Data Protection Policy

National Bank of Malawi plc is committed to protecting the privacy and security of personal data in accordance with applicable data protection laws and regulations. This Data Protection Policy outlines how we collect, use, and safeguard your personal information when you use any of our services.

1. Data Collection

The Bank shall collect the following information from data subjects:

  • Personal Information
    Name, age, date of birth, location, phone number, identity, and/or email address, as per the regulatory requirement.
  • Device Information
    Device type, operating system version, subscriber identity (i.e. the International Mobile Subscriber Identity) and unique device identifiers, collected when you accept our terms and conditions. This only applies when you are using our mobile services.

2. Transparency

At the time of collecting data, the Bank shall provide the following information to the data subject:

  1. The purposes for collecting and processing the personal data,
  2. The legal basis for processing the personal data,
  3. The contact details of the Bank or its representative,
  4. Where possible, the storage period for the personal data,
  5. The existence of automated decision making, including profiling,
  6. The rights of the data subject in relation to their data as provided for in Part IV of the Data Protection Act,
  7. The right to lodge a complaint with the Malawi Communications Regulatory Authority, and
  8. Whether the Bank intends to transfer the personal data outside Malawi.

Where the Bank obtains personal data of a data subject from a person other than the data subject, it shall, within fourteen days, provide information specified in Clause 2.1 to the data subject.

3. Consent

  • The Bank will obtain explicit and freely given consent from data subjects or, where the data subject has no capacity to provide consent, from another natural person who has authority to provide consent on behalf of the subject as his/her legal guardian.
  • Consent can be withdrawn at any time. Such withdrawal shall, where practicable, be in the same manner the consent was provided.

4. Use of Information

The Bank shall use the collected data for the following purposes:

  1. To provide and improve its services,
  2. To personalize the data subject’s experience,
  3. To communicate with the data subject,
  4. To analyze app usage and improve the performance of the Bank’s app, or
  5. To prevent fraud.

5. Processing of Sensitive Personal Data

5.1 The Bank shall not process sensitive personal data of a data subject unless:

  1. The data subject has provided consent to the processing of the data for a specific purpose,
  2. The processing of the data is necessary to protect the interest of the data subject,
  3. The processing of the data is necessary for the purpose of exercising or performing a right or obligation of the Bank or the data subject under a written law or a court order,
  4. The processing of the data is in the interest of public health,
  5. The processing of the data is for public interest,
  6. The processing of the data is necessary for the establishment, exercise or defence of a legal claim, obtaining legal advice or conduct of legal proceedings,
  7. The processing of the data is necessary for the purpose of archiving the data for public interest or for research or statistical purposes, or
  8. The data subject has intentionally made the data public.

5.2 Where sensitive personal data is processed, the Bank shall put in place appropriate measures to safeguard the fundamental rights and interests of the data subject.
5.3 For purposes of this section, sensitive personal data shall mean personal data relating to a natural person’s biometric data, race or ethnic origin, religious or other beliefs relating to the freedom of conscience of a person, health status, political opinion or affiliation, and such data as the Minister responsible may prescribe.

6. Data Sharing

  • The Bank shall not sell, trade, or otherwise transfer a data subject’s personal information to third parties. However, the Bank may share the information if required by law or regulation.
  • The Bank shall not transfer personal data from Malawi to another country or an international organisation unless the recipient of the data is subject to a law, a binding corporate rule, a personal data protection contractual clause, code of conduct, or certification mechanism that affords an adequate level of protection of personal data in accordance with sections 39 (2) and (3) of the Data Protection Act, or the transfer is done in accordance with section 39 (4) of the Act.

7. Data Security

7.1 The Bank shall implement reasonable security measures to protect a data subject’s data from unauthorized access, unauthorized or unlawful processing, alteration, disclosure, accidental loss, damage, or destruction.

7.2 The Bank shall implement appropriate technical and organizational measures to ensure the security of personal data under its control whilst taking into account:

  1. The cost of technology,
  2. The nature, scope, context and purpose of processing personal data,
  3. The degree of likelihood of harm to a data subject that could result from loss, disclosure or other misuse of personal data, and
  4. The retention period of the personal data.

7.3 Personal data will be stored securely, and access will be restricted to authorized personnel only.

7.4 Data will be encrypted and pseudonymized both in transit and at rest where applicable.
7.5 The Bank shall develop and implement procedures to restore availability and access to personal data in a timely manner in the event of physical or technical accident.
7.6 The Bank will conduct periodic risk assessment of the data processing system and service including, without limitation, where the processing involves the transmission of personal data over an electronic communication network.
7.7 The Bank shall conduct regular testing, assessment and evaluation of the effectiveness of the measures implemented under this Clause against current and evolving risks.
7.8 The Bank shall conduct regular updates of the measures implemented under this clause and introduce new measures to address any shortcomings in effectiveness identified and to address evolving risks.
7.9 In the event of a data breach, the Bank will:

  1. Promptly assess and mitigate the impact of the breach,
  2. Notify affected data subjects within seventy-two hours, where the breach is of high risk to the rights and freedoms of the data subject,
  3. Notify the Malawi Communications Regulatory Authority and other relevant authorities within seventy-two hours of becoming aware of the breach, outlining the following:
    1. a description of the nature of the personal data breach,
    2. where possible, a description of the categories of personal data affected by the breach,
    3. where possible, the number of data subjects affected by the breach,
    4. a description of the measures taken or proposed to be taken by the Bank to address the breach, and
    5. the name and contact details of the data protection officer of the Bank.
  4. Where it is practically not possible to provide the information within the prescribed period, provide the information as soon as it becomes available, and
  5. Keep a record of the breach where required by law.

8. Data Retention

8.1 Personal data will be retained for no longer than necessary for the purposes for which it was collected, and in accordance with applicable laws and regulations.
8.2 Where data is stored for a longer period for purposes of archiving for public interest or for research or statistical purposes, the personal data will, where appropriate, be pseudonymized.

9. Data Subject Rights

9.1 The data subjects have the following rights regarding their personal data as provided for in Part IV of the Data Protection Act:

  1. Right to Access the personal data,
  2. Right to Rectification of the personal data,
  3. Right to Erasure of the personal data,
  4. Right to Data Portability,
  5. Right to Object,
  6. Right to Restriction of Processing, and
  7. Subject to Section 25 (2) of the Data Protection Act, right not to be subject to automated decision-making.

9.2 The above rights shall be restricted where the processing of the personal data is for the purpose of:

  1. National security, including safeguarding against and the prevention of a threat to national security,
  2. The prevention, investigation, detection or prosecution of a criminal offence or the execution of a criminal penalty,
  3. Pursuing a national economic or financial interest, including monetary, budgetary or taxation matter,
  4. Public health,
  5. Social security,
  6. Judicial proceedings,
  7. The investigation, detection and prosecution of ethics for a regulated profession,
  8. Monitoring, inspection or exercise of a regulatory function by a public authority,
  9. Protecting the data subject or the rights and freedoms of another natural person, or
  10. The enforcement of a civil law claim.

Provided that the Bank shall not process personal data of a data subject relating to a criminal offence, conviction, or security measure imposed on the data subject unless:

  1. The processing is authorized by a written law and the law provides for necessary safeguards for the rights and freedoms of the data subject, or
  2. The processing is carried out under the control of an organ of Government or other official authority.

10. Data Protection Impact Assessment

10.1 Where the processing of personal data is likely to be of high risk to the rights and freedoms of the data subject by virtue of the nature of the data and the scope, context and purpose of the processing, the Bank shall, prior to processing, carry out a data protection impact assessment.

10.2 Notwithstanding Clause 10.1 above, the Bank shall conduct a data protection impact assessment:

  1. Where the personal data will be processed using an automated processing system, including profiling,
  2. Where sensitive personal data or personal data relating to a criminal offence or conviction will be processed on a large scale,
  3. Where there will be systematic monitoring of a publicly accessible area on a large scale, or
  4. In any circumstance prescribed by Malawi Communications Regulatory Authority, by a notice published in the Gazette.

10.3 The data protection impact assessment shall contain:

  1. A systematic description of the envisaged personal data processing,
  2. The purpose of the processing of the personal data,
  3. Where applicable, the legitimate interest pursued by the Bank or third party, as the case may be,
  4. An assessment of the necessity and proportionality of the processing of the personal data, in relation to the purpose of processing the data,
  5. An assessment of the risk to the rights and freedoms of the subject,
  6. The measures envisaged to be put in place to address the risk, taking into account the rights, and legitimate interests of the data subject and any other natural persons concerned, and
  7. Any other information as may be prescribed by the Malawi Communications Regulatory Authority.

10.4 The Bank shall submit the data protection impact assessment report to the Malawi Communications Regulatory Authority prior to the processing of the personal data.
10.5 Where there is a change in the risk represented in the data protection impact assessment report, the Bank shall carry out a review of the risk to assess if the processing of the personal data is being done in accordance with the data protection impact assessment.

11. Compliance with Laws
The Bank shall comply with all relevant data protection laws and regulations applicable in the regions where its service operates.

12. Changes to the Policy
The Bank may update this Data Protection Policy at any time. Any changes will be communicated through updates or on our website.

13. Contact Details
The contact details for any questions or concerns in respect of this Policy shall be: [email address not reproduced on the source page].

14. Effective Date
This Data Protection Policy is effective from 1st December 2023.

15. Review
This Policy shall be reviewed every three years or earlier as and when required when there are significant changes in data protection laws or other significant events.

Vision

To be the most successful financial institution in Malawi with an internationally visible presence.

Mission Statement

To provide outstanding and inclusive financial solutions that deliver sustained stakeholder value.