Our privacy obligations

1. Is accountable for and processes personal information in compliance with the conditions and principles governing its lawful processing.
2. Collects personal information for specific and lawful purposes and does not further process personal information in a manner that is incompatible with those purposes.
3. Only processes personal information that is adequate, relevant and not deemed excessive for the purpose of the processing.
4. Processes personal information transparently, as described in our Privacy Notice, and in a manner that is fair and does not unreasonably infringe the privacy of the data subject.
5. Does not process personal information unless it is lawfully justified to do so.
6. Ceases to process personal information that a data subject has legitimately objected to immediately it receives the objection.
7. Collects personal information directly from the data subject where appropriate but may collect personal information from other sources, provided that it is permitted by law.
8. Safeguards the integrity and confidentiality of personal information against loss or damage, unlawful access, and unauthorised destruction, by applying appropriate, generally accepted and industry specific information security practices and procedures.
9. Binds third parties processing personal information on its behalf, by written contract, to establish and maintain appropriate security safeguards and comply with the principles described in this policy.
10. Has an incident management process that ensures timely notification of data protection authorities and, when needed, the data subjects of a compromise to their personal information, as required by law.
11. Takes reasonably practicable steps to ensure that the information is accurate and kept up to date.
12. Has a data subject servicing process for data subjects wishing to access their personal information and corrects or deletes information that is inaccurate, as required by law.
13. Has a data subject servicing process that facilitates data subject objections to the processing of their personal data as required by law.
14. Has a data subject servicing process that facilitates obtaining data subject consents and enabling the withdrawal of data subject consents.
15. Retains personal information as required contractually, or for lawful purposes, but not for longer than its intended purpose. The records which Capitec retains are described within the Addendum to the Capitec PAIA Manual https://www.capitecbank.co.za/globalassets/pages/documents-library/general/paia-manual-addendum.pdf. These categories of records are not exhaustive and are subject to change.
16. Limits processing of special personal information to where authorised to do so, as required by law and/or where using special personal information is generally accepted industry practice to, for example: authenticate individuals, prevent financial crimes, to enhance security controls, etc.
17. Will not use personal information for the purpose of unsolicited electronic communication, nor for automatic decision-making without human oversight, without the consent of the data subject.
18. Only transfers personal information across borders to jurisdictions that uphold the principles and conditions governing the protection of personal information established in the Republic of South Africa, or if the operator processing in a foreign jurisdiction gives sufficient contractual undertaking to protect the personal information or if the data subject has consented to the transfer.
19. Appoints suitably qualified individuals to serve as the Information Officer and Deputy Information Officers and ensure that they are authorised and empowered to fulfil the responsibilities stipulated in relevant legislation.

1. Is bound by written contract, to establish and maintain appropriate security safeguards and limit processing of relevant personal information in accordance with the agreement concluded with the third party, who is responsible for the personal information.
2. Safeguards the integrity and confidentiality of personal information against loss or damage, unlawful access and unauthorised destruction by applying appropriate, generally accepted and industry-specific information security practices and procedures.
3. Will notify the responsible party where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person.
4. Both Capitec and Sanlam act as operators for Centriq. The privacy policy for Sanlam and Centriq can be found on the following links:
   • Sanlam
   • Centriq

We have a dedicated team of professionals ensuring that our obligations in processing your personal information is met and that we hold ourselves accountable. This includes a privacy office, information and cyber security office, a compliance and risk department as well as a team of legal advisors. Here is our contact area for the privacy office: Privacy contacts | Privacy centre | Capitec Bank