Privacy Notice

At OM Bank Limited (referred to as “we”, “us”, “our”, “OM Bank” or “the Bank”), we are committed to protecting our customers’ (“your”) privacy and ensuring that your personal information is collected and used lawfully and transparently in compliance with applicable privacy laws and the Protection of Personal Information Act (“POPIA”).

This privacy notice enables you to understand how and why we collect, store, use, and/or share ("process") and protect your personal information when you:

  • Visit our website at www.OMBank.co.za;
  • Download and make use of our Banking application;
  • Make use of our products and services; and
  • Engage with us in other ways.

OM Bank Limited, with registration number 2021/570113/06, is a company registered in the Republic of South Africa and is a registered Bank and credit provider (NCRCP 17317) within the Old Mutual Limited Group of companies. The Old Mutual Limited Group of companies consists of various companies, including Old Mutual Life Assurance Company, Old Mutual Finance, Old Mutual Investments and Old Mutual Rewards.

This Notice is applicable in all instances where OM Bank determines the manner and purpose for which information is processed, i.e. when we are the Responsible Party. Where we refer to “customer” in this notice, it also includes potential customers who have provided us with their personal information upon application for a product or service. We may connect your personal information with other personal information obtained from third parties or public records and may use the combined personal information for any of the purposes stated in this policy.


Questions or concerns?

Reading this privacy notice will help you understand your privacy rights and choices. If you have any queries regarding our policies and practices, please contact us at privacy@ombank.co.za.


1. WHAT PERSONAL INFORMATION DO WE COLLECT?

We collect personal information from you and from other sources, such as:

  • third parties (partners, service providers, reward partners, credit bureaux, other financial services providers, regulators, attorneys, tracing agents, debt collectors, government departments, regulatory authorities, ombuds, tax authorities, courts of law or tribunals, law enforcement and fraud prevention agencies);
  • public sources (e.g. company registers, online search engines, deed registries);
  • other companies within the Old Mutual Limited group;
  • payment processing services providers, merchants, banks and other persons that assist with the processing of customers’ payment instructions, such as card scheme providers (e.g. Mastercard);
  • marketing list providers.

If the law requires us to do so, we will ask for your consent before collecting personal information about you from third parties. We collect and process your personal information at the start of, and for the duration of your relationship with the Bank. We may also, if necessary, process your personal information when your relationship with the Bank has ended.

The personal information we collect includes:

  • customer's name;
  • identifying number (such as your identity number, tax number and account number);
  • tax residency status;
  • contact information, such as email address, residential address, telephone / mobile number;
  • employment history and current employment status, occupation and industry (for example when a customer applies for credit);
  • marital status (married, single, divorced); national origin; age; language; birth; education;
  • information relating to the financial history of the customer;
  • gender or sex (for statistical purposes as required by the law);
  • personal views, preferences and opinions;
  • information about a customer’s location (e.g. geolocation or GPS location);
  • online identifiers, social media tags / profiles, identifiable device ID and IP address;
  • correspondence sent by you to the Bank that is private or of a confidential nature;
  • the views or opinions of another individual about a customer;
  • product usage, financial and transaction information and credit risk profile.

When necessary, and as permitted by law, we process the following categories of special personal information:

  • race (for statistical purposes as required by the law);
  • ethnic origin;
  • biometric information (e.g. to verify a customer’s identity);
  • criminal history.

Information automatically collected: We automatically collect certain information when you visit, use, or navigate our banking application or website. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our services, and other technical information. This information is primarily collected and needed to maintain the security and operation of our services, and for our internal analytics and reporting purposes. We may also collect information through cookies and similar technologies. You can find out more about this below (clause 13) and in our Cookie Notice provided on our website.


2. WHY DO WE PROCESS YOUR PERSONAL INFORMATION?

We process your personal information to conclude or perform under a contract we have with you, to provide, improve, and administer our products and services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.

We process your personal information for a variety of reasons, including to:

  • assess and process your application for a product or service;
  • conduct affordability assessments, credit assessments and credit scoring;
  • conduct and facilitate onboarding, account opening and authentication;
  • conduct security and identity verification, and check the accuracy of customer personal information;
  • open, manage and maintain customer accounts or relationships; 
  • provide, deliver and facilitate provision or delivery of products and services to you;  
  • enable you to participate in and make use of value-added solutions;
  • enable you to participate in customer rewards programmes;
  • process your payment instructions;
  • communicate with you and carry out your instructions and requests;
  • respond to your enquiries, communications and complaints;
  • send administrative and service communications to you;
  • request feedback on our products and services;
  • send you marketing, promotional communications and promotional competitions;
  • enforce and collect on an agreement where a customer is in default or breach;
  • protect and enforce our rights and remedies in the law;
  • protect our services and detect, prevent and report theft, fraud, money laundering, corruption and other crimes;
  • meet record-keeping obligations;
  • fulfil reporting requirements and information requests;
  • conduct market and behavioral research to identify trends;
  • determine the effectiveness of our marketing and promotional campaigns;
  • develop, implement, monitor and improve our business processes, policies and systems;
  • determine what products / services you hold with the Old Mutual Group;
  • any other related purpose / reason.


We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e. legal basis) to do so under applicable law.

We may rely on the following legal bases to process your personal information:

  • Conclusion or Performance of a Contract: We may process your personal information when it is necessary to fulfill our contractual obligations to you, including providing our products and services or at your request prior to entering into a contract with you.

  • Law / Legal Obligations: We may process your personal information where the processing complies with an obligation imposed by law on us or it is necessary for compliance with our legal obligations, such as to:
    • cooperate with a law enforcement body or regulatory agency;
    • detect, prevent and report theft, fraud, money laundering, corruption and other crimes;
    • comply with voluntary and involuntary codes of conduct and industry agreements;
    • fulfil reporting requirements;
    • develop credit models and credit tools;
    • exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.

  • Legitimate Interests: We may process your personal information when it is necessary to protect your legitimate interest or pursue our legitimate interests or those of a third party. We may process customers’ personal information to achieve our legitimate business interests in the daily management of our business, to provide you with the most appropriate products and services and to develop and improve our products and services. We will ensure that our legitimate interests do not outweigh your interests and fundamental rights and freedoms.

  • Consent: We may process your personal information if you have given us consent to use your personal information for a specific purpose. You have the right to withdraw your consent at any time.

In legal terms, we are generally the “Responsible Party”, since we determine the means and/or purposes of the personal information processing we perform. This privacy notice does not apply to the personal information we process as an “Operator” on behalf of our customers. In those situations, the customer that we provide services to and with whom we have entered into a data processing agreement is the “Responsible Party” responsible for your personal information, and we merely process your information on their behalf in accordance with their instructions.


4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

We may share your personal information if the law requires it, if it is necessary to conclude or perform under a contract that we have with you, if it is necessary to protect or pursue your, our or a third party's legitimate interest, or if you have consented to this.

We may share your personal information with the following persons:

  • Companies within the Old Mutual Group, subsidiary companies, associates, cessionaries, delegates, assignees, affiliates or successors in title and/or appointed third parties (such as its authorised agents, partners, contractors and suppliers) for any of the purposes identified in this notice;
  • payment processing services providers, merchants, banks, card scheme providers and other persons that assist with the processing of customer payment instructions;
  • credit bureaux;
  • financial services exchanges;
  • the group’s employees, as required by their employment conditions;
  • courts of law or tribunals that require the personal information to adjudicate matters;
  • trustees, executors or curators appointed by a court of law;
  • attorneys, tracing agents, debt collectors and other persons that assist with the enforcement of agreements;
  • regulatory authorities, industry ombuds, government departments, and local and international tax authorities and other persons the law requires us to share customer personal information with;
  • law enforcement and fraud prevention agencies, and other persons tasked with the prevention and prosecution of crime;
  • your spouse, dependents, partners, employer; 
  • participating partners in the group’s customer reward programmes, where customers purchase goods, products and services or spend loyalty rewards;
  • our business partners, service providers, agents and subcontractors, such as couriers and other persons that we use to offer and provide our products and services to customers. We have contracts in place with our partners / third parties, which ensures that your personal information is safeguarded and protected.


5. WHEN WILL WE FURTHER PROCESS YOUR PERSONAL INFORMATION?

When we collect personal information, we will have a reason or purpose to collect that personal information. We may use that personal information for other purposes, where the law allows and where the other purpose is compatible with the original purpose of collection. We may, in certain limited circumstances, need to request and obtain your consent for further processing.

We may also further process your personal information if:

  • The personal information is available in or derived from a public record or you have deliberately made the personal information public;
  • The personal information is used for historical, statistical or research purposes and the results do not identify the customer;
  • proceedings have started or are contemplated in a court or tribunal;
  • it is in the interest of national security;
  • we must adhere to the law, specifically tax legislation; or
  • the Information Regulator has exempted the further processing.


6. WHEN WILL WE PROCESS PERSONAL INFORMATION OF CHILDREN?

A child is a person under the age of 18 years who is not legally allowed, without the assistance of a competent person, to take any action or decision in respect of any matter concerning themself. We will only process the personal information of children if the law allows us to do so.

We may process the personal information of children if:

  • A competent person (such as a parent or guardian of the child) has provided prior consent for the processing;
  • The processing is necessary for the establishment, exercise or defence of a right or obligation in law;
  • The processing is of personal information which has deliberately been made public by the child, with the consent of a competent person;
  • where the child is legally old enough to open a bank account without assistance from their parent or guardian; or
  • where the child benefits from a bank account such as an investment or savings account and a person with the ability to sign legal agreements has consented to the processing.


7. WHAT PERSONAL INFORMATION DO WE OBTAIN FROM AND SHARE WITH THE CREDIT BUREAUX?

We may obtain your personal information from the credit bureaux for the following reasons:

  • if you requested us to do so, or agreed that we may do so;
  • to verify your identity;
  • to obtain or verify your employment details;
  • to obtain and verify your marital status;
  • to obtain, verify, or update your contact or address details;
  • to obtain a credit report about you, which includes your credit history and credit score, when you apply for a credit agreement;
  • to determine your credit risk;
  • for debt recovery;
  • to conduct research, statistical analysis or system testing;
  • to determine the source(s) of a customer’s income;
  • to build credit scorecards which are used to evaluate credit applications.

We will share your information with the credit bureaux for the following reasons:

  • to comply with regulatory reporting requirements;
  • to report the application for a credit agreement;
  • to report the opening of a credit agreement;
  • to report the termination of a credit agreement;
  • to report payment behavior on a credit agreement; or
  • to report non-compliance with a credit agreement, such as not paying in full or on time.


8. WHEN WILL YOUR PERSONAL INFORMATION BE TRANSFERRED TO OTHER COUNTRIES?

We will only transfer your personal information to business partners or third parties in another country if:

  • Your personal information will be adequately protected under the other country’s laws or an agreement with the third party recipient; or
  • the transfer is necessary for the performance of a contract or for the implementation of pre-contractual measures taken in response to a request by you; or
  • The transfer is necessary for the conclusion or performance of a contract concluded in your interest, between us and the third party; or
  • You have consented to the transfer; or
  • Where it is not reasonably practical to obtain your consent, but the transfer is in your interest.

The business partner or third party processing personal information in another country will be required to agree to apply the same level of protection as available by South African law, or if the other country’s laws provide better protection, the other country’s laws would be agreed to and applied.


9. HOW LONG DO WE KEEP YOUR INFORMATION?

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal and regulatory requirements). We may keep your personal information even if you no longer have a relationship with the Bank, if the law permits or requires.


10. HOW DO WE KEEP YOUR INFORMATION SAFE?

We have implemented appropriate and reasonable technical and organisational security measures designed to protect the security of any personal information we process.

We will, on an ongoing basis, continue to review our security controls and related processes to ensure that your personal information is secure. Our security policies and procedures cover:

  • Physical security;
  • Computer and network security;
  • Access to personal information;
  • Secure communications;
  • Retention and disposal of information;
  • Monitoring access and acceptable usage of personal information;
  • Investigating and reacting to security incidents.

When we contract with third parties, we impose appropriate security, privacy and confidentiality obligations on them to ensure that personal information that we remain responsible for is kept secure.


11. WHAT ARE YOUR PRIVACY RIGHTS?

We will take all reasonable steps to confirm your identity when you exercise your rights. Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information in our system. These verification efforts require us to ask you to provide information so that we can match it with information you have previously provided us. For instance, depending on the type of request you submit, we may ask you to provide certain information so that we can match the information you provide with the information we already have on our systems, or we may use other verification methods as the circumstances dictate.

Access to information

You have the right to request us to confirm whether or not we hold personal information about you. You also have the right to request a description or record of your personal information that we hold, including information about the identity of all third parties, or categories of third parties who have or have had access to your personal information.

We will attend to your requests for access to personal information within a reasonable time. You may be required to pay a fee to enable us to respond to your request. If so, we will inform you of the fee before providing the services and may also require a deposit.

Your request for access will be assessed in accordance with the law (the Promotion of Access to Information Act), which may limit your right to access to information. Please view our PAIA Manual on the Bank’s website (www.OMBank.co.za).

Objection to processing

You have the right to object to the processing of your personal information where the processing is in your legitimate interest, the Bank’s legitimate interest or in the legitimate interest of a third party (to whom the personal information is supplied).

Please contact us on privacy@ombank.co.za and we will advise you of the process to follow and provide you with the prescribed form.

Correction, Deletion or Destruction of your personal information

You have the right to ask us to correct, delete or destroy the personal information we have about you if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully, or if we are no longer authorised to keep it. We may request documentation from you to verify the personal information that you request to be corrected / updated. If the law requires us or allows us to keep your personal information, it will not be deleted or destroyed upon your request.

Please contact us on privacy@ombank.co.za and we will advise you of the process to follow and provide you with the prescribed form.

Right to withdraw consent

Where you have provided your consent for the processing of your personal information, you have the right to withdraw your consent. You may do this by contacting us on privacy@ombank.co.za.

In some circumstances, if you withdraw your consent we may not be able to provide you with certain products or services. We will communicate with you about how your request to withdraw consent will impact the product and services that we provide to you.

Automated decision making

We may use your personal information to make an automated decision as allowed by the law. Automated Decision Making refers to decisions made solely based on the automated processing of personal information using software, algorithms, artificial intelligence or machine learning that do not involve human intervention. You have the right to query any automated decisions we may make in a decision-making process where there is no human intervention.

Right to submit a complaint

You have the right to submit a complaint to the Bank or the Information Regulator.

If you have a concern or complaint about your privacy, please let us know and submit any complaints to the Bank on privacy@ombank.co.za.

The contact details of the Information Regulator are:

Website: https://inforegulator.org.za/

General enquiries: enquiries@inforegulator.org.za

Complaints: POPIAComplaints@inforegulator.org.za


12. DIRECT MARKETING

We may contact you periodically to provide information regarding our products and services that may be of interest to you. If the law requires that we receive your consent before we send you certain types of marketing communications, we will only send such communications to you after receiving your consent.

If you do not wish to receive further marketing communications from us, you can click on the unsubscribe link in the marketing communication or contact us on privacy@ombank.co.za. You will then be removed from our marketing lists — however, we may still communicate with you, for example to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.


13. COOKIES AND DO NOT TRACK FEATURES

We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. Cookies are text files with small amounts of information that are downloaded to your device by your browser when you visit a website to remember information about you. We use cookies or similar technologies to remember your preferences, understand how you interact with our services or emails that we send you, maintain the security of our services, and administer, improve and promote our services. You can configure your browser to prevent cookies, but please note that disabling cookies may make some features or functionality unavailable to you. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice on our website.


14. DO WE MAKE UPDATES TO THIS NOTICE?

We may update this privacy notice from time to time. The updated version will be indicated by an updated revised date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.


15. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions about this notice, you may contact us by email at privacy@ombank.co.za, or contact our service channel by phone at +27 8600 662265.

Responsible Party: OM Bank Limited

Physical Address: Mutual Park, Jan Smuts Drive, Pinelands, Western Cape, 7405