Purpose
The purpose of this Privacy Statement is to explain how we collect, use, store, and protect personal data or information in accordance with the Data Protection Act No. 5 of 2022, as amended from time to time.
The Ombudsman treats all personal data or information and sensitive personal information the Office of the Ombudsman collects through different channels as private and confidential.
The Ombudsman of Financial Services has a legal mandate in terms of the Financial Services Regulatory Authority Act of 2010 (FSRA Act), to resolve certain disputes in the financial services industry quickly and with minimum formality, in line with the FSRA Act, financial services laws (FSLs) and the Complaints Handling Procedure Guidelines of the Ombudsman of Financial Services, 2017.
To achieve its objectives, discharge its obligations and execute its functions, the Office of the Ombudsman, must collect and use data or information, including personal data or information as well as sensitive personal data as defined in the Data Protection Act, 2022.
““Personal data or information” means information about an identifiable individual that is recorded in any form, including without restricting the generality of the foregoing –
- Information relating to the race, national or ethnic origin, religion, age or marital status of the individual;
- Information relating to the education, or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
- Any unique identifying number, symbol or other particular assigned to the individual;
- the address, fingerprints or blood type of the individual;
- the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual;
- correspondence sent to a data controller by the individual that is expected to or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence; and
- the views or opinions of any other person about the individual.”
“Sensitive personal information” means –
- genetic data, data related to children, data related to offences, criminal sentences or security measure, biometric data as well as, if it is processed for what it reveals, personal information revealing racial or ethnic origin, political opinions or affiliations, religious or philosophical beliefs, affiliation, trade-union membership, gender and data concerning health or sex life; or
- any personal information otherwise considered by the laws of Eswatini as presenting a major risk to the rights and interests of the data subject, in particular unlawful or arbitrary discrimination.”
Right to Change this Privacy Statement
The Ombudsman may change this Privacy Statement to align with changes in the law or changes in technology which impact on how the Office of the Ombudsman processes your data or personal information. These changes and the latest versions will be published on the website.
Scope
This policy applies to all personal data or information collected through:
- Complaint submissions
- Website interactions
- Email, phone, and in-person communications
- Public consultations and outreach programs
- Referrals from Memorandum of Understanding (MOU) Partners
Collection of Personal Data or Information
Personal data or information is collected for purposes of fulfilling our legislative mandate and sector specific obligations.
The Office of the Ombudsman may collect information from multiple sources. These sources include:
- Other regulators: These regulators may be inside or outside of the Kingdom of Eswatini
- Media sources such as newspapers, social media and the broadcast news
- Law enforcement agencies, such as the Royal Eswatini Police Service (REPS)
- Members of the public
- Financial Services Providers
- Collaborating Partners
- Verification agencies
Why do we Collect Personal Data or Information?
We collect your personal data or information for reasons, that include:
- To process complaints in terms of the financial services laws and codes, guidelines, and any other relevant legislation and/or legal instruments.
- To analyse the suitability for the products and services rendered to consumers.
- To monitor financial services trends and market conduct risks.
- To identify possible contraventions of sector specific laws and codes.
- To manage the employment relationship where you are employed in a position within the Office of the Ombudsman.
- For processing your application where you have applied for a position tenable at the Office of the Ombudsman
What Personal Data or Information do we Collect?
A non-exhaustive list of personal data or information and sensitive personal information that may be collected and processed contains the following:
- Names, surname, marital status, nationality, sex, age, disability status, language, date of birth.
- Identifying number (employee number; company registration number, personal ID number).
- Email-address, physical address, telephone number, cell-phone number.
- Documentation such as marriage certificates, death certificates, policies, contracts, passport, minutes of meetings (copies of)
- Biometric information such as facial recognition, particularly in our employment processes.
- Educational, medical (physical health status, mental health status, well-being), financial, employment information
We may not be able to carry out our legislative mandate and provide our services to the public, employ you or procure your services without your personal information.
Publication and Access to Ombudsman of Financial Services Registers
The Ombudsman makes accessible certain data or information to the public on the website, such as determinations issued on complaints submitted to the Ombudsman. The accessible data or information includes, but is not limited to, the details of the complaint type and issues, information relating to a financial product, quantum, and the reasons for the resolution reached.
The Ombudsman will only make accessible limited data or information, through the published determinations and case studies; data or information that will allow the public the ability to gain an understanding of the responsibilities of financial services providers and consumers towards one another.
The Use of Third Parties
The Ombudsman will, from time to time, share your personal data or information or sensitive personal information with third parties. Personal information will only be disclosed if:
- It is necessary to fulfil our legislative mandate as provided for in the FSRA Act and any financial services law.
- For business purposes.
- The law requires it.
- We have a public duty to disclose the information.
- Your legitimate interests require disclosure.
- You have provided consent for us to disclose your information.
Third parties may include but are not limited to:
- Ombudsman service providers
- Other regulators (including foreign regulators)
- Law enforcement agencies
- Verification agents
- Memorandum of Understanding (MOU) Partners during a referral process
We request the third parties with whom we share information, to take adequate measures and comply with applicable data protection laws and protect the information we are disclosing to them. We do this through contractual arrangements with these third parties. We also take internal measures to ensure that the third parties we appoint have appropriate measures to protect the information we provide to them.
If you want to learn more about our internal measures, please contact the Data Protection Officer or the Ombudsman on the contact details provided in this statement.
Transborder information flows
Where necessary and appropriate, your personal data or information may be processed in other countries for:
- Business purposes, in instances where our third parties are located in countries outside of the Kingdom of Eswatini.
- Sharing with other regulators outside of the Kingdom of Eswatini
- Fulfilling a legislative mandate, or
- Law enforcement agencies for investigation purposes.
These countries may not have the same level of protection. However, before we transfer personal data or information outside the Kingdom of Eswatini, we have stringent processes to ensure that appropriate organisational and security safeguards are put in place to protect the personal data or information which includes contractual and internal due diligence measures.
Data Retention
The Ombudsman retains Personal Data or Information as long as it is necessary to comply with the legal obligations of the Ombudsman, resolve disputes, and provide the Ombudsman’s services. The Ombudsman will retain parties’ Personal Data or Information and Sensitive Personal Information for so long as it is needed to continue to provide our services. The Ombudsman may retain a parties’ Personal Data or Information and Sensitive Personal Information after their matter has been resolved or closed, if retention is reasonably necessary to comply with any other legal or regulatory requirements, to prevent fraud and abuse, or to enforce our Terms of Use. The Ombudsman may also retain Personal Data or Information and Sensitive Personal Information, for a limited period, if required by law.
Personal Data or Information Security
The OFS is committed to protecting your Personal Data or Information and Sensitive Personal Information through robust security measures. These include using advanced technologies, encryption, and access controls to safeguard Personal Data or Information against loss, misuse, and unauthorized access. We conduct regular audits and reviews to maintain high security standards. However, while we implement strong protections, we concede that there is no system that can guarantee complete security.
Your Rights
You have rights as the data subject which you can exercise in relation to the personal data or information we hold about you. The requests must be made in writing, to the Data Protection Officer or the Ombudsman, Nondumiso Simelane, at nsimelane@ombudsfs.org.sz or refer to our website for the Privacy Statement to confirm how we are processing personal information, please visit our website on www.ombudsfs.org.sz
You can exercise your right to:
- Request access to the information we hold about you. We may, if allowed by law, charge a fee for this.
- Request correction or deletion of Personal Data or Information and Sensitive Personal Information about the data subject in our possession or under our control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
- Request the destruction and deletion of your personal data or information and sensitive personal information that we are no longer authorised to retain.
- Object to the way in which we process your personal data or information and sensitive personal information.
- Complain to us about the way we use your personal data or information using the contact details of the Data Protection Officer or the Ombudsman. If you are not satisfied with how we handle your complaint, you can lodge a complaint with the Eswatini Data Protection Authority using their details provided in this statement.
- You have the right to query a decision that we make about some of our services that was made solely by automated means. You can do that by contacting the Data Protection Officer or the Ombudsman on the details provided in this statement.
It is important to note that the rights are not absolute and must be balanced against other competing rights. As such, they may be limited owing to the nature of our mandate. We may also rely on certain exceptions which may impact on your rights, for example, your right to object or the right of access to information. We will only do this where the interest we are mandated to protect outweighs, to a substantial degree, interference with your privacy. Where possible, in terms of law, we will explain the exception we are relying on and its impact on your rights.
Use and monitoring of electronic communications
It is important that we keep the public abreast of any development that has a public interest. As such we communicate with you and the public using different channels, including the media.
Retention of personal information
Our retention schedule and information policies define how long we keep all types of records, including any personal information and sensitive personal information we process in the different divisions. Personal information and sensitive personal information is retained and destroyed as required or authorised by law, and for defined purposes related to the activities of the Ombudsman.
How to contact us
If you have any queries, about our privacy notice and how we process your personal data or information, please contact the Ombudsman Data Protection Officer or Ombudsman, Nondumiso Simelane at nsimelane@ombudsfs.org.sz or info@ombudsfs.org.sz.
Physical address:
Office of the Ombudsman of Financial Services (OFS)
3rd Floor, West Wing, Ingcamu (PSPF) Building
Mhlambanyatsi Road
Mbabane
Postal Address:
P.O. Box 8490
Mbabane
H100
Eswatini
Eswatini Data Protection Authority
The contact details of the Data Protection Authority are as follows:
Physical Address:
Eswatini Communications Commission ESCCOM Offices
Portion 11 of Farm 850
MR103, Ezulwini
Opposite EPH
Postal Address:
P.O. Box 7811
Mbabane
H100
Eswatini
Telephone: +268 2406 7037
Email: dataprotection@esccom.org.sz
Website: www.edpa.org.sz
For complaints
Data subjects can lodge complaints on the website.
For data breaches
Entities can report data breaches on the website.
