NBFIRA

Privacy Statement of Non-Bank Financial Institutions Regulatory Authority (NBFIRA)

Purpose

NBFIRA has a legal mandate in terms of the NBFIRA Act, 2023 for regulating the market conduct and the supervision of financial institutions. NBFIRA aims to enhance financial stability, safety and soundness of the Non-Bank Financial Institutions (NBFIs), fairness, efficiency and orderliness of the NBFIs to protect customers.

Furthermore, NBFIRA has a responsibility to ensure the highest standards of conduct of business by the NBFIs and reduction and deterrence of financial crime.

To achieve its objectives as set out above, NBFIRA must collect and use information, including personal data as defined in the Data Protection Act No. 18 of 2024. Personal data means information which alone or jointly with other factors identifies you as a person. This includes information such as your name, contact details, telephone number, biometric information, registration number and any other information we collect.

NBFIRA treats all personal data it collects through different channels as private and confidential.

The purpose of this Privacy Statement is to explain how and why we use your personal information.

Right to change this Privacy Statement

This Privacy Statement may be changed as part of monitoring and compliance to align with changes in the law or changes in technology which impact on how we process your personal data. These changes will be published on our websites to indicate newly adopted practices, and the latest version will replace previous versions.

Collection of Personal Data

Personal data is collected directly from you and may be collected indirectly from other external sources for purposes of fulfilling our regulatory mandate and sector specific obligations.

Due to the supervisory and enforcement nature of NBFIRA, we need to have a complete view of the markets we regulate, understand their behaviours and that of consumers, and be proactive and pre-emptive in effectively identifying risks that impact on the achievement of our mandate. In order to effectively achieve this, NBFIRA must collect information from multiple sources. Examples of other sources include:

  • Other regulators. These regulators may be inside or outside of Botswana
  • Media sources such as newspapers, social media and the broadcast news
  • Law enforcement agencies such as Botswana Police Service
  • Members of the public
  • Whistle-blowers
  • Credit bureaus
  • Our service providers
  • Verification agencies

Why do we collect Personal Data?

We collect your personal information for a number of reasons including the following:

  • To process your licence/registration application as required by the financial sector laws for which NBFIRA is the responsible authority.
  • Analyse your suitability for the products and services you apply for.
  • To monitor financial sector trends and emerging market conduct risks.
  • Supervising the business conduct of entities we regulate.
  • Identify possible contravention of sector specific laws.
  • Management of third-party relationships and facilitating payment where you are our service provider.
  • To manage the employment relationship where you are employed by us.
  • For processing your application where you have applied for employment with us

What Personal Data do we collect?

Each of our Departments collects and processes different attributes of your personal data at specific points of our regulatory processes, to fulfil a regulatory mandate or for internal business purposes. Please see below a non-exhaustive list of personal data categories that we collect and process.

  • Identifying number (employee number; company registration numbers, identity number),
  • Email-addresses, physical address, telephone number
  • Names, surname, marital status, nationality, age, physical health status, well-being, disability status, language, date of birth. Some of the information may be more prevalent in our employment processes than in the core business divisions.
  • Biometric information such as fingerprinting, particularly in our employment processes.
  • Information on your race, ethnic or social origin, criminal recordings/proceedings.
  • Education, medical, financial, employment information

We may not be able to carry out our regulatory mandate and provide our services to the public, employ you or procure your services without your personal information.

Publication and access to NBFIRA registers

NBFIRA makes accessible certain information to the public on its website, such as lists of regulated entities and persons. The accessible information includes the details of the entity, its contact information, names of appointed compliance officers, key individuals, licensed products, list of approved nominees and holding companies.

We will only make accessible limited information that will allow the public the ability to verify licensed entities and persons and contact them for their financial needs, where necessary.

The use of Third Parties

We will from time to time share your personal information with third parties. We will only disclose your personal information if:

  • It is necessary to fulfil our regulatory mandate as provided for in NBFIRA Act
  • For business purposes
  • The law requires it
  • We have a public duty to disclose the information
  • Your legitimate interests require disclosure or
  • You have provided consent for us to disclose your information.

These third parties may include, but are not limited to:

  • NBFIRA service providers
  • Other regulators (including foreign regulators)
  • Law enforcement agencies
  • Verification agents

Where applicable, we request the third parties with whom we share information to take adequate measures, comply with applicable data protection laws and protect the information we are disclosing to them. We do this through contractual arrangements with these third parties. We also take internal measures to ensure that the third parties we appoint have appropriate measures to protect the information we provide to them.

If you want to learn more about our internal measures, please contact Manager, Data Protection on the contact details provided in this notice.

Transborder information flows

Where necessary and appropriate, your personal data may be processed in other countries for:

  • Business purposes, in instances where our third parties are located in countries outside of Botswana.
  • Sharing with other regulators outside of Botswana for fulfilling a regulatory mandate or
  • Law enforcement agencies for investigation purposes.

These countries may not have the same level of protection. However, before we transfer personal information outside Botswana, we have stringent processes to ensure that appropriate organisational and security safeguards are put in place to protect the personal information which includes contractual and internal due diligence measures. This process will be communicated to data subjects and a copy of the personal data being transferred shall remain in Botswana for the period of processing.

Your Rights

You have rights as the data subject which you can exercise in relation to the personal data we hold about you. The requests must be made in writing; please click here to access the applicable forms.

You can exercise your right to:

  • Request access to the information we hold about you. We may, if allowed by law, charge a fee for this.
  • Request correction or deletion of personal data about the data subject in our possession or under our control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
  • Request the destruction and deletion of your personal data that we are no longer authorised to retain.
  • Object to the way in which we process your personal data.
  • Complain to us about the way we use your personal data using the contact details of Manager, Data Protection. If you are not satisfied with how we handle your complaint, you can lodge a complaint with the Information and Data Protection Commission using their details provided in this notice.
  • You have the right to query a decision that we make about some of our services that was made solely by automated means. You can do that by contacting Manager, Data Protection on the details provided in this notice.

It is important to note that the rights are not absolute and must be balanced against other competing rights. As such they may be limited owing to the nature of our public interest mandate.

We may also rely on certain exceptions which may impact on your rights, for example, your right to object or the right of access to information. We will only do this where the interest we are mandated to protect outweighs to a substantial degree interference with your privacy. Where possible in terms of law, we will explain the exception we are relying on and its impact on your rights.

Our Security Practices

Our security systems and controls are designed to maintain confidentiality, prevent loss, unauthorised access and damage to information by unauthorised parties.

Our cyber security strategy is aligned to industry standard frameworks to ensure effective cyber security risk management for the organisation. We conduct continuous security vulnerability assessments to improve our security posture and provide assurance to all our stakeholders.

Anonymous collection of data from use of our website

We monitor user experience while you are using our website and collect anonymous connection statistics through our monitoring solution. This is to improve our website service and add value to you when you visit our website.

Use of cookies on website

We use cookie technology on our website to enhance browsing experience. Cookies are small files which are stored on a user’s computer when you use our website. We have non-essential cookies that enable us to distinguish users, and strict transport security which allows a website to declare itself as a secure host. You can manage or disable cookies through your browser settings. For more information refer to our Cookie Notice.

Links to other websites on our website

Our website may have links to or from other websites of other regulatory bodies or standards that are not operated by NBFIRA.

We request that you read and familiarise yourself with the privacy and security policies of these websites as we are not responsible for the privacy and security of the websites mentioned.

Use and monitoring of electronic communications

It is important that we keep the public abreast of any development that has a public interest. As such we communicate with you and the public using different channels, including the media.

We may also monitor electronic communications of the industry we regulate, such as your social media accounts, to ensure that it complies with certain regulatory requirements.

Retention of Personal Data

Our retention schedule and information policies define how long we keep all types of records, including any personal information we process in the different divisions. Personal data is retained and destroyed as required or authorised by law, and for defined purposes related to the activities of NBFIRA.

How to contact us

If you have any queries about our privacy notice and how we process your personal data, please contact the Manager, Data Protection at dataprotection@nbfira.org.bw.

Physical address:

NBFIRA
3rd Floor, Exponential Building,
Plot 54351 New CBD, Off PG Matante Road,
Gaborone

Information and Data Protection Commission

The contact details of the Data Protection Commission are as follows:

Physical Address:

Finance House, Khama Crescent,
Government Enclave,
Gaborone

Postal Address:

P/Bag 001,
Gaborone

Complaints email: krakgati@gov.bw

General enquiries email: krakgati@gov.bw / +267 3164464