Data Protection

The Data Protection Acts 1988 - 2018 (the “Data Protection Acts”) lay down strict rules about the way in which personal data (including special categories of personal data) are collected, accessed, used and disclosed. The Data Protection Acts also permit individuals to access their personal data on request, and confer on individuals the right to have their personal data amended if found to be incorrect. Further information regarding these rights can be found in the Data Protection Notice.

Inquiries about Data Subject Rights Requests should be made to Rights Management Requests, KBC Dublin Branch, Sandwith Street, Dublin 2.

(i) Making a Data Access Request (Article 15 General Data Protection Regulation (GDPR))

Under the Data Protection Acts, you may receive a copy of your personal data held by Exicon DAC (formerly KBC Bank Ireland DAC) or KBC Dublin Branch on request.

In order to respond to your request we require you to:

1. Download the Customer Request Form here* (pdf, 46 KB)
2. Complete, sign and date the Customer Request Form. Please be as specific as possible about the information you wish to access;
3. Post the Customer Request Form to Rights Management Requests, KBC Dublin Branch, Sandwith Street, Dublin 2 or email a copy of the completed signed form to rightsmanagement@kbc.com

*If you cannot download the Customer Request Form from the internet please contact us on 01-961 9800 and we can arrange  to post this form to you or write a letter to Rights Management Requests, KBC Dublin Branch, Sandwith Street, Dublin 2 requesting your personal data.

(ii) Responding to your Access Request

Once we have received your fully completed Customer Request Form or letter we shall respond to you within the statutory period of thirty (30) days.

If you are not satisfied with the outcome of your access request you are entitled to make a complaint to the Data Protection Commissioner who may investigate the matter for you. The Data Protection Commission website contains useful information on access requests and other data protection issues at www.dataprotection.ie.

You can download a copy of the Data Protection Notice (Updated 2023) here (pdf, 146KB).

You may receive a copy of your personal data held by Exicon or KBC Dublin Branch on request.

In order to respond to your request we require you to:

Send a written request by either downloading the Customer Request Form from the Data Protection section of our website or write a letter to Rights Management Requests, KBC Dublin Branch, Sandwith Street, Dublin 2 or email rightsmanagement@kbc.com requesting your personal data. If you cannot download the Customer Request Form we will arrange to post this form to you.

Complete, sign and date the Customer Request Form/letter. Please be as specific as possible about the information you wish to access.

Post the written instruction to Rights Management Requests, KBC Dublin Branch, Sandwith Street, Dublin 2 or email rightsmanagement@kbc.com.

How long certain personal information is stored depends on the nature of the information we hold and the purposes for which they are processed, including to provide our services and for other purposes such as:

• complying with legal obligations (for example, we are required to retain some customer information for a minimum of 6 years after the end of the customer relationship in accordance with the Central Bank of Ireland’s Consumer Protection Code or under anti-money laundering legislation);
• complying with retention obligations under legal or regulatory orders;
• to protect, enforce or defend our rights and property;
• to support operational retention needs (including to support the phased migration of data from KBC Bank Ireland DAC  (now Exicon DAC) to KBC Bank NV (acting through its branch in Ireland) [or other third party acquirer notified to you] and the operational wind-down of KBC Bank Ireland DAC (now Exicon DAC) systems);
• to the extent necessary to protect the integrity of our IT systems and the data stored on those systems where a phased data erasure process is not feasible from a technical or operational perspective in which case all data stored on the relevant Exicon/KBC system will be deleted once the last retention period for any data stored on that system has expired.

If the purpose for which the information was obtained has ceased and the personal information is no longer required, the personal information will be deleted or anonymised which means that your personal information is stripped of identifying characteristics or where it is required to be obtained for an additional period for operational reasons, security measures will be applied to prevent any further use of your personal information by the KBC Group other than its storage in a secure manner following which it will be deleted as explained above.

We are restricted in deleting certain applications as there are other statutory obligations imposed on us by law that we must also adhere to. Please rest assured that Exicon (formerly KBC Bank Ireland) has strict retention periods assigned to all personal data entrusted to us and this data will be retained in a safe and secure environment and will not be used for any other purpose before being permanently deleted.

The General Data Protection Regulation (GDPR) was implemented on the 25 May 2018. The law provides individuals with greater control over their personal data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations such as Exicon/KBC Dublin Branch. The GDPR also imposes greatly increased obligations on organisations that collect this data. Under the GDPR individuals have the significantly strengthened rights to:

• access personal information held about them by an organisation; have incorrect or incomplete data corrected;
• have their data erased, where, for example, the organisation has no legitimate reason for retaining the data;
  
• obtain their data from an organisation and to have that data transmitted electronically to another organisation in certain circumstances (known as Data Portability);
  
• object to the processing of their data by an organisation for certain purposes;
  
• not be subject to (with some exceptions) automated decision making, including profiling.
  

The Irish Data Protection Commission website (www.dataprotection.ie) has further information for individuals on the GDPR.

As a member of the KBC Group, Exicon (formerly KBC Bank Ireland) and KBC Dublin Branch sometimes shares personal information relating to its customers with other members of the KBC Group in order to carry out a number of key functions, for example, compliance and internal audit purposes, for internal reporting and ICT management

Exicon/KBC Dublin Branch also sometimes shares your personal information with trusted third parties who perform important functions for us based on our instructions and applying appropriate confidentiality and security measures. For example, we use third parties to help us detect, prevent, or otherwise address fraud, security or technical issues. We go into more detail about the reasons we share personal information with third parties in the Data Protection Notice.