Premier Bank Kenya Privacy Statement
1. Purpose and scope
Premier Bank Kenya (“PBK” or “We”) is committed to protecting the personal data of all our customers and other data subjects (“You”). This Privacy Notice (“Notice”) informs you of:
- Who we are;
- What personal information we collect about you;
- How we collect, use, store and share your personal data;
- Your privacy and other related rights under the provisions of the Kenya Data Protection Act, 2019 (Data Protection Act) and Regulations; and
- How to contact us or the Office of the Data Protection Commissioner (ODPC) if you have a complaint.
We are committed to preserving the privacy of your data so that we can:
- deliver services of a high quality to all our Customers;
- at all times comply with the law and the various regulations that we are subject to;
- preserve the confidentiality of your personal data;
- meet the expectations of Customers; and
- protect our reputation.
We advise that you read and understand this Notice as we want to be sure that you are fully cognizant of how and for what purposes your data is being used.
2. Who we are.
Premier Bank Kenya is a commercial bank licensed and regulated by the Central Bank of Kenya. Our Head Office is located at Mihrab Building, Mezzanine1, Ring Road, Kilimani; P.O Box 26219-00100 Nairobi, Kenya.
To provide services that exceed your expectations, we need to collect, use, and process or otherwise deal with certain personal information about you. When we do so, we are subject to the provisions of the Data Protection Act.
This statement applies where we are acting as a data controller in relation to your personal data, and where we have a supervisory role in relation to how personal data is collected, stored, used and shared. We are the ‘data controller’ of that personal information for the purposes of the Act because we decide how to use that information about you, and we are therefore primarily responsible for that data. This may include your name, date of birth, address, contact information, financial information, employment details and device identifiers, including IP addresses.
Do note that by the ‘processing’ of your personal data within this context, we refer to using your personal data by collecting it, using it, storing it, communicating it to other people (with your consent or as part of our services to you) or deleting it.
Furthermore, the terms and provisions of this Notice may be changed, updated and amended from time to time. If that happens, during the time when we are providing you with our products and services, we will inform you of those changes.
3. Your personal data
While providing our services, we will collect some information about you, some of which will be termed personal data. Personal data is any information that may be used to identify an individual (natural person).
The personal information we will collect from you includes:
- Your name and personal details, including your date of birth, your ID number and other identification details;
- Your contact details including address, telephone and/or mobile number, and email address;
- Financial details relating to you, including details of your bank account if money is, or is likely to need to be, sent to you, billing information and debit / credit card details, and your financial history;
- Transactional history details (for example, payments you make and receive); and
- Proof of income (such as payslips or bank statements) if you provide these when you apply for a particular product.
Do note that any information that we possess about you is collected directly from you through your interactions with our services. This may be through your visits to our various branches and online platforms; contacting us by email, letters, telephone or through our website or social media handles; using our internet and mobile banking services through PBK’s mobile and Internet Banking applications.
There are other instances in which we will collect information about you from other sources if the need arises. Examples of these sources include:
- people appointed to act on your behalf such as advisers, agents, joint account holders, lawyers;
- from third parties with whom you have a relationship, including banks, employers, and professional bodies;
- credit reference bureaus (who may check their information against other databases – public or private);
- fraud prevention agencies; and
- publicly available sources, such as land and companies’ registries, professional records, and other membership records; online registers or directories.
This information is needed so that we can provide effective and efficient products and services to you. If you do not provide the personal data asked for, we may be delayed or prevented from providing such products and services.
Please note that it is paramount that we try as much as possible to keep your information as accurate and as current as possible. We ask that you keep us informed if any changes occur regarding your personal data during the tenure of your relationship with us.
4. Facial Recognition Data and Biometric Information
We may collect and process biometric data specifically including facial recognition data through digital platforms or applications for the sole purpose of identity verification. This biometric processing involves comparing a live facial image with the image contained in a valid government-issued identification document.
This identity verification functionality is powered by an authorized digital identity verification service provider appointed by PBK. All biometric data is processed locally on the Customer’s device and no biometric data is transmitted to or stored on PBK’s servers or those of the service provider.
In compliance with the Data Protection Act, we affirm the following:
- Biometric data is processed exclusively for identity verification and regulatory compliance. It is not used for profiling, marketing, or any secondary purpose.
- We only collect data strictly necessary for the purpose of verification. No additional biometric identifiers are collected or retained.
- Facial recognition data is processed in real time and permanently discarded upon the completion of the verification session. PBK does not store, retain, or archive any biometric data.
- Technical and organisational measures are in place to ensure biometric data is securely processed and immediately destroyed.
5. Personal data belonging to children
PBK provides services and products which are principally aimed at children.
Please note that we do not intentionally process personal data relating to children without the verifiable consent of their parent/s or legal guardian. If we become aware that we have inadvertently collected personal data of a child/minor without verifiable consent, we will take appropriate measures to delete that information as soon as possible.
We encourage parents and guardians to be involved in their children’s online activities and to monitor and supervise their children’s use of our website or services.
In the event you are a child, or if you represent the interests of a child, and you wish to seek further clarification on how we use your data, please reach out to us using the details in Clause 15 on Complaints, and we will be able to advise further.
6. Sensitive personal data
Sensitive personal data includes details about your race or ethnicity, conscience, belief, sex life, sexual orientation, health and genetic data. Do note that we only process such data where necessary and where it is most relevant.
7. Purposes for use of your information.
We only collect your personal information for the following purposes:
- Where you have given consent to the use of your personal data for one or more specific purposes. Please note that you may withdraw your consent at any time as set out in this Notice. However, such withdrawn consent does not affect the legality of data processed prior to such withdrawal;
- Where the use is necessary for the performance of a contract to which you are party, or in order to take steps at your request prior to entering a contract;
- Where the use is necessary for compliance with a legal obligation that we are subject to, including preventing fraud, money laundering or regulatory obligations;
- Where the use is necessary to protect your vital interests or those of another person;
- Where the use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us. In the case of sensitive personal data, it is in the substantial public interest; and
- Where the use is necessary for the purposes of our legitimate interests or those of a third party, except where those interests are overridden by your interests or fundamental rights and freedoms.
Below is a detailed explanation of how personal data may be utilized and the lawful justification:
Legal/Lawful Basis | Purpose |
Consent | Some of the services provided based on your consent include: ➢ Keeping in touch with you about your account and providing you with information regarding our relationship with you. ➢ Updating you about the services we offer, including information about new products, promotions and rewards, and other services we have that may interest you. ➢ Utilizing your biometric information for our due diligence checks, such as fraud and money laundering checks and/or authenticating and verifying your identity. |
Performance of contractual obligations | Our contractual obligations may include: ➢ Keeping you updated about your account and other related information involving our relationship with you. ➢ Responding to your complaints, comments, and reviews about our services. ➢ Handling enquiries, providing statements and providing you with further information you request from us regarding the products or services you have with us. ➢ Complying with specific banking product requirements e.g., loans, securities, accounts and deposits. ➢ Exercising rights that we have under any agreement we have with you, including collecting and/or receiving debts, handling securities and debentures, providing support in the execution of transactions. |
Legal Obligations | ➢ Completing our contractual obligations owed to you by managing your account with us; providing services to you; communicating to you regarding your account and other related information regarding your relationship with us; handling enquiries and complaints and other requests you may have. ➢ Detecting, investigating, preventing, and prosecuting criminal activities. This includes fraud and anti-money laundering checks, checks for other crimes, and identity checks. ➢ Sharing your information with other institutions such as the relevant regulatory agencies, law enforcement, tax authorities, fraud prevention agencies and credit reference bureaus. ➢ Conducting technical assessments such as system tests as well as profile analysis, including behavioural scoring, and creditworthiness scoring. ➢ Recording your image on our CCTV surveillance systems when you visit our premises across our locations – head office, branch network and ATMs. |
Legitimate Interest | These include: ➢ Assisting in opening and managing your accounts and maintaining our relationship with you – we are able to fulfil our legitimate interest of protecting our business interests as well as our customers’ interests; ➢ Updating you about the products and services we offer you as our customer, as well as information about products, services, rewards, offers, promotions and contests (including those from other companies) that may interest you – it’s in our legitimate interest to share information with you about products or services that may be relevant and beneficial to you. You can always opt out of any marketing messages we send out as set out in this Notice; ➢ Sharing your information with relevant credit reference bureaus and fraud prevention agencies – it’s in our legitimate interest to carry out certain creditworthiness assessments so that we can make responsible business decisions. We need to make sure that we only provide certain products and services to individuals if they are appropriate and to manage the services we provide effectively, for instance, in cases where we suspect potential payment difficulties; ➢ Sharing your information with relevant regulatory agencies, tax authorities and law enforcement agencies – it’s in our legitimate interest to help prevent and detect criminal activities including fraud and money laundering, and to cooperate with lawful requests from government agencies; ➢ Sharing your information with other third parties such as our partners and service providers – it’s in our legitimate interest to use other service providers to provide some services for us and/or on our behalf; ➢ Conducting assessments, testing, analysis (including credit and behavioural scoring) and market research, where we produce reports and statistics to enhance our offerings and maintain a competitive edge while ensuring a high level of customer satisfaction. When conducting analysis, we may merge the information we possess with information obtained from outside sources – our legitimate interests are to continually improve and innovate our operations, including the development of new systems, products and services to achieve high levels of customer satisfaction. Most importantly, the resulting information we produce and share will not identify you as an individual and cannot be attributed to you; ➢ Handling enquiries and complaints – it’s well within our legitimate interests to make sure that complaints are investigated, resolved and prevented from reoccurring and to ensure you receive the best customer experience; ➢ Evaluating, developing and improving our services to you – it’s in our legitimate interest to constantly assess, enhance, or upgrade our offerings and the user experiences on our platforms to ensure high levels of service to our customers; ➢ Asserting and defending a legal claim – we have a legitimate interest in protecting the Bank from financial loss and potential legal liability arising from the fallout; ➢ Collecting any debts you owe to us – it’s in our legitimate interest to ensure the efficient and effective management of our business operations, including protecting and recovering owed debts and safeguarding our assets; ➢ Recording your image on our CCTV surveillance system when you visit our premises across our head office, branch network and ATMs – it’s in our legitimate interest to prevent criminal activity, protect our business and comply with various laws and regulations; ➢ Monitoring, recording and analyzing any communications between you and us, including phone calls – it’s in our legitimate interest to verify your instructions to us, in order to avoid and uncover fraud and other criminal activities (including identity theft), to analyze, evaluate and enhance our services to customers and for training purposes, to enhance the services we offer to our customers and to secure our business interests; ➢ Protecting our business interests and developing our business strategies – it’s in our legitimate interest to ensure the success and growth of the Bank, by safeguarding its assets, managing its resources efficiently and effectively, and planning for its future development. This involves analyzing market trends, customer needs and preferences, and other factors that could impact the business and making informed decisions about the direction of the company. By doing so, the Bank can remain competitive and provide a high level of service to its customers. |
8. How your personal information is stored
We will securely keep your personal data at all times.
We will ideally retain your information for a period of seven (7) years, during which we will implement security measures to protect your personal data from being lost, misused, or accessed without permission. We may hold your personal information for longer depending on the nature of your data and the purpose for which it was collected. Some of the instances include legal hold – a process that the Bank uses to preserve all forms of relevant information when litigation is reasonably anticipated. This would then require us to keep records for an undefined period.
Our retention of your personal information enables PBK to comply with its regulatory obligations. Your personal information will only be accessible to those individuals with a valid need to access it, and appropriate measures will be taken to maintain confidentiality during processing.
When it is no longer necessary to retain your personal data, we will securely delete or anonymize it.
9. Your legal rights
The Kenya Data Protection Act offers you, the data subject, several rights in relation to the personal data that we hold. These rights are afforded to you without charge and solely by virtue of your status as a data subject.
As holders of your information, we are bound to respond to your requests within reasonable time limits. These include:
- Right to access – this encompasses the right to seek confirmation as to whether your personal data is being processed, and, where that is the case, access to that personal data and various other information, including the purpose for the processing, with whom the data is shared, and for how long the data will be retained.
- Right to data portability – this right allows you to ask us to give you or a third party an electronic copy of the personal data you have given us.
- Right to rectification – this right provides you with the prerogative to ask us to correct personal data we hold.
- Right to restriction of processing – this right allows you to restrict how we use your personal data.
- Right of erasure – this provides you with the opportunity to ask us to delete personal data.
- Right to object – you have the right to object to ways we are using your personal data.
- Right to object to any automated decision-making – This right has been elaborated further in the ‘Automated decision-making’ section below.
- Right to withdraw any permission you have previously given to allow us to use your information – This is elaborated in the ‘Withdrawal of Consent’ section below.
Your ability to exercise these rights may be influenced by several factors. In some cases, we may not be able to accede to your request due to a valid reason; or if the specific right is not applicable to the information which we possess concerning you.
10. Sharing your information
We may share both biometric and non-biometric personal data only under lawful, limited, and clearly defined circumstances with third parties. We will ensure that recipients process it appropriately and take all necessary measures to protect it. In doing so, we will impose contractual obligations to ensure that your personal data is kept secure.
Such parties and instances in which we may share your personal information include:
- PBK’s branch network and subsidiaries with the aim to provide quality services to you. By sharing your information, we can provide services you request. This includes sharing for marketing purposes and internal reporting across our branch network.
- Courts, government institutions, regulators, law enforcement agencies and fraud prevention agencies may be provided access to personal data, including biometric data where applicable, as required by law. Such disclosures may occur in response to lawful requests, court orders, or to support criminal investigations, detect or prevent crime, or fulfill other legal obligations.
- Credit Reference Bureau (CRB) to conduct identity and background checks when assessing your ability to obtain credit.
- Insurance providers including underwriters, brokers, introducers, claims handlers, and other associated third parties to enable the provision of requested services.
- Representatives or advisers (such as accountants, lawyers, and other professionals), or any person you have told us is authorized to give instructions or use the account, products, or services on your behalf.
- Individuals or entities paying money into your account to confirm that the payment is being directed to the correct recipient.
- Payment processors and businesses that assist with payment transactions, as well as with financial institutions involved in payment schemes or specific payout arrangements.
- Third party service providers contracted to support operational tasks such as vendors who print account statements or deliver debit/credit cards or cheque books.
- Prospective investors in the event of a merger, acquisition, or capital restructuring.
PBK does not sell, lease, or transfer your personal data whether biometric or non-biometric to third parties for advertising or promotional purposes without your express and informed consent.
11. Transfer of data outside Kenya
We may from time to time be required to transfer your personal information outside Kenya to meet our legal and/or contractual obligations.
In the event your personal information is required to be transferred outside Kenya, we are bound by the Data Protection Act to ensure that the organizations to which we transfer your information provide a reasonable, if not equivalent, level of protection to your information as we do.
Any contract that we form with any such organization will spell out conditions they need to meet to adequately protect the information they receive.
12. Automated decision making
We implement automated decision-making processes using your personal information tailored towards specific situations. Some of these situations work towards fulfilling legal or contractual obligations, as well as preventing the occurrence of a crime.
Such situations may include:
- When we are making decisions on what services are suitable to you based on your customer portfolio; or whether to offer you credit, based on an assessment of your credit history.
- When conducting financial crime checks.
Further, we analyze and process your personal information and reconcile it with various factors based on your customer portfolio, which helps us provide a personalized experience of our services unique to you as our valued customer. We refer to this as profiling. This helps us provide incentives such as personalized offers and recommendations for a better experience utilizing our services.
Your rights regarding automated decision making are set out in the ‘Your legal rights’ section of this Notice. Our contact information is given in the ‘Complaints’ section below in case you need further clarification on this.
13. Withdrawal of consent
You have the right to withdraw your consent for the processing of your personal data at any time.
To do so, please contact us using the details provided in the ‘Complaints’ section below.
Please note that withdrawing your consent does not affect the lawfulness of any processing that was carried out before you withdrew your consent. Further, in some cases, we may be required to continue processing your personal data despite your withdrawal of consent, for example, where we have a legal obligation to do so. The details regarding this have been reflected in the table drawn in the ‘Purposes for use of your information’ section.
14. Cookies
We employ the use of cookies and similar technologies across our websites, applications and e-mails. Cookies are small text files that are stored on your computer or mobile device when you visit a website or use an application. These cookies are then recognized by the website or app upon subsequent visits.
We use cookies as a means of gathering information, mainly to curate your online experience by remembering your preferences and letting you navigate efficiently between pages and, above everything else, to improve your whole online experience.
We have implemented a cookie policy on our websites and applications which provides additional information about cookies, how and where we use them, and how you can control your preferences.
15. Complaints
Should you have any complaints or queries about anything relating to the privacy of your personal data, or any other data protection issues, please let us know through:
Address: Premier Bank Kenya, Mihrab Building, Mez1, Ring Road, Kilimani; P.O Box 26219-00100.
Phone: 0202843000/0725843000
Email: dpo@premierbank.ke
Additionally, you also have the right to make a complaint at any time to the ODPC, which is the supervisory authority for data protection issues in the Republic of Kenya. You may lodge a complaint with the ODPC through: https://www.odpc.go.ke/file-a-complaint/