Privacy Policy

We Rwanda Social Security Board, (“RSSB”, “we,” “our” or “us”), are committed to protecting and respecting the privacy of our members and other data subjects. This Privacy Notice applies to all persons using our services or website.

We recognize the expectations of our members and other data subjects regarding privacy confidentiality and security of their personal information that resides with us. Keeping personal information of members and other data subjects secure and using it solely for activities related to our services and preventing any misuse thereof is a top priority of the Organization. We have adopted this privacy Notice aimed at protecting the personal information entrusted and disclosed by members and other data subjects. This Privacy Notice governs our data collection, processing and usage of your data and it describes your choices regarding use, access, and correction of your personal information.

Definitions

"Biodata" means Biographical information i.e., Personal information regarding gender, nationality, contact information, physical location, and any other.

"Data Controller" means the natural or legal person, authority, organization, or other agency that makes decisions individually or together with other parties regarding the purposes and means for processing Personal Data.

"Data Protection Law" means the Data Protection Law n°058/2021 of 2021 under the laws of Rwanda as amended.

"Personal Data" means any information identifying you or information relating to you that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data excludes anonymous data or data that has had the identity of you as an individual permanently removed.

"Data Processor" means a natural or legal person, authority, organization, or other agency that processes Personal Data on behalf of the Data Controller.

"Responsible Person" means Data Protection Officer

1. Purpose

We established this Privacy Notice for the purposes of compliance with the applicable data protection laws in Rwanda.

This Privacy Notice sets our standards towards the access and use of any personal data, or any other information provided from you or any other sources to us.

Please also read Terms and Conditions ("Terms"), which describe the terms under which you access and use our Services.

2. What Information We Collect About You

We are required to receive or collect some personal information to operate, provide, improve, understand, customize, support, and market our Services. This also includes when you apply for, install, access, or use our Services. The types of information we receive and collect depend on how you use our Services.

We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped as follows:

  • Identification data which includes name, username or similar identifier, Identity card/Passport number, TIN number, photo, marital status, signature, fingerprints, nationality, next of kin information, age, title, date of birth and gender, and any other similar information.
  • Contact data which includes, postal address, physical address, email address and telephone numbers.
  • Financial data which includes any bank account details, and other electronic or non-electronic payment details.
  • Transaction data which includes details about payments to and from you and other details of products and services you have acquired from us.
  • Technical data which includes internet protocol (IP) address, your login identity data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our systems.
  • Profile data which includes your profile identification information, feedback and survey responses.
  • Usage data which includes information about how you use our website, products and services.
  • Marketing and communications data which should you opt-in in to receiving marketing information from us and our third parties and your communication preferences.
  • Customer support or Communication data including copies of your messages, and how to contact you so we can provide you with customer support.
  • Any other personal data not included above relevant in the provision of our services to you.

3. When the Data is Collected

We will collect and process data about you from the following sources:

We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped as follows:

  • This includes information you provide us: This is information about you that you give us by filling in application forms that we give to you or by corresponding with us by phone, e-mail or otherwise. We use different methods to collect data from and about you including through direct interactions. This includes the personal data you provide when you:
    • Apply for our products or services.
    • Register or subscribe to our services or publications.
    • Download our mobile application.
    • Request marketing information to be sent to you.
    • Survey
    • Give us feedback or contact us
  • Information we collect about you: With regard to each of your user visits to our website and your use of our Services we will automatically collect the following information:
    • Technical information, including the Internet protocol (IP) address used to connect your computer or mobile phone to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other websites employing our cookies.
    • Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed or searched for page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page and any phone number used to call our customer service number.
  • Information we receive from other sources:
    • We receive your Personal Data from third parties who provide it to us. We will receive Personal Data about you from various third parties to whom you have consented and public sources including but not limited to: companies registry, and other government registries; any service providers we interact or integrate with now or in future.
    • We may collect information about you from other publicly accessible sources not listed above. We may also collect information about you from trusted partners, not listed above, who provide us with information about potential members and other data subjects that use our products and services.

4. How We Will Use Your Information

We will only use your Personal Data where we have your consent or a legal basis to process the same.

We will use your Personal Data in the following circumstances:

  • To perform the contractual agreement, we are about to enter into or have entered into with you.
  • For purposes of our legitimate interests (or those of a third party) in instances where your interests and fundamental rights do not override those interests. Legitimate interest refers to our interest in running and controlling our operations in order to provide the best service or product and the safest experience possible. Here we make sure to examine and balance any potential impact on you (both positive and negative) as well as your rights; and/or
  • To comply with a legal obligation.

We may process your Personal Data for more than one lawful ground depending on the specific purpose for which we are processing your data. Additionally, we use your personal data as outlined below:

  • To deliver, administer, and personalize our services for you as a member.
  • To manage risk, security and crime prevention which will include:
    • Detection, prevention, investigation and reporting of fraud.
    • Security detection to verify your identity and to ensure compliance with Laws and regulations.
  • To administer and protect our business and our website, ensure business continuity, manage complaints, undertake remediation activities, and resolve queries (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
  • To study how our members and other data subjects use our products and services, communication about our products and services as well as testing of new products and managing our brand.
  • To undertake surveys or reviews
  • To use data analytics to better understand the savings and health status of members and beneficiaries needs and preferences; to improve our website, products, services, marketing, customer relationships and experiences.
  • Administration and Benefits: We use your personal data to administer social security benefits, including eligibility verification, processing of claims, and disbursement of payments.
  • To enforce our rights under the agreement with you for instance, debt recovery and indemnification.
  • For Know Your Customer (KYC) formalities.
  • We may collect special categories of Personal Data about you including details about your information about your health, and biometric data.
  • For research and statistical purposes.

5. To Whom We May Disclose Your Information

We may disclose your Personal Data to other entities with the affiliates of RSSB, for legitimate business purposes (including providing services to you and operating our sites and systems), in accordance with applicable law. In addition, we may disclose your Personal Data to:

  • The Government (including law enforcement), authorities and regulators.
  • Other financial institutions through which your transactions are processed.
  • Other companies and financial institutions that we work with to provide services to you e.g., mobile technology service providers, credit reference bureaus, employers, debt collection agencies and outsourced services vendors.
  • Third parties with accruing legal obligations e.g., trustees and executors, guarantors, anyone holding a power of attorney to operate on your behalf.
  • In the instance of a merger or acquisition. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this Privacy Notice; and
  • third parties who are service providers acting as data processors, professional advisers including lawyers, bankers, auditors, and those who provide consultancy, legal and insurance.

All third parties are required to protect the security of your Personal Data and to treat it lawfully. We do not allow our third-party service providers to use your Personal Data for their own interests; instead, we only allow them to process it for certain purposes and according to our instructions.

6. Marketing

We strive ensure your consent regarding certain personal data uses, specifically in so far as marketing and advertising. We have established the following personal data control mechanisms:

  • Mobilization from us: We may use your identity, contact, technical, usage and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant to you. You will receive marketing communication from us if you have requested such information and provided express consent to receiving such information based on the use of our products and services.
  • Third-party marketing: we may share your Personal Data with any third party for marketing purposes where we believe that the marketing information from such third parties will be relevant to you and where we have obtained your prior consent.

6.1. Opting Out

We strive ensure your consent regarding certain personal data uses, specifically in so far as marketing and advertising. We have established the following personal data control mechanisms:

  • You can ask us or third parties to stop sending you marketing messages at any time by writing to us or logging into the relevant website and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you or by contacting us at any time through the provided contacts.
  • Where you opt out of receiving these marketing messages, this will not apply to Personal Data provided to us because of product or service subscribed to, warranty registration, product or service experience or other transactions.

7. Data Retention Policy

We will only retain your Personal Data for as long as is reasonably required to fulfil the purpose for which it was obtained, including any legal, regulatory, tax, accounting, or reporting obligations, in accordance with the RSSB Records and Archive Management Policy. In the case of a complaint or if we reasonably believe there is a risk of litigation arising from our engagement with you, we may preserve your Personal Data for a longer length of time.

To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.

Legally we are required to retain basic information about our members and other data subjects (including contact, identity, financial and transaction data) for a minimum of ten years after they cease being members and other data subjects. Our internal policy as amended from time to time may also require us to keep member data for a longer period.

In some circumstances, we will de-identify your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

8. Automated Decision Making

RSSB incorporates automated decision-making process for eligibility checks where applicable. Where these automated processes suggest that your application should be rejected, we will manually review your application before making a final decision. If you have any questions about this, please contact us on the details set out below:  dpo@rssb.rw

9. Data Involving Children

We do not knowingly collect personally identifiable information from anyone under the age of 18 without verification of parental/legal guardian consent. We additionally employ the use of age-gating to ensure this. If we become aware that we have collected Personal Data from children without verification of parental/ legal guardian consent, we shall take steps to securely dispose the information from our servers.

10. Change of purpose

We will only use your Personal Data and special category data for the purposes for which we collected it as indicated in this Privacy Notice or for reasons we give you during the collection of the data. If we need to use your Personal Data for an unrelated purposes, we will notify you and seek your consent where necessary. Please note that we may process your Personal Data without your knowledge or consent if this is required or permitted by law.

11. Transfer Of Your Personal Data

We may need to transfer or store your information in another jurisdiction to fulfill a legal obligation, for our legitimate interest and to protect the public interest. If the other jurisdiction does not have the same level of protection for Personal Data, when we do process the data, we shall put in place appropriate safeguards e.g., contractual commitments to ensure the data is adequately protected. We ensure your Personal Data is protected by requiring all our related branches to follow the same rules when processing your Personal Data. Where third parties are based in other jurisdictions, their processing of your Personal Data will involve a transfer of data to their jurisdictions.

12. How to Exercise Your Rights

Subject to legal and contractual limitations as well as legitimate interests, you have rights under applicable laws in relation to your Personal Data. These are listed below:

We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped as follows:

  • Right to access Personal Data that we hold about you
  • Right to request that we correct your Personal Data where it is inaccurate or incomplete.
  • Right to request that we erase your Personal Data noting that we may continue to retain your information if obligated or entitled to do so.
  • Right to object and withdraw your consent to the processing of your Personal Data.
  • Right to request restricted processing of your Personal Data noting that we may be entitled to continue processing your data and refuse your request; and
  • Right to request transfer of your personal data in a format we shall determine from time to time.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within 30 days, as required by the law. Occasionally it could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

13. How We Secure Your Data

We have put in place appropriate security measures to prevent your Personal Data from being lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your Personal Data to employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

The collection of your personal data shall be adequate, relevant and limited to the strict minimum. Before processing personal data, we will determine whether and to what extent the processing of personal data is necessary to achieve the purpose for which it is performed.

14. Data Protection Officer

If you have any questions or concerns regarding this Privacy Notice or your rights related to protection of your personal information may be sent via email at  dpo@rssb.rw  or at the following address:

Kiyovu, Nyarugenge

P.O Box 250/6655 Kigali-Rwanda

In order to ensure effective and legal handling of our members and other data subjects’ Information we have appointed a Data Protection Officer. you can reach our Data Protection Officer by sending an email at dpo@rssb.rw

15. Changes To This Privacy Notice

We reserve the right to modify, alter or otherwise update this Privacy Notice at any time, by either posting such changes, updates or modifying the Privacy Notice on our Website and/or mobile app. We will provide you with notice period of two months for any such changes to this Privacy Notice, by email at the same email address you have provided to us. If we do not hear from you, your continued use of our services constitutes your acceptance of any amendment of this Privacy Notice.