Our Privacy Notice

1. Introduction

  1. At Bank One Limited (“Bank One”), we are committed to protecting your privacy. This Website Privacy Notice explains how we process your data as per the Data Protection Act 2017 (hereafter the “DPA”).
  2. We take your privacy seriously and strive to ensure that your personal data is processed in a lawful, fair, and transparent manner. The purpose of this notice is to describe the way that we handle your personal information.
  3. This notice applies to all customers, website users, suppliers and merchants of Bank One.

2. Technical Terms

  1. We have tried to use simple and plain English as far as possible in this Privacy Notice. However, data protection is a complex subject and the use of technical terms from time to time is inevitable. We have therefore set out below definitions of the technical terms we have used in this document:
    • “Consent” means any freely given, specific, informed and unambiguous indication of the wishes of a data subject, either by a statement or a clear affirmative action, by which he signifies his agreement to personal data relating to him being processed.
    • “Controller” means a person who or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision making power with respect to the processing.
    • “Data subject” means an identified or identifiable individual, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. For the purpose of this Notice, data subjects include all living individuals about whom we hold personal data. A data subject need not be a Mauritian national or resident in Mauritius.
    • “Direct marketing” means the communication of any advertising or marketing material which is directed to any particular individual.
    • “Personal data” means any information relating to a data subject and more specifically: (i) data relating to a living individual who can be identified from that data, or (ii) data or other information about a living individual whose identity is apparent or can reasonably be ascertained from the data. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
    • “Processor” means any person who or public body which, processes personal data on behalf of the Company.
    • “Processing” means an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    • “Special categories of personal data”, in relation to a data subject, means personal data pertaining to: (a) his racial or ethnic origin; (b) his political opinion or adherence; (c) his religious or philosophical beliefs; (d) his membership of a trade union; (e) his physical or mental health or condition; (f) his sexual orientation, practices or preferences; (g) his genetic data or biometric data uniquely identifying him; (h) the commission or alleged to have been committed by him, the disposal of such proceedings or the sentence of any Court in the proceedings.

Download the Subject Access Request (Record)

3. Personal data we may collect about you

    1. Personal data is any data from which you can be identified and which relates to you.
    2. The type of data we collect will depend on the purpose for which it is collected and used. We will only collect data that we need for that purpose.
    3. We may collect your personal data in the following ways:
      -Directly from you (e.g., information you provide when undertaking our services).
      -Information made available when you interact with us (e.g. when you visit our online services, call us or visit one of our branches or ask about any of our products and services).
      -Information you share with us through our chatbot interactions.
      -Information available from your financial advisor, broker or intermediary the insurance company which provides the insurance policies we offer.
      -Publicly available sources.
      -Any other sources from which you have asked us to obtain information.
    4. The types of personal data that Bank One collects and processes may include:

 

Personal Data Involved
  • name, previous names, gender, date and place of birth;
  • address, email address, landline and mobile numbers;
  • photo ID, passport information, Tax Account Number, National ID card, nationality, birth certificate, death certificate, proof of address;
  • source of revenue, financial information;
  • KYC details on directors and authorised signatories;
  • Information we use to identify and authenticate you, e.g. your signature and your biometric information, such as your voice for voice ID, or additional information that we receive from external sources that we need for compliance purposes;
  • geographical location.

Personal Data Involved
  • information regarding your family members or other third parties who might be covered by or benefit from your insurance policy, or be financially dependent on you;
  • information which is relevant to your insurance policy including details of previous policies and claims history. This will depend on the type of policy that you have with us;
  • lifestyle information, e.g. your smoking status and alcohol consumption if you apply for a life insurance policy;
  • details about your physical or mental health which are relevant to your insurance policy or claim, e.g. if you make a claim we may ask for medical information relating to the claim;
  • details about your criminal convictions or related information. This will include information relating to offences or alleged offences;
  • information relating to your insurance application where you apply for a policy via a comparison website or aggregator;
  • information relating to your medical records, with your agreement;
  • information relating to your insurance claims history;
  • information from other parties involved in your insurance policy or claim;
  • information from publicly available sources;
  • any other information which is relevant to a claim that you make.

Personal Data Involved
  • Existing information provided upon account creation; login credentials for phone banking, online banking and/or mobile banking applications.

Personal Data Involved
  • contact details and name;
  • details of the services you receive and your preferences;
  • information and opinions expressed when participating in market research.

 

Personal Data Involved
  • Existing information on you, your financial information and information about your relationship with us, including the products and services you hold, the channels you use and your ways of interacting with us, your ability to obtain and manage your credit, your payment history, transaction records, market trades, payments into your account including salary details and information concerning complaints and disputes.

  • records of correspondence and other communications between us, including phone calls, email, live chat, instant messages and social media communications;
  • Name, email, conversation transcript, IP address and geographical location when you interact with us via our chatbot.

  • investigations data, e.g. due diligence checks, sanctions and anti-money laundering checks, external intelligence reports, content and metadata related to relevant exchanges of information between and among individuals and/or organisations, including emails, voicemail, live chat, etc.;
  • information from third party providers, e.g. information that helps us to combat fraud or that relates to your social interactions (including your communications via social media, between individuals, organisations, prospects and other stakeholders acquired from companies that collect combined information).

Personal Data Involved
  • Risk rating information, e.g. credit risk rating, transactional behaviour and underwriting information.

Personal Data Involved
  • information that we need to meet regulatory obligations, e.g. information about transaction details, detection of any suspicious and unusual activity and information about parties connected to you or these activities.

Personal Data Involved
  • Information which we need to collect to assess the risk in onboarding a supplier. This may include data relating to criminal convictions, and information received from various anti-fraud databases or other special categories of personal data;
  • In the case of representatives and UBOs of Bank One’s corporate shareholders, this may include data relating to credit history, source of wealth/ source of funds, purchase history, credit score, information required to fill in KYC forms, and information received from various anti-fraud databases, including whether you are a politically exposed person (PEP).

Personal Data Involved
  • Telephone recordings, Voice / video recording on platforms such as Teams, Webinars, recorded trainings;
  • voice recording via phone calls, face-to-face meetings;
  • personal data received from letters, emails, live chats, video chats, and other forms of communication;
  • other information such as phone numbers used to contact us and details about the devices or software employed.

Personal Data Involved
  • IP addresses, browser type and version, access time and length of access, page views, user activity, user consent status, user preferences such as language and video preferences and website usage in log files;
  • cookies and similar technologies we use to recognise you, remember your preferences and tailor the content we provide to you – our cookie policy contains more details about how we use cookies and can be found at www.bankone.mu/cookie-policy.

Personal Data Involved
  • Information recorded in Bank One’s visitors’ logbook (reason for visit, organisation name, identification measures used, date and time of visit), CCTV footage.
  1. Bank One may also process your information for the following purposes:
    – Marketing and Market research

    We may use your information to provide you with details about our products and services, as well as those offered by our partners and other relevant third parties. Marketing messages may be delivered through various channels, including post, email, telephone, text, or secure messaging.

    We may use your information for market research and to identify trends. Market research agencies acting on our behalf may get in touch with you by post, telephone, email or other methods of communication to invite you to take part in research. We will not invite you to take part in research using a particular communication method if you have expressly asked us not to get in touch that way. Any responses that you provide whilst participating in market research will be reported back to us anonymously unless you give us permission for your details to be shared.

    You have the option to alter your preferences regarding how you receive marketing messages or opt out of them entirely at any time. To make such adjustments, please reach out to us through our standard communication channels.

    If you decide not to receive marketing messages, please be aware that it may take a brief period for our systems and records to reflect your request. During this time, you may still receive such messages. Additionally, even if you opt out of marketing communications, we will continue to use your contact details to provide essential information, such as updates to your terms and conditions or to fulfil regulatory obligations.

    – Credit Reference Checks

    If you apply for new products or services (including credit such as a housing loan, lease facility, personal loan or credit card), we may perform credit and identity checks with the Mauritius Credit Information Bureau (MCIB). When you use our banking services, we may also make periodic searches at MCIB to manage your account with us.

    To do this, we will share your personal details with the MCIB, and they will provide us with the required information about you. This will include information from your credit application and about your financial situation and financial history. The MCIB will supply us with both public and shared credit information, financial situation, history and fraud prevention information.

    We may use this information to:

    • assess if we can offer you credit and whether you can afford to take the product you have applied for;
    • verify the accuracy of the data you have provided to us;
    • prevent criminal activity, fraud and money laundering;
    • manage your account(s);
    • trace and recover debts;
    • ensure any offers provided to you are appropriate to your circumstances.

    –  Risk Scoring

    To check your eligibility to receive a loan from Bank One, we will make use of a scoring system. The latter will mostly use similar data as available on core systems for existing clients. The remaining data needed is the same information that is presently collected through physical files and saved on the bank’s archive system.

    The personal data used for the scoring system includes information provided in your credit application, financial details and situation, and MCIB records, amongst others.

    Some scoring tools share data with third parties who use it in their worldwide database, such as Moody’s, in order to give a score or for calibration purposes.

    – Fraud Prevention Agencies

    We will carry out checks with fraud prevention agencies for the purposes of preventing fraud and money laundering, and to verify your identity before we provide products and services to you. These checks require us to process personal information about you.

    The personal information you provide or which we have collected from you, or received from third parties, will be used to carry out these checks in order to prevent fraud and money laundering, and to verify your identity.

    We will process personal information such as your name, address, date of birth, contact details, financial information, employment details, and device identifiers, e.g. IP address.

    Together with the fraud prevention agencies, we may also allow law enforcement agencies to access and use your personal data in order to detect, investigate and prevent crime.

    We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering and to verify your identity. This enables us to protect our business and to comply with laws that apply to us. This processing is also a contractual requirement of any of our products or services you use.
Fraud prevention agencies can hold your personal data for different periods of time. If they are concerned about a possible fraud or money laundering risk, your data can be held by them for up to six years.

    If we, or a fraud prevention agency, have reason to believe there is a fraud or money laundering risk, we may refuse to provide the services and credit you have requested. We may also stop providing existing products and services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies and may result in other organisations refusing to provide services to you. The information we hold about you could make it easier or harder for you to get credit in the future.

4. Legal Basis for Processing

  1. We process your personal data based on the following lawful basis:
    • Contractual Necessity: Processing is necessary for the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.
    • Legal Obligation: Processing is necessary to comply with a legal obligation.
    • Legitimate interest: Processing is necessary for our legitimate interests or the legitimate interests of a third party provided that such interests are not overridden by your rights and interests.
    • Public Interest: Processing is necessary for public interest, e.g., for the purpose of preventing or detecting crime.
  2. Sensitive data that are collected by Bank One qualify as special categories of personal data. This information, if processed, shall be done if the data has already been made public by data subjects or if the processing is necessary for:
    • the establishment, exercise or defence of a legal claim,
    • the purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject, or
    • the protection of the vital interests of the data subject.

5. How we make decisions about you?

  1. We may use automated systems to assist us in decision-making processes such as evaluating credit and conducting fraud and money laundering checks.
  2. For automated decision-making with respect to loan provisions, Bank One will make use of an automated system to assess the eligibility of customers to receive a loan from Bank One. The system will assess the personal data, such as KYC details, bank statements, and MCIB reports, amongst others, of the customers against set parameters to come to a decision. Based on the latter, the system will then decide whether the customer may be granted a loan or not.
  3. We may use technology developed in house or outsourced from third party service providers, that helps us identify the level of risk involved in customer or account activity, e.g., for credit, fraud, or financial crime reasons, or to identify if someone else is using your card without your permission.
  4. You have the right to obtain information about how we make these decisions. Additionally, you have the right to request human intervention and to challenge the decision. Further details can be found in the ‘Your rights’ section below.

6. Who has access to your personal data?

    1. Within Bank One
      Employees of Bank One who process your data will have access to it and are bound by strict confidentiality requirements.
    2. Sharing of Information
      We may share your information when:
      -Providing products or services you have requested (e.g., fulfilling a payment request).
      -Administering insurance policies or claims.
      -Fulfilling legal or public duties (e.g., fraud prevention, prevention of tax evasion and financial crime).
      -Handling regulatory reporting, litigation, or defending legal rights.
      -We have a legitimate business reason (e.g., risk management, identity verification).
      -We have your permission or if required by law.
    3. Third Party Access
        1. We may share your data with:-Our subcontractors, agents, or service providers.
          -Joint account holders, trustees, beneficiaries, or executors.
          -Guarantors or security providers.
          -Parties involved in your financial transactions.
          -Beneficiaries, intermediaries, and other financial entities
        2. Additional parties may include:
          -Fund managers, brokers, and entities interested in our services.
          -Parties involved in corporate restructuring or mergers.
          -Law enforcement, government bodies, and regulators.
          -Solicitors, surveyors, valuers, other lenders, conveyancers and third-party intermediaries
          -Dispute resolution bodies and fraud prevention agencies.
          -Our card processing supplier(s).

       For more details, contact our Data Protection Officer (DPO) – see section 17.2.

7. Your Rights

  1. As a data subject, have certain rights regarding your personal information:
    • Right to access: You can access the information we hold about you, and to obtain information about how we process it.
    • Right to withdraw consent: You can in some circumstances, withdraw your consent to our processing of your information, which you can do at any time. We may, however, continue to process your information if we have another legitimate reason for doing so.
    • Right to receive information: You have the right in some circumstances to receive certain information you have provided to us in an electronic format and/or request that we transmit it to a third party.
    • Right to rectification: You have the right to request that we rectify your information if it is inaccurate or incomplete.
    • Right to erasure: You have the right in some circumstances, to request that we erase your information. However, we may continue to retain your information if we are entitled or required to do so.
    • Right to object: You can restrict our processing of your information in some circumstances. Again, there may be situations where we are authorised to continue processing your information and/or to refuse such requests.
  2. To exercise your data subject rights, you may fill out the form provided on our website at Bank One – Homepage or submit a request via email at [email protected] from your registered email address with Bank One or visit one of our branches during business hours.
  3. You also have a right to lodge a complaint to the Mauritius Data Protection Office by visiting http://dataprotection.govmu.org, or to the data protection regulator in the country where you live or work.

8. Retention of your personal data

  1. The Bank keep your information in line with our data retention policy. For example, we will normally keep your core banking data for a period of ten years from the end of our relationship with you.
  2. This enables us to comply with legal and regulatory requirements or use it for our legitimate purposes such as managing your account and dealing with any disputes or concerns that may arise. We may need to retain your information for a longer period where it is required to comply with regulatory or legal requirements or where we may need it for other legitimate purposes, e.g., to help us respond to queries or complaints, fighting fraud and financial crime, responding to requests from regulators, etc. If we do not need to retain information for this period of time, we may destroy, delete or anonymise it sooner.
  3. Should you seek further information regarding the precise retention periods of your personal data, please do not hesitate to contact our designated Data Protection Officer as provided under section 12.

9. Security of your personal data

  1. We have put in place appropriate security measures to prevent your personal data from being subject to any accidental or unlawful destruction, loss, alteration, and any unauthorised disclosure or access.
  2. In the event there is a personal data breach at Bank One, we will handle the same as per our Confidential Information Disclosure Playbook to minimise the effects of the breach and ensure that the rights and freedoms of our employees are safeguarded and maintained.

10. Transfer of Personal Data Outside Mauritius

  1. Your personal data may be transferred to and processed outside Mauritius. These transfers would always be made in compliance with the DPA. Data transfers do remain subject to existing confidentiality obligations.
  2. If we transfer your data to other countries which provide a lower level of protection, we will ensure that there are appropriate safeguards in place concerning the protection of your data, such as by using appropriate contractual data processing agreements.

11. Your responsibilities

  1. You are responsible to ensure that the data you provide or make available to us, is honest, truthful, accurate and not misleading in any way. You must ensure that the data provided does not contain material that is obscene, defamatory, or infringing on any rights of any third party, does not contain malicious code, and is not otherwise legally actionable.
  2. Further, if you provide any data concerning any other person, such as a guarantor, you are responsible for providing any notices and obtaining any consent necessary for us to collect and use that data as described in this notice.

12. What we Need from You

  1. Bank One is committed to maintain your personal data up to date and we undertake necessary measures to ensure that the information in our records remains accurate.
  2. To further enhance the accuracy of your personal data, we kindly request you to promptly inform us of any changes at your earliest convenience. If you are providing information on behalf of another person (e.g., a joint account holder, beneficiary under an insurance policy, or a dependent), please guide them to read this notice.

13. General

  1. This notice is subject to changes to reflect changes in our practices or for legal, regulatory, or operational reasons. We thus encourage you to periodically review this notice to be informed of how we are using and protecting your personal data.
  2. We will notify you of significant changes by email or through automatic pop ups on our website and applications. This version was last updated on 20 January 2026.
  3. If you have any questions or concerns about this notice or its application, please contact the DPO at [email protected].

 

Last updated on :21 January, 2026