Our Binding Corporate Rules (BCR) binds Ecobank to protect user information consistently throughout Ecobank affiliates globally. The BCRs require that Ecobank entities observe the following processing principles for User Information:

• Process User Information fairly and lawfully
• Provide notice to Users about the processing of their personal information and their rights
• Collect User Information for specified, legitimate purposes and not process further in ways incompatible with those purposes
• Maintain User Information in adequate and relevant ways, in relation to the purposes for which they are collected
• Keep User Information accurate and up-to-date as reasonably possible
• Process User Information in a way that is relevant and not excessive for the purposes for which they are collected and used
• Store User Information for as long as necessary for the Services and
• Protect User Information with appropriate physical, technical and organisational security measures to prevent unauthorised access, unlawful processing and unauthorised or accidental loss, destruction and damage.

In addition to our BCRs, we monitor developments in global privacy regulations, such as the forthcoming GDPR regulation in Europe, and incorporate those requirements into our overall privacy programme and control environment as appropriate.

Laws around the world define sensitive information differently. In many African countries, sensitive information is defined in country laws and focuses on information that could be used to commit financial fraud or identity theft. In the EU, Sensitive Personal Definition includes types of information that could be used to discriminate against an individual, for example ethnic origin or political views.

Our Binding Corporate Rules (BCR) require us to not knowingly collect EU sensitive personal information from users or use it for our own purposes if it is voluntarily provided by users. Financial information that is provided to us to facilitate transactions on our sites is protected by a variety of technical, organisational and physical controls. We continually review and improve our security measures, such as our efforts to migrate to using HTTPS as described here on our technology blog.

We may disclose your personal information to other departments of Ecobank or to third parties. This disclosure may be required for us to provide you access to our services, to comply with our legal obligations, to enforce our user agreements, to facilitate our marketing and advertising activities, or to prevent, detect, mitigate, and investigate fraudulent or illegal activities related to our services.

We do not disclose your personal information to third parties for marketing and advertising purposes without your explicit consent.

We have training in place to help our technology engineers and administrators understand the privacy and security considerations throughout the product lifecycle (design through implementation). This includes concepts such as data minimisation, user transparency and choice, and privacy-respecting default settings. Checks have been embedded in our processes to validate the security controls prior to deploying products to our Users.

Further, Ecobank has Security and Privacy programs in order to embed security privacy knowledge in our products. Our training programmes are regularly d to take account of developments in privacy and information security.

Ecobank may share User Information with third party processors (such as service providers or vors). Contracts with third party processors require sufficient technical and organisational security measures, limit the use of User Information to purposes defined by the affiliates, and retain control of User Information where applicable.

Additionally, Ecobank will only transfer User Information of Users located in the EU to third party processors that provide an adequate level of protection when processing User Information (for instance by entering into contracts based on the model clauses for the transfer of EU User Information to processors established in third countries published by the European Commission). Agreements with third party processors provide for legal remedies in the event of a breach of the agreement.

To close your account with Ecobank, visit any of our branches or go to the product"s website and submit a request. We"ll remove your personal information, or make it anonymous, as soon as reasonably possible based on your account activity and in accordance with applicable law. We may an account closure or retain your information to conduct an investigation or if required by law.

We may also retain account information to do any of the following:

• Comply with law
• Prevent fraud
• Collect any fees owed
• Resolve disputes
• Troubleshoot problems
• Assist with investigations
• Enforce a site"s terms and conditions
• Comply with legal requirements
• Take other actions otherwise permitted by applicable law

Once we no longer have a need to retain information, it is erased in accordance with our retention and deletion policies.

Ecobank stores data primarily with eProcess International S.A.to provide the best service possible to our users. To ensure the integrity of our tems, we are unable to provide specific location details. Ecobank ensures compliance with regulatory and local laws in according to our Binding Corporate Rules (BCRs) and applies industry standard physical, technical, process, and business controls to ensure data is adequately protected and only accessed by authorised and authenticated parties.

A person who can be identified directly or indirectly by means of an identifier. For example, an identifier can be a national identifier, a credit card number, a username, or a web cookie.

Any personal information, including sensitive personal information, relating to a Data Subject. For example, address, date of birth, name, location and nationality.

An individual working for a Controller or a Processor with extensive knowledge of the data privacy laws and standards. The Data Protection Officer (DPO) shall advise the controller or the processor of their obligations according to the GDPR and monitor its implementation. The DPO acts as a liaison between the controller/processor and the supervisory authority.

A natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. For example, each Ecobank affiliate is a Controller.

A natural or legal person, agency or any other body which processes Personal Data on behalf of the Controller. A Processor can also be a cloud service provider or an outsourcing company. For example, eProcess International S.A. is a Processor for the Ecobank Group.

Any natural or legal person, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorised to process the data. For example, partners or subcontractors.

GDPR stands for General Data Protection Regulation and is the new European Union Regulation set to replace the Data Protection Directive (DPD) and The UK Data Protection Act 1998. After many years of debate it was approved by the EU Parliament on April 14th 2016 and involves the protection of personal data and the rights of individuals. Its aim is to ease the flow of personal data across the 28 EU member states.

Privacy applies to a consumer’s right to safeguard his or her information from any other parties. Confidentiality applies where someone trusted with information must safeguard this data from being released. Not all confidential data borders on privacy.

Opt-outs are opportunities for individuals to object to marketing approaches. Opt-ins gather the explicit consent of an individual to receive marketing approaches.

The GDPR applies to information that directly or indirectly could identify an individual. This includes information, such as names, addresses, phone numbers, date of birth, as well as IP addresses, cookie identifiers, device information, advertising identifiers, financial information, geo-location information, social media information, consumer preferences, etc.