This Statement provides information on how The Co-operative Bank of Kenya Ltd (hereinafter “the Bank”) approaches processing your personal data. Our focus and commitment to respecting your privacy and safeguarding your personal data remains stronger than ever.
Information that directly or indirectly identifies or says something about you is referred to as personal data. Examples include your name and address, and information such as your income. Information relating to a sole trader, commercial partnership or professional partnership is also considered personal data.
Processing means anything that can be done with personal data. This includes the collection, storage, use, transfer and removal of data.
Whose Personal Data does the Bank Process?
We process personal data if we have, want to have, or have had a business relationship with you, or if we have had contact with you.
The people whose personal data we process include:
|Types of Data||What kind of data might be involved||Examples of how the Bank uses the data|
|Information that allows an individual to be identified directly or indirectly||Name, address, telephone number, e-mail address, information provided in your identity documents to fulfil the Bank’s Know Your Customer (KYC) requirements||For identification purposes, to draw up an agreement / contract or to contact you|
|Information relating to or used for agreements / contracts or financial statements||Information about your financial situation, the products you have. Information used for obtaining finance||To assess credit worthiness, or to assess whether a product is suitable for you|
|Payment and transaction data||When a payment is made, information about the person you paid or who paid you, when the payment took place and what the balance in your account is||To ensure correct / timely processing of funds is performed. Also, for anti-money laundering / counter terrorism financing and sanctions monitoring. For your security and ours.|
|Special categories of personal data/Criminal data||Information concerning your health, information about criminal convictions, data which reveal your ethnic origin or political inclinations, biometric data||The Bank processes biometric data for identification purposes. In the context of combating terrorism and tax obligations, we are required to record information about your country of birth. In addition, we may record special categories of data such as Criminal data in the context of Anti-Money Laundering|
|Recorded calls, documentation of e-mails and physical access, CCTV||Cookies, IP address and data relating to the device on which you use our online services or our website.||To enable our online services to be used and to combat fraud. To improve our website. For displaying targeted adverts or banners. Identifying customers after they have logged in by storing a temporary reference number of cookies so that the Bank web server can conduct a dialogue with the customer while simultaneously dealing with other customers. Allowing customers to carry information across pages of our site and avoid having to re-enter the same information. Enabling the Bank to evaluate the effectiveness of its advertising and promotions. Enabling the Bank to produce statistical information (anonymous) which helps it to improve the structure and content of its web site.|
|Data we receive from Third Parties||Data may be obtained from Credit Reference Bureaus, Company Registry||We use this information to check Directors and credit rating details.|
|Data we share with Third parties||Financial information and transaction data upon request of the relevant enforcement agencies and regulator. Data we provide to other Businesses within the Group that we engage to help us provide services. Data you have asked us to share with another party. Information required to meet our regulator or legal reporting commitments.||We are required to provide specific data to tax authorities and to the regulator. You may also ask us to share specific data with a third party. We may be required to share with the relevant authorities and regulatory bodies as part of compliance with the Anti-Money Laundering, Counter Terrorism Financing and Fraud prevention laws and/or regulations.|
|Data we require to combat fraud, to ensure your security and ours, and to prevent money laundering and the financing of terrorism||The data we keep in our internal and external referral registers, sanction lists, location information, transaction data, identity information, camera images and payment details, cookies, IP address and data relating to the device on which you use online services.||In order to comply with legal obligations and prevent you, the financial sector, Cooperative Bank or our employees from becoming the victims of fraud, for security reasons and to protect the financial markets, we might check whether you appear in our external or internal referral registers and we have to check whether your name appears in sanction lists. We may use your IP address, device details and cookies to combat online fraud (DDoS attacks) and botnets.|
We receive your personal data when you provide it to the Bank. Examples include when opening an account, entering into a contract with us (for example, a loan), data you send to us in order that we can contact you, and data arising from any group services that we provide.
We may also receive your data from business units within the Co-operative Bank of Kenya Ltd Group companies or from other financial institutions in the context of combating fraud, money laundering or terrorism. We may also receive data from others, such as suppliers or other parties we work with, or because you have given another party consent to share data with us.
We may also receive data from public sources such as newspapers, public registers and websites.
We do not keep your data for any longer than necessary to fulfil the purposes for which we collected it. We have adopted a data retention policy. This policy specifies how long we keep data. In general, we will keep your data for seven years following the termination of the relevant agreement or the ending of your business relationship with Cooperative Bank, unless there is a legal obligation to preserve the data longer, e.g. if the regulator asks us to keep specific data for longer in the context of risk models. In some cases, we use shorter retention periods.
In specific situations, we may also keep data for longer than the retention period we have fixed. We will do this if, for example, the judicial authorities request camera images, in which case we will keep the images for longer than we usually do, or if you have submitted a complaint, in which case the underlying data must be kept for longer.
Once we no longer require the data for the purposes described before, we may keep the data for archiving purposes, in the event of legal proceedings, or for historic or scientific research purposes or statistical purposes.
We process special categories of personal data where this is permitted by law and consent is acquired; this may include the use of biometrics, criminal convictions, etc. If you give us consent to record special categories of personal data relating to you, or you have made this information public yourself, we will only process the information if this is necessary so that we can provide our services. If you have given us consent to record special categories of personal data, you may withdraw that consent at any time. To do this, please contact your Relationship Manager or the contacts listed below.
2.4 Does the Bank use Automated Individual Decision-making including Profiling?
We will only make a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you, where this is allowed by law and we have obtained consent.
We do not envisage that any decisions will be taken about you that produce legal effects or significantly affect you.
Within Cooperative Bank your personal data can be accessed only by individuals who need to have access owing to their role and for official business purposes. All these people are bound by a duty of confidentiality.
If we want to use information for any purpose other than the purpose for which it was obtained, we may do this if the two purposes are closely related.
If there is not a sufficiently strong correlation between the purpose for which we obtained the data and the new purpose, we will ask you to give your consent. If you have given us consent, you may withdraw that consent at any time. To do this, please contact your Relationship Manager or the contacts listed below.
Within the Co-operative Bank of Kenya Ltd Group Companies
Your personal data may be shared by Group Businesses, for example because you ask us to do this, or because you also purchase a product from a different division of the Bank. Information that has been used to establish your identity may also be used by another division of the Bank with which you want to do business.
Outside the Co-operative Bank of Kenya Ltd Group Companies
We also transfer data if this is necessary in order to perform our agreements with you. For example, we use third parties such as SWIFT to enable you to make payments. Other Branches or Companies in the CO-OP Bank Group (i.e. Co-op Bank, its subsidiaries and affiliates), any regulatory, supervisory, governmental or quasi-governmental authority with jurisdiction over Co-op Bank Group members, any agent, contractor or third-party service provider, professional adviser or any other person under a duty of confidentiality to the Co-op Bank Group, credit reference agencies and, in the event of default, debt collection agencies, any actual or potential participant or sub-participant in, assignee or transferee of, any of the Co-op Bank Group’s rights and/or obligations in relation to you. These third parties are subject to supervision by their regulators.
If we transfer your data to other parties outside Kenya, we take additional measures to protect your data. Cooperative Bank may leverage technologies such as Cloud, which may result in your data being shared and stored in different jurisdictions. However, in such cases the highest level of protection will always be embedded to safeguard your data.
a) Right to Access
You may ask through the branch or relationship manager to access all the information that we have and process in relation to you. The data protection office shall respond to such requests within 30 days.
b) Right to be Forgotten
You may request that we erase data concerning yourself that we have captured, for example if you object to the processing of your personal data. Your interest must also be greater than the Bank’s interest in processing the data.
c) Right to Data Portability
You have the right to request the Bank to supply you with data that you previously provided to the Bank in the context of a contract with us or with your consent, in a structured, machine-readable format, or that we transfer such data to another party. If you ask us to transfer data directly to another party, we can do this only if this is technically feasible.
d) Right to Rectification
If you believe your personal data has been processed incorrectly or incompletely, you may request that we change or supplement the data.
e) Right to restriction of processing
You may request that we restrict the personal data relating to you that we process. This means that we will process fewer personal data relating to you.
f) Right to object to Direct Marketing
You have the right to request the bank to stop sending marketing communication. You can place your request to the Contact center or branch.
If you have any questions concerning the processing of personal data by us, please contact:
Your Relationship Manager or Branch with which you do business. In the case of matters concerning the exercising of your rights and other questions about the processing of your personal data kindly contact us on.