Data Privacy Statement

This policy explains how BPR Bank Rwanda Plc (referred to in this policy as BPR Bank, we or us) collects and uses information about you in the course of providing services to you. This includes when you use our website or our online services when you apply to become a customer and when we provide services to you as a customer.
We take our data protection obligations seriously and it is important to us that you understand how we use your personal data. This Privacy Policy sets out in detail the purposes for which we process your personal data, who we share it with, what rights you have in relation to that data and everything else that we think it is important for you to know.

This policy covers the following

What is Personal Information?
Whose Personal Information do we collect?
How do we collect your Personal Information?
What Information do we collect?
How do we use your personal information and what is our legal basis for doing so?
What happens if you do not provide the information which we request?
How do we share your personal information?

When do we transfer your data overseas?
For how long do we keep your personal information?
Your Rights in relation to your information
Right to Object
Exercising your Rights
Complaints
The table in section 4 of this policy provides an overview of the data that we collect. The table at section 5 of this policy provides an overview of the purposes for which we use that data, and the legal basis which permits us to use your information.

We keep this privacy policy up to date, so if there are any changes to the way in which your personal information is used this privacy policy will be updated and we will notify you of the changes.

Contact details

Our contact details are as follows.

Address: Data Protection Officer, BPR Bank RWANDA PLC, KN 67, Street 2, P.O. Box 1348, Kigali, Rwanda, Tel: +250 788 140 000 / 788 187 200, Email: [email protected]

We have appointed a Data Protection Officer. You can contact the Data Protection Officer using the following details: Email: [email protected]

What is personal information?

Personal information/person data refers to information about a person from which the person can be identified that is recorded in any form, it is any information that identifies you or “other third parties”. This could include information such as name, contact details, date of birth, medical information and bank account details.

Whose personal information do we collect?

We collect information about individual customers if you hold a personal account or a sole trader account. We also collect information about directors, shareholders employees and guarantors of our corporate customers. In this Privacy Policy we refer to all such individual as you.

How do we collect personal information?

We collect personal information about you from various sources including:

Employment details when onboarding new employees or during existing background checks.
Entry into our premises for any banking services journey
Onboarding of suppliers and agents
When you contact us directly through the account application process or during our business relationship with you or a customer you are connected to.
From other third parties when we carry out due diligence checks or ongoing monitoring – if we do this, we will inform you during the account application process of the exact checks that are carried ou

What information do we collect?

We collect the following categories of information about you:

We collect the following information directly from you

We collect the following information from third parties

Name

Sanctions information, if any

Title

PEP information, if any

Date of Birth

Mortality information, if any

Contact details such as current and previous address, contact number, email address

Bankruptcy/insolvency information, if any

Nationality

Information about criminal convictions and offences committed, if any

Citizenship Status

Telephone directory, if any

Employment Status

Adverse media information

Income Details

Credit history

Employer Contact Details

Directorship information in an entity

Marital Status

Persons of significant control in an entity

Dependents

Source of Funds and Source of Wealth

Visa Status

ID Document Number (usually passport or driving license)

Other bank account details

Voice recording (if you call our contact centre or one of our branches)

CCTV footage

Tax residency(ies)

Tax identification number(s)

National Insurance number

Birth details such as town/city/country of birth

Details of public position held if you are a Politically Exposed Person

Details of public positions held by your immediate family, i.e., spouse, partner, children and their spouses and partners, parent if they are Politically Exposed Persons

Residential property ownership status

Security information to enable you to access your account and verify your identity

Signatures

How do we use your information and what is our legal basis for doing so?

Under data protection legislation we are only permitted to use your personal information if we have a legal basis for doing so as set out in the data protection legislation. We rely on the following legal bases to use your information for business-related purposes.

Where we need to use your personal information in order to enter into a contract with you or to perform a contract with you to provide banking services.
Where we need to comply with a legal obligation.
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
In more limited circumstances we may also rely on the following legal bases.
Where we need to protect your interests (or someone else's interests).
Where it is needed in the public interest or for official purposes.
There are additional restrictions on the circumstances in which we are permitted to collect and use criminal conviction data. We may process criminal conviction information where we need to do so to comply with our regulatory obligations. In the table below we set out an explanation of the purposes for which we use your personal information and the legal bases that permit us to use your personal information for those purpose. Where appropriate, we have also identified our legitimate interests in processing your personal data.

We may process your personal information for more than one legal basis depending on the specific purpose for which we are using your personal data. Please contact us if you need details about the specific legal basis we are relying on to process your personal information where more than one ground has been set out in the table below

Purpose and/or activity

Legal basis for processing

Contractual necessity

To make decisions about providing credit to you or a customer you are connected to

Legitimate interests: carry out checks and use your information to make decisions about lending to a business to which you are connected.

To comply with our regulatory duties, including regulatory reporting

Legal obligation

To assess customer transactions from a finance, management and regulatory perspective

Legitimate interests: assess the nature of transactions being undertaken in order to make improvements to the way that we operate and to manage risks

For business management and planning purposes, including accounting, auditing and compliance with statutory record keeping requirements

Legal obligation

Legitimate interests: analyze the performance of our business and to assist with financial planning and decisions

For marketing purposes

Legitimate interests: promoting our products and services

To deal with legal disputes

Legitimate interests: to protect our legal position

For fraud and financial crime prevention

Legitimate interests: to protect our business and our customers against fraud and financial crime

To make/receive payments

Contractual necessity

What happens if you do not provide information that we request?

We need some information so that we can comply with our legal obligations. For example, we need information from you so that we can comply with our regulatory requirements to identify our customers and carry out anti-money laundering checks before we can offer our services to a new customer and during the customer relationship. We also need certain information to enable us to provide our services to you and perform our contract with you. For example, we need your contact information so that we can communicate with you about your account.

Where information is needed for these purposes if you do not provide it, we will not be able to provide services to you or the customer you are connected to (as applicable). If you do not provide information as requested during the course of our relationship with you/our customer, we may have to stop providing services to you/our customer (as applicable).

How do we share your personal information?

We share your personal information in the following ways.

We share customer information with other data processors so that they can provide us with IT services. We also share customer information for regulatory purposes, so that the Bank can comply with regulatory requirements. Further we do ensure there is an agreement between the bank and data processor to keep confidentiality and privacy.
When we use service providers to help us deliver our services to you or to administer your accounts, we share customer information with those service providers. This may include IT service providers, debt recovery agents and other service providers.
We share customer information with our regulators when we have a regulatory duty to do so.
We share customer information with the police and with criminal investigation agencies in Rwanda where necessary for the purposes of preventing, detecting or investigating crime.
In some circumstances we have legal obligations to report suspected criminal activities to relevant authorities. This includes where we suspect money laundering or other criminal activities.
We will disclose customer information when it is necessary to do so to protect the Bank's interests or to pursue a legal claim.
If you have a joint account or if you have authorized another person to act on your behalf, your information will be shared with the joint account holder or authorized user (as applicable).
We share your information with fraud prevention agencies. If you provide us with false or inaccurate information and fraud is identified, we will pass details of the fraud-to-fraud prevention agencies to prevent fraud and money laundering.
Credit reporting: "Where you apply for new products, we will share your information with a relevant Credit Reference Bureau (CRB) in order to assess whether you or your business can afford to make the repayments, to manage your account(s) with us, to confirm whether the information you provide is accurate and for fraud and crime prevention purposes.

During the course of your relationship with the Bank we will continue to exchange information about you with CRB, We will inform the CRB in respect of your repayment history or if you fail to repay in full or on time. In turn this information may be supplied by CRB to other organizations.

A CRB search request places a search footprint on your credit file which will be visible when you apply for a loan, credit card, mortgage or attempt to open another account. Where you have made a joint application, we will link your records and you should inform the other person of this before submitting the application.

If we sell any part of our business and/or integrate it with another organization your details may be disclosed to our advisers and to prospective purchasers or joint venture partners and their advisers. If this occurs the new owners of the business will only be permitted to use your information in the same or similar way as set out in this privacy policy.
Where we share your personal information with third parties, we ensure that we have appropriate measures in place to safeguard your personal information and to ensure that it is solely used for legitimate purposes in line with this Privacy Policy.

When do we transfer your information overseas?

When data is transferred to countries outside of RWANDA those countries may not offer an equivalent level of protection for personal information to the laws in RWANDA. Where this is the case, we will en
Obtain access to your personal information that we hold.
Request that your personal information is corrected if you believe it is incorrect, incomplete, or inaccurate,
Request that we erase your personal information in the following circumstances:

If BPR BANK RWANDA PLC is continuing to process personal data beyond the period when it is necessary to do so for the purpose for which it was originally collected.

If BPR BANK RWANDA PLC is relying on consent as the legal basis for processing and you withdraw consent (we do not usually rely on consent).

If BPR BANK RWANDA PLC is relying on legitimate interest as the legal basis for processing and you object to this processing and there is no overriding compelling ground which enables us to continue with the processing.

If the personal data has been processed unlawfully (i.e., in breach of the requirements of the data protection legislation)

If it is necessary to delete the personal data to comply with a legal obligation.

Ask us to restrict our data processing activities where you consider that:

Personal information is inaccurate.

Our processing of your personal information is unlawful.

Where we no longer need the personal information, but you require us to keep it to enable you to establish, exercise or defend a legal claim.

Where you have raised an objection to our use of your personal information.

Request a copy of certain personal information that you have provided to us in a commonly used electronic format. This right relates to personal information that you have provided to us that we need in order to perform our agreement with you and personal information where we are relying on consent to process your personal information; and

Not be subject to automated decisions which produce legal effects or similarly significant effects on you.

Right to object

You have a right to object to our processing of your personal information where we are relying on legitimate interests or exercise of a public interest task to make the processing lawful. If you raise an objection, we will carry out an assessment to determine whether we have an overriding legitimate ground which entitles us to continue to process your personal information.sure that appropriate safeguards are put in place to protect your personal information.

For how long do we keep your information?

As a general rule we keep your personal information for the duration of our contract with you or the customer to which you are connected (as applicable) and for a period of 10 years after that contract ends. However, where we have statutory obligations to keep personal information for a longer period or where we may need your information for a longer period in case of a legal claim, then the retention period may be longer.

Your rights in relation to your information

You have a number of rights in relation to your personal information, these include the right to:

Be informed about how we use your personal information.
Obtain access to your personal information that we hold.
Request that your personal information is corrected if you believe it is incorrect, incomplete, or inaccurate,
Request that we erase your personal information in the following circumstances:

If BPR BANK RWANDA PLC is continuing to process personal data beyond the period when it is necessary to do so for the purpose for which it was originally collected.

If BPR BANK RWANDA PLC is relying on consent as the legal basis for processing and you withdraw consent (we do not usually rely on consent).

If BPR BANK RWANDA PLC is relying on legitimate interest as the legal basis for processing and you object to this processing and there is no overriding compelling ground which enables us to continue with the processing.

If the personal data has been processed unlawfully (i.e., in breach of the requirements of the data protection legislation)

If it is necessary to delete the personal data to comply with a legal obligation.

Ask us to restrict our data processing activities where you consider that:

Personal information is inaccurate.

Our processing of your personal information is unlawful.

Where we no longer need the personal information, but you require us to keep it to enable you to establish, exercise or defend a legal claim.

Where you have raised an objection to our use of your personal information.

Request a copy of certain personal information that you have provided to us in a commonly used electronic format. This right relates to personal information that you have provided to us that we need in order to perform our agreement with you and personal information where we are relying on consent to process your personal information; and

Not be subject to automated decisions which produce legal effects or similarly significant effects on you.

Right to object

You have a right to object to our processing of your personal information where we are relying on legitimate interests or exercise of a public interest task to make the processing lawful. If you raise an objection, we will carry out an assessment to determine whether we have an overriding legitimate ground which entitles us to continue to process your personal information.

Exercising your rights

If you would like to exercise any of your rights or find out more, please contact Data Protection Officer, BPR Bank Rwanda PLC KN 67, Street 2, P.O. Box 1348, Kigali, Rwanda, Tel: +250 788 140 000 / 788 187 200, Email: [email protected]

Complaints

If you have any complaints about the way we use your personal information please contact Data Protection Officer, BPR Bank Rwanda Plc KN 67, Street 2, P.O. Box 1348, Kigali, Rwanda, Tel: +250 788 140 000 / 788 187 200, Email: [email protected] who will try to resolve the issue. If we cannot resolve your complaint, you have the right to complain to the data protection authority in Rwanda National Cyber Security Authority.