The Register of Beneficial Ownership of Companies and Industrial and Provident Societies (hereafter referred to as the Register of Beneficial Owners or the “RBO”) is committed to protecting and securely processing personal data in accordance with all of our legal obligations, including compliance with the General Data Protection Regulation (the “GDPR”) and data protection laws (the “Data Protection Acts 1988 to 2018”).
We process personal data to meet our legal obligations under the Anti-Money Laundering Directives and legislation.
This policy sets out how we use and seek to protect the personal data that are processed to form the RBO register.
This policy applies to all personal data processed by the RBO.
This policy supplements other policies relating to data protection and to e-mail and systems use, and may be supplemented or amended by additional policies and guidelines.
Irish companies have a statutory requirement to file their beneficial owners’ details with the Central Register of Beneficial Ownership (RBO). This legal requirement was introduced by the 4th Anti-Money Laundering Directive (4AMLD), which came into force on 25 June 2015. A further Directive, known as the 5th Anti-Money Laundering Directive (5AMLD), came into effect on 09 July 2018 and includes a number of amendments aimed at strengthening the modernised EU anti-money laundering regime established under the previous Directive (i.e. the 4AMLD). The Directives aim at further contributing to the fight against money laundering and terrorism financing by strengthening the existing rules and making them more consistent across all EU Member States. The changes bring a more robust risk-based approach to improve the management of money laundering and terrorist financing risk.
One of the requirements under 4AMLD and 5AMLD has been the establishment of a central Register of Beneficial Owners or “RBO”. The Companies Registration Office (the “CRO”) has been appointed as the statutory body responsible for the establishment and maintenance of the RBO. This responsibility has been assigned to the CRO by the Department of Finance Statutory Instrument (S.I.) No. 110 of 2019. http://www.irishstatutebook.ie/eli/2019/si/110/made/en/pdf
For the purposes of the Anti-Money Laundering Regulations, the term “beneficial owner” is as defined in Article 3(6)(a) of 4AMLD and refers to the natural person(s) who ultimately owns or controls a legal entity through direct or indirect ownership of a sufficient percentage of the shares or voting rights or ownership interest in that company. Any person who holds or controls 25% or more of the company’s shares or voting rights (whether directly or indirectly) is automatically a beneficial owner. Companies are also obliged to register individuals who control the company “by other means”[1], which includes control through a shareholders’ agreement, the exercise of dominant influence or the power to appoint members of senior management.
[1] See Recital (12) – 5th Anti-Money Laundering Directive (5AMLD).
In general, it is expected that the personal data that will be recorded on the RBO will relate to company directors and shareholders.
The details of each beneficial owner must be entered into an on-line portal on the RBO website – www.rbo.gov.ie. There is no filing fee.
The information to be filed with the RBO in respect of each beneficial owner will include:
The purpose of the EU’s Anti-Money Laundering Directives is to implement measures to counter money laundering and terrorist financing. In particular, 5AMLD states:
“Accurate identification and verification of data of natural and legal persons is essential for fighting money laundering or terrorist financing. The need for accurate and up-to-date information on the beneficial owner is a key factor in tracing criminals who might otherwise be able to hide their identity behind a corporate structure”.
The RBO will gather certain specified data about people who are the beneficial owners of companies and industrial & provident societies in Ireland and provide access to these data to a number of relevant competent authorities engaged in the prevention, detection or investigation of possible money laundering or terrorist financing.
There will be two ways in which personal data on the Register of Beneficial Owners or the RBO can be accessed. These include:
Direct Sharing
The DOB (date of birth) and PPSN (i.e. Personal Public Service Number) of each beneficial owner will be shared with the Department of Social Protection (D/SP). This sharing of personal data is required in order to validate the accuracy of the data filed on the RBO. Once this validation process has been completed the PPSN will be converted by RBO into a “hashed” format using irreversible encryption software and stored in this format (i.e. an encrypted or “not visible to the eye” version of the PPSN [1]).
Other forms of access and inspection – A public Register
The Register of Beneficial Owners or RBO is a public register and, as a result, access to certain types of personal data on the Register will be made available to third parties. Access to, or inspection of, the Register is provided for in the legislation (S.I. No. 110 of 2019) and is divided into two categories or “tiers”, i.e. Tier 1 – Unrestricted Access and Tier 2 – Restricted Access.
In general, RBO data will be made available to third parties as follows:
Tier One Access: Unrestricted access to RBO data will be provided to:
The Garda Síochána, Revenue Commissioners, competent authority and CAB may disclose the information in the central register to any corresponding competent authorities of another Member State.
Tier Two Access: Restricted access to RBO data will be made available to:
What information will be disclosed?
All access to, or inspection of the Register is provided for in the legislation.
Tier One Access: Access to the following information will be provided under the “Unrestricted” route and will include:
Tier Two Access: Access to the following information will be provided under the “Restricted” route and will include:
Note: The Day of birth and Residential address of the beneficial owner will not be disclosed under the Tier Two Access – Restricted Access category.
This access is subject to data protection requirements as set out in the Data Protection Act 2018.
A fee may also be charged for access to or inspection of these data by designated persons and the general public.
Information relating to a minor who is a beneficial owner
Certain additional requirements will also apply to the access to, or inspection of the Register where such information relates to a minor who is a beneficial owner of a relevant entity.
In such cases, a designated person or member of the public shall not be permitted to have access to, or to inspect, any information in the central register in respect of a minor, unless they make a request in writing to the Registrar providing a summary of the grounds on which the designated person or member of the public considers it to be in the public interest to disclose this information. The Registrar will consider the written summary and then make a decision on whether to grant or refuse the access request.
[1] What is Hashing? Hashing involves generating a value or values from a string of text using a mathematical function. A formula generates the “hash”, which helps to protect the security of the PPSN against tampering or “hacking”.
[2] Within the meaning of Part 4 of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (No. 6 of 2010).
[3] Within the meaning of Part 4 of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (No. 6 of 2010).
The RBO will retain personal data for as long as they are needed to fulfil the purposes for which they were collected. The retention of these data will be in compliance with general data protection requirements as provided for under the General Data Protection Regulation (the “GDPR”) and the Data Protection Act 2018.
Personal data will be deleted from the Register in relation to a relevant entity if 10 years have elapsed from the dissolution (should such occur) of the relevant entity and, as soon as may be after that deletion, the Registrar will securely destroy that information.
It is important to note that the PPSN of a beneficial owner will not be disclosed by the Registrar of the RBO and that only a hashed[1] version of the PPSN will be stored by the RBO.
[1] The version (a “hashed” version) has been generated by the employment of a mathematical function; and the mathematical function, so employed, does not allow the PPS number to be determined from the hashed version.
The RBO adheres to the following principles of the General Data Protection Regulation (the “GDPR”) and Data Protection Acts 1988 to 2018 as set out below.
A Privacy Notice document is available to view on the RBO website and can be used in addition to this Policy to explain to data subjects (i.e. individuals, in this case beneficial owner(s)) why and how their personal data are being processed.
Lawfulness, Fairness and Transparency
All personal data must be processed legally and in a way that is fair and transparent. The Data Subject (i.e. beneficial owner(s)) will be clearly informed about how their personal data are being processed by the RBO.
Collected for specific, explicit and legitimate purposes
The RBO will only collect the personal data of beneficial owner(s) for a specific purpose, and this purpose has been set out in this Policy as well as the Privacy Notice.
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
RBO will ensure that any personal data obtained in relation to a beneficial owner(s) will be adequate and relevant to the purpose(s) for which they are being processed. No unnecessary or additional personal data will be processed once the original purpose has been satisfied.
Accurate and, where necessary, kept up-to-date
Every effort will be made to ensure that all personal data collected are accurate. Personal data held on the RBO system will be updated periodically to ensure any inaccuracies are rectified. Where RBO is made aware of any inaccurate data, we will immediately review the issue. Personal data will be deleted from the Register in relation to a relevant entity if 10 years have elapsed from the dissolution (should such occur) of the relevant entity and, as soon as may be after that deletion, the Registrar will securely destroy that information.
Kept in a form which permits identification of data subjects for no longer than is necessary
Personal data will be retained for no longer than is necessary in light of the purposes for which those personal data were originally collected and processed. Personal data will be deleted from the Register in relation to a relevant entity if 10 years have elapsed from the dissolution (should such occur) of the relevant entity and, as soon as may be after that deletion, the Registrar will securely destroy that information.
Any unsolicited personal data received by RBO staff, via e-mail or post, will be securely deleted or destroyed as soon as possible after its receipt.
Processed in a manner that ensures appropriate security of personal data
All personal data will be processed safely and securely, to prevent unlawful or unauthorised processing, accidental or unlawful destruction, or accidental loss or damage to the data. RBO will conduct a periodic security review of its ICT systems to ensure that the appropriate measures are in place and are adhered to by all staff.
Accountability for the implementation of the above principles
As a Data Controller, RBO takes responsibility to adhere to the above principles at all times during the course of business. RBO will keep a record of all personal data collected, held or processed. The following details will be recorded in the RBO’s Privacy Statement:
Ms Heather Murray is the Data Protection Liaison Officer (“DPLO”) for the RBO.
The DPLO will be included in any matters involving data protection at the earliest possible stage, including privacy impact assessments, data processing activities that may affect beneficial owners (i.e. data subjects), and any incidents which may affect the integrity of personal data.
The DPLO can be contacted at dataprotection@rbo.gov.ie
The DPLO should be notified of data breaches immediately in line with Department of Enterprise, Trade and Employment (DETE) protocols in relation to DETE data breach management policies. The DPLO will then contact and consult RBO senior line management and the overall DETE Data Protection Officer, Ms. Celyna Coughlan.
You can submit a Subject Access Request (“SAR”) to obtain a copy of your own personal data held on the RBO to the DPLO at dataprotection@rbo.gov.ie.
You cannot request the personal data of another individual. You can download a copy of our SAR Form by accessing the data protection section of the RBO website – Data Protection – RBO or Data Protection Subject Access Request (SAR) Application Form – DETE (enterprise.gov.ie)
The General Data Protection Regulation introduces mandatory breach notifications.
What is a personal data breach?
A personal data breach is described as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Reporting a breach
The RBO treats personal data breaches very seriously. A record of any data breach that occurs, including a description of the breach, its effects and the remedial action(s) taken, will be recorded in accordance with Article 33(5) of the General Data Protection Regulation. Where the personal data breach results in a high risk to the rights and freedoms of an individual (i.e. the “data subject” or beneficial owner in this case), the RBO is obliged to inform the individuals affected without undue delay.
All RBO staff members have received data protection training specific to their role. This training will be periodically reviewed and refreshed to ensure continuing professional development in the area of data protection law and General Data Protection Regulation compliance.
Methods of collecting, holding and processing personal data will be regularly evaluated and reviewed.
All staff members working on the RBO have been made fully aware of both their individual responsibilities and the RBO’s responsibilities under the General Data Protection Regulation (GDPR) and data protection laws and under this Policy.
Everyone who works for or with the Registrar of Beneficial Ownership (RBO) has some responsibility for ensuring personal data are collected, stored and handled appropriately. Each team that handles personal data must ensure that the data are handled and processed in line with this policy statement and data protection principles.
The following people have key areas of responsibility:
Data Controller:
The Data Controller and Registrar of Beneficial Ownership is Ms. Maureen O’Sullivan.
The Data Controller is responsible for:
The Data Controller can be contacted by writing to:
The Data Controller
Register of Beneficial Ownership
PO Box 178
Carlow
or by e-mail to: enquiries@rbo.gov.ie.
Business Process & Data Sharing Compliance Officer:
Assistant Registrar, Ms. Elaine Nolan, is responsible for ensuring that the RBO business processes and personal data handling regime are compliant with the General Data Protection Regulation. Ms Nolan is also the Compliance Officer for the purposes of the Data Sharing Agreement with the Department of Employment Affairs & Social Protection (DEASP).
Data Protection Liaison Officer (DPLO):
The RBO Data Protection Liaison Officer, Ms Heather Murray is responsible for:
The RBO Data Protection Liaison Officer can be contacted at: dataprotection@rbo.gov.ie.
The ICT Manager:
The ICT Manager, [ ] is responsible for:
The Law Enforcement Directive (the “LED”) allows competent authorities to disclose personal data to law enforcement agencies, such as FIUs and state competent authorities, without the consent of the data subject (i.e. the individual) for law enforcement purposes. The LED was transposed into Irish domestic law by the Data Protection Act 2018 (see Part 5 of the Act – “Processing of Personal Data for Law Enforcement Purposes”).
Article 6(1)(c), GDPR, states that processing shall be lawful if the processing is necessary for compliance with a legal obligation to which the Controller is subject. The RBO Controller is required by 4AMLD and SI 110 of 2019 to disclose RBO data to certain parties. The consent of the data subject is therefore not required for the disclosure of their personal data to these parties.
Information is provided to Data Subjects by both Companies and their Presenters and by the Register of Beneficial Ownership (the RBO).
The Role of Companies and their Presenters:
The RBO will advise companies and their presenters that, as Data Controllers, they are legally obliged to inform their beneficial owners/data subjects that they are sharing their personal data with the RBO. This is a legal requirement.
The Role of the RBO:
The RBO aims to ensure that on foot of receipt of a Subject Access Request (SAR) from a Data Subject (i.e. an individual), information will be provided in relation to:
A copy of the RBO Privacy Notice is available on the RBO website – www.rbo.gov.ie.
A copy of this Statement is also available on the Register of Beneficial Ownership website at: www.rbo.gov.ie
Personal Data
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Subject
An individual who is the subject of the personal data.
Data Controller
‘Data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law.
Data Processor
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Processing
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Supervisory Authority
This is the national body responsible for data protection. The supervisory authority for our organisation is the Data Protection Commission (the “DPC”).
Key details