Privacy Policy

Privacy statement of Gulf African Bank Kenya Limited, its subsidiaries and associate companies


Gulf African Bank Limited (“GAB”, “we”, “us” or “our”) is the controller of Personal Data or Personal Information and is fully committed to the safety and security of the operations of its website and internet based systems.

In this Privacy Statement, “Personal Data” or “Personal Information” means any information concerning an individual (“you” or “your”) from which the individual can be identified and “data subject” has the same meaning as “individual”. It comprises identity data (includes first name, maiden name, last name, username or similar identifier, marital status, date of birth and gender); contact data (includes billing address, delivery address, email address and telephone numbers); financial data (includes bank account and payment card details); transaction data (includes details about payments to and from you and other details of products and services you have purchased from us); technical data (includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating systems and platform and other technology on the devices you use to access this website); profile data (includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses); usage data (includes information about how you use our products and services, website, cookies and our online or electronic banking services) and marketing and communications data (includes your preferences in receiving marketing from us and our third parties and your communication preferences).

Personal Data relating to Small and Medium Enterprises (SMEs), Retail and Corporate and Institutional Banking is limited to the information on directors, partners and officers, direct and indirect beneficial owners and authorised persons.

We will, in the event you have more than one account with us, link all your Personal Data.

Collection of Personal Data

We use diverse ways to collect data from and about you including through:

  1. Direct interactions. You may give us your identity, contact and financial data by filling forms or by corresponding with us by post, phone, email or otherwise. This includes Personal Data you provide when you:
  • apply for our products or services;
  • create an account on our website;
  • subscribe to any of our services;
  • enter a competition, promotion or survey;
  • request marketing to be sent to you; or
  • give us feedback or contact us.

2. Automated interactions. As you interact with our website, we will automatically collect technical data about your equipment, browsing actions and patterns. This will aid us in providing you with better products and services, to make decisions and to prevent money laundering, terrorism, fraud and other financial crimes. We collect this Personal Data by using cookies, server logs and other similar technologies.

3. Third parties or publicly available sources. We will receive Personal Data about you from various third parties and public sources such as credit reporting and government agencies.

4. Access to your Device’s phone book (contacts list). In order to customize and provide certain features with regard to Our Service, we will request access to your contact list.

Allow access to your Device’s contact list to facilitate a better banking experience and help you easily transfer funds or make payments to your contacts.

By allowing access to your Device’s contact list, you can easily select recipients from your address book when making transactions. This streamlines the process, making it more convenient for you.

We will only access your contact list with your permission. We will not share your contact list with any third parties without your consent. We will only use your contact list for the purposes described in this Privacy Policy. You can enable or disable access to this information at any time, through your Device settings.

Processing of Personal Data

We will use your Personal Data as the law allows us to, which is in the following circumstances:

  1. Performance of any contract we are about to enter into or have entered into with you for our products and services. The processing of your Personal Data for this purpose shall include the following:
  • processing applications for products and services, effecting payments, transactions and completing instructions or requests;
  • providing products and services (including electronic banking services);
  • assessing suitability for products and services;
  • credit assessments including conducting credit checks and setting credit limits;
  • operational purposes;
  • statistical purposes;
  • establishment, continuation and management of banking relationships and accounts;
  • surveillance of premises and Automated Teller Machines (ATMs).

2. Compliance with a legal or regulatory obligation. This purpose entails:

  • the prevention, detection, investigation and prosecution of crime in any jurisdiction (including without limitation: money laundering, terrorism, fraud and other financial crime);
  • identity verification, government sanctions screening and due diligence checks; and
  • compliance with local or foreign law, regulations, directives, judgements or court orders, government sanctions or embargoes, reporting requirements under financial transactions legislation and demands of any authority, regulator, tribunal, enforcement agency or exchange body.

3. In our legitimate interest, which includes the following scenarios:

  • professional advice including in connection with any legal proceedings or prospective legal proceedings;
  • in effecting agreements between GAB and any authority, regulator or enforcement agency;
  • compliance with policies (including GAB’s policies) and good practice standards; and
  • any other scenarios in which we need to establish, exercise or defend our legal rights.

Below is a description of the ways we will use your Personal Data and the legal basis for such usage:


To register you as a new customer
  • Type of data: (a) Identity; (b) Contact
  • Lawful basis for processing including basis of legitimate interest: Performance of a contract with you

To process and deliver your request or instructions including: (a) Manage payments, fees and charges; (b) Collect and recover money owed to us
  • Type of data: (a) Identity; (b) Contact; (c) Financial; (d) Transaction; (e) Marketing and Communications
  • Lawful basis for processing including basis of legitimate interest: (a) Performance of a contract with you; (b) Necessary for our legitimate interests (to recover debts due to us)

To manage our relationship with you which will include: (a) Notifying you about changes to our terms or Privacy Statement; (b) Asking you to leave a review or take a survey
  • Type of data: (a) Identity; (b) Contact; (c) Profile; (d) Marketing and Communications
  • Lawful basis for processing including basis of legitimate interest: (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

To enable you to partake in a prize draw, competition or complete a survey
  • Type of data: (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Marketing and Communications
  • Lawful basis for processing including basis of legitimate interest: (a) Performance of a contract with you; (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
  • Type of data: (a) Identity; (b) Contact; (c) Technical
  • Lawful basis for processing including basis of legitimate interest: (a) Necessary for our legitimate interests (for running our business, provision of administration and Information Technology services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); (b) Necessary to comply with a legal obligation

To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
  • Type of data: (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Marketing and Communications; (f) Technical
  • Lawful basis for processing including basis of legitimate interest: Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
  • Type of data: (a) Technical; (b) Usage
  • Lawful basis for processing including basis of legitimate interest: Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)

To make suggestions and recommendations to you about goods or services that may be of interest to you
  • Type of data: (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Profile; (f) Marketing and Communications
  • Lawful basis for processing including basis of legitimate interest: Necessary for our legitimate interests (to develop our products/services and grow our business)

We will use your Personal Data for the purposes described above. We will notify you in the event we need to use your Personal Data for an unrelated purpose and explain the legal basis which allows us to do so.

Please note that we may process your Personal Data without your knowledge or consent where the same is required or permitted by law.


We may use your identity, contact, technical, usage and profile data to form a view on what products, services and offers we think you may want or need, or what may be of interest to you.

You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have not opted out of receiving that marketing.

You can ask us to stop sending you marketing messages at any time by contacting your branch or relationship manager.

Disclosure of Personal Data

GAB including its officers, employees, agents and advisors may disclose your Personal Data to any of the following parties for any of the purposes described in this Privacy Statement:

  1. Any GAB entity in the world including any officer, employee, agent or director of GAB.
  2. Professional advisers, third party service providers, agents or independent contractors providing services to support GAB’s business.
  3. Our business partners who may provide their products or services to you.
  4. A merchant or a member of a card association where the disclosure is in connection with use of a card.
  5. Your legal representative and their legal advisers, upon your death or mental incapacity.
  6. Any person authorised to operate your account and to act on your behalf in giving instructions or to perform any other acts under any agreement or use any product.
  7. Any person to whom disclosure is allowed or required by local or foreign law, regulation or any other applicable instrument.
  8. Any court, tribunal, regulator, enforcement agency, exchange body, tax authority or any other authority (including any authority investigating an offence) or their agents.
  9. Any debt collection agency, credit reference agency or bureau, rating agency, correspondents, insurer or insurance broker, direct or indirect provider of credit protection and fraud prevention agencies.
  10. Any financial institution to conduct credit checks, anti-money laundering related checks, and for fraud prevention and crime detection purposes.
  11. Anyone we consider necessary for provision of services in connection with our products.
  12. Any actual or potential participant or sub-participant in relation to any of our obligations with respect to any agreement, assignee, novatee or transferee (or any officer, employee, agent or adviser of any of them).

International Transfers

We may transfer your Personal Data outside Kenya either to carry out your instructions or for ordinary business purposes. In such cases, we will only process your Personal Data with your consent or where necessary, ask the party to whom we transfer your Personal Data to agree to our privacy principles, policies and practices.


We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to GAB’s employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

We may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.

Data Retention

We will only retain your Personal Data for as long as reasonably necessary to fulfill the purposes we collected it for, including for purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. This will be for seven (7) years from the end of your relationship with us. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation with respect to our relationship with you.

In some circumstances we will anonymise your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.


To the extent permitted by law, we may record and monitor your electronic communications to ensure compliance with legal and regulatory obligations and internal policies.

We will monitor and analyse your account for credit, fraud, compliance and other risk-related purposes as required by law.

Social Media

We operate and communicate through our designated channels, pages and accounts on some social media sites to inform, help and engage with our customers.

We monitor and record comments and posts made about us on these channels so as to improve our services.

We are not responsible for any information posted on those sites other than the information posted by our designated officials. We do not endorse the social media sites themselves, or any information posted on them by third parties or other users.

We do not give investment, tax or other professional advice on social media sites.

When you engage with us through social media your Personal Data may be processed by the site owner. This processing is outside our control and may be in a country outside Kenya that may have different privacy principles.

Social media sites are not appropriate forums to discuss our products, services or financial arrangements. We will not ask you to share personal, account or security information on social media sites.

We regularly update and monitor our social media accounts and welcome feedback and ideas sent to us through these channels. We try to join conversations whenever possible, but cannot guarantee that we will read or reply to all messages sent to our official social media accounts.

Your Legal Rights

You have the right to:

  • Request access to a copy of Personal Data processed by us in relation to you. GAB may charge a fee for this as permitted by law.
  • Request correction of the Personal Data we hold about you at your branch or through your relationship manager. Please note that we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your Personal Data where there is no good reason for us continuing to process it. Please note, however, that we may not always be able to comply with your request for erasure for specific legal purposes which will be notified to you, if applicable, at the time of your request.
  • Object to processing but this does not mean you get to decide how we process your Personal Data other than in relation to marketing. If you have any concerns about how we process your Personal Data, please discuss the same with your relationship manager. We will not offer the services or products you request or apply for if you do not want us to process the Personal Data we consider necessary.
  • Request us to restrict how we process your Personal Data.
  • Request the transfer of your Personal Data to you or a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Our Contacts

Please contact us at:
Gulf African Bank Limited
Geminia Insurance Plaza, Kilimanjaro Avenue, UpperHill
P.O Box number 43683-00100
Nairobi, Kenya.
Telephone: +254(0)711075000 Email address: [email protected]

Queries and Complaints

If you have any query or complaint relating to the processing of your Personal Data, please discuss the same at your branch or with your relationship manager or contact us through the address provided above.

Links to Other Sites

This website may contain links to web sites controlled or offered by third parties. GAB hereby disclaims liability for any information, materials, and products or services posted or offered at any of the third party sites linked to this web site. By creating a link to a third party web site, GAB does not endorse or recommend any products or services offered, or information contained at that web site, nor is GAB liable for any failure of products or services offered or advertised at those sites. Such third party sites may have a privacy policy different from that of GAB or provide less security.

Additional Terms and Conditions

There may be specific terms and conditions that govern our products and services. Certain sections or pages on our website may also contain separate terms and conditions. Such other terms and conditions must be read in conjunction with this Privacy Statement.

Governing Law

This Privacy Statement is governed by all applicable laws of the Republic of Kenya.

Changes to this Privacy Statement

This Privacy Statement may be updated from time to time and you are advised to visit this site regularly to check for any amendments.
