Introduction
NCBA Bank Tanzania Limited (including direct and indirect affiliates) respects your privacy and
is committed to protecting your personal data. This Privacy Policy (and any other documents
referred to in it) sets out the basis on which any personal data we collect from you, that you
provide to us, or that is otherwise made available to us will be processed by us.
This Privacy Policy will inform you as to how we look after your personal data when you hold
an account with us, use our products or services, or visit our website (regardless of where you
visit it from) and tells you about your privacy rights and how the law protects you. Please read
the following carefully to understand our views and practices regarding your personal data
and how we will treat it.
This Privacy Policy may be amended or updated from time to time to reflect changes in our
practices with respect to the processing of personal data, or changes in applicable law. It is
important that you read this Privacy Policy together with our terms and conditions, and any
other policies and notices we may provide on specific occasions when we are collecting or
processing personal data about you so that you are fully aware of how and why we are using
your data. This Privacy Policy supplements other notices and related policies and is not
intended to override them.
Definitions and Interpretation
a) For the purposes of this Privacy Policy, the following definitions apply:
i. “Applicable Law” means the Constitution of the United Republic of Tanzania, all Acts
of the Parliament, and any regulations, rules, guidelines, guidance notes issued
pursuant to any Act of the Parliament, legislative and regulatory requirements, and
codes of practice applicable to the processing of personal data and/or applicable
to a data controller or data processor as may be amended from time to time.
ii. “Personal Data” means any information relating to an identified or identifiable natural
person (hereinafter “Data Subject”). For clarity, an identifiable person is one who can
be identified, directly or indirectly, in particular by reference to an identifier such as
a name, an identification number, location data, an online identifier, or to one or
more factors specific to the physical, physiological, genetic, mental, economic,
cultural, or social identity of such a natural person.
iii. “Controller” means the natural or legal person, authority, organization or other
agency that makes decisions individually or together with other parties regarding the
purposes and means for processing personal data.
iv. “NCBA Bank Tanzania Limited” means a limited liability company incorporated under the
laws of Tanzania to conduct banking business (hereafter referred to as “NCBA”,
“we”, “us” or “our”) which expression shall include, unless the context requires
otherwise, its assigns, successors in title and or agents.
v. “Online and Mobile Banking Services” means the services we offer on our online and
mobile platforms.
vi. “Processing” means an operation or activity or set of operations or activities
performed on personal data whether or not by automated means.
vii. “Processor” is a natural or legal person, authority, organization or other agency
that processes Personal Data on behalf of the Controller.
viii. “Sub-processor” is the contractual partner of the Processor, engaged to carry
out specific processing activities on behalf of the Processor.
ix. “Third Party” means a natural or legal person, public authority, agency or body other
than the Data Subject, Controller, Processor, Sub-processor, and persons who, under
the direct authority of the Controller, Processor or Sub-processor, are authorized to
process Personal Data.
x. “Website” means the website of NCBA Bank Tanzania Limited which is accessible
through https://ncbagroup.co.tz/
b) In addition to the definitions above, unless the context requires otherwise:
i. Definitions of terms in our general terms and conditions shall be applicable to this
Policy.
ii. The singular shall include the plural and vice versa; and
iii. A reference to any one gender, whether masculine or feminine, includes the other;
and
iv. All the headings and sub-headings in this policy are for convenience only and are
not to be taken into account for the purpose of interpreting it.
The Data We Collect
a) We may collect, use, store and transfer different kinds of Personal Data about you which
we have grouped as follows:
i. Identity data which includes name, username or similar identifier, National
Identification Number (NIN), Identity card/Passport number, TIN number, photo, marital
status, property details, family details including names of your children and parents,
fingerprints, race, nationality, ethnic or social origin, color, age, title, date of birth and
gender, and any other similar information.
ii. Contact data which includes billing address, postal address, physical address, email
address and telephone numbers.
iii. Financial data which includes any bank account details, card payment details and
other electronic or non-electronic payment details.
iv. Transaction data which includes details about payments to and from you and other
details of products and services you have acquired from us.
v. Technical data which includes internet protocol (IP) address, your login identity data,
browser type and version, time zone setting and location, browser plug-in types and
versions, device information, operating system and platform, and other technology on
the devices you use to access our systems.
vi. Profile data which includes your profile identification information, purchases or orders
made by you, your interests, preferences, feedback and survey responses.
vii. Usage data which includes information about how you use our website, products and
services.
viii. Marketing and communications data which includes your preferences in receiving
marketing information from us and our third parties and your communication
preferences.
ix. Visitors’ personal information/identification details on our premises.
x. Biometric data such as fingerprints, images, voice and other similar information,
surveillance footage by CCTV cameras on our premises.
xi. Employment information such as employment history and educational background.
b) We also collect, use and share aggregated data such as statistical or demographic data.
Aggregated data could be derived from your personal data but is not considered
personal data in law as this data will not directly or indirectly reveal your identity. For
example, we may aggregate your usage data to calculate the percentage of users
accessing a specific website feature. However, if we combine or connect aggregated
data with your personal data so that it can directly or indirectly identify you, we treat the
combined data as personal data which will be used in accordance with this Privacy Policy.
c) Minor’s personal information is not collected/processed unless with the consent of a legal
guardian or parent.
How Your Personal Data Is Collected
We will collect and process data about you from the following sources:
a. Information you give us: This is information about you that you give us by filling in forms
that we give to you or by corresponding with us by phone, e-mail or otherwise. We use
different methods to collect data from and about you including through direct
interactions. This includes the personal data you provide when you:
i. Apply for or use our products or services.
ii. Open an account(s) with us.
iii. Subscribe to our services or publications.
iv. Request marketing information to be sent to you.
v. Enter a competition, promotion or survey.
vi. Give us feedback or contact us.
vii. Use NCBA guest/visitor’s Wi-Fi on our premises; or
viii. Pay using our services.
b. Information we collect about you: With regard to each of your user visits to our website
and your use of the Online and Mobile Banking Services we will automatically collect
the following information:
i. Technical information, including the Internet protocol (IP) address used to
connect your computer or mobile phone to the Internet, your login information,
browser type and version, time zone setting, browser plug-in types and versions,
operating system and platform. We collect this personal data by using cookies,
server logs and other similar technologies. We may also receive technical data
about you if you visit other websites employing our cookies.
ii. Information about your visit, including the full Uniform Resource Locators (URL),
clickstream to, through and from our site (including date and time), products
you viewed or searched for, page response times, download errors, length of
visits to certain pages, page interaction information (such as scrolling, clicks,
and mouse-overs), methods used to browse away from the page and any
phone number used to call our customer service number; and
c. Information we receive from other sources:
i. We receive your Personal Data from third parties who provide it to us. We will
receive Personal Data about you from various third parties to whom you have
consented and public sources including but not limited to: companies registry,
lands registry and other government registries; service providers we interact or
integrate with now or in future; Integrated Personal Registration Systems,
Tanzania Revenue Authority, The Business Registrations and Licensing Agency
(BRELA) and the National Identification Authority (NIDA), Credit Reference
Bureau (CRB) etc.
ii. We may collect information about you from other publicly accessible sources
not listed above. We may also collect information about you from trusted
partners, not listed above, who provide us with information about potential
customers of our products and services.
iii. We receive your Personal Data from third parties, where you purchase any of
our products or services through such third parties; and
iv. We collect Personal Data that you manifestly choose to make public, including
via social media (e.g., we may collect information from your social media
profile(s) to the extent that you choose to make your profile publicly visible).
d. Our website may include links to third-party websites, plug-ins, cookies and
applications. Clicking on those links or enabling those connections may allow third
parties to collect or share data about you. We do not control these third-party websites
or influence the data collected and are not responsible for their privacy policies. When
you leave our website, we encourage you to read the privacy policy of every website
you visit and understand your rights therein.
e. When you visit one of our branches or facilities (hereinafter premises), your image may
be captured via one or more closed circuit television (CCTV) cameras located within
the premises. These images are collected mainly to help us address security issues. The
images may be used in the event of an incident occurring on one of our premises and
may help to clarify what happened. Our use of CCTV relies on the lawful basis of
legitimate interest to prevent crime and protect our employees, users and customers.
f. It is important that the Personal Data we hold about you is accurate and current. Please
keep us informed if your personal data changes during your relationship with us. In case
you wish to correct or update your Personal Data that we hold, you may do so by
visiting us at any of our branches, or writing to us at https://ncbagroup.co.tz/contact-us/.
How We Use Your Personal Data
A. We will only use your Personal Data where we have your consent or a legal basis to
process the same.
Where we need your consent to use your Personal Data for a specific purpose, you
have the right to choose whether to provide or withhold your consent. Providing your
consent means that you agree to your Personal Data being used for a specific purpose
as provided in this Privacy Policy. This allows us to deliver our services to you effectively,
including personalizing your experience and receiving relevant information, updates
and offerings. Where you withhold your consent, please note that this may limit or
affect your ability to access our products and services.
Most commonly, we will use your Personal Data in the following circumstances:
i. Where we need to undertake certain processes in order to enter an agreement
with you, and where we need to perform the agreement we have entered
into with you.
ii. Where it is necessary for our legitimate interests (or those of a third party) and
your interests and fundamental rights do not override those interests. Legitimate
Interest means the interest of our business in conducting and managing our
business to enable us to give you the best service or product and the best and
most secure experience. We make sure we consider and balance any potential
impact on you (both positive and negative) and your rights before we process
your personal data for our legitimate interests; and/or
iii. Where we need to comply with a legal obligation.
B. We have set out below, in a table format, a description of all the ways we plan to use
your Personal Data, and the basis we rely on to do so. We have also identified what
our legitimate interests are where appropriate. Note that we may process your Personal
Data for more than one lawful ground depending on the specific purpose for which
we are using your data.
| How we use your Personal Data | Lawful Basis for processing your Personal Data |
| --- | --- |
| Registration and Onboarding | a. Compliance with a legal obligation. b. Processing is necessary for performance of our contractual obligations to you or to take steps to enter into an agreement with you. c. Our legitimate interests to operate our business and provide banking services to you. d. We have obtained your prior consent to the use and processing of your personal Data. |
| Provision of the Banking Services (including processing transactions and operation of accounts) | a. Compliance with a legal obligation. b. Processing is necessary for performance of our contractual obligations to you. c. Our legitimate interests to operate our business and provide banking services to you. |
| KYC, Fraud and Crime Prevention | a. Compliance with a legal obligation. b. Our legitimate interests to operate our business and provide banking services to you. |
| Business Operation and Maintenance (including operation of the Bank’s website and other platforms, troubleshooting, incident management, data analysis, product and system testing, system maintenance, support, reporting etc.) | a. Our legitimate interests to operate our business and provide banking services to you. |
| Customer Relationship Management (including notifying the client about their use of the Bank’s products and services and any changes to applicable Terms and Conditions; responding to customer enquiries, correspondence, technical support requests and complaints handling etc.) | a. Processing is necessary for performance of our contractual obligations to you or to take steps to enter into an agreement with you. b. Our legitimate interests to operate our business and provide banking services to you. c. We have obtained your prior consent to the use and processing of your personal Data. |
| Business Development (including data analytics to improve our website, API, products, services, customer relationships and experiences etc.) | a. Our legitimate interests to operate our business and provide banking services to you. b. We have obtained your prior consent to the use and processing of your personal Data. |
| Business Management (including preparing financial records, audits, testing, compliance with our regulatory reporting and other corporate governance requirements) | a. Compliance with a legal obligation. b. Our legitimate interests to operate our business and provide our services to you. |
| Marketing (including marketing of our products & services and recommendations of other products & services, promotions, campaigns etc.) | a. Our legitimate interests to operate our business and provide banking services to you. b. We have obtained your prior consent to the use and processing of your personal Data. |
C. We may collect special categories of Personal Data about you (this includes details
about your race or ethnicity, trade union membership, next of kin or family details,
information about your health, criminal convictions and offenses and biometric data.)
| How we use your special category data | Basis for processing your special category data |
| --- | --- |
| For Know Your Customer (KYC) formalities; To carry out verification, anti-money laundering and sanctions checks; To detect, monitor, investigate and report fraud and criminal activity; To manage security, risk and crime prevention for us and our customers by way of ongoing due diligence, monitoring and screening | a. We have obtained your prior consent to the use and processing of your special category data. b. We have a legitimate interest in carrying out the processing for the purpose of providing products and services to you. c. The processing of your special category data is necessary for compliance with legal and regulatory obligations. d. The processing of the special category data is vital in protecting public interests. |
| We may use your medical information to manage our services and products to you e.g. to apply for quotations for an insurance product, postpone your debt repayments etc. | a. The processing of the special category data is vital in protecting public interests. b. The processing is necessary to protect the vital interests of any individual. c. We have obtained your prior consent to the use and processing of your special category data. |
Marketing
• We strive to provide you with choices regarding certain personal data uses, particularly
around marketing and advertising. We have established the following personal data
control mechanisms.
a. Promotional offers from us: We may use your identity, contact, technical, usage and
profile data to form a view on what we think you may want or need, or what may be
of interest to you. This is how we decide which products, services and offers may be
relevant to you. You will receive marketing communication from us if you have
requested information or used our products and services and did not opt out of
receiving such information.
b. Third-party marketing: we may share your Personal Data with any third party for
marketing purposes where we believe that the marketing information from such third
parties will be relevant to you and where we have obtained your prior consent.
• Opting Out
a. You can ask us or third parties to stop sending you marketing messages at any time
by writing to us or logging into the relevant website and checking or unchecking
relevant boxes to adjust your marketing preferences or by following the opt-out links
on any marketing message sent to you or by contacting us at any time through the
contacts provided.
b. Where you opt-out of receiving these marketing messages, this will not apply to
Personal Data provided to us as a result of product or service subscribed
How We Use “Cookies” on Our Website
a. We may place electronic “cookies” in the browser files of your computer when you
access our website. Cookies are pieces of information that our website transfers to
your computer to enable our systems to recognize your browser and to tailor the
information on our website to your interests. For example, if you previously visited our
website and inquired about services over the Website, cookies enable us to present
information tailored to your account and/or those particular interests the next time
you visit the Website. Moreover, we, or our third-party service providers or business
partners may place cookies on your computer’s hard drive that can be matched to
other personal information we maintain about you to pre-populate certain online
forms for your convenience. We also use cookies to analyze visitors’ use of our website.
This analysis helps us better understand which areas of our sites are most useful and
popular, to enable us to plan improvements and updates accordingly.
b. Many web browsers are automatically set to accept cookies. You may change your
computer’s web browser settings to either reject cookies or notify you when a cookie
is about to be placed on your computer. Please note, however, that rejecting cookies
while visiting our website may result in certain parts of the website not operating as
efficiently as if the cookies were allowed.
The Use of Hyperlinks
a. Other URLs may be referenced through hyperlinks on our website. Clicking on these
links may open webpages operated by third parties not associated with us. These
hyperlinks are for dissemination of information and for you to have a good user
experience.
b. By clicking on a hyperlink, you will leave the NCBA webpage and accordingly you
shall be subject to the terms of use, privacy and cookie policies of the other website
that you choose to visit. By navigating to an externally linked website on the NCBA
webpage, you will be exiting our website, and you will be exposed to new terms of
use, privacy policy and cookie policies of the website you have visited. We do not in
any way promote, recommend, endorse, guarantee or approve any third-party
products and services offered through hyperlinks for external webpages. Material or
content found in hyperlinks for external websites is not in our control and data
processing is in accordance with their privacy policy.
Change of Purpose
a. We will only use your Personal Data and special category data for the purposes for
which we collected it as indicated in this Privacy Policy or for reasons we give you
during the collection of the data.
b. If we need to use your Personal Data for an unrelated purpose, we will notify you and
seek your consent where necessary.
c. Please note that we may process your Personal Data without your knowledge or
consent if this is required or permitted by law.
Disclosure of Personal Information
a. We may disclose your Personal Data to other entities, the affiliates of NCBA, for
legitimate business purposes (including providing services to you and operating our
sites and systems), in accordance with applicable law. In addition, we may disclose
your Personal Data to:
i. Government (including law enforcement) authorities and regulators e.g. Bank
of Tanzania
ii. Other financial institutions through which your transactions are processed.
iii. Other companies and financial institutions that we work with to provide services
to you e.g. Credit card service providers, technology service providers, credit
reference bureaus, employers, debt collection agencies and outsourced
services vendors; fraud prevention/detection, private investigators, agencies
tasked with conducting surveys on behalf of NCBA Bank Tanzania Limited and
its affiliates
iv. Third parties with accruing legal obligations e.g. Trustees and executors,
guarantors, anyone holding a power of attorney to operate an account on your
behalf and joint account holders.
v. Third parties with reference to acquisition, merger, asset sales, restructuring or by
legal obligation or otherwise. We may also transfer your personal data to any of
our affiliates, new owners, successor entities, or in case of change of business;
your personal data may be used in the same way as in this Privacy Policy.
vi. Third parties who are service providers acting as processors, professional advisers
including lawyers, bankers, auditors and those who provide consultancy,
banking, legal, insurance and accounting services.
vii. Restricted or publicly accessible government repository as a verification
procedure in compliance with regulations
viii. Regulatory authorities, police or security agencies, courts of law or statutory
authorities in response to litigation and demand issued on legal/regulatory
grounds in accordance with the law
ix. Agencies tasked with conducting surveys on behalf of NCBA
x. Emergency and disaster response providers in cases where a person’s health and safety is at stake when an emergency call is made.
xi. Persons involved in delivering NCBA products and services you use or order
b. We require all third parties to respect the security of your Personal Data and to treat it
in accordance with the law. We do not allow our third-party service providers to use
your Personal Data for their own purposes and only permit them to process your
Personal Data for specified purposes and in accordance with our instructions.
Transfer of Your Personal Data Outside Tanzania
a. Any transfer of personal data outside Tanzania will be conducted in compliance with
applicable data protection laws. NCBA will ensure that adequate safeguards are in
place to protect your data during such transfers, which may include contractual
agreements with third parties to uphold data protection standards consistent with this
policy.
b. We may need to transfer or store your information in another jurisdiction to fulfill a legal
obligation, for our legitimate interest and to protect the public interest.
c. Insofar as is required for providing our services, we use third party service providers
who are located outside Tanzania or store your information (including your sensitive
personal data) outside Tanzania, including in countries that may have different data
protection laws from those in Tanzania.
d. When we, or our permitted third parties transfer or store information outside Tanzania,
we or they will ensure that it is lawful and that it has an appropriate level of protection,
including transfer to jurisdictions that have established data protection laws, and
entering legally binding agreements to ensure the security of your Personal Data.
e. Where your information is transferred to affiliates of NCBA Bank Tanzania Limited in
other countries, we ensure that your Personal Data is protected by requiring that they
follow the same rules when processing your Personal Data.
f. We may also transfer your information across the country borders where you have
consented to the transfer.
g. If we transfer your information outside Tanzania in other circumstances (for example,
because we have to provide such information by law), we will use best endeavors to
put in place appropriate safeguards to ensure that your information remains
adequately protected.
How We Keep Your Information Secure
a. We have put in place appropriate security measures to prevent your Personal Data
from being lost, used or accessed in an unauthorized way, altered or disclosed. In
addition, we limit access to your Personal Data to those employees, agents,
contractors and other third parties who have a business need to know. They will only
process your Personal Data on our instructions, and they are subject to a duty of
confidentiality.
b. We have put in place procedures to deal with any suspected personal data breach
and will notify you and any applicable regulator of a breach where we are legally
required to do so.
How Long We Shall Retain Your Personal Data
a. We will only retain your Personal Data for as long as reasonably necessary to fulfill the
purposes we collected it for, including for the purposes of satisfying any legal,
regulatory, tax, accounting or reporting requirements. We may retain your Personal
Data as per the law and for a longer period in the event of a complaint or if we
reasonably believe there is a prospect of litigation in respect of our relationship with
you.
b. To determine the appropriate retention period for Personal Data, we consider the
amount, nature and sensitivity of the Personal Data, the potential risk of harm from
unauthorized use or disclosure of your Personal Data, the purposes for which we
process your Personal Data and whether we can achieve those purposes through
other means, and the applicable legal, regulatory, tax, accounting or other
requirements.
c. In some circumstances, we will anonymize your Personal Data (so that it can no longer
be associated with you) for research or statistical purposes, in which case we may use
this information indefinitely without further notice to you.
Data Subject’s Rights
a. Subject to legal and contractual exceptions, you have rights under applicable laws in
relation to your Personal Data. These are listed below:
i. Right to be informed that we are collecting your personal information and how
we are processing it.
ii. Right to rectify your personal data where it is inaccurate or incomplete.
iii. Right to withdraw your consent to processing of your personal data. However,
we may continue processing your personal data for legitimate interests or legal
grounds. Please note that your withdrawal will not affect the lawfulness of our
processing which was based on prior consent before your withdrawal. In some
instances, we will not be able to provide our products and services if you
withdraw your consent.
iv. Right to object to processing of all or part of your personal data. However, we
may decline your request if we are obliged by law or entitled to do so.
v. Right of erasure of your personal data held by us, noting that we may continue
to retain your information if we are entitled to do so or obliged by law.
vi. Right to access your personal data in our possession.
vii. Right to not be subjected to profiling or automated decision making with regard
to processing of your Personal Data. However, we may decline your request if
we are obliged by law or entitled to do so. If you are not satisfied with the
outcome of any decision please contact us as directed below.
viii. Right to request your personal data to be processed in a restricted manner. Note
that we may continue processing data and reject the request if we are entitled
to or are legally obliged; and
ix. Right to data portability in a manner we may deem appropriate such as
electronic format.
b. We may need to request specific information from you to help us confirm your identity
and ensure your right to access your Personal Data (or to exercise any of your other
rights). This is a security measure to ensure that Personal Data is not disclosed to any
person who has no right to receive it. We may also contact you to ask you for further
information in relation to your request to speed up our response.
c. To exercise these rights, please contact us through the details provided in this policy.
We will respond to your requests within 14 days unless we require additional time, in
which case we will notify you of the delay.
Collection of Personal Data From Children
Protecting the privacy of children is of utmost importance to us. NCBA only processes Personal
Data relating to minors as provided by their parents or legal guardians. The parents/legal
guardians provide their signature as authorization and/or consent for use of the minors’ details
for provision of the Bank’s products and services, or involvement in the Bank’s activities. If you
believe that we have inadvertently collected Personal Data relating to a minor, please
contact us using the contact details provided.
Compliance and Accountability
NCBA commits to regularly reviewing our compliance with the principles outlined in this Privacy
Policy. Any breaches or failures to comply with this policy will be investigated, and corrective
actions will be taken as necessary.
NCBA reserves the right to discontinue any agreement in case of failure to comply with the
provisions in this Privacy Policy and to decline any application for information that contradicts
this Privacy Policy.
Changes to This Privacy Policy
We shall modify or update this policy from time to time. The updated policy can be found at
https://ncbagroup.co.tz/privacy-policy/ .
In the event of significant changes to this Privacy Policy which affect your rights or how your
personal data is processed, we shall notify you via email or through a notice on our website at
least 30 days prior to the change taking effect, ensuring that you have ample time to review
and understand the impacts of such changes.
Feedback Mechanism
The bank values your feedback regarding our privacy practices. Users can submit comments,
questions, or concerns about this Privacy Policy to our designated contact emails. We commit
to reviewing all feedback and will respond to inquiries within a reasonable timeframe.
How to Contact Us
In case you would like to contact us with reference to the terms of this privacy policy, or to
exercise any of your rights in relation to your Personal Data, you can reach us through the
below contacts.
NCBA Bank Tanzania Limited
Amani Place Building,
1st, 2nd & 10th Floor, Ohio Street.
P.O. Box 20268, Dar es Salaam, Tanzania.
Tel: +255 22 2130113 | Fax: +255 22 2130116
Email: contact@ncbagroup.com or dataprotectionTZ@ncbagroup.com
Right to Appeal to Supervisory Authority
You have the right to make a complaint to the Tanzania Personal Data Protection Commission
(PDPC) in relation to the handling of your personal data, or to appeal against any decision
regarding your personal data through the below contacts:
Director General
Personal Data Protection Commission
P.O. Box 1105, UCSAF Building, Dodoma
Tel: +255 743 699 996
Email: dg@pdpc.go.tz