DATA PRIVACY STATEMENT
PURPOSE AND SCOPE
Postbank Sacco (“We”) is committed to protecting the personal data of all our clients and other
data subjects (“You”).
This Privacy Statement (“Notice”) informs you of:
- Who we are.
- What personal information we collect about you.
- How we collect, use, store and share your personal data.
- Your privacy and other related rights under the provisions of the Data Protection Act
and Regulations.
- How to contact us or the Office of the Data Protection Commissioner (ODPC) if you
have a complaint.
We are committed to preserving the privacy of your data so that we can:
- Deliver high quality services to all our clients.
- At all times comply with the law and the various regulations that we are subject to.
- Preserve the confidentiality of your personal data.
- Meet the expectations of customers/clients.
- Protect our brand reputation.
We advise that you read and understand this Notice to ensure you are cognizant of how and for
what purposes we utilize your data.
WHO WE ARE
Postbank Sacco is a regulated non withdrawal deposit taking savings and credit cooperative
society limited company focused on serving the interests of members and stakeholders.
It is imperative to mention that for us to provide services that satisfactorily exceed your
expectations, we need to collect, use, and process or deal with, certain personal information
about you. When we do so we are subject to the provisions of the Kenya Data Protection Act,
2019.
This statement will apply where we are acting as a data controller in relation to your personal
data, and where we have a supervisory role in relation to how your personal data is collected,
stored, used and shared. As such, we are what is described as a ‘data controller’
of that personal information for the purposes of the Act, as we decide how to use that
information about you – hence, we are primarily responsible for that data; this may include your
name, date of birth, address, contact information, financial information, employment details
and electronic device identifiers, e.g. IP addresses.
Please note that ‘processing’ of your personal data within this context, refers to utilizing your
personal data by collecting it, using it, storing it, communicating it to other people (with your
consent or as part of our services to you) or deleting it.
Furthermore, the terms and provisions of this Notice may be changed, updated and amended
from time to time. If that happens, during the time when we are providing you with our products
and services, we will inform you of those changes.
YOUR PERSONAL DATA
While providing our services, we will collect some information about you, some of which will
be termed personal data. Personal data in the context of the Kenya Data Protection Act, 2019
is any information that may be used to positively identify an individual (natural person).
The personal information we will collect from you includes:
- Your name and personal details, including your date of birth, your ID number and other
identification details.
- Your contact details including address, telephone and/or mobile number, and email
address.
- Financial details relating to you, including details of your bank account and your
financial history in the process of Loans appraisal.
- Transactional history details (for example, account and Mpesa statements).
- Proof of income (such as payslips or bank statements) if you provide these when
applying for a particular product with the Sacco.
Please take note that any information which we possess about you is collected directly from
you through your interactions with our services. This may be through your visits to our Sacco
Office on 13th floor of Postbank House, through our online platforms (Official website, Sacco
Portal and USSD platform), contacting us via email, letters, telephone or through our official
WhatsApp group channel.
There are other instances in which we will collect information about you from other sources if
the need arises. Examples of these sources include:
- People appointed to act on your behalf (e.g., agents, lawyers).
- From third parties with whom you have a relationship, including banks and employers.
- Credit reference bureaus (who may check their information against other databases –
public or private – they have access to).
- Fraud prevention and investigative agencies.
- Publicly available sources, such as land and companies’ registries, online registers or
directories.
This information is needed so that we can provide effective and efficient Sacco products and
services to you. If you do not provide the personal data asked for, we may be delayed or
prevented from providing such products and services.
Please note that it is paramount that we keep your information as accurate and as current as
possible. We ask that you keep us informed if any changes occur regarding your personal data
during the tenure of your relationship with the Sacco.
PERSONAL DATA BELONGING TO CHILDREN
From time to time, the Sacco may provide services and products which are principally aimed
at children.
Please note that we do not intentionally process personal data relating to children without the
verifiable consent of their parent/s or legal guardian. If we become aware that we have inadvertently collected personal data of a child/minor without verifiable consent, we will take appropriate measures to delete that information as soon as possible.
We encourage parents and guardians to be involved in their children’s online activities and to monitor and supervise their children’s use of our website or services.
In the event you are a child, or if you represent the interests of a child, and you wish to seek
further clarification on how we use your data, please reach out to us using the details in the
Complaints section, and we will be able to advise further.
SENSITIVE PERSONAL DATA
Sensitive personal data includes details about your race or ethnicity, conscience, belief, sex
life, sexual orientation, health and genetic data. Please note that we only process such data
where necessary and where it is most relevant.
It is important that you take note that such data will only be used if it is deemed necessary for
the public interest, as part of a legal proceeding, or if we have obtained explicit and verifiable
consent from you. We ensure that all legal requirements are met when handling this kind of
information.
PURPOSES FOR USE OF YOUR INFORMATION
We only collect your personal information for the purposes for which it was collected, or where
we have a proper reason for using it.
Such proper reasons or legal bases for processing such data include:
- Where you have given explicit consent to the use of your personal data for one or more
specific purposes. This may include marketing or advertising purposes. Please note that
you may withdraw your consent at any time as set out in this Notice – and withdrawn
consent does not affect the legality of data processed prior to such withdrawal.
- Where the use is necessary for the performance of a contract to which you are party,
or to take steps at your request prior to entering a contract.
- Where the use is necessary for compliance with a legal obligation that we are subject
to, including preventing fraud, money laundering or SASRA regulatory obligations.
- Where the use is necessary to protect your vital interests or those of another person.
- Where the use is necessary for the performance of a task carried out in the public
interest, or in the exercise of official authority vested in us. In the case of sensitive
personal data, it is in the substantial public interest (e.g., to support you if you are or
become a vulnerable member).
- Where the use is necessary for the purposes of our legitimate interests or those of a third
party, except where those interests are overridden by your interests or fundamental
rights and freedoms.
As such, we collect your personal information purely for legal and lawful purposes.
In this context, such purposes include:
- To provide and avail our Sacco products and services to you.
- To prevent fraud and money-laundering, and to verify and confirm your identity before
we provide services to you as part of the KYC requirements.
- To communicate with you.
- To protect our Sacco business interests and to prevent fraud.
- To meet obligations we have under any laws, rules and regulations that apply to any of
the products and services we provide to you.
- To keep you informed about products and services you hold with us and to send you
information about products or services (including those of other partners) which may
be of interest to you.
The following key areas go a step further to highlight how your personal data may be utilized and the lawful bases upon which the purposes for use are anchored.
Consent – Some of the services provided based on your consent include;
➢ Keeping in touch with you about your Shares, Savings and
Credit facilities (Loans) and providing you with information
regarding our relationship with you.
➢ Updating you about the services we offer, including
information about new Sacco products, promotions and
rewards, and other services we have that may interest you.
Performance of contractual obligations
Our contractual obligations may include;
➢ Keeping you updated about your Shares, Savings and Credit
facilities (Loans) and other related information involving our
relationship with you.
➢ Responding to your complaints, feedback comments and
reviews about our services.
➢ Handling enquiries, providing statements and providing you
with further information you request from us regarding the
Sacco products or services you have with us.
➢ Complying with specific Sacco product requirements e.g.,
loans, securities, accounts and share deposits.
➢ Exercising rights that we have under any agreement we have
with you, including collecting and/or receiving debt
repayments, handling guarantorships, securities and
debentures, providing support in the execution of transactions.
Legal Obligations
➢ Completing our contractual obligations owed to you by managing your account/s with us; providing services to you;
communicating to you regarding your account/s and other
related information regarding your relationship with us;
handling enquiries and complaints and other requests you may
have.
➢ Detecting, investigating, preventing, and prosecuting
fraudulent activities. This includes but is not limited to identity
checks.
➢ Sharing your information with other institutions such as the
relevant regulatory agencies, law enforcement, tax authorities,
fraud prevention agencies and credit reference bureaus on a need
basis.
➢ Conducting technical assessments such as system tests as well
as profile analysis, including behavioural scoring, and
creditworthiness scoring.
➢ Recording your image on our CCTV surveillance system when
you visit our office premises at Postbank House 13th floor.
Legitimate Interest – These include;
➢ Assisting in opening and managing your accounts and
maintaining our relationship with you – We are able to fulfil
our legitimate interest of protecting our Sacco business
interests as well as our customers’ interests.
➢ Updating you about the Sacco products and services we offer
you as our member, as well as information about products,
services, rewards, offers and promotions (including those from
our partners) that may interest you – it’s in our legitimate
interest to share information with you about Sacco products or
services that may be relevant and beneficial to you. You can
always opt-out from any marketing messages we send out as
set out in this Notice.
➢ Sharing your information with relevant credit reference
bureaus, fraud prevention agencies – it’s in our legitimate
interest to carry out certain creditworthiness assessments so
that we can make responsible business decisions. We need to
make sure that we only provide certain Sacco products and
services to members if they are appropriate and to manage the
services we provide effectively, for instance, in cases where we
suspect potential repayment difficulties.
➢ Sharing your information with relevant regulatory agencies, tax
authorities, law enforcement agencies – it’s in our legitimate
interest to help prevent and detect criminal activities including
fraud and money laundering as provided for under the regulator
(SASRA), and to cooperate with lawful requests from
government agencies.
➢ Sharing your information with other third parties such as our
partners and service providers – it’s in our legitimate interest
to use other service providers to provide some services for us
and/or on our behalf e.g. the Msacco platform for members.
➢ Conducting assessments, testing, analysis (including credit and
behaviour scoring) and market research, where we produce
reports and statistics to enhance our Sacco offerings and
maintain a competitive edge while ensuring a high level of
member satisfaction. When conducting analysis, we may
merge the information we possess with information obtained
from outside sources – our legitimate interests are to
continually improve and innovate our operations, including the
development of new systems, products and services to achieve
high levels of member satisfaction. Most importantly,
the resulting information we produce and share will not
identify you as an individual and cannot be attributed to you.
➢ Handling enquiries and complaints – it is well within our
legitimate interests to make sure that complaints are
investigated, resolved and prevented from reoccurring and
ensure you receive the best customer experience.
➢ Evaluating, developing and improving our services to you – it’s
in our legitimate interest to constantly assess, enhance, or
upgrade our offerings and the user experiences on our platform
to ensure high levels of service to our members.
➢ Asserting and defending a legal claim – We have a legitimate
interest in protecting the Sacco from financial loss and
potential legal liability arising from the fallout.
➢ Collecting any debts you owe to us – it’s in our legitimate
interest to ensure the efficient and effective management of our
Sacco business operations, including protecting and recovering
owed debts and safeguarding our assets.
➢ Recording your image on our CCTV surveillance system when
you visit our office premises at the 13th floor of Postbank House – it’s in our legitimate interest to prevent criminal activity,
protect our Sacco business and comply with various laws and
regulations.
➢ Monitoring, recording and analysing any communications
between you and us, including phone calls – it’s in our
legitimate interest to verify your instructions to us, in order to
avoid and uncover fraud and other criminal activities
(including identity theft), to analyse, evaluate and enhance our
services to members and for training purposes, to enhance the
services we offer to our members and to secure our Sacco
business interests.
➢ Protecting our Sacco business interests and developing our
business strategies – it’s in our legitimate interest to ensure the
success and growth of the Sacco by safeguarding its assets,
managing its resources efficiently and effectively, and
planning for its future development. This involves analysing
market trends, member needs and preferences, and other
factors that could impact the Sacco business and making
informed decisions about the direction of the Sacco. By doing
so, the Sacco can remain competitive and provide a high level
of service to its members.
HOW WE STORE YOUR PERSONAL INFORMATION
We will always keep your personal data secure.
We will ideally retain your information for a period of seven (7) years, during which we will implement security measures to protect your personal data from being lost, misused, or accessed without permission. We may hold your personal information for longer depending on the nature of your data and the purpose for which it was collected. Some of the instances include legal hold – a process that the Sacco uses to preserve all forms of relevant information when litigation is reasonably anticipated. This would then require us to keep records for an undefined period.
Our retention of your personal information enables Postbank Sacco to comply with its regulatory obligations. Your personal information will only be accessible to those individuals
with a valid need to access it, and appropriate measures will be taken to maintain confidentiality during processing.
When it is no longer necessary to retain your personal data, we will securely delete or anonymize it.
YOUR LEGAL RIGHTS
The Kenya Data Protection Act, 2019 offers you, the data subject, several rights in relation to
the personal data that we hold. These rights are afforded to you without charge and only by
virtue of your status as a data subject (natural identifiable person).
As holders of your information, we are bound to respond to your requests within reasonable time limits.
These include:
- Right to access – this encompasses the right to seek confirmation as to whether your
personal data is being processed, and, where that is the case, access to that personal data
and various other information, including the purpose for the processing, with whom the
data is shared, and for how long the data will be retained.
- Right to data portability – this right allows you to ask us to give you or a third party
an electronic copy of the personal data you have given us.
- Right to rectification – this right provides you with the prerogative to ask us to correct
personal data we hold.
- Right to restriction of processing – this right allows you to restrict how we use your
personal data.
- Right of erasure – this provides you with the opportunity to ask us to delete your
personal data.
- Right to object – you have the right to object to ways we are using your personal data.
- Right to object to any automated decision-making – This right has been elaborated
further in the ‘Automated decision-making’ section below.
- Right to withdraw any permission you have previously given to allow us to use your information – This is elaborated in the ‘Withdrawal of Consent’ section below.
Your ability to exercise these rights may be influenced by several factors. In some cases, we may not be able to accede to your request due to a valid reason, or if the specific right is not
applicable to the information which we possess concerning you.
SHARING YOUR INFORMATION
We will from time to time share your information with third parties.
We will always ensure that those with whom it is shared process it in an appropriate manner and take all necessary measures to protect it. In doing so we will impose contractual
obligations on all such parties to ensure that your personal data is kept secure. We will only ever allow others to handle your personal data if we are satisfied that their measures to protect your personal data are satisfactory.
Such parties and instances in which we may share your personal information include:
Government institutions/regulators (e.g., SASRA, KRA, EACC, CBK, FRC) and fraud
prevention agencies – We may share information with them to help fulfil their
lawful duties such as criminal investigations, or prevention of crime.
Credit Reference Bureau (CRB) – Our purpose for sharing your information with CRB is
for due diligence purposes such as identity and background checks while making
decisions about your ability to obtain credit.
Insurance providers – We may share personal data with insurance providers including underwriters, brokers, introducers, claims handlers and other such associated third parties to enable us to provide services requested.
Representatives/advisers – We may be obligated to share personal data with your
representatives/advisers (such as accountants, lawyers, and other professional advisers) who you have authorised to represent you, or any other person you have told us is authorised to give instructions, or use the account, products, or services,
on your behalf (such as under a power of attorney).
Third party payers – We may share your name with anyone paying money into your account to confirm payment is being made to the right account.
Payment-processing service providers – We may share personal data with payment-processing companies and other businesses that assist us in processing your payments, as well as financial institutions that are members of the payment schemes or involved in making payouts for specific types of payment.
Our service providers and agents (including their subcontractors) – We may share personal data with our service providers. For instance, where we pass your details to the Msacco mobile payment platform for the Sacco.
TRANSFER OF PERSONAL DATA OUTSIDE KENYA
We may be required to transfer your personal information outside Kenya to meet our legal
and/or contractual obligations on a case-by-case basis.
In the event your personal information is required to be transferred outside Kenya, we are bound by the Kenya Data Protection Act to ensure that the entities to which we transfer your information adequately provide a reasonable, if not equivalent level of protection to your information as we do.
Any contract that we form with any such organizations will spell out conditions they need to meet to adequately protect the information they receive.
AUTOMATED DECISION MAKING
We implement automated decision-making processes using your personal information tailored
towards specific situations. Some of these situations work towards fulfilling legal or contractual obligations, as well as preventing occurrence of a crime/fraud.
Such situations may include:
i) When we are making decisions on what services are suitable to you based on your member portfolio; or whether to offer you credit, based on an assessment of your credit history.
ii) When conducting financial crime checks/fraud examination tests.
Further, we analyse and process your personal information and reconcile it to various factors based on your member portfolio, which helps us provide a personalized experience of services
unique to you as our valued member. We refer to this as profiling. This helps us provide incentives such as personalized offers/rewards and recommendations for a better experience
utilizing our services.
You have rights regarding automated decision making, as indicated in the ‘Your legal rights’
section of this Notice. Our contact information is provided in the Complaints section below in case you need further clarification on this.
WITHDRAWAL OF CONSENT
You have the right to withdraw your consent for the processing of your personal data at any time.
To do so, please contact us using the details provided in the ‘Complaints’ section below.
Please note that withdrawing your consent does not affect the lawfulness of any processing that was carried out before you withdrew your consent. Further, in some cases, we may be required to continue processing your personal data despite your withdrawal of consent, for example,
where we have a legal obligation to do so. The details regarding this have been reflected in the key areas in the ‘Purposes for use of your information’ section.
COOKIES
We may employ the use of cookies and similar technologies on our website and online member portal. Cookies are small text files that are stored on your computer or mobile device when you visit a website or use an online application. These cookies are then recognized by the website or online application upon subsequent visits.
The cookies are used as a means of information gathering and mainly aimed at curating your online experience by remembering your preferences, and letting you efficiently navigate between pages/modules; and above everything else, improving your whole online experience.
We have implemented a cookie policy on our website and online member portal which provides additional information about cookies, how and where we use them and how you can control
your preferences.
COMPLAINTS
Should you have any complaints or queries about anything relating to the privacy of your personal data, or any other data protection issues, please let us know through:
Address: Postbank Sacco, 13TH Floor Postbank House,
P.O Box 30313 – 00100.
Phone: 0716163034; 0707201309
Email: sacco@postbanksacco.co.ke; supervisory@postbanksacco.co.ke.
Additionally, you also have the right to make a complaint at any time to the ODPC, which is the supervisory authority for data protection issues in the Republic of Kenya. You may lodge
a complaint with the ODPC through: https://www.odpc.go.ke/file-lodge-a-complaint/