The Privacy Policy

This Privacy Policy regulates how United Bank for Africa Plc (Cameroon) (“UBA” or “the Bank”) can process the personal information of its customers.  

In line with the provisions of the General Data Protection Regulation (GDPR) of the European Union, and other applicable Data Privacy laws and regulations, UBA maintains the following privacy principles, which govern how we collect, use, record, organize, structure, store, adapt or alter, retrieve, consult, disclose, disseminate, align, combine, restrict, erase or destroy and generally manage your personal data (“processing” or “process” of your Personal Data”). 

Personal Data under this privacy policy is as defined by the General Data Protection Regulation (GDPR) of the European Union, and the National Data Protection Authorities (DPA),  which is the body empowered to make regulations or directives prescribing categories of sensitive personal data, further grounds for processing same, and the safeguards that must apply.

Basis for collecting and processing Personal Data by the Bank

The Bank processes your personal data relying on any of the following legal grounds:

• Where your Consent as the Data Subject has been obtained.
• Offering banking and allied services to the Data Subject.
• Offer of employment to the Data Subject. Where the processing of your personal data is necessary for the performance of a contract to which you are a party.
• For compliance with a legal obligation to which the data controller is subject.
• Where it is necessary to protect the vital interests of a person in line with Data Privacy regulations.
• Where it is necessary for the performance of a task carried out in the public interest.

Where it is in the legitimate interests of the Bank (except where the interests or rights and freedoms of the data subject override those interests)

Collection of Personal Information

UBA Plc (Cameroon) is a financial institution with an international banking license issued by the Bank Of Central African States (BEAC). Its Head office is situated at at Boulevard de la Liberté-Akwa, Douala, and it has a business presence in 19 African countries, including New York, the United Kingdom, France, and the UAE. 

As a responsible business, UBA is committed to complying with the relevant applicable data protection regulations when processing your personal data. 

The GDPR give you certain rights regarding our use of your personal data, including the right to: 

• Request access to the personal data we have collected about you to review, modify, or request deletion of your Personal Data.
• Request a copy of the Personal Data we have collected about you and correct any inaccuracies.
• Request that we cease processing your Personal Data.
• Lodge with a competent Data Protection Authority.
• Request for your personal data to be transferred to another organisation in a commonly used and machine-readable format.

Note that some laws or our requirement to comply with a Legal obligation to which the Bank is subject to may prevent us from providing access to your personal data or fully complying with your request, depending upon the circumstances and the request. For example, producing your information may reveal another person’s identity.

Thus, kindly note that we reserve the right to charge an appropriate fee for complying with your request where applicable law allows and/or deny your requests where they may be manifestly unfounded, excessive, or otherwise objectionable or unwarranted under applicable law. 

What do we need?

UBA will be known as the “controller” and “processor” of the personal data you provide to us.

• We may collect your information from our website visits, applications and channels, identification documents, curriculum vitae, personal financial statements, interactions with relationship managers, and other third parties.
• We collect and use the personal information you provide to us as part of our banking services (e.g., Name, Address, nationality, email, Phone number, ID Number, Bank Verification Number (BVN), and family-related information).
• We collect and use biometric information (e.g., Fingerprint – BVN verification used on our ATMs, POS, and other channels), IP address, device information, and location.
• We use financial information such as account balance, transaction history, and debit/credit card usage to provide you with banking services.
• We may also use information about any other UBA products and services you currently have, have applied for, or have previously held.
• We may also collect visual images and video footage when you visit our premises and ATMs and telephone conversations when you call any of our contact centre lines.
• We also collect data from prospective employees as part of our recruitment processes.
• We may also process sensitive personal information for specific and limited purposes, such as detecting and preventing financial crime or making our services accessible to customers. We will only process sensitive personal information where we have obtained your explicit consent or, where applicable, compliance with a legal obligation or for legal proceedings/advice.
• We collect this information to ensure you transact with us seamlessly and securely.

Please note that UBA will NEVER ask for personal banking information such as card details (CVV), PIN, Password, Secure Passcode, or Token number.

Why do we need it?

We require your basic personal data to provide you with the banking services you have engaged us for based on the requirements of the respective Central banks and/or governmental regulations, which align with the applicable Data Privacy regulations and our Data Privacy Framework/Policy.

What do we do with it?

We collect, store, and process some of your personal data as required by law to enable you to obtain banking services through us.

All the personal data that the Bank collects from you will be held and processed securely by our Facilities at Douala Headquarters or any of our subsidiaries and/or authorized service providers (third parties), where applicable. Your data will be confidential unless required by a Legal or regulatory requirement for the Banking services or where there is a legal basis for the processing of your processing of your personal data.

We will take all reasonable actions to ensure that the personal data of all customers and employees are handled securely and in a controlled manner. The Bank complies with the latest Information security standards such as PCI-DSS, ISO/IEC 27001:2022, etc.

How long do we keep it?

As a regulated financial services institution, we will retain your personal data as may be required by regulation in the country under consideration, after which it will be disposed of as required under the respective Government laws and Banking regulations.

Please note that regulations may require the Bank to retain your personal data for a specified period, even after the end of your banking relationship with us.

Sharing of Personal Data

Personal data may be shared with third parties and service providers to deliver our services to you in accordance with the General Data Protection Regulation (GDPR), and any applicable Data Protection Laws. 

In addition, we may disclose your personal data:

• If we are required to do so by law or legal process.
• To law enforcement authorities or other government officials.
• When we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity.
• If disclosure is necessary to protect the vital interests of a person.
• To enforce our Terms and Conditions.
• To protect our property, services, and legal rights.
• To support auditing, compliance, and corporate governance functions; or
• To comply with any applicable laws.

Data Security

At UBA, security is our top priority, and we always strive to ensure that your personal data is protected against unauthorized or accidental access. We maintain this commitment to data security by implementing appropriate physical, electronic, and managerial measures to safeguard and secure your personal data with us.

Our web servers are protected behind “firewalls”, and our systems are monitored to prevent unauthorized access. We will not send confidential information to you by ordinary email, as the security of ordinary email cannot be guaranteed.

All practical steps shall be taken to ensure that personal data will not be kept longer than necessary and that the Bank will comply with all statutory and regulatory requirements concerning the retention of personally identifiable information.

Our commitment to Data Security is paramount to us at UBA. Your personal data is kept secure in line with applicable Data Protection Regulations. Only our authorized staff, agents, and contractors (who have agreed to keep information secure and confidential) have access to this information.

Information Security Policy

UBA Cameroon is committed to ensuring the security of its information and information assets and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC 27001:2022. The ISMS helps UBA to protect its information and information assets.

Top management of the bank demonstrates its commitment to information security by establishing information security objectives and policies and providing the needed resources to maintain and continuously improve information security in the bank.

The bank ensures compliance with all applicable information security regulations, standards, and contractual requirements.

Information Security Policy Statement

The Board and management of United Bank for Africa Cameroon are committed to preserving the confidentiality, integrity, and availability of all the physical and electronic information assets (data, resources) throughout the Bank in order to maintain its competitive edge, cash flow, profitability, legal, regulatory and contractual compliance, and corporate image.

This shall be accomplished through the establishment, operation, and continuous systematic review and improvement of a Bank Information Security Management policy that ensures that the information and information security requirements of the Bank remain aligned with the Bank’s goals and provide an enabling mechanism for information sharing, electronic communication, e-banking/commerce, social media and reducing information-related risks to acceptable levels.

The Bank’s strategic business plan and risk management framework shall at all times provide the context for identifying, assessing, and evaluating information-related risks as well as selecting control objectives and implementing supporting controls for the treatment of these risks.

In particular, business continuity and contingency plans, data backup and recovery procedures, control over malicious software and intruders, access control to systems and information security incident reporting and management are fundamental to the information security policy. Control objectives for each of these areas are addressed in the Information Security Manual and shall also be supported by specific, documented policies and procedures as appropriate.

The Information Security Management shall be responsible for the management and maintenance of the bank’s information security-related risk treatment plan. IT & Cybersecurity Steering Committee and Risk Management Committee shall support the implementation, operation, and maintenance of the ISMS framework and periodically review the information security policy.

All employees of the Bank, its engaged contract personnel, and 3rd party service providers shall be expected to comply with the information security policy. All personnel, and relevant external parties as appropriate, shall be provided with training, education, and awareness as appropriate towards this end.

The information security policy shall be subject to continuous, systematic review and improvement. The Bank is committed to achieving compliance and subsequent certification of its ISMS to the globally recognized ISO27001:2022 standard for enterprise information security management systems.

The information security policy shall be reviewed to respond to any changes in the risk assessment conducted or risk treatment plans developed at least annually.

The Board of Directors shall be the Owner of the information security policy and shall be responsible for ensuring that the information security policy document is reviewed in line with the requirements of the information security Manual.

• This information security policy was approved by the Board of Directors and is issued on a version-controlled basis under the signature of the Chairman of the Board.

Information Security and Data Privacy Objectives

To ensure that information security and data privacy are well managed within the Bank and that a management framework is established to initiate and control the implementation of Information Security and data privacy within the Bank.

To ensure that Management supports enterprise information security and data privacy management by, assigning security and data privacy roles, coordinating and reviewing the implementation of security and data privacy across the Bank, and presenting policies to the Board of Directors for approval through the Board Risk Management Committee.

To ensure that contacts with external security specialists or groups, including relevant authorities, are developed to keep up with industrial trends, monitor standards and assessment methods, and provide suitable liaison points when handling information security incidents.

To encourage a multi-disciplinary approach to information security and data privacy.

To maintain security over personal data, the Bank’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties

To ensure that the security of personal data, the Bank’s information and information processing facilities are not compromised by the introduction of external party products or services.

To ensure that access to personal data, the Bank’s information processing facilities, processing, and communication of the Bank’s information by external parties are controlled.

To ensure that business interactions with external parties that may require access to personal data, the Bank’s information and information processing facilities, or involve obtaining or providing a product/service from or to an external party are properly assessed for risk to determine security implications and control requirements.

Shared Responsibilities

UBA and its customers shall play an important role in protecting against online fraud. You should be careful that your bank account details, including your User ID and Password, are not compromised by ensuring you do not knowingly or accidentally share, provide, or facilitate unauthorized use. Please do not share your User ID and password or allow others to access or use them. UBA endeavors to put high-security standards in place to protect your interests.

You should safeguard your unique User ID and Password by keeping them secret and confidential. Never write them down or share these details with anyone.

You are responsible for informing us immediately if you think your User ID and password have been disclosed to a third party, are lost or stolen, and unauthorized transactions may have been conducted on your account.

Where you share the personal data of third parties with us, including your directors, officers, and authorized signatories (Data Subjects), you are responsible for and warrant that you shall obtain their written consent for the processing and transfer of their personal data for the purpose of your contract with us and the provision of banking services to you.

The consent of the parent or legal guardian of a child is mandatory. Age verification and consent are also required. This can be done using technology and Government identification documents.

Exemptions include the vital interest of a child, proceedings in court, education, medical or social care undertaken by a professional owing a duty of confidentiality.

Remedies for personal data violation

If your personal data is violated at any time, you can contact the Bank’s Data Protection Officer (DPO) at dataprotectionoffice@ubagroup.com.

• Within a reasonable timeframe of UBA receiving a complaint, UBA shall notify the Individual in line with data privacy requirements of either,

1. UBA’s position concerning the complaint and any action UBA has taken or will take in response; or,
2. When the individual will be informed of UBA’s position on the complaint in accordance with data privacy requirements

• Remedies shall include but are not limited to investigating and reporting to appropriate authorities, recovering the personal data, correcting it and enhancing controls around it.

Cross Border Transfer

Given the scope of our banking operations, we may process data in multiple locations and rely on legally provided mechanisms to lawfully transfer data across borders. In such cases:

• UBA shall not transfer your personal data to a foreign country or international organisation in contravention of the General Data Protection Regulation and other applicable Data Protection Laws.
• Please contact us if you want to know more about our Data Privacy policy and withdraw some or all of your consent. We will be more than glad to help you in accordance with the regulations.

Changes to Privacy Policy

We review this Privacy Policy regularly and reserve the right to make changes at any time to reflect changes in our business and legal requirements. We will post updates on our website (www.ubacameroon).

Privacy Contact Information

If you have any questions, concerns, or comments about our privacy policy, you may contact us using the information below:

• Data Protection Office, UBA

• Email: cfccameroon@ubagroup.com, dataprotectionoffice@ubagroup.com.
• Phone:  +237 233 506 782
• Head Office: Boulevard de la Liberté-Akwa, B.P. /P.O. Box 2088 – Douala

You may also engage the supervisory authority National Data Protection Authorities (DPAs) if you wish to complain about how UBA handles or has handled your personal data or have concerns about how your complaint has been handled.