DATA PRIVACY STATEMENT

1 INTRODUCTION AND GENERAL TERMS

Kenya Post Office Savings Bank relies on the goodwill and trust of the public. We are committed to safeguarding your personal data. When you provide us with your personal data, we are legally obliged to use the personal data in line with all laws concerning the protection of personal data, including the Data Protection Act 2019 (the “Data Protection Act” or the “DPA”). We are also bound by banking sector rules of confidentiality.

Please read this Data Privacy Statement carefully to understand our personal data management practices. This Data Privacy Statement explains:

• What personal data we process;
• How we use the personal data;
• Why we need the personal data;
• Who we will share your personal data with;
• Your rights and how to exercise them;
• When we will use your personal data to contact you; and
• How to contact us.

2 WHAT PERSONAL DATA DOES THE BANK COLLECT?

We may collect the following from you:

2.1 Identification Information

Individual Accounts (Adults): We collect basic identifying documents such as passports, national IDs, military IDs or driver’s licenses. In addition, we collect your KRA PIN.

Individual Accounts (Minors): We collect basic identification information in the form of a Birth Certificate. We also collect basic identifying documents of the parent/guardian such as a national ID, passport, military ID or driver’s license. In addition, we collect the KRA PIN of the parent/guardian.

Incorporated and Unincorporated Bodies: We collect and verify the identities of the shareholders, beneficiaries, partners, trustees and directors of an entity.

2.2 Contact Information

If you enter your contact details in any of the Bank’s forms, the Bank will use this information to contact you. This includes your postal address, phone number, email address or mobile number.

2.3 Transaction Information

In the course of our relationship with you, we will receive instructions from you to provide certain services. We will process your transaction information under your instructions, including your bank account number, credit or debit card number, financial history, payments you make and receive, instructions relating to payment-initiation services etc. We will also collect information about any other Bank products and services you currently have, or have had in the past.

2.4 Credit Information

We will from time to time consult third parties for information relating to your credit history. We will only collect credit information from licensed credit rating bureaux.

2.5 Digital Information

We process your digital information such as your IP address, the device type used to access the service and the duration for which your session lasted when you use our digital services. Such digital information will be collected by our systems and processed in line with our IT Policy and our Cookie Policy. We shall, however, ask for your consent prior to placing cookies on your devices.

2.6 Surveillance Data

Our premises are always under CCTV surveillance in order to aid in the prevention, detection and investigation of any criminal activity. We may also monitor and record any communications between you and us, including phone calls, for quality control and training purposes.

3 DO YOU COLLECT DATA FROM ANY OTHER SOURCES?

We may collect personal data from other sources such as:
• Licensed credit rating bureaux;
• Fraud prevention agencies;
• Employers;
• People appointed to act on your behalf;
• Other banks and financial institutions;
• Publicly available sources, such as media stories and online registers or directories.

4 WHAT LEGAL BASIS DOES THE BANK HAVE TO COLLECT MY DATA?

The Bank may only process your personal data where there is a lawful basis to do so.

Information / Lawful basis

Identification Information

• Required in order for the Bank to enter into a contract with you. It also enables the Bank to verify your instructions and act on them accordingly.
• Required to meet our reporting requirements under local and international laws.
• Protects the legitimate interests of the Bank, as it enables us to detect, prevent and investigate fraud, money laundering and other crimes.

Contact Information

• Required for the Bank to verify your instructions and act on them accordingly.
• Required to communicate with you on the provision of our services to you, to help you manage your account and to keep you updated on developments affecting your account.
• Required to meet our reporting requirements under local and international laws.
• Protects the legitimate interests of the Bank as it enables us to provide you with information about our products and services that you may be interested in. We will make sure your consent is obtained prior to sharing any marketing material.

Transaction Information

• Required in order for the Bank to provide you with the services you require.
• Required to meet our reporting requirements under local and international laws.
• Protects the legitimate interests of the Bank as it enables the bank to detect, prevent and investigate fraud, money laundering and other crimes.
• Protects the legitimate interests of the Bank as it enables us to optimize our products depending on your needs and usage patterns.
• Your transaction information may be aggregated and processed in an unidentifiable form for purposes of statistical analysis and market research. With your consent, our analysis of your spending patterns may be used to market certain products and services to you. You may withdraw your consent to such marketing at any time after giving it.

Credit Information

• Protects the legitimate interests of the Bank as it enables us to provide credit services in a more cost-effective manner by allowing us to provide better lending rates to customers with a proven history of repaying their outstanding loans. It also enables us to run our business with care and prudence by making sure assets are protected.

Digital Information

• Required in order for the Bank to provide you with the services you require.
• Protects the legitimate interests of the Bank for cyber security purposes and enables the Bank to optimize our products depending on your needs and usage patterns.

Surveillance Data

• Protects the legitimate interests of the Bank in detecting and preventing crime.
• Protects the legitimate interests of the Bank as it enables us to monitor complaints, train our staff and be more responsive to your needs.

5 HOW LONG WILL MY DATA BE HELD?

Your personal data will be held for as long as you are a customer of the Bank. Once you cease to be a customer, we will only retain the personal data necessary for the purposes of:

1. Establishing or defending a legal claim;
2. Fulfilling a legal obligation;
3. Fraud monitoring; or
4. Business analysis or audit purposes.

We may, however, retain any derivative information (such as statistical data and analytics) for an indefinite amount of time on the condition that such data will have all personal markers removed and your personal data will be unidentifiable.

6 YOUR RIGHTS AND HOW TO EXERCISE THEM

You have rights when it comes to how we handle your personal data. These include rights to:

i. Receive certain information about our processing activities;
ii. Request access to your personal data that we hold;
iii. Ask us to erase your personal data if it is no longer necessary for the reason for which it was collected;
iv. Ask us to rectify inaccurate personal data or to complete incomplete personal data;
v. Restrict processing in specific circumstances;
vi. Request information on the safeguards adopted by the Bank when your personal data is transferred outside of Kenya;
vii. Be notified of a personal data breach which is likely to result in high risk to your rights and freedoms;
viii. Withdraw consent to receiving marketing material at any time; and
ix. Receive or ask for your personal data to be transferred to a third party in a commonly used, machine-readable format.

You can exercise your rights by making a written request to us. Your request will be promptly attended to. Where we are unable to honor your request due to the nature of the processing or to protect our own legitimate interests, we shall inform you of the reason for our denial of your request.

7 WILL I BE SUBJECT TO ANY AUTOMATED DECISION MAKING?

We may use automated decision-making to evaluate certain aspects relating to you, in particular to analyze or predict aspects concerning your economic situation, credit limits, money laundering involvement, political exposure, payment reliability, behavior and dormant account status. Any decision the Bank makes based on automated processing will be reviewed by a bank official in order to avoid algorithm bias and similar loopholes. We will let you know of this and will give you an opportunity to request a review of any decision made by automated means.

We may also use automated decision-making for marketing purposes to choose personalized offers, discounts or recommendations to send you.

8 WILL I BE CONTACTED FOR MARKETING PURPOSES?

The Bank will only contact you for marketing purposes where you have provided us with freely given consent to do so. We may market our services through post, telephone, text message and any other digital methods that may become available in the future. Consent will be sought before any such marketing applications commence.

9 WILL THE BANK SHARE MY PERSONAL DATA WITH ANYONE ELSE?

The Bank may, from time to time, share your personal data with third parties. Such disclosures will be done in accordance with the law and, where necessary, with your consent. Below are some of the circumstances under which your personal data may be shared: 

The Government (and Government Agencies): Your personal data may be shared with law enforcement agencies, revenue collection agencies and other regulatory bodies where such disclosure is mandated by the law. 

Credit Rating Bureaux: Your credit information may be shared with licensed Credit Rating Bureaux. 

Other Financial Institutions: Your personal data may be shared with other financial institutions for the purposes of performing certain transactions in which you are involved. 

Court Orders: Your personal data may be shared in the event that a court order is obtained requiring that such information be shared. 

Service Providers: Your personal information may be disclosed to our service providers where necessary to provide certain services to you or to protect the legitimate interests of the Bank (including in the enforcement of a legal claim). 

The Bank will not, under any circumstances, share with, or sell your personal data to, any third party for marketing purposes and you will not receive offers from other companies or organizations as a result of sharing your personal data with us.

10 WHERE WE STORE YOUR PERSONAL DATA AND WHERE SUCH DATA MAY BE TRANSFERRED OUTSIDE KENYA

Your data shall be stored in Kenya. It may sometimes be necessary to transfer personal data to third parties overseas, such as service providers, associated organizations, partners and agents. This will only be done where the transfer is necessary to enable us to:

• perform our obligations under a contract between the Bank and yourself;
• assist in any matter of public interest;
• sue or defend ourselves from a lawsuit or exercise a legal claim; or
• protect your life or that of somebody else.

Your personal data shall only be shared outside of Kenya under an agreement with the third party whereby the third party will uphold certain minimum data protection standards and in accordance with any guidelines issued by the Kenyan Data Commissioner. Once we have received your personal data, we will use strict procedures and security features to prevent unauthorized access.

11 HOW MAY I EXERCISE MY RIGHTS?

If you wish to exercise any of your rights under the Data Protection Act, please contact us. You may:

• Call us on +254 020 2803110 or 0722243942
• Email us at malliteo@postbank.co.ke
• Write to us at: P.O.BOX 30311-00100 NAIROBI

12 OUR DATA PROTECTION OFFICER

We have a Data Protection Officer who is responsible for overseeing our data protection initiatives. Please contact the Data Protection Officer with any questions about the operation of this Data Privacy Statement.

Email Address: malliteo@postbank.co.ke
Contact Number: +254 020 2803110

The Bank reserves the right to change this statement at any time.