Caution

If you receive any calls (except from BoB Contact Center when you have lodged a concern with them +975 2 349903), SMS and Email asking for personal details such as Account number or ATM Card number, please do not share. Bank of Bhutan will never ask for personal details of clients. It’s all spam.

VERSION

Version:V 2.0
Date of version:8th October 2024
Created by:IS, Section Manager/DPO
Approved by:DPMC/ISSC
Distribution List:Public

VERSION CONTROL

VersionDate
130th August 2023
28th October 2024

1. INTRODUCTION

Bank of Bhutan (BoB) is committed to ensure the privacy of customer data and information; and to use personal information in a very judicious manner. The Bank is guided by the regulations and best practices in the area of data protection & privacy. If a customer provides certain information with which the customer can be identified personally, the information would be used only for the purpose for which it was submitted and in accordance with the Bank’s Data Privacy Policy approved by the DPMC (Data Protection Management Committee).

2. SCOPE AND COVERAGE

The Policy covers all users who interact with the Bank / Website / Digital Applications and whose personal information is collected / received / transmitted / processed / stored / dealt with and / or handled by the Bank. This Policy covers the “sensitive personal data or information” of customers, which are handled by the Bank in any form or mode.

3. COLLECTION OF DATA

The Bank collects and uses the financial and personal information from its customers as is required under various regulations and guidelines. Such information is collected and used for specific business purposes or for other related purposes or for a lawful purpose, to comply with the applicable laws and regulations.

BoB collects personal data for various purposes, including but not limited to:
– Opening and maintaining customer accounts.
– Processing transactions and providing banking services.
– Conducting due diligence and complying with legal obligations (e.g., anti-money laundering checks).
– Marketing products and services with customer consent.

Types of personal data collected may include, but not limited to:
– Name, address, date of birth, and identification numbers.
– Financial information such as account details, transaction history etc.
– Contact details, including email address and phone numbers.

4. CONSENT

By making available their personal information to the Bank, the customers are deemed to have provided their consent to the Bank to use all such information:

– To offer products or services requested or of interest.
– For verification and checks.
– To process applications, requests, transactions and maintain records for internal, legal, or regulatory purposes.
– For any other lawful purposes.

5. DATA USAGE

The Bank may use Personal Identifiable Information (PII) for the following purposes and/or for any other lawful purposes:
– Providing, maintaining, and improving banking services.
– Ensuring compliance with legal and regulatory requirements.
– Preventing fraud and managing security risks.
– Communicating with customers about account information, products, and services.
– Analysing trends and customer behaviour to enhance banking experiences.

6. COOKIES

Cookies and related technologies, such as tracking pixels etc. are tools used to collect information about users’ interactions with websites. These technologies help enhance user experience by remembering preferences, enabling functionalities, and personalising content. By using the Bank’s website and other digital platforms, the customers agrees that these types of cookies can be placed on their device. User is free to disable/ delete these cookies by changing their device / browser settings. The bank is not responsible for cookies placed in the device of user/s by any other website and information collected thereto.

7. DATA PROTECTION AND SHARING

BoB implements comprehensive security measures to protect personal data against unauthorized access, loss, or destruction. These measures include:
Masking: Use of masking technologies to secure data during transmission and storage.
Access Controls: Role-based access to personal data and strict authentication processes.
Regular Audits: Conducting regular security assessments and audits to identify and mitigate risks.

8. DATA SHARING AND DISCLOSURE

BoB does not sell or rent personal data. However, personal data may be shared with:
Service Providers: Third-party vendors and partners who assist in delivering our services, subject to confidentiality agreements.
Regulatory Authorities: Government agencies and regulators as required by law (RMA, ACC etc).
Business Transfers: In connection with mergers, acquisitions, or asset transfers, where personal data may be shared as part of due diligence.

9. THIRD-PARTY VENODR

BoB will ensure that all third-party vendors who handle personal data comply with this policy and relevant legal obligations. Contracts with third-party vendors will include specific data protection provisions to safeguard personal information.

10. CUSTOMER RIGHTS

Customers have rights concerning their personal data, including:
Access: Customers can request access to their personal data held by the bank.
Correction: Customers can request that inaccurate or incomplete data be corrected.
Deletion: In certain circumstances, customers can request the deletion of their personal data.
Objection: Customers can object or withdraw their consent to the processing of their data for specific purposes.
Portability: Customers may request the transfer of their data to another organisation where applicable.
Reporting: Lodge or report complaint to Information Security Officer (ISO) or DPO (Data Protection Officer).

11. LAWFULNESS, FAIRNESS AND TRANSPARENCY

Personal Data will be processed lawfully, fairly and in a transparent manner at all times. This implies that Personal Data collected and processed by or on behalf of the Bank will be in accordance with the specific, legitimate and lawful purpose consented to by the Data Subject, save where the processing is otherwise allowed by the law of the kingdom of Bhutan or by the regulatory authorities.

12. PII PERTAINING TO MINORS

BoB is committed to protecting the privacy of minors. In accordance with applicable laws, we do not collect or store personal identifiable information (PII) from individuals under the age of 18 without parental consent. This includes, but is not limited to, names, addresses, email addresses, and any other data that could be used to identify a minor. We encourage parents and guardians to monitor their children’s online activities and to help us maintain a safe digital environment.

13. RETENTION AND DISPOSAL

– The Bank will retain the information for so long as it is needed by the business. Since most of the information is in continuous use, it is retained on an indefinite basis or for such period as to satisfy legal, regulatory or accounting requirements.
– When the Bank finds that information collected or stored or transferred is no more in use and if there is no legal obligation to retain such information, the Bank will determine appropriate means to dispose or to de-identify personally identifiable information in a secure manner in keeping with its legal obligations.

14. NOTICE OF CHANGE

The Bank may, from time to time, change this policy. The effective date of this Policy, as stated below, indicates the last time this Policy was revised or materially changed.

Effective Date: 8 October 2024

QUESTIONS OR CONCERNS

Please contact the Data Privacy Officer/Information Security Officer at [email protected]