Privacy Notice

In this privacy notice, ‘we’, ‘us’, ‘our’, ‘ourselves’ and ‘The Bank’ mean:

CRDB Bank PLC, a fully-fledged commercial Bank established in 1996. The Bank was listed on the Dar es Salaam Stock Exchange (DSE) in June 2009. The Bank currently operates four subsidiaries: CRDB Bank Burundi (S.A), CRDB Bank Congo S.A, CRDB Insurance Brokers Limited and CRDB Foundation.

The Bank is committed to protecting your privacy and ensuring the highest level of security for your personal information. This Privacy Notice explains the types of personal information we collect, how we use that information, who we share it with, and how we protect that information. It also provides information about your rights.

Please read the following carefully to understand our views and practices regarding your personal information.


  1. Who are we?

Depending on which of our products and services you ask us about, buy or use, different subsidiaries within our organization will process your information. Generally, the Bank is dedicated to creating products and services that have clients’ needs in mind first. This ensures that our clients have peace of mind, stability, and confidence as we support them with tailor-made, excellent solutions so they can perform at their peak.


  2. Scope of this Privacy Notice

This Privacy Notice applies to any individual located within or outside the United Republic of Tanzania who enquires about, purchases or makes use of our products and services provided by the Bank.


  3. Ways in which we obtain personal information

We may collect information about you from the following sources:

a). Information we receive from you

We obtain personal information about you through your interactions with us generally, including by telephone calls (which may be recorded, and you will be made aware of the recording before it happens), by email, via our websites, via applications (SimBanking) or other forms, or face to face (e.g., in meetings). We collect personal information (such as your name, contact details, financial details, employment and education details, nationality, date and place of birth, marital status, passport or other identification details and details of visits to our premises) that you provide to us when you:

i). enquire about our products and services;

ii). submit applications to open an account, and

iii). subsequently correspond with us.

b). Information we collect about you

We collect information about you by monitoring your access to our premises (e.g., CCTV). We also collect information about how you interact with our website, including IP addresses or other device information (you’ll find more information about this in our Cookie Statement).

c). Information we receive from third parties

We receive information about you from third parties (e.g., credit reference agencies).


  4. How do we use your personal information?

We process your personal information for the purposes set out in this notice. Different legal grounds apply depending on what category of personal information we process. Standard personal information is normally processed by us on the basis that it is necessary for the performance of a contract, our or a third party’s legitimate interests, or law. Further information about this and special category processing grounds is set out below.

| We process the following information: | For the following purpose(s): | Based on the following justification: |
| --- | --- | --- |
| Name, ID Number, Nationality, Passport Information, Tax Details, Date of Birth, Place of Birth, Residential Address, Business Address, Occupation, Signature, Employment History, Education Background, Financial Details, Criminal Records | To facilitate our account opening process, our customer due diligence process and our vendor due diligence process, as well as to prevent fraud and abuse of our services. | Necessary to perform our contract, to comply with our regulatory requirements and more generally in order to pursue our legitimate interest (see below) of managing our administrative and business operations and complying with internal policies and procedures. |
| Financial and Transactional (e.g. details about your accounts with us and payments to and from your accounts with us) | To enable us to process your transactions. To fulfil our Regulatory Reporting processes and facilitate fraud case handling and reporting (where required). | Necessary to perform our contract and to comply with our regulatory requirements and more generally in order to pursue our legitimate interests (see below). |
| Telephone Calls | Monitoring of regulated activities, training and development | To comply with our regulatory requirements and to pursue our legitimate interest (see below) to enhance the quality of our service. |
| Particulars of any complaints | To facilitate complaints handling and reporting | To comply with our regulatory requirements |



  5. Legitimate interests

Legitimate interest is one of the legal reasons why we may process your personal information. We process your personal information for a number of legitimate interests, including managing all aspects of our relationship with you, for marketing, to help us improve our services and products, and in order to exercise our rights or handle claims. Taking into account your interests, rights and freedoms, legitimate interests which allow us to process your personal information include:

a). To manage our relationship with you, our business and third parties who provide products or services for us;

b). To make sure that complaints or queries are handled efficiently and to enhance our products and services;

c). To keep our records up to date and to provide you with marketing as allowed by law;

d). To develop and carry out marketing activities and to show you information that is of interest to you, based on our understanding of your preferences;

e). To monitor how well we are meeting our performance expectations in the delivery of our services (e.g., call recording);

f). To pursue our legitimate interest in managing the safety and security of our premises and services for the prevention, detection and prosecution of crime, security, health and safety (e.g., CCTV video images);

g). To enforce or apply our website terms of use, our policy terms and conditions or other contracts, or to protect our (or our customers’ or other people’s) rights, property or safety;

h). To exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with; and

i). To take part in, or be the subject of, any sale, purchase, merger or takeover of all or part of our business.


  6. Do we use your personal information for direct marketing?

With your permission, we may send you carefully selected information about our products and services. You have the right to opt out of receiving direct marketing at any time by contacting us via our call center agent.


  7. With which third parties do we share your personal information?

We share your information for the purposes set out in this privacy policy with the following categories of recipients:

    1. The Bank’s group of companies: We share your personal information among our group of companies, including our branches and subsidiaries, in order to open your account with us, administer our services and products, provide you with customer support, process your payments, understand your preferences, send you information about products and services that may be of interest to you, and conduct the other activities described in this Privacy Notice.
    2. Our service providers: We use other companies, agents or contractors to perform services on our behalf or to assist us with the provision of our services and products to you, including:
      1. Infrastructure and IT service providers, including for email archiving.
      2. Marketing, advertising and communications agencies.
      3. Credit reference agencies.
      4. External auditors and consultants.
       In the course of providing such services, these service providers may have access to your personal information. However, we will only provide our service providers with personal information which is necessary for them to perform their services, and we require them not to use your information for any other purpose. We will use our best efforts to ensure that all our service providers keep your personal information secure.
    3. Third parties permitted by law: In certain circumstances, we may be required to disclose or share your personal information in order to comply with a legal or regulatory obligation (for example, we may be required to disclose personal information to the police, regulators, government agencies, court or any administrative authorities who have been empowered by the law to seek that information).
       We may also disclose your personal information to third parties where disclosure is both legally permissible and necessary to protect or defend our rights, matters of national security, law enforcement, to enforce our contracts or protect your rights or those of the public.
    4. Third parties connected with business transfers: We may transfer your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition or transfer of assets, provided that the receiving party agrees to treat your personal information in a manner consistent with this Privacy Notice.


We will not sell your personal information to third parties.

Please note our website may, from time to time, contain links to and from the websites of our partners or affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we have no control over how they may use your personal information. You should check the privacy policies of third party websites before you submit any personal information to them. More information about these safeguards can be obtained by contacting:

Email: [email protected]


  8. What are your rights?

The personal data protection law in the United Republic of Tanzania provides individuals with the following rights:

a). Right of subject access: The right to make a written request for details of personal information we hold about you and to request a copy of that personal information.

b). Right to rectification: The right to have inaccurate information about you rectified.

c). Right to erasure: The right to have certain personal information about you erased.

d). Right to restriction of processing: The right to request that your personal information is only used for restricted purposes.

e). Right to object: The right to object to the use of personal information (including the right to object to marketing).

f). Right to data portability: The right to ask for personal information you have made available to us to be transferred to you or a third party.

g). Right to withdraw consent: You have the right to withdraw any consent you have given us to handle your personal information. If you withdraw your consent, this will not affect the lawfulness of use of your personal information prior to the withdrawal of your consent.

These rights may not apply in all cases. If we are not able to comply with your request, we will explain why. In response to a request, we will ask you to verify your identity if we need to, and to provide information that helps us to understand your request better. If you would like more information about your rights or to exercise any of your rights, please contact:

Email: [email protected]

You also have the right to lodge a complaint with the personal data protection commission, if you believe that we have not complied with applicable data protection laws.


How do we protect your personal information?

We have implemented technical and organisational controls to safeguard the personal information in our custody and control. Such measures include, for example:

  • Limiting access to personal information only to employees and authorised service providers who need to know such information for the purposes described in this Privacy Notice;
  • Adopting strong security protocols on networks and systems;
  • Using email security settings when sending and/or receiving confidential emails;
  • Applying physical access controls such as marking confidential documents clearly and prominently, restricting access to confidential documents on a need-to-know basis;
  • Using privacy filters;
  • Disposal of confidential documents that are no longer needed, through shredding or similar means;
  • Using a mode of delivery or transmission of personal data that affords the appropriate level of security, confirming the intended recipient of personal data as well as other administrative, technical and physical safeguards.

While we endeavour to protect our systems, sites, operations and information against unauthorised access, use, modification and disclosure, due to the inherent nature of the Internet as an open global communications vehicle and other risk factors, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others, such as hackers.


  9. How long do we keep your personal information?

We will only retain your personal data for as long as necessary for the purpose for which that data was collected and to the extent permitted by applicable laws.


  10. How can you contact us?

If there are any questions or concerns regarding this Privacy Notice, please contact us as follows:

Email: [email protected]


11. Cookie Statement

In order to meet customer expectations and improve the services offered on our website, we employ the use of cookies. By accessing the bank’s website, you agree to the use of cookies in accordance with the CRDB Bank Plc Privacy Policy available on the bank’s website.

Most interactive websites use cookies to let us retrieve the user's details for each visit. Cookies are used by our website to enable the functionality of certain areas to make it easier for people visiting our website. By accepting these terms, you are also consenting to any of our affiliate/advertising partners who may also use cookies.

a) What are cookies?

Cookies are small text files stored in your computing or other electronic devices which allow us to remember you or other data about you. The cookies placed by our server are readable only by us, and cookies cannot access, read or modify any other data on an electronic device. All web-browsers offer the option to refuse any cookie, and if you refuse our cookie then we do not gather any information on that visitor.

b) How are cookies used?

Cookies are used for different purposes. We may employ cookies in order for our server to recognise a return visitor as a unique user including, without limitation, monitoring information relating to how a visitor arrives at the website, what kind of browser a visitor is on, what operating system a visitor is using, a visitor's IP address, and a visitor's click stream information and time stamp (for example, which pages they have viewed, the time the pages were accessed and the time spent per web page).

c) What types of cookies do we use?

We use targeting cookies, which collect information about your browsing habits in order to make advertising relevant to you and your interests.

d) What are your choices?

Should you wish to disable the cookies associated with these technologies, you may do so by changing the setting on your browser.


If you have any questions, suggestions, or comments about this Cookie Statement, send an email to [email protected]

Our data protection Privacy and Cookie Statement may also be amended from time to time, so visit this page regularly to stay up to date.

