This Privacy Policy (also known as “the Policy”) applies to personal data of data subjects when processed by Nations Trust Bank PLC as a controller under the Personal Data Protection Act No. 9 of 2022 (PDPA). This policy will explain the following:
- What information we collect about you
- How we use that information
- Who we share the information with
- When we might share the information
- What steps we take to make sure it stays private and secure
- When you make inquiries to obtain any product or service
- When you are a customer who has obtained any product or service from us
- After you cease to be a customer of Nations Trust Bank PLC
This policy may be updated from time to time with or without prior notice given to you.
When we use “we”, “us”, or “our” in this Policy, such terms refer to Nations Trust Bank PLC, who will be considered as a controller as per the PDPA.
According to the PDPA, a controller is an organization that decides, alone or jointly with others, the means and purposes of processing personal data. Essentially, we decide why and how personal data is processed. It is the controllers who are responsible for ensuring compliance with the PDPA.
Please refer to the section captioned “Get in Touch with Us” on how you can get in touch with us.
When we use “you” or “your” in this policy, this means:
- Any potential, existing or past customer of Nations Trust Bank PLC
- Any authorized person on the account of an existing or past customer
- Anyone who performs banking transactions on behalf of a potential, existing or past customer, such as but not limited to persons with Power of Attorney and executors
- Any visitor to our corporate website
- Any visitor to our official social media pages
In this policy, we consider you to be a “data subject”. A data subject is a person to whom the personal data relates. This policy does not apply when we process data pertaining to legal persons such as corporates and companies and any other non-personal data.
When we say products or services, it means any product or service offered by us, such as savings accounts, current accounts, loans, credit cards, mortgages, investments and the like.
When dealing with you, we collect personal data that we believe to be relevant and required to understand your financial needs and to conduct our business, and the processing of such information shall be carried out in so far as permitted by applicable laws and regulations.
Generally, we collect personal information directly from you, such as when you apply for or request a product or service, when you participate in our marketing campaigns or surveys, in response to our advertising or direct mail or when you have other dealings with us. We may collect that information over the telephone or internet, in person (when you visit us at a Nations Trust Bank branch or through related agents) and when you write to us.
We source personal data about you from different sources such as:
- Directly from you or your financial advisers when you inquire, apply or use any of our products or services
- When you inquire, apply or use any of our products or services
- Third party sources, including publicly available sources such as social media or websites.
- When you interact with us using our website, mobile apps, or other communication channels
Whilst the type of information we process will depend on the interaction or transaction concerned, the following is a general list of information that we collect and process about you.
- Identity data such as full name, other names, date of birth, National Identity Card number, driver’s license number, passport number and any other information provided with National Identity Card, driver’s license, passport or any other document proving your identity, gender, nationality, signature.
- Contact data such as postal address, home phone number, mobile number(s), email address(es).
- Financial data such as employment status, remuneration details such as pay slips, details of employment or business, bank accounts at other banks.
- Market research such as information you submit when you respond to a market survey or questionnaire.
- Financial data such as products and services that you inquired, use or used, account numbers, financial transaction records from your accounts, your payment history, your ability to get and manage credit.
- Geographic information such as location tracking via apps or your preferred or account holding branches and ATMs you use.
- Preferences such as details of products or services you prefer and preferred communication methods.
- Information about your device such as device IP, device operating system, technical specifications of the device.
- Behavioral data such as how you engage or browse through our website and mobile applications and other sites you may visit including interactions via social media.
- Risk rating such as credit risk rating that we will gather based on your transactions, profiling based on transactional behaviour and underwriting information.
- Investigations data such as due diligence checks, sanctions and anti-money laundering checks, content and metadata related to relevant exchanges of information between and among individuals and/or organisations. This may include emails, voicemail and live chats.
- Records of correspondence such as voice or video recordings, email communications, chat or instant messaging communications, social media interactions and in-person discussions.
- Compliance information such as information about transaction details, identification of any suspicious and unusual activity and details of connected or related parties in your financial transactions and related activities.
- From employers and relatives as indicated by you in your application.
- From other organisations or companies as indicated by you in your application such as other banks or financial institutions with whom you maintain accounts.
- Credit Information Bureau of Sri Lanka.
- Sources that help us to prevent or detect fraud or illegal activity.
- Social media platforms that include your social media handles, communications and similar data.
- Login details when you log into apps.
- Cookies and related technologies are used on our websites and apps to identify you and record your preferences. Internet cookies are small pieces of data stored on a user's device by websites you visit. They aggregate information on the individual pages accessed by you and the average time spent on specific pages, and identify a user on his/her return to the page.
Generally, we collect, update and use personal data for the following reasons, depending on the specific transaction/interaction with you:
Purpose | Description | Objective |
---|---|---|
To process your applications for account-based services and to deliver our products and services and provide access to online banking, phone banking and mobile banking applications. | This includes validating your identity, obtaining reports and assessing your creditworthiness. To carry out our agreement with you, establish and manage your account or facility and carry out transactions you wish to make. This includes providing you with access to NTB online, digital and mobile platforms and applications. | To perform our contract with you and to take such pre-contractual measures as necessary at your request. |
To recover any funds or outstanding payments | We may use third party debt recovery agents to recover any money that is outstanding. Such agents may get in touch with you for recovery requirements. | To enforce our contract with you and for our legitimate interests. |
Risk management | Your information will be used to assess, identify, and prevent financial, reputational, legal, compliance, or customer risks. This includes credit risk, traded risk, operational risk, and insurance risk, such as for underwriting or claims management purposes. | For our legitimate interests |
Prevent and detect crimes | Monitoring, mitigating, profiling and risk assessing for the prevention and detection of crimes such as fraud, money laundering and terrorist financing. This may include without limitation: | To comply with our legal and regulatory obligations. For our legitimate interests. For public interests. |
Banking operations | To enable the delivery and function of our banking services. This may include: | To enforce our contract with you. For our legitimate interests. To comply with applicable legal and regulatory requirements imposed on us by law. |
Protection of our legal rights | To protect or defend our rights recognised by law such as: | For our legitimate interests |
Respond to legal obligations | To respond to an information request made by law enforcement agencies, any court or tribunal established by law and regulatory agencies such as the Central Bank of Sri Lanka, and legal bodies which may include without limitation the Financial Intelligence Unit, Right to Information Commission, Inland Revenue Department, Consumer Affairs Authority and Credit Information Bureau. We ensure information is disclosed only pursuant to a valid legal request per applicable laws and regulations. | To comply with legal obligations imposed on us by laws and regulations. |
Product or service improvement | To identify improvements for our products and services so that we are better positioned to meet customer needs. We will offer services based on combined and analyzed data which may use transactional data such as spending patterns, payment history, or financial activities collected from your behaviour when using any of our products and services including digital and other platforms. The data we use will not reveal user identities. | For our legitimate interests. |
Marketing including cross-selling and up-selling | To provide you with information about our products and services as well as those of our partners and other relevant 3rd parties via different communication channels such as post, email, phone calls, SMS, messaging apps, mobile application and secure messages, social media advertisements. | With your consent as applicable. For our legitimate interests. |
Data analytics | Analyse data to gain deeper insights into how our offerings are utilized, and to offer products and services that align with customer preferences, ensuring a more efficient and personalized experience, to enhance user satisfaction by delivering solutions that cater to specific needs. This may include analysis of transaction information, spending patterns, historic data analysis and comparison of user activity. | For our legitimate interests. |
To make decisions about you including profiling | We may use automated systems to help us make some of our decisions such as assessing your creditworthiness and risk when you seek a lending facility from us. We may also use automated systems to signal us any fraud or financial crimes or to identify if someone unauthorised is using your accounts/cards. | |
Manage communications | We may store your communications with us made through phone calls, letters, emails, live chats, video chats and other kinds of information to respond to queries and complaints, verify any instructions you have given to us, train our people, manage risk and prevent and detect fraud or other crimes. | For our legitimate interests. |
We store personal information in a combination of secure computer storage facilities and paper-based files and other records. We have taken several steps to protect the personal data we hold from misuse, loss and unauthorized access, modification or disclosure. We use industry accepted technology and security protocols so that we are satisfied that your information is transmitted and stored in a manner that ensures confidentiality, integrity and availability of your personal data.
We follow a data retention policy internally that specifies for how long we retain your data in an identifiable format to provide you with our products and services and manage our relationship with you. Generally, information relating to banking transactions is retained for six (6) years or specific periods as per legal and regulatory requirements from the time you cease to be our customer.
We may adopt a shorter retention period such as one (01) year or less in the following circumstances:
- Any records of communication with you
- Data stored on internet cookies
We may, however, keep your data for a longer period than six (06) years in the following circumstances:
- To respond to requests from regulators and law enforcement agencies
- To meet legal and regulatory requirements
- For research or statistical purposes
- To respond to ongoing disputes or litigation
We will delete or anonymize your personal information when it is no longer needed, or when we are no longer required or authorized to retain it.
Your data will be kept confidential, but we may provide such information to third parties in the following circumstances:
- Where we have contracted an external organization to provide us with support services. This may include but is not limited to processing applications or orders, marketing support, deliveries, market research and debt collection. These service providers may be located in or outside Sri Lanka.
- To comply with our legal and regulatory obligations.
- Where we suspect that unlawful activity has taken place or may take place and personal data is a necessary part of our investigation or reporting on such matter to necessary law enforcement or other lawful authorities.
We also may disclose personal information about you in the following circumstances.
- Where you have a corporate or government issued credit card, we may exchange personal data with your respective employer or government agency.
- To our related companies to provide you with products and services you request and to inform you about other bank products and services.
- To credit reporting agencies in connection with us providing credit to you or recovering from you amounts that you owe under any contract you have with us. We impose strict requirements of security and confidentiality on all third parties as to how they handle personal information. We provide our outside contractors only with information they need to perform their services. They are not permitted to use the information for any purpose except to provide the service to us.
- To meet your request for services such as Foreign Exchange, managed fund investment and other services where we may use outsourced personnel.
- To anyone else you authorize us to disclose information to, from time to time.
Your personal data may be transferred to and stored in locations outside of Sri Lanka. This may include countries which may not have the same level of protection to personal data as provided under the PDPA. When we do transfer personal data out of Sri Lanka we will ensure that such a transfer is in line with applicable legal requirements under the PDPA and other applicable laws and ensure an adequate level of protection to your personal data.
You have the following rights under the PDPA that can be exercised in relation to how we process your personal data. To exercise any of the following rights, reach out to us via the contact details given below.
Right | Description |
---|---|
Access | You can seek confirmation if we process any information about you and if so, you may request access to your personal data held by us. You may seek further information on any matter mentioned in this privacy notice in line with the bank’s privacy policy. |
Object | You may raise an objection for processing your information to meet our legitimate interests or for public interest objectives. The objectives are set out in the privacy notice in line with the bank’s privacy policy. |
Withdraw Consent | If we have sought your consent to process your data for a particular purpose, you may seek to withdraw that consent at any time. Withdrawal of consent will not invalidate any processing we have done up to the point of your withdrawal. |
Rectification | You can request to rectify inaccurate data or complete any incomplete data. |
Erasure | You may request to erase your personal data, if you find that we are processing your data in contravention of the PDPA, or you have withdrawn your consent at a prior occasion. We may also erase your data pursuant to a court order based on applicable laws. |
Automated Individual Decision Making | If we have taken any decision about you using automated means (without any human involvement) and such a decision has or is likely to create an irreversible and continuous impact on your rights and freedoms, you may ask us to review such a decision. |
Exemptions | As per the PDPA, we are entitled to refuse a request, in view of certain grounds such as national security, public order, ongoing inquiry, investigation or procedure conducted under any written law, prevention, detection, investigation or prosecution of criminal offences, rights and freedom of others, our technical and operational feasibility to give effect to the right, our inability to establish your identity as the data subject, being subject to any requirement to process your data under any written law. |
Appeal to DPA | If you are not happy with the response you may receive from us in relation to a request to exercise any of your above rights, you have the right to lodge an appeal to the Data Protection Authority of Sri Lanka. You will find their contact details and further information on how to lodge an appeal by visiting the official website: www.dpa.gov.lk |
If you need any further information or wish to exercise your rights, you may get in touch with us in the following manner:
- Via Nations Direct Mobile App, FriMi or Nations Direct Enterprise App
- By calling our hotline: (+94) 114 711411
- By walking into any of our branches: https://www.nationstrust.com/branches
- By contacting the Data Protection Officer, Nations Trust Bank PLC, Head Office, No. 46/58, Nawam Mawatha, Colombo 02
- By emailing us: customerservice@nationstrust.com
As we value you and the security of your personal information, we would like to make you aware of how to be smart in detecting phishing and scams that take place through email/social media.
Recognize the warning signs
There is a range of simple and effective ways to help protect yourself from phishing and scams. Our tips will help you learn to avoid scams, spot phishing, stay safe online, and keep your account and personal details private and secure.
Phishing: When a fraudster tries to get your private information via an email or a website. These details would allow them to access your account and make purchases without you knowing. We request you to watch out for the following:
- Emails requiring you to click on a link and drive you to a webpage that looks like a legitimate institution.
- Alarming messages saying your bill is past due and/or your account will be locked or closed unless you take action.
- Unexpected messages branded with corporate headers that upon inspection have typos and misspellings.
- Website URLs without HTTPS:// or the closed lock symbol next to it.
How to protect yourself
- Don't give out your PIN, password, log-in details or card details
- Don't give out your verification codes
- Always use Multi Factor Authentication (MFA) wherever it's possible
- Always log out of websites
- Keep your anti-virus software up-to-date and install a desktop firewall
Vishing: When a fraudster attempts to steal your private information via a phone call. We request you to watch out for the following:
- Someone calls you asking to confirm your Account details
- Someone calls you asking for your PIN, Card details and/or Card security code
- Someone calls you asking for a verification code that has just been sent to you by email or SMS
- Someone asks you to act urgently, or tells you that unless you do something right away, your Account may be suspended or closed
How to protect yourself
- Never divulge your Account details or verification codes over the phone
- We will never ask for the 4-digit or 3-digit security code on your Card
- If something doesn't feel right, simply hang up, then call us on the number on the back of your Card
Smishing: When a fraudster tries to get your information via text. We request you to watch out for the following:
- A text message prompting you to click on a link. By clicking the link, fraudsters have an opportunity to install malware on your device
- Suspicious messages about purchases that you did not make
- Messages with account-related news, like offers of gift cards
Scams that are currently trending
Advance Fee Scams: The scammer contacts a person seeking an up-front fee for a gift, a prize or as a transit/clearance fee for a large package of goods or transfer of monies.
Investment and Romance Scams: Scammers contact a person via email or social media, offering/showing either a remarkable investment/business opportunity or personal interest - romantic or otherwise towards the victim.
Kindly report any suspicious activity/scams immediately to customerservice@nationstrust.com or our 24-hour Contact Centre on +94 (0)11 4 711411