Who We Are
Keystone Bank Limited (“KBL”, “the Bank”, “we”, “our”, or “us”) is a financial institution licensed by the Central Bank of Nigeria to provide a broad range of banking and financial services to individuals, businesses, and institutions. As part of delivering these services, the Bank collects and processes personal data relating to customers, employees, vendors, job applicants, website visitors, and other individuals who interact with the Bank.
The Bank recognizes the importance of protecting personal data and is committed to ensuring that such data is processed lawfully, fairly, and transparently, and in accordance with applicable data protection laws and industry best practices.
Purpose of this Privacy Notice
This Privacy Notice explains how Keystone Bank collects, uses, stores, shares, and protects personal data obtained through our banking services, digital platforms, physical locations, and other interactions with individuals.
Specifically, this Notice outlines:
This Notice applies to all individuals whose personal data is processed by the Bank, including but not limited to customers, prospective customers, website visitors, social media users, job applicants, vendors, business partners, alumni, and visitors to our offices.
Applicable Data Protection Laws
The processing of personal data by Keystone Bank is governed by applicable data protection and privacy laws and regulations, including but not limited to the:
Where Keystone Bank processes personal data relating to individuals located outside Nigeria or where cross-border services are provided, the Bank may also comply with other applicable data protection laws and regulatory requirements.
Keystone Bank Limited collects and processes personal data in order to provide banking and related financial services, operate our business effectively, comply with legal and regulatory obligations, and improve our products and services. The type and amount of personal data we collect depends on the nature of the relationship or interaction you have with the Bank. This may include situations where you open or operate an account with us, use our digital platforms, apply for employment, participate in events or training programmes, visit our premises, interact with us through social media, or engage with us as a vendor, service provider, or business partner.
The personal data we collect may include identification information such as your full name, date of birth, gender, nationality, photograph, signature, and details of government-issued identification documents such as a National Identity Number, international passport, driver’s license, or voter’s card. In the course of providing banking services, we may also collect identification numbers such as the Bank Verification Number (BVN) or other identifiers required for regulatory compliance.
We may also collect contact information including residential or mailing addresses, email addresses, telephone numbers, and emergency contact details. Where you use the Bank’s products or services, we may collect financial and transactional information such as bank account details, transaction records, credit history, loan and repayment information, income details, employment information, investment records, and other financial data necessary for the provision and management of banking services.
In addition, Keystone Bank may collect employment or professional information, particularly in relation to job applicants, employees, vendors, or business partners. This may include information about your employer, job title, work contact details, professional qualifications, and employment history.
Where individuals interact with the Bank through our digital platforms, we may collect certain technical and digital information. This may include Internet Protocol (IP) addresses, device identifiers, browser type, log-in credentials for our digital banking services, website usage data, and information collected through cookies and similar technologies used to improve the functionality and security of our online services.
We may also collect records of communications and interactions with the Bank, including emails, call recordings, messages, complaints, feedback, or enquiries submitted through our customer service channels. Additionally, where individuals visit our offices or premises, we may collect access-related information such as visitor records, identification details used for access badges, Wi-Fi usage logs, and images captured through closed-circuit television (CCTV) systems for security purposes.
In some instances, Keystone Bank may obtain personal data from third-party sources where permitted by law. These sources may include credit bureaus, regulatory authorities, service providers, business partners, publicly available sources, or individuals acting on behalf of our customers in connection with the services we provide.
Sensitive Personal Data
In certain circumstances, Keystone Bank may process sensitive personal data where it is necessary for the provision of services, compliance with legal or regulatory obligations, or for the establishment, exercise, or defense of legal claims. Sensitive personal data may include biometric information such as fingerprints or facial recognition data used for identity verification, financial account or payment card details, and information relating to criminal background checks where required for employment screening or regulatory compliance.
The Bank processes such data only where permitted under applicable law, including the Nigeria Data Protection Act 2023, and applies enhanced safeguards to ensure that sensitive personal data is protected. Access to such data is restricted to authorized personnel, and appropriate technical and organizational measures are implemented to prevent unauthorized access, disclosure, alteration, or loss.
Keystone Bank Limited collects personal data through a variety of channels depending on how individuals interact with the Bank. Personal data may be obtained directly from individuals, through third parties, via digital platforms and systems, or from publicly available sources where permitted by law. The Bank ensures that all personal data is collected lawfully, fairly, and transparently in accordance with applicable data protection requirements.
Directly from Individuals
In many cases, Keystone Bank collects personal data directly from individuals when they interact with the Bank. This may occur when individuals open bank accounts, apply for financial products or services, complete forms, submit identification documents, register for events or training programmes, apply for employment opportunities, or communicate with the Bank through customer service channels. Personal data may also be collected when individuals correspond with the Bank through email, telephone calls, written correspondence, or in-person visits to the Bank’s offices or branches.
From Third Parties
The Bank may also obtain personal data from third-party sources where this is necessary to provide services, verify information, comply with regulatory obligations, or manage business relationships. Such third parties may include credit bureaus, identity verification service providers, regulators, financial institutions, business partners, vendors, recruitment agencies, or individuals acting on behalf of customers. In certain circumstances, personal data may also be provided to the Bank by customers in relation to other individuals, such as authorized representatives, guarantors, or contacts connected to a financial transaction or business relationship.
From Digital Channels
Where individuals access the Bank’s website, online banking platforms, mobile applications, or other digital services, Keystone Bank may automatically collect certain technical and usage-related information. This may include Internet Protocol (IP) addresses, device information, browser type, login information, pages visited, transaction activity on digital platforms, and other technical data generated during the use of our digital services. Such information helps the Bank maintain the security of its systems, improve the performance and functionality of its platforms, and enhance user experience.
From Publicly Available Sources
In some cases, Keystone Bank may collect personal data from publicly available sources where permitted by law. These sources may include publicly accessible registers, regulatory publications, professional networking platforms, media publications, corporate websites, and other publicly available records. Information obtained from such sources may be used for purposes such as identity verification, due diligence, fraud prevention, regulatory compliance, or maintaining business relationships.
All personal data collected by the Bank is processed in accordance with applicable data protection laws, including the Nigeria Data Protection Act 2023, and is handled in a manner that respects the rights and privacy of individuals.
Keystone Bank Limited processes personal data for a range of purposes necessary to provide banking and financial services, operate its business effectively, meet legal and regulatory obligations, and maintain the security and integrity of its systems. The Bank processes personal data only where there is a lawful basis to do so and ensures that such processing is limited to what is necessary for the relevant purpose.
Keystone Bank Limited processes personal data relating to different categories of individuals in the course of providing banking and financial services, managing its workforce, maintaining business relationships, and operating its digital and physical infrastructure. The categories of individuals whose personal data may be processed by the Bank include the following:
The Bank processes personal data relating to individuals who hold accounts with the Bank or who apply for or inquire about our financial products and services. This includes individuals who use services such as deposits, loans and advances, trade finance, investment products, transaction advisory services, digital banking platforms, and other financial services provided by the Bank.
Keystone Bank processes personal data relating to current employees, former employees, and individuals who apply for employment with the Bank. This includes information required for recruitment and selection processes, employee administration, payroll and benefits management, training and professional development, performance management, and compliance with employment-related legal obligations.
The Bank processes personal data relating to individuals who represent or work for vendors, contractors, consultants, suppliers, and other third parties that provide services to the Bank. This may include contact persons within vendor organizations, service delivery personnel, and individuals involved in contractual or operational engagements with the Bank.
Personal data may be processed in relation to individuals who interact with the Bank through its website, mobile applications, online banking platforms, or other digital channels. This includes users who browse the Bank’s website, register for or use digital banking services, subscribe to newsletters, or engage with the Bank through online forms, cookies, or analytics tools.
In the course of providing services to corporate and institutional clients, Keystone Bank may process personal data relating to individuals associated with those organizations. These individuals may include directors, beneficial owners, authorized signatories, guarantors, employees, representatives, or other persons identified in connection with the customer’s banking relationship or financial transactions.
The Bank may process personal data relating to individuals who visit its offices, branches, or other premises. This may include visitor identification information, access badge records, visitor log entries, and images captured through security systems such as closed-circuit television (CCTV). Such processing is primarily undertaken to ensure the security and safety of the Bank’s facilities, staff, customers, and visitors.
These categories are not exhaustive, and the Bank may process personal data relating to other individuals where necessary in connection with its operations, services, or legal obligations. All such processing is carried out in accordance with applicable data protection laws, including the Nigeria Data Protection Act 2023.
When you visit Keystone Bank’s website or use our digital platforms, we may collect certain information about you and your interaction with our online services. This information helps us operate our website effectively, enhance user experience, maintain the security of our systems, and better understand how our digital services are used. The information collected may include technical data about your device, browsing behaviour, and interactions with our online content.
Cookies and Tracking Technologies
When you access or browse our website, we may use cookies and similar tracking technologies to collect information about your device and how you interact with our website. Cookies are small text files stored on your device that help us recognize your browser, remember your preferences, and improve the functionality of our website. Through these technologies, we may collect information such as your Internet Protocol (IP) address, browser type, operating system, pages visited, time spent on the website, and other usage-related information. You may choose to manage or disable cookies through your browser settings, although doing so may affect the functionality of certain parts of the website. To read more about our cookies policy, please click Cookies Policy
Social Media Integrations
Our website and digital platforms may include features or content provided by social media platforms, such as sharing tools, embedded content, or links to our official social media pages. When you interact with these features, the relevant social media platforms may collect information about you and your interaction with the feature, particularly if you are logged into your social media account at the time. Your interaction with these features may, therefore, be governed by the privacy policies of the respective social media providers.
Website Analytics
We may use analytics tools to understand how you use our website and digital platforms. These tools collect information about how users access and navigate our website, including the pages you visit, the links you click, the duration of your visit, and other similar usage information. This information helps us analyze trends, improve the design and performance of our website, enhance security, and ensure that our digital services continue to meet the needs of users.
All information collected through our website and digital platforms is processed in accordance with applicable data protection laws, including the Nigeria Data Protection Act 2023.
Keystone Bank Limited processes personal data only where there is a lawful basis for doing so. In accordance with the Nigeria Data Protection Act 2023, the Bank relies on one or more of the following legal bases when collecting and using personal data.
Consent
In certain circumstances, Keystone Bank processes personal data based on your consent. This occurs where you have been clearly informed about the purpose of the processing and have voluntarily agreed to the use of your personal data for that purpose. For example, your consent may be obtained before sending certain marketing communications or where specific optional services require your approval. Where consent is the legal basis for processing, you have the right to withdraw your consent at any time, although such withdrawal will not affect the lawfulness of processing carried out before the withdrawal.
Contract
The Bank may process your personal data where it is necessary for the performance of a contract with you or in order to take steps at your request before entering into a contract. This includes situations where personal data is required to open and operate your bank account, process transactions, provide loans or other financial services, manage digital banking services, or otherwise fulfil the Bank’s contractual obligations to you.
Legal Obligation
Keystone Bank may process personal data where it is necessary to comply with legal or regulatory obligations imposed on the Bank. Such obligations may arise from laws, regulations, or directives issued by regulatory authorities such as the Central Bank of Nigeria and the Nigeria Data Protection Commission. Examples include compliance with anti-money laundering and counter-terrorism financing requirements, regulatory reporting obligations, record-keeping requirements, and other statutory duties applicable to financial institutions.
Legitimate Interests
In certain situations, Keystone Bank may process personal data where it is necessary for the purposes of the Bank’s legitimate interests or those of a third party, provided that such interests are not overridden by your fundamental rights and freedoms. These legitimate interests may include maintaining the security of the Bank’s systems and premises, preventing fraud, improving services, managing business operations, conducting internal analytics, or protecting the Bank’s legal and commercial interests. Where this legal basis is relied upon, the Bank takes appropriate steps to ensure that the processing is proportionate and that the privacy rights of individuals are adequately safeguarded.
Vital Interests
Personal data may be processed where such processing is necessary to protect the vital interests of the data subject or another individual. This lawful basis generally applies in situations where processing is required to protect an individual’s life, health, or safety, particularly in circumstances where the data subject is unable to provide consent.
Public Interest or Official Authority
The Bank may process personal data where such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Bank by law. This may include processing activities required to support public sector obligations, regulatory mandates, or other functions carried out in accordance with applicable laws and regulatory directives. Where this lawful basis is relied upon, the Bank shall ensure that the processing activity is authorized by law and carried out in accordance with applicable regulatory requirements.
Keystone Bank Limited may disclose personal data to third parties where necessary to provide banking services, comply with legal and regulatory obligations, support business operations, or protect the Bank and its customers from fraud and other risks. Such disclosures are carried out only where there is a lawful basis and appropriate safeguards are in place to protect personal data.
Regulators and Government Authorities
The Bank may disclose personal data to regulatory bodies, supervisory authorities, and government agencies where required to comply with applicable laws, regulations, or official requests. Such disclosures may occur in connection with regulatory reporting, audits, investigations, or compliance monitoring. Regulatory recipients may include authorities such as the Central Bank of Nigeria and the Nigeria Data Protection Commission, among others with lawful authority to request such information.
Service Providers
Keystone Bank may share personal data with third-party service providers who support the Bank in delivering its products and services or in carrying out operational functions. These service providers may include technology service providers, payment processing partners, cloud service providers, professional advisers, consultants, and other vendors engaged by the Bank. Such third parties are required to process personal data only in accordance with the Bank’s instructions and to implement appropriate security measures to protect the information.
Payment Networks and Financial Institutions
In order to process financial transactions and provide banking services, the Bank may disclose personal data to payment networks, clearing and settlement systems, correspondent banks, and other financial institutions involved in processing payments or facilitating financial transactions. These disclosures are necessary to complete transactions, verify account details, and ensure the proper functioning of financial systems.
Law Enforcement and Legal Proceedings
The Bank may disclose personal data to law enforcement agencies, courts, or other competent authorities where disclosure is required by law, court order, or legal process. Such disclosures may also occur where necessary to investigate or prevent fraud, financial crime, security incidents, or other unlawful activities, or where disclosure is required to establish, exercise, or defend legal rights.
Where personal data is disclosed to third parties, Keystone Bank takes reasonable steps to ensure that the information is handled securely and in accordance with applicable data protection laws.
In certain circumstances, Keystone Bank Limited may transfer personal data to recipients located outside Nigeria. Such transfers may occur where it is necessary to provide banking and financial services, support the Bank’s operational activities, use technology infrastructure hosted in other jurisdictions, or engage international service providers and partners.
Where personal data is transferred outside Nigeria, Keystone Bank takes appropriate steps to ensure that the transfer is carried out in accordance with applicable data protection laws.
These safeguards may include contractual arrangements requiring the recipient to implement appropriate technical and organizational measures to protect personal data, compliance with recognized international data protection standards, or other legally approved transfer mechanisms. Such measures are intended to ensure that personal data continues to be protected to a standard comparable to that required under applicable Nigerian data protection laws.
Cross-border transfers may occur, for example, where the Bank uses cloud-based technology services, engages international payment networks, works with global service providers, or communicates with correspondent financial institutions located outside Nigeria. In all such cases, Keystone Bank ensures that appropriate safeguards are in place to protect the confidentiality, integrity, and security of personal data.
Where required, the Bank may also conduct assessments to evaluate the adequacy of data protection measures implemented by recipients of personal data located outside Nigeria.
Keystone Bank Limited is committed to protecting personal data against unauthorized access, loss, misuse, alteration, or disclosure. The Bank implements appropriate technical, administrative, and organizational measures designed to safeguard personal data and ensure that it is processed in a secure manner.
These security measures include:
Despite the measures implemented by the Bank, no system of electronic transmission or storage is completely secure. However, Keystone Bank continually reviews and enhances its security practices to maintain a high level of protection for personal data in accordance with applicable laws and regulatory requirements, including the Nigeria Data Protection Act 2023.
Keystone Bank Limited retains personal data only for as long as it is necessary to fulfil the purposes for which the data was collected, including the provision of banking services, compliance with legal and regulatory obligations, resolution of disputes, enforcement of agreements, and the protection of the Bank’s legitimate interests.
The length of time for which personal data is retained depends on the nature of the data, the purpose for which it was collected, and the applicable legal or regulatory requirements. In many cases, financial institutions are required to retain certain records for specified periods in order to comply with laws, regulatory directives, audit requirements, and financial reporting obligations. These requirements may arise from regulations issued by authorities such as the Central Bank of Nigeria and other competent regulatory bodies.
Where personal data is no longer required for the purposes for which it was collected and there is no legal or regulatory requirement to retain it, Keystone Bank will take appropriate steps to securely delete, destroy, or anonymize the data in accordance with the Bank’s records management and data retention policies.
The Bank periodically reviews the personal data it holds to ensure that information is not retained for longer than necessary. Retention periods may vary depending on the type of data, the nature of the relationship with the individual, and the operational, legal, or regulatory obligations applicable to the Bank. All personal data retention practices are carried out in accordance with applicable data protection laws, including the Nigeria Data Protection Act 2023.
Our website and services are not directed at children under the age of 18. We do not knowingly collect, use, or process personal data from children without appropriate authorization. If we become aware that personal data relating to a child has been collected without verified parental or guardian consent, we will take reasonable steps to delete such information from our records as soon as possible.
Where the processing of a child’s personal data is necessary (for example, in connection with services requested by a parent or guardian), such processing will only occur with the consent of the child’s parent or legal guardian and in compliance with applicable data protection laws, including the Nigeria Data Protection Act 2023. Parents or guardians who believe that their child may have provided personal data through our website are encouraged to contact us so that appropriate action can be taken.
Under applicable data protection laws, including the Nigeria Data Protection Act 2023, you have certain rights regarding the personal data that Keystone Bank Limited holds about you. These rights are intended to give you greater control over how your personal data is collected, used, and managed.
Subject to applicable legal and regulatory limitations, your rights may include the following:
Right to be Informed
You have the right to be informed about how your personal data is collected, used, stored, and shared by the Bank. The Bank shall provide clear and accessible information regarding its data processing activities through privacy notices, policies, and other appropriate communication channels.
Right to Access
You have the right to request confirmation of whether Keystone Bank processes your personal data and to obtain access to the personal data held about you, including information about how it is used and shared.
Right to Rectification
You have the right to request that Keystone Bank corrects or updates any inaccurate, incomplete, or outdated personal data held about you.
Right to Erasure
In certain circumstances, you may request that the Bank deletes or removes your personal data where the data is no longer necessary for the purpose for which it was collected, or where processing is no longer lawful. However, this right may be limited where the Bank is required to retain the data for legal or regulatory purposes.
Right to Restrict Processing
You may request that the Bank limits the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where the processing is unlawful but you prefer that the data is restricted rather than deleted.
Right to Data Portability
Where applicable, you may request to receive certain personal data you have provided to the Bank in a structured, commonly used, and machine-readable format, and may request that such data be transferred to another service provider where technically feasible.
Right to Object to Processing
You have the right to object to the processing of your personal data in certain circumstances, particularly where the processing is based on the Bank’s legitimate interests or where your personal data is used for direct marketing purposes.
Right to Withdraw Consent
Where Keystone Bank relies on your consent as the legal basis for processing your personal data, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal.
To exercise any of these rights, you may contact Bank using the contact details provided in this Privacy Notice. Keystone Bank will consider and respond to such requests in accordance with applicable legal and regulatory requirements.
The Bank may use automated systems or tools to process personal data for specific operational or analytical purposes. Automated processing refers to processing activities carried out by technological systems without direct human intervention. Where applicable, the Bank may use automated processing for activities such as fraud detection, transaction monitoring, risk assessment, service personalization, or operational efficiency. Where automated decision-making significantly affects individuals, the Bank implements appropriate safeguards to ensure fairness and transparency. This may include human review of decisions where necessary and providing individuals with the opportunity to seek clarification or raise concerns about decisions that affect them.
If you have any concerns about how Keystone Bank Limited processes your personal data, you may contact the Bank to seek clarification or lodge a complaint. The Bank will review and address such concerns in accordance with its internal data protection and complaints handling procedures. If you are not satisfied with the Bank’s response, you may escalate your complaint to the Nigeria Data Protection Commission, which is responsible for overseeing compliance with the Nigeria Data Protection Act 2023.
Keystone Bank Limited may update or revise this Privacy Notice from time to time to reflect changes in our services, legal or regulatory requirements, or our data processing practices. Where such updates are made, the revised Privacy Notice will be published on the Bank’s website and will take effect from the date of publication.
We encourage you to review this Privacy Notice periodically to stay informed about how we protect and manage your personal data.
If you have any questions, requests, or concerns regarding this Privacy Notice or the processing of your personal data by Keystone Bank Limited, you may contact the Bank through the appropriate channels.
You may reach the Bank’s Data Protection or Contact Centre team using the contact details below or through your usual banking contact channels.
Data Protection Officer – dataprotectionoffice@keystonebankng.com
Contact Centre – contactcentre@keystonebankng.com
Where necessary, you may also contact the supervisory authority responsible for data protection in Nigeria, the Nigeria Data Protection Commission, for further information regarding your rights under the Nigeria Data Protection Act 2023.
You may submit a Data Subject Access Request (DSAR) to exercise your rights regarding the personal data held by Keystone Bank. This may include requests to access, correct, or delete your personal data, where applicable.
Requests can be submitted by completing the DSAR form available here. We assure you that all requests will be handled in accordance with the timelines stipulated by the Nigeria Data Protection Act 2023.