PRIVACY NOTICE
This privacy notice was last updated on 5th February 2025.
Protecting your personal data.
Introduction
This Privacy Notice (the “Notice”) governs how I&M Bank Limited (hereafter, “I&M Bank”), collects, uses, and discloses personal data from and about consumers of I&M Bank services, website and web applications that link to this Notice (collectively referred to as, the “Services”). This Privacy Notice covers any products or services our consumers have with us including accounts, loans, cards, investments and insurance, and these form part of the Services.
Personal data in this context means information relating to an identified or identifiable natural person.
Wherever the terms “You” or “Your” are used herein, this means you (consumer/individual), any authorized person on your account(s) and anyone who deals with us on your behalf including attorneys under a Power of Attorney, legal executors, personal representatives, beneficiaries and trustees.
Wherever the terms “We” or “Us” are used herein, this means I&M Bank Limited, which is the primary data controller of your personal data.
The following subsidiary companies will act as data controllers where you hold a product or engage a service from them:
What types of personal data do we collect?
We may collect the following types of personal data about you.
- a personal banking client;
- a representative of, or an individual directly or indirectly related to or associated with:
(i) a company, business or organisation that is our personal banking client; or
(ii) a person or a company, business or organisation that has a relationship with our personal banking client; or
- a representative of, or an individual directly or indirectly related to or associated with:
(i) a company, business or organisation that is our business or corporate banking client; or
(ii) a person or a company, business or organisation that has a relationship with our business or corporate banking client.
Personal data we collect with respect to business and corporate client relationships is primarily limited to the information on directors and officers, other employees, direct and indirect beneficial owners and authorised persons we need to enable us to meet our due diligence obligations, signatory details and contact information of individuals we interact with to enable the provision of products and services to clients.
If you give us someone else’s personal data, you must have their permission and explain to them how we’ll use it. We may, at our discretion, request you to provide proof of that person’s permission authorising you to share their personal data with us.
We may collect the following types of personal data about you, as relevant and allowed by law:
- Identification data – information that identifies (uniquely or semi uniquely) you. For example, your name, your date of birth, your gender, your user login credentials, your photographs, CCTV and video recordings of you and other identifiers, including official/government identifiers such as national identification number, passport number and tax identification number.
- Contact data – information that allows addressing, sending or communicating a message to you. For example, your email address, your phone or mobile number and your residential or business address.
- Professional data – information about your educational or professional background.
- Geo-location data – information that provides or contains a device’s location. For example, your internet protocol (IP) address or your cookies identifier
- Behavioural data – analytics information that describes your behavioural characteristics relating to your use of our products and services. For example, usual transactional activities, browsing behaviour on our websites and how you interact as a user of our products and services, or those provided by third-party organisations, such as our advertising partners and social media platform providers.
- Personal relationship data – information about associations or close connections between individuals or entities that can determine your identity. For example, spouse or employer relationships etc.
- Communications data – information relating to you contained in voice, messaging, email, live chats and other communications we have with you. For example, service requests.
We may sometimes need to collect more sensitive personal data about you, but we only do this if it’s necessary and with your consent or where allowed by law. This sensitive personal data (sometimes known as special category personal data) may include things like:
- Racial or ethnic origin data – information which reveals your racial or ethnic origin
- Biometric data – information that identifies you physically. For example, facial recognition information, your fingerprint or voice recognition information
- Health data – information relating to your health status. For example, disability information relevant to accessibility
- Financial and commercial data – your account and transaction information or information that identifies your financial position and background, status and history as necessary to provide relevant products and services. For example, your debit or credit card details, your source of funds, your financial and credit rating history
- Criminal convictions, proceedings or allegations data – information about criminal convictions or related information that we identify in relation to our financial crime prevention obligations, for example, details about any criminal convictions or related information. This includes details of offences or alleged offences or convictions.
We usually get your personal data directly from you, but we may also obtain your personal data from other sources as necessary, depending on the relevant products and services that we are providing, including from:
- People you know – such as:
- parents or guardians of minors. If you are a minor (normally this means if you are under 18 years old, but this might be younger depending on where you live), we will get your parent or guardian’s consent before collecting, using or sharing your personal data. If you have reason to believe that a child has provided personal data to us, please contact us at https://www.imbank.com/about-us/contact and we will endeavour to delete that information from our databases.
- your joint account holders
- your referees
- other people you appoint to act on your behalf.
- Businesses and other organisations – such as:
- your employer and/or company, business or organisation you represent or is related to you
- other financial institutions and financial service providers
- strategic referral partners, including business alliance, co-branding partners or other companies or organisations that the I&M Group cooperates with based on our contractual arrangements or other joint ventures to provide relevant third-party products and services
- service partners, such as advertising and market research companies and social media platform providers
- credit reference and fraud prevention agencies
- regulatory and other entities with authority over the I&M Bank, such as tax authorities, law enforcement or authorities imposing financial sanctions.
- Our corporate and business clients – where you receive the benefit of our services in relation to our contract with the company, business or organisation you interact with. For example, resolving payment disputes with our merchant clients.
- Publicly available resources – such as online registers or directories or online publications, social media posts and other information that is publicly available
Cookies: When you visit, browse, or use our websites, online banking or mobile applications, we may use cookies to automatically collect certain information from your device. We may use such information, where relevant, for internal analysis and troubleshooting, to recognise you and remember your preferences, to improve the quality of and to personalise our content and to determine the security status of your account. For more information on how we use cookies and how you can control them when visiting our websites, please see our website
https://www.allaboutcookies.org/verify
Why do we collect your personal data?
We collect your personal data so that we can provide our products and services, manage our relationship with our clients and to operate our business. This is necessary when you hold your own bank account with us and when you represent, or are associated with, other individuals, companies, businesses or organisations who bank with us, for example, if you act as a guarantor, employee, shareholder, director, officer or authorised person.
If you have or are associated with more than one account with I&M Bank, we may link all your accounts and personal data to enable us to have an overall picture of our client relationships.
We generally process your personal data with your consent where required by law or where otherwise permitted or required by applicable laws, including for the following lawful reasons:
- Contract – when we’re performing contractual obligations
- Legal Obligation – when we’re required to comply with laws and regulations
- Legitimate Interest – when it’s within our legitimate interests for the purpose of processing.
What we use your personal data for is often referred to as our purposes of processing and these are detailed below. We may not be able to offer or provide our products and services if you do not provide us with the necessary personal data or do not want us to process the personal data that we consider is necessary and/or is required to meet our legal and regulatory obligations.
Purposes of Processing
We process your personal data for the following purposes, as necessary to provide relevant products and services, depending on whether you have your own bank account with us or you represent, or are associated with, other individuals, companies, businesses or organisations who bank with us.
- Assessing and providing products and services to our clients (Legal basis: Contract, Legal Obligation or Legitimate Interest)
This includes:
- assessing eligibility, merits and/or suitability of product and service applications for clients; we may retain a record of the application if our eligibility criteria are not met
- assessing your suitability as an individual guarantor
- conducting relevant due diligence and know-your-customer (KYC) checks as required by applicable laws
- conducting credit checks and financial assessments as required by applicable laws and regulations
- setting credit limits for clients
- obtaining quotations, assisting with applications and interacting with strategic referral partners on behalf of clients for co-branding and other third-party products and services, such as insurance and wealth management products
- opening accounts.
- Managing banking relationships and administering client accounts (Legal basis: Contract, Legal Obligation or Legitimate Interest).
This includes:
- establishing, continuing and managing client banking relationships and accounts with us or, where applicable, any member of the I&M Bank.
- providing clients with appropriate access to our products and services, such as our online and mobile banking platforms
- operating, providing, reviewing and evaluating the products and services, offered by or through us or any member of I&M Bank, to fulfil our contractual obligations with clients for products and services
- effecting and verifying transactions and acting on instructions or requests, such as transferring money between accounts and making payments to third parties for clients.
- maintaining up-to-date records of authorised persons and signature lists
- maintaining statements detailing the amount of indebtedness owed by you to us and by us to you
- administering, for example, credit facilities or loans for clients
- maintaining contact information
- responding to questions or managing any complaints, including monitoring social media conversations and posts to identify conversations, sentiments, and complaints about the I&M Bank.
- issuing notifications about changes to the terms and conditions of our products and services
- recording our communications for record-keeping and evidential purposes including online messages, email and telephone
- contacting clients relating to the products and services we are providing.
- Operating our business (Legal basis: Contract, Legal Obligation or Legitimate Interest)
This includes:
- managing authentication and user access controls for clients, for example, for online and mobile banking
- audits of our business operations
- creating and maintaining our credit scoring models relating to clients
- conducting relevant credit management activities, which includes maintaining client credit history for present and future reference, updating credit bureaus and credit reference agencies and ensuring ongoing credit worthiness and credit checks.
- assisting other banks and third parties recover funds that have entered client accounts as a result of erroneous payments.
- engaging in business operational management, such as performing administrative tasks relating to the products and services we provide, monitoring and reporting of our financial portfolio, risk management activities, audits and ensuring operation and security of our communications and processing systems, systems development and testing, business planning and decision-making.
- Improving our products and services to our clients (Legal basis: Legitimate Interest or Consent)
This includes:
- developing, testing and analysing our systems, products and services
- monitoring and recording our communications with you, for example, phone calls, for training and quality purposes.
- conducting market research and customer satisfaction surveys
- designing our products and services for your use, for example credit cards
- conducting demographic analytics and gathering insights by aggregating data such as behavioural data from the use of our products and services and our applications to provide you with more tailored products and services.
For further information on direct marketing, please refer to ‘When do we conduct direct marketing?’ section.
- Keeping you and our people safe (Legal basis: Legal Obligation or Legitimate Interest)
This includes:
- conducting identity verification security checks for building access
- using CCTV surveillance recordings at our branches, premises and ATMs for the purposes of preventing and detecting fraud and/or other crimes, such as theft.
- investigating and reporting on incidents or emergencies on our properties and premises
- for the security of our systems and networks to keep your data safe and confidential
- for other health and safety compliance purposes
- monitoring social media conversations and posts to protect clients from sharing data publicly that could be used for fraud.
- Detecting, investigating and preventing financial crimes (Legal basis: Contract, Legal Obligation or Legitimate Interest)
This includes:
- meeting or complying with I&M Bank policies, including identifying individuals and performing investigative procedures, measures or arrangements for sharing data and information within the I&M Bank.
- any other use of data and information in accordance with any group-wide programmes for compliance with sanction or prevention or detection of money laundering, terrorist financing or other unlawful activities
- conducting identity verification security checks against government and other official centralised databases, as required by law
- monitoring and recording voice and electronic communications and screening applications and transactions in connection with actual or suspected fraud, financial crime or other criminal activities, for example to detect unusual transaction behaviour
- recording and monitoring voice and electronic communications with us, to the extent permitted by applicable laws, to ensure compliance with our legal and regulatory obligations and internal policies
- conducting checks against government and non-government third parties’ fraud prevention and other financial crime prevention databases to prevent money laundering, terrorism, fraud and other financial crimes, to protect you, our clients and the integrity of the financial market. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies and may result in others refusing to provide services or employment to you.
- Complying with applicable laws, regulations and other requirements (Legal basis: Legal Obligation or Legitimate Interest)
This includes:
- meeting or complying with I&M Bank policies, including identifying individuals and performing investigative procedures, measures or arrangements for sharing data and information within the I&M Bank.
- complying with relevant local and foreign law, regulations, rules, directives, judgments or court orders, requests, guidelines, government sanctions, embargo, reporting requirements, restrictions, demands from or agreements with any authority (including domestic or foreign tax authorities), court or tribunal, enforcement agency or exchange body in any relevant jurisdiction where the I&M Bank Group operates. For example, we may share personal data relating to your personal bank account with a local tax authority in accordance with applicable laws or regulations. The local tax authority may share or may require us to share such information with other overseas tax authorities in accordance with applicable laws or regulations (for example, tax law and regulation relating to automatic exchange of financial account information). We may need to collect extra information from you for such purpose to comply with applicable laws or regulations
- following any voluntary guidelines or recommendations as may be updated from time to time issued by legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers in any relevant jurisdiction where the I&M Bank Group operates.
- Exercising I&M Bank legal rights and conducting legal proceedings (Legal basis: Legal Obligation or Legitimate Interest)
This includes:
- tracing and exercising our rights and protecting ourselves against harm to our rights and interests
- retaining records as may be necessary as evidence for any potential litigation or investigation
- recovering debts and arrears
- conducting litigation to enforce our rights or the rights of any other member of I&M Bank.
- obtaining professional advice
- investigating or making an insurance claim
- responding to any insurance related matter, action or proceeding
- defending or responding to any current or prospective legal, governmental or quasi-governmental, regulatory, or industry bodies or associations related matter, action or proceeding or for establishing, exercising or defending legal rights.
- Facilitating I&M Bank mergers, acquisitions, and divestments (Legal basis: Legitimate Interest)
This includes:
- evaluating our business and providing continuity of services to you after a transfer of our business because of a merger, acquisition, sale or divestment
- enabling an actual or potential assignee of all or any part of our business and/or asset or participant or sub-participant of our rights in respect of the data subject, to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation.
When do we conduct direct marketing?
We may sometimes, and with your consent by providing additional privacy notice information as required by applicable laws, use your contact details to send you relevant marketing communications (such as by post, email, telephone, SMS, secure messages, mobile app or social media) for direct marketing purposes.
We may send the following types of communications (unless you have informed us that you do not wish to receive such communications):
- news, offers and promotions about our or other I&M Bank products and services
- information about products and services from or relating to third parties, such as financial institutions, insurers, credit card companies, securities and investment, mobile wallets and digital payment services providers
- details of our or relevant third-party reward, loyalty or privileges programmes and related services and products
- information about products and services offered by our co-branding partners (the names of such co-branding partners can be found in the application form(s) for the relevant products and services, as the case may be)
- market research and customer satisfaction surveys
- information about our or relevant third-party competitions and lucky draws
- appeals by us or relevant third parties for charitable and/or non-profit making donations, sponsorships and contributions; and
- information and communication relating to our or relevant third-party seminars, webinars and other relevant events or opportunities.
We may conduct market research using demographic and insights analytics by aggregating the personal data that we hold about you to provide you with marketing communications, which are more relevant and tailored for you.
We may share limited information about you with social media platform providers we engage with for the purpose of online social media advertising where you have permitted us and the social media platform provider(s) to use cookies that support our marketing on these platforms. For example, to check whether you have an account with social media platform providers to ask them to display more relevant marketing communication messages to you about our products and services or to exclude you from receiving advertisements for our products and services which you already use.
For more information on how we use cookies in relation to marketing, please see our
https://www.allaboutcookies.org/verify
You may withdraw your consent or opt-out from receiving such marketing communications in accordance with your rights by contacting us using the details in the ‘How to get in touch’ section below.
When do we use automated decision-making?
We may use the personal data we collect to conduct data analytics, including profiling and behavioural analysis, to make quicker automated decisions in our business operations and to evaluate your personal characteristics to predict outcomes and risks. We require that rules followed by such automated systems are designed to make fair and objective decisions. We may use artificial intelligence and machine learning to help improve our communications and client experience, make our business operational processes safer and more efficient and enable us to provide faster responses and improve turnaround time. For example, we may use automated decision-making for the following:
- Client digital onboarding processes – account opening approval processes using electronic Know-Your-Customer (eKYC) checks by verifying the authenticity of scanned identification documents and a photo through biometric facial recognition and liveliness check
- Operational efficiency – voice bots for call centre identification verification
- Client engagement – client marketing campaigns and communications to recommend more tailored products and services based on insights from your personal data and your interactions with robot advisors and chatbots.
- Risk management – monitoring of accounts and transactions to detect unusual activities to prevent fraud or money laundering, terrorism and other financial crimes (for example, detecting whether the use of your credit card may be fraudulent) and approval of loan applications and credit decisions based on credit-scoring models.
For further information on your rights in relation to automated decisions that affect you, please refer to the ‘What are your personal data protection rights?’ section.
Who may we share your personal data with?
We may share your personal data within the I&M Bank. I&M Bank may share your personal data for the purposes of processing as set out in this privacy notice, including with our service providers, our business partners, other third parties and as required by law or requested by any authority. Who these are depends on your interactions with us as an individual.
We limit how, and with whom, we share your personal data and take steps to ensure your personal data is kept confidential and protected when we share it. We may share your personal data for our purposes of processing with the following, where relevant and allowed by law:
- Other members of the I&M Bank.
- Authorised third parties
- legal guardians, joint account holders, actual or intended guarantors/sureties, trustees, beneficiaries, executors, legal representatives or authorised persons of our clients, any actual or potential participants or sub-participants in relation to any of our obligations in respect of any banking agreement, assignees, novatees or transferees (or any officers, employees, agents or advisers of any of them)
- any other person you have authorised us by your consent to share your personal data with.
- Third parties that can verify your information
- credit bureaus or credit reference agencies (including the operator of any centralised database used by credit reference agencies), credit protection providers, rating agencies, debt collection agencies, fraud prevention agencies and organisations
- other non-government third parties that conduct financial crime prevention database checks to prevent money laundering, terrorism, fraud and other financial crimes.
- Our service partners
- professional advisers, such as auditors, legal counsel, conveyancers and asset valuation specialists
- insurers or insurance brokers
- service providers, such as operational, administrative, data processing and other technology service providers, including anyone engaged or partnered with to analyse and facilitate improvements or enhancements in I&M Bank’s operations or provision of products and services
- providers of professional services, such as market researchers, forensic investigators and management consultants
- advertising companies and social media platform providers
- third-party product providers, for example, securities and investments providers, fund managers and insurance companies
- third-party service providers, such as telemarketing and direct sales agents and call centres.
- Strategic referral partners
- business alliance, co-branding partners or other companies or organisations that the I&M Bank cooperates with based on our contractual arrangements or other joint ventures to provide relevant third-party products and services
- charitable and non-profit organisations.
- Other financial services organisations
- other financial institutions, such as merchant banks, correspondent banks or national banks
- market infrastructure providers and securities clearing providers
- payment service providers, including mobile wallet and digital payment service providers, merchants, merchant acquiring companies, credit card companies, payment processors and card association members, payment-initiation and card-based payment instrument service providers such as VISA and Mastercard
- Account Information Service Providers (AISP)
- any financial institution and merchant acquiring company with which you have or propose to have dealings.
- Government authorities and law enforcement
- as required by law or as requested by any authority, which includes any government, quasi-government, regulator, administrative, regulatory or supervisory body, court, tribunal, enforcement agency, exchange body or domestic or foreign tax authorities, having jurisdiction over any I&M Bank member whether within or outside your jurisdiction and whether that I&M Bank member has a relationship with you
- self-regulatory or industry bodies or associations of financial services providers in any relevant jurisdiction where the I&M Bank Group operates.
- Other third parties
- the individual, company, business or organisation, as applicable, that you represent or is related to you
- third parties in case of a merger, acquisition or divestment: if we transfer (or plan to transfer) or assign any part of our business or assets. If the transaction goes ahead, the interested party may use or disclose your personal information in the same way as set out in this privacy notice, and subsequently notify you of any changes they may make in terms of how they process your personal data
- any other person under a duty of confidentiality to us, including any other members of the I&M Bank Group, which has undertaken to keep such information confidential.
Where do we transfer personal data?
Your personal data may be processed, stored, shared, transferred or disclosed by us within the I&M Bank or with other third parties for the purposes described in this privacy notice. We do this to operate effectively, efficiently and securely in facilitating transactions and providing products and services to our clients, to improve and support our processes and business operations and to comply with our legal and regulatory obligations. This may involve processing, storing, sharing, transferring or disclosing your personal data cross border to other jurisdictions.
Where recipients of your personal data are in jurisdictions that are outside Uganda, we will ensure that the transfer of your personal data is subject to your consent.
For further information on transfers of your personal data, you can contact us on
https://www.imbankgroup.com/ke/about-us/contact/.
How do we protect your personal data?
We take the privacy and security of your personal data very seriously. To protect your data, we have put in place a range of appropriate technical, physical and organisational measures to safeguard and keep your personal data confidential, for example, by using contracts with appropriate confidentiality, data protection and security terms in our arrangements with third parties. I&M Bank has implemented information security data privacy policies, including incident management and reporting procedures, rules and technical measures to protect personal data and to comply with legal and regulatory requirements. We train and require staff who access your personal data to comply with our data privacy and security standards. We require our service providers, or other third parties we engage with and to whom we disclose your personal data to implement similar confidentiality, data privacy and security standards and measures when they handle, access or process your personal data.
How long do we keep your personal data?
For the purposes described in this privacy notice, we keep your personal data for business operational or legal reasons while you engage with us and may retain your personal data for a period afterwards, depending on the type of personal data, in accordance with our data retention policy and record management policy standards and as required by applicable laws and regulations. We will delete, anonymise, destroy and/or stop using personal data when we no longer need it.
What are your personal data protection rights?
We respect your personal data, and you have the following rights about how we use your information:
- Your right to access your data – you have the right to check whether we hold personal data about you, and you can ask us for a copy of such data and information on how we have used it.
- Your right to correct your data – if your personal details have changed, or you believe we have incorrect or out-of-date information about you, you can ask us to update it.
- Your right to delete your data – you can ask us to delete your personal data. However, we may need certain personal details to provide our products and services to you.
- Your right to know third parties – you can ask us to disclose the identity of a third party who has or has had access to your personal data.
- Your right to restrict or object to processing – you can ask us to stop using your data or change how we use it. However, we may need certain personal details to engage with you or provide our products and services to you.
- Your right to object to automated decision making – you can ask us to review a decision made solely by automated processing if it negatively impacts you.
- Your right to data portability – you can ask us to provide your personal data to another organisation in a format that can be easily read by machines.
- Your right not to provide consent or to change or to withdraw consent already provided – we may from time to time ask for your consent to process your personal data. You can choose not to provide such consent or let us know at any time if you change your mind about the consent already provided. However, we may not be able to provide our products and services or engage with you without certain personal data.
- Your right to withdraw from direct marketing – you can withdraw your consent and tell us to stop sending you marketing emails or invitations to surveys at any time.
We will respond to requests to exercise your personal data rights in line with applicable laws. We may ask you to verify your identity before processing your request. If you have any questions about your rights, please contact us using the details below.
Accessibility
If you need this information in a different format, please contact us through any of our available channels or the link:
https://www.imbankgroup.com/ke/about-us/contact/.
Acceptance
Your use of the Services signifies that you agree to the use of your personal data by I&M Bank for the specific purposes mentioned in this privacy notice. This Privacy Notice is communicated to you via our website, and you have made an informed decision to allow I&M Bank to process your personal data as set out herein.
DPO Contact Details
Telephone: +256 (0)417 719 400
Email: compliance@imbank.co.ug
I&M Bank (Uganda) Limited,
Kingdom Kampala, Nile Avenue
P.O. Box 3072, Kampala, Uganda.
Appendix
The links below are to the Privacy Notices of the countries in which we have subsidiaries and to the General Data Protection Regulation (GDPR), which applies to the European Union (EU) region.