
SBM Holdings Ltd and its subsidiaries (the “Group”) are committed to protecting their valued customers’ personal data and keeping it confidential. With the enforcement of the Data Protection Act 2017 (the “DPA”) on 15 January 2018 and the coming into force of the General Data Protection Regulation (the “GDPR”) on 25 May 2018, the Group acknowledges that its valued customers may have many questions about these new laws and regulations. Therefore, to help our valued customers better understand the aforementioned law and regulation, we have outlined some of the significant provisions below.
How will the GDPR and the DPA affect you?
1. Personal Data Processing
The processing of your personal data is conducted in compliance with the GDPR and the DPA. As such, the personal data are:
• Processed legally with a clear view as to how the information will be used in accordance with your rights;
• Collected for specified, explicit and legitimate purposes;
• Accurate and kept up to date;
• Retained for no longer than is necessary for the relevant purposes, while taking into account the legal requirement of a retention period of at least 7 years;
• Only processed if the data are kept appropriately secure.
2. Consent
Your consent for processing and maintaining your information requires some form of clear affirmative action and must be verifiable. This means that some form of record must be kept by the Group as to how and when consent was given. You have a right to withdraw consent at any time. Withdrawing consent should be made as easy as granting it.
3. Right of Access
You have the right to know whether or not your data is being processed. We shall supply a free copy of the processed data within one month upon written request of our customer. However, we reserve the right to charge a 'reasonable fee' if your requests are manifestly excessive or repetitive.
4. Right to be Informed
We must provide appropriate information on the processing procedure and be transparent as to how we use personal data (privacy notice). We must provide the information to you at the time information is obtained (if obtained directly) or within a reasonable period (if obtained indirectly) upon written request.
5. Right to Deletion
The customer may request to ‘be forgotten’ or be deleted from the database of the Group, subject to exceptions, if the processing causes him or her damage or distress. However, there are some specific circumstances where the Group may reject the deletion request if such requests are not in line with other laws pertaining to record keeping, public interest, historical, statistical or scientific research, or the establishment, exercise or defence of legal claims.
6. Right to Rectification
The customer has the duty to notify and update the Group of any change in the information maintained by it at any time. The personal data of the customers must be rectified if they are inaccurate or incomplete, and the Group must inform any third parties accordingly if it has disclosed such data to them. Further, the Group will also have to inform its customers about the third parties (service providers; Data Processors) to whom the data have been disclosed.
7. Automated Decision-Making and Profiling
The customer has the right to decline any decision based solely on an automated letter which has been generated without any human intervention. The customer must be able to:
1. Express his/her point of view;
2. Seek assistance from an officer of the Bank; and
3. Obtain an explanation of the decision and challenge it.
This right applies to all automated decision making, including profiling.
However, these rights will not apply if the decision is required by law or based on explicit consent.
8. Right to Object
You have the right to object, in writing, at any time to the processing of your personal data, to receiving e-mails pertaining to marketing, or to processing that is causing substantial distress or damage which is unwarranted. Upon receiving an objection in writing, the Bank shall stop processing the personal data immediately.
9. Data Breaches
A data breach occurs where there is an unauthorised disclosure or a loss of personal data. Any breach must be reported to the Data Protection Officer (dataprotection@sbmgroup.mu) as soon as the breach is noted so that appropriate measures can be taken to recover or limit any damage.
The Group is bound by law to notify the Data Protection Office of any breach within 72 hours after becoming aware of it. Further, where a breach is likely to put a customer’s rights and freedoms at high risk, the Bank has the obligation to notify the person concerned directly.
Should you feel your rights have been breached by us, you may lodge a complaint with the Commissioner.