Privacy Notice
Effective date – 08th March, 2024
Data Privacy Notice
Kenya Bankers Savings and Credit Co-operative Society Limited – The Kenya Bankers
1. Definition
TKB – refers to The Kenya Bankers
Applicable Law – All Acts of Parliament including regulations, rules, guidelines, guidance noted issued pursuant to the any Act of Parliament, legislative and regulatory requirements, and codes of practice applicable to the processing of personal data and/or applicable to a data controller or data processor as may be amended from time to time.
Personal Data – means any information relating to an identified or identifiable natural person.
Processing – means an operation or activity or set of operations or activities performed on personal data whether or not by automated means.
Processor – is a natural or legal person, authority, organization, or other agency that processes Personal Data on behalf of the Controller.
Controller – means the natural or legal person, authority, organization, or other agency that makes decisions individually or together with other parties regarding the purposes and means for processing Personal Data
Third Party – means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor, Sub-processor, and persons who, under the direct authority of the Controller, Processor or Sub-processor, are authorized to process Personal Data.
2. Privacy Notice Usefulness
This privacy notice explains how The Kenya Bankers (“we” or “our” or “us”), collect, use or disclose personal data online and offline in connection with the services we provide as defined in the Processing Activities and Legal Basis section below. We refer to the individuals whose personal data (as defined below) we process, such as individuals who work for or are otherwise engaged by, or interact with us, our clients and prospective clients, their affiliates or other third parties in connection with the services, as “you” in this notice. This notice also explains how we collect, use, share and protect personal data.
In this Privacy Notice, we shall inform you about the collection, use and processing of personal data when using our website https://www.kenyabankers.coop/ (hereinafter: “Website”), our web application (hereinafter: “Web App”) and our KB Connect (hereinafter: “App”; jointly called: “Services”). In so far as information refers exclusively to our Website, Web App or App, we shall explicitly point this out to you. In this context, personal data means all detailed information about personal or factual circumstances of a specific or identifiable natural person, such as e.g.name, telephone number or address.
In addition to that -if necessary for providing our services-we transfer personal data to other companies with other third parties who process your data permissibly (e.g., to execute orders or contracts or because of your given consent).
Furthermore, we process personal data coming from publicly accessible sources (e.g., credit records, trade registers, tax registers, media, press, internet). The collecting and processing of publicly available data is permitted. When using additional The Kenya Bankers products or products of our business partners additional personal data might be collected, processed, and stored.
3. Responsible Authority
The authority responsible for the collection, processing and use of personal data is:
Kenya Bankers Savings and Credit Cooperative Society Limited- The Kenya Bankers
Registration: C/S2299
The Kenya Bankers Center, 3rd Ngong Avenue
P.O. Box 73236 – 00200 Nairobi, Kenya
Tel: 254-0205146500
The Kenya Bankers has appointed a Data Protection Officer, who is accessible via dp@kenyabankers.coop.
4. The Data We Collect
The Kenya Bankers will collect, use, store and transfer different kinds of Personal Data about you which we have grouped as follows:
| Categories of Personal Data | Description | Personal Data |
|---|---|---|
| Personal Contact Data | An individual’s personal contact information | Name, username/alias, home address, home/personal phone number, personal email address billing address |
| Identity data | name, username or similar identifier, photo, marital status | |
| Date of Birth | An individual’s date of birth | Date of birth |
| Disability Data | Information regarding a person’s disabilities required to accommodate special needs | Disability data |
| Gender | Information regarding a person's gender | Gender |
| National Identifier | Information containing a person's country specific National Identifier | National Identity card/Passport, Visa, Alien ID |
| Online Identifier | A means of identifying an individual by associating informational traces an individual leaves when operating online | Cookies, pixel tags, web beacons, locally stored objects, unique device identifiers (for example Media Access Control (MAC) and Internet Protocol (IP) addresses, smart device information, mobile phone network information, your login identity data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our systems |
| Proof of Address | Information found on utility bills | Utility bills |
| Signature | Any symbol, character, sound or mark made by an individual with the intent to authenticate or authorize a transaction, agreement, or written or electronic document | eSignature, DocuSign, web signature, copy of written signature, ink signature |
| Unique Personal Identifier (Tax Identification Number) | Information containing a person's unique identifier for an Individual Tax Identification Number | Individual Tax Identification Number (“KRA PIN”) |
| Financial data | financial statements | Bank account number, bank balances, salary payments, digital wallets, card payment details and other electronic or non-electronic payment details. |
| Transaction data | Payment details | Payments to and from you and other details of products and services you have acquired from us and third parties. |
| Biographies | Information pertaining to an individual’s work history, professional experience, languages spoken, and/or education | Job history, professional experience (including company names and titles), education (schools, degrees), languages spoken, photograph |
| Profile | profile identification information | profile identification information, purchases or orders interests, preferences, feedback, and survey responses. |
| Direct marketing | Marketing and communications data | preferences in receiving marketing information from us and our third parties and your communication preferences. |
| Sensitive data | special categories of Personal Data | fingerprints, race, pregnancy status, ethnic or social origin, bank account number, bank balances, salary payments, digital wallets, card payment details |
5. Data processing purpose and legal basis
We process your personal data in accordance with the Data Protection Act No. 24 of 2019 if at least one of the following applies.
| Purpose | Reasons for Processing | Categories of Personal Data | Legal Basis |
|---|---|---|---|
| Anti-Money Laundering/ Know-your Customer Requirements | To comply with applicable AML/KYC laws and regulations, including identifying beneficial owners, conducting background checks, monitoring, and performing other checks to meet anti-terrorism financing legal requirements. As required by applicable laws, this may involve processing your political affiliations, criminal convictions, or allegations of offenses. |
Business Contact Data, Personal Contact Data, Date of Birth, Place of Birth, National Identifier, Visa, Passport, Nationality and Citizenship Data, Unique Personal Identifier (Driver's License, TIN), Signature, Proof of Address
Sensitive Personal Data Criminal Records Third Party Source: internet search providers and database providers specialized in intelligence used to verify and authenticate identities and intelligence on financial crimes |
Compliance with applicable laws rules and regulations for which The Kenya Bankers is in scope. |
| Account Opening |
● To obtain all enterprise and regulatory requirements for your onboarding, expansion of services and account maintenance. ● To obtain the necessary information to open accounts as required to enable your trading or other activities. |
Personal Contact Data, Business Contact Data |
Legitimate Interests To capture and maintain accurate data for your accounts |
| Regulatory and Compliance Obligations |
● To comply with applicable laws and regulations (including any legal or regulatory guidance, codes or opinions). ● To comply with sanctions procedures and other legal process and law enforcement requirements including any internal policies which are based on, or reflecting, legal or regulatory guidance, codes or opinions. ● To comply with non-financial regulatory reporting requirements established by regulators, tax authorities and government bodies across jurisdictions. |
Personal Data as relevant for each specific regulatory and compliance obligation. |
Legitimate Interests ● To implement internal controls ● To comply with reporting requirements of regulators, tax authorities and governmental bodies |
| Client Communications and Relationship Management |
● To directly communicate with you in order to help improve the products and services we provide, or in relation to a product or service in which you have expressed an interest, such as sharing of our case studies, capabilities materials, deal proposals, offers, market trends, insights, strategies and trade ideas. ● To handle your complaints. |
Business Contact Data |
Legitimate Interests ● To provide information to and to communicate with you regarding the services we provide or in relation to other services/products in which you have expressed an interest ● To handle any complaints in relation to the services we provide |
| Events Management and Execution |
● To register and confirm attendance at virtual or in-person events and conferences. ● To notify you about events for awareness, as part of our services to you. ● To facilitate event management, virtual or in-person. |
Business Contact Data, Signature, Personal Contact Data, Contact Data , |
Legitimate interest ● To accommodate requirements of events attendees whenever possible Consent ● To obtain consent Explicit Consent ● Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. |
| Legal and Compliance |
● To fulfil our legal and compliance-related obligations. ● To enforce our terms and conditions. ● To protect our operations. ● To protect our rights, privacy, or our property. ● To allow us to pursue available legal remedies, defend claims and limit the damages that we may sustain. |
Personal Data as relevant for each specific legal action, regulatory investigation, and/or other legal processes in question |
Legal obligations ● Such as complying with legal processes. Legitimate interests ● Such as enforcing terms and conditions, protecting trademarks and bringing or defending legal claims. |
| Readership |
● To protect our Intellectual Property (IP) ● To understand readership levels and use ● To fulfill our regulatory obligations ● To provide quotations for our products ● To ensure compliance with terms and conditions |
Readership Data including level of usage and research access |
Legal Obligation ● Complying with regulatory obligations Legitimate Interest ● For the purpose of, or as a result of, providing products and services to you or otherwise in connection with fulfilling your instructions ● Where it is necessary in connection with any contract that you enter into with us (including prior to entering into such contract with us) |
| Behalf of The Kenya Bankers | ● To safeguard industry practices | Personal Data as relevant |
Legal Obligation ● Complying with regulatory obligations ● Contractual obligation |
| Delivery of our Services |
● Data access and data transfer to credit agencies (e.g. Metropol) to determine credit risks. ● Examination and Optimization of processes concerning requirement analysis and customer approach including customer segmentation and calculation of probability of default and closure. ● Marketing or market and opinion analysis ● To ensure IT security ● To prevent criminal acts ● For business management and the development of services and products ● Risk management within The Kenya Bankers |
Personal Data as relevant |
Legal Obligation ● Complying with regulatory obligations ● Contractual obligation |
| Transaction services | To fulfil our legal, compliance and contractual related obligations | Personal Data as relevant |
Legitimate interest ● To accommodate requirements of the transaction whenever possible Consent ● To obtain consent Legal Obligation ● Complying with regulatory obligations ● Contractual obligation |
6. Marketing
We respect your preferences regarding the use of your Personal Data for marketing purposes. To ensure your control over your data, we have established the following mechanisms:
Promotional offers from us: We may use your identity, contact, technical, usage, and profile data to assess your preferences and interests. This helps us determine which products, services, and offers may be of interest to you. You will receive marketing communications from us if you have requested information or used our products and services unless you have opted out of receiving such information.
Third-party marketing: We may share your Personal Data with third parties for marketing purposes if we believe that the marketing information from such third parties will be relevant to you and if we have obtained your prior consent.
Opting Out: You can ask us or third parties to stop sending you marketing messages at any time by writing to us, logging into the relevant website to adjust your marketing preferences, following the opt-out links on any marketing message sent to you, or by contacting us through the provided contacts.
Please note that opting out of receiving marketing messages will not affect Personal Data provided to us as a result of product or service subscriptions, warranty registration, product or service experiences, or other transactions.
7. Transfer of Your Personal Data
The Kenya Bankers reserves the right to transfer your personal information to facilitate the execution, administration, and security of any product or service for which you have applied, or for any other purpose outlined in this privacy statement. Such transfers may involve disclosing personal data to regulatory or supervisory authorities, third-party contractors, subcontractors, as well as their subsidiaries and affiliates, who provide support to The Kenya Bankers in delivering its services.
These third-party providers may engage their own subcontractors with access to personal data (sub-processors). It is our policy to exclusively engage third-party providers bound by contractual obligations to maintain appropriate levels of security and confidentiality. They are obligated to process personal information solely as directed by The Kenya Bankers and are required to extend these same obligations to their sub-processors.
This ensures that your personal data is handled with the utmost care and in accordance with data protection regulations.
8. Cross Border Transmission
Your data is primarily stored in our data centers located within your country. However, there may be occasions when we need to transfer your personal information outside your country. This includes countries that may not have laws providing specific protection to your personal data.
When we transfer your information outside your country, we ensure that there are adequate data protection safeguards in place in the recipient country or we obtain your consent for the transfer of your personal information. Before transferring personal data outside your country, we ensure that the transfer complies with legal and regulatory standards.
9. Cookies
The Kenya Bankers uses cookies and similar technologies on our websites, apps, and in our emails. Cookies are small text files stored on your computer when you visit certain web pages. These cookies are used to enhance your online experience and provide personalized features.
Cookies perform various functions, such as allowing you to navigate between pages efficiently, remembering your preferences, and improving your overall online experience. They also help us understand how you interact with our emails, allowing us to improve our future email communications.
You can control and manage cookies in your browser settings. Most web browsers allow you to accept or decline cookies or to receive a notification when a cookie is placed on your device. You can also disable social plugins by adjusting your browser settings or by not interacting with the social media features on our website.
For more information on cookies, social plugins, and how we use them, please refer to the cookies and privacy policy on our websites and apps.
10. Other disclosures
The Kenya Bankers may disclose your personal information as required by law, to enforce agreements, or to protect the rights, property, or safety of The Kenya Bankers, its clients, customers, employees, or others.
The Kenya Bankers may disclose, respond, advise, exchange, and communicate personal data and/or information in its possession relating to you outside The Kenya Bankers. This includes personal data obtained before, during, or after the SACCO-customer relationship, provided that such personal information is treated confidentially by the recipient. The purposes for such disclosure may include:
- To any of The Kenya Bankers entity or subsidiary, including any officer, employee, agent, delegate, or director of The Kenya Bankers.
- To any debt collection agency subscribed to us, credit reference agency or bureau, rating agency, correspondents, insurer, or insurance broker, direct or indirect provider of credit protection, and fraud prevention agencies.
- To your legal representative and their legal advisers, upon your death or mental incapacity.
- To any person authorized to operate your account and to act on your behalf in giving instructions or to perform any other acts under any agreement or use any product.
- To any court, tribunal, regulator, enforcement agency, exchange body, tax authority, or any other authority (including any authority investigating an offense) or their agents.
- To public authorities and institutions (e.g., Regulatory Authority, Financial Authorities, Law Enforcement Agencies).
- To other credit and financial services institutes or similar institutions, to which we transmit personal data that are necessary for the performance and processing of the business relationship. For instance, external lawyers, auditors, valuers, survey agencies)
- To other companies we partner with for risk controlling due to legal or official obligation.
- To your employer whereby savings and loan repayments originate through payroll intervention.
- To service providers who are processing personal data on behalf of The Kenya Bankers. Where processing of personal data is carried out on behalf of The Kenya Bankers, we conclude a separate contract with the processor with respect to this processing.
11. Retention of Personal Data
The Kenya Bankers adheres to data protection regulations regarding the retention of your personal data. We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including the maintenance of an ongoing relationship with you.
Your personal data may be retained for up to seven (7) years, or as required by applicable laws and regulations. The Kenya Bankers has established specific records management and retention policies and procedures to ensure that personal data is securely deleted after a reasonable time.
12. Data Subject’s Rights
Subject to legal and contractual exceptions, you have rights under applicable laws regarding your Personal Data. These rights include:
- The right to be informed about the collection and processing of your personal information.
- The right to rectify inaccurate or incomplete personal data.
- The right to withdraw consent to the processing of your personal data. However, we may continue processing for legitimate interests or legal grounds.
- The right to object to processing of all or part of your personal data, except where obligated by law or entitled to do so.
- The right to request erasure of your personal data held by us unless we are entitled or obliged by law to retain it.
- The right to access your personal data in our possession.
- The right to not be subjected to profiling or automated decision making regarding your Personal Data, unless obligated by law or entitled to do so.
- The right to request your personal data to be processed in a restricted manner, unless entitled to or legally obliged.
- The right to data portability in a manner we deem appropriate, such as electronic format.
13. Exercising Your Data Protection Rights
We are committed to ensuring that you can easily exercise your data protection rights in compliance with applicable regulations. To exercise any of the above rights, you can make a request through the Contact Us page on the website, or by contacting our Data Protection Officer (DPO) using the contact details provided in this Privacy Notice. If you believe that we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with the appropriate regulatory authority.
We may need to request specific information from you to confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information to speed up our response.
We try to respond to all legitimate requests within a reasonable time. Occasionally, it could take us longer if your request is particularly complex or if you have made a number of requests. In such cases, we will notify you and keep you updated.
14. Security Assurance
We have implemented robust security measures to protect your Personal Data against unauthorized access, alteration, disclosure, or loss. Access to your Personal Data is restricted to employees, agents, contractors, and other third parties who have a legitimate business need to access this information. These individuals are bound by confidentiality obligations and will only process your Personal Data according to our instructions.
Furthermore, we have established procedures to address any suspected personal data breaches. In the event of a breach, where legally required, we will notify you and the relevant regulatory authorities.
15. Changes to This Privacy Notice
We reserve the right to update or modify this Privacy Notice at any time. We will notify you of any changes by posting the revised Privacy Notice on our website or through other appropriate means.