Privacy Notice

1) Overview of the FirstRand Group

FirstRand Limited (FirstRand or the group) has a portfolio of integrated financial services businesses and operates in South Africa, certain markets in sub-Saharan Africa and the UK. Through its portfolio of separately branded financial services businesses, the group offers a universal set of transactional, lending, investment and insurance products and services. FirstRand’s simplified legal entity structure can be found on the group’s website at: https://www.firstrand.co.za/the-group/ownership-and-legal-structure/

The FirstRand group follows a multi-branding approach. Some of the group’s major brands in South Africa are shown below.

2) Definitions

In this document, references to “FirstRand” or “the group” are to FirstRand Limited and its subsidiary companies, including divisions, segments and business units. Certain subsidiary companies may be excluded from the FirstRand group description for the purposes of this privacy notice (such as where the FirstRand group is involved in private equity investments). Confirmation as to whether this privacy notice applies to a specific company associated with the FirstRand group can be sought through the contact details provided in this privacy notice.

Any product, service or goods offered to a customer by any company in the FirstRand group of companies is referred to as a solution in this document.

3) Background and Purpose of this Notice

Protecting customers’ personal information is important to FirstRand. To do so, it follows general principles in accordance with applicable privacy laws.

The group has developed this group customer privacy notice (notice) to enable its customers to understand how the group collects, uses and safeguards their personal information.

The group collects personal information about its customers. This includes what customers tell the group about themselves, what the group learns by having a customer or when a customer makes use of a solution, as well as the choices customers make about the marketing they elect to receive. This notice also outlines customers’ privacy rights and how the law protects customers.

In terms of applicable privacy laws, this notice may also apply on behalf of other third parties (such as authorised agents and contractors), acting on the group’s behalf when providing customers with solutions. If a FirstRand group business processes personal information for another party under a contract or a mandate, however, the other party’s privacy policy or notice will apply.

In this notice “process” means how the group collects, uses, stores, makes available, destroys, updates, discloses, or otherwise deals with customers’ personal information. As a general rule, the group will only process customers’ personal information if this is required to deliver or offer a solution to a customer. The group respects customers’ privacy and will treat their personal information confidentially.

The group may combine customers’ personal information and use the combined personal information for any of the purposes stated in this notice.

In this notice, any reference to “the group” or “FirstRand” includes any one or more (if they are acting jointly) of the above FirstRand companies, and all affiliates, associates, cessionaries, delegates, successors in title or third parties (authorised agents and contractors), when such parties are acting as responsible parties, joint responsible parties or operators in terms of applicable privacy laws, unless stated otherwise.

VERY IMPORTANT: If customers use group solutions and service channels (including both assisted and unassisted interactions), or by accepting any agreement, contract, mandate or annexure with the group or by utilising any solutions offered by the group, customers agree that in order to:

  • conclude and fulfil contractual terms or obligations to a customer;
  • comply with obligations imposed by law; or
  • protect or pursue customers’, the group’s, or a third party’s legitimate interests, including offering solutions that best meet customers’ needs;

customers’ personal information may be processed through centralised functions and systems across companies in the FirstRand group and may be used for the purposes, in the manner, and with the appropriate controls as set out in this notice.

Where it is necessary to obtain consent for processing, the group will seek customers’ consent separately. Customers should read the consent request carefully as it may limit their rights.

NOTE: As the FirstRand group has operations in a number of countries, this notice will apply to the processing of personal information by any member of FirstRand group in any country and the processing of customers’ personal information may be conducted outside the borders of South Africa, but will be processed according to the requirements and safeguards of applicable privacy law or privacy rules that bind the FirstRand group of companies.

The group may change this notice from time to time if required by law or its business practices. Where the change is material, the group will notify customers and will allow a reasonable period for customers to raise any objections before the change is made. Please note that the group may not be able to continue a relationship with a customer or provide customers with certain solutions if they do not agree to the changes.

The latest version of the notice displayed on FirstRand’s website will apply to customers’ interactions with the group and is available at: https://www.firstrand.co.za/investors/governance-and-compliance/.

4) Responsible Parties

The group has several responsible parties. These parties or companies are responsible for determining why and how the group will use customers’ personal information. When a customer uses a solution of any group company, the responsible party will be the company which the customer engages to take up the solution, acting jointly with the other companies in the group. It will be clear to customers from the documentation they receive when using or taking up a solution who the responsible party is who should be contacted in the first instance.

Customers can contact the various responsible parties in the FirstRand group through the applicable business, details of which are set out below.

5) What is Personal Information

Personal information refers to any information that identifies a customer or specifically relates to a customer. Personal information includes, but is not limited to, the following information about a customer:

  • marital status (married, single, divorced); national origin; age; language; birth; education;
  • financial history (e.g. income, expenses, obligations, assets and liabilities or buying, investing, lending, insurance, banking and money management behaviour or goals and needs based on, amongst others, account transactions);
  • employment history and current employment status (for example when a customer applies for credit);
  • gender or sex (for statistical purposes as required by the law);
  • identifying number (e.g. an account number, identity number or passport number);
  • e-mail address; physical address (e.g. residential address, work address or physical location);
  • telephone number;
  • information about a customer’s location (e.g. geolocation or GPS location);
  • online identifiers; social media profiles;
  • biometric information (e.g. fingerprints, signature or voice);
  • race (for statistical purposes as required by the law);
  • physical health; mental health; wellbeing; disability; religion; belief; conscience; culture;
  • medical history (e.g. HIV/AIDS status); criminal history; employment history;
  • personal views, preferences and opinions;
  • confidential correspondence; or
  • another’s views or opinions about a customer and a customer’s name also constitute personal information.

Depending on the applicable law of the country, a juristic entity (like a company) may also have personal information which is protectable in law and which may be processed in terms of this notice.

There is also a category of personal information called special personal information, which includes the following personal information about a customer:

  • religious and philosophical beliefs (for example where a customer enters a competition and is requested to express a philosophical view);
  • race (e.g. where a customer applies for a solution where the statistical information must be recorded);
  • ethnic origin;
  • trade union membership;
  • political beliefs;
  • health including physical or mental health, disability and medical history (e.g. where a customer applies for an insurance policy);
  • biometric information (e.g. to verify a customer’s identity); or
  • criminal behaviour where it relates to the alleged commission of any offence or the proceedings relating to that offence.

6) When will the Group Process Customers’ Personal Information?

The group may process customers’ personal information for lawful purposes relating to its business if the following circumstances apply:

  • it is necessary to conclude or perform under a contract the group has with the customer or to provide the solution to the customer;
  • the law requires or permits it;
  • it is required to protect or pursue the customer’s, the group’s or a third party’s legitimate interest;
  • the customer has consented thereto;
  • a person legally authorised by the customer, the law or a court, has consented thereto; or
  • the customer is a child and a competent person (such as a parent or guardian) has consented thereto on their behalf.

7) When will the Group Process Customers’ Special Personal Information?

The group may process customers’ special personal information in the following circumstances, among others:

  • if the processing is needed to create, use or protect a right or obligation in law;
  • if the processing is for statistical or research purposes, and all legal conditions are met;
  • if the special personal information was made public by the customer;
  • if the processing is required by law;
  • if racial information is processed and the processing is required to identify the customer;
  • if health information is processed, and the processing is to determine a customer’s insurance risk, or to comply with an insurance policy, or to enforce an insurance right or obligation; or
  • if the customer has consented to the processing.

8) When and How Will the Group Process the Personal Information of Children?

A child is a person who is defined as a child by a country’s legislation, and who has not been recognised as an adult by the courts.

The group processes the personal information of children if the law permits this.

The group may process the personal information of children if any one or more of the following applies:

  • a person with the ability to sign legal agreements has consented to the processing, being the parent or guardian of the child;
  • the processing is needed to create, use or protect a right or obligation in law, such as where the child is an heir in a will, a beneficiary of a trust, a beneficiary of an insurance policy or an insured person in terms of an insurance policy;
  • the child’s personal information was made public by the child, with the consent of a person who can sign legal agreements;
  • the processing is for statistical or research purposes and all legal conditions are met;
  • where the child is legally old enough to open a bank account without assistance from their parent or guardian;
  • where the child is legally old enough to sign a document as a witness without assistance from their parent or guardian; or
  • where the child benefits from a bank account such as an investment or savings account and a person with the ability to sign legal agreements has consented to the processing.

9) When, and from Where, Does the Group Obtain Personal Information About Customers?

We collect information about customers:

  • directly from customers;
  • based on customers’ use of group solutions or service channels (such as group websites, applications and ATMs, including both assisted and unassisted customer interactions) as applicable;
  • based on how customers engage or interact with the group, such as on social media, and through emails, letters, telephone calls and surveys;
  • based on a customer’s relationship with the group;
  • from public sources (such as newspapers, company registers, online search engines, deed registries, public posts on social media);
  • from technology, such as a customer’s access and use including both assisted and unassisted interactions (e.g. on the group’s websites and mobile applications) to access and engage with the group’s platform;
  • customers’ engagement with group advertising, marketing and public messaging; and
  • from third parties that the group interacts with for the purposes of conducting its business (such as partners, reward partners, list providers, the group’s customer loyalty rewards programmes’ retail and online partners, credit bureaux, regulators and government departments or service providers).

The group collects and processes customers’ personal information at the start of, and for the duration of their relationship with the group. The group may also process customers’ personal information when their relationship with the group has ended.

If the law requires the group to do so, it will ask for customer consent before collecting personal information about them from third parties.

The third parties (which may include parties the group engages with as independent responsible parties, joint responsible parties or operators) from whom the group may collect customers’ personal information include, but are not limited to, the following:

  • members of the group, any connected companies, subsidiary companies, its associates, cessionaries, delegates, assignees, affiliates or successors in title and/or appointed third parties (such as its authorised agents, partners, contractors and suppliers) for any of the purposes identified in this notice;
  • the customer’s spouse, dependants, partners, employer, joint applicant or account holder and other similar sources;
  • people the customer has authorised to share their personal information, such as a person that makes a travel booking on their behalf, or a medical practitioner for insurance purposes;
  • attorneys, tracing agents, debt collectors and other persons that assist with the enforcement of agreements;
  • payment processing services providers, merchants, banks and other persons that assist with the processing of customers’ payment instructions, such as card scheme providers (including VISA or MasterCard);
  • insurers, brokers, other financial institutions or other organisations that assist with insurance and assurance underwriting, the providing of insurance and assurance policies and products, the assessment of insurance and assurance claims, and other related purposes;
  • law enforcement and fraud prevention agencies, and other persons tasked with the prevention and prosecution of crime;
  • regulatory authorities, industry ombudsmen, government departments, and local and international tax authorities;
  • credit bureaux;
  • financial services exchanges;
  • qualification information providers;
  • trustees, executors or curators appointed by a court of law;
  • cheque verification service providers;
  • the group’s service providers, agents and subcontractors, such as couriers and other persons the group uses to offer and provide solutions to customers;
  • courts of law or tribunals;
  • participating partners, whether retail or online, in the group’s customer rewards programmes;
  • the group’s joint venture partners;
  • marketing list providers;
  • social media platforms; or
  • online search engine providers.

10) Reasons the Group Needs to Process Your Personal Information

The group may process customers’ personal information for the reasons outlined below.

10.1) Contract

The group may process customers’ personal information if it is necessary to conclude or perform under a contract the group has with a customer or to provide a solution to a customer. This includes:

  • to assess and process applications for solutions;
  • to assess the group’s lending and insurance risks;
  • to conduct affordability assessments, credit assessments and credit scoring;
  • to provide a customer with solutions they have requested;
  • to open, manage and maintain customer accounts or relationships with the group;
  • to enable the group to deliver goods, documents or notices to customers;
  • to communicate with customers and carry out customer instructions and requests;
  • to respond to customer enquiries and complaints;
  • to enforce and collect on any agreement when a customer is in default or breach of the terms and conditions of the agreement, such as tracing a customer, or to institute legal proceedings against a customer. In such a scenario, the group may aggregate the contact details provided to any of the companies in the group to determine the customer’s most accurate contact details in order to enforce or collect on any agreement the customer has with the group;
  • to disclose and obtain personal information from credit bureaux regarding a customer’s credit history;
  • to meet record-keeping obligations;
  • to conduct market and behavioural research, including scoring and analysis to determine if a customer qualifies for solutions, or to determine a customer’s credit or insurance risk;
  • to enable customers to participate in and make use of value-added solutions;
  • to enable customers to participate in customer rewards programmes: determine customer qualification for participation, rewards points, rewards level, and monitor customer buying behaviour with the group’s rewards partners to allocate the correct points or inform customers of appropriate solutions they may be interested in, or to inform the group’s reward partners about a customer’s purchasing behaviour;
  • for customer satisfaction surveys, promotional and other competitions;
  • for insurance and assurance underwriting and administration;
  • to process or consider or assess insurance or assurance claims;
  • to provide insurance and assurance policies and products, and related services;
  • for security and identity verification, and to check the accuracy of customer personal information; or
  • for any other related purposes.

10.2) Law

The group may process customers’ personal information if the law requires or permits it. This includes:

  • to comply with legislative, regulatory, risk and compliance requirements (including directives, sanctions and rules);
  • to comply with voluntary and involuntary codes of conduct and industry agreements;
  • to fulfil reporting requirements and information requests;
  • to process payment instruments (such as a cheque) and payment instructions (such as a debit order);
  • to create, manufacture and print payment instruments (such as a cheque) and payment devices (such as a debit card);
  • to meet record-keeping obligations;
  • to detect, prevent and report theft, fraud, money laundering, corruption and other crimes. This may include the processing of special personal information, such as alleged criminal behaviour or the supply of false, misleading or dishonest information when opening an account with the group, or avoiding liability by way of deception, to the extent allowable under applicable privacy laws;
  • to conduct market and behavioural research, including scoring and analysis to determine if a customer qualifies for solutions, or to determine a customer’s credit or insurance risk;
  • to enable customers to participate in and make use of value-added solutions;
  • to enable customers to participate in customer rewards programmes: determine customer qualification for participation, rewards points, rewards level, and monitor customer buying behaviour with the group’s rewards partners to allocate the correct points or inform customers of appropriate solutions they may be interested in, or to inform the group’s reward partners about a customer’s purchasing behaviour;
  • for customer satisfaction surveys, promotional and other competitions;
  • to assess our lending and insurance risks;
  • to conduct affordability assessments, credit assessments and credit scoring;
  • to disclose and obtain personal information from credit bureaux regarding a customer’s credit history;
  • to develop credit models and credit tools;
  • for insurance and assurance underwriting and administration;
  • to process or consider or assess insurance or assurance claims;
  • to provide insurance and assurance policies and products, and related services; or
  • for any other related purposes.

10.3) Legitimate interest

The group may process customers’ personal information in the daily management of its business and finances and to protect the group’s customers, employees, service providers and assets. It is to the group’s benefit to ensure that its procedures, policies and systems operate efficiently and effectively.

The group may process customers’ personal information to provide them with the most appropriate solutions and to develop and improve solutions and the group’s business.

The group may process a customer’s personal information if it is required to protect or pursue their, the group’s or a third party’s legitimate interest. This includes:

  • to develop, implement, monitor and improve the group’s business processes, policies and systems;
  • to manage business continuity and emergencies;
  • to protect and enforce the group’s rights and remedies in the law;
  • to develop, test and improve solutions for customers, this may include connecting customer personal information with other personal information obtained from third parties or public records to better understand customer needs and develop solutions that meet these needs. The group may also consider customer actions, behaviour, preferences, expectations, feedback and financial history;
  • tailoring solutions which would include consideration of a customer’s use of third-party products, goods and services and marketing of appropriate solutions to the customer, including marketing on the group’s own or other websites, mobile apps and social media;
  • to market group solutions to customers via various means including on group and other websites and mobile apps including social media;
  • to respond to customer enquiries and communications including the recording of engagements and analysing the quality of the group’s engagements with a customer;
  • to respond to complaints including analytics of complaints to understand trends and prevent future complaints and providing compensation where appropriate;
  • to enforce and collect on any agreement when a customer is in default or breach of the terms and conditions of the agreement, such as tracing the customer, or to institute legal proceedings against the customer. In such a scenario, the group may aggregate the contact details provided to any of the companies in the group to determine the customer’s most accurate contact details in order to enforce or collect on any agreement the customer has with the group;
  • to process payment instruments (such as a cheque) and payment instructions (such as a debit order);
  • to create, manufacture and print payment instruments (such as a cheque) and payment devices (such as a debit card);
  • to meet record-keeping obligations;
  • to fulfil reporting requirements and information requests;
  • to comply with voluntary and involuntary codes of conduct and industry agreements;
  • to detect, prevent and report theft, fraud, money laundering, corruption and other crimes. This may include the processing of special personal information, such as alleged criminal behaviour or the supply of false, misleading or dishonest information when opening an account with the group, or avoiding liability by way of deception, to the extent allowable under applicable privacy laws. This may also include the monitoring of our buildings including CCTV cameras and access control;
  • to conduct market and behavioural research, including scoring and analysis to determine if a customer qualifies for solutions, or to determine a customer’s credit or insurance risk;
  • for statistical purposes, such as market segmentation or customer segments (that is placing customers in groups with similar customers based on their personal information);
  • to enable customers to participate in customer rewards programmes: determine customer qualification for participation, rewards points, rewards level, and monitor customer buying behaviour with the group’s rewards partners to allocate the correct points or inform customers of appropriate solutions they may be interested in, or to inform the group’s reward partners about a customer’s purchasing behaviour;
  • for customer satisfaction surveys, promotional and other competitions;
  • to assess the group’s lending and insurance risks;
  • to disclose and obtain personal information from credit bureaux regarding a customer’s credit history;
  • to develop credit models and credit tools;
  • for any other related purposes.

11) Why Does the Group Further Use or Process Customers’ Personal Information?

At the time that the group collects personal information from a customer, it will have a reason or purpose to collect that personal information. In certain circumstances, however, the group may use that same personal information for other purposes. The group will only do this where the law allows it to and the other purposes are compatible with the original purpose/s applicable when the group collected the customer’s personal information. The group may also need to request a customer’s specific consent for the further processing in limited circumstances. Examples of these other purposes are included in the list of purposes set out in section 10 above.

The group may also further use or process a customer’s personal information if:

  • the personal information about the customer was obtained from a public record, like the deeds registry;
  • the customer made the personal information public, like on social media;
  • the personal information is used for historical, statistical or research purposes and the results will not identify the customer;
  • proceedings have started or are contemplated in a court or tribunal;
  • it is in the interest of national security;
  • if the group must adhere to the law, specifically tax legislation; or
  • the Information Regulator has exempted the processing.

The group may also further use or process a customer’s personal information if the customer has consented to it or in the instance of a child, a competent person has consented to it. Any enquiries about the further processing of customer personal information can be made through the contact details of the customer’s solution provider, as set out in the responsible parties table in section 4 of this notice.

12) Centralised Processing

The group aims to create efficiencies in the way it processes information across the group. Customers’ personal information may therefore be processed through centralised group functions and systems, which includes the housing of their personal information in a centralised group data warehouse.

This centralised processing is structured to ensure efficient processing that benefits both the customer and the group. Such benefits include, but are not limited to:

  • improved information management, integrity and information security;
  • the leveraging of centralised crime and fraud prevention tools;
  • better knowledge of a customer’s financial service needs so that appropriate solutions can be advertised and marketed to the customer;
  • a reduction in information management costs; and
  • streamlined transfers of personal information for customers with solutions across different businesses or companies within the group.

Details of further interests which are promoted by the centralised processing can be found in section 10.3.

Should a customer wish to exercise their privacy rights in terms of personal information provided to a company in the group or enquire about the centralised processing procedure, enquiries can be made through the contact details of the customer’s solution provider, as set out in the responsible parties table of this notice.

13) How Does the Group Use Customers’ Personal Information for Rewards?

The group collects personal information about customers from its partners, suppliers, customer loyalty rewards programmes’ retail, online and strategic partners (rewards partners) and service providers with which the group interacts for the purposes of its eBucks rewards programme.

The group will process customers’ personal information for the following reasons:

  • to determine customer qualification for participation in the eBucks rewards programme, rewards points, rewards level and eBucks earn;
  • to inform the group’s reward partners about customers’ purchasing behaviour and to monitor customer buying behaviour with the group’s rewards partners to allocate the correct earn;
  • to provide rewards and solutions tailored to customer requirements and to treat customers in a more personal way;
  • to fulfil customers’ travel arrangements (flights, hotels and car hire) bookings with the group’s service providers and deliver the solutions they have asked for;
  • to fulfil customers’ eBucks Shop purchases and instruct the group’s service providers to deliver the solutions the customer has asked for;
  • to market the group’s rewards and the group’s rewards partners’ solutions to customers;
  • to improve the group’s websites, applications, solutions and rewards offerings;
  • to respond to customer enquiries and complaints;
  • to comply with legislative, regulatory, risk and compliance requirements (including directives, sanctions and rules);
  • to comply with voluntary and involuntary codes of conduct and industry agreements;
  • to fulfil reporting requirements and information requests;
  • to conduct market and behavioural research, including scoring and analysis to determine if a customer qualifies for rewards and solutions;
  • to develop, test and improve rewards and solutions for customers;
  • for statistical purposes, such as market segmentation;
  • to communicate with customers and carry out their instructions and requests;
  • for customer satisfaction surveys, promotional and other competitions; or
  • for any other related purposes.

14) How Does the Group Use Customers’ Personal Information for Marketing?

  • The group will use customers’ personal information to market financial, insurance, investments and other related banking and financial solutions to them (e.g. bank accounts, insurance policies and credit).
  • The bank may also market non-banking or non-financial solutions to customers (e.g. cell phone contracts and travel offers).
  • The group will do this in person, by post, telephone, or electronic channels such as SMS, email and fax.
  • If a person is not a group customer, or in any other instances where the law requires, the group will only market to them by electronic communications with their consent.
  • In all cases, a person can request the group to stop sending marketing communications to them at any time.

15) When will the Group Use Customers’ Personal Information to Make Automated Decisions About Them?

An automated decision is made when a customer’s personal information is analysed without human intervention in that decision-making process.

The group may use a customer’s personal information to make an automated decision as allowed by the law. An example of automated decision making is the approval or declining of a credit application when a customer applies for an overdraft or credit card, or the approval or declining of an insurance claim.

Customers have the right to query any such decisions made, and the group will provide reasons for the decisions as far as reasonably possible.

16) When, How, and With Whom Does the Group Share Customers’ Personal Information?

In general, the group will only share customers’ personal information if any one or more of the following apply:

  • if the customer has consented to this;
  • if it is necessary to conclude or perform under a contract the group has with the customer;
  • if the law requires it; or
  • if it is necessary to protect or pursue the customer’s, the group’s or a third party’s legitimate interest.

Where required, each member of the group may share a customer’s personal information with the following persons, which may include parties that the group engages with as independent responsible parties, joint responsible parties or operators. These persons have an obligation to keep customers’ personal information secure and confidential:

  • members of the group, any connected companies, subsidiary companies, associates, cessionaries, delegates, assignees, affiliates or successors in title and/or appointed third parties (such as its authorised agents, partners, contractors and suppliers) for any of the purposes identified in this notice;
  • the group’s employees, as required by their employment conditions;
  • the customer’s spouse, dependants, partners, employer, joint applicant or account holder and other similar sources;
  • people the customer has authorised to obtain their personal information, such as a person that makes a travel booking on the customer’s behalf, or a medical practitioner for insurance purposes;
  • attorneys, tracing agents, debt collectors and other persons that assist with the enforcement of agreements;
  • payment processing services providers, merchants, banks and other persons that assist with the processing of customer payment instructions, such as card scheme providers (including VISA or MasterCard);
  • insurers, brokers, other financial institutions or other organisations that assist with insurance and assurance underwriting, the providing of insurance and assurance policies and products, the assessment of insurance and assurance claims, and other related purposes;
  • law enforcement and fraud prevention agencies, and other persons tasked with the prevention and prosecution of crime;
  • regulatory authorities, industry ombudsmen, government departments, and local and international tax authorities and other persons the law requires the group to share customer personal information with;
  • credit bureaux;
  • financial services exchanges;
  • qualification information providers;
  • trustees, executors or curators appointed by a court of law;
  • cheque verification service providers;
  • our service providers, agents and subcontractors, such as couriers and other persons the group uses to offer and provide solutions to customers;
  • persons to whom the group has ceded its rights or delegated its obligations under agreements, such as where a business is sold;
  • courts of law or tribunals that require the personal information to adjudicate referrals, actions or applications;
  • the general public, where customers submit content to group social media sites such as a group business’s Facebook page;
  • participating partners in the group’s customer reward programmes, where customers purchase goods, products and services or spend loyalty rewards; or
  • the group’s joint venture partners with which it has concluded business agreements.

17) When and How the Group Obtains and Shares Customers’ Personal Information From/With Credit Bureaux

The group may obtain customers’ personal information from credit bureaux for any one or more of the following reasons:

  • if the customer requested the group to do so, or agreed that it may do so;
  • to verify a customer’s identity;
  • to obtain or verify a customer’s employment details;
  • to obtain and verify a customer’s marital status;
  • to obtain, verify, or update a customer’s contact or address details;
  • to obtain a credit report about a customer, which includes their credit history and credit score, when the customer applies for a credit agreement to prevent reckless lending or over-indebtedness;
  • to determine a customer’s credit risk;
  • for debt recovery;
  • to trace a customer’s whereabouts;
  • to update a customer’s contact details;
  • to conduct research, statistical analysis or system testing;
  • to determine the source(s) of a customer’s income;
  • to build credit scorecards which are used to evaluate credit applications;
  • to set the limit for the supply of an insurance policy;
  • to assess the application for insurance cover;
  • to obtain a customer’s contact details to enable the distribution of unclaimed benefits under an insurance policy; or
  • to determine which solutions to promote or to offer to a customer.

The group will share a customer’s personal information with the credit bureaux for, among others, any one or more of the following reasons:

  • to report the application for a credit agreement;
  • to report the opening of a credit agreement;
  • to report the termination of a credit agreement;
  • to report payment behaviour on a credit agreement; and/or
  • to report non-compliance with a credit agreement, such as not paying in full or on time.

Customers should refer to their specific credit agreement with the group for further information. Below are the contact details of the credit bureaux that the group interacts with:

  • TransUnion: 0861 482 482
  • Consumer Profile Bureau (Pty) Ltd: 010 590 9505
  • Experian Information Solutions Inc: 0861 10 56 65
  • Xpert Decision Systems (XDS): 0860 937 000
  • Compuscan: 0861 51 41 31
  • VeriCred Credit Bureau: 081 680 1080

18) Under What Circumstances Will the Group Transfer Customers’ Personal Information to Other Countries?

The group will only transfer a customer’s personal information to third parties in another country in any one or more of the following circumstances:

  • where a customer’s personal information will be adequately protected under the other country’s laws or an agreement with the third-party recipient;
  • where the transfer is necessary to enter into, or perform, under a contract with the customer or a contract with a third party that is in the customer’s interest;
  • where the customer has consented to the transfer; and/or
  • where it is not reasonably practical to obtain the customer’s consent, but the transfer is in the customer’s interest.

This transfer will happen within the requirements and safeguards of applicable laws or privacy rules that bind the group.

Where possible, the party processing a customer’s personal information in another country will agree to apply the same level of protection as available by law in the customer’s country, or if the other country’s laws provide better protection, the other country’s laws would be agreed to and applied.

An example of the group transferring a customer’s personal information to another country would be when a customer makes payments for goods or services purchased in a foreign country.

TAKE NOTE: As the group operates in several countries, customers’ personal information may be shared with group companies in other countries and processed in those countries under the privacy rules that bind the group.

19) Customers’ Duties and Rights Regarding the Personal Information the Group has About Them

Customers must provide the group with proof of identity when enforcing the rights below.

Customers must inform the group when their personal information changes, as soon as possible after the change.

Customers warrant that when they provide the group with personal information of their spouse, dependants or any other person, they have permission from them to share their personal information with the group. The group will process the personal information of the customer’s spouse, dependant or any other person which the customer has shared with it as stated in this notice.

19.1) Right to access

Customers have the right to request access to the personal information the group has about them by contacting the group. This includes requesting:

  • confirmation that the group holds the customer’s personal information;
  • a copy or description of the record containing the customer’s personal information; and
  • the identity or categories of third parties who have had access to the customer’s personal information.

The group will attend to requests for access to personal information within a reasonable time. Customers may be required to pay a reasonable fee to receive copies or descriptions of records, or information about third parties. The group will inform customers of the fee before attending to their request.

Customers should note that the law may limit their right to access information.

Please refer to the group’s information manual prepared in accordance with Section 51 of the Promotion of Access to Information Act, No. 2 of 2000 (information manual) for further information on how customers can give effect to this right. The information manual is available on the group’s website at: https://www.firstrand.co.za/investors/governance-and-compliance/

In certain instances, customers can give effect to this right by making use of the group’s unassisted interfaces, e.g. using a group app or website to access the personal information the group holds about them.

19.2) Right to correction, deletion or destruction

Customers have the right to request the group to correct, delete or destroy the personal information it has about them if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully, or if the group is no longer authorised to keep it. Customers must inform the group of their request in the prescribed form. Prescribed form 2 has been included as an annexure to this notice. The group will take reasonable steps to determine if the personal information is correct and make any correction needed. It may take a reasonable time for the change to reflect on the group’s platform/systems.

The group may request documents from the customer to verify the change in personal information.

A specific agreement that a customer has entered into with the group may determine how the customer must change their personal information provided at the time when they entered into the specific agreement. Customers must adhere to these requirements.

If the law requires the group to keep the personal information, it will not be deleted or destroyed upon the customer’s request. The deletion or destruction of certain personal information may lead to the termination of a customer’s business relationship with the group.

In certain instances, a customer can give effect to this right by making use of the group’s unassisted interfaces, e.g. using a group app or website to correct their contact details.

19.3) Right to objection

Customers may object on reasonable grounds to the processing of their personal information where the processing is in their legitimate interest, the group’s legitimate interest or in the legitimate interest of another party.

Customers must inform the group of their objection in the prescribed form. Prescribed form 1 is included as an annexure to this notice.

The group will not be able to give effect to the customer’s objection if the processing of their personal information was and is permitted by law; the customer has provided consent to the processing and the group’s processing was conducted in line with their consent; or the processing is necessary to conclude or perform under a contract with the customer.

The group will also not be able to give effect to a customer’s objection if the objection is not based upon reasonable grounds and substantiated with appropriate evidence.

The group will provide customers with feedback regarding their objections.

19.4) Right to withdraw consent

Where a customer has provided their consent for the processing of their personal information, the customer may withdraw their consent. If they withdraw their consent, the group will explain the consequences to the customer. If a customer withdraws their consent, the group may not be able to provide certain solutions to the customer. The group will inform the customer if this is the case. The group may proceed to process customers’ personal information, even if they have withdrawn their consent, if the law permits or requires it. It may take a reasonable time for the change to reflect on the group’s systems. During this time, the group may still process the customer’s personal information.

Customers can give effect to this right by making use of the group’s unassisted service channels, e.g. using a group app or website, or through an assisted interaction to update their consent preferences.

19.5) Right to complain

Customers have a right to file a complaint with the group or any regulator with jurisdiction (in South Africa customers can contact the Information Regulator) about an alleged contravention of the protection of their personal information.

The group will address customer complaints as far as possible.

The contact details of the Information Regulator are provided below.

Mr Marks Thibela
Chief Executive Officer
Information Regulator (South Africa)

33 Hoofd Street
Forum III, 3rd Floor
Braampark

P.O Box 31533
Braamfontein
Johannesburg
2017

Tel no. +27 (0)10 023 5200
Cell no. +27 (0)82 746 4173
Website: https://justice.gov.za/inforeg/
Complaints email: complaints.IR@justice.gov.za
General enquiries email: inforeg@justice.gov.za

20) How the Group Secures Customers’ Personal Information

The group will take appropriate and reasonable technical and organisational steps to protect customers’ personal information in line with industry best practices. The group’s security measures, including physical, technological and procedural safeguards, will be appropriate and reasonable. This includes the following:

  • keeping group systems secure (such as monitoring access and usage);
  • storing group records securely;
  • controlling the access to group premises, systems and/or records; and
  • safely destroying or deleting records.

Customers can also protect their own personal information and can obtain more information in this regard by visiting the website of the relevant group business that they have established a business relationship with.

21) How Long Does the Group Keep Customers’ Personal Information?

The group will keep customers’ personal information for as long as:

  • the law requires the group to keep it;
  • a contract between the customer and the group requires FirstRand to keep it;
  • the customer has consented to the group keeping it;
  • the group is required to keep it to achieve the purposes listed in this notice;
  • the group requires it for statistical or research purposes;
  • a code of conduct requires the group to keep it; and/or
  • the group requires it for lawful business purposes.

TAKE NOTE: The group may keep customers’ personal information even if they no longer have a relationship with the group or if they request the group to delete or destroy it, if the law permits or requires.

22) Cookies

A cookie is a small piece of data that is sent (usually in the form of a text file) from a website to the user’s device, such as a computer, smartphone or tablet. The purpose of a cookie is to provide a reliable mechanism to “remember” user behaviour (keeping track of previous actions), e.g. remembering the contents of an online shopping cart, and actions the user performed whilst browsing when not signed up or logged into their online account.

The group does not necessarily know the identity of the user of the device but does see the behaviour recorded on the device. Multiple users of the same device would not necessarily be distinguishable from one another. Cookies could, however, be used to identify the device and, if the device is linked to a specific user, the user would also be identifiable. For example, a device registered to an app (FNB, WesBank, RMB, etc.).

By using group websites or applications, customers agree that cookies may be forwarded from the relevant website or application to their computer or device. The cookie will enable the group to know that a customer has visited a website or application before and will identify the customer. The group may also use the cookie to prevent fraud.

Please refer to the FirstRand group cookie notice for further information. The group’s cookie notice is available on all group websites.

23) How the Group Processes Personal Information About Persons Related to a Juristic Person

If a customer is a juristic person, such as a company or close corporation, the group may collect and use personal information relating to the juristic person’s directors, officers, employees, beneficial owners, partners, shareholders, members, authorised signatories, representatives, agents, payers, payees, customers, guarantors, spouses of guarantors, sureties, spouses of sureties, other security providers and other persons related to the juristic person. These are related persons.

If customers provide the personal information of a related person to the group, they warrant that the related person is aware that they are sharing their personal information with the group, and that the related person has consented thereto.

The group will process the personal information of related persons as stated in this notice, thus references to “customer/s” in this notice will include related persons with the necessary amendments.

24) Personal Information the Group May Share With Other Banks or Request from Other Banks

  • Another bank may ask the group, at the request of that bank’s customer or for the bank itself, to provide personal information about a customer’s financial position. This is done by issuing what is known as a banker’s reference and code. These banker’s references and codes are usually requested when a customer wishes to establish a relationship with the other bank or when a customer is applying for a trade account with another bank’s customer or if a customer is responding to a government tender.
  • This relates to personal information about the customer’s financial position, which is based on how the customer managed their transactional account with the group. The personal information is provided in the form of a banker’s reference and code. The banker’s references and codes will only be provided with a customer’s express, implied, or tacit consent.
  • Credit bureaux may also obtain, retain and disclose this personal information.

Annexures

FORM 1:
OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION IN TERMS OF SECTION 11(3) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013) REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018 [Regulation 2]


FORM 2:
REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION OR DESTROYING OR DELETION OF RECORD OF PERSONAL INFORMATION IN TERMS OF SECTION 24(1) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013) REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018 [Regulation 3]
