Contents
3. How Long We Keep Information For
4. Security Of Personal Information
9. Transfers Outside Of The UK, EEA, Switzerland
12. Policy Review And Amendments
1. INTRODUCTION
We, Bank of Africa United Kingdom PLC (Hereinafter referred to ask “BOA UK” , “Bank”, “we”, “us”.) registered at 37 Sun Street, London, EC2M 2PL, United Kingdom take the protection of your personal data very seriously and strictly adhere to the rules laid out by data protection laws and the General Data Protection Regulation (GDPR-EU and GDPR-UK).
This privacy notice aims to give you information on how the Bank collects and processes your personal data through your interaction with our websites under the domain https://www.bankofafricaunitedkingdom.co.uk/, or by entering into a relationship with us, for the delivery of our services and to comply with our legal requirements.
2.WHO YOU ARE
The types of personal data we process, our purpose and the lawful basis for processing as well as how we make use of the data depends upon the relationship you have with us.
In the sections that follow we have outlined the type of personal data we collect and how we collect it, the purposes for which we process personal data and our lawful bases for our different relationships.
Please select the relevant section for you from the list below, based on the relationship you have with us:
- Clients and Shareholders/Guarantor’s/Director’s/UBOs/Staff or Representatives of Clients
- Lenders and Staff or Representative of Lenders
- Suppliers or Staff/Representative of Suppliers
- Recruitment Candidates
A) CLIENTS AND SHAREHOLDERS/GUARANTORS/DIRECTORS/UBOS/STAFF OR REPRESENTATIVES OF CLIENTS
1. WHY WE COLLECT YOUR PERSONAL INFORMATION
- To manage relationship with the clients and communicating with you (excluding communicating for the purposes of direct marketing)
-
To provide products and services including the client onboahrding process, signing of commercial contracts and NDAs, recording guarantees, correspondent banking set-up etc.
- To make and manage customer payments including creating bank statements and cash flow reporting.
- To manage and maintain fees, charges, interest and recover money that is owed to the Bank
- To manage and maintain fees, charges, interest and debt recovery.
- To identify, investigate and prevent financial crime including through generation of suspicious activity reports, conducting credit risk assessments
- To comply with laws and regulations that apply to the Bank and minimize and mitigate risk for the Bank including conducting client due diligence, fulfilling KYC requests, client financial analysis, carrying out politically exposed person (PEP) checks etc, file regulatory reports and SCV submissions, recording calls for prevention of market manipulations and insider trading.
- To reply to and manage complaints and to try to resolve them including managing litigations.
- To ensure that we carry our business in an effective and efficient manner such as through data quality assurance for reports.
- To allow controls to be performed by our internal audit and control functions including 2nd and 3rd lines of defence.
- To carry out our loan solutions and syndications processes including processing information memorandums, signing of NDAs for the creation of data rooms.
- To follow business opportunities (B2B Marketing)
2. LAWFUL BASIS OF PROCESSING PERSONAL INFORMATION
We only collect and use personal information about you when the law allows us to. Most commonly, we use it where:
- When it takes specific steps to enter in a contract or performs its contractual obligations such as providing Banking products to its customers.
- When it performs its legal or statutory obligations such as reporting to regulators or sanction screening.
- The Bank may process your personal information where it is in the Bank’s legitimate interest. The bank will ensure that, whilst it may pursue its legitimate interest, it puts systems and controls in place to safeguard the fundamental rights and freedom of the data subject. This may include processing your information to:
a. identify new business opportunities, to develop and manage a relationship with you;
b. mitigate and manage risk for the bank by completing credit risk analysis and
c. to process personal data for litigation purposes.
Where legitimate interest is identified as a lawful basis, we will undertake a legitimate interest assessment which is a three-part test covering:
The purpose test – to identify the legitimate interest
Necessity test – to consider if the processing is necessary for the purpose identified
Balancing test – considering the individual’s interests, rights or freedoms and whether these override the legitimate interests identified.
3. WHAT INFORMATION DO WE COLLECT AND WHERE FROM?
We collect your personal data through various sources or through our interactions and relationship with you. These include information you submit directly by completing forms, applications, or contacting the Bank via email, post or telephone; information that is provided to the Bank when it conducts identity and address checks; information that is received from companies that provide Politically Exposed Person (PEP) checks; information that is received from companies that carry out due diligence checks; data from agents and brokers that introduce potential clients to the Bank; businesses that provide the Bank with Debit Card facilities; payments and remittances received by the Bank.
The categories of personal information that we may collect, store and use about you include:
- Identity information such as title, first name, last name, maiden name, marital status, date of birth, gender, father’s name, ID number, nationality, passport details, national insurance number, signature, country of residence and country of tax residence.
- Professional information such as job title, company name, shareholding information
- Contact data which can include billing address, delivery address, email and telephone numbers.
- Financial data that may include bank account number, bank statement and bank balance, payment information, evaluation of assets.
- Transaction data which includes details about payments made through us and details of purchases made by you.
- Usage data which consists of information about how you use the Bank’s website, products and services.
- Data that is Open and data from Public Records which may provide us with any information that is openly available on the internet such as adverse media.
- Information about guarantors and personal guarantees.
- Call recordings.
3.1 Special Category Data
We collect the following special category data from you:
- Ethnicity and religion information for credit risk assessment.
- PEP Screening results (may reveal information about political beliefs.
We will only process special category data where we have an Article 9 exception allowing us to do so, in this case, where we have the explicit consent of the data subject as per Article 9 paragraph 2a of the GDPR and as per the substantial public interest condition in Article 9 paragraph 2g of the GDPR and the Data Protection Act 2018 schedule 1 condition 8 and 9.
For more information please see here
B) LENDERS AND STAFF OR REPRESENTATIVE OF LENDERS
1. WHY WE COLLECT YOUR PERSONAL INFORMATION
- For the purpose of managing our relationships and your accounts, communicating with you (excluding communicating for the purposes of direct marketing)
- For the facilitation of carrying out transactions
- To carry out our loan solutions and syndications processes including processing information memorandums, signing of NDAs for the creation of data rooms.
- To manage any possible litigation
- Call recordings.
2. LAWFUL BASIS OF PROCESSING PERSONAL INFORMATION
We only collect and use personal information about you when the law allows us to. Most commonly, we use it where:
- If the processing is necessary for compliance with a legal obligation to which the controller is subject.
- The Bank may process your personal information where it is in the Bank’s legitimate interest. The bank will ensure that, whilst it may pursue its legitimate interest, it puts systems and controls in place to safeguard the fundamental rights and freedom of the data subject. This may include processing your information to:
a. To develop and manage a relationship with you;
b. Facilitating the carrying out of transactions
c. To process personal data for litigation purposes.
Where legitimate interest is identified as a lawful basis, we will undertake a legitimate interest assessment which is a three-part test covering:
The purpose test – to identify the legitimate interest
Necessity test – to consider if the processing is necessary for the purpose identified
Balancing test – considering the individual’s interests, rights or freedoms and whether these override the legitimate interests identified.
3. WHAT INFORMATION DO WE COLLECT AND WHERE FROM?
We collect your personal data throughout our relationship with you, when carrying out transactions and when signing NDAs. We may collect and process the following information about you:
- Identity information such as first name, last name, signature.
- Professional information such as job title, company name.
- Contact data which can include email and telephone numbers.
For more information please see here.
C) SUPPLIER OR STAFF/REPRESENTATIVE OF SUPPLIERS
1. WHY WE COLLECT YOUR PERSONAL INFORMATION
- For the purpose of managing our relationships, communicating with you (excluding communicating for the purposes of direct marketing)
- For the issuing and tracking and invoices and where we need to perform the contract we have entered with you such as by making payments.
- To manage any possible litigation and storing commercial contracts.
- To carry out due-diligence checks prior to our engagement.
2. LAWFUL BASIS OF PROCESSING PERSONAL INFORMATION
We only collect and use personal information about you when the law allows us to. Most commonly, we use it where:
- If the processing is necessary for the performance of a contract.
- If the processing is necessary for compliance with a legal obligation to which the controller is subject.
- The Bank may process your personal information where it is in the Bank’s legitimate interest. The bank will ensure that, whilst it may pursue its legitimate interest, it puts systems and controls in place to safeguard the fundamental rights and freedom of the data subject. This may include processing your information to:
a. To develop and manage a relationship with you;
b. To carry out due diligence checks prior to our engagement
c. To process personal data for litigation purposes.
Where legitimate interest is identified as a lawful basis, we will undertake a legitimate interest assessment which is a three-part test covering:
The purpose test – to identify the legitimate interest
Necessity test – to consider if the processing is necessary for the purpose identified
Balancing test – considering the individual’s interests, rights or freedoms and whether these override the legitimate interests identified.
3. WHAT INFORMATION DO WE COLLECT AND WHERE FROM?
We collect your personal data through publicly available sources or referrals initially and through our relationship with you. We may collect and process the following information about you:
- Identification information such as name and surname
- Contact information such as email, telephone number
- Job Title, company address
- Bank details for expenses
For more information please see here.
1. WHY WE COLLECT YOUR PERSONAL INFORMATION
- For the purpose of managing our relationships, communicating with you (excluding communicating for the purposes of direct marketing) by email, SMS, post, fax and/or telephone, providing support services and complaint handling.
- For the purpose of carrying out our recruitment process and determine eligibility for the advertised role.
- For the purpose of onboarding you to the Bank if you are selected.
2. LAWFUL BASIS OF PROCESSING PERSONAL INFORMATION
We only collect and use personal information about you when the law allows us to. Most commonly, we use it where:
- If the processing is necessary for the performance of a contract.
- If the processing is necessary for compliance with a legal obligation to which the controller is subject.
3. WHAT INFORMATION DO WE COLLECT AND WHERE FROM?
We collect your personal data through your application and through using recruitment agencies. We may collect and process the following information about you:
- Identification information such as name and surname including any other listed on the CVs such as nationality
- Information available on CV or cover letters
- Contact information such as email addresses, postal address & telephone numbers
- Education history such as establishments attended and qualifications.
- Employment history
For more information please see here
3. HOW LONG WE KEEP INFORMATION FOR
Your personal data is only retained for the period that we need it for, or in accordance with laws, regulations and professional obligations that we are subject to. To determine the appropriate retention period for the collected personal data, we consider the amount, nature, and sensitivity of the data. All personal information collect has a defined retention period, which is in-line with our retention policy. If the personal data in no longer needed, the Bank may destroy, delete or anonymise it. If you would like to find out how long your information is being retained, please see "additional information", section 12 of this policy.
4. SECURITY OF PERSONAL INFORMATION
We take the responsibility for protecting your privacy very seriously and we will ensure your data is secured in accordance with our obligations under the Data Protection laws. We have in place technical and organisational measures to ensure personal information is secured and to prevent your personal data from being accessed in an unauthorised way, altered or disclosed. We have in place a robust access control policy which limits access to your personal data to those employees, contractors and other third parties who only have a business need to know. The processing of your personal data will only take place subject to our instruction.
We have policies and procedures to handle any potential data security breaches and data subjects, third parties and any applicable regulators will be notified where we are legally required to do so.
We have ensured that all employees have had information security and data protection training. If you would like more details of the security we have in place, please see "additional information", section 12 of this policy.
5. CHILDREN'S INFORMATION
We do not knowingly collect information on children. If you would like to find out more on how your children’s data may be retained, please see "additional information", section 12 of this policy.
6. YOUR INDIVIDUAL RIGHTS
In this Section, we have summarised the rights that you have under General Data Protection Regulation. Some of the rights are complex, and not all the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
Your principal rights under General Data Protection Regulation are:
- Right to Object
- Right of Access
- Right to be informed
- Right to Rectification
- Right to Erasure
- Right to Restrict Processing
- Right to Data Portability
- Right to Withdraw Consent
Data Subject Right |
Condition to Exercise |
Right to Object |
You can exercise this right if:
|
Right of Access |
|
Right to be Informed |
|
Right of Rectification |
|
Right to Erasure |
|
Right to Restrict Processing |
|
Right to Data Portability |
|
Right to Withdraw Consent |
37 Sun Street
|
The Bank will not ask for a fee to access any personal data. However, it may charge a reasonable fee if the request is clearly unfounded, repetitive or excessive. Alternatively, the Bank can refuse to comply with request in such circumstances. The Bank can request for more specific information to help confirm identity and to ensure the right to access your personal data. We may also contact you to ask for further information in relation to your request to speed up our response.
The Bank reserves the right to withhold any information if it has any adverse effects on the rights and freedoms of other data subjects. This means that revealing that information can be against the public or business interest.
We aim to ensure that we respond to all legitimate requests within one month. Occasionally it may take an additional two months if the request is particularly complex or multiple requests have been made. In this case, BOA UK will inform you and explain why such an extension is necessary.
If you have any question about these rights, please see "additional information", section 12 of this policy.
7. AUTOMATED DECISION MAKING
Your personal data is not used in any automated decision making (a decision made solely by automated means without any human involvement) or profiling (automated processing of personal data to evaluate certain conditions about an individual).
Where we make an automated decision which has a legal or substantially similar effect, you have the right to speak to us and we may then review the decision, provide a more detailed explanation and assess if the automated decision was made correctly.
8. COOKIES
We don’t currently operate any non-essential cookies on our website. We reserve the right to update this section should this change, we will notify you of such changes.
9. TRANSFERS TO THIRD PARTIES
BOA UK may disclose your personal data, listed in section 2 to some third parties to help us deliver our services/products. All third parties are contractually bound to protect the personal data we provide to them. We may use several or all of the following categories of recipients:
- Professional advisers including lawyers, auditors and insurers who provide consultancy, legal, insurance, and accounting services.
- Regulators and other authorities such as auditors based in the United Kingdom and other relevant jurisdictions who require reporting of processing activities in certain circumstances. reports
- BOA UK head offices, branches and subsidiaries.
- Business partners, suppliers, contractors for the performance of any contract we enter into with them or delivery of our products and services, or assisting with our legal obligations such as companies that provide due – diligence checks of our customers, companies that provide PEP checks of our customers, financial services companies that help us to prevent, detect and report fraudulent and criminal activities, agents and brokers that provide business to the Bank etc.
- Third parties that support us to provide products and services such as cloud-based software services including hosting providers such as Microsoft
- Parent Company in Morocco for credit risk assessments.
10. TRANSFERS OUTSIDE OF THE UK, EEA, SWITZERLAND
In this section, we provide information about the circumstances in which your personal data may be transferred and stored internationally.
If we any personal data internationally, will ensure that any personal information transferred will only be processed on our instruction and that information security at the highest standard would be used to protect any personal information as required by the Data Protection laws. International data transfers occurring within the Bank of Africa United Kingdom group are based on adequacy decisions.
We may also share your personal data with our parent company in Morocco, their subsidiary in Dubai and various other banks we work with. Where personal data is transferred internationally to a country without an adequacy decision, we will ensure appropriate safeguards are in place prior to the transfer. These could include:
Standard Contractual Clauses with/without ICO Addendum (Depending on the exporting party)
International Data Transfer Agreement
An exception as defined in Article 49 of the GDPR
For more information about transfers and safeguarding measures, please contact us using the information in section 12.
11. RIGHT TO COMPLAINT
We take any complaints about our collection and use of personal information very seriously.
If you think that our collection or use of personal information is unfair, misleading, or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.
To make a complaint, please contact us via email at Data.Protection@bankofafricauk.co.uk .
Alternatively, you can contact us:
By Post: London: 37 Sun Street, London, EC2M 2PL, United Kingdom
Paris: Les Collines de l'Arche Immeuble Madeleine D 76 rue de la Demi-Lune CS 90364
92 057 PARIS LADEFENSE CEDEX France
Switzerland: Bank of Africa United Kingdom plc Representative Office – Zurich Fraumünsterstrasse 15, 8001
Alternatively, you can make a complaint to your local data protection regulator:
United Kingdom (ICO) |
By Post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF By Website: Click Here By Email: Click Here By Phone: +44 (0) 303 123 1113 (Local rate) or +44 (0) 1625 545 745 (National rate) |
France (CNIL) |
By Website: Click Here. By Phone: +33 (0)1 53 73 22 22 |
Switzerland (FDPIC) |
By Website: Click Here. By Phone: +41 (0)58 462 43 95 |
12. ADDITIONAL INFORMATION
Your trust is important to us. That is why we are always available to talk with you at any time and answer any questions concerning how your data is processed. If you have any questions that could not be answered by this privacy policy or if you wish to receive more in-depth information about any topic within it, please contact our DPO and Compliance Team via email on Data.Protection@bankofafricauk.co.uk .
13. POLICY REVIEW AND AMENDMENTS
We keep this Policy under regular review. This Policy was last updated on 07/07/2023.
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.