The group will process the personal information of related persons as stated in this notice, thus references to “customer/s” in this notice will include related persons with the necessary amendments.

Privacy Notice

1. Introduction

FirstRand Limited (FirstRand or the group) follows a multi-branding approach. Some of the group’s major brands are shown below.

FirstRand’s simplified legal entity structure can be found on the group’s website at: https://www.firstrand.co.za/the-group/ownership-and-legal-structure/

2. Scope

This notice applies to the FirstRand group of companies as defined in the definitions section. The various companies in the group offer solutions that are financial and non-financial in nature. These solutions include transactional, lending, investment, insurance, telecommunication and consumer products, goods and services. In this notice solution means any product, service or goods offered by a group company whether financial or non-financial in nature.

3. Definitions

In this document, references to “FirstRand” or “the group” are to FirstRand Limited and its subsidiary companies, including divisions, segments, and business units. Certain subsidiary companies may be excluded from the group description for the purposes of this privacy notice (such as where the group is involved in private equity investments). Confirmation as to whether this privacy notice applies to a specific company (a registered legal entity) associated with the group can be sought through the contact details provided in this privacy notice. In this privacy notice, any reference to “the group” or “FirstRand” includes any one or more (if they are acting jointly) group companies and all affiliates, associates, cessionaries, delegates, successors in title or third parties (authorised agents and contractors), when such parties are acting as responsible parties, joint responsible parties or operators in terms of applicable privacy laws, unless stated otherwise.

In this notice, references to the group’s platform means the platform provided by a company within the group
which is a collection of capabilities, including that of the group’s agents and independent third-party service
providers.

For the purpose of this notice a “customer” includes:

  • prospective customers (persons who are interested in the group solutions or to whom the group may be offering or promoting products or services solutions);
  • new and existing customers (persons who have taken up group solutions );
  • previous customers (persons who previously had taken up group solutions ); and
  • users (persons who use group platforms, customer interfaces or channels).

Examples provided in this notice are for illustrative purposes and are not exhaustive.

4. Background and purpose of this notice

Protecting customers’ personal information is important to FirstRand. To do so, it follows general principles in accordance with applicable privacy laws.

The group has developed this group customer privacy notice (notice) to enable its customers to understand how the group collects, uses, and safeguards their personal information.

The group collects personal information about its customers. This includes what customers tell the group about themselves, what the group learns by having a customer or when a customer makes use of a solution or interacts with the group’s platform through various interfaces and channels, as well as the choices customers make about the marketing they elect to receive. This notice also outlines customers’ privacy rights and how the law protects customers.

In terms of applicable privacy laws, this notice may also apply on behalf of other third parties (such as authorised agents and contractors), acting on the group’s behalf when providing customers with solutions. If a FirstRand group business processes personal information for another party under a contract or a mandate, however, the other party’s privacy policy or notice will apply.

In this notice “process” means how the group collects, uses, stores, makes available, destroys, updates, discloses, or otherwise deals with customers’ personal information. The group respects customers’ privacy and will treat their personal information confidentially.

The group may combine customers’ personal information (across the group’s platform, interfaces, channels or companies) and use the combined personal information for any of the purposes stated in this notice.

VERY IMPORTANT: If customers use the group’s platform, group solutions or service channels (including both assisted and unassisted interactions), or by accepting any rules, agreement, contract, mandate or annexure with the group, or by utilising any solutions offered by the group, customers agree that in order to:

  • conclude and fulfil contractual terms or obligations to a customer;
  • comply with obligations imposed by law; or
  • to protect or pursue customers’, the group’s, or a third party’s legitimate interests, including designing and offering solutions that best meet customers’ needs;

customers’ personal information may be processed through centralised functions and systems across companies in the group and may be used for the purposes, in the manner, and with the appropriate controls as set out in this notice.

Where it is necessary to obtain consent for processing, the group will seek customers’ consent separately. Customers should read the consent request carefully as it may limit their rights. A customer may maintain their consent preferences on the group’s platform. Details on how to change customer preferences are available on the various group apps and websites.

NOTE: As the group has operations in a number of countries, this notice will apply to the processing of personal information by any entity in the group in any country, and the processing of customers’ personal information may be conducted outside the borders of South Africa but will be processed according to the requirements and safeguards of applicable privacy law or privacy rules that bind the group. If a group entity has its own privacy notice, that privacy notice would take precedence over this notice.

The group may change this notice from time to time if required by law or its business practices. Where the change is material, the group will notify customers and will allow a reasonable period for customers to raise any objections before the change is made. Please note that the group may not be able to continue a relationship with a customer or provide customers with certain solutions or permit access to the group’s platform if they do not agree to the changes.

The latest version of the notice displayed on FirstRand’s website will apply to customers’ interactions with the group and is available at: https://www.firstrand.co.za/investors/esg-resource-hub/policies-and-practices/.

5. Responsible parties

The group has several responsible parties. These parties or companies are responsible for determining why and how the group will use customers’ personal information. When a customer uses the group’s platform, the responsible party would be the company within the group that provides the platform, acting jointly with the other companies in the group. Similarly, when a customer uses a solution provided by any group entity, the responsible party will be the entity which the customer engages to take up the solution, acting jointly with the other entities in the group. It will be clear to customers from the documentation they receive when using or taking up a solution, or interacting with the group’s platform, who the responsible party is and who should be contacted in the first instance.

Customers can contact the various responsible parties in the group through the applicable business, details of which are set out below.

fnbpaia@fnb.co.za
rmbprivacy.office@rmb.co.za
privacy@wesbank.co.za
dlashburtonsacompliance@ashburton.co.za
fnbpaia@fnb.co.za
compliance@motovantage.co.za


6. What is personal information?

Personal information refers to any information that identifies a customer or specifically relates to a customer. Personal information includes, but is not limited to, the following information about a customer:

  • marital status (married, single, divorced); national origin; age; language; birth; education;
  • financial history (e.g. income, expenses, obligations, assets and liabilities or buying, investing, lending, insurance, banking and money management behaviour or goals and needs based on, amongst others, account transactions);
  • employment history and current employment status (for example when a customer applies for credit);
  • gender or sex (for statistical purposes as required by the law);
  • identifying number (e.g. an account number, identity number or passport number);
  • e-mail address; physical address (e.g. residential address, work address or physical location); telephone number;
  • information about a customer’s location (e.g. geolocation or GPS location);
  • online identifiers (e.g. cookies, online analytical identifier numbers, internet protocol (IP) addresses, device fingerprints, device ID); social media profiles;
  • biometric information (e.g. fingerprints, signature, facial biometrics or voice);
  • race (for statistical purposes as required by the law);
  • physical health; mental health; wellbeing; disability; religion; belief; conscience; culture;
  • medical history (e.g. HIV/AIDS status); criminal history; employment history;
  • personal views, preferences and opinions;
  • confidential correspondence; or
  • another’s views or opinions about a customer and a customer’s name also constitute personal information.

Depending on the applicable law of the country, a juristic entity (like a company) may also have personal information which is protectable in law and which may be processed in terms of this notice.

There is also a category of personal information called special personal information, which includes the following personal information about a customer:

  • religious and philosophical beliefs (for example where a customer enters a competition and is requested to express a philosophical view);
  • race (e.g. where a customer applies for a solution where the statistical information must be recorded);
  • ethnic origin;
  • trade union membership;
  • political beliefs;
  • health including physical or mental health, disability and medical history (e.g. where a customer applies for an insurance policy);
  • biometric information (e.g. to verify a customer’s identity); or
  • criminal behaviour where it relates to the alleged commission of any offence or the proceedings relating to that offence.

7. When will the group process customers’ personal information?

The group may process customers’ personal information for lawful purposes relating to its business if the following circumstances apply:

  • it is necessary to conclude or perform under a contract the group has with the customer or to provide the solution to the customer;
  • the law requires or permits it;
  • it is required to protect or pursue the customer’s, the group’s or a third party’s legitimate interest;
  • the customer has consented thereto;
  • a person legally authorised by the customer, the law or a court, has consented thereto; or
  • the customer is a child and a competent person (such as a parent or guardian) has consented thereto on their behalf.

8. When will the group process customers’ special personal information?

The group may process customers’ special personal information in the following circumstances, among others:

  • if the processing is needed to create, use or protect a right or obligation in law;
  • if the processing is for statistical or research purposes, and all legal conditions are met;
  • if the special personal information was made public by the customer;
  • if the processing is required by law;
  • if racial information is processed and the processing is required to identify the customer;
  • if health information is processed, and the processing is to determine a customer’s insurance risk, or to perform under an insurance policy, or to enforce an insurance right or obligation; or
  • if the customer has consented to the processing.

9. When and how will the group process the personal information of children?

A child is a person who is defined as a child by a country’s legislation, and who has not been recognised as an adult by the courts.

The group processes the personal information of children if the law permits this.

The group may process the personal information of children if any one or more of the following applies:

  • a person with the ability to sign legal agreements has consented to the processing, being the parent or guardian of the child;
  • the processing is needed to create, use or protect a right or obligation in law, such as where the child is an heir in a will, a beneficiary of a trust, a beneficiary of an insurance policy or an insured person in terms of an insurance policy;
  • the child’s personal information was made public by the child, with the consent of a person who can sign legal agreements;
  • the processing is for statistical or research purposes and all legal conditions are met;
  • where the child is legally old enough to open a bank account without assistance from their parent or guardian;
  • where the child is legally old enough to sign a document as a witness without assistance from their parent or guardian; or
  • where the child benefits from a bank account such as an investment or savings account and a person with the ability to sign legal agreements has consented to the processing.

10. When, and from where, does the group obtain personal information about customers?

The group collects information about customers:

  • directly from customers;
  • based on the customers’ use of the group’s platform (e.g. behavioural information derived from interaction and movements on the group’s platform);
  • based on customers’ use of group solutions or service channels (such as group websites, applications (apps) and ATMs, including both assisted and unassisted customer interactions) as applicable;
  • based on how customers engage or interact with the group, such as on social media, and through emails, letters, telephone calls and surveys;
  • based on a customer’s relationship with the group;
  • from public sources (such as newspapers, company registers, online search engines, deed registries, public posts on social media, public directories);
  • from technology, such as a customer’s access and use including both assisted and unassisted interactions (e.g. on the group’s websites and mobile apps) to access and engage with the group’s platform (this includes cookies and online or app analytics);
  • customers’ engagement with group advertising, marketing and public messaging; and
  • from third parties that the group interacts with for the purposes of conducting its business (such as approved business partners who are natural or juristic persons holding a business relationship with the group, where such relationship does not fall within the category of a supplier, employee or customer relationship, e.g. insurers, original equipment manufacturers (OEMs) and dealers to offer customers assets, insurance products or other value-added solutions), reward partners, list providers, marketing list or lead providers, the group’s customer loyalty rewards programmes’ retail and online partners, credit bureaux, regulators and government departments or service providers).

The group collects and processes customers’ personal information at the start of, and for the duration of their relationship with the group. The group may also process customers’ personal information when their relationship with the group has ended.

If the law requires the group to do so, it will ask for customer consent before collecting personal information about them from third parties. The third parties (which may include parties the group engages with as independent responsible parties, joint responsible parties or operators) from whom the group may collect customers’ personal information include, but are not limited to, the following:

  • members of the group, any connected companies, subsidiary companies, its associates, cessionaries, delegates, assignees, affiliates or successors in title and/or appointed third parties (such as its authorised agents, partners, contractors and suppliers) for any of the purposes identified in this notice;
  • the financial services and product providers within the group, including representatives and intermediaries;
  • the customer’s spouse, dependants, partners, employer, joint applicant, account or card holder, authorised signatories or mandated persons, beneficiaries and other similar sources;
  • people the customer has authorised to share their personal information, such as a person that makes a travel booking on their behalf, or a medical practitioner for insurance purposes;
  • attorneys, tracing agents, debt collectors and other persons that assist with the enforcement of agreements;
  • payment processing services providers, merchants, banks and other persons that assist with the processing of customers’ payment instructions, such as card scheme providers (including VISA or MasterCard);
  • insurers, brokers, other financial institutions or other organisations that assist with insurance and assurance underwriting, the providing of insurance and assurance policies and products, the assessment of insurance and assurance claims, and other related purposes;
  • law enforcement and fraud prevention agencies, and other persons tasked with the prevention and prosecution of crime;
  • regulatory authorities, industry ombuds, government departments, and local and international tax authorities;
  • credit bureaux;
  • financial services exchanges;
  • qualification information providers;
  • trustees, executors or curators appointed by a court of law;
  • payment or account verification service providers;
  • the group’s service providers, agents and subcontractors, such as couriers and other persons the group uses to offer and provide solutions to customers;
  • courts of law or tribunals;
  • participating partners, whether retail or online, in the group’s customer rewards programmes;
  • the group’s joint venture partners;
  • the group’s business partners;
  • marketing list or lead providers;
  • social media platforms;
  • the user of a sim card, who is not the subscriber of the sim card, where telecommunication services are provided; or
  • online search engine providers.

11. Reasons the group needs to process customers’ personal information

The group may process customers’ personal information for the reasons outlined below.

11.1 Contract

The group may process customers’ personal information if it is necessary to conclude or perform under a contract the group has with a customer or to provide a solution to a customer. This includes:

  • to assess and process applications for solutions;
  • to assess the group’s lending and insurance risks;
  • to conduct affordability assessments, credit assessments and credit scoring;
  • to conduct a needs analysis so that the correct solution meeting the customer’s needs and circumstances may be provided;
  • to provide a customer with solutions they have requested;
  • to open, manage and maintain customer accounts or relationships with the group;
  • to enable the group to deliver goods, documents or notices to customers;
  • to communicate with customers and carry out customer instructions and requests;
  • to respond to customer enquiries and complaints;
  • to enforce and collect on any agreement when a customer is in default or breach of the terms and conditions of the agreement, such as tracing a customer, or to institute legal proceedings against a customer. In such scenario the group may aggregate the contact details provided to any of the companies in the group to determine the customer’s most accurate contact details in order to enforce or collect on any agreement the customer has with the group;
  • to disclose and obtain personal information from credit bureaux regarding a customer’s credit history;
  • to meet record-keeping obligations;
  • to conduct market and behavioural research, including scoring and analysis to determine if a customer qualifies for solutions, or to determine a customer’s credit or insurance risk;
  • to enable customers to participate in and make use of value-added solutions;
  • to enable customers to participate in customer rewards programmes: determine customer qualification for participation, rewards points, rewards level, and monitor customer buying behaviour with the group’s rewards partners to allocate the correct points or inform customers of appropriate solutions they may be interested in, or to inform the group’s reward partners about a customer’s purchasing behaviour;
  • to enable the sale and purchase of and payment for goods in the group’s digital marketplaces;
  • travel bookings, payments and arrangements;
  • customer satisfaction surveys, promotional and other competitions;
  • insurance and assurance underwriting and administration;
  • to process or consider or assess insurance or assurance claims;
  • to provide insurance and assurance policies, products and related services;
  • security and identity verification, and to check the accuracy of customer personal information;
  • to provide telecommunication, data and SIM card products and services; or
  • for any other related purposes.

11.2 Law

The group may process customers’ personal information if the law requires or permits it. This includes:

  • to comply with legislative, regulatory, risk and compliance requirements (including directives, sanctions and rules);
  • to comply with voluntary and involuntary codes of conduct and industry agreements;
  • to ensure that customers are treated fairly and to comply with conduct standards issued by market conduct authorities;
  • to fulfil reporting requirements and information requests;
  • to process payment instruments and payment instructions (such as a debit order);
  • to create, manufacture and print payment instruments and payment devices (such as a debit card);
  • to meet record-keeping obligations;
  • to detect, prevent and report theft, fraud, money laundering, corruption and other crimes. This may include the processing of special personal information, such as alleged criminal behaviour or the supply of false, misleading or dishonest information when opening an account with the group, or avoiding liability by way of deception, to the extent allowable under applicable privacy laws. The Financial Intelligence Centre Act obliges the group to collect personal and special personal information from customers and other third parties, to process personal and special personal information and further process personal and special personal information for the purposes of financial crime detection, prevention and reporting. The processing of personal information and special personal information may happen when customers transact, establish a relationship with the group and when utilising group solutions;
  • to conduct market and behavioural research, including scoring and analysis to determine if a customer qualifies for solutions, or to determine a customer’s credit or insurance risk;
  • to enable customers to participate in and make use of value-added solutions (e.g. the payment of traffic fines, renewal of vehicle licences, etc.);
  • to enable customers to participate in customer rewards programmes: determine customer qualification for participation, rewards points, rewards level, and monitor customer buying behaviour with the group’s rewards partners to allocate the correct points or inform customers of appropriate solutions they may be interested in, or to inform the group’s reward partners about a customer’s purchasing behaviour;
  • for customer satisfaction surveys, promotional and other competitions;
  • to assess the group’s lending and insurance risks;
  • to conduct affordability assessments, credit assessments and credit scoring;
  • to disclose and obtain personal information from credit bureaux regarding a customer’s credit history;
  • to develop credit models and credit tools;
  • for insurance and assurance underwriting and administration;
  • to process or consider or assess insurance or assurance claims;
  • to provide insurance and assurance policies and products, and related services;
  • to give effect to and adhere to legislation governing various protected relationships (e.g. civil unions, marriages, customary marriages); or
  • for any other related purposes.

11.3 Legitimate interest

The group may process customers’ personal information in the daily management of its business and finances and to protect the group’s customers, employees, service providers and assets. It is to the group’s benefit to ensure that its procedures, policies and systems operate efficiently and effectively.

The group may process customers’ personal information to provide them with the most appropriate solutions and to develop and improve group solutions, business and its platform.

The group may process a customer’s personal information if it is required to protect or pursue their, the group’s or a third party’s legitimate interest. This includes:

  • to develop, implement, monitor and improve the group’s business processes, policies and systems;
  • to manage business continuity and emergencies;
  • to protect and enforce the group’s rights and remedies in the law;
  • to develop, test and improve solutions for customers, this may include connecting customer personal information with other personal information obtained from third parties or public records to better understand customer needs and develop solutions that meet these needs. The group may also consider customer actions, behaviour, preferences, expectations, feedback and financial history;
  • tailoring solutions which would include consideration of a customer’s use of third-party products, goods and services and marketing of appropriate solutions to the customer, including marketing on the group’s own or other websites, mobile apps and social media;
  • to market group solutions to customers via various means including on group and other websites and mobile apps including social media, as well as tele-, postal- and in-person marketing;
  • to market business partner solutions via various means;
  • to respond to customer enquiries and communications including the recording of engagements and analysing the quality of the group’s engagements with a customer;
  • to respond to complaints including analytics of complaints to understand trends and prevent future complaints and providing compensation where appropriate;
  • to enforce and collect on any agreement when a customer is in default or breach of the terms and conditions of the agreement, such as tracing the customer, or to institute legal proceedings against the customer. In such a scenario, the group may aggregate the contact details provided to any of the companies in the group to determine the customer’s most accurate contact details in order to enforce or collect on any agreement the customer has with the group;
  • to process payment instruments and payment instructions (such as a debit order);
  • to create, manufacture and print payment instruments and payment devices (such as a debit card);
  • to meet record-keeping obligations;
  • to fulfil reporting requirements and information requests;
  • to comply with voluntary and involuntary codes of conduct and industry agreements;
  • to detect, prevent and report theft, fraud, money laundering, corruption and other crimes. This may include the processing of special personal information, such as alleged criminal behaviour or the supply of false, misleading or dishonest information when opening an account with the group, or avoiding liability by way of deception, to the extent allowable under applicable privacy laws. This may also include the monitoring of the group’s buildings including CCTV cameras and access control;
  • to conduct market and behavioural research, including scoring and analysis to determine if a customer qualifies for solutions, or to determine a customer’s credit or insurance risk;
  • for statistical purposes, such as market segmentation or customer segments (that is placing customers in groups with similar customers based on their personal information);
  • to enable customers to participate in customer rewards programmes: determine customer qualification for participation, rewards points, rewards level, and monitor customer buying behaviour with the group’s rewards partners to allocate the correct points or inform customers of appropriate solutions they may be interested in, or to inform the group’s reward partners about a customer’s purchasing behaviour;
  • for customer satisfaction surveys, promotional and other competitions;
  • to assess the group’s lending and insurance risks;
  • to disclose and obtain personal information from credit bureaux regarding a customer’s credit history;
  • to develop credit models and credit tools;
  • for any other related purposes.

12. Why does the group further use or process customers’ personal information?

At the time that the group collects personal information from a customer, it will have a reason or purpose to collect that personal information. In certain circumstances, however, the group may use that same personal information for other purposes. The group will only do this where the law allows it to and the other purposes are compatible with the original purpose/s applicable when the group collected the customer’s personal information. The group may also need to request a customer’s specific consent for the further processing in limited circumstances. Examples of these other purposes are included in the list of purposes set out in section 11 above.

The group may also further use or process a customer’s personal information if:

  • the personal information about the customer was obtained from a public record, like the deed’s registry;
  • the customer made the personal information public, like on social media;
  • the personal information is used for historical, statistical or research purposes, the results will not identify the customer;
  • proceedings have started or are contemplated in a court or tribunal;
  • it is in the interest of national security;
  • if the group must adhere to the law, specifically tax legislation; or
  • the Information Regulator has exempted the processing.

The group may also further use or process a customer’s personal information if the customer has consented to it or in the instance of a child, a competent person has consented to it.

Any enquiries about the further processing of customer personal information can be made through the contact details of the customer’s solution provider or the group’s platform provider, as set out in the responsible parties table in section 5 of this notice.

13. Centralised processing

The group aims to create efficiencies in the way it processes information across the group. Customers’ personal information may therefore be processed through centralised group functions and systems, which includes the housing of their personal information in a centralised group data warehouse.

This centralised processing is structured to ensure efficient processing that benefits both the customer and the group. Such benefits include, but are not limited to:

  • improved information management, integrity and information security;
  • the leveraging of centralised crime and fraud prevention tools – this would include the processing of your personal information and special personal information across the companies in the group to prevent, detect and report on financial crimes and related matters in terms of the Financial Intelligence Centre Act;
  • better knowledge of a customer’s financial service needs so that appropriate solutions can be advertised and marketed to the customer;
  • a reduction in information management costs;
  • analytics, statistics and research, and
  • streamlined transfers of personal information for customers with solutions across different businesses or companies within the group.

Details of further interests which are promoted by the centralised processing can be found in section 11.3.

Should a customer wish to exercise their privacy rights in terms of personal information provided to a company in the group or enquire about the centralised processing procedure, enquiries can be made through the contact details of the customer’s solution provider or the group’s platform provider, as set out in the responsible parties table of this notice.

14. Enriching personal information

The group aims to provide our customers with solutions that are appropriate and reasonable considering the customer’s circumstances (such as financial position, employment status and various obligations) and needs.

The group may not always have sufficient personal information (obtained from companies within the group) about the customer to determine the suitability of solutions applied for, to determine which solutions are appropriate to offer proactively to customers or to assist customers with money management tips and advice. In these circumstances, the group may approach external persons for additional personal information if the law allows.

The group may (where the law allows) get, use, and share within the group customer personal information (such as what customers purchase and spend their money on; what insurance and investment products customers have and how customers meet their obligations under these products; whether customers have medical aid and how they are meeting their obligations regarding the medical aid; what customers’ salaries are), from the following persons in South Africa:

  • Retailers (including physical and online retailers like grocery, convenience, clothing and specialty retailers);
  • Telecommunication service providers (including those that provider or distribute airtime and / or data);
  • Long-term and short-term insurance providers (including the product suppliers, the intermediaries and the brokers);
  • Investment providers (including asset managers); and
  • Customer employers and payroll management companies for customer employers.

The purposes for which customer personal information may be used are:

  • To determine credit worthiness when applying for credit (which includes the validation of sources of income and income amounts) and to proactively provide suitable credit solutions.
  • To manage the credit solutions held with the group.
  • To underwrite long-term or short-term insurance policies when customers apply for it and to proactively provide customers with suitable insurance solutions.
  • To prevent, detect and report fraud and other crimes, which includes protecting customers and the group against fraud and other crimes.
  • To offer and provide customers with suitable group solutions, including credit, insurance, investment, transact and value-added solutions.
  • To place customers in the correct customer segment and therefore improve financial and non-financial guidance to customers from the group. 

15. How does the group use customers’ personal information for rewards?

The group collects personal information about customers from its partners, suppliers, customer loyalty rewards programmes’ retail, online and strategic partners (rewards partners) and service providers with which the group interacts for the purposes of its eBucks rewards programme.

The group will process customers’ personal information for the following reasons:

  • to determine customer qualification for participation in the eBucks rewards programme, rewards points, rewards level and benefits;
  • to inform the group’s reward partners about customers’ purchasing behaviour and to monitor customer buying behaviour with the group’s rewards partners to correctly allocate eBucks earned;
  • to provide rewards and benefits tailored to customer requirements and to treat customers in a more personal way;
  • to fulfil customers’ travel arrangements (flights, hotels and car hire) bookings with the groups’ service providers and deliver the solutions they have asked for;
  • to fulfil customers’ eBucks Shop purchases and instruct the group’s service providers to deliver the solutions the customer has asked for;
  • to fulfil customers’ requests for services provided by the group’s reward partners and/or the group's service providers;
  • to market the group’s rewards and the group’s rewards partners’ solutions to customers;
  • to market vehicle-related solution offers from the group or its business partners;
  • to improve the group’s websites, apps, solutions and rewards offerings;
  • to respond to customer enquiries and complaints;
  • to comply with legislative, regulatory, risk and compliance requirements (including directives, sanctions and rules);
  • to comply with voluntary and involuntary codes of conduct and industry agreements;
  • to fulfil reporting requirements and information requests;
  • to conduct market and behavioural research, including scoring and analysis to determine if a customer qualifies for rewards, benefits and solutions;
  • to develop, test and improve rewards and solutions for customers;
  • for statistical purposes, such as market segmentation;
  • to communicate with customers and carry out their instructions and requests;
  • for customer satisfaction surveys, promotional and other competitions; or
  • for any other related purposes.

16. How the group uses personal information for marketing?

  • The group may use prospective customers’ or customers’ personal information to market financial, insurance, investments and other related banking and other financial solutions to them.
  • The group will do this in person, by post, telephone, or electronic channels such as SMS, email or app notifications.
  • If a person is a prospective customer (not a group customer) or in any other instances where the law requires, the group will only market to them by electronic communications with their consent.
  • For the purposes of electronic marketing and this paragraph only, a group customer would be a person whose contact details were obtained in the context of the sale of the group’s solutions, including:
    • where the person agrees to a solution being provided to them and the group does not charge for that solution;
    • where the person started to apply or register for a solution but decided to not continue or cancel the transaction;
    • if the group or the person declined the offer of a solution made to or by the person; and
    • where the person concluded an agreement with the group regarding the solution offered to the person.
  • In all cases, a person can request the group to stop sending marketing communications to them at any time.
  • The person can also withdraw marketing consent or opt-out of marketing at any time. The group has various interfaces and channels that can be used to withdraw marketing consent or opt-out of marketing, e.g. for example, group websites or apps. 

17. When will the group use customers’ personal information to make automated decisions about them?

An automated decision is made when a customer’s personal information is analysed without human intervention in that decision-making process.

The group may use a customer’s personal information to make an automated decision as allowed by the law. An example of automated decision making is the approval or declining of a credit application when a customer applies for an overdraft or credit card, or the approval or declining of an insurance claim.

Customers have the right to query any such decisions made, and the group will:

  • provide the customer with sufficient information about the personal information which was used as well as how and why the group arrived at the decision; and
  • inform the customer of processes available to enable the customer to make representations relating to the automated decision-making and provide the customer a reasonable opportunity to make representations to the group.

18. When, how, and with whom does the group share customers’ personal information?

In general, the group will only share customers’ personal information if any one or more of the following apply:

  • if the customer has consented to this;
  • if it is necessary to conclude or perform under a contract the group has with the customer;
  • if the law requires it; or
  • if it is necessary to protect or pursue the customer’s, the group’s or a third party’s legitimate interest.

Where permitted, each entity in the group may share a customer’s personal information with the following persons, which may include parties that the group engages with as independent responsible parties, joint responsible parties or operators. These persons have an obligation to keep customers’ personal information secure and confidential:

  • other group entities, any connected companies, subsidiary companies, associates, cessionaries, delegates, assignees, affiliates or successors in title and/or appointed third parties (such as its authorised agents, partners, contractors and suppliers) for any of the purposes identified in this notice;
  • the financial services and products providers in the group, including representatives and intermediaries;
  • the group’s employees, as required by their employment conditions;
  • the customer’s spouse, dependants, partners, employer, joint applicant or account or card holders, authorised signatories or mandated persons, beneficiaries and other similar sources;
  • people the customer has authorised to obtain their personal information, such as a person that makes a travel booking on the customer’s behalf, or a medical practitioner for insurance purposes;
  • attorneys, tracing agents, debt collectors and other persons that assist with the enforcement of agreements;
  • payment processing services providers, merchants, banks and other persons that assist with the processing of customer payment instructions, such as card scheme providers (including VISA or MasterCard);
  • insurers, brokers, other financial institutions or other organisations that assist with insurance and assurance underwriting, the providing of insurance and assurance policies and products, the assessment of insurance and assurance claims, and other related purposes;
  • law enforcement and fraud prevention agencies, and other persons tasked with the prevention and prosecution of crime;
  • regulatory authorities, industry ombuds, government departments, and local and international tax authorities and other persons the law requires the group to share customer personal information with;
  • credit bureaux;
  • financial services exchanges;
  • qualification information providers;
  • trustees, executors or curators appointed by a court of law;
  • payment or account verification service providers;
  • the group’s service providers, agents and subcontractors, such as couriers and other persons the group uses to offer and provide solutions to customers;
  • persons to whom the group have ceded its rights or delegated its obligations to under agreements, such as where a business is sold;
  • courts of law or tribunals that require the personal information to adjudicate referrals, actions or applications;
  • the general public, where customers submit content to group social media sites such as a group business’s Facebook page;
  • participating partners in the group’s customer reward programmes, where customers purchase products and services or spend loyalty rewards;
  • the user of a SIM card, who is not the subscriber of the SIM card, where telecommunication services are provided; or
  • the group’s joint venture and business partners with which it has concluded business agreements.

19. When and how the group obtains and shares customers’ personal information from/with credit bureaux?

The group may obtain customers’ personal information from credit bureaux for any one or more of the following reasons:

  • if the customer requested the group to do so, or agreed that it may do so;
  • to verify a customer’s identity;
  • to obtain or verify a customer’s employment details;
  • to obtain and verify a customer’s marital status;
  • to obtain, verify, or update a customer’s contact or address details;
  • to obtain a credit report about a customer, which includes their credit history and credit score, when the customer applies for an agreement, a debt obligation or a credit agreement to prevent reckless lending or over-indebtedness;
  • to determine a customer’s credit risk;
  • for debt recovery;
  • to trace a customer’s whereabouts;
  • to update a customer’s contact details;
  • to conduct research, statistical analysis or system testing;
  • to determine the source(s) of a customer’s income;
  • to build credit scorecards which are used to evaluate credit applications;
  • to set the limit for the supply of an insurance policy;
  • to assess the application for insurance cover;
  • to obtain a customer’s contact details to enable the distribution of unclaimed benefits under an insurance policy; or
  • to determine which solutions to promote or to offer to a customer.

The group will share a customer’s personal information with the credit bureaux for, among others, any one or more of the following reasons:

  • to report the application for an agreement, a debt obligation or a credit agreement;
  • to report the opening of an agreement, a debt obligation or a credit agreement;
  • to report the termination of an agreement, a debt obligation or a credit agreement;
  • to report payment behaviour on an agreement, a debt obligation or a credit agreement; /or
  • to report non-compliance with an agreement, a debt obligation or a credit agreement, such as not paying in full or on time.

Customers should refer to their specific credit agreement with the group for further information.

Below are the contact details of the credit bureaux that the group interacts with:

TransUnion 0861 482 482
Consumer Profile Bureau (Pty) Ltd (CPB) 010 590 9505

Experian Information Solutions Inc.

- Johannesburg 


- Stellenbosch 

0861 10 56 65

011 799 3400

021 888 6000

Xpert Decision Systems (XDS) 0860 937 000
Compuscan 0861 51 41 31
VeriCred Credit Bureau (VCCB) 087 150 3601 or 087 803 4798

 

20. Under what circumstances will the group transfer customers’ personal information to other countries?

The group will only transfer a customer’s personal information to third parties in another country in any one or more of the following circumstances:

  • where a customer’s personal information will be adequately protected under the other country’s laws or an agreement with the third-party recipient;
  • where the transfer is necessary to enter into, or perform, under a contract with the customer or a contract with a third party that is in the customer’s interest;
  • where the customer has consented to the transfer; and/or
  • where it is not reasonably practical to obtain the customer’s consent, but the transfer is in the customer’s interest.

This transfer will happen within the requirements and safeguards of applicable laws or privacy rules that bind the group.

Where possible, the party processing a customer’s personal information in another country will agree to apply the same level of protection as available by law in the customer’s country, or if the other country’s laws provide better protection, the other country’s laws would be agreed to and applied.

An example of the group transferring a customer’s personal information to another country would be when a customer makes payments if they purchase goods or services in a foreign country or where personal information is stored with a cloud services provider and the servers are in a foreign country.

TAKE NOTE: As the group operates in several countries, customers’ personal information may be shared with group companies in other countries and processed in those countries under the privacy rules that bind the group.

21. Customers’ duties and rights regarding the personal information the group has about them

Customers must provide the group with proof of identity when enforcing the rights below and the group will then verify the identity of the customer.

Customers must inform the group when their personal information changes, as soon as possible after the change.

Customers warrant that when they provide the group with personal information of their spouse, dependants or any other person, they have permission from them to share their personal information with the group. The group will process the personal information of the customer’s spouse, dependent or any other person which the customer has shared with it as stated in this notice.

21.1 Right to access

Customers have the right to request access to the personal information the group has about them by contacting the group. This includes requesting:

  • confirmation that the group holds the customer’s personal information;
  • a copy or description of the record containing the customer’s personal information; and
  • the identity or categories of third parties who have had access to the customer’s personal information.

The group will attend to requests for access to personal information within a reasonable time and in alignment with the law. Customers may be required to pay a reasonable fee (aligned to the law) to receive copies or descriptions of records, or information about, third parties. The group will inform customers of the fee before attending to their request.

Customers should note that the law may limit their right to access information, e.g. information relating to the group’s intellectual property, competitively sensitive information or legally privileged information.

For South Africa, please refer to the group’s information manual prepared in accordance with Section 51 of the Promotion of Access to Information Act, No. 2 of 2000 (information manual) for further information on how customers can give effect to this right. The information manual is available on the group’s website at: https://www.firstrand.co.za/investors/governance-and-compliance/

In certain instances, customers can give effect to this right by making use of the group’s unassisted interfaces, e.g. using a group entity’s app or website to access the personal information the group holds about them.

21.2 Right to correction, deletion or destruction

Customers have the right to request the group to correct, delete or destroy the personal information it has about them if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully, or if the group are no longer authorised to keep it. Customers must inform the group of their request in the prescribed form. Prescribed form 2 has been included as an annexure to this notice.

The group will take reasonable steps to determine if the personal information is correct and make any correction needed. It may take a reasonable time for the change to reflect on the group’s platform/systems. The group may request documents from the customer to verify the change in personal information.

A specific agreement that a customer has entered into with the group may determine how the customer must change their personal information provided at the time when they entered into the specific agreement. Customers must adhere to these requirements.

If the law requires the group to keep the personal information, it will not be deleted or destroyed upon the customer’s request. The deletion or destruction of certain personal information may lead to the termination of a customer’s relationship with the group.

The group may not be able to establish a relationship with a customer, continue a relationship with a customer, process a transaction or provide a customer with a solution, if the customer withhold or request deletion of personal information or special personal information required in terms of the Financial Intelligence Centre Act for financial crime prevention, detection and reporting purposes.

In certain instances, a customer can give effect to this right by making use of the groups’ unassisted interfaces, e.g. using a group app or website to correct their contact details.

21.3 Right to objection

Customers may object on reasonable grounds to the processing of their personal information where the processing is in their legitimate interest, the group’s legitimate interest or in the legitimate interest of another party.

Customers must inform the group of their objection in the prescribed form. Prescribed form 1 is included as an annexure to this notice.

The group will not be able to give effect to the customer’s objection if the processing of their personal information was and is permitted by law, the customer has provided consent to the processing and the group’s processing was conducted in line with their consent; or the processing is necessary to conclude or perform under a contract with the customer.

The group will also not be able to give effect to a customer’s objection if the objection is not based upon reasonable grounds and substantiated with appropriate evidence.

The group will provide customers with feedback regarding their objections.

21.4 Right to withdraw consent

Where a customer has provided their consent for the processing of their personal information, the customer may withdraw their consent. If they withdraw their consent, the group will explain the consequences to the customer. If a customer withdraws their consent, the group may not be able to provide certain solutions to the customer or provide the customer access to the group’s platform. The group will inform the customer if this is the case. The group may proceed to process customers’ personal information, even if they have withdrawn their consent, if the law permits or requires it. It may take a reasonable time for the change to reflect on the groups’ systems. During this time, the group may still process the customer’s personal information.

Customers can give effect to this right by making use of the group’s unassisted service channels, e.g. using a group app or website, or through an assisted interaction to update their consent preferences.

21.5 Right to complain

Customers have a right to file a complaint with the group or any regulator with jurisdiction (in South Africa customers can contact the Information Regulator) about an alleged contravention of the protection of their personal information. The group will address customer complaints as far as possible.

The contact details of the Information Regulator are provided below.

JD House,27 Stiemens Street
Braamfontein
Johannesburg
2001

P.O Box 31533
Braamfontein
Johannesburg
2017

Tel no. +27 (0)10 023 5200
Website: https://inforegulator.org.za
Complaints email: POPIAComplaints@inforegulator.org.za
General enquiries email: enquiries@inforegulator.org.za

22. How the group secures customers’ personal information

The group will take appropriate and reasonable technical and organisational steps to protect customers’ personal information in line with industry best practices. The group’s security measures, including physical, technological and procedural safeguards, will be appropriate and reasonable. This includes the following:

  • keeping group systems secure (such as monitoring access and usage);
  • storing group records securely;
  • controlling the access to group premises, systems and/or records; and
  • safely destroying or deleting records.

Customers can also protect their own personal information and can obtain more information in this regard by visiting the website or app of the relevant group entity that they have established a relationship with.

23. How long does the group keep customers’ personal information?

The group will keep customers’ personal information for as long as:

  • the law requires the group to keep it;
  • a contract between the customer and the group requires FirstRand to keep it;
  • the customer has consented to the group keeping it;
  • the group is required to keep it to achieve the purposes listed in this notice;
  • the group requires it for statistical or research purposes;
  • a code of conduct requires the group to keep it; and/or
  • the group requires it for lawful business purposes.

TAKE NOTE: The group may keep customers’ personal information even if they no longer have a relationship with the group or if they request the group to delete or destroy it, if the law permits or requires.

24 Cookies

A cookie is a small piece of data that is sent (usually in the form of a text file) from a website to the user’s device, such as a computer, smartphone or tablet. There are different types of cookies which serve different purposes, and this is fully explained in the group cookie notice available on FirstRand’s website. The purpose of a cookie is to provide a reliable mechanism to “remember” user behaviour (keeping track of previous actions), e.g. remembering the contents of an online shopping cart, and actions the user performed whilst browsing when not signed up or logged into their online account.

The group does not necessarily know the identity of the user of the device but does see the behaviour recorded on the device. Multiple users of the same device would not necessarily be distinguishable from one another. Cookies could, however, be used to identify the device and, if the device is linked to a specific user, the user would also be identifiable. For example, a device registered to an app (FNB, WesBank, RMB, etc.).

By using group websites or apps, customers agree that cookies may be forwarded from the relevant website or app to their computer or device. Certain cookies will enable the group to know that a customer has visited a website or app before and will identify the customer. The group may also use third-party or necessary cookies to prevent fraud.

Please refer to the FirstRand group cookie notice for further information. The group’s cookie notice is available on FirstRand’s website.

25. How the group processes personal information about persons related to a juristic person

If a customer is a juristic person, such as a company or close corporation, the group may collect and use personal information relating to the juristic person’s directors, officers, employees, beneficial owners, partners, shareholders, members, authorised signatories, representatives, agents, payers, payees, customers, guarantors, spouses of guarantors, sureties, spouses of sureties, other security providers and other persons related to the juristic person. These are related persons.

If customers provide the personal information of a related person to the group, they warrant that the related person is aware that they are sharing their personal information with the group, and that the related person has consented thereto.

The group will process the personal information of related persons as stated in this notice, thus references to “customer/s” in this notice will include related persons with the necessary amendments and limitations.

We believe in creating solid relationships and partnerships.

Contacts
Share
Required
Required
Required
Required
Optional