Contact The Finance Shop

Privacy Policy – General Data Protection Regulation (GDPR)


The General Data Protection Regulation (GDPR) is effective from May 25th 2018. This is the first revision of data protection rights and responsibilities at European level since 1995. The GDPR amends existing data protection law in Ireland and creates enhanced accountability and transparency obligations for all companies who process personal data whilst granting new and enhanced rights for individuals.

In order to provide Financial Advice for our clients we firstly complete a Factfind where we gather personal data. When we have considered all the information we will make recommendations. A recommendation might be to commence an Insurance contract such as a Life Assurance, Pension, Savings or Investment contract.

In this example The Finance Shop becomes the Data Controller and the client becomes a Data Subject. The Finance Shop will only ever use your data to provide advice and arrange products with product providers on your behalf.

There are three separate actions in this process and the Data Controller we have should have policies in place to ensure that the rights of the Data Subject are upheld.

a) gather personal data
b) store this personal data
c) share your personal data to a third party such as an insurance company

Gathering Personal Data
We can only gather store and share your personal data with your prior consent. There is a declaration on our Factfind document that seeks your permission to contact other professional advisors such as accountants and solicitors if we require data from other sources or advisors.

Storing Personal Data
We will store your Personal Data on paper and computer files. At this time we do not use an external client management system (CMS) so we do not store your data on any external storage medium.

The Finance Shop will not hold your data for any longer than is necessary. The time span will depend on

a) the type of product or service we provide for you
b) regulatory rules or the potential existence of legal disputes

There is a legal term called Statute of Limitations which imposes a limit on the right of action so that after the prescribed period any action will be “time barred”. In contract law this is 6 years. If we arrange a contract on your behalf we will hold you file for a further 6 years after the contract has ceased.


Sharing Personal Data
We will keep your personal data confidential but may share it with third parties where necessary to arrange products or services on your behalf. We may also share your data with regulatory or government bodies when required.

International Sharing of Data
We do not envisage a situation where we would share your data with organisation outside of the state. Perhaps reasons may occur in the future and if so we will make you aware of this.

Data Protection Rights of a Data Subject

Access – you have the right to be informed of how we collect, share and use your personal data and to request a copy of the data we hold about you.

Rectification – You have the right to have inaccurate information corrected and incomplete information updated.

Erasure – Under certain circumstances you have the right to have your data or a portion of it deleted.

Restriction – Under certain circumstances you have the right to have the use of your data restricted.

Objection – Under certain circumstances you have the right to object to the processing of your data.

Portability – You have the right to have the data we hold about you transferred to another organisation.

Complaints – You have the right to complain to the office of the Data Protection Commissioner at:

Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Co. Laois
R32 AP23

Mandatory Notification of Data Breaches
Data Controllers have a mandatory obligation to report breaches to the supervisory authority within 72 hours (unless the breach is unlikely to result in a risk to the rights of the data subjects (ie. encrypted or anonymised).

Data Controllers will also have to notify the data subjects where a data breach will have a possible adverse impact for the Data Subject.

Data Controllers must keep records of al data breaches