Privacy Policy
- Introduction/Scope
This Privacy Policy document is prepared in accordance with the provisions of the Nigeria Data Protection Act (NDPA), and by extension, the EU General Data Protection Regulation (GDPR). It sets out how Zenith Bank PLC (“Zenith Bank”) applies and complies with the data privacy principles in processing the personal data of customers, staff, vendors, visitors, and even third parties that interact with Zenith Bank. Please note that we endeavour to continuously update these policies to ensure they align with best practices and meet transparency objectives.
For personal data of individuals, this document also highlights their rights and covers the data subject(s) whose personal data is collected and processed, in compliance with the NDPA.
This privacy policy describes why and how we collect and use personal information about our customers, clients, vendors, and visitors (data subjects). It also highlights with whom we might share Personal Information and how long we keep such information. It also makes data subjects aware of their rights under the regulation.
- Roles/Responsibilities
Zenith Bank Data Protection Officer (DPO) is responsible for ensuring that this document is correct and up-to-date. The DPO also ensures that data subjects are duly notified prior to the collection and processing of their personal data by Zenith Bank, including data collected via the Zenith Bank’s website. All Zenith Bank employees/staff who interact with personal data must also ensure to follow the provisions in this policy document.
- Policy Statement
Zenith Bank is committed to protecting the privacy and security of our personal data. We are responsible for determining how we hold and use personal information about our data subjects. According to the Nigeria Data Protection Act (NDPA), Zenith Bank PLC is required to notify data subjects of the information contained in this document.
3.1 About Zenith Bank PLC
Zenith Bank Plc is one of the largest financial service providers in Nigeria and Anglophone West Africa, duly licensed as a commercial bank by the Central Bank of Nigeria (CBN), the national banking regulator.
Zenith Bank is a reputable technology-driven financial institution that is recognized for innovation, superior performance, and creation of premium value for all stakeholders.
With branches and business offices scattered across prime commercial centres in Nigeria, Africa and United Kingdom, Zenith Bank is considered a leader in the deployment of various channels of banking technology, driven by a culture of excellence and strict adherence to national and global best practices, combining vision, skilful banking expertise, and cutting-edge technology to create products and services that anticipate and meet customers’ expectations while enabling businesses to thrive and grow wealth for customers.
Due to the nature of Zenith Bank’s business and the fact that Zenith Bank provides financial services across the globe, Zenith Bank is mandated to collect and process personal data of Nigerian individuals, as well as residents and citizens of other countries across the globe.
3.2 What Personal Data Do We Need?
The personal data we would collect and process, depending on the particular processing requirement, are under the following categories:
Data Type |
Description of Data |
Identity Data |
Full Name, maiden name, marital status, title, biometric information, national identification number (NIN), passport details, driver’s licence details, date of birth, gender, address, biometric, face ID, employment history and citizenship. |
Contact Data |
Address, Email Address and Telephone Numbers. Information received during contact with face-to-face meetings, phone calls, emails, letters and SMS. |
Financial Data |
Bank account information and bank statements, Bank verification Number (BVN), income and outgoings, financial position, status, and credit history, debit or credit card information and account number. |
Transaction Data |
Information regarding the products and services a data subject may have benefited from by using Zenith Bank Plc and any of its subsidiaries, transactional information in respect of products purchased. Location data of transactions where a data subject may have used their debit card. |
Technical Data |
Internet protocol (IP) address, login data, details of browser and operating system, time zone setting and location, browser plug-in types and versions, platforms and other technology such as device id, geolocation, IP, model and user agent on the devices used to access Zenith Bank’s website. |
Profile Data |
Includes username and password. |
Job Application Data |
Data submitted throughout the recruitment process e.g. name, email address. Any personal information you provide to Zenith Bank Plc as part of the recruitment process. |
Usage Data |
Includes information about how data subject uses our website, products and services. |
Marketing and Communications Data |
Information about data subject communications with Zenith Bank. Preferences in receiving marketing e-mails and consents given by data subject to Zenith Bank. |
Others |
CCTV/Video footage whenever you come into our premises or use our ATMs and telephone conversations via calls made through any of our contact centre lines. |
In respect of your data which may be collected by Zenith Bank, certain terms may specifically apply to Face Data and your biometrics. You should therefore note the following:
- Collection: Face Data and biometrics may be collected through various secure channels, such as mobile applications, ATM machines or other digital interfaces, only when explicitly authorised by the user.
- Use: Strictly used for predefined purposes such as identity verification, fraud prevention or for providing personalized banking services.
- Disclosure: Disclosed only to trusted entities like regulatory bodies, payment processing partners or third-party service providers with confidentiality agreements.
- Retention: Stored securely and retained only as long as necessary. Deleted when no longer required.
- User Consent: Collected only after users are informed and provide explicit consent.
Where special category data is involved, lawful basis will be explicit consent, legal obligation, or legal proceedings/advice.
- Why We Need the Data
Zenith Bank ensures that the personal data collected and processed is necessary for the purpose of collection, and shall not collect or process more data than is reasonably required for a particular processing activity.
- Legal Grounds for Processing
Zenith Bank identifies, establishes, defines, and documents the specific purpose of processing and the legal basis for processing personal data before any processing operation takes place under:
- Consent obtained from the data subject
- Performance of a contract
- Legal obligation
- Protection of vital interests
- Official authority or public interest
- National law
Purpose of Processing & Lawful Basis:
Purpose of Processing |
Lawful Basis |
Account creation, identity verification and maintenance of records |
Contract |
Vendor validation/information processing |
Contract |
Employment |
Contract |
- Processing of Personal Data Based on Consent
Where applicable, Zenith Bank will require explicit consent. Visitors must read and agree to the privacy policy before use.
If the data subject does not agree, services may not be accessible. For sensitive data, explicit notification and explanation will be given.
For children:
- NDPA age: under 18
- GDPR age: under 16
Consent must be from person with parental responsibility. Zenith Bank will verify age and authenticity.
6.1 Withdrawal of Consent
Consent may be withdrawn anytime via written request or Withdrawal of Consent form sent to:
dataprotectionoffice@zenithbank.com
[Click here to download the form]
In case of children, the holder of parental responsibility must make the request.
- Use of Cookies
Zenith Bank’s website uses cookies (e.g., Google Analytics) to:
- Recognize users
- Track website navigation
- Improve usability
- Analyze usage
- Manage the website
Users may disable cookies via browser settings, but it may affect functionality.
- Disclosure to Third-Parties
Zenith Bank will not disclose personal data without consent unless legally required. Where processing involves fraud prevention, legal obligations, or protection of rights, lawful grounds will be established.
Appropriate physical, technical, and organizational measures are in place, including encryption and anonymisation.
8.1 Cross-Border Transfers
Third parties abroad may receive personal data for processing. Zenith Bank will:
- Sign a Data Processing Agreement
- Obtain consent if purpose was not stated initially
- Ensure adequate protection standards are met
Data may be transferred if:
- The country has adequate protection
- A contract with NDPC-approved clauses exists
- Binding corporate rules apply
- Administrative arrangements are approved
- Retention of Records
Zenith Bank will retain personal data as long as necessary for service delivery and regulatory compliance.
- Retention considerations: purpose, type, lawful basis, data subject category
- Personal data retained up to 10 years
- Transaction data: retained for minimum 5 years
Data is securely archived or deleted when no longer needed.
- Data Subject Rights
Data subjects have the right to:
- Request access to personal data
- Request correction or deletion
- Restrict processing
- Transfer data
- Object to direct marketing
- Object to automated profiling
- File a complaint or seek judicial review
Requests can be submitted via:
dataprotectionoffice@zenithbank.com
[Click here to download DSAR form]
- Complaints
To file a complaint about how your data is handled, contact:
Supervisory Authority
dpo@ndpc.gov.ng
Data Protection Officer (DPO)
dataprotectionoffice@zenithbank.com