In 2019 Kenya enacted the Data Protection Act, which seeks to protect the privacy of individuals by enforcing responsible processing of personal data. This includes embedding principles of lawful processing, minimising the collection of data, ensuring the accuracy of data and adopting security safeguards to protect personal data.
This policy covers data collected, received, processed and stored on the Bank’s owned physical and electronic databases and resource centre.
It shall apply to:
- 1. All Employees of Caritas Microfinance Bank Limited and all the Bank’s associated parties such as Board Members, customers, agents, vendors, contractors and any other third party who handle and use Caritas MFB information (where Caritas MFB is the ‘Controller’ for the personal data being processed, be it in manual or automated forms, or if others hold it on their systems on behalf of the Bank);
- 2. All personal data processing Caritas MFB carries out for others (where Caritas MFB is the ‘Processor’ for the personal data being processed); and
- 3. All formats, e.g., printed and digital information, text and images, documents and records, data, audio recordings, research publications and communication tools such as mobile applications, photos, videos, social and mainstream media.
The Definitions are as per the definitions in the Data Protection Act.
- i). Data controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data.
- ii). Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
- iii). Data subject means an identified or identifiable natural person who is the subject of personal data.
- iv). Personal data means any information relating to an identified or identifiable natural person.
- v). Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- vi). Sensitive personal data means data that reveals the natural person’s race, health status, ethnic, social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex, or the sexual orientation of the data subject.
- vii). Processing data means any operation or sets of operations performed on personal data whether or not by automated means, such as (a) collection, recording, organisation, structuring; (b) storage, adaptation or alteration; (c) retrieval, consultation or use; (d) disclosure by transmission, dissemination, or otherwise making available; or (e) alignment or combination, restriction, erasure or destruction.
- viii). Third party means any natural or legal person other than the user. Examples of third parties are national governments, international governmental or non-governmental organizations, private sector entities or individuals.
Caritas MFB will ensure that data is:
- – Processed lawfully, fairly and in a transparent manner and in line with the right to privacy.
- – Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with its intended purpose.
- – Not stored longer than is necessary for the purposes for which the data is processed.
- – Accurate and where necessary appropriately updated.
- – Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is to be processed.
- – Not transferred out of Kenya without proof of adequate data safeguards/ measures and consent from the data subject.
- – Processed in a manner that ensures its security with the use of all the necessary technical and organisational measures to safeguard it against unauthorised or unlawful processing and accidental loss, destruction, or damage.
Collection of Personal Data
Caritas MFB will only collect personal data about you insofar as is necessary to achieve the purposes set out in this privacy statement. Such information will be collected with both your knowledge and consent except where consent is legally not necessary.
We may collect and use personal information for the following business purposes or circumstances (this list is not exhaustive):
- i). When you make an application to use any of our products or Services including online and mobile services.
- ii). To communicate and respond to your requests and inquiries.
- iii). To engage in transactions with third parties such as suppliers, agents and other business partners.
- iv). To analyse, develop, improve, and enhance the use, function and performance of our sites/ branches, products and services.
- v). When you make inquiries or raise a query or complaints.
- vi). In the event you have been identified as a next of kin by a third party including our employees.
- vii). To manage the security and operation of our sites/ branches/ premises, facilities, and networks and systems.
- viii). To comply with applicable laws and regulations and to operate our business.
- ix). Where you intend to work with the Bank as an employee or service provider.
- x). Where you attend any of our events or events where the Bank is one of the sponsors.
- xi). When you visit, access or use any of our online platforms/websites.
- xii). To market our products and services or related products and services, and to tailor our marketing and sales activities to your or your entity’s interests.
- xiii). To respond to or participate in a survey, marketing promotion, prize competition or special offers.
- xiv). When you engage our bancassurance services, whether as a staff member or a customer.
Nature Of Information Collected
We may collect personal information that includes but is not limited to the following:
- 1. Personal details – This includes your first, middle and last name, ID No. or Passport number, income tax PIN number, date of birth and nationality. These are required to identify you as our customer.
- 2. Personal contact details – This includes your residential addresses, mailing address and contact details (phone number and email address).
- 3. Biometric Data – When necessary, with your consent or as otherwise permitted by applicable law, we process biometric data (fingerprint) stored on your device to verify your identity for mobile banking.
- 4. Location Data – We may request access or permission to track location-based information from your mobile device while you are using our mobile application to provide certain location-based services. If you wish to change our access or permissions, you may do so in your device settings.
- 5. Mobile Device Access – We may request access or permission to certain features from your mobile device including your contacts list (to make it easier and convenient for you to search through your contact list when sending money to mobile numbers), manage calls, photos and media and other features. If you wish to change our access or permissions, you may do so in your device settings.
- 6. Mobile Device Data – We automatically collect device information such as your mobile device ID for purposes of binding the app to your device for enhanced security.
- 7. Employment details – This includes the details of your current employer.
- 8. Banking information – account details of other financial institutions or Caritas Microfinance Bank, that you hold at the time you are filling this form.
- 9. Child’s details – The three names of the child who will have an account with Caritas Microfinance Bank, their birth certificate number, citizenship, and date of birth.
- 10. Personal details of the parent(s)/legal guardian(s) – This includes your first, middle and last name, ID No. or Passport number, income tax PIN number, date of birth, nationality, passport photo and next of kin details. These are required to identify you as our customer.
- 11. Personal contact details of the parent(s)/legal guardian(s) – This includes your residential addresses, mailing address and contact details (phone number and email address).
- 12. Business or occupation of the parent(s)/legal guardian(s) – This includes the details of your employer or business you own and average monthly income.
- 13. Name of your employer, terms of employment and if on contract, expiry of the contract.
- 14. Your signature specimen.
- 15. Your credit or debit-card information, information about your bank account numbers and or other banking information.
- 16. When you register your biometric information such as your voice, fingerprints etc., or visit our branches.
- 17. Information that the various regulatory and investigatory agencies may from time to time require.
- 18. Access to our premises/ building which have the Closed-Circuit Television (CCTV) cameras installed in strategic areas.
- 19. Your contact with us, such as when you: call us or interact with us through social media, email (we may record your conversations, social media, or other interactions with us), register your biometric information such as your voice, fingerprints etc.
- 20. Postal and courier services.
- 21. Information you provide to us for the purposes of attending meetings and events.
How we use the Information
- We use the information you have provided to provide services that you consent to on behalf of a minor.
- i). To provide you with your account’s statements and notifications of real time transactions made on your account if you consent.
- ii). We monitor accounts opened with us for any suspicious activities in line with CBK requirements.
- iii). To provide services that you consent to.
- iv). For Know Your Customer (KYC) purposes.
- v). Assessing the purpose and nature of your business or principal activity, your financial status and the capacity in which you are entering into the business relationship with us.
- vi). Communicate with and keep you informed about the products and/or services you have applied for.
- vii). Assessing your personal financial circumstances and needs depending on the nature of the services you will require from us.
- viii). Fraud prevention, detection, and investigation.
- ix). To undertake background checks where you have expressed interest to work with us.
- x). Keeping you informed generally about new and existing products and services, offers, promotions based on how you use our or third-party products and services unless you opt out of receiving such marketing messages (you may contact us at any time to opt out of receiving marketing messages).
- xi). Any other legal purposes.
Retention of Data
We guarantee that all personal data held by Caritas Microfinance Bank is stored in secure environments. This data will be deleted if it is no longer needed to provide any of our services to you. The retention period will vary based on both legal and operational requirements of the Bank and the banking prudential guidelines.
Security of your personal information
We have implemented appropriate technical, physical, and organizational measures designed to protect your personal information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, as well as all other forms of unlawful processing.
Rights of the data subject/customer
You have multiple privacy rights, subject to applicable law, in respect of the information we process about you:
- 1. Right to ask and be informed of the data to be held by the Bank.
- 2. Right to Opt-out of our use or sharing of your personal information.
- 3. Right to have your information deleted or erased.
- 4. Right to have your information corrected.
- 5. Right to stop the Bank from using all or some of the information about you.
- 6. Right to access and/or have your information provided to you.
Sensitive personal information
We may collect Special Categories of Personal Data about you (this includes details about your race, health status, ethnic or social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including details of your children, parents, spouse or spouses, sex or sexual orientation).
Legal basis for processing personal information
- – We rely on our legitimate interest in processing contact and related information about you in order to communicate adequately with you and to respond to your requests.
- – For purposes of performing contracts entered into by yourself and the Bank.
- – In order to engage in transactions with customers, suppliers and business partners, and to process purchases and downloads of our products and services.
- – For the establishment, exercise, or defence of a legal claim.
- – Compliance with a mandatory legal obligation / regulation.
- – To analyse, develop, improve and optimize our sites, facilities, products and services, and to maintain the security of our sites, networks and systems.
Transfer of personal data
- – The Bank may transfer your personal information for the purpose of effecting/implementing, administering, and securing any product or service that you have applied for, or for other purposes set out in this privacy statement.
- – We also share data with our controlled affiliates and business partners such as vendors; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our products; to comply with regulatory requirements; and to protect the rights and property of the Bank and its customers.
- – We may transfer or disclose the personal data we collect to regulatory, fiscal or supervisory authorities, correspondent banks on transaction enquiries, third-party contractors, subcontractors, and/or their subsidiaries and affiliates who provide support to us in providing our services. The third-party providers may use their own third-party subcontractors that have access to personal data (sub-processors). It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by us, and to flow those same obligations down to their sub-processors.
- – The Bank shall keep and maintain full and accurate records reflecting all phases of the data management cycle, including records of data subjects’ consents and procedures for obtaining consent, where consent is the legal basis of processing.
The data transfer records shall include, at a minimum:
- a) the name and contact details of the individual or entity authorizing the transfer;
- b) clear descriptions of the personal data types;
- c) data subject types;
- d) processing activities;
- e) processing purposes;
- f) third-party recipients of the personal data;
- g) personal data storage locations;
- h) personal data transfers;
- i) the personal data’s retention period; and
- j) a description of the security measures in place.
Data protection agreement
The Bank will require all third parties to comply with this Policy through an agreement as part of the signing of partnership agreements. Such agreements will specify the specific purpose(s) and legitimate basis for the processing or transfer of personal data.
The agreement shall:
- address the purpose(s) for data transfer, specific data elements to be transferred as well as data protection and data security measures to be put in place.
- require the third party to undertake that its data protection and data security measures are in compliance with this Policy; and
- stipulate consultation, supervision, accountability and review mechanisms for the oversight of the transfer for the life of the agreement.
The Bank’s Data Protection Officer shall review and approve all data transfer agreements and maintain copies of final agreements.
From time to time there may be a need to transfer your personal information outside the country where you are located. This includes countries that do not have laws that provide specific protection to your personal data. Where we send your information outside the country, we will make sure that there is proof of adequate data protection safeguards in the recipient country or consent from you on the transfer of your personal information.
Data protection officer
The Bank has appointed a Data Protection Officer who will undertake overall duty for data protection management for the Bank with the help of the above named individuals. Should you have any queries, complaints or concerns regarding your personal data, you may reach out directly to the Data Protection Officer through: firstname.lastname@example.org
We may store some information (using “cookies”) on your computer when you visit our websites. This will enable us to recognize you during subsequent visits. This will entail non-personal information (such as the Internet Protocol (IP) address of your computer, the date and time of your visit, which pages you browsed and whether the pages have been delivered successfully). Cookies are also used for storing and honouring your preferences and settings, making it possible for you to sign in, providing interest-based advertising, eradicating fraud, product performance analysis, and for other legitimate purposes.
- – The Bank will maintain a register of all data breaches.
- – The Bank staff and volunteers will notify their managers as soon as possible upon becoming aware of a personal data breach.
- – The member of staff or volunteer will record the breach.
- – If a personal data breach is likely to result in personal injury or harm to a data subject, the Bank will communicate the personal data breach to the data subject upon undertaking all the necessary investigations, report the same to the Data Commissioner within the timelines stipulated in the Data Protection Act, and take mitigating measures as appropriate without undue delay.