KENYA WOMEN MICROFINANCE BANK AND KWFT BANCASSURANCE INTERMEDIARY LIMITED
Who We Are
1.1 We Kenya Women Microfinance Bank, (“KWFT”, “we,” “our” or “us”), are committed to protecting and respecting the privacy of our customers. This Privacy Notice applies to all persons using our services or website.
1.2 We recognize the expectations of its customers with regard to privacy confidentiality and security of their personal information that resides with the us. Keeping personal information of customers secure and using it solely for activities related to our services and preventing any misuse thereof is a top priority of the Bank. We have adopted this privacy Notice aimed at protecting the personal information entrusted and disclosed by the customers. This Privacy Notice governs our data collection, processing and usage of your data and it describes your choices regarding use, access and correction of your personal information.
DEFINITIONS
2.1 “Biodata” means Biographical information i.e., Personal information with regard to gender, nationality, contact information, physical location, and any other
2.2 “Data Controller” means the natural or legal person, authority, organization or other agency that makes decisions individually or together with other parties regarding the purposes and means for processing Personal Data.
2.3 “Data Protection Act” means the Data Protection Act no. 24 of 2019 under the laws of Kenya as amended.
2.4 “Personal Data” means any information identifying you or information relating to you that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data excludes anonymous data or data that has had the identity of you as an individual permanently removed.
2.5 “Data Processor” means a natural or legal person, authority, organization or other agency that processes Personal Data on behalf of the Data Controller.
2.6 “Responsible Person” means Data Protection Officer
Purpose
3.1 We established this Privacy Notice for the purposes of compliance with the applicable data protection laws in Kenya.
3.2 This Privacy Notice sets our standards towards the access and use of any personal data, or any other information provided from you or any other sources to us.
3.3 Please also read Terms and Conditions (“Terms”), which describe the terms under which you access and use our Services.
4 What Information We Collect About You
4.1 We are required to receive or collect some personal information to operate, provide, improve, understand, customize, support, and market our Services. This also includes when you apply for, install, access, or use our Services. The types of information we receive and collect depend on how you use our Services.
4.2 We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped as follows:
(a) Identification data which includes name, username or similar identifier, Identity card/Passport number, PIN number, photo, marital status, signature, fingerprints, race, nationality, ethnic or social origin, age, title, date of birth and gender, and any other similar information.
(b) Contact data which includes billing address, postal address, physical address, email address and telephone numbers.
(c) Financial data which includes any bank account details, card payment details and other electronic or non-electronic payment details.
(d) Transaction data which includes details about payments to and from you and other details of products and services you have acquired from us.
(e) Technical data which includes internet protocol (IP) address, your login identity data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our systems.
(f) Profile data which includes your profile identification information, purchases or orders made by you, your interests, preferences, feedback and survey responses.
(g) Usage data which includes information about how you use our website, products and services.
(h) Marketing and communications data which should you opt-in in to receiving marketing information from us and our third parties and your communication preferences.
(i) Customer support or Communication data including copies of your messages, and how to contact you so we can provide you with customer support.
5 When/How the Data is Collected
5.1 We will collect and process data about you from the following sources:
(a) This includes information you provide us: This is information about you that you give us by filling in application forms that We give to you or by corresponding with us by phone, e-mail or otherwise. We use different methods to collect data from and about you including through direct interactions. This includes the personal data you provide when you:
- Apply for our products or services.
- Open an account(s) with us.
- Subscribe to our services or publications.
- Download our mobile application.
- Request marketing information to be sent to you.
- Enter a competition, promotion or survey; or
- Give us feedback or contact us.
(b) Information we collect about you: With regard to each of your user visits to our Website and your use of the Online and Mobile Banking Services we will automatically collect the following information:
(c) Information we receive from other sources:
6 How We Use Your Information
6.1 We will only use your Personal Data where we have your consent or a legal basis to process the same. We will use your Personal Data in the following circumstances:
(a) To perform the contractual agreement, we are about to enter into or have entered into with you.
(b) For purposes of our legitimate interests (or those of a third party) in instances where your interests and fundamental rights do not override those interests. Legitimate interest refers to our interest in running and controlling our operations in order to provide the best service or product and the safest experience possible. Here we make sure to examine and balance any potential impact on you (both positive and negative) as well as your rights; and/or
(c) To comply with a legal obligation.
6.2 We may process your Personal Data for more than one lawful ground depending on the specific purpose for which we are processing your data. Additionally, we use your personal data as outlined below:
(a) To deliver, administer, and personalize our services for you as a customer.
(b) To manage risk, security and crime prevention which will include:
(c) To administer and protect our business and our website, ensure business continuity, manage complaints, undertake remediation activities and resolve queries (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
(d) To study how our customers, use our products and services, communication about our products and services as well as testing of new products and managing our brand.
(e) To undertake surveys or reviews.
(f) To use data analytics to better understand your credit risk needs and preferences; to improve our website, products, services, marketing, customer relationships and experiences.
(g) To facilitate payment instructions and account information services regarding accounts you hold with other providers or where third-party providers request that we provide account information or payment instructions in relation to accounts you hold with us.
(h) To enforce our rights under the agreement with you for instance, debt recovery and indemnification.
(i) For Know Your Customer (KYC) formalities, we may review your political affiliations to determine politically exposed persons or criminal records to help prevent and detect criminal behaviour, postpone debt repayments and consider restructured repayments or for legal claims.
(j) We may use your medical information to manage our services and products to you e.g., with regards to our Banc Assurance Intermediary for insurance products.
(k) We may collect special categories of Personal Data about you including details about your race or nationality, information about your health, and biometric data.
7 To Whom We May Disclose Your Information
7.1 We may disclose your Personal Data to other entities with the affiliates of KWFT, for legitimate business purposes (including providing services to you and operating our sites and systems), in accordance with applicable law. In addition, we may disclose your Personal Data to:
(a) The Government (including law enforcement) authorities and regulators e.g. Central Bank of Kenya.
(b) Other financial institutions through which your transactions are processed.
(c) Other companies and financial institutions that we work with to provide services to you e.g., credit card service providers, mobile technology service providers, credit reference bureaus, employers, debt collection agencies and outsourced services vendors.
(d) Third parties with accruing legal obligations e.g., trustees and executors, guarantors, anyone holding a power of attorney to operate an account on your behalf and joint account holders.
(e) In the instance of a merger or acquisition. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this Privacy Notice; and
(f) Third parties who are service providers acting as data processors, professional advisers including lawyers, bankers, auditors and those who provide consultancy, banking, legal, insurance and accounting services.
7.2 All third parties are required to protect the security of your Personal Data and to treat it lawfully. We do not allow our third-party service providers to use your Personal Data for their own interests; instead, we only allow them to process it for certain purposes and according to our instructions.
8 Marketing
8.1 We strive ensure your consent regarding certain personal data uses, specifically in so farmas marketing and advertising. We have established the following personal data control mechanisms:
(a) Promotional offers from us: We may use your identity, contact, technical, usage and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant to you. You will receive marketing communication from us if you have requested such information and provided express consent to receiving such information based on the use of our products and services.
(b) Third-party marketing: we may share your Personal Data with any third party for marketing purposes where we believe that the marketing information from such third parties will be relevant to you and where we have obtained your prior consent.
8.2 Opting Out
(a) You can ask us or third parties to stop sending you marketing messages at any time by writing to us or logging into the relevant website and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you or by contacting us at any time through the provided contacts.
(b) Where you opt-out of receiving these marketing messages, this will not apply to Personal Data provided to us as a result of product or service subscribed to, warranty registration, product or service experience or other transactions.
9 Data Retention Policy
9.1 We will only retain your Personal Data for as long as is reasonably required to fulfil the purpose for which it was obtained, including any legal, regulatory, tax, accounting, or reporting obligations. In the case of a complaint or if we reasonably believe there is a risk of litigation arising from our engagement with you, we may preserve your Personal Data for a longer length of time.
9.2 To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
9.3 Legally we are required to retain basic information about our customers (including contact, identity, financial and transaction data) for a minimum of seven years after they cease being customers. Our internal policy as amended from time to time may also require us to keep customer data for a longer period.
9.4 In some circumstances, we will de-identify your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
10 Automated Decision Making
10.1 If you apply to us for a product e.g., for loan products, your application may be processed by an automated decision-making process which may carry out credit and affordability assessment checks to determine whether your application will be accepted. Where these automated processes suggest that your application should be rejected, we will manually review your application before making a final decision. We may also use automated processes to decide credit limits as well as credit scoring.
10.2 We may also carry out automated anti-money laundering and sanctions checks. This means that we may automatically decide that you pose a fraud or money laundering risk if the processing reveals your behaviour to be inconsistent with anti-money laundering requirements. If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk:
(a) We may refuse to provide the services you have requested, or we may stop providing existing services to you; and
(b) A record of any fraud or money laundering risk will be retained by the fraud prevention agencies.
10.3 If you have any questions about this, please contact us on the details set out below.
11 Data Involving Children
11.1 We do not knowingly collect personally identifiable information from anyone under the age of 18 without verification of parental consent. We additionally employ the use of agegating to ensure this. If we become aware that we have collected Personal Data from children without verification of parental consent, we shall take steps to securely dispose the information from our servers.
12 Change of purpose
12.1 We will only use your Personal Data and special category data for the purposes for which we collected it as indicated in this Privacy Notice or for reasons we give you during the collection of the data.
12.2 If we need to use your Personal Data for an unrelated purpose, we will notify you and seek your consent where necessary.
12.3 Please note that we may process your Personal Data without your knowledge or consent if this is required or permitted by law. (List permitted grounds)
13 Who We Share Your Personal Data With
13.1 We may need to transfer or store your information in another jurisdiction to fulfill a legal obligation, for our legitimate interest and to protect the public interest.
13.2 If the other jurisdiction does not have the same level of protection for Personal Data, when we do process the data, we shall put in place appropriate safeguards e.g., contractual commitments to ensure the data is adequately protected.
13.3 We ensure your Personal Data is protected by requiring all our related companies to follow the same rules when processing your Personal Data.
13.4 Where third parties are based in other jurisdictions, their processing of your Personal Data will involve a transfer of data to their jurisdictions.
14 How to Exercise Your Rights – You are in Charge
14.1 Subject to legal and contractual limitations as well as legitimate interests, you have rights under applicable laws in relation to your Personal Data. These are listed below:
(a) Right to access Personal Data that we hold about you.
(b) Right to request that we correct your Personal Data where it is inaccurate or incomplete.
(c) Right to request that we erase your Personal Data noting that we may continue to retain your information if obligated or entitled to do so.
(d) Right to object and withdraw your consent to the processing of your Personal Data.
(e) Right to request restricted processing of your Personal Data noting that we may be entitled to continue processing your data and refuse your request; and
(f) Right to request transfer of your personal data in a format we shall determine from time to time.
14.2 We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
14.3 We try to respond to all legitimate requests within reasonable time. Occasionally it could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. To make a request click on this link KWFT-Data-Subject-Action-Request.docx.
15 How We Secure Your Data
15.1 We have put in place appropriate security measures to prevent your Personal Data from being lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality.
15.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
15.3 The collection of your personal data shall be adequate, relevant and limited to the strict minimum. Before processing personal data, we will determine whether and to what extent the processing of personal data is necessary to achieve the purpose for which it is performed.
16 Data Protection Officer
16.1 If you have any questions or concerns regarding this Privacy Notice or your rights related to protection of your personal information may be sent via email at dataprivacy@kwftbank.com or contact 0703 067 700 / 0730167 700 or at the following address:
Kenya Women Microfinance Bank
P.O Box 4179-00506,
Nairobi, Kenya.
16.2 In order to ensure effective and legal handling of our customers’ Information we have appointed a Data Protection Officer. you can reach our Data Protection Officer by sending an email at dataprivacy@kwftbank.com
17 Changes to This Privacy Notice
17.1 We reserve the right to modify, alter or otherwise update this Privacy Notice at any time, by either posting such changes, updates or modifying the Privacy Notice on our Website and/or mobile app. We will provide you with notice period of two months for any such changes to this Privacy Notice, by email at the same email address you have provided to us.
17.2 If we do not hear from you, your continued use of our services constitutes your acceptance of any amendment of this Privacy Notice.