Premier Bank Kenya Privacy Statement
1. Purpose and scope
Premier Bank Kenya (“PBK” or “We”) is committed to protecting the personal data of all our clients and other data subjects (“You”).
This Privacy Notice (“Notice”) informs you of:
- Who we are;
- What personal information we collect about you;
- How we collect, use, store and share your personal data;
- Your privacy and other related rights under the provisions of the Data Protection Act and Regulations; and
- How to contact us or the Office of the Data Protection Commissioner (ODPC) if you have a complaint.
We are committed to preserving the privacy of your data so that we can:
- deliver services of a high quality to all our clients;
- at all times comply with the law and the various regulations that we are subject to;
- preserve the confidentiality of your personal data;
- meet the expectations of customers/clients; and
- protect our reputation.
We advise that you read and understand this Notice as we want to be sure that you are fully cognizant of how and for what purposes your data is being used.
2. Who we are.
Premier Bank Kenya is a commercial bank licensed and regulated by the Central Bank of Kenya. Our Head Office is located at Mihrab Building, Mez1, Ring Road, Kilimani; P.O Box 26219-00100 Nairobi, Kenya.
To provide services that exceed your expectations, we need to collect, use, and process or deal with certain personal information about you. When we do so we are subject to the provisions of the Kenya Data Protection Act, 2019.
This statement will apply where we are acting as a data controller in relation to your personal data, and where we have a supervisory role in relation to how personal data is collected, stored, used and shared. As such, we are responsible as a ‘data controller’ of that personal information for the purposes of the Act, as we decide how to use that information about you; hence, we are primarily responsible for that data. This may include your name, date of birth, address, contact information, financial information, employment details and device identifiers, including IP addresses.
Do note that by the ‘processing’ of your personal data within this context, we refer to using your personal data by collecting it, using it, storing it, communicating it to other people (with your consent or as part of our services to you) or deleting it.
Furthermore, the terms and provisions of this Notice may be changed, updated and amended from time to time. If that happens, during the time when we are providing you with our products and services, we will inform you of those changes.
3. Your personal data
While providing our services, we will collect some information about you, some of which will be termed personal data. Personal data is any information that may be used to identify an individual (natural person).
The personal information we will collect from you includes:
- Your name and personal details, including your date of birth, your ID number and other identification details;
- Your contact details including address, telephone and/or mobile number, and email address;
- Financial details relating to you, including details of your bank account if money is, or is likely to need to be, sent to you, billing information and debit / credit card details, and your financial history;
- Transactional history details (for example, payments you make and receive); and
- Proof of income (such as payslips or bank statements) if you provide these when you apply for a particular product.
Do note that any information that we possess about you is collected directly from you through your interactions with our services. This may be through your visits to our various branches and online platforms; contacting us by email, letters, telephone or through our website or social media handles; or using our internet and mobile banking services through the MyPremier Mobile and Internet Banking applications.
There are other instances in which we will collect information about you from other sources if the need arises. Examples of these sources include:
- people appointed to act on your behalf (e.g., advisers, agents, joint account holders, lawyers);
- from third parties with whom you have a relationship, including banks, employers, and professional bodies;
- credit reference bureaus (who may check their information against other databases – public or private – they have access to);
- fraud prevention agencies; and
- publicly available sources, such as land and companies’ registries, professional records, and other membership records; online registers or directories.
This information is needed so that we can provide effective and efficient products and services to you. If you do not provide the personal data asked for, we may be delayed or prevented from providing such products and services.
Please note that it is paramount that we try as much as possible to keep your information as accurate and as current as possible. We ask that you keep us informed if any changes occur regarding your personal data during the tenure of your relationship with us.
4. Personal data belonging to children
The Bank provides services and products which are principally aimed at children.
Please note that we do not intentionally process personal data relating to children without the verifiable consent of their parent/s or legal guardian. If we become aware that we have inadvertently collected personal data of a child/minor without verifiable consent, we will take appropriate measures to delete that information as soon as possible.
We encourage parents and guardians to be involved in their children’s online activities and to monitor and supervise their children’s use of our website or services.
In the event you are a child, or if you represent the interests of a child, and you wish to seek further clarification on how we use your data, please reach out to us using the details in the Complaints section, and we will be able to advise further.
5. Sensitive personal data
Sensitive personal data includes details about your race or ethnicity, conscience, belief, sex life, sexual orientation, health and genetic data. Do note that we only process such data where necessary and where it is most relevant.
That said, it is important that you take note that such data will only be used if it is deemed necessary for the public interest, as part of a legal proceeding, or if we have obtained your explicit consent. We ensure that all legal requirements are met in the handling of this information.
6. Purposes for use of your information.
We only collect your personal information for the purposes for which it was collected, or where we have a proper reason for using it.
Such proper reasons or legal bases for processing such data include:
- Where you have given consent to the use of your personal data for one or more specific purposes. This may include marketing or advertising purposes, for instance. Please note that you may withdraw your consent at any time as set out in this Notice – and withdrawn consent does not affect the legality of data processed prior to such withdrawal;
- Where the use is necessary for the performance of a contract to which you are party, or in order to take steps at your request prior to entering a contract;
- Where the use is necessary for compliance with a legal obligation that we are subject to, including preventing fraud, money laundering or regulatory obligations;
- Where the use is necessary to protect your vital interests or those of another person;
- Where the use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us. In the case of sensitive personal data, it is in the substantial public interest (e.g., to support you if you are or become a vulnerable customer); and
- Where the use is necessary for the purposes of our legitimate interests or those of a third party, except where those interests are overridden by your interests or fundamental rights and freedoms.
As such, we collect your personal information purely for legal and lawful purposes.
In this context, such purposes include:
- to provide and avail our products and services to you;
- to prevent fraud and money-laundering, and to verify and confirm your identity before we provide services to you;
- to communicate with you;
- to protect our business interests or to prevent fraud;
- to meet obligations we have under any laws, rules, and regulations that apply to any of the products and services we provide to you; and
- to keep you informed about products and services you hold with us and to send you information about products or services (including those of other companies) which may be of interest to you.
The following table goes a step further in highlighting how your personal data may be utilized and the lawful bases on which the purposes for use are founded.
7. How your personal information is stored
We will securely keep your personal data at all times.
We will ideally retain your information for a period of seven (7) years, during which we will implement security measures to protect your personal data from being lost, misused, or accessed without permission. We may hold your personal information for longer depending on the nature of your data and the purpose for which it was collected. Some of the instances include legal hold – a process that the Bank uses to preserve all forms of relevant information when litigation is reasonably anticipated. This would then require us to keep records for an undefined period.
Our retention of your personal information enables PBK to comply with its regulatory obligations. Your personal information will only be accessible to those individuals with a valid need to access it, and appropriate measures will be taken to maintain confidentiality during processing.
When it is no longer necessary to retain your personal data, we will securely delete or anonymize it.
8. Your legal rights
The Kenya Data Protection Act offers you, the data subject, several rights in relation to the personal data that we hold. These rights are afforded to you without charge and solely by virtue of your status as a data subject.
As holders of your information, we are bound to respond to your requests within reasonable time limits.
These include:
- Right to access – this encompasses the right to seek confirmation as to whether your personal data is being processed, and, where that is the case, access to that personal data and various other information, including the purpose for the processing, with whom the data is shared, and for how long the data will be retained.
- Right to data portability – this right allows you to ask us to give you or a third party an electronic copy of the personal data you have given us.
- Right to rectification – this right provides you with the prerogative to ask us to correct personal data we hold.
- Right to restriction of processing – this right allows you to restrict how we use your personal data.
- Right of erasure – this provides you with the opportunity to ask us to delete personal data.
- Right to object – you have the right to object to ways we are using your personal data.
- Right to object to any automated decision-making – This right has been elaborated further in the ‘Automated decision-making’ section below.
- Right to withdraw any permission you have previously given to allow us to use your information – This is elaborated in the ‘Withdrawal of Consent’ section below.
Your ability to exercise these rights may be influenced by several factors. In some cases, we may not be able to accede to your request due to a valid reason; or if the specific right is not applicable to the information which we possess concerning you.
9. Sharing your information
We will from time to time share your information with third parties.
We will always ensure that those with whom it is shared process it in an appropriate manner and take all necessary measures to protect it. In doing so we will impose contractual obligations on all such parties to ensure that your personal data is kept secure. We will only ever allow others to handle your personal data if we are satisfied that their measures to protect your personal data are satisfactory.
Such parties and instances in which we may share your personal information include:
9.1. PBK’s branch network and subsidiaries – PBK aims to provide quality services to its customers. By sharing your information, we can provide services which you have requested. Purposes for sharing information include marketing purposes and internal reporting on its customers within its branch network.
9.2. Government institutions/regulators (e.g., KRA, EACC, CBK, FRC) and fraud prevention agencies – We may share information with them to help fulfil their lawful duties such as criminal investigations, or prevention of crime.
9.3. Credit Reference Bureau (CRB) – Our purpose for sharing your information with CRB is for due diligence purposes such as identity and background checks while making decisions about your ability to obtain credit.
9.4. Insurance providers – We may share personal data with insurance providers including underwriters, brokers, introducers, claims handlers and other such associated third parties to enable us to provide services requested.
9.5. Representatives/advisers – We may be obligated to share personal data with your representatives/advisers (such as accountants, lawyers, and other professional advisers) who you have authorised to represent you, or any other person you have told us is authorised to give instructions, or use the account, products, or services, on your behalf (such as under a power of attorney).
9.6. Third party payers – We may share your name with anyone paying money into your account to confirm payment is being made to the right account.
9.7. Payment-processing service providers – We may share personal data with payment-processing companies and other businesses that assist us in processing your payments, as well as financial institutions that are members of the payment schemes (e.g., Visa) or involved in making payouts for specific types of payment.
9.8. Our service providers and agents (including their subcontractors) – We may share personal data with our service providers. For instance, where we pass your details to someone who will print your statements or deliver a debit/credit card or cheque book.
10. Transfer of data outside Kenya
We may from time to time be required to transfer your personal information outside Kenya to meet our legal and/or contractual obligations.
In the event your personal information is required to be transferred outside Kenya, we are bound by the Kenya Data Protection Act to ensure that the organisations to which we transfer your information adequately provide a reasonable, if not equivalent, level of protection to your information as we do.
Any contract that we form with any such organizations will spell out conditions they need to meet to adequately protect the information they receive.
11. Automated decision making
We implement automated decision-making processes using your personal information tailored towards specific situations. Some of these situations work towards fulfilling legal or contractual obligations, as well as preventing occurrence of a crime.
Such situations may include:
- When we are making decisions on what services are suitable to you based on your customer portfolio; or whether to offer you credit, based on an assessment of your credit history.
- When conducting financial crime checks.
Further, we analyse and process your personal information and reconcile it to various factors based on your customer portfolio, which helps us provide a personalized experience of services unique to you as our valued customer. We refer to this as profiling. This helps us provide incentives such as personalized offers and recommendations for a better experience utilizing our services.
Your rights regarding automated decision-making are indicated in the ‘Your legal rights’ section in this Notice. Our contact information is indicated in the Complaints section below in case you need further clarification on this.
12. Withdrawal of consent
You have the right to withdraw your consent for the processing of your personal data at any time.
To do so, please contact us using the details provided in the ‘Complaints’ section below.
Please note that withdrawing your consent does not affect the lawfulness of any processing that was carried out before you withdrew your consent. Further, in some cases, we may be required to continue processing your personal data despite your withdrawal of consent, for example, where we have a legal obligation to do so. The details regarding this have been reflected in the table drawn in the ‘Purposes for use of your information’ section.
13. Cookies
We employ the use of cookies and similar technologies across our websites, applications and e-mails. Cookies are small text files that are stored on your computer or mobile device when you visit a website or use an application. These cookies are then recognized by the website or app upon subsequent visits.
We use cookies as a means of information gathering, mainly aimed at curating your online experience by remembering your preferences and letting you efficiently navigate between pages; and, above everything else, at improving your whole online experience.
We have implemented a cookie policy on our websites and applications which provides additional information about cookies, how and where we use them, and how you can control your preferences.
14. Complaints
Should you have any complaints or queries about anything relating to the privacy of your personal data, or any other data protection issues, please let us know through:
Address: Premier Bank Kenya, Mihrab Building, Mez1, Ring Road, Kilimani;
P.O Box 26219-00100.
Phone: 0202843000/0725843000
Email: dpo@premierbank.ke
Additionally, you also have the right to make a complaint at any time to the ODPC, which is the supervisory authority for data protection issues in the Republic of Kenya. You may lodge a complaint with the ODPC through: https://www.odpc.go.ke/file-a-complaint/.