This statement describes how Pembeni Cash Limited (“PCL”), a duly registered data controller, protects the personal data it processes, why and how the Company collects and uses personal data and how data subjects can exercise their rights in relation to the processing of their personal data.Pembeni is committed to protecting the privacy and security of personal data relating to its customers and other individuals with whom the Company interacts with in accordance with Kenya’s Data Protection Act, the Central Bank of Kenya (CBK) guidelines, and other applicable laws and regulations.

This privacy statement should be read together with the General Terms and Conditions of Use for all applicable PCL’s products and services. For avoidance of doubt, where there is a conflict with regards to data matters, this privacy statement will prevail.

1. Definitions

• “PCL” and “the Company” means Pembeni Cash Limited and includes its successors in title and assigns, its affiliates and/or its subsidiaries as may from time to time be specified by the Company to you.
• “Data Subject” means a person to whom personal data relates i.e. customers or an employee(s) whose personal data is processed in the course of employment. In addition, a Data Subject could be:

• • Customer(s) – (which includes personal representatives and assignees) operating an Account held with the Company, and includes (where appropriate) any person the Data Subject authorizes to give instructions to the Company, the person who uses any of the Company’s products and services or accesses its platforms, including but not limited to the website and mobile money platforms. “Customer” shall include genders i.e. juristic/legal persons as registered and identifiable by their country of citizenship/residence.
  • Any agent, dealer and/or merchants who has signed an agreement with the Company, and is recognized as a power of attorney, merchant or agent in accordance with any applicable laws or Regulations.
  • Any visitor that is a natural person (including contractors/ subcontractors or any third parties) who gain access to any premises operated by the Company.
  • Any supplier/ service provider who has been contracted by the Company.
  • Any external lawyer who has tendered his/her application and/or signed a service level agreement with the Company.
  • Any valuer or auctioneer who has signed an agreement with the Company.
  • Any natural person engaged directly or indirectly in business with the Company.

• “Personal data” or “personal information” means: Information about any data subject, or information that identifies a natural human being as a unique individual, such as name/s and surname combined with the data subject’s physical address, contact details and/or passport/identity number.
• “Processing” collectively means handling, collecting, using, altering, merging, linking, organizing, disseminating, storing, protecting, retrieving, disclosing, erasing, archiving, destroying, or disposing of the customer’s personal information.
• “Sensitive personal information” includes but is not limited to data revealing a data subject’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including details of the Data Subject’s children, parents, spouse or spouses, sex or sexual orientation.

2. Collection of Personal Data

The Company will only collect personal data about Data Subjects where it is necessary to achieve the purposes set out in this privacy statement, and the contracts between the Company and the Data Subjects. The Company collects Data Subjects’ personal information with their knowledge and consent, with exception to cases where prior consent cannot be obtained for natural reasons, and the processing of the data is permitted by law.

Personal information may be given to or collected by the Company in writing as part of a written application form, contract, electronically (email), telephonically, online (www.pembenicash.com) or via App.

The Company will collect personal information from Data Subjects when they do any of the following:

• Make an application, buy or use any of PCL’s products and/or service or from third parties on the Company’s electronic and digital platforms.
• Use any of PCL’s product and/or service online, on a mobile or other device or in any of the Company’s branches or with any of PCL’s agents.
• Ask PCL for more information about a product or service or contact PCL with a query or a complaint.
• When a Data Subject visits or accesses any of PCL’s buildings/premises.
• Where a Data Subject has been identified as a next of kin by the Company’s customer(s) or employee(s).
• Where a Data Subject has applied for employment at PCL.
• Attend an event sponsored, hosted, organized or supported by PCL.
• Engage PCL as a supplier, agent, dealer or contractor.
• Visit, access or use any of PCL’s online platforms/ websites.
• Subscribe to any of PCL’s online services, Short Message Service (SMS), email or social media platforms.
• Respond to, express interest, or participate in a survey, promotion, competition or special offer.

PCL may also collect and share information from Data Subjects from other organizations, including but not limited to credit-reference bureaus (CRB), fraud prevention agencies, regulators, Government agencies and business directories;

1. When a Data Subject establishes a relationship with one or more of PCL’s staff and clients;
2. When PCL requires personal information from a Data Subject in order to fulfil a statutory or contractual requirement, or where such information is necessary to enter into a contract or is otherwise an obligation, the Company will endeavour to inform the Data Subject and indicate the consequences of failing to do so;
3. When a Data Subject makes an application or engages with PCL as a beneficiary of any of its social programmes.

The aforementioned examples are non-exhaustive, which is reflective of the varied nature of the personal information PCL may collect. The Company has employed the following security mechanisms to safeguard the Data Subject’s personal information in its possession:

1. Multifactor authentication that ensures secure digital transactions.
2. In-system encryption, anonymisation and pseudonymisation of data (as the case may require).
3. State of the art security and backup systems.

3. Information Collected

From individuals who are PCL’s customers and prospective customers, or are representatives of customers and prospective customers, the Company may collect personal information that includes but is not limited to the following:

• Identity information including title, name, photograph, marital status, nationality, occupation, residence, address, location, phone number, identity document type and number, date of birth, age, gender, email, social media addresses, introducer’s name and account number, next of kin name, address, mobile and email address, relationship.
• Name of the Data Subject’s employer, terms of employment and if on contract, expiry of the contract, and in certain circumstances, a copy of the contract or invoices from time to time.
• Estimated monthly income.
• In case of a student, the college or university and graduation date, and in some cases, letter from the University.
• Signature specimen.
• Credit or debit-card information, information about the Data Subject’s bank account numbers, and/or other banking information.
• Transaction information when Data Subject uses the Company’s electronic and digital platforms, branches, agents and/or contractors.
• Preferences for particular products and services, based on information provided by the Data Subject or from use of PCL’s network or third party products and services.
• Name, family details, age, profiling information such as level of education, bank account status, income brackets, etc. collected as part of surveys conducted by PCL and its agents on behalf of PCL.
• Contact records with the Company, such as when a Data Subjects: calls or interact with PCL through social media, email (the Company may record conversations, social media or other interactions), register the Customer’s biometric information such as voice, fingerprints etc, visit branches.
• Relevant information as required by regulatory Know Your Client (KYC) and/or Anti Money Laundering (AML) laws, regulations and guidelines, and as part of the Company’s client onboarding procedures. This may possibly include evidence of source of funds, at the outset of and possibly, from time to time, throughout the relationship with clients, which PCL may request and/or obtain from third party sources. The sources for such verification may include documentation, which the Company requests from a Data Subject or through the use of online or public sources, or both.
• The Company uses Closed Circuit Television (CCTV) surveillance recordings. CCTV Devices are installed at strategic locations to provide a safe and secure environment in all PCL branches and premises as a part of the Company’s commitment to security and crime prevention.
• PCL maintains a register of visitors in which the Company may collect and keep personal data such as names, company/institution details, telephone number, vehicle registration details, National ID number and device serial number and model (where Data Subjects visit the Company’s premises with devices e.g laptops). This information is collected for health, safety and security purposes.
• The Company collects and retains personal data (name, telephone number, and vehicle registration details) from Data Subjects when a request for a parking space in any of PCL premises is made. PCL uses the data provided to ensure effective car park management, health and safety compliance, for security purposes and inventory management.
• When a Data Subjects uses internet connection for guests and visitors, the Company collects Internet Protocol (IP) Addresses. The Company may record the device address and also log traffic information in the form of sites visited, duration and date sent/received.
• Information a Data Subject provides for the purposes of attending meetings and events.
• The Company may use a Data Subject’s medical information to manage its services and products delivery.
• Where a Data Subject uses their fingerprint/facial recognition option, the Company may collect and process the biometrics provided to authenticate transactions.
• The Company collects personal information when a Data Subject visits PCL for purposes of accident and incident reporting. PCL will collect personal data from the injured party or person suffering from ill health, such as, Name, Address, Age, next of kin, details of the incident to include any relevant medical history. The data is collected as PCL has a legal duty to document workplace incidents/accidents and to report certain types of accidents, injuries and dangerous occurrences arising out of its work activity to the relevant enforcing authority. Incidents and accidents will be investigated to establish what lessons can be learned to prevent such incidents/accidents recurring including introduction of additional safeguards, procedures, information instruction and training, or any combination of these. Monitoring is undertaken on an anonymized basis. The information is also retained in the event of any claims for damages.
• When a Data Subject visits the Company’s website, PCL may collect ID-type information: cookie ID, mobile ID, and IP address which is used for real-time processing in order to generate a visitor ID.
• Information that a Data Subject provides to the Company, and/or Correspondent institutions as part of the provision of Services to its customers, which depends on the nature of engagement with the customer.
• PCL may collect details of a minor which include name, date of birth, birth certificate number, relationship with the applicant and any other information relevant for the provision of PCL’s products and services. The Company will only process such data where parental or legal guardian consent has been given. PCL will also ensure that the processing of such data will be done in a manner that protects and advances the rights and best interests of the child.

4. Mailing lists

The Company collects information to enable improve its customer experience, and market its products and/or services, which may be of interest to Data Subjects. For this purpose, the Company may collect:

• Name and contact details.
• Other business information, such as job title and the company the Data Subject works for.
• Products and/or services that interest the Data Subject.
• Additional information may be collected, such as events Data Subjects attend.

5. Use of Personal Data

This privacy statement aims to give Data Subjects complete and transparent information on how PCL processes personal data. The Company is committed ensuring that personal information is processed in a way that is compatible with the specified, explicit, and legitimate purpose of collection.

Where personal data relates to a child, the Company will process the personal data only where parental or legal guardian consent has been provided. The processing of such data will be done in a manner that protects and advances the rights and best interests of the child.

The Company may use the collected personal data of Data Subjects for any of the following purposes, but are not limited to:

• Verifying identity information through publicly available and/or restricted Government databases to comply with applicable Know Your Customer (KYC) requirements.
• Assessing the purpose and nature of business or principal activity, financial status and the capacity in which the Data Subject is entering into the business relationship with the Company.
• Creating a record of the Data Subject on PCL’s system to verify identity, offer products and/or services that the Data Subject has applied for, either from the Company, or from third parties on its platforms.
• Communicate with and keep Data Subjects informed about the products and/or services offered.
• Verification of age and consent where the personal data relates to a child.
• Identifying a Data Subject and verifying their physical address.
• Identifying source(s) of income and similar information.
• Assessing personal financial circumstances and needs before providing financial advice.
• Responding to any queries or concerns, PCL may record or monitor telephone calls between the Company and Data Subject to check instructions and ensure that the Company is meeting its service standards.
• Carrying out credit checks and credit scoring.
• To perform obligations under a contractual arrangement.
• Fraud prevention, detection and investigation.
• Any purpose related to the prevention of financial crime, including sanctions screening, monitoring of anti-money laundering and any financing of terrorist activities.
• Further processing for historical, statistical or research, survey and other scientific or business purposes where the outcomes will not be published in an identifiable format.
• Provide aggregated data (which do not contain any information which may identify the Data Subject as an individual) to third parties for research and scientific purposes.
• In business practices including for quality control, training and ensuring effective systems operations.
• To understand how a Data Subject uses the Company’s products and services for purposes of developing or improving products and services.
• Administer services on any of PCL’s online platforms/ websites.
• To comply with any legal, governmental, or regulatory requirement or for use by the Company’s lawyers, auctioneers and contractors in connection with any legal proceedings.
• For purposes relating to the assignment, sale, or transfer of any of the Company’s businesses, legal entities or assets, in whole or in part, as part of corporate transactions.
• Keeping Data Subjects informed generally about new products and services and contacting them with offers or promotions based on how they use the Company’s or third-party products and services, unless the Data Subject opts out of receiving such marketing messages (you may contact PCL at any time to opt out of receiving marketing messages).
• Where the Data Subject has applied for employment at PCL, the Company may perform applicant screening and background checks, either internally or externally.
• Where the Data Subject is a PCL employee (including contractors), the Company creates an employment record of the Data Subject to facilitate continuous monitoring during employment with the Company.
• Where the Data Subject is a PCL director, the Company creates a record of the Data Subject as a director.
• Where the Data Subject is a supplier to PCL, the Company processes personal information for due diligence, risk assessment, administrative and payment purposes.
• For security purposes when accessing any of PCL buildings/ premises.
• Where the Data Subject attends an event sponsored, hosted or organized by PCL, the Company may take photos or videos of the event. These images or videos will be used to share news about the event, and may be used in press releases, printed publicly, and published on the Company’s website upon obtaining consent.

6. Sensitive (Special Categories) Data

The Company may collect Special Categories of Personal Data about the Data Subject (includes details about race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including details of their children, parents, spouse or spouses, sex or sexual orientation and biometric data). The Company will rely on any of the legal basis provided in clause 8 below for such collection.

7. Transfer of Personal Data

PCL may transfer personal information of Data Subjects for the purpose of effecting/implementing, administering, and securing any product or service that the Data Subject has applied for, or for other purpose set out in this privacy statement. PCL also shares data with PCL-controlled affiliates and subsidiaries; with agents working on the Company’s behalf; when required by law or to respond to legal process; to protect its customers; to protect lives; to maintain the security of its products; to comply with regulatory requirements and to protect the rights and property of PCL and its customers.

The Company may transfer or disclose the personal data it collects to regulatory, fiscal or supervisory authority, correspondent institutions on transaction enquiries, third party contractors, subcontractors, and/or their subsidiaries and affiliates who provides support to PCL in providing its products and services. The third-party providers may use their own third-party subcontractors that have access to personal data (sub-processors). The Company shall ensure that its third-party providers that have access to any Data Subject’s personal data comply with the requirements of the Data Protection Act in all respects and purposes. Further, the Company shall ensure that they process personal information only as instructed by PCL, and PCL shall only authorize the use of sub-contractors (on a case by case basis) that comply with the same obligations.

• Cross-border transfers

To enable the Company to perform its contractual obligation or secure the performance of a service, the Company may from time to time need to transfer personal information of Data Subjects outside the country. In so doing, the Company will endeavour to satisfy the Data subject and the ODPC that there is proof of adequate data protection safeguards in the recipient country and that the jurisdiction of the receiving country has commensurate data protection laws.

• Other Disclosures

The Company may disclose personal information of Data Subjects where required by law, to enforce other agreements, or to protect the rights, property, or safety of its business, clients, customers, employees, or others. PCL may disclose, respond, advise, exchange and communicate personal data and/or information in the Company’s possession relating to a Data Subject outside PCL, whether such personal data and/or information is obtained after a Data Subject ceases to be the Company’s customer, or during the continuance of the Company-customer relationship, or before such relationship was in contemplation, provided that such personal information is treated in confidence by the recipient:

• for fraud prevention, detection and investigation purposes.
• to licensed credit reference agencies or any other creditor if the Data Subject is in breach of their obligations to the Company, and for assessment of credit applications and for debt tracing.
• to licensed credit reference agencies or any other creditor for determining payment history.
• to the Company’s external lawyers, auditors, valuers, survey agencies, and sub-contractors, software developers or other persons acting as agents of the Company.
• to any person who may assume the Company’s rights within the confines of the law.
• to debt collection agencies.
• providing income tax-related information to tax authorities.
• to any regulatory, fiscal or supervisory authority, any local or international law enforcement agencies, Governmental agencies, so as to assist in the prevention, detection, investigation or prosecution of criminal activities, courts or arbitration tribunal where demand for any personal data and/or information is within the law.
• to the Company’s subsidiaries, affiliates and their branches and offices (together and individually).
• where the Company has a right or duty to disclose or is permitted or compelled to do so by law.
• for purposes of exercising any power, remedy, right, authority or discretion relevant to an existing contract with the Company and following the occurrence of an event of default, to any other person or third party as well.

8. Legal basis for the processing of personal data

PCL will process personal information from Data Subjects as permitted by the applicable Data Protection Law and its internal policies:

• For the performance of a product/service contract.
• Where processing is necessary for the purposes of legitimate business interest(s) pursued by the Company or by a third party within the confines of the law.
• For the establishment, exercise or defense of a legal claim.
• Compliance with a mandatory legal obligation to which it is subject to.
• With consent.
• Public interest.
• To protect the Data Subject’s vital interest or the vital interests of any person.

9. Direct Marketing

From time to time, the Company may also use personal information from Data Subjects to contact them for market research or to provide information about other services the Company believes would be of interest to the Data Subject. Data Subjects may be required to opt-in or give any other form of explicit consent before receiving marketing messages from the Company. PCL respects the Data Subject’s right to control their personal data depending on which of the Company’s products are used. Therefore, at a minimum, the Company will always provide the opportunity to opt-out of receiving such direct marketing or market research communications. The Data Subject may exercise this right to opt-out at any time.

10. Retention of Personal Data

PCL will retain personal data only for as long as it is necessary to achieve the purpose for which it was collected. The Company may retain personal data and/or information for a period of up to seven (7) years or as may be required by law and maintains specific records management and retention policies and procedures, so that personal data are deleted after a reasonable time according to the following retention criteria:

• Where the Company has an ongoing relationship with the Data Subject.
• To comply with a legal obligation to which it is subject to.
• Where retention is advisable to safeguard or improve the Company’s legal position.

11. Data Subject’s Rights

Data Subjects have the right (in the circumstances and under the conditions, and subject to the exceptions, set out in applicable law to:

• Be informed that the Company is collecting personal data about the Data Subject.
• Request access to their personal information that the Company has on record. This right entitles the Data Subject to know whether PCL holds their personal data, and if so, obtain information on, including a copy of that personal data.
• Request PCL to rectify any of their personal data that is incorrect or incomplete.
• Object to and withdraw their consent to processing of their personal data. This right entitles the Data Subject to request that PCL to stop processing their personal data. The withdrawal of consent shall not affect the lawfulness of processing based on prior consent before its withdrawal. The Company may also continue to process the Data Subject’s personal information if it has a legitimate or legal reason to do so.
• Request the erasure of personal data. This right entitles the Data Subject to request the erasure of their personal data, including where such personal data would no longer be necessary to achieve the purposes of products and services used and offered by the Company.
• Request the restriction of the processing of personal data: This right entitles the Data Subject to request that PCL only processes their personal data in limited circumstances, including with their consent.
• Request portability of personal data. This right entitles Data Subjects to receive a copy (in a structured, commonly used, and machine-readable format) of personal data that they have provided to PCL, or request PCL to transmit such personal data to another data controller in an electronic format.

12. The Use of Cookies

The Company may store some information (using “cookies”) on the Data Subject’s computer when they visit the Company’s websites and platforms. This enables PCL to recognize the Data Subject during subsequent visits. The type of information gathered is non-personal (such as the Internet Protocol (IP) address of the computer being used, the date and time of the visit, which pages were browsed and whether the pages have been delivered successfully. The Company may use cookies for storing and honoring preferences and settings, enabling the Data Subject to sign in, providing interest-based advertising, combating fraud, analyzing how PCL’s products perform, and fulfilling other legitimate purposes.

PCL may also use this data in aggregate form to develop bespoke services – tailored to the individual interests and needs of Data Subjects. Should Data Subjects choose to do so, it is possible (depending on the browser used), to be prompted before accepting any cookies, or to prevent the browser from accepting any cookies at all. This will however cause certain features of the web site not to be accessible.

13. Contact Us

Please contact the Company’s Data Protection Officer in case of any (i) questions or concerns about how PCL processes personal data or (ii) interest to exercise any of the Data Subject rights in relation to personal data on +254 769 269 606 or by writing to: privacy@pembenicash.com

14. Amendments to this Statement

PCL reserves the right to amend or modify this privacy statement from time to time and the Data Subject’s continued use of its products and services constitutes the agreement to be bound by the terms of any such amendment or variation. Data Subjects can access the most current version of the privacy statement from https://pembenicash.com and any amendment or modification to this statement will take effect from the date of notification on the PCL website.