Metropol Uganda – Privacy Notice
T: +256 200 516 800
Helpdesk : +256 200 516 800
Disputes: +256 200 516 800
1. Introduction and scope
- Metropol Uganda Ltd (“Metropol”, “we”, “us” or “our”) is a credit bureau and information services provider. As an information services company, we collect, protect and provide quality consumer and business information, which means we look after vast volumes of Personal Data. We are committed to using Personal Data responsibly to make a positive difference to you, and society at large. We have provided this Privacy notice to communicate the processing activities which all data subjects can expect from us, how we secure your Personal Data, your rights under applicable data privacy legislation and how you can exercise these privacy rights. This notice is applicable in all instances where Metropol determines the manner and purpose for which information is processed, i.e. when we are the Data Controller.
- This notice applies to all Data Subjects which may include individuals, consumers, and clients (“Data Subject”, “You” or “your”) whose Personal Data is Processed by Metropol and explains how we collect, use and process your personal data as dictated by the circumstances of your relationship with us. As a registered credit bureau, regulated by Bank of Uganda, Metropol clients are business entities for the most part, who provide Metropol Personal Data, in line with CRB regulations to perform regulated credit bureau services.
- Unless otherwise stated in a contract, this notice does not form part of any contract you have concluded with us, although Metropol may refer to this privacy notice in your contract with Metropol. We may update this notice at any time but if we do so, we will make a copy of the amended notice available to you as soon as reasonably practical. We may also notify you in other ways from time to time about the processing of your Personal Data.
- We respect your right to privacy and are committed to being transparent about how we collect and use your Personal Data. Should you have any queries on this privacy notice or your privacy rights in general, you may contact our Data Privacy Office at firstname.lastname@example.org Should your query not be resolved to your satisfaction, you may contact Metropol Uganda Ltd at email@example.com.
2. Who is responsible for processing your Personal Data?
The Data Controller is Metropol Uganda CRB Ltd.
Metropol Uganda Ltd. Registered Office: Plot 9, Yusuf Lule Road P.O. Box 5999, Kampala- Uganda. Email: firstname.lastname@example.org Website: metropol.co.ug Tel: +256200516800
For any enquiries on this privacy notice, please contact our Data Privacy Office via: email@example.com
3. Our Privacy Principles
- Metropol strives to comply with all applicable Data Privacy legislation. To ensure we respect your right to Privacy, we endeavor to adhere to the following principles when processing Personal Data. Personal Data that we hold about you must be:
- used in a lawful, fair, and transparent manner;
- collected for lawful purposes and only used in processing activities that are compatible with the lawful purposes;
- limited to what is necessary for achieving lawful purposes;
- accurate and up to date;
- only retained for the period necessary to achieve our purposes for collection and meet any applicable legal obligations; and
- protected from unauthorized access, use or disclosure.
4. Key Data Privacy Terms To Interpret This Notice
- “Consumer Credit Information” means information concerning—
- An individual’s credit history, including previous credit applications, positive and negative information relating to credit agreements to which the person is or has been a party, pattern of payment or default under any such credit agreements, debt re- arrangement, financial malpractice and other matters within the scope of that person’s financial means, prospects, and obligations in terms of Section 78 (2) of the Financial Institutions Act No.2 of 2004 (FIA), Section 46 of the Microfinance Deposit Taking Institutions Act, 2003 (MDI Act) and Financial Institutions (Credit Reference Bureau) Regulations No 59 of 2005 (CRB Regulations), Credit Reference Bureau Operational Guidelines and Data Submission Manual as amended from time to time, incidence of enforcement actions with respect to any such credit agreement, the circumstances of termination of any such credit agreement, and related matters;
- “Information Incorporated in a consumer’s Credit Report” means all information which is included in consumers credit report, including;
4.2.1. Consumer Credit Information as defined in Section 4.1.1, including:
- credit account history/repayment profile which is a record of all your accounts with financial institutions and microfinance deposit taking Institutions and a history of how you pay including all credit accommodations e.g. overdrafts, guarantees, and bonds. Showing active accounts, not fully paid off, fully paid loans and default data.
- previous credit applications and rejection reasons where applicable
- financial malpractice including data related to financial malpractice or fraudulent activities
- identifying information such as your first name, surname, other names, identity number (s), physical and postal address, contact numbers (primary and secondary), marital status, past and current employer(s), and occupation;
- previous enquiries on your credit report by any authorised users permitted in terms of the FIA and CRB Regulations to use your credit report
- employment information relating to your previous and current employers, employee number, income bands, salary frequency and employment periods;
- information that is publicly available as permitted by law such as judgments, sequestrations, and rehabilitation;
- bounced cheques any information relating to cheques you have issued but have bounced.
- collateral information relating to any material collateral that is held on a credit account / facility.
- collateral credit guarantor where you have guaranteed repayment of a loan as a guarantor to another credit account.
- borrower stakeholder indicating your managerial, shareholder or director role in a business entity with credit obligations.
- “Data Controller” refers to the organisation(s) that determines the purposes and the manner for processing Personal Data i.e. determines how to collect, store, and use your Personal Data.
- “Data Subject(s)” refers to any individual(s) from whom or in respect of whom Personal Data has been requested, collected, collated, processed or stored.
- “Personal Data” refers to information about an identifiable person, which identifies or relates directly to you is referred as your Personal Data. Personal Data includes Consumer Credit Information.
- “Processing”, refers to the collection, receipt, recording, organisation, collation, storage, updating, amendment, retrieval, reading, analysing, use and/or sharing of
your Personal Data in the ways set out in this privacy notice. When we do one or more of these actions with your Personal Data, we are “Processing” your Personal Data.
- “Special Personal Data” categories of particularly sensitive Personal Data, such as your health or sexual life, religious or philosophical beliefs, political opinion, financial information and medical records, which require higher levels of protection. We minimise the processing Special Personal Data to what is strictly necessary to achieve a lawful purpose. We will only process Special Personal Data when we have a clear legal justification for processing as required by applicable laws and our internal policies. Metropol has implemented appropriate policies and safeguards to ensure we apply the strictest privacy standards when we process Special Personal Data.
5. Collecting your Personal Data
- When processing Personal Data of a consumer in terms of the CRB Regulations, Metropol limits the collection of Personal Data to include only what is permitted in terms of the CRB Regulations (both from a data field and data source perspective) and which is necessary to our clients for credit application to enable them to make meaningful and accurate decisions. We also collect Personal Data of our customers and vendors to comply with contractual obligations, legal requirements or for operational business purposes. Furthermore, we ensure that our retention policies are compliant with applicable legal requirements. Our sources of Personal Data are:
- The Data subject to whom the Personal Data relates;
- Financial institutions regulated by Bank of Uganda under the FIA and the MDI Act.
- Public Source, like courts of law;
- Business Entities e.g. Vendors;
- other registered credit bureaus.
6. Categories of Personal Data we process, and the purpose(s) for our processing
We need to collect and process certain client Personal Data to conduct our precontract vetting process, deliver the product(s) or service(s) requested and to facilitate the best possible experience when clients engage with us or use our products and services.
|Personal Data||Purpose for processing|
|Consumer Credit Information** relating to Data Subjects||Make, or assist in making or performing duties in terms of any agreement with clients, performing our duties and responsibilities as a registered credit bureau, as|
|well as complying with legal obligations relating to our business.|
|Information Incorporated in a consumer’s credit report**||To form a view of Data Subjects as individuals and to identify, develop or improve products in line with our operations as a credit bureau, that may be of interest to clients, by assisting clients in making credit decisions about consumers, carrying out market research, business and statistical analysis, performing administrative functions, performing duties in terms of any agreement with clients, operate and manage accounts and manage any application, agreement or correspondence data subjects may have with Metropol and complying with the Metropol’s regulatory and other legal obligations.|
|Payment details such as credit card, mobile money or debit card details, and the value of the transaction||To facilitate payment for our product(s) and services, where the services you request carry a cost.|
|Vendor / Supplier information including, name(s) and contact details, ID numbers, directors’ and senior managers’ information, banking details and other financial information.||Purpose includes verifying information and performing necessary checks, performing obligations in agreement with the vendor or managing the business relationships between the parties, payment of invoices and complying with the Metropol’s regulatory and other obligations.|
|Prospective client’s information including, name(s), contact numbers and/or e-mail address, directors’ and senior managers’ Information||Activities relating to the processing of a prospect’s information including verifying and updating information, pre-scoring / contractual precontract vetting.|
|Security information which may include security related verification questions.||To facilitate secure use of our platforms, to answer any queries you may have and effectively identify you when you contact us.|
** See definitions
We will only use your Personal Data for the purposes for which we collected it, or a purpose that is reasonably compatible with the original purposes for collection, as indicated above.
7. What is our legal basis for processing Personal Data?
- We will only process your Personal Data in accordance with applicable Data Privacy laws, which require that we must satisfy at least one prescribed legal basis for processing. Depending on the context of the processing activity, we rely on a number of different conditions for the activities we carry out. The legal basis we rely on include:
- where we need to perform under an agreement that we have concluded with our client, or to take steps at the request of the data subject e.g. to meet our obligations in terms of a contract we have concluded;
- where the law authorises or requires us to do so;
- processing for compliance with a legal obligation which the Data Subject is subject; or
- where you have consented to such processing;
- In rare cases, we may process your Personal Data where:
- we need to process for medical purposes
- we need to do so in the public interest;
- if it is necessary for national security; or
- the information is necessary for prevention, detection, investigation, prosecution or punishment of an offence or breach of law.
- Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your Personal Data.
8. Am I obliged to provide this Personal Data?
Below is an explanation of when the processing of your information is voluntary or mandatory, depending on the specific context.
- As a registered and regulated Credit Bureau, Metropol is required by law to collect and process your Consumer Credit Information (which qualifies as Personal Data) if you are a “consumer” under the CRB Regulations. In this instance you do not have to provide your Consumer Credit Information, as it will be collected directly from original sources of Consumer Credit Information. In such an instance, we are required to collect and process your Personal Data as provided for under the CRB regulations.
- When you engage with our website, staff, products, or services:
- Website: The collection of certain Personal Data via essential cookies is necessary for the effective functionality for our website. In these instances, we will communicate this to you when you first arrive at our website. We obtain your consent when we use non- essential cookies, or technology similar to cookies, and/or collect information about the device you use to access our website. Sometimes we work with third parties who carry out these activities on our behalf. You will be asked to consent to the use of non- essential cookies before using our website, but you are not obliged to provide such consent. The processing of information via non-essential cookies is voluntary i.e. based on your consent.
- Engagement with our staff: When you contact Metropol for assistance, we will ask you to provide some Personal Data such as a copy of your ID for verification purposes. The provision of this information is not mandatory but a failure to provide such information may negatively affect your ability to do business with Metropol, and / or the quality of service you receive.
- Products or services by Metropol: When you enquire about or apply for Metropol products or services, we will ask you to provide some Personal Data for us to enter into an agreement and provide the products and services accordingly. This information is necessary for us to manage our relationship and effectively meet our obligations. Failure to provide information needed may result in our inability to enter into an agreement and / or perform accordingly.
- Unless required by law (such as the CRB regulations), for national security, medical purposes, or to enter into / perform according to an agreement, all provision of Personal Data to Metropol is voluntary. In other instances, Metropol will only process Personal Data with informed consent (usually captured and produced by the entity instructing Metropol as a credit bureau). Consequences of not providing Personal Data or consent for certain types of processing include an inability to benefit from the proposed processing required by the relevant product or service. Where they may be any other consequences, those will be detailed in the specific request for consent.
9. The Security of your Personal Data
- We take the necessary technical and organisational measures to secure the integrity of information we are responsible for, using accepted technological standards to prevent unauthorised access to or disclosure of your Personal Data. We take all reasonable measures to protect your Personal Data from misuse, loss, alteration, or destruction.
- We have put in place appropriate security measures to protect your Personal Data from accidental loss, unauthorised use, alteration, access, or disclosure. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to access the information. They will only process your Personal Data on our instructions and are subject to a duty of confidentiality.
- We review our information collection, storage and processing practices, including physical security measures from time to time, to keep up to date with good industry practice and standards. Metropol has implemented procedures to address any suspected data breaches and will notify any applicable regulator of a breach where Metropol is legally required to do so within the period in which Metropol is required to issue such a notification. You will also be notified of any breach where the Regulator has requested Metropol to notify, in the manner directed by the Regulator.
10. Retention of Your Personal Data
- We will only retain your Personal Data for as long as necessary to achieve the purposes for which it was collected and processed. Meaning we will keep your Personal Data for as long as we need it to provide the Metropol products and services requested by our client (or by the data subject in limited instances) and no longer. We may also keep it to comply with our legal obligations, resolve any disputes and enforce our rights.
- Metropol retains your Personal Data in our credit information database in accordance with the data retention periods prescribed by the CRB Regulations and the Data Privacy laws of Uganda. For examples, the CRB Regulations require that we that we display and use various categories of your information only for the maximum periods prescribed.
- We retain certain elements of your information as long as is necessary, for the purpose of verifying the integrity of information that we may be required to process in the future or for information quality purposes (i.e. to prevent the re-loading of incorrect information). This information is securely stored and not used for any other purpose than information quality in support of our regulatory obligation to ensure the data we have is relevant and accurate and not duplicated.
- Our reasons for retention may vary from one record or piece of information to the next and depends on the purposes for the storage and related operational business requirements and / or legal obligations, therefore the amount of time we keep your Personal Data for may vary.
- In all cases, our need to use your Personal Data will be reassessed on a regular basis, and information which is no longer required for any purposes will be disposed of.
11. Sharing your Personal Data
- As a general rule, we will only share your Personal Data with those that need access to the information for us to achieve the purpose for which we have collected it, or to comply with an obligation imposed by law. Internally, we will only share your Personal Data on a “need-to-know” basis, i.e. with Employees who need access to the information to perform a task on our behalf.
- Internally, we will only share your Personal Data on a “need-to-know” basis, i.e. with parties who need access to the information to perform a task on our behalf, which includes:
- honoring credit report requests by yourself or your authorised agent or Bank of Uganda;
- investigating and resolving any disputed information on your credit report;
- Internally, we will only share your Personal Data on a “need-to-know” basis, i.e. with parties who need access to the information to perform a task on our behalf, which includes:
- data loading and management, to maintain the quality of our data
- managing any legal and court claims;
- other divisions or companies within the group of companies to which we belong so as to provide joint content and services like registration, for transactions and customer support, to help detect and prevent potentially illegal acts and violations of our policies, and to guide decisions about our products, services, and communications;
- our service providers under contract who help supply certain goods/services or help with parts of our business operations, including fraud prevention, bill collection, marketing, technology services (our contracts dictate that these goods suppliers or service providers only use your information in connection with the goods they supply or services they perform for us and not for their own benefit).
12. Transborder Flow of Information
- We store our Personal Data in Uganda.
- We may engage service providers to support our business and they may be based or use data centres outside of Uganda. Whenever your Personal Data is transferred across borders, it will be done in line with the requirements of and receive a similar level of protection as described in this notice and the Data Protection and Privacy Act.
13. Your rights
This section is only to be used to exercise your privacy rights as provided for in Privacy legislation. All credit bureau information is governed by the CRB Regulations, and any requests which relate to bureau information should be dealt with using the CRB Regulations.
- You may have rights under applicable Data Privacy laws in relation to your Personal Data, which you may exercise under certain circumstance. To exercise these rights, kindly select “click here” to access the prescribed form as provided for under each right below, fill it in its entirety and send to firstname.lastname@example.org. For hard copy exercise of your rights, you may also request the prescribed forms from the aforementioned email address or Metropol call centre (details found under the contact us now section) or reception. For information on the categories of Personal Data we process, please refer to paragraph 6 of this notice.
- You may have the right to:
- Request for confirmation of Personal Data we hold about. This right enables you to get confirmation on the categories of Information we hold about you.
We hold information on most consumers in Uganda. To confirm what categories of information we hold on you, please contact email@example.com to access a copy of your free credit report.
- Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data that Metropol has about you. “Click here” to request access the Personal Data we hold about you.
Should you wish to access credit bureau information as regulated by the CRB regulations, please contact mcrbdisputes@Metropol.co.ug a copy of your free credit report.
- Request correction of the Personal Data that we hold about you. This enables you to ensure that any incomplete or inaccurate data that the Metropol holds about is corrected. Kindly contact firstname.lastname@example.org , to request correction of your Personal Data.
This excludes any request relating to credit bureau information as regulated by the CRB Regulations. To dispute credit bureau information, please use email@example.com To Request erasure of your Personal Data. This enables you to request that Metropol delete or remove Personal Data where there is no lawful basis for us continuing to
process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (described below), or where we are required to erase or anonymise your Personal Data to comply with applicable law. Metropol may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you (for example where the data is processed in terms of the CRB Regulations), if applicable, at the time of your request. Please contact firstname.lastname@example.org to request an erasure of your Personal Data.
- Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services that you subscribe to, to you. We will advise you if this is the case at the time you withdraw your consent. Please note that we may continue to process your Personal Data in certain instances where we are not relying on your consent. Please contact our Data Privacy Office via contact details provided for below.
If you want to exercise any of these rights, please contact the Metropol Data Privacy Office via email@example.com
- We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.
- Should your request or dispute relate specifically to credit bureau information, please refer to the Bureau dispute process.
14. Maintenance of your Personal Data
- We encourage you to assist us in maintaining the accuracy of Personal Data by notifying us of any changes or by meeting your legal obligations regarding disputes logged.
- Where Personal Data is submitted to Metropol in terms of the CRB Regulations we cannot alter the information reported by providers of Personal Data unless the information is confirmed to be wrong or inaccurate by the provider of the Personal Data (this is because the CRB Regulations has a clear procedure for managing disputes and the provider of the Personal Data is the Data Controller, which includes responsible of maintaining the accuracy of the Personal Data).
- Where Metropol is the Data Controller, and you do not agree with the accuracy of your Personal Data that Metropol has on file, we have procedures to ensure that such information is verified, and, where appropriate, amended or corrected. Please refer to our privacy rights section above.
15. Queries and Complaints
- If you have questions about our privacy notice or wish to contact us, please contact our Information Officer at firstname.lastname@example.org. Our dedicated Data Privacy Office is available to attend to any query you may have.
- Should your query not be resolved to your satisfaction, you may contact Metropol Uganda at email@example.com.
- As we are a member of the Credit Bureau Association, you can also contact them. Their details are available online https://www.crbassociation.com/
- Where the above channels have not addressed your query or complaint appropriately, you have the right to make a complaint at any time to the government body/regulator responsible for the enforcement of Privacy laws (e.g. the information regulator in Uganda). Details of the relevant regulator may be accessed at the Personal Data Protection Office of Uganda or requested via firstname.lastname@example.org.