A. INTRODUCTION
SBM Bank (Kenya) Limited is a subsidiary of Mauritian-based SBM Holdings. This Privacy Policy (“Policy”) describes how we protect your personal data, why we collect and how we process your personal data, and how you can exercise your rights in relation to the personal data that we collect and process.
This privacy policy should be read together with our Terms and Conditions.
In case there is a conflict between the Terms and Conditions and this Privacy Policy, this Privacy Policy shall prevail.
B. DEFINITIONS AND INTERPRETATION
- “SBMK,” “We,” “Us,” “Bank” means SBM Bank (Kenya) Limited.
- “Personal Data” means any information relating to you or information that can be used to identify you as a unique individual.
- “Data Processing” means all the activities performed on your personal data including collecting, recording, organizing, sharing, storage, alteration, combination, restriction, erasure, destruction, among others.
- “You” means:
  - Customer: this is any person utilizing the Bank’s services.
  - Any Service Provider who has signed an Agreement with the Bank to provide certain services.
  - Any Visitor: this is a person who visits any of the Bank’s physical premises.
C. PERSONAL DATA COLLECTED
SBMK collects the following information with your knowledge and consent except in cases where prior consent cannot be obtained for real reasons and the processing of the data is permitted by law.
- Identity data which includes name, username or similar identifier, Identity card/Passport number, KRA PIN number, photo, marital status, fingerprints, nationality, age, date of birth and gender, and any other similar information.
- Contact data which includes residential address, postal address, physical address, email address and telephone numbers.
- Financial data which includes any bank account details, card payment details and other electronic or non-electronic payment details.
- Transaction data which includes details about payments to and from you and other details of products and services you have acquired from us.
- Technical data which includes internet protocol (IP) address, your login identity data, browser type and version, time zone setting and location, browser plug-in types and versions, device information, operating system and platform, and other technology on the devices you use to access our systems.
- Usage data which includes information about how you use our website, products, and services.
- Marketing and communications data which includes your preferences in receiving marketing information from us and our third parties and your communication preferences.
- Visitors’ personal information/identification details who visit any of our premises.
- Biometric data such as images, voice and other similar information, surveillance footage by CCTV cameras on our premises.
D. HOW YOUR PERSONAL DATA IS COLLECTED
We collect and process data about you from the following sources:
a) Information you give us: This includes the personal data you provide when you:
- Apply for or use our products or services.
- Open an account(s) with us.
- Subscribe to our services or publications.
- Request marketing information to be sent to you.
- Enter a competition, promotion, or survey; or
- Give us feedback or contact us.
- Pay using our services.
b) Information we collect about you: This includes information collected when you visit our website or utilize online or mobile banking. This data includes technical information, such as the Internet protocol (IP) address, your login information, browser type and version collected by use of cookies.
E. USE OF PERSONAL DATA COLLECTED
We use your personal data for the following purposes:
- Verifying your identity information through publicly available and/or restricted government databases to comply with applicable Know Your Customer (KYC) requirements.
- Carrying out credit checks and credit scoring.
- To comply with any legal, governmental, or regulatory requirement or for use by our lawyers in connection with any legal proceedings.
- Assessing the purpose and nature of your business or principal activity, your financial status, and the capacity in which you are entering into the business relationship with us.
- Creating a record of you on our systems to verify your identity, provide you with the products and/or services you have applied for from us.
- Communicate with and keep you informed about the products and/or services you have applied for.
- Assessing your personal financial circumstances and needs before providing advice to you.
- Responding to any of your queries or concerns. We may record or monitor telephone calls between us so that we can check instructions and make sure that we are meeting our service standards.
- To perform our obligations under a contractual arrangement with you.
- Any purpose related to the prevention of financial crime, including sanctions screening, monitoring of anti-money laundering and any financing of terrorist activities.
- In business practices including for quality control, training, and ensuring effective systems operations.
- To understand how you use our products and services for purposes of developing or improving products and services.
- To comply with any legal, governmental, or regulatory requirement or for use by our lawyers in connection with any legal proceedings and
- For security purposes when accessing any of our buildings/premises.
F. DISCLOSURES
We may disclose your personal information where required by law, to enforce other agreements, or to protect the rights, property, or safety of our business, our clients, customers, employees, or others.
SBMK discloses your personal data to the following entities while ensuring proper security measures are in place and where applicable agreements to ensure the security measures are put in place:
- a) Government (including law enforcement) authorities and regulators e.g. Central Bank of Kenya.
- b) Other financial institutions through which your transactions are processed.
- c) Other companies and financial institutions that we work with to provide services to you e.g. credit card service providers, technology service providers, credit reference bureaus, debt collection agencies and outsourced services vendors; fraud prevention/detection, private investigators, among others.
- d) Third parties with accruing legal obligations e.g. Trustees and executors, guarantors, anyone holding a power of attorney to operate an account on your behalf and joint account holders.
- e) Third parties who are service providers acting as processors, professional advisers including lawyers, bankers, auditors, and those who provide consultancy, banking, legal, insurance and accounting services.
- f) Restricted or publicly accessible government repository as a verification procedure in compliance with regulations.
- g) Regulatory authorities, police or security agencies, courts of law or statutory authorities in response to litigation and demand issued on legal/regulatory grounds in accordance with the law; and
- h) Emergency and disaster response providers in cases where a person’s health and safety are at stake when an emergency call is made.
G. LEGAL BASIS FOR PROCESSING PERSONAL DATA
We process your data on the following legal basis:
- a) For the performance of a contract which you are a party to.
- b) For the compliance with legal obligations.
- c) To protect your vital interests.
- d) With your consent.
- e) For public interests.
- f) Where processing is necessary for the purposes of legitimate business interests pursued by SBMK or by a third party within the confines of the law.
- g) For the establishment, exercise or defense of a legal claim.
H. CROSS-BORDER DATA TRANSFER
We may need to transfer or store your information in another jurisdiction to fulfil a legal obligation, for group operations and consolidation, for our legitimate interest and to protect the public interest.
If the other jurisdiction does not have the same level of protection for Personal Data, when we do process the data, we shall put in place appropriate safeguards e.g. contractual commitments to ensure the data is adequately protected.
Where third parties are based in other jurisdictions, their processing of your Personal Data will involve a transfer of data to their jurisdictions.
I. SECURITY MEASURES
We have put in place technical and operational measures to ensure integrity and confidentiality of your data through controls such as data encryption, access control, network security, secure data storage, secure application development, data anonymization, data minimization, data transfer security, regular security and patching as well as staff training and awareness.
J. RETENTION PERIOD
We retain personal data only for as long as reasonably necessary to fulfil the purposes for which it was collected. This includes meeting legal, regulatory, tax, accounting, or reporting requirements.
In determining the appropriate retention period for personal data, we consider the following factors:
- a) The amount, nature and sensitivity of the personal data collected.
- b) The potential risks of unauthorized use or disclosure of the personal data.
- c) The specific purposes for which we process the personal data and whether those purposes can be achieved through alternative means.
- d) Compliance with our internal policies and procedures.
- e) The applicable legal, regulatory, tax, accounting or other requirements that dictate data retention periods.
In certain circumstances, we may retain personal data for a longer period if there is a complaint or a reasonable prospect of litigation related to our relationship with the individual. This extended retention allows us to address any legal claims or defend our legal rights effectively. When personal data is no longer needed and its retention period has expired, we ensure its secure disposal to prevent unauthorized access, loss, or disclosure.
Anonymized information that can no longer be associated with you may be held indefinitely.
K. DATA SUBJECT RIGHTS
Subject to legal and contractual exceptions, you have rights under data protection laws in relation to your personal data. These are listed below:
- a) Right to be informed that we are collecting personal data about you.
- b) Right to access personal data that we hold about you and request for information about how we process it.
- c) Right to request that we correct your personal data where it is inaccurate or incomplete.
- d) Right to request that we erase your personal data noting that we may continue to retain your information if obligated by the law or entitled to do so.
- e) Right to object and withdraw your consent to processing of your personal data. We may continue to process if we have a legitimate or legal reason to do so.
- f) Right to request restricted processing of your personal data noting that we may be entitled or legally obligated to continue processing your data and refuse your request.
- g) Right to request transfer of your personal data.
If you wish to exercise any of the rights set out above, please contact us on dpo@sbmbank.co.ke
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within reasonable time. Occasionally it could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
L. CONTACT US
Please contact our Data Protection Officer through dpo@sbmbank.co.ke on any topic regarding this Data Privacy Policy.
M. AMENDMENT TO THIS STATEMENT
We reserve the right to amend or modify this Data Privacy Policy from time to time. Any modification or amendment to this Data Privacy Policy will take effect from the date of notification on the Bank website.