile applications
• When you or others give us information verbally or in writing. This information may be on application forms, in records of your interactions with us or if you make a complaint
• When you use our third party products or our internal services, we gather details about you
• From information publicly available about you – for example in trade directories, online forums, websites, Facebook, LinkedIn, Twitter, YouTube or other social media platforms
• When you make information about yourself publicly available on your social media accounts or where you choose to make information available to us through your social media account, and where it is appropriate for us to use it, this information can help enable us to do things like:
• Improve our service. For example – identifying common service issues
• Personalise your online experience with us, including through the use of videos or apps
• Contact you through the social media services, and
• From your online activities with third parties where you have given us your consent. For example, by consenting to our use of certain cookies or other location tracking technologies
• From data reference agencies, data registration agencies, fraud prevention agencies or public agencies such as company registration authorities, the Companies Registration Office or judgement registries.
4. How we use your information
Whether we’re using it to confirm your identity, to help in the processing of a third party product, avail of an internal service or to improve your experiences with us, your information is always handled with care and the principles outlined in this Data Protection Policy are always applied.
We use your information:
• So that we may provide third party product providers services to you, and to fulfil our contract with you
• In order to provide third party product providers services to you, and to fulfil our contract with you, we use your information to establish your eligibility for our third party providers products and services
• Manage and administer your accounts, so that our partners may provide you with their relevant services. For example, if you have a requirement for an online analytical platform, we may need to share your personal information with other service providers who, in turn, also hold a charge on your personal information
• Process your applications for credit services
• Should the need arise, to run loyalty and reward programmes that you may have signed up to
• Contact you by post, phone, text message, email and social media, but not in a way contrary to your instructions to us or contrary to law
• Recover bad debts you may owe us
• Manage and respond to a complaint.
GDPR Article 32-34: In this case businesses should make sure that they have the right procedures in place to detect, report and investigate a personal data breach. The GDPR brings into play, the concept of mandatory breach notifications, which will be new to many organisations. All breaches must be reported to the Data Protection Commissioner [DPC], typically within 72 hours, unless the data was anonymised or encrypted. In practice this will mean that most data breaches must be reported to the DPC. Breaches that are likely to bring harm to an individual (such as identity theft or breach of confidentiality) must also be reported to the individuals concerned. We recommend that now is the time to assess the types of data you hold and document which ones which fall within the notification requirement in the event of a breach. Larger organisations will need to develop policies and procedures for managing data breaches, both at central or local level. As a processor we are only obliged to report data breaches to our own relevant controllers that we represent.
• To manage our business for our legitimate interests
• In order to manage our business we may use your information to carry out credit management checks;
• Provide service information, to improve our service quality and for training purposes
• Conduct marketing activities and market research. For example, running competitions, promotions and direct marketing (provided that you have not objected to us using your details in this way), and research, including customer surveys, analytics and related activities
• To run our business on a day to day basis which includes carrying out strategic planning and business portfolio management
• Compile and process your information for statistical or research purposes (including, in some cases, making your data anonymous) in order to help us understand trends in customer behaviours and to understand our industry better
• Protect our business, reputation, resources and equipment, manage network and information security (for example, developing, testing and auditing our website and other systems, dealing with accidental events or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services) and prevent and detect fraud, dishonesty and other crimes. For example, to prevent someone trying to steal your identity
• Manage and administer our companies legal and compliance affairs, including compliance with regulatory guidance and voluntary codes of practice to which we have committed
• Enable our company team members to share or access your information for internal administrative purposes, statistical or research purposes (including making your data anonymous) to help us understand trends in customer behaviour, for helping us to understand our risks better and for the purposes set out in this Data Privacy Notice, but not for the purposes of direct marketing where you have objected to this
• The directors of the company may in the future wish to sell, transfer or merge part or all of their share holding in the business or assets or to buy a new business or the assets of another business or enter into a merger with another business. If so, we may disclose your personal information under strict duties of confidentiality to a potential buyer, merger partner or seller and their advisers, so long as they agree to keep it confidential and to use it only to consider the possible transaction. If the transaction goes ahead, the buyers or merger partner may use or disclose your personal information in the same way as set out in this Data Protection Policy
• To comply with our legal obligations.
• We need to use your information to comply with legal obligations which include complying with your information rights;
• Providing you with statutory and regulatory information and statements
• Establishing your identity and business status in order to comply with the law and regulation concerning taxation and the prevention of fraud
• Reporting to and, where relevant, conducting searches with industry based regulatory bodies
• Complying with court orders arising in civil or criminal proceedings
• Performing a task carried out in the public interest
• Where you have given us permission, which you may withdraw at any time.
• In the case where you have given us permission, which you can withdraw at any time, we may;
• Send electronic messages to you about third party product providers and our own internal service offerings from our company and our selected and trusted partners
• Share your data with third parties so that they may send you electronic messaging about their own products and offers
• Use special categories of data, or sensitive data
• Use information you have made public and combine with this with the activities outlined above
• When we ask for your consent, we will provide you with more information on how we will use your data in reliance on that consent, including in relation to third parties or our processors that we would like your consent to share your data with.
5. How we use analytics and automated processing platforms
We use automated statistical analysis of the information that we collect about you as part of our business as both a controller and processor of data, through;
• Analysis of your information, that helps us to make digital marketing related decisions
• When you apply for one of our clients services online, for example a product or service, we may evaluate the application using statistical analysis to determine whether or not the product best meets your needs
• To decide the type of service suitable for you, or to decide other terms, for example; the minimum amount you need to secure a clients product when you want buy something financed by them
• This credit standing generally takes account of information from three sources;
• Information you provide during your application
• Information that may be provided by credit reference agencies or credit registers, and
• Information that may already be held about you by our company.
• Automated analysis of our customer and supplier information, including your information, as a whole helps us to manage our business for our legitimate interests. It enables us to;
• Make more informed business decisions, including improving the quality of third party products or processors and internal services that we can offer. This includes information for the purposes of direct marketing, unless you have objected to us using your details in this way
• Test and maintain the stability and performance of our systems
• Carry out long-term statistical modelling, provided that such modelling does not affect any decision we make about you.
• Automated analysis of your information also enables us to monitor administrative processes and helps us to form a single view of your relationship with both Aster and that of our customers. This is intended to help us to manage and build our relationship with you and is an important part of managing our business in our legitimate interests. For example; it enables us to develop personalised information for you on behalf of our clients in real-time based on your personal circumstances. In essence, providing you with relevant information when you log into any appropriate online accounts so that you may maximise your experience.
• Automated analysis of your information assists us to comply with our legal obligations
• There are also certain automated analyses of your information that we will only carry out where you have given us your consent, which you can withdraw at any time
• We will only automatically process your information to enable us to undertake the following activities where we have your consent
• Send electronic messages to you about third party products or processors and our internal service offerings from Aster and/or our selected trusted partners
• Share your data with third parties so that they may send you electronic messaging about their own products and service offerings
• Use sensitive categories of data, as set out in data protection legislation
• Use information you have made public and combine this with the activities outlined above.
6. Who we share your information with
We only share your information with a select number of individuals and companies, and only as necessary. Sharing can occur in the following circumstances, with the following people or our authorised representatives:
• Third parties we need to share your information with in order to obtain information regarding our digital marketing, development and brand design related activities
• We may disclose your information within our company to our staff and other third party processors for administration, regulatory, customer care and service purposes, and in some cases to investigate or prevent fraud
• Companies that provide support services for the purposes of protecting our legitimate interests
• Your personal information remains protected when our service providers use it. We only permit third party service providers to use your information in accordance with our instructions, and we ensure that they have appropriate measures in place to protect your information
• Our service providers include marketing and market research companies, analytics companies, IT and telecommunication service providers, software development contractors, data processors, computer maintenance contractors, printing companies, file storage companies, custodians and providers of administration services, archiving services suppliers, accounting and advice agencies, auditors and consultants, including legal advisors
• We may also share information with the following third party providers to help us manage our business for our legitimate interests;
• Trade associations and professional bodies, non-statutory bodies and members of trade associations or organisations
• Persons making an enquiry or complaint
• Business partners and joint ventures, for example, where we have an arrangement with one of our other customers. In such cases, we, our business partners or those involved in the joint venture will let you know that your information is being shared and who it is being shared with.
• Statutory, regulatory bodies and law enforcement authorities. These include the Data Protection Commission, An Garda Síochána/police authorities/enforcement agencies, Revenue Commissioners, Criminal Assets Bureau, US, EU and other designated authorities in connection with combating cyber and other serious crimes as well as fraud prevention agencies.
7. How long we hold your information for
The length of time we hold your data depends on a number of factors, such as regulatory rules and the type of service that we have provided to you. Those factors include:
• The type of brand design service that we have provided to you. For example, we may keep data relating to an ongoing web development contract for a longer period compared to data regarding a single brand design related job
• If we are engaged within a fixed term financial contract
• Whether you and us are in a legal or some other type of dispute with another person or each other
• The type of data we hold about you
• Whether you or a regulatory authority asks us to keep it for a valid reason
• Whether we use your data for long-term statistical modelling, provided that such modelling does not affect any decision we make about you
• As a general rule, we keep your information for a specified period after the date on which a brand design related transaction has completed or you cease to be a customer. In most cases this period is seven years.
8. Implications of not providing personal information
Sharing information with us is in both your interest and ours as we need your information in order to:
• Provide our third party processors and internal services to you in order to fulfil our contract with you
• Manage our business for our legitimate interests
• Comply with our legal obligations
• Of course, you can choose not to share information, but doing so may limit the services we are able to provide to you
• We may not be able to provide you with certain third party related processors products and internal services that you request
• We may not be able to continue to provide you with or renew existing third party related processors products and internal services
• We may not be able to assess your suitability for a third party related processorsproducts and internal service, or, where relevant, give you a recommendation to provide you with additional services
• When we request information, we will tell you if providing it is a contractual requirement or not, and whether or not we need it to comply with our legal obligations.
9. The legal basis for using your information
We will use your data and share that data where:
• It’s use is necessary in relation to a service or a contract that you have entered into or because you have asked for something to be done so you can enter into a contract with us
• It’s use is in accordance with our legitimate interests outlined in this notice
• It’s use is necessary because of a legal obligation that applies to us, except an obligation imposed by a contract. An example of this would be us sharing your information with the IEDR
• You have consented or explicitly consented to the using of your data, including special categories of data, in a specific way
• It’s use is necessary to protect your “vital interests”
• In exceptional circumstances we may use and/or disclose information, including special categories of data, we hold about you to identify, locate or protect you, for example, if it comes to our attention that you are in imminent physical danger and this information is requested by An Garda Síochána or your relative
• Where you have made clearly sensitive categories of data about yourself public
• Where the processing of special categories of data is necessary for the establishment, exercise or defence of legal claims
• Where authorised by law or regulation, we may undertake processing of special categories of data for a substantial public interest
• Where the processing of criminal conviction data is authorised by EU or local law.
10. Processing your information outside Europe
Your information is stored on secure systems within our premises and with providers of secure information storage. We may transfer or allow the transfer of information about you and your third party products and services with us to some of our selected service providers and other organisations outside the European Economic Area (EEA), but only if they agree to act solely on our instructions and protect your information to the same standard that applies in the EEA. It must also be noted that, those external organisations may process and store your personal information abroad and may disclose it to foreign authorities to help them in their fight against cyber crime and terrorism. In all cases we will use ‘zero knowledge’transfer platforms that are provided by our third parties processors.
Using companies to process your information outside the EEA;
Some of our service providers, for example IT, telecommunication, custodians and providers of administration services, analytical agents and contractors are based outside of the EEA. Where we authorise the processing or transfer of your personal information outside of the EEA, we require your personal information to be protected to at least Irish standards and include the following data protection transfer mechanisms:
• Adherence to the EU/US Privacy Shield. You can find more information on the EU/US Privacy Shield at www.privacyshield.gov including a list of all organisations that have signed up to the EU/US Privacy Shield framework.
11. How to exercise your personal information rights
Providing and holding personal information comes with significant rights on your part and significant obligations on ours. You have several rights in relation to how we use your information. If you make your request electronically, we will, where possible, provide the relevant information electronically unless you ask us otherwise. In these cases you have the right to:
• Find out if we use your information, to access your information and to receive copies of the information we have about you
• Request that inaccurate information is corrected and incomplete information updated
• Object to particular uses of your personal data where the legal basis for our use of your data is our legitimate business interests (for example, profiling we carry out for our legitimate business interests) or the performance of a task in the public interest. However, doing so may have an impact on the services and third party products we can or are willing to provide
• Object to use of your personal data for direct marketing purposes. If you object to this use, we will stop using your data for direct marketing purposes
• Have your data deleted or its use restricted. You have a right to this under certain circumstances. For example, where you withdraw consent you gave us previously and there is no other legal basis for us to retain it, or where you object to our use of your personal information for particular legitimate business interests
• Withdraw consent at any time, where any processing is based on consent. If you withdraw your consent, it will not affect the lawfulness of processing based on your consent before its withdrawal.
• We are obliged to respond without undue delay. In most instances, we will respond within one calendar month.
• If we are unable to deal with your request fully within a calendar month (due to the complexity or number of requests), we may extend this period by a further calendar month. Should this be necessary, we will explain the reasons why. If you make your request electronically, we will, where possible, provide the relevant information electronically unless you ask us otherwise
• You have the right to complain to the Data Protection Commission or another supervisory authority.
You can contact the Office of the Data Protection Commissioner at:
Data Protection Commission,
Canal House, Station Road,
Portarlington, R32 AP23, Co. Laois.
Telephone: +353 (0)761 104 800 or Lo Call Number 1890 252 231
12. How you should contact us
If you have any questions about how your personal data is gathered, stored, shared or used, or if you wish to exercise any of your data rights, please contact our Data Protection Officer [DPO] at: Telephone: +353 (0)86 824 6888
eMail: generaldataprotection@[domain address].ie or by visiting our office at The Grange, Stillorgan Road, Blackrock, Co. Dublin
13. Changes to this notice
We will update this Data Protection Policy from time to time. Any changes will be communicated to you and made available on this page and, where appropriate, notified to you by eMail.