Privacy Notice

1. Overview of the Firstrand group

FirstRand Limited (FirstRand or the group) has a portfolio of integrated financial services businesses and operates in South Africa, certain markets in sub-Saharan Africa and the UK. Through its portfolio of separately branded financial services businesses, the group offers a universal set of transactional, lending, investment and insurance products and services.

FirstRand’s simplified legal entity structure can be found on the group’s website at: https://www.firstrand.co.za/the-group/ownership-and-legal-structure/

The FirstRand group follows a multi-branding approach. Some of the group’s major brands in South Africa are shown below.

2. Definitions

In this document, references to “FirstRand” or “the group” are to FirstRand Limited and its subsidiary companies, including divisions, segments and business units. Certain subsidiary companies may be excluded from the FirstRand group description for the purposes of this privacy notice (such as where the FirstRand group is involved in private equity investments). Confirmation as to whether this privacy notice applies to a specific company associated with the FirstRand group can be sought through the contact details provided in this privacy notice.

Any product, service or goods offered to a customer by any company in the FirstRand group of companies is referred to as a solution in this document.

3. Background and purpose of this notice

Protecting customers’ personal information is important to FirstRand. To do so, it follows general principles in accordance with applicable privacy laws.

The group has developed this group customer privacy notice (notice) to enable its customers to understand how the group collects, uses and safeguards their personal information.

The group collects personal information about its customers. This includes what customers tell the group about themselves, what the group learns by having a customer or when a customer makes use of a solution, as well as the choices customers make about the marketing they elect to receive. This notice also outlines customers’ privacy rights and how the law protects customers.

In terms of applicable privacy laws, this notice may also apply on behalf of other third parties (such as authorised agents and contractors), acting on the group’s behalf when providing customers with solutions. If a FirstRand group business processes personal information for another party under a contract or a mandate, however, the other party’s privacy policy or notice will apply.

In this notice “process” means how the group collects, uses, stores, makes available, destroys, updates, discloses, or otherwise deals with customers’ personal information. As a general rule, the group will only process customers’ personal information if this is required to deliver or offer a solution to a customer. The group respects customers’ privacy and will treat their personal information confidentially.

The group may combine customers’ personal information and use the combined personal information for any of the purposes stated in this notice.

In this notice, any reference to “the group” or “FirstRand” includes any one or more (if they are acting jointly) of the above FirstRand companies, and all affiliates, associates, cessionaries, delegates, successors in title or third parties (authorised agents and contractors), when such parties are acting as responsible parties, joint responsible parties or operators in terms of applicable privacy laws, unless stated otherwise.

VERY IMPORTANT: If customers use group solutions and service channels (including both assisted and unassisted interactions), or by accepting any agreement, contract, mandate or annexure with the group or by utilising any solutions offered by the group, customers agree that in order to:

  • conclude and fulfil contractual terms or obligations to a customer;
  • comply with obligations imposed by law; or
  • to protect or pursue customers’, the group’s, or a third party’s legitimate interests, including offering solutions that best meet customers’ needs;

Customers’ personal information may be processed through centralised functions and systems across companies in the FirstRand group and may be used for the purposes, in the manner, and with the appropriate controls as set out in this notice.

Where it is necessary to obtain consent for processing, the group will seek customers’ consent separately. Customers should read the consent request carefully as it may limit their rights.

NOTE: As the FirstRand group has operations in a number of countries, this notice will apply to the processing of personal information by any member of FirstRand group in any country and the processing of your personal information may be conducted outside the borders of South Africa, but will be processed according to the requirements and safeguards of applicable privacy law or privacy rules that bind the FirstRand group of companies.

The group may change this notice from time to time if required by law or its business practices. Where the change is material, the group will notify customers and will allow a reasonable period for customers to raise any objections before the change is made. Please note that the group may not be able to continue a relationship with a customer or provide customers with certain solutions if they do not agree to the changes.

The latest version of the notice displayed on FirstRand’s website will apply to customers’ interactions with the group and is available at: https://www.firstrand.co.za/investors/governance-and-compliance/.

4. Responsible parties

The group has several responsible parties. These parties or companies are responsible for determining why and how the group will use customers’ personal information. When a customer uses a solution of any group company, the responsible party will be the company which the customer engages to take up the solution, acting jointly with the other companies in the group. It will be clear to customers from the documentation they receive when using or taking up a solution who the responsible party is who should be contacted in the first instance.

Customers can contact the various responsible parties in the FirstRand group through the applicable business, details of which are set out below.

DPO@FNB.co.za
RMBPrivacy.Office@rmb.co.za
privacy@wesbank.co.za
query@ashburton.co.za
dpo@directaxis.co.za
MvDPO@motovantage.co.za


5. What is personal information?

Personal information refers to any information that identifies a customer or specifically relates to a customer. Personal information includes, but is not limited to, the following information about a customer:

  • marital status (married, single, divorced); national origin; age; language; birth; education;
  • financial history (e.g. income, expenses, obligations, assets and liabilities or buying, investing, lending, insurance, banking and money management behaviour or goals and needs based on, amongst others, account transactions);
  • employment history and your current employment status (for example when a customer applies for credit);
  • gender or sex (for statistical purposes as required by the law);
  • identifying number (e.g. an account number, identity number or passport number);
  • e-mail address; physical address (e.g. residential address, work address or physical location); telephone number;
  • information about your location (e.g. geolocation or GPS location);
  • online identifiers; social media profiles;
  • biometric information (e.g. fingerprints, signature or voice);
  • race (for statistical purposes as required by the law);
  • physical health; mental health; wellbeing; disability; religion; belief; conscience; culture;
  • medical history (e.g. HIV/AIDS status); criminal history; employment history;
  • personal views, preferences and opinions;
  • confidential correspondence; or
  • another’s views or opinions about a customer and a customer’s name also constitute personal information.

Depending on the applicable law of the country, a juristic entity (like a company) may also have personal information which is protectable in law and which may be processed in terms of this notice.

There is also a category of personal information called special personal information, which includes the following personal information about a customer:

  • religious and philosophical beliefs (for example where a customer enters a competition and is requested to express a philosophical view);
  • race (e.g. where a customer applies for a solution where the statistical information must be recorded);
  • ethnic origin;
  • trade union membership;
  • political beliefs;
  • health including physical or mental health, disability and medical history (e.g. where a customer applies for an insurance policy);
  • biometric information (e.g. to verify a customer’s identity); or
  • criminal behaviour where it relates to the alleged commission of any offence or the proceedings relating to that offence.

6. When will the group process your personal information?

The group may process customers’ personal information for lawful purposes relating to its business if the following circumstances apply:

  • it is necessary to conclude or perform under a contract the group has with the customer or to provide the solution to the customer;
  • the law requires or permits it;
  • it is required to protect or pursue the customer’s, the group’s or a third party’s legitimate interest;
  • the customer has consented thereto;
  • a person legally authorised by the customer, the law or a court, has consented thereto; or
  • the customer is a child and a competent person (such as a parent or guardian) has consented thereto on their behalf.

7. When will the group process customers' special personal information?

The group may process customers’ special personal information in the following circumstances, among others:

  • if the processing is needed to create, use or protect a right or obligation in law;
  • if the processing is for statistical or research purposes, and all legal conditions are met;
  • if the special personal information was made public by the customer;
  • if the processing is required by law;
  • if racial information is processed and the processing is required to identify the customer;
  • if health information is processed, and the processing is to determine a customer’s insurance risk, or to comply with an insurance policy, or to enforce an insurance right or obligation; or
  • if the customer has consented to the processing.

8. When and how will the group process the personal information of children?

A child is a person who is defined as a child by a country’s legislation, and who has not been recognised as an adult by the courts.

The group processes the personal information of children if the law permits this.

The group may process the personal information of children if any one or more of the following applies:

  • a person with the ability to sign legal agreements has consented to the processing, being the parent or guardian of the child;
  • the processing is needed to create, use or protect a right or obligation in law, such as where the child is an heir in a will, a beneficiary of a trust, a beneficiary of an insurance policy or an insured person in terms of an insurance policy;
  • the child’s personal information was made public by the child, with the consent of a person who can sign legal agreements;
  • the processing is for statistical or research purposes and all legal conditions are met;
  • where the child is legally old enough to open a bank account without assistance from their parent or guardian;
  • where the child is legally old enough to sign a document as a witness without assistance from their parent or guardian; or
  • where the child benefits from a bank account such as an investment or savings account and a person with the ability to sign legal agreements has consented to the processing.

9. When, and from where, does the group obtain personal information about customers?

We collect information about customers:

  • directly from customers;
  • based on customers’ use of group solutions or service channels (such as group websites, applications and ATMs, including both assisted and unassisted customer interactions) as applicable;
  • based on how customers engage or interact with the group, such as on social media, and through emails, letters, telephone calls and surveys;
  • based on a customer’s relationship with the group;
  • from public sources (such as newspapers, company registers, online search engines, deed registries, public posts on social media);
  • from technology, such as a customer’s access and use including both assisted and unassisted interactions (e.g. on the group’s websites and mobile applications) to access and engage with the group’s platform;
  • customers’ engagement with group advertising, marketing and public messaging; and
  • from third parties that the group interacts with for the purposes of conducting its business (such as partners, reward partners, list providers, the group’s customer loyalty rewards programmes’ retail and online partners, credit bureaux, regulators and government departments or service providers).

The group collects and processes customers’ personal information at the start of, and for the duration of their relationship with the group. The group may also process customers’ personal information when their relationship with the group has ended.

If the law requires the group to do so, it will ask for customer consent before collecting personal information about them from third parties.

The third parties (which may include parties the group engages with as independent responsible parties, joint responsible parties or operators) from whom the group may collect customers’ personal information include, but are not limited to, the following:

  • members of the group, any connected companies, subsidiary companies, its associates, cessionaries, delegates, assignees, affiliates or successors in title and/or appointed third parties (such as its authorised agents, partners, contractors and suppliers) for any of the purposes identified in this notice;
  • the customer’s spouse, dependants, partners, employer, joint applicant or account holder and other similar sources;
  • people the customer has authorised to share their personal information, such as a person that makes a travel booking on their behalf, or a medical practitioner for insurance purposes;
  • attorneys, tracing agents, debt collectors and other persons that assist with the enforcement of agreements;
  • payment processing services providers, merchants, banks and other persons that assist with the processing of customers’ payment instructions, such as card scheme providers (including VISA or MasterCard);
  • insurers, brokers, other financial institutions or other organisations that assist with insurance and assurance underwriting, the providing of insurance and assurance policies and products, the assessment of insurance and assurance claims, and other related purposes;
  • law enforcement and fraud prevention agencies, and other persons tasked with the prevention and prosecution of crime;
  • regulatory authorities, industry ombudsmen, government departments, and local and international tax authorities;
  • credit bureaux;
  • financial services exchanges;
  • qualification information providers;
  • trustees, executors or curators appointed by a court of law;
  • cheque verification service providers;
  • the group’s service providers, agents and subcontractors, such as couriers and other persons the group uses to offer and provide solutions to customers;
  • courts of law or tribunals;
  • participating partners, whether retail or online, in the group’s customer rewards programmes;
  • the group’s joint venture partners;
  • marketing list providers;
  • social media platforms; or
  • online search engine providers.

10. Reasons the group needs to process customers' personal information

The group may process customers’ personal information for the reasons outlined below.

10.1 Contract

The group may process customers’ personal information if it is necessary to conclude or perform under a contract the group has with a customer or to provide a solution to a customer. This includes:

  • assess and process applications for solutions;
  • to assess the group’s lending and insurance risks;
  • to conduct affordability assessments, credit assessments and credit scoring;
  • to provide a customer with solutions they have requested;
  • to open, manage and maintain customer accounts or relationships with the group;
  • to enable the group to deliver goods, documents or notices to customers;
  • to communicate with customers and carry out customer instructions and requests;
  • to respond to customer enquiries and complaints;
  • to enforce and collect on any agreement when a customer is in default or breach of the terms and conditions of the agreement, such as tracing a customer, or to institute legal proceedings against a customer. In such scenario the group may aggregate the contact details provided to any of the companies in the group to determine the customer’s most accurate contact details in order to enforce or collect on any agreement the customer has with the group;
  • to disclose and obtain personal information from credit bureaux regarding a customer’s credit history;
  • to meet record-keeping obligations;
  • to conduct market and behavioural research, including scoring and analysis to determine if a customer qualifies for solutions, or to determine a customer’s credit or insurance risk;
  • to enable customers to participate in and make use of value-added solutions;
  • to enable customers to participate in customer rewards programmes: determine customer qualification for participation, rewards points, rewards level, and monitor customer buying behaviour with the group’s rewards partners to allocate the correct points or inform customers of appropriate solutions they may be interested in, or to inform the group’s reward partners about a customer’s purchasing behaviour;
  • for customer satisfaction surveys, promotional and other competitions;
  • for insurance and assurance underwriting and administration;
  • to process or consider or assess insurance or assurance claims;
  • to provide insurance and assurance policies and products, and related services;
  • for security and identity verification, and to check the accuracy of customer personal information; or
  • for any other related purposes.

10.2 Law

The group may process customers’ personal information if the law requires or permits it. This includes:

  • to comply with legislative, regulatory, risk and compliance requirements (including directives, sanctions and rules);
  • to comply with voluntary and involuntary codes of conduct and industry agreements;
  • to fulfil reporting requirements and information requests;
  • to process payment instruments (such as a cheque) and payment instructions (such as a debit order);
  • to create, manufacture and print payment instruments (such as a cheque) and payment devices (such as a debit card);
  • to meet record-keeping obligations;
  • to detect, prevent and report theft, fraud, money laundering, corruption and other crimes. This may include the processing of special personal information, such as alleged criminal behaviour or the supply of false, misleading or dishonest information when opening an account with the group, or avoiding liability by way of deception, to the extent allowable under applicable privacy laws;
  • to conduct market and behavioural research, including scoring and analysis to determine if a customer qualifies for solutions, or to determine a customer’s credit or insurance risk;
  • to enable customers to participate in and make use of value-added solutions;
  • to enable customers to participate in customer rewards programmes: determine customer qualification for participation, rewards points, rewards level, and monitor customer buying behaviour with the group’s rewards partners to allocate the correct points or inform customers of appropriate solutions they may be interested in, or to inform the group’s reward partners about a customer’s purchasing behaviour;
  • for customer satisfaction surveys, promotional and other competitions;
  • to assess our lending and insurance risks;
  • to conduct affordability assessments, credit assessments and credit scoring;
  • to disclose and obtain personal information from credit bureaux regarding a customer’s credit history;
  • to develop credit models and credit tools;
  • for insurance and assurance underwriting and administration;
  • to process or consider or assess insurance or assurance claims;
  • to provide insurance and assurance policies and products, and related services; or
  • for any other related purposes.

10.3 Legitimate interest

The group may process customers’ personal information in the daily management of its business and finances and to protect the group’s customers, employees, service providers and assets. It is to the group’s benefit to ensure that its procedures, policies and systems operate efficiently and effectively.

The group may process customers’ personal information to provide them with the most appropriate solutions and to develop and improve solutions and the group’s business.

The group may process a customer’s personal information if it is required to protect or pursue their, the group’s or a third party’s legitimate interest. This includes:

  • to develop, implement, monitor and improve the group’s business processes, policies and systems;
  • to manage business continuity and emergencies;
  • to protect and enforce the group’s rights and remedies in the law;
  • to develop, test and improve solutions for customers, this may include connecting customer personal information with other personal information obtained from third parties or public records to better understand customer needs and develop solutions that meet these needs. The group may also consider customer actions, behaviour, preferences, expectations, feedback and financial history;
  • tailoring solutions which would include consideration of a customer’s use of third-party products, goods and services and marketing of appropriate solutions to the customer, including marketing on the group’s own or other websites, mobile apps and social media;
  • to market group solutions to customers via various means including on group and other websites and mobile apps including social media;
  • to respond to customer enquiries and communications including the recording of engagements and analysing the quality of the group’s engagements with a customer;
  • to respond to complaints including analytics of complaints to understand trends and prevent future complaints and providing compensation where appropriate;
  • to enforce and collect on any agreement when a customer is in default or breach of the terms and conditions of the agreement, such as tracing the customer, or to institute legal proceedings against the customer. In such a scenario, the group may aggregate the contact details provided to any of the companies in the group to determine the customer’s most accurate contact details in order to enforce or collect on any agreement the customer has with the group;
  • to process payment instruments (such as a cheque) and payment instructions (such as a debit order);
  • to create, manufacture and print payment instruments (such as a cheque) and payment devices (such as a debit card);
  • to meet record-keeping obligations;
  • to fulfil reporting requirements and information requests;
  • to comply with voluntary and involuntary codes of conduct and industry agreements;
  • to detect, prevent and report theft, fraud, money laundering, corruption and other crimes. This may include the processing of special personal information, such as alleged criminal behaviour or the supply of false, misleading or dishonest information when opening an account with the group, or avoiding liability by way of deception, to the extent allowable under applicable privacy laws. This may also include the monitoring of our buildings including CCTV cameras and access control;
  • to conduct market and behavioural research, including scoring and analysis to determine if a customer qualifies for solutions, or to determine a customer’s credit or insurance risk;
  • for statistical purposes, such as market segmentation or customer segments (that is placing customers in groups with similar customers based on their personal information);
  • to enable customers to participate in customer rewards programmes: determine customer qualification for participation, rewards points, rewards level, and monitor customer buying behaviour with the group’s rewards partners to allocate the correct points or inform customers of appropriate solutions they may be interested in, or to inform the group’s reward partners about a customer’s purchasing behaviour;
  • for customer satisfaction surveys, promotional and other competitions;
  • to assess the group’s lending and insurance risks;
  • to disclose and obtain personal information from credit bureaux regarding a customer’s credit history;
  • to develop credit models and credit tools;
  • for any other related purposes.

11. Why does the group further use or process customers' personal information?

At the time that the group collects personal information from a customer, it will have a reason or purpose to collect that personal information. In certain circumstances, however, the group may use that same personal information for other purposes. The group will only do this where the law allows it to and the other purposes are compatible with the original purpose/s applicable when the group collected the customer’s personal information. The group may also need to request a customer’s specific consent for the further processing in limited circumstances. Examples of these other purposes are included in the list of purposes set out in section 10 above.

The group may also further use or process a customer’s personal information if:

  • the personal information about the customer was obtained from a public record, like the deed’s registry;
  • the customer made the personal information public, like on social media;
  • the personal information is used for historical, statistical or research purposes, the results will not identify the customer;
  • proceedings have started or are contemplated in a court or tribunal;
  • it is in the interest of national security;
  • if the group must adhere to the law, specifically tax legislation; or
  • the Information Regulator has exempted the processing.

The group may also further use or process a customer’s personal information if the customer has consented to it or in the instance of a child, a competent person has consented to it.

Any enquiries about the further processing of customer personal information can be made through the contact details of your solution provider, as set out in the responsible parties table in section 3 of this notice.

12. Centralised processing

The group aims to create efficiencies in the way it processes information across the group. Your personal information may therefore be processed through centralised group functions and systems, which includes the housing of your personal information in a centralised group data warehouse.

This centralised processing is structured to ensure efficient processing that benefits both you and the group. Such benefits include, but are not limited to:

  • improved information management, integrity and information security;
  • the leveraging of centralised crime and fraud prevention tools;
  • better knowledge of a customer’s financial service needs so that appropriate solutions can be advertised and marketed to the customer;
  • a reduction in information management costs; and
  • streamlined transfers of personal information for customers with solutions across different businesses or companies within the group.

Details of further interests which are promoted by the centralised processing can be found in section 10.3.

Should a customer wish to exercise their privacy rights in terms of personal information provided to a company in the group or enquire about the centralised processing procedure, enquiries can be made through the contact details of the customer’s solution provider, as set out in the responsible parties table of this notice.

13. How does the group use customers' personal information for rewards?

The group collects personal information about customers from its partners, suppliers, customer loyalty rewards programmes’ retail, online and strategic partners (rewards partners) and service providers with which the group interacts for the purposes of its eBucks rewards programme.

The group will process customers’ personal information for the following reasons:

  • to determine customer qualification for participation in the eBucks rewards programme, rewards points, rewards level and eBucks earn;
  • to inform the group’s reward partners about customers’ purchasing behaviour and to monitor customer buying behaviour with the group’s rewards partners to allocate the correct earn;
  • to provide rewards and solutions tailored to customer requirements and to treat customers in a more personal way;
  • to fulfil customers’ travel arrangements (flights, hotels and car hire) bookings with the groups’ service providers and deliver the solutions they have asked for;
  • to fulfil customers’ eBucks Shop purchases and instruct the group’s service providers to deliver the solutions the customer has asked for;
  • to market the group’s rewards and the group’s rewards partners’ solutions to customers;
  • to improve the group’s websites, applications, solutions and rewards offerings;
  • to respond to customer enquiries and complaints;
  • to comply with legislative, regulatory, risk and compliance requirements (including directives, sanctions and rules);
  • to comply with voluntary and involuntary codes of conduct and industry agreements;
  • to fulfil reporting requirements and information requests;
  • to conduct market and behavioural research, including scoring and analysis to determine if a customer qualifies for rewards and solutions;
  • to develop, test and improve rewards and solutions for customers;
  • for statistical purposes, such as market segmentation;
  • to communicate with customers and carry out their instructions and requests;
  • for customer satisfaction surveys, promotional and other competitions; or
  • for any other related purposes.

14. How the group uses customers' personal information for marketing?

  • The group will use customers’ personal information to market financial, insurance, investments and other related banking and financial solutions to them (e.g. bank accounts, insurance policies and credit).
  • The bank may also market non-banking or non-financial solutions to customers (e.g. cell phone contracts and travel offers).
  • The group will do this in person, by post, telephone, or electronic channels such as SMS, email and fax.
  • If a person is not a group customer, or in any other instances where the law requires, the group will only market to them by electronic communications with their consent.
  • In all cases, a person can request the group to stop sending marketing communications to them at any time.

15. When will the group use customers' personal information to make automated decisions about them?

An automated decision is made when a customer’s personal information is analysed without human intervention in that decision-making process.

The group may use a customer’s personal information to make an automated decision as allowed by the law. An example of automated decision making is the approval or declining of a credit application when a customer applies for an overdraft or credit card, or the approval or declining of an insurance claim.

Customers have the right to query any such decisions made, and the group will provide reasons for the decisions as far as reasonably possible.

16. When, how, and with whom does the group share customers' personal information?

In general, the group will only share customers’ personal information if any one or more of the following apply:

  • if the customer has consented to this;
  • if it is necessary to conclude or perform under a contract we have with the customer;
  • if the law requires it; or
  • if it is necessary to protect or pursue the customer’s, the group’s or a third party’s legitimate interest.

Where required, each member of the group may share a customer’s personal information with the following persons, which may include parties that the group engages with as independent responsible parties, joint responsible parties or operators. These persons have an obligation to keep customers’ personal information secure and confidential:

  • members of the group, any connected companies, subsidiary companies, associates, cessionaries, delegates, assignees, affiliates or successors in title and/or appointed third parties (such as its authorised agents, partners, contractors and suppliers) for any of the purposes identified in this notice;
  • the group’s employees, as required by their employment conditions;
  • the customer’s spouse, dependants, partners, employer, joint applicant or account holder and other similar sources;
  • people the customer has authorised to obtain their personal information, such as a person that makes a travel booking on the customer’s behalf, or a medical practitioner for insurance purposes;
  • attorneys, tracing agents, debt collectors and other persons that assist with the enforcement of agreements;
  • payment processing services providers, merchants, banks and other persons that assist with the processing of customer payment instructions, such as card scheme providers (including VISA or MasterCard);
  • insurers, brokers, other financial institutions or other organisations that assist with insurance and assurance underwriting, the providing of insurance and assurance policies and products, the assessment of insurance and assurance claims, and other related purposes;
  • law enforcement and fraud prevention agencies, and other persons tasked with the prevention and prosecution of crime;
  • regulatory authorities, industry ombudsmen, government departments, and local and international tax authorities and other persons the law requires the group to share customer personal information with;
  • credit bureaux;
  • financial services exchanges;
  • qualification information providers;
  • trustees, executors or curators appointed by a court of law;
  • cheque verification service providers;
  • our service providers, agents and subcontractors, such as couriers and other persons the group uses to offer and provide solutions to customers;
  • persons to whom the group have ceded its rights or delegated its obligations to under agreements, such as where a business is sold;
  • courts of law or tribunals that require the personal information to adjudicate referrals, actions or applications;
  • the general public, where customers submit content to group social media sites such as a group business’s Facebook page;
  • participating partners in the group’s customer reward programmes, where customers purchase goods, products and service or spend loyalty rewards; or
  • the group’s joint venture partners with which it has concluded business agreements.

17. When and how the group obtains and shares customers' personal information from/with credit bureaux?

The group may obtain customers’ personal information from credit bureaux for any one or more of the following reasons:

  • if the customer requested the group to do so, or agreed that it may do so;
  • to verify a customer’s identity;
  • to obtain or verify a customer’s employment details;
  • to obtain and verify a customer’s marital status;
  • to obtain, verify, or update a customer’s contact or address details;
  • to obtain a credit report about a customer, which includes their credit history and credit score, when the customer applies for a credit agreement to prevent reckless lending or over-indebtedness;
  • to determine a customer’s credit risk;
  • for debt recovery;
  • to trace a customer’s whereabouts;
  • to update a customer’s contact details;
  • to conduct research, statistical analysis or system testing;
  • to determine the source(s) of a customer’s income;
  • to build credit scorecards which are used to evaluate credit applications;
  • to set the limit for the supply of an insurance policy;
  • to assess the application for insurance cover;
  • to obtain a customer’s contact details to enable the distribution of unclaimed benefits under an insurance policy; or
  • to determine which solutions to promote or to offer to a customer.

The group will share a customer’s personal information with the credit bureaux for, among others, any one or more of the following reasons:

  • to report the application for a credit agreement;
  • to report the opening of a credit agreement;
  • to report the termination of a credit agreement;
  • to report payment behaviour on a credit agreement; /or
  • to report non-compliance with a credit agreement, such as not paying in full or on time.

Customers should refer to their specific credit agreement with the group for further information.

Below are the contact details of the credit bureaux that the group interacts with:

TransUnion 0861 482 482
Consumer Profile Bureau (Pty) Ltd 010 590 9505
Experian Information Solutions Inc. 0861 10 56 65
Xpert Decision Systems (XDS) 0860 937 000
Compuscan 0861 51 41 31
VeriCred Credit Bureau 081 680 1080

18. Under what circumstances will the group transfer customers' personal information to other countries?

The group will only transfer a customer’s personal information to third parties in another country in any one or more of the following circumstances:

  • where a customer’s personal information will be adequately protected under the other country’s laws or an agreement with the third-party recipient;
  • where the transfer is necessary to enter into, or perform, under a contract with the customer or a contract with a third party that is in the customer’s interest;
  • where the customer has consented to the transfer; and/or
  • where it is not reasonably practical to obtain the customer’s consent, but the transfer is in the customer’s interest.

This transfer will happen within the requirements and safeguards of applicable laws or privacy rules that bind the group.

Where possible, the party processing a customer’s personal information in another country will agree to apply the same level of protection as available by law in the customer’s country, or if the other country’s laws provide better protection, the other country’s laws would be agreed to and applied.

An example of the group transferring a customer’s personal information to another country would be when a customer makes payments if they purchase goods or services in a foreign country.

TAKE NOTE: As the group operates in several countries, customers’ personal information may be shared with group companies in other countries and processed in those countries under the privacy rules that bind the group.

19. Customers' duties and rights regarding the personal information the group has about them

Customers must provide the group with proof of identity when enforcing the rights below.

Customers must inform the group when their personal information changes, as soon as possible after the change.

Customers warrant that when they provide the group with personal information of their spouse, dependants or any other person, they have permission from them to share their personal information with the group. The group will process the personal information of the customer’s spouse, dependent or any other person which the customer has shared with us as stated in this notice.

19.1 Right to access

Customers have the right to request access to the personal information the group has about them by contacting
the group. This includes requesting:

  • confirmation that the group holds the customer’s personal information;
  • a copy or description of the record containing the customer’s personal information; and
  • the identity or categories of third parties who have had access to the customer’s personal information.

The group will attend to requests for access to personal information within a reasonable time. Customers may be required to pay a reasonable fee to receive copies or descriptions of records, or information about, third parties. The group will inform customers of the fee before attending to their request.

Customers should note that the law may limit their right to access information.

Please refer to the group’s information manual prepared in accordance with Section 51 of the Promotion of Access to Information Act, No. 2 of 2000 (information manual) for further information on how customers can give effect to this right. The information manual is available on the group’s website at:
https://www.firstrand.co.za/investors/governance-and-compliance/

In certain instances, customers can give effect to this right by making use of the group’s unassisted interfaces, e.g. using a group app or website to access the personal information the group holds about them.

19.2 Right to correction, deletion or destruction

Customers have the right to request the group to correct, delete or destroy the personal information it has about them if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully, or if the group are no longer authorised to keep it. Customers must inform the group of their request in the prescribed form. Prescribed form 2 has been included as an annexure to this notice.

The group will take reasonable steps to determine if the personal information is correct and make any correctionneeded. It may take a reasonable time for the change to reflect on the group’s platform/systems. The group may request documents from the customer to verify the change in personal information.

A specific agreement that a customer has entered into with the group may determine how the customer must change their personal information provided at the time when they entered into the specific agreement. Customers must adhere to these requirements.

If the law requires the group to keep the personal information, it will not be deleted or destroyed upon the customer’s request. The deletion or destruction of certain personal information may lead to the termination of a customer’s business relationship with the group.

In certain instances, a customer can give effect to this right by making use of the groups’ unassisted interfaces, e.g. using a group app or website to correct their contact details.

19.3 Right to objection

Customers may object on reasonable grounds to the processing of their personal information where the processing is in their legitimate interest, the group’s legitimate interest or in the legitimate interest of another party.

Customers must inform the group of their objection in the prescribed form. Prescribed form 1 is included as an annexure to this notice.

The group will not be able to give effect to the customer’s objection if the processing of their personal information was and is permitted by law, the customer has provided consent to the processing and the group’s processing was conducted in line with their consent; or the processing is necessary to conclude or perform under a contract with the customer.

The group will also not be able to give effect to a customer’s objection if the objection is not based upon reasonable grounds and substantiated with appropriate evidence.

The group will provide customers with feedback regarding their objections.

19.4 Right to withdraw consent

Where a customer has provided their consent for the processing of their personal information, the customer may withdraw their consent. If they withdraw their consent, the group will explain the consequences to the customer. If a customer withdraws their consent, the group may not be able to provide certain solutions to the customer. The group will inform the customer if this is the case. The group may proceed to process customers’ personal information, even if they have withdrawn their consent, if the law permits or requires it. It may a reasonable time for the change to reflect on the groups’ systems. During this time, the group may still process the customer’s personal information.

Customers can give effect to this right by making use of the group’s unassisted service channels, e.g. using a group app or website, or through an assisted interaction to update their consent preferences.

19.5 Right to complain

Customers have a right to file a complaint with the group or any regulator with jurisdiction (in South Africa customers can contact the Information Regulator) about an alleged contravention of the protection of their personal information. The group will address customer complaints as far as possible.

The contact details of the Information Regulator are provided below.

Mr Marks Thibela
Chief Executive Officer
Information Regulator (South Africa)

33 Hoofd Street
Forum III, 3rd Floor
Braampark

P.O Box 31533
Braamfontein
Johannesburg
2017

Tel no. +27 (0)10 023 5200
Cell no. +27 (0)82 746 4173
Website: https://justice.gov.za/inforeg/
Complaints email: complaints.IR@justice.gov.za
General enquiries email: inforeg@justice.gov.za

20. How the group secures customers' personal information

The group will take appropriate and reasonable technical and organisational steps to protect customers’ personal information in line with industry best practices. The group’s security measures, including physical, technological and procedural safeguards, will be appropriate and reasonable. This includes the following:

  • keeping group systems secure (such as monitoring access and usage);
  • storing group records securely;
  • controlling the access to group premises, systems and/or records; and
  • safely destroying or deleting records.

Customers can also protect their own personal information and can obtain more information in this regard by visiting the website of the relevant group business that they have established a business relationship with.

21. How long does the group keep customers' personal information?

  • The group will keep customers’ personal information for as long as:
    the law requires the group to keep it;
  • a contract between the customer and the group requires FirstRand to keep it;
  • the customer has consented to the group keeping it;
  • the group is required to keep it to achieve the purposes listed in this notice;
  • the group requires it for statistical or research purposes;
  • a code of conduct requires the group to keep it; and/or
  • the group requires it for lawful business purposes.

TAKE NOTE: The group may keep customers’ personal information even if they no longer have a relationship with the group or if they request the group to delete or destroy it, if the law permits or requires.

22. Cookies

A cookie is a small piece of data that is sent (usually in the form of a text file) from a website to the user’s device, such as a computer, smartphone or tablet. The purpose of a cookie is to provide a reliable mechanism to “remember” user behaviour (keeping track of previous actions), e.g. remembering the contents of an online shopping cart, and actions the user performed whilst browsing when not signed up or logged into their online account.

The group does not necessarily know the identity of the user of the device but does see the behaviour recorded on the device. Multiple users of the same device would not necessarily be distinguishable from one another. Cookies could, however, be used to identify the device and, if the device is linked to a specific user, the user would also be identifiable. For example, a device registered to an app (FNB, WesBank, RMB, etc.).

By using group websites or applications, customers agree that cookies may be forwarded from the relevant website or application to their computer or device. The cookie will enable the group to know that a customer has visited a website or application before and will identify the customer. The group may also use the cookie to prevent fraud.

Please refer to the FirstRand group cookie notice for further information. The group’s cookie notice is available on all group websites.

23. How the group processes personal information about persons related to a juristic person

If a customer is a juristic person, such as a company or close corporation, the group may collect and use personal information relating to the juristic person’s directors, officers, employees, beneficial owners, partners, shareholders, members, authorised signatories, representatives, agents, payers, payees, customers, guarantors, spouses of guarantors, sureties, spouses of sureties, other security providers and other persons related to the juristic person. These are related persons.

If customers provide the personal information of a related person to the group, they warrant that the related person is aware that they are sharing their personal information with the group, and that the related person has consented thereto.

The group will process the personal information of related persons as stated in this notice, thus references to “customer/s” in this notice will include related persons with the necessary amendments.

24. Personal information the group may share with other banks or request from other banks

  • Another bank may ask the group, at the request of that bank’s customer or for the bank itself, to provide personal information about a customer’s financial position. This is done by issuing what is known as a banker’s reference and code. These banker’s references and codes are usually requested when a customer wishes to establish a relationship with the other bank or when a customer is applying for a trade account with another bank’s customer or if a customer is responding to a government tender.
  • This relates to personal information about the customer’s financial position, which is based on how the customer managed their transactional account with the group. The personal information is provided in the form of a banker’s reference and code. The banker’s references and codes will only be provided with a customer’s express, implied, or tacit consent.
  • Credit bureaux may also obtain, retain and disclose this personal information.

RMB is a leading African Corporate and Investment Bank.

Contacts
Share
Required
Required
Required
Required
Optional

Featured