Zambia National Commercial Bank PLC (“we”, “our”, or “the Bank”) is committed to protecting the privacy and security of personal data of individuals we engage with during our operations in Zambia, including customers and vendors. This Data Protection and Privacy Policy Statement (the Privacy Statement) explains how the Bank, as a Data Controller and Data Processor, collects, uses, discloses, transfers, protects and retains your personal data, when the Bank may disclose your personal data to third parties and when the Bank may transfer your personal data outside of Zambia in accordance with the Data Protection Act No. 3 of 2021 of the Laws of Zambia, other applicable laws and international best practices and standards.
This Privacy Statement also describes your rights regarding the personal data that we hold about you including how you can access, correct, and request erasure of your personal data. The Bank will only process your personal data in accordance with this Privacy Statement unless, otherwise required by applicable law. We take steps to ensure that the personal data that we collect about you is adequate, relevant, not excessive, and processed for limited purposes.
This Privacy Statement applies to personal data processed by Zambia National Commercial Bank PLC in Zambia, relating to Customers and Vendors (prospective, current and former).
To carry out our activities and obligations in our relationship with you, we may collect, store, and process the following categories of personal data:
a. Identification: names, contact details, ID numbers, nationality, date of birth, tax details, marital status
b. Employment: job titles, education, work history, salary, performance data
c. Security: access logs, CCTV images,
d. Financial: bank account details, transaction history, credit profile, tax details
e. Biometric: facial image, fingerprints, voice (where applicable)
f. Digital: IP address, device data, browser information
g. Contact: home address, email address, phone number
h. Credit History
The personal data listed above is necessary for us to administer our contractual relationship and failure to provide or allow us to process the required personal data may affect our ability to accomplish the purposes stated in this Privacy Statement.
We will collect most of the personal data that we process directly from you. In limited circumstances third parties may provide your personal data to us, such as former employers, regulators and credit reference agencies.
a. Under the Data Protection Act in Zambia, we process your data on the following bases:
a. With your express Consent, and
b. Where processing is necessary for the following reasons:
1. For performance of the contract with the Bank or taking steps prior to entering the contract
2. For compliance with legal obligation on the part of the Bank to protect your vital interests or those of another natural person
3. Performance of task carried out in public interest
4. For purposes of legitimate interests being pursued by the Bank or a third party provided such interests are not overridden by your fundamental rights and freedoms
b. Generally, we process personal data for the following purposes:
We will only disclose your personal data to third parties where required by law or to our employees, contractors, designated agents, or third-party service providers who require such information to assist us with performing our contractual obligations with you. Third-party service providers may include, but are not limited to, Credit or Debit card producers, insurance companies, and data storage or hosting providers. These third-party service providers may be located outside Zambia.
We require all our third-party service providers, by written contract, to implement appropriate security measures to protect your personal data consistent with our policies and any data security obligations applicable to us. We do not permit our third-party service providers who process your personal data on our behalf to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes in accordance with our instructions.
We may use your personal data to send you promotional information about banking products and services. We do so:
a. With your explicit consent, or
b. Zanaco’s legitimate interest.
You have the right to withdraw consent at any time by contacting us.
Where we use automated systems for decisions that significantly affect you — such as loan approvals or credit scoring — we:
a. Notify you of the logic involved
b. Allow you to request human review
c. Offer the right to contest the decision
These practices are subject to safeguards in accordance with Zambian data protection laws.
We may share your personal data with:
a. Regulatory bodies: Bank of Zambia, Financial Intelligence Centre (FIC), Zambia Revenue Authority (ZRA), NAPSA, among others
b. Service providers: IT providers, payment processors, cloud storage vendors, who are bound by Data Processing Agreements and confidentiality agreements to comply with the Data Protection Laws
c. Professional advisors: lawyers, auditors, compliance consultants
d. Credit reference bureaus and fraud prevention agencies
e. Law enforcement agencies, upon lawful request
Where permitted by applicable law, we may transfer the personal data we collect about you to other jurisdictions. Where personal data is legally transferred outside Zambia, we ensure:
a. The receiving party ensures an adequate level of data protection, and that
b. Standard contractual clauses and other safeguards are in place as permitted under the Zambian Data Protection Act.
We implement appropriate physical, technical and organizational security measures designed to secure your personal data against accidental loss and unauthorized access, use, alteration, or disclosure to protect your data, including:
a. Encryption of sensitive data
b. Access control and role-based permissions
c. Physical security of premises and data centers
d. Employee training and policies for all employees handling personal data
e. Regular IT risk assessments and penetration testing
In addition, we limit access to personal data to only those employees, agents, contractors, and other third parties that have a legitimate business need for such access. In the event of a data breach, we will notify you and the Data Protection Commissioner in accordance with the Data Protection.
Except as otherwise permitted or required by applicable law or regulation, we will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, as required to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes. To determine the appropriate retention period for personal data, we consider applicable legal requirements, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes we process your personal data for, and whether we can achieve those purposes through other means. We specify the retention periods for your personal data in our data retention policy.
Under some circumstances we may anonymize your personal data so that it can no longer be associated with you.
You have the following rights under the Law:
a. Right to be informed – To be informed about the collection and use of your Personal Data.
b. Right to access your data – To request access to and obtain a copy of your Personal Data. Zanaco may apply a fee for this.
c. Right to rectification – To request that Zanaco correct your Personal Data. This can be done at your nearest branch, through your relationship manager or the DPO.
d. Right to deletion (“right to be forgotten”) – To request Zanaco to delete your Personal Data if Zanaco no longer has a valid reason to retain and process, subject to all applicable laws.
e. Right to object to processing – To object to processing of your Personal Data in certain circumstances as defined by applicable laws.
f. Right to data portability – To request a copy of your Personal Data in a machine-readable format.
g. Right to Restrict processing – To restrict processing consent relating to your Personal Data in well-defined circumstances as defined by applicable laws.
h. Right to withdraw Consent -Where you have provided your consent to the collection, processing, or transfer of your personal data, you may have the legal right to withdraw your consent under certain circumstances.
The rights stated above may be exercised at reasonable frequency and without undue delay, at your nearest branch, through your Relationship Manager or by contacting our Data Protection Officer.
In the event of a Personal Data Breach (defined as a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data), Zanaco will notify the Data Protection Commissioner in accordance with the Data Protection Laws and internal Zanaco Policies.
If you have any questions about our processing of your personal data or would like to access your personal data or other requests, please contact us at:
Data Protection Officer
Zambia National Commercial Bank PLC
E-mail: [email protected]
Phone/Mobile: 260 211 425 650 / 0977915900
Address: Plot 2118 Chainda Place South End, Cairo Road Lusaka Zambia
For complaints, you may also contact:
Data Protection Commissioner
Maxwell House, Los Angeles Boulevard,
P. O. Box 50464, Lusaka, Zambia.
Website: www.dataprotection.gov.zm
If your queries are still not addressed to your satisfaction, you have the right to lodge a formal complaint through our Complaint Handling Process (Please refer to our complaint handling procedure).
We will address your concerns in accordance with Zanaco Data Protection and Privacy Policy, applicable law and international best practice relating to Data Protection.
We reserve the right to update and revise this Privacy Statement at any time, and we will provide you with the updated Privacy Statement when we make any updates. We may revise this Privacy Statement periodically. Any changes will be published on our website and, where appropriate, communicated to you directly. You are advised to visit this site regularly to check for any amendments. Changes to this policy become effective when published and will come into effect immediately.
