IB Privacy Policy

Version 1.0
Issue date 22/09/2022
Date of next review
Responsible officer

1. Introduction

  • This Privacy Notice (hereafter as “Privacy Notice”) applies to the processing of personal data by Bank One Limited (hereafter as “Bank One”; “we”; “us” and “our”), of data subjects who use the Digital platforms (hereafter referred to as “Customers”; “you” or “your”).
  • Words used with respect to the Digital platforms in the present Privacy Notice shall have, except where not appropriate in the context, the meanings as described in the Terms and Conditions.
  • This notice applies where we are acting as a data controller with respect to the personal data of our Customers and Merchants. As data controller, we determine the purposes and means of the processing of that personal data.
  • We are committed to safeguarding the privacy of our Customers and Merchants. As a result, we would like to inform you regarding the way we would use your personal data, pursuant to the Data Protection Act 2017 (hereafter the “DPA”) and where applicable, the European Union General Data Protection Regulation 2016/679 (hereafter the “GDPR”) (the DPA and the GDPR being hereafter referred to as the “applicable data protection laws”).
  • Our Privacy Notice sets out the types of personal data we collect, how we collect and process that data, who we may share this information with and the rights you have in this respect.

 2. Who we are

  • Bank One is a top-tier banking institution incorporated in 2008 following a joint venture between Mauritian conglomerate CIEL Finance Ltd and Kenya-based I&M Holdings PLC. Leveraging on a team of talented professionals across its four main business segments namely Retail, Corporate, Private and International Banking, Bank One has strengthened its presence both locally and regionally whilst mastering the complexities of the different geographies and markets where it is present. For more information, please refer to the About Us section on our website at: https://bankone.mu/en/about-us/.
  • We are registered in Mauritius under registration number C40612.
  • Our principal place of business is at 16, Sir William Newton Street, Port Louis, Mauritius.

3. Technical terms

We have tried to use simple and plain English as far as possible in this Privacy Notice. However, data protection is a complex subject and the use of technical terms from time to time is inevitable. We have therefore set out below definitions of the technical terms we have used in this document:

  • Consent” means any freely given, specific, informed and unambiguous indication of the wishes of a data subject, either by a statement or a clear affirmative action, by which he signifies his agreement to personal data relating to him being processed.
  • Controller” means a person who or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision making power with respect to the processing.
  • Data subject” means an identified or identifiable individual, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. For the purpose of this Policy data subjects include all living individuals about whom we hold personal data. A data subject need not be a Mauritian national or resident in Mauritius.
  • Direct marketing” means the communication of any advertising or marketing material which is directed to any particular individual.
  • Personal data” means any information relating to a data subject and more specifically: (i) data relating to a living individual who can be identified from that data, or (ii) data or other information about a living individual whose identity is apparent or can reasonably be ascertained from the data. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
  • Processor” means any person who or public body which, processes personal data on behalf of the Company.
  • “Processing” means an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • “Special categories of personal data”, in relation to a data subject, means personal data pertaining to: (a) his racial or ethnic origin; (b) his political opinion or adherence; (c) his religious or philosophical beliefs; (d) his membership of a trade union; (e) his physical or mental health or condition; (f) his sexual orientation, practices or preferences; (g) his genetic data or biometric data uniquely identifying him; (h) the commission or alleged commission of an offence by him; (i) any proceedings for an offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any Court in the proceedings.

Download the Records Destruction Form

4. Personal data we may collect about you
  • The type of data we collect will depend on the purpose for which it is collected and used. We will only collect data that we need for that purpose.
  • We may collect your personal data in the following ways:
  1. When you give it to us directly for e.g. you use any of our services, you correspond with us and provide us with your information, when you visit our digital platforms
  2.  During your meetings and telephone conversations with our staff or when you visit our premises.
  3. When we obtain it indirectly for e.g., information is shared with us by third parties (such as your credit reference agencies and law enforcement authorities). In such a case, the third party must confirm that you have consented to the disclosure of your personal data to us.
  • The types of personal data that are collected and processed may include:
Categories of Personal Data Details
Contact details First name, surname (and any previous names), home/ business address, proof of address, email address, office phone number, cell phone number
Individual details Sex (male/female), nationality, photographs
Employment details Occupation and income, job title, company, occupational permit, business registration card and trade license, permit, or exemption certificate
National identification details Identification numbers issued by government bodies or agencies such as your passport number and identity card number and driving license number, specimen signature
Financial information Bank name, bank account number, transactional information on your accounts/dealings including income/ pay details on the digital platforms
IT information Information required to provide access to and for making use of digital platform, such as login information (username, user ID and password)
Information stored on our email server, demographic information such as preferences and interests.
Physical security information Information recorded in our visitors’ logbook (reason for visit, organisation name, identification measures used, date and time of visit – for COVID-19 protocols), CCTV footage
Voice Information Recorded telephone conversations with Bank One’s staff.
Special categories of personal data/ Data on vulnerable persons Biometric data in the form of photographs and voice recordings
Other Information about requests, queries and complaints
5. Cookies

We use cookies on the digital platforms. Insofar as those cookies are not strictly necessary for the provision of our website and services, we will ask you to consent to our use of cookies when you visit our website. Please refer to our Cookie Policy, available at the respective digital platform which covers in detail the aspects of cookie usage and the purposes for which we use cookies.

6. How we use your personal data
  1. Bank One will only use your personal data for the purposes for which it was collected or agreed with you.
  2. From time to time, we, or another entity with whom we have shared your personal data with your consent, may process your data on an automated basis with the aim of evaluating certain characteristics of yours (profiling) if you have provided your consent for such processing. Profiling is used to provide you with tailored information regarding the products and services offered by us. To this end, data analysis using third parties may be undertaken. This enables us to target appropriate communications and advertisements at you, including recommending products and services that we think might be suitable for you.
  3. We have set out below the legal basis of processing for each purpose. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your personal data.
Purpose of processing  Legal basis
For the purposes of contacting you through various channels such as email, phone, post, SMSor any other electronic means as appropriate for commercial events, offers and/or services or other marketing products which may be of interest to you Consent
For the purposes of subscribing to our email notifications or newsletters and offering you the opportunity to take part in competitions or promotions Consent
For the purposes of entering into an agreement with you regarding provision of products/services and to administer and manage our relationship with you. Process your personal information for ordinary business purposes, namely:

  • to open and maintain your account,
  • to give effect to transactions,
  • to administer claims where applicable,
  •  for the purpose of credit assessment, including conducting credit checks and setting credit limits, and
  • to manage our risks
 Performance of any contractual obligations towards you.
For the purposes of assessing the risk in providing a product or service and performing customer due diligence For compliance with a legal or regulatory obligation to which we are subject to, under for instance the relevant AML/CFT regulations and guidelines.
For the purposes of record keeping For compliance with a legal or regulatory obligation to which we are subject to, such as internal/external audit,proper maintenance of records relating to your transactions and retention periods, as per relevant AML/CFT regulations and guidelines for example
For the purposes of analysing the effectiveness of our services using your feedback Legitimate interests, namely of improving our services
For the purposes of ensuring the security of our information systems and maintaining back-ups of our databases For compliance with legal obligation
For the purposes of managing our relationships with customers, communicating with customers and keeping records of those communications Performance of any contractual obligations towards you.
For the purposes of confirming and verifying your identify when you request to access, rectify, restrict or delete the information we hold on you For compliance with a legal obligation to which we are subject to, that is, to verify the identity of a data subject who makes a subject rights request
For the purposes of replying to any requests, complaints, comment or enquiries you submit to us regarding our services and notifying you about changes to our service Performance of any contractual obligations towards you.
Processing CCTV footage captured on our premises for the purposes of:

  • protecting your personal safety when you are on our premises
 Legitimate interests of ensuring physical security on our premises.
For the purposes of conducting market or customer satisfaction research, for statistical analysis, or for analysing the effectiveness of our advertisements, and promotions Legitimate interests, namely the proper administration of our business
To record phone calls between customers and the bank for effective documentation of the business transaction Consent
  • In addition to the above-mentioned specific purposes for which we may process your personal data, we may also process any of your personal data where such processing is necessary for compliance with legal and regulatory requirements which apply to us, or when it is otherwise allowed by law, or when it is in connection with legal proceedings

 

7. Whether the supply of personal data is voluntary or mandatory

The provision of personal data is of course entirely voluntary. You are free to choose whether to provide your personal data to us or not. Please note however that if you choose not to provide your personal data to us, we may not be able to provide certain services to you or enter into a contractual relationship with you

 8. Disclosure of personal data
  • We may need to share your personal data with third parties which assist us in fulfilling our responsibilities regarding our business relationship with you and for the purposes listed above. Bank One may disclose your personal data to the following third parties:
  • We may make certain personal data available to third party service providers and agents who provide services to us (such as marketing tool providers, payment software providers, credit reference agencies, loyalty programme partners). When we share with these third parties, we do so on a need-to-know basis and under clear contractual terms and instructions for the processing of your personal data.
  •  We may also be required to disclose your personal data to other third parties such as lawyers, consultants, insurers, auditors as well as public and government authorities for purposes mentioned in Section 6 or where:
    1. We have a duty or a right to disclose in terms of law or for national security and/or law enforcement purposes;
    2. We believe it is necessary to protect our rights;
    3. We need to protect the rights, property or personal safety of any member of the public or a customer of our company or the interests of our company; or
    4. You have given your consent.
  • We may, from time to time, disclose your personal information, with your consent, to other companies with which we have partnered and after putting in place the necessary sharing agreements. The objective of this disclosure is to better identify your needs and provide tailor-made packages and services to you.
  • We require our service providers and other third parties to keep your personal data confidential and that they only use the personal data in furtherance of the specific purpose for which it was disclosed. We have written agreements in place with our processors to ensure that they comply with these privacy terms.
9. Personal data security
  • We are legally obliged to provide adequate protection for the personal data we hold. We have put in place appropriate security and organisational measures to prevent your personal data from being subject to any accidental or unlawful destruction, loss, alteration, and any unauthorised disclosure or access.
  • We have also put in place procedures to deal with any suspected data security breach and will notify you and the Data Protection Office of a suspected breach where we are legally required to do so.
  • We will, on an on-going basis, continue to review our security controls and related processes to ensure that your personal data is secure.
  • Our security policies and procedures cover, amongst others:
    • Access to personal data
    • Encryption
    • Password
    • Media Handling
    • Security Compliance
    • Network Control
    • Firewall
    • Backup of data
    • Incident management
    • Risk Assessment
    • Use and misuse of IT assets
    • Physical security
    • Antivirus
    • Audit Trail Logs
    • Outsourced Software Development
    • Third Party and Contract Management
  • When we contract with third parties, we impose appropriate security, privacy and confidentiality obligations on them to ensure that personal data that we remain responsible for is kept secure.
  • We will ensure that anyone to whom we pass your personal data agrees to treat your data with the same level of protection as we are obliged to.
10.  International transfers
  • We may transfer personal data outside Mauritius as may be necessary for the purposes mentioned above. If we transfer your personal data to other countries, we will ensure that there are appropriate safeguards in place with regards to the protection of your personal data.
  • Those transfers would always be made in compliance with the applicable data protection laws. Data transfers do not change any of our commitments to safeguard your privacy and your personal data remains subject to existing confidentiality obligations.
  • If you would like further details on the transfer of your personal data outside Mauritius, please contact our Data Protection Officer (hereafter “DPO”) by referring to Section 10.
11. Your data protection rights

Under the applicable data protection laws, you have rights we need to make you aware of and which are set out below. The rights available to you depend on our reason for processing your information. If you wish to exercise any of the said rights, we encourage you to contact our Data Protection Officer.

  1. Your right to erasure of your personal data

    You have the right to ask us to delete your personal data in certain circumstances:•When we no longer need your personal data;
    •If you initially consented to the use of your personal data, but have now withdrawn your consent;
    •If you have objected to us using your personal data, and your interests outweigh ours; and
    •If we have collected or used your personal data unlawfullyWhere we collect personal data for a specific purpose, we will not keep it for longer than is necessary to fulfil that purpose, unless we have to keep it for legitimate business or legal reasons. Upon the determined expiry date, we will securely destroy your personal data. Retention periods are indicated in Annex A’s Records Retention and Disposal Schedule. When we delete data from our servers, no residual copies remain on our servers. Data from our backup tapes are also deleted depending on the next scheduled backup overwrite which may be on a weekly, monthly or yearly basis in accordance with its configuration.You will understand that this right is not absolute and that it will not be applicable where the exceptions provided for by law apply, including where our processing of your personal data is necessary for the purpose of historical, statistical or scientific research or for compliance with a legal obligation or for the establishment, exercise or defence of a legal claim;
  2. Your right of access to your personal dataYou have the right to request a copy of the personal data we hold about you. In order to do so, simply contact our Data Protection Officer and specify in writing what data you would like to have access to. We will take all reasonable steps to confirm your identity before providing details of your personal data.You will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
  3. Your right to rectification of your personal data

    You have the right to ask us to update or correct your personal data if you think it is inaccurate or incomplete. We will take all reasonable steps to confirm your identity before making changes to personal data we may hold about you. We would appreciate it if you would take the necessary steps to keep your personal data accurate and up-to-date by notifying us of any changes we need to be aware of.
  4. Your right to restriction of processing

    You have the right to ask us to limit how we use your data. If necessary, you may also stop us from deleting your data. To exercise your right to restriction, simply contact our Data Protection Officer, say what data you want restricted and state your reasons. You may request us to restrict processing of your personal data in the following circumstances:
    – If you have contested the accuracy of your personal data, for a period to enable us to verify the accuracy of the data;
    – If you have made an objection to the use of your personal data;
    – If we have processed your personal data unlawfully but you do want it deleted;
    – If we no longer need your personal data but you want us to keep it in order to create, exercise or defend legal claims.
  5. Your right to object to processing

    You have the right to object in writing at any time to the processing of personal data concerning you unless we demonstrate competing legitimate grounds for the processing which override the data subject’s interests, rights and freedoms or for the establishment, exercise or defence of a legal claim.We currently process personal data for direct marketing. Where you object to the processing of your personal data for the purposes of direct marketing, your personal data shall no longer be processed for that purpose.
  6. Your right to data portabilityThe right to data portability allows you to ask for transfer of your personal data from one organisation to another, or to you. The right only applies if we are processing information based on your consent or performance of a contract with you, and the processing is automated. You can exercise this right with respect to information you have given us by contacting our DPC (refer to Section 10). We will ensure that your data is provided in a way that is accessible and machine-readable.

  7. Your right to withdraw consent

    To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

12. Changes to this privacy notice

We keep our privacy notice under regular review. We reserve the right to change our privacy notice at any time thus we encourage you to periodically review this notice to be informed of how we are using and protecting your personal data. We will notify you of significant changes by email or through automatic pop ups on our website and applications. This version was last updated on 22 September 2022.

13. Changes to this privacy notice
  • The primary point of contact for questions relating to this privacy notice, including any requests to exercise your legal rights, is our Data Protection can be contacted by email, at DPO@bankone.mu or the following physical address or telephone number
    BANK ONE
    16, Sir William Newton Street
    Port Louis, Mauritius
    Tel: 230 202 9200 / 202 9191
  • If you believe we have not handled your request in an appropriate manner, you have the right to file a complaint with the Data Protection Commissioner in Mauritius, whose contact details are as follows:
    Data Protection Office
    5th Floor, SICOM Tower, Wall Street, Ebene
    Email address: dpo@govmu.org
    Phone number: + 230 460 0253
    Fax: +230 489 7346

    The procedure to file a complaint with the Data Protection Commissioner is available on https://dataprotection.govmu.org/Pages/Home%20-%20Pages/Take%20Action/To-report-your-Complaint.aspx.

ANNEX A: RECORDS RETENTION AND DISPOSAL SCHEDULE

  1. Human Resources
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact Details, Individual Details and Identification Details Employee File
    Birth Certificate
    Marriage Certificate
    Qualification
    CV (Staff)
    NIC
    Attendance records
    Letters
    Training records    		 10 years Upon termination of employment contract
    CV (Candidates)
    Application Form
    Reference checks    		 1 year Upon rejection of job application
    Financial information Payroll records
    Bank Statements
    Personnel File    		 10 years Upon termination of employment contract
    Special Categories of personal data/ Data on vulnerable persons Certificate of Character 6 months From date record is created
    Psychometric Test Results 10 years (if candidate employed)
    1 Year (if candidate not employed)    		 Day that results are collected
  2. Information Security / IT & Digital Department
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact Detail Access Rights Reports 10 years From date record is created
    Voice/ Video information Voice recording (Phone Lines) 10 years On same day footage is recorded
    IT Information Log Files 10 years From date record is created
    Emails 10 years From date record is created
  3. Finance
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details, Financial information Statutory Reports
    Internal Management Reports    		 10 years From date record is created
    Staff refund 10 years Upon termination of employment contract
    Invoices (Suppliers) 10 years Upon termination of contract with supplier
  4. Marketing
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details    		 Contact Us Form
    Feedback Form
    Join Us Form
    Product Enquiry Form    		 10 years From date record is created
  5. Private Banking
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information
    Credit risk and anti-fraud details    		 Account Opening Forms
    Credit Agreements
    KYC Documents    		 10 years Upon termination of contract
    Regulatory Reports 10 years From date record is created
  6. SME Banking
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    CContact details
    Identification details
    Financial information
    Credit risk and anti-fraud details    		 KYC Document
    Sanction Letter
    Credit Agreements
    Charge Documents    		 10 years Upon termination of contract
  7. Corporate Banking
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information
    Credit risk and anti-fraud details    		 Account Opening Forms
    Loan Agreements
    Standing Orders    		 10 years Upon termination of contract
  8. Collection and Recoveries
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information    		 Reports from PEX
    Reminder Letters
    Credit Cards    		 10 years Upon termination of contract
  9. Corporate Affairs
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information
    ire
    		 KYC Documents
    Onboarding Questionnaire    		 10 years Upon termination of contract
  10. Compliance
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details    		 Account Opening Forms
    Confidentiality Clause    		 10 years Upon termination of contract
    Financial information
    Credit and Anti-Fraud details    		 KYC Documents
    Account Opening Forms    		 10 years Upon termination of contract
  11. Credit Administration
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information
    Credit and Anti-Fraud details    		 Loan Agreements
    Security Documents
    KYC Documents
    MCIB Declaration Form    		 10 years Upon termination of contract
  12. Credit Risk
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information
    Credit and Anti-Fraud details    		 Loan Application Forms
    KYC Documents
    Security Documents    		 10 years Upon termination of contract
    Regulatory Reports 10 years From date record is created
  13. Customer Service
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    		 Complaints Form
    Complaints Brochure
    Customer Satisfaction Survey    		 10 years Upon termination of contract
    Regulatory Reports 10 years From date record is created
  14. E-Commerce
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information
    		 Application Forms (Account Opening, Account Maintenance,Internet Banking, Wire Transfer) 10 years Upon termination of contract
    Credit and Anti-Fraud details Regulatory Reports 10 years From date record is created
  15. Elite Banking
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information
    Credit and Anti-Fraud details    		 Account Opening Form
    Personal Loan Application Form
    Card Application Form    		 10 years Upon termination of contract
  16. International Banking
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information
    Credit and Anti-Fraud details    		 KYC Documents
    Application Forms (Account Opening, Internet Banking, Account Maintenance, Card Application)    		 10 years Upon termination of contract
  17. Internal Audit
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information
    Credit and Anti-Fraud details    		 Listings
    Working Papers
    Regulatory Reports    		 10 years From date record is created
    Special Categories of Personal Data/ Personal data on vulnerable persons Regulatory Reports 10 years From date record is created
  18. Legal and Documentation
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Individual details
    Identification details    		 Sanction Letter
    Charge Instrument
    Credit Agreement
    Post-Approval Form
    Summary
    Lien Letter
    Repayment undertaking
    Personal Guarantee
    Lease Agreement
    Pledge of Investment
    Pari Passu Agreement
    Cession de Priorite Ag.
    Gage sans deplacement
    Assignment of insurance
    Erasure Letter
    Letter of no objection
    Letter to Notary
    Restructure Agreement
    Master Service Agreement
    Brokerage Services Agreement
    Business Introducer Agreement
    Custody Agreement
    Distribution Agreement
    External Asset Manager Agreement
    Escrow Agreement
    Global Master Repurchase Agreement
    Standby Letter of Credit    		 10 years Upon termination of contract
    Financial information
    Credit and Anti-Fraud details    		 Pledge of Investment 10 years Upon termination of contract
  19. Onboarding
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information    		 Account Opening Forms
    Statement of Account
    Visa Letter    		 10 years Upon termination of contract
    Regulatory Reports 10 years From date record is created
  20. One Service
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information
    Credit and Anti-Fraud details    		 Application Form (Card Processing) 10 years Upon termination of contract
    Regulatory Reports 10 years From date record is created
  21. Operational Risk
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial Information    		 Risk Assessment Reports 10 years From date record is created
    Credit and Anti-Fraud details
    Special Categories of Personal Data/Personal Data on Vulnerable Persons    		 Fraud Investigation Reports 10 years From date record is created
  22. Premises and Support/ Facilities
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details    		 NIC
    Passport
    Proof of Address
    Visitor’s Logbook    		 10 years From date record is created
    Financial information Onboarding Form 10 years From date record is created
  23. Regulatory Operations
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details    		 Passport
    NIC    		 10 years Upon termination of contract
    Financial information
    Credit and Anti-Fraud details    		 KYC Documents 10 years Upon termination of contract
    Regulatory Reports 10 years From date record is created
  24. Retail Banking and Contact Center
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information
    Credit and Anti-Fraud details    		 Account Opening and Maintenance Forms
    Service Request Forms (EG, STO, DD)
    Credit Related Forms
    Product Related Forms
    Statutory Returns    		 10 years Upon termination of contract
  25. Transaction Processing Unit
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information    		 Cheque Books
    Direct Debit Forms    		 10 years Upon termination of contractct
  26. Transformation Office
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact detail Change Initiation Form 10 years Upon termination of contract
    Individual details
    Identification details
    Financial information
    Credit and Anti-Fraud details    		 Customer List  10 years Upon termination of contract
  27. Treasury Back Office
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details    		 Regulatory Reporting
    Records on Deal Confirmation    		 10 years From date record is created
    Financial information Customer File (Treasury System)
    Dealing Mandate    		 10 years From date record is created
  28. Treasury Front Office
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Contact details
    Identification details
    Financial information    		 Customer File (Treasury System)
    Dealing Mandate    		 10 years From date record is created
  29. Premises & Supplier Management
    Categories of Personal Data Record type (containing personal data) Retention period Start of retention period
    Supplier Information Vendor Agreement 10 years Upon termination of contract
    Supporting documentation (Financial information, Business related support documents, etc.) 10 years Upon termination of contract
    Unsuccessful vendors information 1 year Upon completion of selection process
    Physical Security information CCTV Footage 90 Days On same day footage is recorded
    Visitors’ Logbook 90 Days From date record is created
    Intruder Alarms logs 90 Days From date record is created
    Access Control Logs 90 Days From date record is created