We collect personal data directly from the data subject through various sources, including, but not limited to National Identity Cards, Passports, Refugee/Alien Identity Cards, Driving License, Company/Business Legal documents, Property ownership documents and others.

We may also collect personal information about the client from public sources or legally recognized secondary sources such as government agencies.

Personal data collected is used to pursue the Banks legitimate business and other interests as listed below

• Provision of financial services and products to our clients for example opening & maintenance of account numbers, advance of credit facilities, insurance services and others.
• Communication with our clients about the Banks products & services. The Bank may send promotional materials or details by SMS, E-Mail, or post in order to update clients, service providers and business counterparties on any promotions, news, competitions or developments. Data subjects are advised to cautiously consider information disseminated on the open media Bank channels capable of being utilized by any person for example Facebook pages, Twitter handles and others.
• To manage, administer & improve our business through clients and service provider engagements and relationship management.
• For marketing, analysis & business development to ensure satisfactory service delivery
• To investigate and respond to complaints or incidents relating to the Bank or our business and to train staff to deal with complaints and maintain service quality.
• To comply with laws and regulation

In order to pursue the Banks legitimate interests and in cooperation with our regulators and other statutory authorities and for purposes of complying with local, foreign or international law, preventing and detecting financial and other crimes and regulatory breaches, and protecting our businesses and the integrity of the financial system, the Bank processes personal data collected for the below reasons.

• To monitor and analyze the use of our products and services for system administration, operation, testing & support purposes.
• To monitor and analyze the use of our products and services for risk assessment and control purposes, including but not limited to, detection, prevention, and investigation of fraud.
• To manage our information technology and to ensure the security of our systems.
• To establish, exercise and/or defend legal claims or rights and to protect, exercise, and enforce our rights, property, or safety, or to assist our clients, service providers or business counterparties to do the same.
• To cooperate with, respond to requests from, and to report transactions and/or other activity to government, tax or regulatory bodies, financial markets, brokers, Courts or other intermediaries or counterparties, or authorized third parties.
• To conduct compliance activities such as audit & reporting, assessing & managing risk, maintenance of accounting & tax records, fraud, Anti-Money Laundering (AML) prevention and measures relating to sanctions, Anti- Terrorism laws and fighting financial crime.
• To conduct due diligence activities such as Know Your Customer (KYC) screening (this includes identity verification & checks on address & contact details); Politically Exposed Persons (PEPs) which involves screening client records against internal and external databases to establish connections to PEPs; and sanctions screening which involves the screening of clients, service providers and business counterparties, and their representatives against published sanctions lists.
• To record and monitor telephone conversations to maintain service quality and security, and for fraud monitoring, complaints handling, disputes, potential and/or actual criminal activity. To the extent permitted by law, these recordings are the Banks sole property.

The Bank collects primary data upon the consent of the data subject and in accordance with the applicable laws, for the purpose of provision of products and services required.

In most cases, the Bank does not rely on consent of the data subject as the legal basis of processing personal data. If consent is a pre-condition for processing personal data, the Bank will make it clear at the time of requesting for consent.

The Bank discloses personal information for the reasons set out in section F as follows:

• To service providers, and other business counterparties in connection with the products and services that we provide.
• To the Bank group entities for purposes of managing Exim Bank (Uganda) Limited client, service provider and other business counterparty relationships.
• To counterparty banks, payment infrastructure providers and other persons from whom we receive, or to whom we make payments on our clients or service providers behalf.
• To export credit agencies, multilateral agencies, development finance institutions, other financial institutions, government authorities and their agents, insurers, due diligence service providers and credit assessors, in each case in connection with the products and services we provide, including financings.
• To service providers that provide application processing, fraud monitoring, call center and/or other customer services, hosting services and other technology and business process outsourcing services.
• To professional service providers, such as legal advisors, accountants, auditors, insurers, tax advisors and others alike.
• To competent regulatory, prosecuting, tax, courts/tribunals in any jurisdiction, government, law enforcement authorities and other persons involved in, or contemplating, legal proceedings.
• To prospective buyers as part of a sale, merger, or other disposal of any of our business or assets.
• To other persons where disclosure is required by law or to enable products and services to be provided to the data subject.

The Bank may share the data subjects personal data with foreign service providers to enable service delivery.

Data may only be shared with foreign service providers or business counterparties or in accordance with section F, where the legal framework regarding data privacy and protection is similar to the safeguards in Uganda, and upon execution of an agreement that covers protection and confidentiality of the shared data.

To ensure data accuracy & effective service delivery, data subject, customers and service providers should keep the Bank updated with any change in personal data details, at their own initiative or whenever called upon by the Bank.

The Banks security systems are designed to prevent loss, unauthorized access, damage and/or access to client personal information by unauthorized persons.

The data subject may

• Request the Bank for a copy of their personal data. This right does not extend to data processed by the Bank.
• Request the Bank to correct their personal data.
• Request for erasing of their personal data, subject to data retention obligation as by law established
• Restrict the processing of their personal data.

The Bank reserves the right to amend this privacy statement at any time and a new version will always be posted to the Banks website

The Bank advises clients to acquaint themselves with the Uganda Data Privacy and Protection Act which can be found at Data-Protection-and-Privacy-Act-2019.pdf (ict.go.ug)