Privacy Policy
1. Introduction/Scope
This Privacy Policy document is prepared in accordance with the provisions of the Nigeria Data Protection Act (NDPA), and by extension, the EU General Data Protection Regulation (GDPR). It sets out how Zenith Bank PLC (“Zenith Bank”) applies and complies with the data privacy principles in processing the personal data of customers, staff, vendors, visitors, and even third parties that interact with Zenith Bank. Please note that we endeavour to continuously update these policies to ensure they align with best practices and meet transparency objectives.
For personal data of individuals, this document also highlights their rights and covers the data subject(s) whose personal data is collected and processed, in compliance with the NDPA.
This privacy policy describes why and how we collect and use personal information about our customers, clients, vendors, and visitors (data subjects). It also highlights with whom we might share Personal Information and how long we keep such information. It also makes data subjects aware of their rights under the regulation.
2. Roles/Responsibilities
Zenith Bank Data Protection Officer (DPO) is responsible for ensuring that this document is correct and up-to-date. The DPO also ensures that data subjects are duly notified prior to the collection and processing of their personal data by Zenit Bank, including data collected via the Zenith Bank’s website. All Zenith Bank employees/staff who interact with personal data must also ensure to follow the provisions in this policy document.
3. Policy Statement
Zenith Bank is committed to protecting the privacy and security of our personal data. We are responsible for determining how we hold and use personal information about our data subjects. According to the Nigeria Data Protection Act (NDPA), Zenith Bank PLC is required to notify data subjects of the information contained in this document.
3.1 About Zenith Bank PLC
Zenith Bank Plc is one of the largest financial service providers in Nigeria and Anglophone West Africa, duly licensed as a commercial bank by the Central Bank of Nigeria (CBN), the national banking regulator.
Zenith Bank is a reputable technology-driven financial institution that is recognized for innovation, superior performance, and creation of premium value for all stakeholders.
With branches and business offices scattered across prime commercial centres in Nigeria, Africa and United Kingdom, Zenith Bank is considered a leader in the deployment of various channels of banking technology, driven by a culture of excellence and strict adherence to national and global best practices, combining vision, skilful banking expertise, and cutting-edge technology to create products and services that anticipate and meet customers’ expectations while enabling businesses to thrive and grow wealth for customers.
Due to the nature of Zenith Bank’s business and the fact that Zenith Bank provides financial services across the globe, Zenith Bank is mandated to collect and process personal data of Nigerian individuals, as well as residents and ciitizens of other countries across the globe.
3.2 What Personal Data Do We Need?
The personal data we would collect and process, depending on the particular processing requirement, are under the following categories:
Data Type |
Description of Data |
Identity Data |
Full Name, maiden name, marital status, title, biometric information, national identification number (NIN), passport details, driver’s licence details, date of birth, gender, address, biometric, face ID, employment history and citizenship. |
Contact Data |
Address, Email Address and Telephone Numbers Information received during contact with face-to-face meetings, phone calls, emails, letters and SMS |
Financial Data |
Bank account information and bank statements, Bank verification Number (BVN), income and outgoings, financial position, status, and credit history, debit or credit card information and account number.
|
Transaction Data |
Information regarding the products and services a data subject may have benefited from by using Zenith Bank Plc and any of its subsidiaries, transactional information in respect of products purchased. Location data of transactions where a data subject may have used their debit card. |
Technical Data |
Internet protocol (IP) address, login data, details of browser and operating system, time zone setting and location, browser plug-in types and versions, platforms and other technology such as device id, geolocation, IP, model and user agent on the devices used to access Zenith Bank’s website. |
Profile Data |
includes username and password. |
Job Application Data
|
data submitted throughout the recruitment process eg: name, email address. Any personal information you provide to Zenith Bank Plc as part of the recruitment process. |
Usage Data |
includes information about how data subject uses our website, products and services |
Marketing and Communications Data |
Information about data subject communications with Zenith Bank. Preferences in receiving marketing e-mails and consents given by data subject to Zenith Bank. |
Others CCTV/Video footage whenever you come into our premises or use our ATMs and telephone conversations via calls made through any of our
contact centre lines
In respect of your data which may be collected by Zenith Bank, certain terms may specifically apply to Face Data and your biometrics. You should therefore note the following:
- Collection: Face Data and biometrics may be collected through various secure channels, such as mobile applications, ATM machines or other digital interfaces, only when explicitly authorised by the user.
- Use: Your Face Data and biometrics collected will be strictly used for predefined purposes such as identity verification, fraud prevention or for providing personalized banking services.
- Disclosure: Your Face Data and biometrics where required to be disclosed to third-party to enable us to provide services to you, will only be disclosed only to trusted entities like regulatory bodies, payment processing partners or third-party service providers with confidentiality agreements, obligations or undertakings in place.
- Retention: Unless the terms and conditions specific to any one or more of our applications otherwise provide in their terms and conditions that we shall not store your Dace Data and biometric information, your Face Data will be stored securely and retained only for the duration necessary to meet operational or legal requirements in respect of the service provided to you. When the data is no longer required or mandated by law to be retained, it will be deleted.
- User Consent: The applications provided by Zenith Bank will usually contain specific terms and conditions including but not limited to collection, use, disclosure and retention of your personal data. Before your personal data, including Face Data is collected or processed, users will be provided with information to enable them give informed consent and relevant permissions to access files, documents, applications or make use of services on users’ electronic devices.
Where the personal data we need to collect may fall under a special category of sensitive personal data, Zenith Bank’s lawful basis of processing will be the explicit consent of the individual, or where applicable, compliance with a legal obligation, or for legal proceedings/advice.
4. Why We Need the Data
Zenith Bank ensures that the personal data collected and processed is necessary for the purpose of collection, and shall not collect or process more data than is reasonably required for a particular processing activity.
5. Legal Grounds for Processing
Zenith Bank identifies, establishes, defines, and documents the specific purpose of processing and the legal basis for processing personal data (including any special categories of personal data processed) before any processing operation takes place under:
- Consent obtained from the data subject
- Performance of a contract where the data subject is a party
- Legal obligation that Zenith Bank is required to meet
- Protect the vital interests of the data subject, including the protection of rights and freedom of the Data Subject
- Official authority of Zenith Bank or to carry out the processing that is in the public interest
- National law such as biometric data.
In addition, every processing purpose has at least one lawful basis for processing to safeguard the rights of the data subjects, as listed below:
Purpose of Processing |
Lawful Basis of Processing |
Account creation, identity verification and maintenance of records |
Contract |
Vendor validation/information processing |
Contract |
Employment |
Contract |
6. Processing of Personal Data Based on Consent
Where apllicable, Zenith Bank will require the explicit consent of customers, visitors, and other relevant stakeholders to process collected personal data.
Visitors to Zenith Bank’s website are expected to read and understand the website privacy notice, and then agreeing to the website’s terms of use. And by consenting to the privacy policy, data subjects are giving Zenith bank the permission to use/process their personal data specifically for the purpose identified before collection.
On this ground, if any data subject (customer, client, visitor, vendor, staff, or thirdparty) does not agree to Zenith Bank collecting and processing their personal data, such individual is not allowed to enjoy Zenith Bank’s service(s) where applicable.
If, for any reason, Zenith Bank is requesting sensitive personal data from its stakeholders (external and internal), the individuals will be rightly notified why and how the information will be used.
Where processing relates to a child under 18 years old, as in the case of NDPA or 16 years in the case of GDPR, Zenith Bank shall demonstrate that consent has been provided by the person who holds parental responsibility over the child. Zenith Bank shall demonstrate that reasonable efforts have been made to verify the age of the child and establish the authenticity of the parental responsibility taking into consideration available technology.
6.1 Withdrawal of Consent
Irrespective of initial consent given, an individual can withdraw their consent at any time by making a withdrawal of consent request.
Zenith Bank demonstrates the data subject (customer, client, visitor, vendor, staff, or thirdparty) has withdrawn consent to the processing of his or her personal data with a written instruction from the data subject.
For child consent, Zenith Bank shall demonstrate that the holder of parental responsibility over the specified child has withdrawn consent via a written instruction from the parent. Zenith Bank will also demonstrate that reasonable efforts have been made to establish the authenticity of the parental responsibility, when withdrawing consent for the specified child, considering available technology.
Where applicable, the Data Protection Officer will inform the relevant process owner of this change, and the processing activities that relied upon the consent is stopped immediately, in accordance with the relevant process.
7. Use of Cookies
Zenith Bank’s website also use cookies provided by trusted third parties, such as Google Analytics, to help us understand and improve users experience on the website.
Zenith Bank may use the information obtained from use of our cookies to:
- Recognize a computer when a user visits Zenith Bank’s website
- Track whoever navigates the website
- Improve the website’s usability (including Live Chat application to answer questions a user may have in real time
- Analyze the use of its website - such as how many people visit it each day, and
- Manage the website
Users can disable cookies and prevent the setting of cookies by adjusting the settings on their browser. However, this is not recommended, as disabling cookies may also disable certain functionality and features of the site.
8. Disclosure to Third-Parties
Aside situations where Zenith Bank may be required to disclose personal data of individuals in accordance to a legal obligation in response to requests by government authorities or law courts on matters involving national security or law enforcement requirements, Zenith Bank will not pass on its data subjects’ personal data to third parties without first obtaining consent.
In situations where the processing of personal data will involve investigation of potential violations of Zenith Bank’s Terms of Service, fraud prevention/mitigation, security issues management, and the preservation of the rights and freedom of staff, customers, and clients, Zenith Bank shall establish an appropriate legal ground for such data transfers.
Zenith Bank has put in place, to the best of its ability and in line with standard global practices, physical, technical, and organisational measures (including secure encryption and anonymisation) to ensure the optimum protection of personal data, which also extends to data transferred or shared with third-parties.
8.1 Cross-Border Transfers
Zenith Bank may also engage third parties abroad (such as other banks, contractors, government-authorised agencies, etc.) that will receive personal data for certain purpose(s) as part of Zenith Bank’s processing activities and process them on Zenith Bank’s behalf. Where this is the case, Zenith Bank will enter into a Data Processing Agreement with the third party and also ask for consent if the purpose of processing was not initially stated on inception and be satisfied that the third party has adequate measures in place to protect the data against accidental or unauthorised access, use, disclosure, loss, or destruction.
In such a case where the disclosure is to third parties outside the jurisdiction of the NDPA, Zenith Bank will ensure that the third party meets the core global regulatory standards prior to the transfer. This may include transferring the personal data to the third party where Zenith Bank is satisfied that:
- the country of the recipient has adequate data protection controls established by legal or self-regulatory regime. However in a case not covered by an adequacy decision from the NDPC;
- It has a contract in place that uses existing data protection clauses with approval of NDPC to ensure adequate protection.
- It is making the transfer under approved binding corporate rules
- Provisions inserted into administrative arrangements between public authorities or bodies authorised by the supervisory authority NDPC.
9. Retention of Records
Zenith Bank stores a broad spectrum of personal information. All information Zenith Bank holds is stored and retained, stored and destroyed in compliance with NDPA’s guideline on the retention of records and personal data.
Zenith Bank will retain your personal data as long as the information is active on Zenith Bank’s systems and necessary for Zenith Bank’s service delivery purposes. This retention period is verified and established with special considerations to the following areas:
- The requirements of Zenith Bank
- The type of personal data
- The purpose of processing
- Lawful basis for processing
- The categories of data subjects
As a regulated financial services institution, Zenith Bank will retain your personal data for ten (10) years after exit of relationship by the data subject or as may be required by regulation.
Transaction documents/data will be retained for a miniumum period of five (5) years in line with CBN regulation.
When the personal data is no longer needed or beyond the stipulated retention period, Zenith Bank will delete or destroy it from it’s systems and records, or take steps to securely archive it while protecting your identity and privacy rights as the case may be.
10. Data Subject Rights
At any point while Zenith Bank is in possession of or processing personal data, the data subject, has the right to:
- Request a copy of the information that Zenith Bank holds about them
- Correct the data that is inaccurate or incomplete
- Ask for their data to be erased from Zenith Bank’s systems/records
- Restrict processing of their personal data where certain conditions apply
- Have their data transferred to another organisation
- Object to certain types of processing like direct marketing
- Object to automated processing like profiling, as well as the right to be subject to the legal effects of automated processing or profiling
- Complain and pursue judicial review in the event that Zenith Bank refuses their request under rights of access without a clear and justifiable reason as to why
11. Complaints
If for any reason a vendor/contractor, customer, or staff wishes to make a complaint about how Zenith Bank (or any of Zenith Bank’s third parties) handles or have handled their personal data, or how their complaint has been handled, they have the right to lodge a complaint directly with the supervisory authority and Zenith Bank Data Protection Officer.
Below are the details for each of these contacts:
Supervisory Authority
Email: dpo@ndpc.gov.ng
Data Protection Officer (DPO)
Email: dataprotectionoffice@zenithbank.com