This privacy statement describes how BPR Bank Rwanda Plc protects the personal data it processes, why and how we collect and use your personal data and how you can exercise your rights in relation to the processing of your personal data.
This privacy statement should be read together with the Terms and Conditions of Use for other BPR BANK products and services. Where there is a conflict, this privacy statement will prevail.
- “BPR BANK,” “We,” “our,” “ours,” and “us,” means BPR Bank Rwanda Plc and includes its successors in title and assigns, its affiliates as may from time to time be specified by the Bank to
- “Personal data” or “personal information” means: Information about you or information that identifies you directly or indirectly as a unique individual, such as your name/s, your physical address, contact details, passport/identity number, or one or more factors specific to your physical, psychological, genetic, mental, economic, cultural or social
- “Processing of personal data” collectively, whether or not by automated means, means recording, handling, collecting, using, altering, merging, linking, organizing, disseminating, storing, protecting, retrieving, disclosing, erasing, archiving, destroying, or disposing of your personal information.
- “Sensitive personal information” includes data revealing your race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, genetic data, biometric data, political opinion, property details, marital status, family details including details of your children, parents, spouse or spouses, sex or sexual
- “privacy” means your right to decide who can access your personal data and when, where, why and how it can be accessed.
- “personal data breach” means a breach of personal data security leading to unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- “You” means:
- Customer – (which includes personal representatives and assigns) operating an Account held with us and includes (where appropriate) any person you authorize to give us instructions, the person who uses any of our products and services or accesses our websites. “Customer” shall include both the masculine and the feminine gender as well as juristic person.
- Any agent, dealer and/or merchant who has signed an agreement with us and is recognized as a merchant or agent in accordance with any applicable laws or Regulations.
- Any visitor that is a person (including contractors/subcontractors or any third parties) who gains access to any BPR BANK premises.
- Any supplier/ service provider who has been contracted by BPR BANK.
- Any external lawyer who has tendered his/her application and/or signed a service level agreement with BPR BANK.
- Any valuer or auctioneer who has signed an agreement with BPR BANK.
The word “includes” means that what follows is not necessarily exhaustive and therefore the examples given are not the only things/situations included in the meaning or explanation of that text.
2. Collection of Personal Data
BPR BANK will only collect personal data about you insofar as is necessary to achieve the purposes set out in this privacy statement. We collect your personal information with your knowledge and consent, with the exception of cases where prior consent cannot be obtained for real reasons and the processing of the data is permitted by law.
Personal information may be given to or collected by BPR BANK in writing as part of a written application form, electronically (email), telephonically, online (www.bpr.rw) or via App.
BPR BANK will collect your personal information when you do any of the following:
- Make an application, buy or use any of our product and/or service or from third parties on our electronic and digital
- Use any of our product and/or service online, on a mobile or other device or in any of our branches or with any of our agents or
- Ask BPR BANK for more information about a product or service or contact BPR BANK with a query or a complaint;
- When you visit, access any of BPR BANK buildings/ premises;
- Where you’ve been identified as a next of kin by our customer or employee;
- Where you have applied for employment at BPR BANK;
- Attend an event sponsored by BPR BANK;
- Make an application to BPR BANK or interact with us as a supplier, agent or dealer;
- Visit, access or use any of our online platforms/websites;
- Subscribe to any of our online services, Short Message Service (SMS), email or social media platforms;
- Respond to or participate in a survey, marketing promotion, prize competition or special offer;
We may also collect your information from other organizations including credit-reference bureaus, fraud prevention agencies, government agencies and business directories;
- When you engage our insurance services or as a result of your relationship with one or more of our staff and clients;
- When we require personal information from you in order to fulfil a statutory or contractual requirement, or where such information is necessary to enter into a contract or is otherwise an obligation, we will inform you and indicate the consequences of failing to do so;
- When you make an application or engage with BPR BANK Foundation as a beneficiary in any of our programs.
These examples are non-exhaustive, which is reflective of the varied nature of the personal information we may collect.
What Information is collected?
From individuals who are our customers and prospective customers, or are representatives of customers and prospective customers, we may collect personal information that includes but is not limited to the following:
- Your identity information, including your title, name, photograph, marital status, nationality, occupation, residence, address, location, phone number, identity document type and number, date of birth, age, gender, your email, Facebook and Twitter address.
- Name of your employer, terms of employment and if on contract, expiry of the contract.
- Your estimated monthly income levels.
- If you are a student, your college or university and graduation date.
- Your signature specimen.
- Your credit or debit-card information, information about your bank account numbers and or other banking information.
- Your transaction information when you use our electronic and digital platforms, branches, our agents and/or merchants.
- Your preferences for particular products and services, based on information provided by you or from your use of our network or third party products and services.
- Name, family details, age, profiling information such as level of education, bank account status, income brackets, etc. collected as part of surveys conducted by us and our agents on behalf of BPR BANK.
- Your contact with us, such as when you: call us or interact with us through social media, email (we may record your conversations, social media or other interactions with us), register your biometric information such as your voice, fingerprints etc, visit our branches.
- Relevant information as required by regulatory Know Your Client and/or Anti Money Laundering regulations and as part of our client intake procedures. This may possibly include evidence of source of funds, at the outset of and possibly from time to time throughout our relationship with clients, which we may request and/or obtain from third party sources. The sources for such verification may include documentation, which we request from you or through the use of online or public sources or both.
- We use Closed Circuit Television (CCTV) surveillance recordings. CCTV Devices are installed at strategic locations to provide a safe and secure environment in all our branches, BPR BANK premises and ATMs as a part of our commitment to security and crime prevention.
- We maintain a register of visitors in which we collect and keep your personal data such as names, company/institution details, telephone number, vehicle registration details, National ID number and device serial number and model (where you visit our premises with your personal devices e.g. laptops). This information is collected for health, safety and security purposes.
- We collect and retain your personal data (name, telephone number, and vehicle registration details) when you request for a parking space in any of our BPR BANK premises. We use the data you provide to ensure effective car park management, health and safety compliance, for security purposes and inventory management.
- When you use BPR BANK WIFI for guest and visitors, we collect email IDs and will provide username and password. We record the device address and also log traffic information in the form of sites visited, duration and date sent/received.
- Information you provide to us for the purposes of attending meetings and events.
- We may use your medical information to manage our services and products to you e.g. when you use our services designed for persons with disabilities such as our braille watch for the visually impaired.
- Where you use our voice recognition platform (IVR Service) or fingerprint recognition we may collect and process your biometrics.
- We collect your personal information when you visit us for purposes of accident and incident reporting. BPR BANK will collect personal data from the injured party or person suffering from ill health, such as, Name, Address, Age, next of kin, details of the incident to include any relevant medical history. The data is collected as BPR BANK has a legal duty to document workplace incidents/accidents and to report certain types of accidents, injuries and dangerous occurrences arising out of its work activity to the relevant enforcing authority. Incidents and accidents will be investigated to establish what lessons can be learned to prevent such incidents/accidents reoccurring including introduction of additional safeguards, procedures, information instruction and training, or any combination of these. Monitoring is undertaken but on an anonymized basis. The information is also retained in the event of any claims for damages.
- When you visit our website, we collect your ID-type information: cookie ID, mobile ID, IP address which is used for real-time processing in order to generate a visitor ID.
- Information that you provide to us and/or Correspondent banks as part of the provision of Services to you, which depends on the nature of your engagement.
- We may collect details of a minor which include name, date of birth, birth certificate number, relationship with the applicant and any other information relevant for the provision of our products and services. We will only process such data where parental or legal guardian consent has been given. We will also ensure that the processing of such data will be done in a manner that protects and advances the rights and best interests of the child.
Related Legal Entities
Corporate entities and clients form part of our client base. These legal entities are not data subjects (i.e., natural persons to whom personal information relates). However, as part of our engagement with these clients, we may receive personal information about individuals which may include but is not limited to:
- Full names.
- Birth certificate number, national identity card number or passport number; personal identification number (PIN).
- Date of birth
- Postal and business address.
- Residential address, telephone number and email address.
- Occupation or profession.
- Nature of ownership or control of the company.
- Number of Shares in the company.
These examples are non-exhaustive, which is reflective of the varied nature of the personal information.
We also collect information to enable us to improve the customer experience and market our products and/or services, which may be of interest to you. For this purpose, we collect:
- Name and contact details.
- Other business information, such as job title and the company you work for.
- Products and/or services that interest you.
- Additional information may be collected, such as events you attend and if you provide it to us.
3. Use of Personal Data
This privacy statement aims to give you complete and transparent information on how BPR BANK processes your personal data. We are committed to ensure that your personal information is processed in a way that is compatible with the specified, explicit, and legitimate purpose of collection.
Where personal data relates to a child, we will process the personal data only where parental or legal guardian consent has been given. The processing of such data will be done in a manner that protects and advances the rights and best interests of the child.
We may use personal data provided to us for purposes including, but not limited to, the following:
- Verifying your identity information through publicly available and/or restricted government databases to comply with applicable Know Your Customer (KYC) requirements.
- Assessing the purpose and nature of your business or principal activity, your financial status and the capacity in which you are entering into the business relationship with us.
- Creating a record of you on our system to verify your identity, provide you with the products and/or services you have applied for from us or from third parties on our ecommerce platforms.
- Communicate with and keep you informed about the products and/or services you have applied for.
- Verification of age and consent where the personal data relates to a child.
- Identifying you and verifying your physical address.
- Identifying your source of income and similar information.
- Assessing your personal financial circumstances and needs before providing advice to you.
- Responding to any of your queries or concerns, we may record or monitor telephone calls between us so that we can check instructions and make sure that we are meeting our service standards.
- Carrying out credit checks and credit scoring.
- To perform our obligations under a contractual arrangement with you.
- Fraud prevention, detection and investigation
- Any purpose related to the prevention of financial crime, including sanctions screening, monitoring of anti-money laundering and any financing of terrorist activities.
- Further processing for historical, statistical or research, survey and other scientific or business purposes where the outcomes will not be published in an identifiable format.
- Provide aggregated data (which do not contain any information which may identify you as an individual) to third parties for research and scientific purpose.
- In business practices including quality control, training and ensuring effective systems operations.
- To understand how you use our products and services for purposes of developing or improving products and services.
- Administer any of our online platforms/websites.
- To comply with any legal, governmental, or regulatory requirement or for use by our lawyers in connection with any legal proceedings.
- For purposes relating to the assignment, sale, or transfer of any of our businesses, legal entities or assets, in whole or in part, as part of corporate transactions.
- Keeping you informed generally about new products and services and contacting you with offers or promotions based on how you use our or third-party products and services unless you opt out of receiving such marketing messages (you may contact BPR BANK at any time to opt out of receiving marketing messages).
- Where you have applied for employment at BPR BANK, we perform applicant screening and background checks.
- Where you are a BPR BANK employee (including contractors), we create an employment record of you on our system to facilitate continuous monitoring during your employment with us.
- Where you are a BPR BANK director, we create a record of you as a director on our system.
- Where you are a supplier to BPR BANK, we process your personal information for due diligence, risk assessment, administrative and payment purposes.
- For security purposes when accessing any of BPR BANK buildings/premises; and
- Where you attend an event sponsored by BPR BANK, we will be taking photos or videos of the event. These images or videos will be used by us to share news about the event, and may be used in press releases, printed publicly, and published on our website.
4. Sensitive (Special Categories) Data
We may collect Special Categories of Personal Data about you (this includes details about your race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including details of your children, parents, spouse or spouses, sex or sexual orientation and biometric data). We will rely on any of the legal basis provided in clause 6 below for such collection.
5. Transfer of Personal Data
BPR BANK may transfer your personal information for the purpose of effecting/implementing, administering, and securing any product or service that you have applied for or for other purpose set out in this privacy statement. We also share data with BPR BANK-controlled affiliates and KCB Group subsidiaries; with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our products; to comply with regulatory requirements and to protect the rights and property of BPR BANK and its customers.
We may transfer or disclose the personal data we collect to regulatory, fiscal or supervisory authorities, correspondent banks on transaction enquiries, third party contractors, subcontractors, and/or their subsidiaries and affiliates who provide support to BPR BANK in providing its services. The third-party providers may use their own third-party subcontractors that have access to personal data (sub-processors). It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by BPR BANK, and to flow those same obligations down to their sub-processors.
From time to time we may need to transfer your personal information outside the country where you are located. This includes countries that do not have laws that provide specific protection to your personal data.
Where we send your information outside the country, we will make sure that there is proof of adequate data protection safeguards in the recipient country or consent from you on transfer of your personal information unless otherwise provided by the law.
We also may disclose your personal information where required by law, to enforce other agreements, or to protect the rights, property, or safety of our business, our clients, customers, employees, or others.
BPR BANK may disclose, respond, advise, exchange and communicate personal data and/or information in the Bank’s possession relating to you outside BPR BANK whether such personal data and/or information is obtained after you cease to be the Bank’s customer or during the continuance of the bank-customer relationship or before such relationship was in contemplation, provided that such personal information is treated in confidence by the recipient:-
- For fraud prevention, detection and investigation purposes.
- To licensed credit reference agencies or any other creditor if you are in breach of your obligations to the Bank and for assessment of credit applications and for debt tracing.
- To licensed credit reference agencies or any other creditor for determining your payment history.
- To the Bank’s external lawyers, auditors, valuers, survey agencies, and sub-contractors, software developers or other persons acting as agents of the Bank.
- To any person who may assume the Bank’s rights within the confines of the law.
- To debt collection agencies.
- Providing income tax-related information to tax authorities.
- To any regulatory, fiscal or supervisory authority, any local or international law enforcement agencies, governmental agencies so as to assist in the prevention, detection, investigation or prosecution of criminal activities, courts or arbitration tribunal where demand for any personal data and/or information is within the law.
- To the Bank’s subsidiaries, affiliates and their branches and offices (together and individually).
- Where the Bank has a right or duty to disclose or is permitted or compelled to do so by law.
- For purposes of exercising any power, remedy, right, authority or discretion relevant to an existing contract with the Bank and following the occurrence of an Event of Default, to any other person or third party as well.
6. Legal basis for the processing of personal data
BPR BANK will process your personal information as permitted by the Law relating to the protection of personal data and privacy and its internal policies:
- For the performance of a product/service contract which you are party to;
- Where processing is necessary for the purposes of legitimate business interests pursued by BPR BANK or by a third party within the confines of the law;
- For the establishment, exercise or defense of a legal claim;
- Compliance with a mandatory legal obligation to which it is subject;
- With your consent;
- Public interest;
- To protect your vital interest or the vital interests of any person.
7. Direct Marketing
From time to time, we may also use your personal information to contact you for market research or to provide you with information about other services we think would be of interest to you. You may be required to opt-in or give any other form of explicit consent before receiving marketing messages from us. We respect your right to control your personal data depending on which of our products you use.
Therefore, at a minimum, we will always give you the opportunity to opt-out of receiving such direct marketing or market research communications. You may exercise this right to opt-out at any time.
8. Retention of Personal Data
BPR BANK will retain your personal data only for as long as is necessary to achieve the purpose for which they were collected. We may retain your personal data and/or information for a period of up to seven (7) years or as may be required by law and maintain specific records management and retention policies and procedures, so that personal data are deleted after a reasonable time according to the following retention criteria:
- Where we have an ongoing relationship with you.
- To comply with a legal obligation to which it is subject.
- Where retention is advisable to safeguard or improve the Bank’s legal position.
9. Your rights
You have the right (in the circumstances and under the conditions, and subject to the exceptions, set out in applicable law) to:
- Be informed that we are collecting personal data about you;
- Request access to your personal information that we have on record. This right entitles you to know whether BPR BANK holds personal data of you and, if so, obtain information on and a copy of those personal data.
- Request BPR BANK to rectify any of your personal data that is incorrect or incomplete.
- Object to and withdraw your consent to processing of your personal data. This right entitles you to request that BPR BANK no longer processes your personal data. The withdrawal of your consent shall not affect the lawfulness of processing based on prior consent before its withdrawal. We may also continue to process your personal information if we have a legitimate or legal reason to do so.
- Request the erasure of your personal data. This right entitles you to request the erasure of your personal data, including where such personal data would no longer be necessary to achieve the purposes.
- Request the restriction of the processing of your personal data: This right entitles you to request that BPR BANK only processes your personal data in limited circumstances, including with your consent.
- Request portability of your personal data. This right entitles you to receive a copy (in a structured, commonly used, and machine-readable format) of personal data that you have provided to BPR BANK, or request BPR BANK to transmit such personal data to another data controller in an electronic format.
We may also use this data in aggregate form to develop customized services - tailored to your individual interests and needs. Should you choose to do so, it is possible (depending on the browser you are using), to be prompted before accepting any cookies, or to prevent your browser from accepting any cookies at all. This will however cause certain features of the web site not to be accessible.
11. Contact Us
Please contact our Data Protection Officer if you (i) have any questions or concerns about how BPR BANK processes your personal data or (ii) want to exercise any of your rights in relation to your personal data, on +250788140000 or +250788187200 or by writing to us on email: [email protected].
12. Amendments to this Statement
BPR BANK reserves the right to amend or modify this privacy statement from time to time and your continued use of our products and services constitutes your agreement to be bound by the terms of any such amendment or variation. You can access the most current version of the privacy statement from www.bpr.rw. Any amendment or modification to this statement will take effect from the date of notification on the BPR BANK website.