- This Privacy Notice explains what we do with your personal data from the start until the end of your relationship with the Development Bank of Jamaica Limited (“DBJ” or “us“, “our” or “we”).
- It describes how we collect, use, and process your personal data, and how, in doing so, we comply with our legal obligations to you under the Data Protection Act, 2020 (“DPA“). Your privacy is important to us, and we are committed to protecting and safeguarding your rights.
- Personal data, or personal information, means any information about an individual from which that person is identified or identifiable. It does not include data where the identity has been removed (anonymous data) but may include opinions in relation to a decision about you and will extend to data about a deceased person (up to thirty (30) years following death).
- This Privacy Notice applies to:
- a representative, director, officer, authorised signatory, agent or other natural person connected with an expert, consultant, contractor, DBJ client, tenderer or any other third party with whom we interact;
- a website user, visitor, service subscriber or survey respondent; or
- an applicant for a job at the DBJ (either as a member of staff or as an independent contractor).
- For the purpose of the DPA, the organisation responsible for your personal data is the Development Bank of Jamaica Limited, 11A – 15 Oxford Road, Kingston 5, St. Andrew, Jamaica.
- We have appointed a Data Protection Officer to respond to any requests for information from data subjects. If you have any questions about this Privacy Notice or how we handle your personal data, please contact the Data Protection Officer at dpo@dbankjm.com.
- The DBJ’s Data Protection Policy provides that the DBJ shall process personal data in accordance with the following principles:
- Lawfulness: personal data shall be processed in accordance with one of the express bases set out in any directive or procedure adopted by the DBJ in the implementation of the DBJ Personal Data Protection Policy;
- Purpose Limitation: personal data shall be collected for one or more specified and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;
- Minimisation: we shall endeavour, to the extent reasonably practicable, to process personal data that is relevant and limited to what is necessary in relation to the purposes for which such data is processed;
- Fairness: we shall act with fairness when processing personal data;
- Transparency: we shall process personal data in a transparent manner, subject to legitimate expressly specified exceptions set out in the DPA and any directive or procedure adopted by the DBJ in the implementation of the DBJ Data Protection Policy;
- Security: personal data shall be protected by appropriate technical and organisational safeguards against unauthorised processing and against accidental loss, destruction or damage;
- Accuracy: we shall take measures to ensure that personal data we process is as accurate as possible and updated as necessary to fulfil the purposes for which it is processed; and
- Storage Limitation: DBJ shall retain personal data for the duration specified in its applicable retention schedule.
- DBJ shall process personal data for various purposes. These can include but are not limited to the following:
- recruitment processes;
- procurement procedures and award of contracts;
- performance of contracts;
- administering and managing our website/s;
- providing services to you;
- organising conferences, events and training;
- public relations activities for and on behalf of the bank; and
- client due diligence and Know-Your-Client (“KYC”) procedures;
- DBJ will only use your personal data for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
- This Privacy Notice is non-contractual and we may amend it from time to time. Please visit this Privacy Notice regularly if you want to stay up to date, as we will post any changes in our approach to data privacy here.
- If you are dissatisfied with any aspect of this Privacy Notice, you may have rights which we have described where relevant.
We collect data about you to enable us to ensure that our relationship runs smoothly. Depending on the relevant circumstances and applicable laws and requirements, we may collect some or all of the information which we have grouped below:
- Identity Data which includes your Name, Age/date of birth, Sex/gender, Current Job Title/Position, Nationality/Citizenship, copy of driver’s licence/passport, photographs
- Contact Data which includes your email address, telephone number, postal address, emergency contacts, and, where relevant, details of all dependents;
- Details of your Qualifications and Professional Life such as Educational details, employment history, your current employer, Referee details
- Financial information including banking information, listings of your assets, liabilities and cash flow;
- Criminal History including details of any criminal convictions and offences (where appropriate);
- CCTV footage and other information obtained through electronic means such as swipe card records;
- Extra information that you choose to tell us, your colleagues and referees choose to tell us about you, and that we find from other third party sources.
Please note that the above list of types of personal data collected is not exhaustive.
We collect your personal data in two primary ways:
- Personal data that you give to us; and
- Personal data that we receive from other sources.
Personal data you give to us
There are numerous ways that you can share your information with us. These include:
- When you complete job application forms or contact us with employment enquiries;
- When you complete a survey or a form (e.g. upon visiting our premises, or on dbankjm.com);
- When you liaise with a DBJ representative in the course of conducting a business relationship with DBJ;
- When you sign up for a DBJ organised event;
- When you register for our services or products via any DBJ portal, website or newsletter.
- When you contact us to complain about one of our projects as part of our Grievance Redress Mechanism (‘GRM’).
- When you contact us to request information as part of our Access to Information Policy; and
- When you contact us to request information or complain pursuant to the DPA.
Personal data we receive from other sources
We also receive personal data about you from other sources. These may include:
- When you apply for any of our loan or grant products through our network of AFIs and other intermediaries.
- Information obtained about you when we search third party sources such as LinkedIn and other job sites for potential candidates for your role;
- If you were referred to us through a recruitment agency, they may have shared personal data about you with us;
- Information obtained about you from third party service providers who undertook background checks about you on our behalf;
- Your referees may have disclosed personal data about you to us;
- Information obtained about you from the organisation you represent or of which you are a director, officer, shareholder or beneficial owner;
- Third party vendors/suppliers/service providers/platforms/microsite portals, used by us to fulfil our business purposes or support our business activities related to you and your interaction with us such as YouNoodle and Microsoft Forms.
- Other third parties (such as relevant public authorities or governments departments or agencies) who may share your personal data with us;
- Information obtained about you if a third party signs up for a DBJ organised event on your behalf or as a part of a group;
- Information obtained about you if a third party raises a complaint about a DBJ project on your behalf (as someone who is affected by the project) as part of the GRM; and
- Information obtained about you if your details are provided by a third party identifying you in a DBJ project complaint process as part of the GRM.
We will only process your personal data when we are permitted to do so by the DPA We will use your personal data in the following circumstances:
- Where we have (or are taking steps to enter into) a contractual relationship with you, to ensure the smooth running and performance of our relationship (including all of the activities that need to be undertaken in a usual relationship of that type).
- Where processing your personal data is necessary for compliance with a legal obligation to which we are subject.
- Where processing your personal data is necessary for the purposes of our legitimate interests and your rights and freedoms or legitimate interests are not prejudiced.
- Where processing your personal data is necessary: (i) for the performance of a task carried out by usin the public interest; (ii) in the exercise of ourstatutory function as a public authority and government company with public functions.
- To help us to otherwise comply with our policies, directives and procedures including the DPA in which event we have a legitimate interest to process the data.
Where you give us your consent to process your personal data.
- Where appropriate, we may share certain of your personal data, in various ways and for various reasons including (but not limited to) when we need to comply with our policies and procedures.
- Such sharing of personal data may be with the following categories of people:
- Our professional advisers;
- Individuals and organisations which hold information related to your reference or application to work with us, such as current or past employers, educators and examining bodies, immigration agencies and employment and recruitment agencies;
- Third parties, in order to comply with our obligations under our policies and procedures;
- Governmental authorities which have a right to receive the information including but not limited to the Financial Investigations Division;
- Third party service providers, including processors, which perform functions on our behalf (including insurance plan providers and professional advisers such as auditors)
- Third parties involved in, or assisting with, litigation (including legal advisers, witnesses, experts and judicial and quasi-judicial authorities); and
- Third parties who we have retained to provide services such as pre-employment checks to the extent that these checks are appropriate and in accordance with our policies and procedures, including the DPA.
- We want to make sure that your personal data is stored and transferred in a way which is secure. We will therefore only transfer data to third parties where they comply with a standard of protection of personal data equivalent to at least the level of protection established by the DPA and where such transfer does not breach the provisions of the DPA.
- We have put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal data. These include reasonable measures to deal with any suspected data breach.
- We are committed to the appropriate ongoing security and confidentiality of personal data by taking all reasonable and appropriate steps to protect the personal data that we hold from accidental or unauthorised destruction, loss, alteration, disclosure or access by unauthorised persons. We do this by having in place a range of appropriate technical and organisational measures.
- There is always risk involved in sending information through any channel over the internet. You send information over the internet entirely at your own risk. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted over the internet and we do not warrant the security of any information, including personal data, which you transmit to us over the internet.
- If you suspect any misuse or loss of or unauthorised access to your personal data please let us know immediately. If you think that we did not process your personal data in accordance with the DPA, you can submit a complaint to our Data Protection Officer at dpo@dbankjm.com.
- We may retain your personal data as long as it remains necessary in relation to the purposes for which we collected the information. The precise length of time will depend on the type of personal data, the purpose for which we have processed it and other obligations under our policies and procedures that may require us to retain it for certain minimum periods. For example, we may be required to retain certain data if it might be relevant to any potential litigation.
- Once we have determined that we no longer need to hold your personal data, we will delete it from our systems.
Please note that you have various rights to your personal data, which we have set out below.
Right to Access Personal Data
You may ask to obtain confirmation from us as to whether or not your personal data is being processed, and, where it is processed, to access certain relevant information about the data and the processing. You may also access your personal data processed by us. Your rights will be subject to the restrictions on the right to access under the DPA.
For more information about this right of access, and if you wish to submit a request to exercise your right of access, you may contact our Data Protection Officer at dpo@dbankjm.com.
Right to Rectification
In the event that you identify inaccuracies or incompleteness in the personal data that we holds about you, you have the right (i) to request that we rectify such inaccuracies; or (ii) to supplement the personal data, as appropriate, for completeness.
For more information about this right to rectification, and if you wish to submit a request to exercise your right to rectification, you may contact our Data Protection Officer at dpo@dbankjm.com.
Right to Prevent Processing
You may request that we desist or do not begin processing of your personal data if that processing is unlawful and for specific reasons, for example:
- where the processing is causing or is likely to cause unwarranted and substantial damage or distress to you or someone else;
- the personal data is not relevant for the processing purpose or is otherwise incomplete
- the processing is prohibited under any law; or
- the personal data has been retained longer than is permitted under any law/
For more information about this right to prevent processing, you may contact our Data Protection Officer at dpo@dbankjm.com.
Right in relation to Automated Decision-making
Automated decision making takes place when an electronic system uses personal information to make a decision without human intervention. These decisions can be based on factual data, as well as on digitally created profiles or inferred data. The DPA restricts solely automated decision making which includes profiling and which significantly affects you, the data subject.
While we may utilize automated decision making in vetting applications such as to the IGNITE Grant, no decision is made solely through this means or without meaningful human input. At this stage, we do not envisage that any decisions will be taken about you using solely automated decision making but will inform you if this is to change. You also have a right to ask us to reconsider any decision which is taken by such means as well as be informed as to the logic involved in the automated decision making. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during the period for which we hold your data.
In connection with the purposes described in this Privacy Notice, your personal data may be transferred to the following recipients located outside of your jurisdiction:
- To third parties (such as our advisers and suppliers to our business or providers of benefits); and
- To a cloud-based storage provider.
Please note that some of these third parties may, in turn, transfer your data internationally.
We want to make sure that your personal data is stored and transferred in a way which is secure. We will therefore only transfer data internationally to third parties where they comply with a standard of protection of personal data equivalent to at least the level of protection established by the DPA.
If you have any questions about this Privacy Notice, please contact us by email or postal mail as follows:
Data Protection Officer:
dpo@dbankjm.com
The Development Bank of Jamaica
11A-15 Oxford Road,
Kingston 5
Requests may be made in writing or by email – see How to Contact Us above. All requests will be recorded, and you may need to provide information to verify your identity and enable us to locate the information.