INTERNET BANKING

Need Help? NCBA CONNECT

Privacy Policy

NCBA GROUP PLC (including direct and indirect subsidiaries) respects your privacy and is committed to protecting your personal data. This privacy policy (and any other documents referred to on it) (Privacy Policy) sets out the basis on which any personal data we collect from you, that you provide to us, or that is otherwise made available to us will be processed by us.

PRIVACY POLICY

NCBA GROUP PLC (including direct and indirect subsidiaries) respects your privacy and is committed to protecting your personal data. This privacy policy (and any other documents referred to on it) (Privacy Policy) sets out the basis on which any personal data we collect from you, that you provide to us, or that is otherwise made available to us will be processed by us. This policy will inform you as to how we look after your personal data when you hold an account with us, use our products or services, or visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By accepting our terms and conditions you are accepting and consenting to the practices described in this policy.

This Privacy Policy may be amended or updated from time to time to reflect changes in our practices with respect to the processing of Personal Data, or changes in applicable law. It is important that you read this Privacy Policy together with any other privacy policy or processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.

 

  1. DEFINITIONS AND INTERPRETATION.
  2. THE DATA WE COLLECT.
  3. HOW YOUR PERSONAL DATA IS COLLECTED.
  4. HOW WE USE YOUR PERSONAL DATA.
  5. MARKETING.
  6. HOW WE USE “COOKIES” ON OUR WEBSITE.
  7. CHANGE OF PURPOSE.
  8. WHO WE MIGHT SHARE YOUR PERSONAL DATA WITH.
  9. TRANSFER OF YOUR PERSONAL DATA.
  10. HOW WE KEEP YOUR INFORMATION SERCURE.
  11. HOW LONG WE SHALL RETAIN YOUR PERSONAL DATA.
  12. YOUR RIGHTS.
  13. CHANGES TO THIS PRIVACY POLICY.

 

  1. DEFINITIONS and interpretation
    • For the purposes of this Privacy Policy, the following definitions apply:
      • “Applicable Law” means the Constitution of the Republic of Kenya, all Acts of Parliament including regulations, rules, guidelines, guidance noted issued pursuant to the any Act of Parliament, legislative and regulatory requirements, and codes of practice applicable to the processing of personal data and/or applicable to a data controller or data processor as may be amended from time to time;
      • “Personal Data” means any information relating to an identified or identifiable natural person (hereinafter “Data Subject”). For clarity, an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of such a natural person;
      • “Controller” means the natural or legal person, authority, organization or other agency that makes decisions individually or together with other parties regarding the purposes and means for processing Personal Data;
      • “NCBA GROUP PLC” includes all the subsidiaries and affiliates of NCBA Group PLC (hereafter referred to as “we”, “us” or “our”);
      • “Processing” means an operation or activity or set of operations or activities performed on personal data whether or not by automated means;
      • “Processor” is a natural or legal person, authority, organization or other agency that processes Personal Data on behalf of the Controller.
      • “Sub-processor” is the contractual partner of the Processor, engaged to carry out specific processing activities on behalf of the Processor and/or Controller.
      • “Third Party” means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor, Sub-processor, and persons who, under the direct authority of the Controller, Processor or Sub-processor, are authorized to process Personal Data;
      • “Website” means the website of NCBA which is accessible through [https://ncbagroup.com/]; and
      • “Online and Mobile Banking Services” means the services we offer on our online and mobile platforms.
    • In addition to the definitions in clause 1.1, unless the context requires otherwise:
      • definitions of terms in our general terms and conditions shall be applicable to this policy;
      • the singular shall include the plural and vice versa; and
      • a reference to any one gender, whether masculine, feminine or neuter, includes the other two; and
      • all the headings and sub-headings in this policy are for convenience only and are not to be taken into account for the purposes of interpreting it.
  1. THE DATA WE COLLECT
    • We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped as follows:
      • Identity data which includes name, username or similar identifier, Identity card/Passport number, PIN number, photo, marital status, symbol, fingerprints, race, pregnancy status, nationality, ethnic or social origin, color, age, title, date of birth and gender, and any other similar information;
      • Contact data which includes billing address, postal address, physical address, email address and telephone numbers;
      • Financial data which includes any bank account details, card payment details and other electronic or non-electronic payment details;
      • Transaction data which includes details about payments to and from you and other details of products and services you have acquired from us;
      • Technical data which includes internet protocol (IP) address, your login identity data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our systems;
      • Profile data which includes your profile identification information, purchases or orders made by you, your interests, preferences, feedback and survey responses;
      • Usage data which includes information about how you use our website, products and services;
      • Marketing and communications data which includes your preferences in receiving marketing information from us and our third parties and your communication preferences;
    • We also collect, use and share aggregated data such as statistical or demographic data. Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.
  2. HOW YOUR PERSONAL DATA IS COLLECTED

We will collect and process data about you from the following sources:

  • Information you give us: This is information about you that you give us by filling in forms that we give to you or by corresponding with us by phone, e-mail or otherwise. We use different methods to collect data from and about you including through direct interactions. This includes the personal data you provide when you:
    • apply for our products or services;
    • open an account(s) with us;
    • subscribe to our services or publications;
    • request marketing information to be sent to you;
    • enter a competition, promotion or survey; or
    • give us feedback or contact us.
  • Information we collect about you: With regard to each of your user visits to our Website and your use of the Online and Mobile Banking Services we will automatically collect the following information:
    • technical information, including the Internet protocol (IP) address used to connect your computer or mobile phone to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other websites employing our cookies;
    • information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed or searched for’ page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page and any phone number used to call our customer service number; and
  • Information we receive from other sources:
    • we receive your Personal Data from third parties who provide it to us. We will receive Personal Data about you from various third parties to whom you have consented and public sources including but not limited to: companies registry, lands registry and other government registries; service providers we interact or integrate with now or in future; Integrated Personal Registration Systems, Kenya Revenue Authority and the National Transport and Safety Authority database.
    • we may collect information about you from other publicly accessible sources not listed above. We may also collect information about you from trusted partners, not listed above, who provide us with information about potential customers of our products and services;
    • we receive your Personal Data from third parties, where you purchase any of our products or services through such third parties; and
    • we collect Personal Data that you manifestly choose to make public, including via social media (e.g., we may collect information from your social media profile(s), to the extent that you choose to make your profile publicly visible.
  • Our Website may include links to third-party websites, plug-ins, cookies and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites or influence the data collected and are not responsible for their privacy policies. When you leave our Website, we encourage you to read the privacy policy of every website you visit and understand your rights therein.
  • It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. If case you wish to correct or update your Personal Data that we hold, you may do so by writing to us at contact@ncbagroup.com
  1. HOW WE USE YOUR PERSONAL DATA
    • We will only use your Personal Data where we have your consent or a legal basis to process the same. Most commonly, we will use your Personal Data in the following circumstances:
      • Where we need to perform the agreement we are about to enter into or have entered into with you;
      • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service or product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests; and/or
      • Where we need to comply with a legal obligation.
    • We have set out below, in a table format, a description of all the ways we plan to use your Personal Data, and the basis we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your Personal Data for more than one lawful ground depending on the specific purpose for which we are using your data.
 How we use your Personal Data  Basis for processing your Personal Data
To serve you as a customer; to provide, manage and personalize our services to you.  

The processing is necessary for compliance with our legal and contractual obligations to you or to take steps to enter into an agreement with you.

We have obtained your prior consent to the use and processing of your Personal Data.

We have a legitimate interest in carrying out the processing for the purpose of providing products and services to you.

The processing of your Personal Data is necessary for compliance with legal and regulatory obligations.

 

To manage our relationship with you which will include:

Notifying you about changes to our terms or privacy policy. To enable you to partake in a prize draw, competition or complete a survey.

 

The processing is necessary for compliance with our legal and contractual obligations to you or to take steps to enter into an agreement with you.

We have obtained your prior consent to the use and processing of your Personal Data.

We have a legitimate interest in carrying out the processing for the purpose of providing products and services to you.

The processing of your Personal Data is necessary for compliance with legal and regulatory obligations.

 

To manage risk, security and crime prevention which will include;

Detection, prevention, investigation and reporting of fraud and money laundering;

Security detection to verify your identity; Compliance with Laws and regulations.

 

The processing is necessary for compliance with our legal and contractual obligations to you or to take steps to enter into an agreement with you.

We have obtained your prior consent to the use and processing of your personal data.

The processing of your personal data is necessary for compliance with legal and regulatory obligations.

To administer and protect our business and our website, ensure business continuity, manage complaints, undertake remediation activities and resolve queries (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

The processing of your Personal Data is necessary for compliance with legal and regulatory obligations.

The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us

We have a legitimate interest in carrying out the Processing for the purpose of managing and operating our systems and ensuring the security of those systems.

To study how our customers use our products and services; Communication about our products and services; testing of new products and managing our brand

Asking you to leave a review or take a survey

The processing is necessary performance of our contractual obligations to you or to take steps to enter into an agreement with you.

We have obtained your prior consent to the use and processing of your Personal Data.

We have a legitimate interest in carrying out the processing for the purpose of providing products and services to you.

The processing of your Personal Data is necessary for compliance with legal and regulatory obligations.

To use data analytics to better understand your credit risk needs and preferences; to improve our website, products, services, marketing, customer relationships and experiences

The processing is necessary performance of our contractual obligations to you or to take steps to enter into an agreement with you.

We have obtained your prior consent to the use and processing of your Personal Data.

We have a legitimate interest in carrying out the processing for the purpose of providing products and services to you.

The processing of your Personal Data is necessary for compliance with legal and regulatory obligations.

To facilitate payment instructions and account information services regarding accounts you hold with other providers or where third-party providers request that we provide account information or payment instructions in relation to accounts you hold with us.

The processing is necessary performance of our contractual obligations to you or to take steps to enter into an agreement with you.

We have obtained your prior consent to the use and processing of your Personal Data.

We have a legitimate interest in carrying out the processing for the purpose of providing products and services to you.

The processing of your Personal Data is necessary for compliance with legal and regulatory obligations.

To enforce our rights under the agreement with you for instance, debt recovery and indemnification.

The processing is necessary performance of our contractual obligations to you or to take steps to enter into an agreement with you.

We have obtained your prior consent to the use and processing of your Personal Data.

We have a legitimate interest in carrying out the processing for the purpose of providing products and services to you.

The processing of your Personal Data is necessary for compliance with legal and regulatory obligations.

 

  • We may collect special categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, political opinions, trade union membership, information about your health, criminal convictions and offenses and biometric data.)

How we use your special category data

Basis for processing your special category data

For Know Your Customer (KYC) formalities, we may review your political affiliations to determine politically exposed persons or criminal records to help prevent and detect criminal behavior, postpone debt repayments and consider restructured repayments or for legal claims.

We have obtained your prior consent to the use and processing of your special category data.

We have a legitimate interest in carrying out the processing for the purpose of providing products and services to you.

The processing of your special category data is necessary for compliance with legal and regulatory obligations.

The processing of the special category data is vital in protecting public interests.

 

We may use your medical information to manage our services and products to you e.g. to apply for quotations for an insurance product, postpone your debt repayments etc.

The processing of the special category data is vital in protecting public interests.

The processing is necessary to protect the vital interests of any individual.

 

  1. Marketing
    • We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We have established the following personal data control mechanisms;
      • Promotional offers from us: We may use your identity, contact, technical, usage and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant to you. You will receive marketing communication from us if you have requested information or used our products and services and not opted out of receiving such information.
      • Third-party marketing: we may share your Personal Data with any third party for marketing purposes where we believe that the marketing information from such third parties will be relevant to you and where we have obtained your prior consent.
    • Opting Out
      • You can ask us or third parties to stop sending you marketing messages at any time by writing to us or logging into the relevant website and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you or by contacting us at any time through the provided contacts.
      • Where you opt-out of receiving these marketing messages, this will not apply to Personal Data provided to us as a result of product or service subscribed to, warranty registration, product or service experience or other transactions.
  1. How We Use “Cookies” on Our Website
    • We may place electronic “cookies” in the browser files of your computer when you access our Website. Cookies are pieces of information that our website transfers to your computer to enable our systems to recognize your browser and to tailor the information on our Website to your interests. For example, if you previously visited our Website and inquired about particular services over the Website, cookies enable us to present information tailored to your account and/or those particular interests the next time you visit the Website. Moreover, we, or our third-party service providers or business partners may place cookies on your computer’s hard drive that can be matched to other personal information we maintain about you to pre-populate certain online forms for your convenience. We also use cookies to analyze visitors’ use of our Website. This analysis helps us better understand which areas of our sites are most useful and popular, to enable us to plan improvements and updates accordingly.
    • Many web browsers are automatically set to accept cookies. You may change your computer’s web browser settings to either reject cookies or notify you when a cookie is about to be placed on your computer. Please note, however, that rejecting cookies while visiting our Website may result in certain parts of the website not operating as efficiently as if the cookies were allowed.
  2. Change of purpose
    • We will only use your Personal Data and special category data for the purposes for which we collected it as indicated in this Privacy Policy or for reasons we give you during the collection of the data.
    • If we need to use your Personal Data for an unrelated purpose, we will notify you and seek your consent where necessary.
    • Please note that we may process your Personal Data without your knowledge or consent if this is required or permitted by law.
  3. WHO WE MIGHT SHARE YOUR PERSONAL DATA WITH
    • We may disclose your Personal Data to other entities with the affiliates of NCBA, for legitimate business purposes (including providing services to you and operating our sites and systems), in accordance with applicable law. In addition, we may disclose your Personal Data to:
      • Government (including law enforcement) authorities and regulators e.g. Central Bank of Kenya
      • other financial institutions through which your transactions are processed;
      • other companies and financial institutions that we work with to provide services to you e.g. credit card service providers, mobile technology service providers, credit reference bureaus, employers, debt collection agencies and outsourced services vendors;
      • third parties with accruing legal obligations e.g. trustees and executors, guarantors, anyone holding a power of attorney to operate an account on your behalf and joint account holders;
      • third parties to whom we may choose to sell, transfer or merge parts of our business, rights, duties or assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this Privacy Policy; and
      • third parties who are service providers acting as processors, professional advisers including lawyers, bankers, auditors and those who provide consultancy, banking, legal, insurance and accounting services.
    • We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
  4. TRANSFER OF YOUR PERSONAL DATA
    • We may need to transfer or store your information in another jurisdiction to fulfill a legal obligation, for our legitimate interest and to protect the public interest.
    • If the other jurisdiction does not have the same level of protection for Personal Data, when we do process the data, we shall put in place appropriate safeguards e.g. contractual commitments to ensure the data is adequately protected.
    • We ensure your Personal Data is protected by requiring all our related companies to follow the same rules when processing your Personal Data.
    • Where third parties are based in other jurisdictions, their processing of your Personal Data will involve a transfer of data to their jurisdictions.
  5. HOW WE KEEP YOUR INFORMATION SECURE
    • We have put in place appropriate security measures to prevent your Personal Data from being lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality.
    • We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
  6. HOW LONG WE SHALL RETAIN YOUR PERSONAL DATA
    • We will only retain your Personal Data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
    • To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
    • By law we have to keep basic information about our customers (including contact, identity, financial and transaction data) for a minimum of seven years after they cease being customers. Our internal policy as amended from time to time may also require us to keep customer data for a longer period.
    • In some circumstances, we will anonymize your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
  7. YOUR RIGHTS
    • Subject to legal and contractual exceptions, you have rights under applicable laws in relation to your Personal Data. These are listed below:
      • right to access Personal Data that we hold about you;
      • right to request that we correct your Personal Data where it is inaccurate or incomplete;
      • right to request that we erase your Personal Data noting that we may continue to retain your information if obligated or entitled to do so;
      • right to object and withdraw your consent to the processing of your Personal Data. We may continue to process if we have a legitimate reason to do so;
      • right to request restricted processing of your Personal Data noting that we may be entitled to continue processing your data and refuse your request; and
      • right to request transfer of your personal data in a format we shall determine from time to time.
    • We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
    • We try to respond to all legitimate requests within reasonable time. Occasionally it could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
  8. CHANGES TO THIS PRIVACY POLICY
    • A copy of this policy can be downloaded here https://ncbagroup.com/ We may modify or update this policy from time to time. Where the changes will have a fundamental impact on the nature of the processing of your data or your rights, we shall notify you in advance.

By enrolling for our services or entering into any contractual arrangements with us, you confirm that you have read, understood and accepted to be bound by the terms and conditions of this Privacy Policy.

HOW TO CONTACT US – if you would like to contact us on any topics in this privacy policy, you can call us on +254 (0) 20 2888 000 or e-mail us on contact@ncbagroup.com or submit a request via our digital platforms.

Last updated: 29th October 2019.