RMB Ventures (Pty) Limited. Reg. No. 2004/005571/07. A member of the FirstRand Banking Group.
Copyright © RMB Ventures (Pty) Limited 2026 All rights reserved. Copyright © FirstRand All rights reserved.
RMB Ventures (Pty) Limited. Reg. No. 2004/005571/07. A member of the FirstRand Banking Group.
Copyright © RMB Ventures (Pty) Limited 2026 All rights reserved. Copyright © FirstRand All rights reserved.
FirstRand Limited (FirstRand or the group) follows a multi-branding approach. The logos of some of the group’s major brands are shown below.
A representation of FirstRand’s simplified legal entity structure can be found on the group’s website at https://www.firstrand.co.za/the-group/ownership-and-legal-structure/.
This notice applies to the FirstRand group of companies as defined in the definitions section. The various companies in the group offer financial and non-financial solutions. These solutions include transactional, lending, investment, insurance, telecommunication and consumer products, goods and services. In this notice, solution means any financial and non-financial product, service or goods offered by a group company.
WHAT IS “FIRSTRAND” OR “THE GROUP”?
In this notice, references to “FirstRand” or “the group” are to FirstRand Limited and its subsidiary companies, including divisions, segments and business units. Certain subsidiary companies may be excluded from the group description (such as where the group is involved in private equity investments). Confirmation as to whether this notice applies to a specific company (a registered legal entity) associated with the group can be sought through the contact details provided in this notice. In this notice, any reference to “the group” or “FirstRand” includes any one or more (if they are acting jointly) group companies and all affiliates, associates, cessionaries, delegates, successors in title or third parties (authorised agents and contractors), when such parties are acting as responsible parties, joint responsible parties or operators in terms of applicable privacy laws, unless stated otherwise.
WHAT IS THE “PLATFORM”?
In this notice, references to the group’s platform mean the platform provided by a company within the group which is a collection of service channels, solutions and interfaces (like apps and websites), including that of the group’s agents and independent third-party service providers.
WHO IS A CUSTOMER?
For this notice, the definition of a “customer” includes:
WHAT IS “PROCESS”?
In this notice “process” means how the group collects, uses, stores, makes available, destroys, updates, discloses or otherwise deals with customers’ personal information.
The examples provided in this notice are for illustrative purposes and are not exhaustive.
Protecting customers’ personal information is important to FirstRand and it follows general principles under applicable privacy laws.
This notice helps the group’s customers understand how the group collects, uses and safeguards their personal information. This notice also outlines customers’ privacy rights and how the law protects them.
The group collects personal information about its customers. This includes what customers tell the group about themselves, what the group learns from a customer or when a customer makes use of a solution or interacts with the group’s platform through various interfaces and service channels.
This notice may also apply to other parties (such as authorised agents and contractors) acting on the group’s behalf when providing customers with solutions, interfaces or service channels. If a FirstRand group business processes personal information for another party under a contract or a mandate, the other party’s privacy policy or notice will apply.
The group may combine customers’ personal information (across the group’s platform, interfaces, service channels or companies) and use the combined personal information for any of the purposes stated in this notice.
If a customer uses the group’s platform, group solutions or service channels and interfaces, or accepts any rules, agreements, contracts, mandates or annexures with the group, or uses any solutions offered by the group, the customer agrees to the processing by the group of the customer’s personal information as stated in this notice. Please note that the group may not be able to continue a relationship with a customer, provide a customer with certain solutions or permit access to the group’s platform (including service channels and interfaces) if the customer does not agree to the notice.
IMPORTANT:
Where it is necessary to obtain consent for processing, the group will seek a customer’s consent separately. Customers should read the consent request carefully as it may limit their rights. A customer may maintain their consent preferences, including their marketing preferences, at any time. A customer can maintain their consent preferences, including their marketing preferences (by giving or withdrawing the consent) on the group apps or websites, or through cellphone banking, contact centres or branches. The customer can also contact the responsible parties as listed in section 5.
NOTE: As the group has operations in several countries, this notice will apply to the processing of personal information by any entity in the group in any country. The processing of customers’ personal information may be conducted outside the borders of South Africa, but will be processed according to the requirements and safeguards of applicable privacy law or privacy rules that bind the group. If a group entity has its own notice, that notice would take precedence over this notice.
The group has several responsible parties. These companies are responsible for determining why and how the group will use customers’ personal information. When a customer uses the group’s platform, the responsible party would be the company within the group that provides the platform, acting jointly with the other companies in the group. Similarly, when a customer uses a solution provided by any group entity, the responsible party will be the entity which the customer engages to take up the solution, acting jointly with the other entities in the group.
Customers can contact the various responsible parties in the group through the applicable business, the email addresses of which are listed below.
 |
fnbpaia@fnb.co.za |
 |
rmbprivacy.office@rmb.co.za |
|
wesbankpaia@wesbank.co.za |
|
firstrandcosec@firstrand.co.za |
|
fnbpaia@fnb.co.za |
 |
compliance@motovantage.co.za |
FirstRand Bank Limited (the bank), is a registered bank in South Africa and a member of the Banking Association South Africa (BASA). As a BASA member, the bank is subject to the Code of Conduct for the Processing of Personal Information by the Banking Industry (the code). The bank will process customers’ personal information in terms of the code. A copy of the code can be found on the respective bank website.
Personal information refers to any information that identifies a customer or specifically relates to a customer. Personal information includes, but is not limited to, the following information about a customer:
|
Birth (e.g. date of birth) |
Education |
Language |
Age |
|---|---|---|---|
|
National origin |
Marital status (e.g. married, single, divorced) |
Financial history (e.g. income; expenses; financial obligations; assets and liabilities; buying, investing, lending, insurance, banking and money management behaviour; goals and needs) based on, among others, account transactions |
Employment history and current employment status (e.g. when a customer applies for credit) |
|
Gender or sex (e.g. for statistical purposes as required by the law) |
Identifying number (e.g. an account number, identity number or passport number) |
Email address, physical address (e.g. residential address, work address or physical location), telephone number |
Information about a customer’s location (e.g. geolocation or GPS location) |
|
Online identifiers (e.g. cookies, online analytical identifier numbers, internet protocol (IP) addresses, device fingerprints, device ID), social media profiles |
Biometric information (e.g. fingerprints, signature, facial biometrics or voice) |
Race (for statistical purposes as required by the law) |
Religion, belief, conscience, culture |
|
Physical health, mental health, wellbeing, disability |
Employment history |
Criminal history |
Medical history (e.g. HIV/Aids status) |
|
Personal views, preferences and opinions |
Confidential correspondence |
Views or opinions about a customer |
Customer’s name |
Depending on the applicable law of the country, a juristic entity (like a company) may also have personal information, which is protected by law and which may be processed in terms of this notice.
There is also a category of personal information called special personal information, which is considered more sensitive and is afforded additional protection in the law. Special personal information includes the following personal information about a customer:
|
Religious and philosophical beliefs (e.g. where a customer enters a competition and is requested to express a philosophical view) |
Race (e.g. where a customer applies for a solution where the statistical information must be recorded) |
Ethnic origin |
Trade union membership |
|
Political beliefs |
Health, including physical or mental health, disability and medical history (e.g. where a customer applies for an insurance policy) |
Biometric information (e.g. to verify a customer’s identity) |
Criminal behaviour where it relates to the alleged commission of any offence or the proceedings relating to that offence |
The group may process customers’ personal information for lawful purposes relating to its business if the following circumstances apply:
The group may process customers’ special personal information in the following circumstances, among others:
A child is a person who is defined as a child by a country’s legislation, and who has not been recognised as an adult by the courts.
The group processes the personal information of children if the law permits this.
If a customer gives the group the personal information of a child the customer confirms that the customer is permitted to act on behalf of the child and agrees to the processing of the child’s personal information in terms of this notice.
The group may process the personal information of a child if any one or more of the following applies:
The group collects information about customers:
The group collects and processes customers’ personal information at the start of and for the duration of their relationship with the group. The group may also process customers’ personal information when their relationship with the group has ended.
If the law requires the group to do so, it will ask for customer consent before collecting personal information about them from other parties.
The parties (which may include parties the group engages with as independent responsible parties, joint responsible parties or operators) from whom the group may collect customers’ personal information include, but are not limited to, the following:
Important: If the customer provides the group with personal information of other people the customer confirms that the customer is allowed to share it with the group and that the group may process the personal information in terms of this notice.
The group may process customers’ personal information for the reasons outlined below.
The group may process customers’ personal information if it is necessary to conclude or perform under a contract the group has with a customer, provide a solution to a customer or manage interactions with customers on the platform service channels and interfaces. This includes:
The group may process customers’ personal information if the law requires or permits it. A schedule of legislation which requires the group to process personal information is included on page 29 of this notice. The group may process customers’ personal information:
The group may process customers’ personal information in the daily management of its business and finances and to protect the group’s customers, employees, service providers and assets. It is to the group’s and its customers’ benefit to ensure that its procedures, policies and systems operate efficiently and effectively.
The group may process customers’ personal information to provide them with the most appropriate solutions, and to develop and improve group solutions, group business and the group’s platform. This includes communicating with customers about these solutions.
The group may process a customer’s personal information if it is required to protect or pursue their, the group’s or a third party’s legitimate interests. These include:
At the time that the group collects personal information from a customer, it will have a reason or purpose to collect that personal information, which includes all the purposes disclosed in this notice. The group may use that same personal information for other purposes. The group will only do this where the law allows it to and where the other purposes are compatible with the original purpose(s) applicable when the group collected the customer’s personal information as disclosed in this notice. Examples of these other purposes are included in the list of purposes set out in section 12 above.
The group may also need to request a customer’s specific consent for further processing in limited circumstances.
The group may also further use or process a customer’s personal information if:
The group may also further use or process a customer’s personal information if the customer has consented to it, or in the instance of a child, if a competent person has consented to it.
Any enquiries about the further processing of customer personal information can be made through the contact details of the customer’s solution provider or the group’s platform provider, as set out in the responsible parties table in section 5 of this notice.
The group aims to create efficiencies in the way it processes information across the group. Customers’ personal information may therefore be processed through centralised group functions and systems, which include the housing of personal information in centralised group data warehouses.
This centralised processing is structured to ensure efficient processing that benefits both the customer and the group. Such benefits include, but are not limited to:
Details of further interests which are promoted by the centralised processing can be found in section 12.
VERY IMPORTANT: If customers use the group’s platform, group solutions or service channels and interfaces (including both assisted (with help) and unassisted (without help) interactions), or by accepting any rules, agreements, contracts, mandates or annexures with the group, or by utilising any solutions offered by the group, customers agree to:
Customers’ personal information may be processed through centralised functions and systems across companies in the group and may be used for the purposes, in the manner and with the appropriate controls as set out in this notice.
The group aims to provide its customers with solutions that are appropriate and reasonable considering the customer’s circumstances (such as financial position (including income, deductions and expenses), employment status and various obligations), vulnerabilities and needs.
The group may not always have sufficient personal information (obtained from companies within the group or from the customer) about the customer to determine the suitability of solutions applied for, to determine which solutions are appropriate to offer proactively to customers or to assist customers with money management tips and advice. In these circumstances, the group may approach external persons for additional personal information.
The group may get, use and share within the group customer personal information (such as what customers purchase and spend their money on, which insurance and investment products customers have and how customers meet their obligations under these products, whether customers have medical aid and how they are meeting their obligations regarding the medical aid, and what customers’ salaries are) from the following entities in South Africa:
The purposes for which customer personal information may be used are:
The group collects personal information about customers from the partners; suppliers; customer loyalty rewards programmes’ retail, online and strategic partners (rewards partners) and service providers it interacts with in relation to its eBucks rewards programme.
The group will process customers’ personal information for the following reasons:
The group would like to keep its customers informed on solutions that may be of benefit to them. The group may use prospective customers’ or customers’ personal information to directly market financial and non-financial solutions to them.
The group aims to enhance the customer experience when using the group’s platform. In order to do so, the group processes customer personal information to provide customers with personalised and appropriate offers that may be of interest to them. These personalised and appropriate offers are part and parcel of the group’s platform and cannot be removed. If a customer does not want to receive these offers, they are requested to not use the group’s platform.
WHO IS A GROUP CUSTOMER AND WHAT DOES THE TERM MEAN?
For the purposes of electronic marketing (such as SMS, MMS, email, instant messaging or app notifications) and applicable to this section only, a group customer would be a person whose contact details were obtained during a sale of the group’s solutions, including an instance where the person agrees to a solution being provided to them and the group not charging for that solution; where the person started to apply or register for a solution but decided to not continue or cancelled the transaction; if the group or the person declined the offer of a solution made to or by the person; and where the person concluded an agreement with the group regarding the solution offered to them.
The group will use the personal information of these customers to communicate information about the group’s financial solutions.
If a customer uses the group’s platform, solutions or service channels and interfaces, or accepts any rules, agreements, contracts, mandates or annexures with the group, or uses any solutions offered by the group, the customer agrees to the processing by the group of their personal information for direct marketing of financial solutions (this includes transactional, lending, investment, insurance and related solutions).
If a person is a prospective customer (not a group customer) or in any other instances where the law requires, the group will only market to them by electronic communications with their consent.
IMPORTANT: HOW TO OPT OUT
A customer may maintain their consent preferences, including direct marketing consent preferences, on the group’s platform at any time. Details on how to change customer information and marketing preferences are available on the various group apps and websites. A customer can maintain their consent preferences (by giving or withdrawing their consent) by means of the group apps, websites, cellphone banking, contact centres or branches, or by contacting the responsible parties as per section 5.
For example: This can be done on the FNB app under My profile >My preferences >Marketing preferences and >Information preferences.
This section only applies to direct marketing by the group. It does not apply to other communications, including:
An automated decision is made when a customer’s personal information is analysed without human intervention in the decision-making process.
The group may use a customer’s personal information to make an automated decision as allowed by law. An example of automated decision-making is the approval or declining of a credit application when a customer applies for an overdraft or credit card, or the approval or declining of an insurance claim.
Customers have the right to query any such decisions made, and the group will:
In general, the group will only share customers’ personal information if any one or more of the following apply:
Where permitted, each entity in the group may share a customer’s personal information with the following persons, which may include parties that the group engages with as independent responsible parties, joint responsible parties or operators. These persons must keep customers’ personal information secure and confidential:
The group may obtain customers’ personal information from credit bureaux for any one or more of the following reasons:
The group will share a customer’s personal information with credit bureaux for, among others, any one or more of the following reasons:
Customers should refer to their specific credit agreement with the group for further information.
The group will only transfer a customer’s personal information to third parties in another country in any one or more of the following circumstances:
This transfer will happen within the requirements and safeguards of applicable laws or privacy rules that bind the group.
Where possible, the party processing a customer’s personal information in another country will agree to apply the same level of protection as available by law in the customer’s country, or if the other country’s laws provide better protection, the other country’s laws would be agreed to and applied.
An example of the group transferring a customer’s personal information to another country would be when a customer makes payments if they purchase goods or services in a foreign country, or where personal information is stored with a cloud services provider and the servers are in a foreign country.
TAKE NOTE: As the group operates in several countries, customers’ personal information may be shared with group companies in other countries and processed in those countries under the privacy rules that bind the group.
Customers must provide the group with proof of identity when enforcing the rights below. The group will then verify the identity of the customer. Customers must inform the group when their personal information changes, as soon as possible after the change.
IMPORTANT: Customers warrant that, when they provide the group with personal information regarding their spouse, dependants or any other person, they have permission from them to share their personal information with the group. The group will process the personal information of the customer’s spouse, dependant or any other person that the customer has shared with it as stated in this notice.
Customers have the right to request access to the personal information the group has about them by contacting the group. This includes requesting:
The group will address requests for access to personal information within a reasonable time and in alignment with the law. Customers may be required to pay a reasonable fee (aligned with the law) to receive copies or descriptions of records of, or information on, third parties. The group will inform customers of the fee before attending to their request.
Customers should note that the law may limit their right to access information, e.g. information relating to the group’s intellectual property, competitively sensitive information or legally privileged information.
For South Africa, please refer to the group’s information manual prepared under section 51 of the Promotion of Access to Information Act, No. 2 of 2000 (information manual) for further information on how customers can effect this right. The information manual is available on the group’s website at: https://www.firstrand.co.za/media/investors/policies-and-practice/pdf/firstrand-information-manual.pdf.
In certain instances, customers exercise this right by making use of the group’s unassisted (self-help) interfaces, e.g. using a group entity’s app or website to access the personal information the group holds about them (for example, on the FNB app under My profile).
Customers have the right to request the group to correct, delete or destroy the personal information it has about them if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully, or if the group is no longer authorised to keep it. Customers must inform the group of their request in the prescribed form. Prescribed form 2 has been included as an annexure to this notice.
The group will take reasonable steps to determine if the personal information is correct and make any corrections needed. It may take a reasonable time for the change to reflect on the group’s platform/systems. The group may request documents from the customer to verify the change in personal information.
A specific agreement that a customer has entered into with the group may determine how they must amend their personal information provided at the time when they entered into the specific agreement. Customers are required to adhere to these requirements.
If the law requires the group to retain the personal information, it will not be deleted or destroyed upon the customer’s request. The deletion or destruction of certain personal information may lead to the termination of a customer’s relationship with the group.
The group may be unable to establish a relationship with a customer, continue a relationship with a customer, process a transaction or provide a customer with a solution if the customer withholds or requests the deletion of personal information or special personal information required in terms of the Financial Intelligence Centre Act for financial crime prevention, detection and reporting purposes.
In certain instances a customer can give effect to this right by making use of the group’s unassisted (self-help) interfaces, e.g. using a group app or website to correct their contact details.
Customers may object to the processing of their personal information on reasonable grounds where the processing is in their legitimate interest, the group’s legitimate interest or in the legitimate interest of another party.
Customers must inform the group of their objections in the prescribed form. Prescribed form 1 is included as an annexure to this notice.
The group will not be able to give effect to the customer’s objection if the processing of their personal information was and is permitted by law, the customer has provided consent to the processing and the group’s processing was conducted in line with their consent; or the processing is necessary to conclude or perform under a contract with the customer.
The group will also not be able to give effect to a customer’s objection if the objection is not based upon reasonable grounds and substantiated with appropriate evidence.
The group will provide customers with feedback regarding their objections.
Where a customer has provided their consent for the processing of their personal information, the customer may withdraw their consent. If they withdraw their consent, the group will explain the consequences to the customer. If a customer withdraws their consent, the group may not be able to provide certain solutions to the customer or provide the customer access to the group’s platform. The group will inform the customer if this is the case. The group may proceed to process customers’ personal information, even if they have withdrawn their consent, if the law permits or requires it. It may take a reasonable time for the change to reflect in the group’s systems. During this time, the group may still process the customer’s personal information.
IMPORTANT: HOW TO WITHDRAW CONSENT
A customer may maintain their consent preferences, including direct marketing consent preferences, at any time on the group’s platform. Details on how to change customer information and marketing preferences are available on the various group apps and websites. A customer can maintain their consent preferences (by giving or withdrawing the consent) by means of group apps, websites, cellphone banking, contact centres or branches, or by contacting the responsible parties as per section 5.
For example this can be done on the FNB app under My profile >My preferences >Marketing preferences and >Information preferences.
Customers have a right to file a complaint with the group or any regulator with jurisdiction (in South Africa customers can contact the Information Regulator) about an alleged contravention of the protection of their personal information. The group will address customer complaints as best possible.
The contact details of the Information Regulator are provided below.
|
Physical address: |
Postal address: |
|
|
JD House, 27 Stiemens Street Braamfontein Johannesburg 2001 |
P.O. Box 31533 Braamfontein Johannesburg 2017
|
Telephone number: +27 (0)10 023 5200 Website: https://inforegulator.org.za Complaints email address: POPIAComplaints@inforegulator.org.za General enquiries email address: enquiries@inforegulator.org.za |
FirstRand Bank Limited, a registered bank in South Africa and a member of the Banking Association South Africa, is subject to the Code of Conduct for the Processing of Personal Information by the Banking Industry. As such, privacy complaints may be referred to:
National Financial Ombud Scheme South Africa
|
NFO Johannesburg 110 Oxford Road Houghton Estate Johannesburg Gauteng 2198 |
NFO Cape Town Claremont Central Building 6th Floor 6 Vineyard Road, Claremont Western Cape 7700 |
Telephone number: 0860-800-900 Website: http://www.nfosa.co.za/ Email address: info@nfosa.co.za |
Customers have the right to take legal action, and in South Africa, request that the Information Regulator take legal action, for certain contraventions of the protection of their personal information.
The group will take appropriate and reasonable technical and organisational steps to protect customers’ personal information in line with industry best practices. The group’s security measures, including physical, technological and procedural safeguards, will be appropriate and reasonable. This includes the following:
Customers can also protect their personal information and can obtain more information in this regard by visiting the website or app of the relevant group entity that they have established a relationship with.
The group will keep customers’ personal information for as long as:
TAKE NOTE: The group may retain customers’ personal information even if they no longer have a relationship with the group or if they request the group to delete or destroy it, if the law permits or requires it.
Please refer to the FirstRand group cookie notice for further information. The group’s cookie notice is available on FirstRand’s website.
If a customer is a juristic person, such as a company or close corporation, the group may collect and use personal information relating to the juristic person’s directors, officers, employees, beneficial owners, partners, shareholders, members, authorised signatories, representatives, agents, payers, payees, customers, guarantors, spouses of guarantors, sureties, spouses of sureties, other security providers and other persons related to the juristic person. These are related persons.
If customers provide the personal information of a related person to the group, they warrant that the related person is aware that they are sharing their personal information with the group, and that the related person has consented thereto.
The group will process the personal information of related persons as stated in this notice. Therefore references to “customer(s)” in this notice will include related persons with the necessary amendments and limitations.
The companies in the group may cede, delegate or assign fully or partially their rights and obligations under this notice to another company. This assignment may take place without customer consent. Personal information related to a customer of the company may also be transferred to the other company. The other company will adhere to all privacy laws, all privacy undertakings the group has given and all processing and marketing consent preferences the customer has provided to the group (including opt-ins and opt-outs). The group will provide the customer with notification of this transfer of personal information.
The group may change this notice from time to time. The updated notice will become operative when published on the group’s websites. The latest version of the notice displayed on FirstRand’s website will apply to customers’ interactions with the group and the group’s processing of the customers’ personal information. It is available at https://www.firstrand.co.za/investors/esg-resource-hub/policies-and-practices/.
OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION IN TERMS OF SECTION 11(3) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013) REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018 [Regulation 2]
REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION OR DESTROYING OR DELETION OF RECORD OF PERSONAL INFORMATION IN TERMS OF SECTION 24(1) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013) REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018 [Regulation 3]
The group may process a customer’s personal information where the processing is required, permitted or contemplated in law. Below is a list of legislation which requires the group to process the personal information of customers. The list of legislation should be read to include all related subordinate legislation thereunder.