Slide

BPL Privacy Notice

1. Who we are?

Banque Patronus Limitée (“BPL”) is a bank duly licensed under the laws of Mauritius (Business registration number C22192744) with its registered address at Hotel Avenue, 11th Floor, Bramer House Ebene, Cybercity, Republic of Mauritius and is registered as a data controller for the purposes of the Data Protection Act 2017.

2. Introduction

We respect the privacy of everyone to whom we provide our services. As a result, we would like to inform you regarding the way we would use your personal data. We recommend reading this Privacy Notice (hereafter the “Privacy Notice”) so that you may understand our approach towards the use of your personal data. By submitting your personal data to us, we will make sure that the required consent is obtained from you.

By using this website, you acknowledge that you have reviewed the terms of this Privacy Notice and agree that we may collect, use, and transfer your personal data in accordance therewith.

If you do not agree with these terms, you may choose not to provide any personal data, but this may impact our ability to support you as a customer.

This Privacy Notice forms part of our Terms and Conditions of Use, and same shall be governed by and construed in accordance with the relevant laws.

This Privacy Notice explains how we obtain, use, and disclose your personal data, as required by the European Union General Data Protection Regulation (hereafter the “GDPR”) and the Data Protection Act 2017 (hereafter the “DPA”). We are committed to protect your privacy and to ensure that your personal data is collected and used properly, lawfully, and openly.

2. Definitions & Interpretation

The definition and interpretation are for reference purposes:

Customer” – any individual with which the bank has a business relationship.

Consent” - Under data protection laws such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, consent is defined as any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them..

Data breach” - occurs when unauthorized individuals gain access to sensitive, protected, or confidential data.

Data controller”- it is the entity which has the primary responsibility for ensuring that personal data is handled in compliance with data protection laws and regulations with respect to data collection, use, storage, and sharing.

Data processor” - handles personal data for the data controller based on their instructions.

Data Protection Officer (DPO) - The DPO is the appointed officer by the data controller who oversees the organisation’s compliance with data protection laws and regulations.

Data Protection Laws” means Data Protection Act 2017, any regulations, and other amendments or applicable guidelines or practice issued by the Local Data Protection Office or other local and international authorities.

Data subject”- It relates to any identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person."

Data subject Rights” - Includes the right to access, rectification, erasure (right to be forgotten), and data portability.

GDPR” – General Data Protection Regulation (EU) 2016/679

Personal data” - Personal data means any information which identifies an individual person or from which an individual person is identifiable.

Third party” – means any person other than the customer and includes the persons listed in paragraph 6.

4. Collection of Personal data

We collect data directly from you where you provide us with your personal details, such as when you avail services or products from us or when you submit enquiries to or contact us. Where possible, we will inform you what data you are required to provide to us and what data is optional.

The types of personal data that are collected and processed may include:

Categories of Personal Data:
Details:
Contact details
First name, surname, username, user ID, postal address, current address, permanent address, email address, office phone, cell phone, fax number
Individual details
Sex(male/female), nationality, birth, age, language, qualifications, employment history, marital status, trade union membership, annual leave details, sick leave details, performance details
Identification details
Identification numbers issued by governmental bodies or agencies such as your passport number, identity card number, and driving license number
Financial information
Financial history, salary, pension, tax, bank details
Credit risk and anti-fraud details
Information which we need to collect to assess the risk in providing a product/service. This may include data relating to criminal convictions, credit history, purchase history, credit score, and information received from various anti-fraud databases or other special categories of personal data.
Special categories of personal data
Certain categories of personal data which have additional protection under the DPA and GDPR, namely biometric information or criminal convictions.

5. Processing of Personal Data

We will use your personal data only for the purposes for which it was collected or agreed with you or to reply to regulatory bodies, for instance:

  1. To carry out our obligations arising from any contracts and/or arrangements entered between you and us.
  2. To comply with legal and regulatory requirements.
  3. For audit and record keeping purposes.
  4. In connection with legal proceedings.
  5. To confirm and verify your identity for security purposes.
  6. To contact you regarding products and services (including those of relevant third parties) which may be of interest to you, provided you have previously requested a product or service from us, and the communication is relevant or related to that prior request and made within any timeframes established by applicable laws.
  7. To notify you about changes in our service.
  8. To respond to your queries or comments.
  9. To conduct market or customer satisfaction research or for statistical analysis.
  10. To analyze the effectiveness of our advertisements, competitions and promotion.
  11. To collect data about the device you are using to view the Bank’s website, such as your IP address or the type of Internet browser or operating system you are using, and link this to your personal data to ensure that the website presents the best web experience for you.
  12. To evaluate the use of the website, products and services.
  13. For monitoring and auditing website usage; and
  14. To assist with business development.

You can opt out of receiving communications from us at any time. Any direct marketing communications that we send to you will provide you with the data and means necessary to opt out.

6. Disclosure of Personal Data

We may disclose your personal data to our business partners who participate in the delivery of products or services to you. We have agreements in place to ensure that they comply with these privacy terms.

For the purposes listed above and in performance of the Bank’s duties, we may share your personal data with, and obtain data about you to:

  1. Regulatory authorities and any other official authorities.
  2. Third parties including data processors, lawyers, bankers and auditors who provide consultancy, banking, legal and accounting services; and,
  3. Credit institutions or credit reference agencies or any external service provider with which the Bank deals with, in context of providing services to the customer,
  4. Any other third party with whom your personal data is shared upon your request or consent.

7. International Transfer of Data

We may also disclose your data, where we have a duty or a right to disclose in terms of law or industry codes and where we believe it is necessary to protect our rights.

The Bank usually do not disclose your personal data to any other third party. However, in case there is a transfer of your data, the Bank would do the needful to be following the GDPR and the DPA.

8. Data Security

  1. We will use technical and organisational measures to safeguard your data and prevent data breach, and for that purpose, we will, on an ongoing basis, continue to review our security controls and internal compliance with internal policies to ensure that your personal data is secure.
  2. When we contract with third parties, we impose appropriate security, privacy, and confidentiality obligations on them to ensure that personal data that we remain responsible for, is kept secure and there is no loss, misuse, unauthorised access, disclosure or alteration to your personal data.
  3. We will ensure that anyone to whom we pass your personal data agrees to treat your data with the same level of protection as we are obliged to.
  4. Furthermore, data will be stored on secure servers & cloud storage, personal computers, mobile services, in secure cabinets and manual record-keeping systems.

9. Data Retention & Deletion

Data will be normally kept for a period of 7 years as per Bank of Mauritius guidelines. This will enable us to comply with legal and regulatory requirements or use it for our legitimate purposes.

Personal data will be retained if it is legally required for other legitimate purposes for example to respond to queries or complaints fraud, financial crime or responding to requests from regulators.

If we do not need to retain information for this period, we may destroy, delete, or anonymise it.

10. Data Subject Rights

Under the GDPR/DPA, as a Data subject, you have certain rights which we are duty-bound to inform you about. The rights available to you depend on our reason for processing your information.

10.1. Rights to access

  1. You have the right to request a copy of the personal data we hold about you. To do this, simply contact our Data Protection Officer and specify what data you would like. We will take all reasonable steps to confirm your identity before providing details of your personal data.
  2. You will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive

10.2 Rights to withdraw your consent

  1. You may withdraw your consent to the Bank as regards to the disclosure and processing of your personal data for any particular purpose(s) at any time. Should you avail yourself of this right, you will need to notify the Bank in writing. If you withdraw your consent, we may not be able to provide you with certain products or services and you will be informed accordingly.
  2. However, notwithstanding the withdrawal of your consent, your personal data may still be processed by the Bank in the performance of its statutory duties.

10.3 Rights to rectify

  1. You have the right to ask us to update or correct your personal data if you think it is inaccurate, incomplete, or outdated. We will take all reasonable steps to confirm your identity before making changes to personal data we may hold about you. We would appreciate it if you would take the necessary steps to keep your personal data accurate and up to date by notifying us of any change that we need to be aware of.

10.4 Rights to deletion & erasure

You have the right to ask us to delete your personal data in certain circumstances:

  1. When we no longer need your personal data.
  2. If you initially consented to the use of your personal data but have now withdrawn your consent.
  3. If you have objected to us using your personal data, and your interests outweigh ours.
  4. If we have collected or used your personal data unlawfully; and
  5. If we have a legal obligation to erase your data.

Where we collect personal data for a specific purpose, we will not keep it for longer than is necessary to fulfil that purpose, unless we must keep it for legitimate business or legal reasons. In order To protect data from accidental or malicious destruction, when we delete data from our services, we may not immediately delete residual copies from our servers or remove data from our backup systems.

10.5 Rights to restrict use of Data

You have the right to ask us to limit how we use your data. To exercise your right to restriction, simply contact our Data Protection Officer, say what data you want restricted and state your reasons. You may request us to restrict processing of your personal data in the following circumstances:

  1. If you have contested the accuracy of your personal data, for a period to enable us to verify the accuracy of the data.
  2. If you have made an objection to the use of your personal data.
  3. If we have processed your personal data unlawfully but you do not want it to be deleted.
  4. If we no longer need your personal data but you want us to keep it in order to create, exercise or defend legal claims.

10.6 Rights to object

You also have the right to object to us processing your personal data where your data is being used:

  1. For a task carried out in the public interest.
  2. For our legitimate interests.
  3. For scientific or historical research, or statistical purposes; or
  4. For direct marketing.

10.7 Rights to complain

If you have any questions on this Privacy notice or complaint regarding treatment of your privacy, pleased contact our Data protection officer.

You have the right to complain with the Data Commissioner through the Data Protection Office if you believe we have not handled your request in an appropriate manner.

11. How to contact us

We have appointed a Data Protection Officer (DPO) to oversee compliance with and questions in relation to this Privacy Notice. If you have any question about this Privacy Notice, including any request to exercise your legal rights, please contact our Data Protection Officer using the details set out below:

Data Protection Officer
Banque Patronus Limitée
Hotel Avenue 11th Floor, Bramer House
Ebene, Cybercity,
Republic of Mauritius

Disclaimer - Changes to this notice
This Privacy Notice may be updated from time to time, this version is dated August 2024.