In accordance with the Regulation of the European Parliament and the Council 2016/679 of 04/27/2016 for the protection of personal data of the GDPR (General Data Protection Regulation).
1. Data Controller and Data Protection Officer.
The Data Controller is Reserve Interstate Bank with registered office at Windhoek Namibia, 46, Bismarck Street (the “Bank” or “RIB”).
The Data Protection Officer may be contacted at RIB, Data Protection Office, PO Box 90714 Windhoek Namibia, 46, Bismarck Street, e-mail: firstname.lastname@example.org
2. Purpose and legal basis of the processing.
RIB processes personal data of natural or legal persons and individual companies and / or self-employed professionals (“data subjects”) for the following purposes:
- To execute a contract to which the data subject is a party or to carry out pre-contractual activities on the data subject’s request. RIB shall process any data as required by contract. The provision of the data necessary for these purposes represents, according to the cases, a contractual obligation or a necessary requirement for conclusion of the contract or carry out the pre-contractual activities requested by the data subject: in the absence of these, the Bank will find it impossible to set up the relationship or to execute it;
- To fulfil RIB’s legal obligations (for example, obligations set out under the money laundering regulations, provisions imposed by Supervisory Authorities, the Judiciary, etc.). RIB shall process this information to comply with any common law or statutory obligation. The provision of the data necessary for these purposes represents a legal obligation; in the absence of them the Bank will find it impossible to set up relationships and may be subject to reporting requirements;
- Promote products and services of the Bank or of third-party companies, including market research. RIB shall only process data for this purpose if the relevant data subject has given his/her free consent that he/she may revoke at any time. The provision of the data necessary for these purposes is not obligatory and refusal to provide it shall not have any negative consequence, other than the impossibility of receiving commercial communications;
- Promote the sale of “dedicated” products/services of the Bank or third party companies, specifically identified through the profiling and analysis, including through the use of automated techniques and systems (for example big data), of information relating to preferences, habits, consumer choices, aimed at subdividing the data subjects into homogenous groups by behaviour or specific characteristics (client profiling) updated through the inclusion of data with information obtained from third parties (enhancement). RIB shall only process data for profiling purposes if the relevant data subject has given his/her free consent that he/she may revoke at any time. The provision of the data necessary for these purposes is not obligatory and refusal to provide it shall not have any negative consequence, other than the impossibility of receiving dedicated commercial communications.
3. Categories of data handled.
RIB processes personal data collected directly from the data subject or from third parties, which includes, by way of example, identification data (for example, surname, forename, address, date and place of birth), data relating to image (for example, identity card photo) and other data attributable to the above-mentioned categories.
The Bank does not request and does not process on its own initiative any sensitive data of Data Subjects(for example, data which reveals the racial or ethnic origin, political opinions, and religious or philosophical convictions, trade union membership, genetic data, biometric data aimed at identifying in an unequivocal way a physical person, data relating to health or to sexual activity or sexual orientation of the person). However, it is possible that, in order to execute specific requests for services and operations inherent in the relationship with the client (for example payment of dues to parties or unions, subscriptions to associations, etc.) it has to process this data. Because the Bank cannot intercept or refuse these requests, the contract proposal can only be accepted if the Data Subject has given their written consent to the above-mentioned processing. The data in question will be exclusively processed to execute the request from the client.
4. Receivers or categories of receivers of data.
The data subject’s personal data may become available to natural or legal persons with the title of controllers and to natural persons that process data to carry out the tasks assigned to them, including: RIB employees, secondees, temporary workers, interns, consultants and contractors.
The Bank – without the consent from the data subject being necessary – may communicate the personal data in its possession, to those organisations to whom this communication must be made in compliance with an obligation set out under the law, a regulation or community rules.
5. Rights of the data subjects.
The current regulations on data protection give specific rights to the data subject who, to exercise those rights, may address themselves directly and at any time to the Data Controller.
The rights that may be exercised by the data subject are described below:
- Right of access;
- Right to rectification;
- Right to erasure;
- Right to restrict processing;
- Right to data portability;
- Right to object.
The data subject may at any time amend their optional consent preferences.
Right of access.
The right to access sets out the possibility for the Data Subject to know what personal data concerning him or her are being processed by the Bank and to receive a copy of it (in the case of further copies being requested a contribution based on the costs incurred may be debited). The information provided include: the purposes of the processing, the categories of personal data concerned, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period , as well as the guarantees applied in the case of transfer of data to a third country and the rights that may be exercised by the Data Subject will be detailed.
Right to rectification.
The right to correction allows the data subject to update or correct inaccurate or incomplete data held by the Bank relating to them.
Right to erasure (so-called “right to be forgotten”).
The right to be forgotten, allows the data subject to require the erasure of personal data concerning him or her in the following special cases:
- Personal data which are no longer necessary for the purposes for which they were collected and processed;
- The Data Subject withdraws the consent on which the processing is based, if there is no other legal basis for the processing;
- The Data Subject objects to the processing and there are no further legitimate ground for the processing carried out by the Data Controller:
- To pursue a legitimate interest of its own or third parties and there is no prevailing legal basis of the Data controller to proceed with the processing,
- For direct marketing purposes, including the profiling connected with that;
- The personal data of the data subject has been processed illegally;
- The personal data have to be erased for compliance with a legal obligation.
This right may be exercised even after withdrawal of consent.
Right of restriction.
A data subject may request the Bank to limit the way their data is processed under certain circumstances. The right of restriction of processing may be exercised by the data subject in the case of:
- The processing is unlawful, as an alternative to erasure of the data;
- Request for correction of the data (pending verification of the request);
- When an individual has objected to processing (pending verification by the Bank of the objection);
- Or when the Bank has no further need for the data but the data subject requires the personal data to establish, exercise, or defend legal claims.
With the exception of storage, where processing has been restricted any processing of the personal data is prohibited.
Right to portability.
The right to portability allows the data subject to receive the personal data concerning him or her, which he or she has provided to the Bank, for other purposes. Each data subject may ask to receive the personal data relating to them or to request its transfer to another data controller, in a structured format, in common use and legible.
Note, data portability only relates to personal data (for example, surname, forename, address, date and place of birth, residence), as well as a set of data generated by the transaction activity that the Bank has defined for each macro-category of product / service (for example, current or extinguished relationships, current account transactions). This right does not apply to non-automated processing (for example, paper files or records).
Right to object.
The right to object allows the data subject to object to the processing of their personal data in certain circumstances.
5.1 Exceptions to the exercise of the rights.
The regulations on data protection recognise specific exceptions in relation to the exercise of the Data Subject’s rights.
The Bank may continue to process personal data despite a data subject’s exercise of their rights if one or more of the following applicable conditions applies:
- Execution of a legal obligation applicable to the Bank;
- Resolution of litigation and / or disputes (own or of third parties);
- Internal and / or external investigations / inspections;
- Requests from national (local) and / or foreign public authorities;
- Reasons of relevant public interest;
- Execution of a contract in force between the bank and a third party;
- And/or any further blocking conditions / status of a technical nature identified by the Bank.
5.2. Procedure for exercising rights.
In order to exercise his/her rights, a data subject may contact the Bank at the email address email@example.com or make the request in writing to Reserve Interstate Bank, PO Box 90714 Windhoek Namibia, 46, Bismarck Street.
The period for the response is one (1) month, extended to two (2) months in cases of particular complexity; in these cases, the Bank shall provide at least one interim communication within one (1) month. In principle, the exercise of the rights is free; having assessed the complexity of dealing with the request and, in the case of clearly unfounded or excessive requests (including repeated requests) the Bank reserves the right to ask for a contribution.
The Bank has the right to ask for further information necessary for the purposes of identifying the requesting party.
6. Personal data storage periods.
RIB processes and keeps the personal data of the Data Subject throughout the period of the contractual relationship and for period after the contract is at an end, for the execution of the obligations inherent and consequent upon it, to respect the applicable legal and regulatory obligations, as well as for its own or third-party defence purposes, up to expiry of the period for storage of data. In particular, the period of storage of personal data of the Data Subject runs:
- For products / services included in the multi-contract: from extinction of the current account, independently of closure over time of other connected products / services;
- And/or for all other products / services regulated by specific contracts (for example, credit cards, loans): from the date of closure of the contractual relationship relating to the specific product / service.
RIB has the obligation to communicate the request for erasure to other data controllers who process personal data for which the Data Subject has requested erasure.
At the end of the storage period, the personal data referring to the Data Subject will be erased or kept in a form that does not allow the identification of the Data Subject, unless its further processing is necessary for one or more of the following purposes:
- Resolution of disputes and / or litigation commenced prior to expiry of the storage period;
- To follow up investigations / inspections by the functions of internal monitoring and or external authorities commenced before expiry of the preservation period;
- To comply with requests from national (local) and / or foreign public authorities sent / notified to the Bank prior to expiry of the preservation period.
7. Transfer of data to other countries.
Personal data may also be transferred to countries not belonging to the European Union or to the European Economic Area (so-called “Third-Party Countries”) recognised by the European Commission as having an adequate level protection of personal data. RIB shall only transfer data to other Third-Party Countries if such countries have an adequate level of protection of personal data compared to that of the European Union (for example, through the signing of the standard contractual clauses set out by the European commission) and the RIB suppliers located in the third-party country have agreed to appropriate measures so that the exercise of the rights of the Data Subject is protected.
8. Information note on the processing of data within the transfer activity of funds carried out by SWIFT.
To support international financial transactions (for example bank transfers abroad) and any specific operations in the national area (for example transfers in foreign currency and / or with a non-resident counterparty), requested by the Data Subject, it is necessary to use international messaging service handled by SWIFT, with registered office in Belgium (www.swift.com).
The Bank informs SWIFT (Controller of the S.WIFT Net Fin system) of the data necessary for execution of the transactions (for example, the names of the payee, the beneficiary and the respective banks, the bank details, the amount and, if stated, the reason for the payment).
9. Information note on the processing of data for navigation, cookies and data referring to the use of the Call Centre).
Furthermore, the systems and the procedures of the Bank’s Call Centre requires access to some data of the Data Subject (for example any remote number of the caller, duration of the call, and, subject to prior notice to the Data Subject, audio recording of the call).
For special orders and instructions from clients, as well as in relation to specific concrete requirements (such as for example those relating to security checks), the Bank may record the content of telephone conversations held, also for evidentiary purposes and for protection of rights in the case of dispute. In all these cases, the Data Subject shall be informed of these recordings at the start of the telephone conversation.
The full information note on the subject is available at the dedicated area on the website www.reserveinterstatebank.com
RIB reserves the right to make changes to this policy from to time to time. Please check back on the website to be aware of any updates.