Zambia · Privacy Policy

Privacy Policy

mytalu, as a registered Data Controller, takes the confidentiality and integrity of its customer data very seriously. We're committed to protecting your information.

Data Protection at mytalu

How we handle, protect, and respect your personal information.

Overview

As stewards of customer information, mytalu strives to ensure all data is protected from unauthorised access whilst also ensuring that relevant data is available when needed.

mytalu is also committed to ensuring that all personal data is handled in accordance with Data Protection law and its principles, together with any additional regulations and/or guidance issued by the Zambian Government or the Bank of Zambia.

As part of its business operations, mytalu ensures the safe, secure, ethical, and fair use of all personal data and always upholds the highest standards of data handling. mytalu ensures that all employees understand, have access to, and can easily interpret its Data Protection policies and procedures.

Governance

The Data Protection Act (DPA) regulates the processing of personal data, which includes organising, altering, adapting, retrieving, consulting, storing, using, disclosing, transmitting, disseminating or destroying any such data. Accordingly, mytalu has put in place robust measures, policies, procedures, and controls covering all aspects of personal data handling.

A senior member of staff is the designated Data Protection Officer (DPO), responsible for ensuring that customer information is processed and protected correctly.

As a controller that processes personal information, mytalu is obligated under Data Protection law to protect such information, and to obtain consent for it and to use, process, store and destroy it only in compliance with the provisions of the law.

Understanding the Terms

Clear definitions of the data we protect.

Personal Data Definition

For clarity, information protected under Data Protection law is known as "Personal Data" and is defined as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Classifications

mytalu gives greater care and attention to personal data falling within the category of special data, because this type of information is of a sensitive, personal nature to the persons it relates to and could be used in a negative or discriminatory way.

  • Data classified in this category includes data concerning racial or ethnic origin, political opinions, religious or philosophical views, trade union membership, sexual orientation, and health, genetic and biometric data which is processed to uniquely identify an individual.
  • Personal data relating to criminal convictions and offences is not included in the special categories. However, similar extra safeguards apply to its processing.

Data Protection Principles

The core principles guiding how we handle your data.

Our Guiding Principles

mytalu has adopted the following Data Protection principles. Personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals.
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes.
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay.
  • Kept in a form which permits identification of data subjects (e.g. an individual, customer, employee etc.) for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the data protection law in order to safeguard the rights and freedoms of individuals.
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

Privacy & Security

How we communicate with you and protect your information.

Privacy & Electronic Communications

mytalu confirms that it complies with all regulations and laws made under the Data Protection Act and Electronic Communications Regulations with respect to any related business activity.

mytalu confirms that, where individuals are concerned, direct marketing (by email, call or post) will only be sent when solicited, for example where consent has been given by accepting terms and conditions that signify agreement to the individual's personal data being processed, and that mytalu will retain proof of all such consent.

  • No marketing material is delivered using an automated calling system and no unsolicited tele-sales or marketing calls will be made.
  • Anyone calling on behalf of mytalu will identify themselves and the firm, disclose the nature and purpose of the call, and provide a valid business address and contact telephone number if asked.
  • Any sales or marketing emails will identify the name of the firm, trading address, valid contact number, and contain an opt-out request for unsubscribing.

Information Security

Employees understand that a data security breach cannot be undone once it has happened, and that when handling private information mytalu has a corporate and ethical duty to ensure information security and privacy at all times.

Employees are trained to recognise the threats to personal information, which can come from a variety of sources, internal and external, and for a variety of motives.

Customer Data Protection Rights

Understanding and exercising your data rights.

Your Rights Include

  • Right of access — customers have the right to ask mytalu for copies of their personal information.
  • Right to rectification — customers have the right to ask mytalu to rectify personal information that customers consider inaccurate.
  • Right to erasure — customers have the right to ask mytalu to erase any stored personal information in certain circumstances.
  • Right to restriction of processing — customers have the right to ask mytalu to restrict the processing of personal information in certain circumstances.
  • Right to object to processing — customers have the right to ask mytalu to stop the processing of personal information in certain circumstances.
  • Rights related to automated decision-making — customers have the right not to be subject to a decision based solely on automated processing, including profiling.
  • Right to data portability — customers have the right to ask that mytalu transfer the personal information held on file to another organisation, or direct to the customer, in certain circumstances.

How Requests Are Handled

  • mytalu will not charge customers for exercising their rights, but customers may be asked to provide additional information so that mytalu can confirm the requester's identity and their entitlement to the personal data requested.
  • This is a security measure to ensure that personal data is not disclosed to anyone who has no right to receive it.
  • mytalu shall respond to the customer within one month of the request being made.

Collection & Storage

What data we collect and how we store it securely.

Privacy by Design

  • Privacy by Design is a technical and organisational measure, built into systems and processes from the outset, to minimise the processing of personal data.
  • Privacy by Default means that, by default, only the personal data necessary for a given purpose is processed, only to the extent necessary, and is stored only where necessary.
  • mytalu carries out privacy impact assessments on an annual basis to ensure the data is appropriately secure and only what is considered necessary is stored.

Data Collection & Storage

mytalu will collect and process the following information:

  • Personal identifiers, such as first name, last name, marital status/title, date of birth, photo, and gender.
  • Contact information, including home address, email address and telephone number.
  • Copies of any Government ID and documentation customers submit during the application process.
  • Transaction data, relating to the funds passed through mytalu products.

All data is collected with full consent of the customer. The customer provides consent when agreeing to the customer terms and conditions during the application process.

Special Category Data Handling

mytalu collects and processes Special Category Data. In relation to the data collected, mytalu ensures that:

  • Data is handled and protected according to its classification requirements.
  • Sensitive and non-sensitive data are not mixed in the same repository.
  • Security controls, including authentication, authorisation, data encryption, and auditing, are applied according to the highest classification of data in any given repository.
  • Unless essential for their role within mytalu, employees do not have direct administrative access to production data.
  • Each processing activity can be disabled, unless it is essential to achieving the business purpose for which the data is stored.
  • All access to production data is logged.
  • All production data has security monitoring enabled, including activity and file integrity monitoring, vulnerability scanning, and/or malware detection, as applicable.

Purpose & Retention

Why we collect data and how long we keep it.

Purpose & Minimisation

mytalu shall ensure that all collected personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

mytalu has a legal basis and a legitimate interest in collecting customer data: it requires the data to mitigate risk, to conduct its business, and to provide products and services in the most efficient, lawful, and secure way.

mytalu only uses customer data in compliance with the provisions of the Law. Customer data is shared with:

  • Employees of mytalu, where needed for their role.
  • Third-party organisations that support mytalu's products and services.
  • Regulators, fraud prevention authorities and other law enforcement agencies, where needed to protect against fraud, to comply with anti-money laundering laws, or to confirm a customer's eligibility to use mytalu services.

To keep the customer data it holds up to date, mytalu will review and update the information every three years, or every twelve months where the customer in question is flagged for enhanced due diligence.

Retention & Destruction

As part of its governance procedures, mytalu ensures the preservation of personal information, data, and documentation in compliance with the statutory confidentiality and data protection requirements.

Records relating to mytalu's compliance, legal and regulatory responsibilities will be retained for the minimum period stipulated by the Law. In some cases, this period may begin after the specific business relationship pertaining to the data has ended.

Once the minimum period has elapsed, customer personal data will be destroyed in line with the relevant data protection regulation(s)/laws, subject to the following:

  • A further period of retention may be permitted if, after a thorough assessment, mytalu considers it justified for the prevention, detection or investigation of money laundering or terrorist financing, or where the customer has consented to the continued retention of their data.
  • At the end of any such further period, mytalu shall destroy the retained customer personal data.
  • Information will be made available to law enforcement on request.

Standards & Processes

Our comprehensive approach to data protection.

Data Protection Standards

All mytalu employees, systems, and resources adhere to the following standards and processes to reduce the risk of data compromise events:

  • Implement and review controls designed to protect data from improper alteration or destruction.
  • Ensure that confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.
  • Ensure mytalu customer data is segmented and only accessible to those authorised to access data.
  • All data is stored on encrypted storage platforms.
  • Encryption keys, and the machines that generate them, are protected from unauthorised access and are accessible only to privileged employees.
  • In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, mytalu shall promptly assess the risk to customers' rights and freedoms and, where appropriate, report the breach to the relevant Regulatory Authorities.
  • Where a breach is reportable, it will be reported to the relevant Regulatory Authorities within seventy-two hours of mytalu becoming aware of it.

Our Breach Response Commitment

Regarding mytalu's approach to data breaches, mytalu confirms that:

  • mytalu has the capability to detect and recognise a data breach internally.
  • The severity of a data breach is assessed not only on the loss or theft of personal data, but on the risk the breach itself creates for the individuals affected.
  • There is a response plan in place if any data breaches occur.
  • There is allocated responsibility for the DPO to manage the resolution of any data breaches.
  • There is allocated responsibility for the DPO to minimise the risk of any data breaches.
  • Employees know how to identify and escalate data breaches to the DPO.

In the Event of a Data Breach

mytalu will:

  • Inform any affected customers that a breach has occurred within seventy-two hours of it being discovered.
  • Notify the relevant Regulatory Authorities and inform them of the details.
  • Document the details of the breach and put measures in place to reduce the risk of repeat events.

Data Protection Impact Assessment

How we identify and minimise data protection risks.

DPIA Process

A Data Protection Impact Assessment (DPIA) is a process mytalu implements to identify and minimise the data protection risks it faces.

mytalu will perform a DPIA for any change in a process which involves the processing of personal customer data.

The DPIA involves:

  • The nature, scope, context, and purposes of the processing.
  • An assessment of the necessity, proportionality, and compliance measures.
  • Identification and assessment of the risks to individuals.
  • Identification of any additional measures to mitigate risks.

To assess the level of risk, mytalu considers the likelihood and the severity of any impact on customers. If mytalu identifies a risk that it cannot mitigate, it will consult the relevant Data Protection Authority before starting the new processing methods.
