Last reviewed on 22 February 2021
AfrAsia Bank Limited (we, us, our) is committed to safeguarding the privacy of your personal data.
We understand that the protection of your personal data is an essential requirement for you and that you expect us to handle your personal data according to high standards of privacy and security. This Privacy Statement aims to explain in a simple and transparent way what personal data we gather about you and how we process it. In this connection, we have prepared this Q & A to explain how we use and process your personal data.
What is personal data?
Personal data means any information which identifies an individual person or from which an individual person is identifiable.
What is a data subject, a data processor and a data controller?
- A data subject means an identified or identifiable individual person (i.e. human); in particular by reference to an identifier (such as a name or an identification number).
- A data controller determines the purposes and means of the processing of personal data. The data controller has decision making power in respect of the processing.
- A data processor is responsible for processing personal data on behalf of a data controller.
- In most cases, we are the data controller of personal data. There are certain instances where we act as data processor.
What personal data do we collect, have or compile about you?
Personal data that is typically collected and used by us includes but is not limited to the following:
- Your contact details, such as your name, your address(es), your telephone number(s) and email address(es);
- Other personal data about you, such as your personal information collected by us for our customer due diligence purposes e.g. your identity and/or passport documentation; proof of address documentation; source of wealth information; bank account, financial and tax information; transactional information on your accounts/dealings; your marital status; your gender; date and place of birth; your occupation and income including employment history; your dependants; your signature; photographs or other visual images of you; telephone conversations with our staff.
- Please note that the personal data set out above is an indicative list only and is not exhaustive.
Why do we collect and process your personal data?
We will only collect and use your personal data where we have lawful grounds and legitimate business reasons to do so.
We collect and process your personal data to:
- ensure our compliance with our regulatory obligations under the applicable anti-money laundering or other applicable laws and regulations;
- assess an application by you in respect of a loan, a debit card, and any other banking, investment or fiduciary products or services from us; and
- as is necessary for the performance of our obligations to you under the agreement you enter into with us at the time we on-board you, as may be amended in accordance with its terms.
As a result, the personal data you provide to us at any point, may be shared by us with one or more of the following organisations or persons:
- banking, regulatory, taxation, governmental or other investigatory authorities, a court or other authority of competent jurisdiction;
- other lending institutions;
- credit reporting agencies, such as the Mauritius Credit Information Bureau (MCIB);
- our affiliates, officers, directors, employees, professional advisers and auditors;
- any professional adviser and/or professional services business that you have been using to liaise with us;
- any parties that we work with to provide you with our products or services and to support our business; and
- any other party with whom you have consented that we may share your personal data with.
How do we collect your personal data?
Most of your personal data is collected at the time we on-board you as a customer. It may also be collected when there are changes to your personal data and our records need to be updated. We will mostly collect your personal data directly from you. In some cases, as and when required, we may also collect information about your credit exposure from credit reporting agencies or your tax related information under international agreements, such as your tax residency status, tax account number and may further request you to provide us with a self-certification certificate, where necessary.
Your personal data for marketing and communication purposes
We may from time to time use your personal data to send you information about our products, services and promotions and those of the entities within our group, which we believe may be of interest to you. At the time we on-board you, we will ask you to provide your express consent to being contacted for such purposes. If we do not have your consent to the processing of your personal data for marketing purposes, or if we have your consent and you subsequently notify us of the withdrawal of your consent, we will not send you any marketing correspondence.
You may change your mind and update your preferences at any time by notifying us.
For how long do we store your personal data?
We will only hold your personal data for as long as is necessary for the purposes for which it was obtained.
However, if we are obliged pursuant to our regulatory or statutory requirements to retain your personal data for a specified period of time, then we will retain your personal data for that minimum specified period.
Automated decision making and profiling
[We do not currently use any system pursuant to which your personal data is subjected to automated decision making or profiling. However, if this changes, it may affect the products and services we offer you and we will amend our Privacy Notice accordingly].
For information about cookies and how they're used on this website, visit our cookies page
Transfer of personal data outside Mauritius
Your personal data may be transferred to and stored in locations outside Mauritius. However, any such transfer does not affect our commitment to safeguard the privacy of your personal data and we will ensure that the transfer is lawful.
As data subject, you have a number of rights under applicable data protection laws in respect of your personal data, which include but are not limited to the following:
- Right of access to your personal data;
- Right to rectify inaccurate personal data;
- Right to erase your personal data if the continued processing of such data is not justified;
- Right to restrict the processing of your personal data;
- Right to object to processing of your personal data (including direct marketing);
- Right not to be subject to a decision based solely on automated processing of your personal data, including profiling, which produces legal effects concerning you or significantly affects you;
- Right to lodge a complaint with the Data Commissioner through the Data Protection Office.
Data Protection Act 2017 and the impact of GDPR in Mauritius
The Data Protection Act 2017 (DPA) has replaced the Data Protection Act 2004. This new law has been passed with the following aims (according to the Data Protection Office’s website):
- Strengthen the control and personal autonomy of data subjects over their personal data, thereby contributing to respect for their human rights and fundamental freedoms, in particular their right to privacy, in line with current relevant international standards, in particular the European Union’s General Data Protection Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR);
- Simplify the regulatory environment for business in our digital economy; and
- Promote the safe transfer of personal data to and from foreign jurisdictions, given the diversification, intensification and globalisation of data processing and personal data flows.
If you wish to obtain information about your rights under the new Data Protection legislation, please consult the Data Protection Office website: https://dataprotection.govmu.org/SitePages/Index.aspx
Your consent and your right to withdraw your consent
Your consent must be a freely given, specific, informed and unambiguous indication of your wishes to our collection, use or processing of your personal data, either by a statement or a clear affirmative action on your part.
We will process your personal data if you give us your consent in accordance with the law. Our account opening mandate and agreements (including our General Terms and Conditions) contain express provisions regarding your consent, pursuant to which you authorise us to process your personal data.
However, we will not be able to provide you certain products or services as a result of such withdrawal.
Notwithstanding the withdrawal of your consent, we may still continue to collect and process your personal data if we are obliged to do so pursuant to our regulatory or statutory requirements [or if this is necessary pursuant to a contract to which we are a party].
Nothing in this document shall be represented or construed as any representation, warranty or undertaking on our part or any of our officers, employees, directors, agents or affiliates. Accordingly, we do not give any representation, warranty or undertaking and we accept no responsibility or liability as to the accuracy, or completeness, of the information set out in this document. The information contained does not purport to be complete and is subject to change.
You are advised to rely on your independent appraisal of and investigations into the information provided, and we advise you to obtain legal advice if you have any concerns regarding your data protection rights.
Queries and complaints
If you have any queries or complaints in respect of your personal data, please contact our Data Protection Office:
Data Protection Office
4th Floor NeXTeracom Tower III
T: (+230) 403 5500
F: (+230) 468 1655