Privacy Policy
We take the protection of your personal data very seriously and process your data in accordance with the Irish Data Protection Act 2018 (“DPA”) and the General Data Protection Regulation (“GDPR”).
With the help of this Privacy Policy, we inform you comprehensively about the processing of your personal data by us and the rights to which you are entitled.
Personal data is information that makes it possible to identify a natural person. This includes, your name, date of birth, address, telephone number, e-mail address, but also your IP address. Anonymous data as such only exists if no personal reference to the user can be made.
The Data Controller
In accordance with the DPA and the GDPR, the person responsible for processing of personal data when using the website is:
PensionsVault is a registered trading name of Centric Pensions Ltd
Centric Pensions Ltd
Registered in Ireland 681895
51 Bracken Road, Sandyford, Dublin D18
Web: www.centric.ie
Phone: +353 1 90 11336
E-Mail: info@centric.ie
Categories of data subjects and types of data processed
During the course of using our website and services, we process the following types of data from visitors and users:
PensionsVault financial data
PensionsVault has the facility for users to upload personal financial data for the purposes of keeping a track of their various pension entitlements. Data is uploaded by the user at their digression and own responsibility. In addition, as a part of our service, detailed in the user terms and conditions, we provide users with a half yearly update of their pension values on the platform. These values are obtained from your pension provider and are securely stored in your personal vault. You can choose to opt out of this information being updated at any time by contacting us in writing with your request.
Purpose of the processing
The Purpose of processing personal data are:
Relevant legal basis
In accordance with the DPA and the GDPR, the following legal basis, unless specifically described below apply to the processing of your personal data:
Security of your personal data
We take appropriate technical and organisational measures in accordance with Art. 32 GDPR, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to, input, disclosure, ensuring availability and segregation of the data. We also have procedures in place to ensure the exercise of data subjects' rights, deletion of data and response to data compromise. Furthermore, we already take the protection of personal data into account during the development and selection of hardware, software and procedures, in accordance with the principle of data protection through technology design and through data protection-friendly default settings (Art. 25 GDPR).
Cooperation with processors and third parties
If, in the course of our processing, we disclose data to other persons and companies, transmit it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, such as to payment service providers, is necessary for the performance of the contract, you have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.). If we commission third parties to process data on the basis of a so-called "order processing agreement", this is done on the basis of Art. 28 GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the Ireland or the European Economic Area (EEA)) or if this is done in the context of using third-party services or disclosing or transferring data to third parties, this is only done if it is done in order to fulfil our (pre-) contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or allow the processing of data in a third country if the special requirements of Art. 44 ff. GDPR are met. This means, for example, that the processing is carried out on the basis of special guarantees, such as the officially recognised determination of a level of data protection corresponding to that of the Ireland or the European Union or compliance with officially recognised special contractual obligations (so-called "standard contractual clauses").
Your rights
These rights are standardised in both the DPA and GDPR. This includes:
Please contact us at any time with questions and suggestions regarding data protection and to enforce your rights as a data subject.
The Data Protection Commissioner (DPC) is the relevant data protection supervisory authority in Ireland. The DPC is located at Canal House, Station Road, Portarlington, Co. Laois, R32 AP23,
Phone +353 (0761) 104 800 / Email: infor@dataprotection.ie. We would, however, appreciate the chance to deal with your concerns before you approach the DPC.
Cookies
Cookies" are small files that are stored on your device. Different information can be stored within the cookies. We may use temporary and permanent cookies and will explain this in our Cookie Policy. The legal basis for the use of cookies is either your consent or our legitimate interest.
Deletion of data
The data processed by us will be deleted or its processing restricted in accordance with Articles 17 and 18 GDPR. Unless expressly stated in this data protection declaration, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. I.e., the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.
Business-related processing
In addition, we process:
of our customers, prospective customers for the purpose of providing contractual services, service and customer care, marketing, advertising, and market research.
Contractual services
We process the data of our customers within the scope of our contractual services. In doing so, we process information for example
As a matter of principle, we do not process special categories of personal data, unless these are components of commissioned processing. The purpose of the processing is the provision of contractual services, billing, and our customer service. We process data that is necessary for the justification and fulfilment of contractual services and point out the necessity of their disclosure. Disclosure to external parties only takes place if it is necessary in the context of the service.
When processing the data provided to us within the scope of providing our services, we act in accordance with the instructions of the client as well as the legal requirements of order processing pursuant to Art. 28 GDPR and do not process the data for any other purposes than those specified in the services.
We delete the data after the expiry of the statutory warranty and comparable obligations. The necessity of storing the data is reviewed every three years; in the case of statutory archiving obligations, the deletion takes place after their expiry (6 years).
In the case of data disclosed to us by the user within the scope of a services, we delete the data in accordance with the specifications of the services, in principle after the end of the services.
Use of PensionsVault
Once registered with our application, you are entitled to maintain use of the PensionsVault platform as long as you are a client of the nominated adviser on the account. If you registered as a part of membership of an occupational pension, you are also entitled to maintain use of the platform, even when you leave service of your current employer, as you are still registered with the nominated adviser.
Access to your information
This platform is a shared platform between a user and the registered financial adviser who has provided the platform. The platform allows for the sharing of information and documents to facilitate effective pension planning and communication. Data and documents uploaded to the platform by the user will be visible by your nominated adviser. If you do not want your adviser to see data or documents that you upload to the platform please contact us by sending a request to hello@pensionsvault.ie.
Administration, financial accounting, office organisation, contact management
We process data within the scope of administrative tasks as well as organisation of our business, financial accounting, and compliance with legal obligations, such as archiving.
In doing so, we process the same data that we process in the context of providing our contractual services. The purpose and our interest in the processing lies in the administration, financial accounting, office organisation, and archiving of data, i.e., tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services.
The deletion of data with regard to contractual services and contractual communication corresponds to the information mentioned in these processing activities.
In this context, we disclose or transmit data to the tax authorities, consultants such as tax advisors or auditors as well as other fee offices and payment service providers.
Furthermore, we store information on suppliers, organisers, and other business partners on the basis of our business interests, e.g., for the purpose of contacting them at a later date. This data, most of which is company-related, is stored permanently.
Contact
Once subscribed to PensionsVault messages, documents and notifications can be posted in your Vault and you will receive an email to your registered email address advising of the new posting. You may also be notified by WhatsApp.
When contacting us (e.g., via e-mail, phone or social media), the user's details are processed for the purpose of handling the request and its processing. The user's details may be stored in a customer relationship management system or comparable enquiry organisation. We delete the enquiries if they are no longer necessary. We review the necessity every two years; furthermore, the legal archiving obligations apply.
Data storage
Subscribers to the PensionsVault platform have their own secure account where their personal data is stored Users can request a copy of this at any stage and/or request to have all data records deleted. Requests should be made in writing to Centric Pension Ltd. Personal data for the PensionsVault platform is encrypted and held in a secure cloud-based web centre within the EU. The web centre is owned and operated by Amazon as a part of their AWS (Amazon Web Services), which maintain the highest storage security controls available. Access to this facility is only available in encrypted format from our IT provider, Square Root Solutions/Imperiot IT Software No personal data is held outside the EEA.
Hosting
The hosting services used by us for the purpose of operating this website is Amazon Web Services (AWS) located at One Burlington Plaza, Burlington Road, Dublin 4, Ireland. In doing so Amazon Web Services (AWS), process inventory data, contact data, content data, contract data, usage data, meta data and communication data of customers, interested parties and visitors of our website on the basis of our legitimate interests in an efficient and secure provision of the website in conjunction with the provision of contractual services and the conclusion of the contract for our services, including but not limited to our services).
Collection of access data and log files
We, or rather Amazon Web Services (AWS), collect data on every access to our website on the basis of our legitimate interest. The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.
Log file information is stored for security reasons (e.g., for the clarification of abuse or fraud) for a maximum of 7 days and then deleted. Data whose further storage is necessary for evidentiary purposes is exempt from deletion until the respective incident is finally clarified.
Data Breaches/Notification
Databases or data sets that include Personal Data may be breached inadvertently or through wrongful intrusion. Upon becoming aware of a data breach, we will notify all affected individuals whose Personal Data may have been compromised, and the notice will be accompanied by a description of action being taken to reconcile any damage as a result of the data breach. Notices will be provided as expeditiously as possible after which the breach was discovered.
Children’s Privacy
Our services are restricted to users who are 18 years of age or older. We do not knowingly collect personal data from anyone under the age of 18. If you suspect that a user is under the age of 18, please contact us.
Changes
Because we’re always looking for new and innovative ways to improve our website and services, this policy may change over time. We will notify you before any material changes take effect so that you have time to review the changes.