Full Data Protection Statement
1.1 The National Asset Management Agency (referred to in this Data Protection Statement as “NAMA”, “us” or “we”) is a State body which was established by the National Asset Management Agency Act 2009 (the “NAMA Act”) as a measure to address the serious threat to the economy and the stability of credit institutions in the State. This is achieved by, inter alia, acquiring eligible bank assets (loans and related security, primarily over property assets) from designated participating institutions (credit institutions who applied to partake in NAMA’s statutory scheme), dealing expeditiously with the assets acquired by it and protecting or otherwise enhancing the value of those assets, in the interest of and for the purposes of obtaining the best achievable financial return for the State.
1.2 NAMA is empowered under the NAMA Act to incorporate corporate subsidiaries, for specific purposes in relation to the achievement by NAMA of its statutory objectives and purposes. Each of these is referred to as a “NAMA group entity” in the NAMA Act and in this Data Protection Statement and to date, the following NAMA group entities have been incorporated:
(a) National Asset Loan Management Designated Activity Company. This company acquired bank assets from participating institutions and advances credit to NAMA’s borrowers;
(b) National Asset Management Agency Investment Designated Activity Company. This is the company through which private investors previously invested in NAMA;
(c) National Asset Management Designated Activity Company. This company is responsible for issuing the Government guaranteed debt instruments and the subordinated debt, which were used as consideration in acquiring bank assets from participating institutions;
(d) National Asset Management Group Services Designated Activity Company. This company is a holding company for four of the NAMA subsidiaries;
(e) National Asset Property Management Designated Activity Company. The purpose of this company is to take direct ownership of property assets if and when required;
(f) National Asset Management Services Designated Activity Company. This company acquired a 20% shareholding in a general partnership associated with a National Asset JV A Designated Activity Company investment;
(g) National Asset JV A Designated Activity Company. This company was established to facilitate NAMA entering into various investment venture transactions;
(h) National Asset North Quays Designated Activity Company. This company was established, inter alia, to hold freehold lands at North Wall Quay, Dublin acquired by NAMA;
(i) National Asset Residential Property Services Designated Activity Company. This company was established to acquire residential properties and to lease and ultimately sell these properties to approved housing bodies for social housing purposes;
(j) National Asset Leisure Holdings (In Liquidation). This company is the parent company of the two Portuguese companies referred to at (l) below;
(k) RLHC Resort Lazer SGPS SA and RLHC Resort Lazer II SGPS SA. These companies are wholly owned Portuguese subsidiaries of National Asset Leisure Holdings (In Liquidation), established to acquire and hold the certain operating companies with assets in Portugal;
1.3 Each NAMA group entity may share Personal Data with NAMA and other NAMA group entities and any reference to NAMA/us/we in this Data Protection Statement also includes these NAMA group entities.
1.4 While this Data Protection Statement applies to each NAMA group entity, NAMA has been designated as the contact point for the exercise by Data Subjects of their Data Subject Rights (see Section 6.3).
1.5 Pursuant to the NAMA Act, the National Treasury Management Agency (“NTMA”) assigns staff to NAMA and also provides NAMA with business and support services and IT systems.
2. Purpose of this Data Protection Statement
2.1 The purpose of this Data Protection Statement is to explain what Personal Data we Process and how and why we Process it. In addition, this Data Protection Statement outlines our duties and responsibilities regarding the protection of such Personal Data and the rights of data subjects in that respect.
2.2 This Data Protection Statement is not an exhaustive statement of our data protection practices. The manner in which we Process data will evolve over time and we will update this Statement from time to time to reflect changing practices. In addition, we operate a number of internal workplace policies and procedures which inter-relate with this Data Protection Statement. For example, NAMA has internal policies and procedures governing Personal Data Breach, Data Subjects’ Rights Requests and Data Retention.
2.3 In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Data Protection Statement by reference into various points of data capture used by us such as email correspondence, application forms and website forms.
2.4 A glossary of some of the data protection terms used throughout this Statement may be accessed in Annex 1.
3.1 The data Processing undertaken by NAMA and NAMA group entities is undertaken in fulfilment of the statutory functions and duties of NAMA.
3.2 When acting as a Data Controller, NAMA relies on Article 6(1)(e) of the GDPR, which permits Processing that is necessary for the performance of a task which is in the public interest, where such “public interest” is laid down in EU or Irish law, as the legal basis for most of its Processing. The Data Protection Act 2018 makes it clear that NAMA can rely on this public interest basis as a lawful basis for Processing Personal Data generally where the Processing is necessary for the performance of a function of a Data Controller conferred by or under an enactment. Where NAMA seeks to rely on this as the legal basis for Processing activities involving the sharing or transferring of Personal Data to another public body NAMA will ensure that the obligations under the Data Sharing and Governance Act 2019 are complied with in full.
3.3 Where Processing activities are not supported by a statutory basis, NAMA relies on alternative legal bases permitted by Data Protection Law. Article 6(1)(c) of the GDPR permits Processing that is necessary for compliance with a legal obligation to which a Data Controller is subject. An example of such an obligation includes the Processing required by NAMA to report to the Central Credit Register under the Credit Register Act 2013.
3.4 NAMA also relies on Article 6(1)(b) of the GDPR insofar as Processing is necessary for the performance of a contract to which a Data Subject is a party or in order to take steps at the request of a Data Subject prior to entering a contract. For example, this would apply where a NAMA group entity Processes Personal Data in the course of advancing new loans or while considering another form of credit decision.
3.5 Most of the Personal Data received by NAMA is received from Data Subjects themselves either directly, from third parties acting on their behalf or from participating institutions or third party service providers acting on NAMA’s behalf. Personal Data categories will typically include name, address, date of birth, contact details, bank account details and information contained in identity documentation provided to NAMA such as passports or driving licences. In addition, NAMA holds data that it associates directly with the Data Subject, for example a NAMA account or connection number, information in relation to loans and security. In addition to data provided by the Data Subject or created by NAMA, NAMA may supplement this data with information that is publicly available from other sources, for example, the companies registration office, the land registry or internet searches.
4.1 As mentioned in Section 3 of this Data Protection Statement, NAMA group entities largely rely on its obligations to comply with legal requirements (as provided for in Article 6(1)(c) of the GDPR) and the public interest provision provided for in Article 6(1)(e) of the GDPR as the legal basis for most of their Processing. In this regard NAMA and the NAMA group entities Process Personal Data for the purpose(s) of fulfilling our statutory functions and obligations under the NAMA Act and other applicable legislation.
4.2 The following are examples of the types of legal obligation and/or public interest Processing undertaken by NAMA group entities along with a description of the underlying statutory basis in Sections 10 and 11 of the NAMA Act (the examples cover many instances of processing activity undertaken by NAMA group entities but are not intended to be exhaustive):
| Statutory Function | Legislative Support | GDPR Lawful Basis for associated Data Processing activities |
| Processing of Personal Data in the context of acquiring eligible bank assets from designated participating institutions, dealing expeditiously with the assets acquired by NAMA and protecting or otherwise enhancing the value of those assets, in the interest of and for the purposes of obtaining the best achievable financial return for the State. | Section 10 of the NAMA Act provides: 10.— (1) NAMA’s purposes shall be to contribute to the achievement of the purposes specified in section 2 by— (a) the acquisition from participating institutions of such eligible bank assets as is appropriate, (b) dealing expeditiously with the assets acquired by it, and (c) protecting or otherwise enhancing the value of those assets, in the interests of the State. (2) So far as possible, NAMA shall, expeditiously and consistently with the achievement of the purposes specified in subsection (1), obtain the best achievable financial return for the State having regard to— (a) the cost to the Exchequer of acquiring bank assets and dealing with acquired bank assets, (b) NAMA’s cost of capital and other costs, and (c) any other factor which NAMA considers relevant to the achievement of its purposes. Section 11(1) of the NAMA Act provides, inter alia, that: 11.— (1) In order to achieve its purposes, NAMA shall perform the following functions: (a) acquire, in accordance with Part 6 , such eligible bank assets from participating institutions as it considers necessary or desirable for achieving its purposes; (b) hold, manage and realise acquired bank assets (including the collection of interest, principal and capital due, the taking or taking over of collateral where necessary and the provision of funds where appropriate); (c) perform such other functions, related to the management or realisation of acquired bank assets, as the Minister directs pursuant to section 14 ; (d) take all steps necessary or expedient to protect, enhance or realise the value of acquired bank assets, including— (i) the disposal of loans or portfolios of loans in the market for the best achievable price, (ii) the securitisation or refinancing of portfolios of loans, and (iii) holding, refinancing, realising and disposing of any relevant security. | Public interest and Legal obligatio |
5.1 NAMA does not ordinarily process any Special Categories of Data other than where such data (largely concerning health) has been provided directly to it by its borrowers (or parties acting on their behalf). In this regard, NAMA relies on the fact that the Processing of Special Categories of Data is permitted under several provisions of the GDPR and the Data Protection Acts 1988 to 2018.
6. Individual Data Subject Rights
6.1 Data Protection Laws provide certain rights in favour of Data Subjects. The rights in question (“Data Subject Rights”) are as follows:
(a) The right of a Data Subject to receive detailed information on the processing (by virtue of the transparency obligations on the Data Controller);
(b) The right of access to Personal Data including knowledge of whether or not the Data Subject’s Personal Data are being processed and, if so, having access to the Personal Data plus additional ancillary information. This includes information such as the purposes of the Processing, the categories of Personal Data concerned, the recipients or categories of recipient to whom the Personal Data have been or will be disclosed and retention periods;
(c) The right to rectify or erase Personal Data (right to be forgotten);
(d) The right to restrict Processing;
(e) The right of data portability; i.e. the right to receive Personal Data concerning the Data Subject in a structured, commonly used and machine readable format and have the right to transmit those data to another Data Controller. This right only applies to Personal Data which the Data Subject has provided to NAMA (and not to data which is received from third parties);
(f) The right of objection; and
(g) The right to object to automated decision making, including profiling.
6.2 Articles 17 and 20 of the GDPR state that the right to be forgotten and the right of data portability do not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller so these rights may not apply in some cases. In addition, NAMA does not carry out automated decision making.
6.3 Any Data Subject wishing to exercise their Data Subject Rights should write to the NAMA Data Protection Officer at:
| Address: | NAMA Data Protection Officer
NAMA Treasury Dock North Wall Quay Dublin 1 D01 A9T8 |
| Email: | dpo@nama.ie |
| Phone: | +353 1 238 5060 |
Your request will be dealt with in accordance with NAMA’s Data Subject Rights Request Procedure.
7. Data Security and Personal Data Breach
7.1 The NTMA, as a Data Processor for NAMA, provides IT system support to NAMA and has a suite of Information Security Policies and Procedures which are designed to ensure that appropriate technical and organisational measures are in place to protect information. These apply to all NAMA staff and are supplemented by NAMA’s System and Access Policy. These measures protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.
7.2 Article 34 of the GDPR obliges Data Controllers to notify the Data Protection Commission and affected Data Subjects in the case of certain types of personal data security breaches. NAMA has implemented a Personal Data Breach Procedure and we will manage a Personal Data Breach in accordance with this procedure.
8.1 From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process. For example, where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data.
8.2 We may also share Personal Data: (a) with another statutory body where there is a lawful basis or requirement to do so; (b) with selected third parties including contractors and sub-contractors (as appropriate); (c) bidders and purchasers of assets secured in favour of NAMA; and/or (d) if we are under a legal obligation to disclose Personal Data.
8.3 Where we enter into agreements with third parties to Process Personal Data on our behalf we will ensure that the appropriate contractual protections are in place to safeguard such Personal Data.
8.4 Examples of third parties to whom Personal Data have been or will be disclosed include:
- The Central Credit Register maintained by the Central Bank in respect of which NAMA must furnish credit and personal information in relation to its borrowers;
- Third parties seeking to acquire assets secured in favour of NAMA, in respect of which NAMA must furnish credit and asset related information to enable prospective purchasers carry out due diligence in relation to a proposed transaction; and
- External service providers, professional advisors and consultants to NAMA in order to support and advise NAMA in relation to the achievement of its statutory objectives and purposes.
9.1 We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed. Further details of the retention period for Personal Data are set out in our Records Management Policy which, in summary, provides as follows.
(a) NAMA deletes records on an ongoing basis where they are “transitory” in nature i.e. of no administrative, legal or historical value to NAMA. This category would include (for example) miscellaneous emails (e.g. out of office notices, all personnel notices, personal emails of former staff etc), draft documents, duplicates or rough notes that were superseded by a final official version;
(b) NAMA will generally preserve “non-transitory” records for a period of 7 years after the last NAMA activity on the file. For example, in the case of debtor records (including credit decisions), the 7 year period would run from the “connection exit date” while the timeframe would run from the project completion date for project-related records. Emails and other administrative records which have been saved on NAMA’s systems are also subject to the 7-year rule.
(c) NAMA will preserve legal records (e.g. title and security documents, signed contracts etc.) for so long as they are required for operational or legal reasons and other records that are deemed to be of long-term, public interest or historical value indefinitely. This category includes, for example, Board minutes, executive papers, NAMA policies and procedures and certain financial records.
(d) Exceptions to the deletion policy will be applied where records are the subject of litigation, a commission of investigation or an ongoing administrative process (e.g. an ongoing data subject access request, FOI request, grievance procedure, audit etc).
10. Data Transfers outside the EEA
10.1 From time to time we may need to transfer Personal Data outside of the European Economic Area (“EEA”). This transfer will occur in accordance with applicable Data Protection Law. We take reasonable steps to ensure that the Personal Data is treated securely (typically through the use of EU-approved Model Contract Clauses or as is otherwise permitted pursuant to Article 49 of the GDPR) and in accordance with this Data Protection Statement when transferred outside of the EEA.
10.2 Examples of data transfers outside of the EEA by NAMA include:
- The provision of credit and asset information to legal firms and other professional advisors in the United Kingdom, noting the European Commission has issued an adequacy decision in relation to the United Kingdom.
- The provision of credit and asset related information to legal firms based in the USA for the purpose of instigation or defending litigation claims in support of NAMA’s achievement of its statutory objectives and purposes; and
- The provision of credit and asset related information to third parties, located outside the EEA, for the purposes of their carrying out due diligence in relation to a proposed transaction.
11. Further Information/Complaints Procedure
11.1 You can ask a question or make a complaint about this Data Protection Statement and/or the Processing of your Personal Data by contacting the NAMA Data Protection Officer (DPO) at:
| Address: | NAMA Data Protection Officer
NAMA Treasury Dock North Wall Quay Dublin 1 D01 A9T8 |
| Email: | dpo@nama.ie |
| Phone: | +353 1 238 5060 |
11.2 While you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission, we request that you contact the DPO in the first instance to give us the opportunity to address any concerns that you may have.
ANNEX 1
Glossary
In this Data Protection Statement, the terms below have the following meaning:
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller (for example, a loan servicer).
“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Acts 1988 to 2018 and any other laws which apply to the NAMA in relation to the Processing of Personal Data.
“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, and Norway.
“Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include:
- a name, an identification number;
- details about an individual’s address or contact details;
- data related to assets secured by a Data Subject in favour of NAMA;
- any other information that is specific to that individual.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.
“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.