This privacy statement describes how National Bank of Kenya Limited (“NBK”) protects the personal data it processes, why and how we collect and use your personal data and how you can exercise your rights in relation to the processing of your personal data.
This statement should be read together with the Terms and Conditions of Use for other NBK products and services. Where there is a conflict, this privacy statement will prevail.
1. DEFINITIONS
- “NBK”, “we”, “our”, “ours” and “us” means National Bank of Kenya Limited and includes its successors in title and assigns, its affiliates and/or its subsidiaries as may from time to time be specified by the Bank to you.
- “Personal data” means information that identifies you as a unique individual or any information that reveals the identity of an actual living person, and includes information such as your name(s), identification numbers, account number, phone number, location, date of birth, email, IP address etc.
- “Processing” collectively means handling, collecting, using, altering, merging, linking, organizing, disseminating, storing, protecting, retrieving, disclosing, erasing, archiving, destroying, or disposing of your personal data.
- “Sensitive personal data” includes data revealing your race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including details of your children, parents, spouse or spouses, sex or sexual orientation.
- “You” means:
  - Customer – (which includes personal representatives and assigns) operating an account held with us and includes (where appropriate) any person you authorize to give us instructions, the person who uses any of our products and services or accesses our websites. “Customer” shall include both the masculine and the feminine gender as well as juristic persons.
  - Any agent, dealer and/or merchant who has signed an agreement with us and is recognized as a merchant or agent in accordance with any applicable laws or Regulations.
  - Any visitor that is a person (including contractors/subcontractors or any third parties) who gains access to any NBK premises.
  - Any supplier/service provider who has been contracted by NBK.
  - Any external lawyer who has tendered his/her application and/or signed a service level agreement with NBK.
  - Any valuer or auctioneer who has signed an agreement with NBK.
The word “includes” means that what follows is not necessarily exhaustive and therefore the examples given are not the only things/situations included in the meaning or explanation of that text.
2. Collection of Personal Data
NBK will only collect personal data about you insofar as is necessary to achieve the purposes set out in this privacy statement. We collect your personal data with your knowledge and consent, with the exception of cases where prior consent cannot be obtained for real reasons and the processing of the data is permitted by law.
Personal data may be given to or collected by NBK in writing as part of a written application form, electronically (email), telephonically, online via the website or via App.
NBK will collect your personal data when you do any of the following:
- Make an application, buy or use any of our product and/or service or from third parties on our electronic and digital platforms.
- Use any of our product and/or service online, on a mobile or other device or in any of our branches or with any of our agents or merchants.
- Ask NBK for more information about a product or service or contact NBK with a query or a complaint;
- When you visit or access any of NBK's buildings/premises;
- Where you’ve been identified as a next of kin by our customer or employee;
- Where you have applied for employment at NBK;
- Attend an event sponsored by NBK;
- Make an application to NBK or interact with us as a supplier, agent or dealer;
- Visit, access or use any of our online platforms/websites;
- Subscribe to any of our online services, Short Message Service (SMS), email or social media platforms;
- Respond to or participate in a survey, marketing promotion, prize competition or special offer;
- We may also collect your information from other organizations including credit-reference bureaus, fraud prevention agencies, government agencies and business directories;
- When you engage our insurance services or as a result of your relationship with one or more of our staff and client
- When we require personal data from you in order to fulfil a statutory or contractual requirement, or where such information is necessary to enter into a contract or is otherwise an obligation, we will inform you and indicate the consequences of failing to do so;
- When you make an application or engage with NBK as a beneficiary in any of our programs.
- When you engage our Natbank Trustee & Investment Services for investment needs.
These examples are non-exhaustive, which is reflective of the varied nature of the personal data we may collect.
What Information is Collected?
From individuals who are our customers and prospective customers, or are representatives of customers and prospective customers, we may collect personal data that includes but is not limited to the following:
- Your identity information, including your title, name, photograph, marital status, nationality, occupation/profession, residence, address, location, phone number, identity document type and number, date of birth, age, gender, your email, LinkedIn, Facebook, Instagram and Twitter address.
- Name of your employer, terms of employment and if on contract, expiry of the contract.
- Your estimated monthly income levels.
- If you are a student, your college or university and graduation date.
- Your signature specimen.
- Your credit or debit-card information, information about your bank account numbers
- Your transaction information when you use our electronic and digital platforms, branches, our agents and/or merchants.
- Your preferences for particular products and services, based on information provided by you or from your use of our network or third-party products and services.
- Your contact with us, such as when you call us or interact with us through social media, email (we may record your conversations, social media or other interactions with us), register your biometric information such as your voice, fingerprints etc, visit our branches.
- Relevant information as required by regulatory Know Your Client and/or Anti Money Laundering regulations and as part of our client intake procedures. This may possibly include evidence of source of funds, at the outset of and possibly from time to time throughout our relationship with clients, which we may request and/or obtain from third party sources. The sources for such verification may include documentation, which we request from you or through the use of online or public sources or both.
- We use Closed Circuit Television (CCTV) surveillance recordings. CCTV Devices are installed at strategic locations to provide a safe and secure environment in all our branches, NBK premises and ATMs as a part of our commitment to security and crime prevention.
- We maintain a register of visitors in which we collect and keep your personal data such as names, company/institution details, telephone number, vehicle registration details, National ID/ Passport number and device serial number and model (where you visit our premises with your personal devices e.g., laptops). This information is collected for health, safety and security purposes.
- We collect and retain your personal data (name, telephone number, and vehicle registration details) when you request for a parking space in any of our NBK premises. We use the data you provide to ensure effective car park management, health and safety compliance, for security purposes and inventory management.
- When you use NBK WIFI for guest and visitors, we collect email IDs and will provide username and password. We record the device address and also log traffic information in the form of sites visited, duration and date sent/received.
- Information you provide to us for the purposes of attending meetings and events.
- We may use your medical information to manage our services and products to you e.g., when you use our services designed for persons with disabilities, such as personalized services for the visually impaired.
- Where you use any of our voice recognition platforms/ video and voice recording or fingerprint recognition, we may collect and process your biometrics.
- We collect your personal data when you visit us for purposes of accident and incident reporting. NBK will collect personal data from the injured party or person suffering from ill health, such as, name, address, age, next of kin, details of the incident to include any relevant medical history. The data is collected as NBK has a legal duty to document workplace incidents/accidents and to report certain types of accidents, injuries and dangerous occurrences arising out of its work activity to the relevant enforcing authority. Incidents and accidents will be investigated to establish what lessons can be learned to prevent such incidents/accidents reoccurring including introduction of additional safeguards, procedures, information instruction and training, or any combination of these. Monitoring is undertaken but on an anonymised basis. The information is also retained in the event of any claims for damages.
- When you visit our website, we collect your ID-type information: cookie ID, mobile ID, IP address which is used for real-time processing in order to generate a visitor ID.
- Information that you provide to us and/or correspondent banks as part of the provision of services to you, which depends on the nature of your engagement.
- We may collect details of a minor which include name, date of birth, birth certificate number, relationship with the applicant and any other information relevant for the provision of our products and services. We will only process such data where parental or legal guardian consent has been given. We will also ensure that the processing of such data will be done in a manner that protects and advances the rights and best interests of the child.
Related Legal Entities
Corporate entities and clients form part of our client base. These legal entities are not data subjects (i.e., natural persons to whom personal data relates). However, as part of our engagement with these clients, we may receive personal data about individuals which may include but is not limited to:
- Full names
- Birth certificate number, national identity card number or passport number; personal identification number (PIN)
- Date of birth
- Postal and business address
- Residential address, telephone number and email address
- Occupation or profession
- Nature of ownership or control of the company
- Number of shares in the company
These examples are non-exhaustive, which is reflective of the varied nature of personal data and is assessed on case-by-case basis.
Mailing Lists
We also collect information to enable us to improve the customer experience and market our products and/or services, which may be of interest to you. For this purpose, we collect:
- Name and contact details.
- Other business information, such as job title and the company you work for.
- Products and/or services that interest you.
- Additional information may be collected, such as events you attend and if you provide it to us.
3. Use of Personal Data
This privacy statement aims to give you complete and transparent information on how NBK processes your personal data. We are committed to ensure that your personal data is processed in a way that is compatible with the specified, explicit, and legitimate purpose of collection.
Where personal data relates to a child, we will process the personal data only where parental or legal guardian consent has been given. The processing of such data will be done in a manner that protects and advances the rights and best interests of the child.
We may use personal data provided to us for purposes including, but not limited to, the following:
- Verifying your identity information through publicly available and/or restricted government databases to comply with applicable Know Your Customer (KYC) requirements.
- Assessing the purpose and nature of your business or principal activity, your financial status and the capacity in which you are entering into the business relationship with us.
- Creating a record of you on our system to verify your identity, provide you with the products and/or services you have applied for from us or from third parties on our ecommerce platforms.
- Communicate with and keep you informed about the products and/or services you have applied for.
- Verification of age and consent where the personal data relates to a child.
- Identifying you and verifying your physical address.
- Identifying your source of income and similar information.
- Assessing your personal financial circumstances and needs before providing advice to you.
- Responding to any of your queries or concerns, we may record or monitor telephone calls between us so that we can check instructions and make sure that we are meeting our service standards.
- Carrying out credit checks and credit scoring.
- To perform our obligations under a contractual arrangement with you.
- Fraud prevention, detection and investigation
- Any purpose related to the prevention of financial crime, including sanctions screening, monitoring of anti-money laundering and any financing of terrorist activities.
- Further processing for historical, statistical or research, survey and other scientific or business purposes where the outcomes will not be published in an identifiable format.
- Provide aggregated data (which do not contain any information which may identify you as an individual) to third parties for research and scientific purpose.
- In business practices including quality control, training and ensuring effective systems operations.
- To understand how you use our products and services for purposes of developing or improving products and services.
- Administer any of our online platforms/websites.
- To comply with any legal, governmental, or regulatory requirement or for use by our lawyers in connection with any legal proceedings.
- For purposes relating to the assignment, sale, or transfer of any of our businesses, legal entities or assets, in whole or in part, as part of corporate transactions.
- Keeping you informed generally about new products and services and contacting you with offers or promotions based on how you use our or third-party products and services unless you opt out of receiving such marketing messages (you may contact NBK at any time to opt out of receiving marketing messages).
- Where you have applied for employment at NBK, we perform applicant screening and background checks.
- Where you are an NBK employee (including contractors), we create an employment record of you on our system to facilitate continuous monitoring during your employment with us.
- Where you are an NBK director, we create a record of you as a director on our system.
- Where you are a supplier to NBK, we process your personal data for due diligence, risk assessment, administrative and payment purposes.
- For security purposes when accessing any of NBK buildings/premises; and
- Where you attend an event sponsored by NBK, we will be taking photos or videos of the event. These images or videos will be used by us to share news about the event, and may be used in press releases, printed publicly, and published on our website.
4. Sensitive (Special Categories) Data
We may collect Sensitive Categories of Personal Data about you (this includes details about your race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including details of your children, parents, spouse or spouses, sex or sexual orientation and biometric data). We will rely on any of the legal basis provided in clause 6 below for such collection.
5. Transfer of Personal Data
NBK may transfer your personal data for the purpose of effecting/implementing, administering, and securing any product or service that you have applied for or for any other purpose set out in this privacy statement. We also share data with NBK-controlled affiliates and subsidiaries; with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our products; to comply with regulatory requirements and to protect the rights and property of NBK and its customers.
We may transfer or disclose the personal data we collect to regulatory, fiscal or supervisory authorities, correspondent banks on transaction enquiries, third party contractors, subcontractors, and/or their subsidiaries and affiliates who provide support to NBK in providing its services. The third-party providers may use their own third-party subcontractors that have access to personal data (sub-processors). It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal data only as instructed by NBK, and to flow those same obligations down to their sub-processors.
- Cross-border (International) Transfers
From time to time, we may need to transfer your personal data outside the country you are located to provide a particular product or service. This includes countries that do not have laws that provide specific protection to your personal data.
Where we send your information outside the Republic of Kenya, we will make sure that your data is properly protected in accordance with the applicable Data Protection Laws. We shall ensure that there is proof of adequate data protection safeguards in the recipient country or consent from you on transfer of your personal data.
- Other Disclosures
We may also disclose your personal data where required by law, to enforce other agreements, or to protect the rights, property, or safety of our business, our clients, customers, employees, or others.
NBK may disclose, respond, advise, exchange and communicate personal data and/or information in the Bank’s possession relating to you outside NBK whether such personal data and/or information is obtained after you cease to be the Bank’s customer or during the continuance of the bank-customer relationship or before such relationship was in contemplation, provided that such personal data is treated in confidence by the recipient. We may disclose your information for the following purposes:
- For fraud prevention, detection and investigation purposes.
- To licensed credit reference agencies or any other creditor if you are in breach of your obligations to the bank and for assessment of credit applications and for debt tracing.
- To licensed credit reference agencies or any other creditor for determining your payment history.
- To the bank’s external lawyers, auditors, valuers, survey agencies, and sub-contractors, software developers or other persons acting as agents of the bank.
- To any person who may assume the bank’s rights within the confines of the law.
- To debt collection agencies.
- Providing income tax-related information to tax authorities.
- To any regulatory, fiscal or supervisory authority, any local or international law enforcement agencies, governmental agencies so as to assist in the prevention, detection, investigation or prosecution of criminal activities, courts or arbitration tribunal where demand for any personal data and/or information is within the law.
- To the bank’s subsidiaries, affiliates and their branches and offices (together and individually).
- Where the bank has a right or duty to disclose or is permitted or compelled to do so by law.
- For purposes of exercising any power, remedy, right, authority or discretion relevant to an existing contract with the bank and following the occurrence of an event of default, to any other person or third party as well.
6. Legal Basis for the Processing of Personal Data
NBK will process your personal data as permitted by the applicable Data Protection Law as amended from time to time and its internal policies:
- For the performance of a product/service contract which you are party to;
- Where processing is necessary for the purposes of legitimate business interests pursued by NBK or by a third party within the confines of the law;
- For the establishment, exercise or defense of a legal claim;
- Compliance with a mandatory legal obligation to which it is subject;
- With your consent;
- Public interest;
- To protect your vital interest or the vital interests of any person.
7. Direct Marketing
From time to time, we may also use your personal data to contact you for market research or to provide you with information about other services we think would be of interest to you. You may be required to opt-in or give any other form of explicit consent before receiving marketing messages from us. We respect your right to control your personal data depending on which of our products you use. Therefore, at a minimum, we will always give you the opportunity to opt-out of receiving such direct marketing or market research communications. You may exercise this right to opt-out at any time.
8. The Use of Cookies
We may store some information (using "cookies") on your computer when you visit our websites. This enables us to recognize you during subsequent visits. The type of information gathered is the Internet Protocol (IP) address of your computer, the date and time of your visit, which pages you browsed and whether the pages have been delivered successfully. We use cookies for storing and honoring your preferences and settings, enabling you to sign in, providing interest-based advertising, combating fraud, analyzing how our products perform, and fulfilling other legitimate purposes.
We may also use this data in aggregate form to develop customized services, tailored to your individual interests and needs. Should you choose to do so, it is possible (depending on the browser you are using), to be prompted before accepting any cookies, or to prevent your browser from accepting any cookies at all. This will however cause certain features of the web site not to be accessible.
9. Retention of Personal Data
NBK will retain your personal data only for as long as is reasonably necessary to achieve the purpose for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, the need to comply with our internal policy and the applicable legal, regulatory, tax, accounting or other requirements.
National Bank maintains specific Records Management and Data Retention Policies and Procedures, which guide how personal data is handled according to the following retention criteria:
- Where we have an ongoing relationship with you.
- To comply with a legal obligation to which it is subject.
- Where retention is advisable to safeguard or improve the Bank’s legal position.
10. Safeguarding and Protection of Information
We have put in place technical and operational measures to ensure integrity and confidentiality of your data via controls around: information classification, access control, cryptography, physical and environmental security and monitoring and compliance.
We also require third parties that engage with us to follow appropriate standards of security and confidentiality.
11. Access to and Updating your Information
To update your information, please visit any of our branches or contact Customer Care Service via email on customercare@nationalbank.co.ke or +254 (20) 282 8900, 0703088900 or 0732118900. You can change how we get in touch with you and your account details whenever you like.
12. Your Rights
You have the following rights as set out in the Kenya Data Protection Act, 2019 and Regulations as amended from time to time, subject to legal and contractual exceptions. These rights can be exercised in writing and submitted to NBK for action using this Form:
- Right to be informed
You have the right to be informed that we are collecting personal data about you.
- Request for access to personal data
You have the right to request access to your personal data that we have on record. This right entitles you to know whether NBK holds personal data of you and, if so, obtain information on and a copy of those personal data.
- Request for rectification
You have a right to request NBK to rectify any of your personal data that is incorrect or incomplete.
- Request for objection to processing
You have a right to object to and withdraw your consent to processing of your personal data. This right entitles you to request that NBK no longer processes your personal data. The withdrawal of your consent shall not affect the lawfulness of processing based on prior consent before its withdrawal. We may also continue to process your personal data if we have a legitimate or legal reason to do so.
- Request for erasure of personal data
You have a right to request the erasure of your personal data. This right entitles you to request the erasure of your personal data, including where such personal data would no longer be necessary to achieve the purposes.
- Request for restriction of processing
You have a right to request the restriction of the processing of your personal data. This right entitles you to request that NBK only processes your personal data in limited circumstances, including with your consent.
- Request for data portability
You have a right to request portability of your personal data. This right entitles you to receive a copy (in a structured, commonly used, and machine-readable format) of personal data that you have provided to NBK, or request NBK to transmit such personal data to another data controller in an electronic format.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within reasonable time. Occasionally it could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
13. How to Complain
Please let us know if you are unhappy with how we have used your personal data. You can contact us using our Contact Form. You also have the right to complain to the regulator, and to lodge an appeal if you are not happy with the outcome of a complaint.
14. Contact Us
Please contact our Data Protection Officer if you (i) have any questions or concerns about how NBK processes your personal data or (ii) want to exercise any of your rights in relation to your personal data, on +254 (20) 282 8900, 0703088900 or 0732118900 or by writing to us on email: nbkdpo@nationalbank.co.ke
You may also write to:
Data Protection Officer
National Bank of Kenya
National Bank Building, Harambee Avenue
P.O. Box 72866 – 00200
Nairobi, Kenya
15. Amendments to this Statement
NBK reserves the right to amend or modify this privacy statement from time to time and your continued use of our products and services constitutes your agreement to be bound by the terms of any such amendment or variation. You can access the most current version of the privacy statement from www.nationalbank.co.ke and any amendment or modification to this statement will take effect from the date of notification on the NBK website.
Dated 3rd February, 2023