Privacy policy
Introduction
Words used with respect to the pop Application in the present Privacy Notice shall have, except where not appropriate in the context, the meanings as described in the pop Terms and Conditions.
This notice applies where we are acting as a data controller with respect to the personal data of our Customers and Merchants. As data controller, we determine the purposes and means of the processing of that personal data.
We are committed to safeguarding the privacy of our Customers and Merchants. As a result, we would like to inform you regarding the way we would use your personal data, pursuant to the Data Protection Act 2017 (hereafter the “DPA”) and where applicable, the European Union General Data Protection Regulation 2016/679 (hereafter the “GDPR”) (the DPA and the GDPR being hereafter referred to as the “applicable data protection laws”).
Our Privacy Notice sets out the types of personal data we collect, how we collect and process that data, who we may share this information with and the rights you have in this respect.
Who we are
pop is the registered trademark in the name of Bank One Limited which will be used to identify the pop Application and pop Merchants.
Bank One is a top-tier banking institution incorporated in 2008 following a joint venture between Mauritian conglomerate CIEL Finance Ltd and Kenya-based I&M Holdings PLC. Leveraging on a team of talented professionals across its four main business segments namely Retail, Corporate, Private and International Banking, Bank One has strengthened its presence both locally and regionally whilst mastering the complexities of the different geographies and markets where it is present. For more information, please refer to the About Us section on our website at: https://bankone.mu/en/about-us/.
We are registered in Mauritius under registration number C40612.
Our principal place of business is at 16, Sir William Newton Street, Port Louis, Mauritius.
Technical terms
We have tried to use simple and plain English as far as possible in this Privacy Notice. However, data protection is a complex subject and the use of technical terms from time to time is inevitable. We have therefore set out below definitions of the technical terms we have used in this document:
“Consent” means any freely given, specific, informed and unambiguous indication of the wishes of a data subject, either by a statement or a clear affirmative action, by which he signifies his agreement to personal data relating to him being processed.
“Controller” means a person who or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision making power with respect to the processing.
“Data subject” means an identified or identifiable individual, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. For the purpose of this Policy data subjects include all living individuals about whom we hold personal data. A data subject need not be a Mauritian national or resident in Mauritius.
“Direct marketing” means the communication of any advertising or marketing material which is directed to any particular individual.
“Personal data” means any information relating to a data subject and more specifically: (i) data relating to a living individual who can be identified from that data, or (ii) data or other information about a living individual whose identity is apparent or can reasonably be ascertained from the data. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
“Processor” means any person who or public body which, processes personal data on behalf of the Company.
“Processing” means an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Special categories of personal data”, in relation to a data subject, means personal data pertaining to: (a) his racial or ethnic origin; (b) his political opinion or adherence; (c) his religious or philosophical beliefs; (d) his membership of a trade union; (e) his physical or mental health or condition; (f) his sexual orientation, practices or preferences; (g) his genetic data or biometric data uniquely identifying him; (h) the commission or alleged commission of an offence by him; (i) any proceedings for an offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any Court in the proceedings.
Personal data we may collect about you
The type of data we collect will depend on the purpose for which it is collected and used. We will only collect data that we need for that purpose.
The types of personal data that are collected and processed may include:
Categories of Personal Data | Details |
---|---|
Contact details | First name, surname (and any previous names), home/business address, proof of address, email address, office phone number, cell phone number |
Individual details | Sex (male/female), nationality, photographs |
Employment details | Occupation and income, job title, company, occupational permit, business registration card and trade license, permit, or exemption certificate |
National identification details | Identification numbers issued by government bodies or agencies such as your passport number, identity card number and driving license number; specimen signature |
Financial information | Bank name, bank account number, transactional information on your accounts/dealings including income/pay details on pop Application or pop Merchants |
IT information | Information required to provide access to and for making use of pop Application or pop Merchants, such as login information (username, user ID and password); information stored on our email server; demographic information such as preferences and interests |
Physical security information | Information recorded in our visitors’ logbook (reason for visit, organisation name, identification measures used, date and time of visit – for COVID-19 protocols), CCTV footage |
Voice information | Recorded telephone conversations with Bank One’s staff |
Special categories of personal data/Data on vulnerable persons | Biometric data in the form of photographs and voice recordings |
Other | Information about requests, queries and complaints |
Cookies
We use cookies on the pop Website. Insofar as those cookies are not strictly necessary for the provision of our website and services, we will ask you to consent to our use of cookies when you visit our website. Please refer to our Cookie Policy, available at the pop Website which covers in detail the aspects of cookie usage and the purposes for which we use cookies.
How we use your personal data
From time to time, we, or another entity with whom we have shared your personal data with your consent, may process your data on an automated basis with the aim of evaluating certain characteristics of yours (profiling) if you have provided your consent for such processing. Profiling is used to provide you with tailored information regarding the products and services offered by us. To this end, data analysis using third parties may be undertaken. This enables us to target appropriate communications and advertisements at you, including recommending products and services that we think might be suitable for you.
We have set out below the legal basis of processing for each purpose. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your personal data.
Purpose of processing | Legal basis |
---|---|
For the purposes of contacting you through various channels such as email, phone, post, SMS or any other electronic means as appropriate for commercial events, offers and/or services or other marketing products which may be of interest to you | Consent |
For the purposes of subscribing to our email notifications or newsletters and offering you the opportunity to take part in competitions or promotions | Consent |
For the purposes of entering into an agreement with you regarding provision of products/services and to administer and manage our relationship with you, and processing your personal information for ordinary business purposes, namely: to open and maintain your account; to give effect to transactions; to administer claims where applicable; for the purpose of credit assessment, including conducting credit checks and setting credit limits, and to manage our risks | Performance of any contractual obligations towards you |
For the purposes of assessing the risk in providing a product or service and performing customer due diligence | Compliance with a legal or regulatory obligation to which we are subject, for instance under the relevant AML/CFT regulations and guidelines |
For the purposes of record keeping | Compliance with a legal or regulatory obligation to which we are subject, such as internal/external audit and proper maintenance of records relating to your transactions and retention periods, as per the relevant AML/CFT regulations and guidelines |
For the purposes of analysing the effectiveness of our services using your feedback | Legitimate interests, namely improving our services |
For the purposes of ensuring the security of our information systems and maintaining back-ups of our databases | Compliance with a legal obligation |
For the purposes of managing our relationships with customers, communicating with customers and keeping records of those communications | Performance of any contractual obligations towards you |
For the purposes of confirming and verifying your identity when you request to access, rectify, restrict or delete the information we hold on you | Compliance with a legal obligation to which we are subject, that is, to verify the identity of a data subject who makes a subject rights request |
For the purposes of replying to any requests, complaints, comments or enquiries you submit to us regarding our services and notifying you about changes to our service | Performance of any contractual obligations towards you |
Processing CCTV footage captured on our premises for the purpose of protecting your personal safety when you are on our premises | Legitimate interests of ensuring physical security on our premises |
For the purposes of conducting market or customer satisfaction research, for statistical analysis, or for analysing the effectiveness of our advertisements and promotions | Legitimate interests, namely the proper administration of our business |
To record phone calls between customers and the bank for effective documentation of the business transaction | Consent |
In addition to the above-mentioned specific purposes for which we may process your personal data, we may also process any of your personal data where such processing is necessary for compliance with legal and regulatory requirements which apply to us, or when it is otherwise allowed by law, or when it is in connection with legal proceedings.
Whether the supply of personal data is voluntary or mandatory
The provision of personal data is of course entirely voluntary. You are free to choose whether to provide your personal data to us or not. Please note however that if you choose not to provide your personal data to us, we may not be able to provide certain services to you or enter into a contractual relationship with you.
Disclosure of personal data
We may need to share your personal data with third parties which assist us in fulfilling our responsibilities regarding our business relationship with you and for the purposes listed above. Bank One may disclose your personal data to the following third parties:
a) We may make certain personal data available to third party service providers and agents who provide services to us (such as marketing tool providers, payment software providers, credit reference agencies, loyalty programme partners). When we share with these third parties, we do so on a need-to-know basis and under clear contractual terms and instructions for the processing of your personal data.
b) We may also be required to disclose your personal data to other third parties such as lawyers, consultants, insurers, auditors as well as public and government authorities for purposes mentioned in Section 6 or where:
- We have a duty or a right to disclose in terms of law or for national security and/or law enforcement purposes;
- We believe it is necessary to protect our rights;
- We need to protect the rights, property or personal safety of any member of the public or a customer of our company or the interests of our company; or
- You have given your consent.
c) We may, from time to time, disclose your personal information, with your consent, to other companies with which we have partnered and after putting in place the necessary sharing agreements. The objective of this disclosure is to better identify your needs and provide tailor-made packages and services to you.
We require our service providers and other third parties to keep your personal data confidential and that they only use the personal data in furtherance of the specific purpose for which it was disclosed. We have written agreements in place with our processors to ensure that they comply with these privacy terms.
Personal data security
We have put in place procedures to deal with any suspected data security breach and will notify you and the Data Protection Office of a suspected breach where we are legally required to do so.
We will, on an on-going basis, continue to review our security controls and related processes to ensure that your personal data is secure.
Our security policies and procedures cover, amongst others:
- Access to personal data
- Encryption
- Password
- Media Handling
- Security Compliance
- Network Control
- Firewall
- Backup of data
- Incident management
- Risk Assessment
- Use and misuse of IT assets
- Physical security
- Antivirus
- Audit Trail Logs
- Outsourced Software Development
- Third Party and Contract Management
When we contract with third parties, we impose appropriate security, privacy and confidentiality obligations on them to ensure that personal data that we remain responsible for is kept secure.
We will ensure that anyone to whom we pass your personal data agrees to treat your data with the same level of protection as we are obliged to.
International transfers
We may transfer personal data outside Mauritius as may be necessary for the purposes mentioned above. If we transfer your personal data to other countries, we will ensure that there are appropriate safeguards in place with regards to the protection of your personal data.
Those transfers would always be made in compliance with the applicable data protection laws. Data transfers do not change any of our commitments to safeguard your privacy and your personal data remains subject to existing confidentiality obligations.
If you would like further details on the transfer of your personal data outside Mauritius, please contact our Data Protection Officer (hereafter “DPO”) by referring to Section 10.
Your data protection rights
Under the applicable data protection laws, you have rights we need to make you aware of and which are set out below. The rights available to you depend on our reason for processing your information. If you wish to exercise any of the said rights, we encourage you to contact our Data Protection Officer.
Your right to erasure of your personal data
You have the right to ask us to delete your personal data in certain circumstances:
- When we no longer need your personal data;
- If you initially consented to the use of your personal data, but have now withdrawn your consent;
- If you have objected to us using your personal data, and your interests outweigh ours; and
- If we have collected or used your personal data unlawfully.
Where we collect personal data for a specific purpose, we will not keep it for longer than is necessary to fulfil that purpose, unless we have to keep it for legitimate business or legal reasons. Upon the determined expiry date, we will securely destroy your personal data. Retention periods are indicated in Annex A’s Records Retention and Disposal Schedule. When we delete data from our servers, no residual copies remain on our servers. Data on our backup tapes is also deleted at the next scheduled backup overwrite, which may be on a weekly, monthly or yearly basis in accordance with its configuration.
You will understand that this right is not absolute and that it will not be applicable where the exceptions provided for by law apply, including where our processing of your personal data is necessary for the purpose of historical, statistical or scientific research, for compliance with a legal obligation, or for the establishment, exercise or defence of a legal claim.
Your right of access to your personal data
You have the right to request a copy of the personal data we hold about you. In order to do so, simply contact our Data Protection Officer and specify in writing what data you would like to have access to. We will take all reasonable steps to confirm your identity before providing details of your personal data.
You will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
Your right to restriction of processing
You have the right to ask us to limit how we use your data. If necessary, you may also stop us from deleting your data. To exercise your right to restriction, simply contact our Data Protection Officer, say what data you want restricted and state your reasons. You may request us to restrict processing of your personal data in the following circumstances:
- If you have contested the accuracy of your personal data, for a period to enable us to verify the accuracy of the data;
- If you have made an objection to the use of your personal data;
- If we have processed your personal data unlawfully but you do not want it deleted;
- If we no longer need your personal data but you want us to keep it in order to create, exercise or defend legal claims.
Your right to object to processing
You have the right to object in writing at any time to the processing of personal data concerning you unless we demonstrate competing legitimate grounds for the processing which override the data subject’s interests, rights and freedoms or for the establishment, exercise or defence of a legal claim.
We currently process personal data for direct marketing. Where you object to the processing of your personal data for the purposes of direct marketing, your personal data shall no longer be processed for that purpose.
Your right to data portability
The right to data portability allows you to ask for transfer of your personal data from one organisation to another, or to you. The right only applies if we are processing information based on your consent or performance of a contract with you, and the processing is automated. You can exercise this right with respect to information you have given us by contacting our DPO (refer to Section 10). We will ensure that your data is provided in a way that is accessible and machine-readable.
Your right to withdraw consent
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
Changes to this privacy notice
We keep our privacy notice under regular review. We reserve the right to change our privacy notice at any time; we therefore encourage you to periodically review this notice to be informed of how we are using and protecting your personal data. We will notify you of significant changes by email or through automatic pop-ups on our website and applications. This version was last updated on [INSERT DATE].
Contact details
The primary point of contact for questions relating to this privacy notice, including any requests to exercise your legal rights, is our Data Protection Officer, who can be contacted by email at DPO@bankone.mu or at the following physical address or telephone number:
BANK ONE
16, Sir William Newton Street
Port Louis, Mauritius
Tel: 230 202 9200 / 202 9191
If you believe we have not handled your request in an appropriate manner, you have the right to file a complaint with the Data Protection Commissioner in Mauritius, whose contact details are as follows:
Data Protection Office
5th Floor, SICOM Tower, Wall Street, Ebene
Email address: dpo@govmu.org
Phone number: +230 460 0253
Fax: +230 489 7346
The procedure to file a complaint with the Data Protection Commissioner is available on https://dataprotection.govmu.org/Pages/Home%20-%20Pages/Take%20Action/To-report-your-Complaint.aspx.
Annex A: Records retention and disposal schedule
As a general rule, the maximum retention period is 7 years.
The table below sets specific retention requirements:
Categories of Personal Data | Purpose of processing | Retention period |
---|---|---|
Contact details, Individual details, National identification details | Account Opening and Maintenance | 7 years |
Contact details, Individual details, National identification details | Data Subject Access Requests | 2 years after the Data Subject Access Request has been closed |
Contact details, Individual details, National identification details | Customer Surveys | 7 years |
Contact details, Individual details, National identification details | Audit Reports | 7 years |
Contact details, Individual details, National identification details | Performance of Banking Agreements | 7 years |
Contact details, Individual details, National identification details | Handling Customer Complaints / Feedback | 7 years |
Contact details, Individual details, National identification details | Direct Marketing (via Email and SMS) | 7 years |
Contact details, Individual details, National identification details | Social Media Contests / Promotions | 7 years |
Contact details, Individual details, National identification details | Email / Newsletter subscription | 7 years |
IT information | Internet Banking user registration | 7 years |
IT information | Monitoring Website Usage and Activity | Refer to our Cookie Policy for the full list of retention periods of all of our cookies |
Financial information, Credit risk and Anti-Fraud Details | Performance of Banking Agreements | 7 years |
Financial information, Credit risk and Anti-Fraud Details | Account Opening and Maintenance | 7 years |
Financial information, Credit risk and Anti-Fraud Details | Credit Assessment | 7 years |
Financial information, Credit risk and Anti-Fraud Details | Customer Due Diligence / AML CFT Purposes | 7 years |
Physical security information | Security / Identifying disciplinary infringement / Investigation, detection and prevention of crime | 90 days |
Voice information | Performance of Banking Agreements | 7 years |
Voice information | Handling Customer Complaints / Feedback | 7 years |
Special Categories of Personal Data / Data on vulnerable persons | Account Opening and Maintenance | 7 years |
Special Categories of Personal Data / Data on vulnerable persons | Performance of Banking Agreements | 7 years |
Last updated: July 21, 2021