Privacy Notice

A. Who we are

Old Mutual Life Assurance Company (Malawi) Limited, Old Mutual Pension Services Company, Old Mutual Investment Group Limited, Old Mutual Unit Trust Company (Malawi) Limited, Mthunzi Funeral Services Limited, MPICO plc and Old Mutual Finance Limited (collectively referred to as “Old Mutual”), are Data Controllers and Data Processors responsible for the collection and processing of personal data. This Privacy Notice describes how Old Mutual collects and processes personal data.

B. Our commitment to protecting your privacy

At Old Mutual, we take the protection of your personal information seriously. We are deeply committed to maintaining the confidentiality, integrity, and security of the data you entrust to us. Our privacy practices are guided by transparency, lawfullnes,s and accountability, and we strictly adhere to the provisions of the Data Protection Act 2024, the Electronic Transactions and Cyber Security Act 2016, and other relevant laws. We continuously review and strengthen our data protection measures to ensure your information is handled responsibly and lawfully, because your trust is our most valuable asset.

C. Legal bases for processing your data

We rely on the following legal bases to ensure that our data processing activities are lawful, fair, and transparent:

i. Consent: We process personal data based on your explicit consent, which you provide for one or more specific purposes. Consent must be freely given, informed, and specific, and you have the right to withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal. Where the personal data collected relates to a minor or otherwise legally incapable person, we will only process such data based on the consent of a parent, legal guardian, or other person lawfully authorised to act on their behalf. We put in place mechanisms to verify the age or capacity of the individual and the identity of the consenting parent or

guardian. Parents or guardians may exercise rights on behalf of the individual, including withdrawing consent or requesting access to or correction of the personal data collected. We ensure that appropriate safeguards are applied to protect the personal data of children and legally incapable persons.

ii. Contractual Necessity: Where processing is required to enter into or perform a contract with you, such as providing financial services, managing your account, or processing claims.

iii. Legal or Judicial Obligation: We may process personal data where required by, or under, any written law or pursuant to an order issued by a court of law. This includes compliance with statutory obligations, regulatory directives, or judicial proceedings that compel the disclosure or use of personal data.

iv. Public Authority Mandate: We may process personal data where such processing is expressly authorised by a written law and carried out by a competent public authority in furtherance of its legal mandate. This includes activities undertaken by regulatory bodies, law enforcement agencies, or other government institutions acting within the scope of their statutory powers.

v. Legitimate Interests: Where processing is necessary for our legitimate business interests, such as improving our services, preventing fraud, or ensuring network and information security, provided such interests are not overridden by your rights and freedoms.

vi. Vital Interests: In rare cases, we may process personal data to protect your life or the life of another individual.

vii. Public Interest or Official Authority: Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Old Mutual.

We ensure that your rights are respected and that appropriate safeguards are in place for each legal basis relied upon.

D. Purposes for which we may process your personal data

To enable us to fulfil the contract between us for the products or services you have

requested, we need to process your personal data for purposes including the following:

i. Processing applications for products and services, effecting payments, transactions, updating records, and completing transactions or requests.

ii. Providing and improving our products and services.

iii. Conducting automated decision-making and profiling, such as assessing suitability for products and services.

iv. Performing credit assessments, including conducting credit checks and setting credit limits.

v. Carrying out operational activities.

vi. Meeting legal and regulatory requirements.

vii. Helping to protect against fraud and other financial crimes.

viii. Underwriting purposes.

ix. Undertaking tracing activities where you are otherwise uncontactable.

x. Conducting sanctions screening against sanctions lists.

xi. Carrying out audits to ensure compliance, quality assurance, and risk management.

xii. Conducting investigations in relation to complaints, disputes, fraud, misconduct or regulatory breaches.

E. The type of information we collect

The provision of personal data is compulsory. Personal data that we will collect from you includes but is not limited to:

i. Full name.

ii. Identification Number.

iii. Date of Birth.

iv. Gender.

v. Contact details (including postal address, residential address, telephone number, email address).

vi. Employment and income details.

vii. Results of credit checks. 

Depending on the product or service offered, we will collect sensitive personal data such as:

i. Biometric data.

ii. Health status.

When you provide us with information about third parties (for example your spouse, beneficiaries and/or dependents), we will process their personal information to issue a policy/benefit and to pursue their legitimate interest. You warrant that when you give us personal information about third parties, this information is accurate and correct and you have received their permission to share their personal information with us for the purposes set out in this Privacy Notice.

F. Processing of sensitive personal data

Old Mutual shall not process sensitive personal data of a data subject unless one of the following condition applies:

i. The data subject has provided consent to the processing of the data for a specific purpose.

ii. The processing is necessary to protect the interest of the data subject.

iii. The processing is necessary for the purpose of exercising or performing a right or obligation of Old Mutual or the data subject under a written law or a court order.

iv. The processing is in the interest of public health.

v. The processing is for public interest.

vi. The processing is necessary for the establishment, exercise or defence of a legal claim, obtaining legal advice or conduct of a legal proceeding.

vii. The processing is necessary for the purpose of archiving the data for public interest or for research or statistical purposes.

viii. The data subject has intentionally made the data public.

G. How we collect your personal data

We may collect data:

i. Directly from you when you complete forms, submit applications or communicate with us.

ii. From third parties such as your employer, intermediaries, mobile network operators, public registers and credit reference agencies.

iii. From our affiliates within the Old Mutual (Malawi) Limited Group.

We have a duty to take all reasonably practicable steps to ensure your personal information is complete, accurate, not misleading and updated on a regular basis. To enable this, we will always try to obtain personal information from you directly, and we shall appreciate it if you would keep your personal information up to date and accurate. You can do so by contacting us at info@oldmutual.co.mw.

H. Recipients of your personal data

We may share your personal data with:

i. Other Old Mutual entities both within and outside Malawi.

ii. Service providers and business partners who process data on our behalf under strict contractual terms.

iii. Regulators, law enforcement, and other public authorities as required by law.

iv. Reinsurers and professional advisors.

I. Cross-Border transfers

Where your personal data is transferred outside Malawi, we will ensure that the recipient country, organization, or contractual arrangement offers an adequate level of protection in accordance with the Data Protection Act 2024.

J. Data retention

We will keep your personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by law, after which it will be securely deleted or anonymised.

K. Security of your information

We are legally obliged to provide adequate protection for the personal information we hold and to stop unauthorised access and use of personal information. We use physical, electronic, and organisational safeguards to protect your personal data in line with the Data Protection Act, 2024 and the Electronic Transactions and Cyber Security Act 2016. These measures are designed to prevent loss, misuse, unauthorised access, disclosure, alteration, or destruction of your information. Personal data will be stored securely, and access will be restricted to authorized personnel only. All of these people are bound by a duty of confidentiality.

L. Your rights

You have the right to:

i. Access your personal data.

ii. Request correction of inaccurate or incomplete data.

iii. Request deletion of your data in certain circumstances.

iv. Restrict processing of your data.

v. Object to processing, including for direct marketing.

vi. Request data portability.

vii. Withdraw consent at any time (without affecting prior lawful processing).

Requests or questions should be addressed to the Data Protection Officer using the contact details below.

M. Complaints

If you have any concerns about how we handle your personal data, please contact us first so we can try to resolve the matter promptly. If you are not satisfied with our response, you have the right to lodge a complaint with the Malawi Communication Regulatory Authority as the Data Protection Authority.

N. Changes to this Notice

We may update this Privacy Notice from time to time. The latest version will be available on our website or on request.

O. Ongoing financial services

Given our aim to provide you with ongoing financial services, we would like to use your information to keep you informed about other financial products and services which may be of particular interest to you, but only where you have provided your explicit consent. You may withdraw your consent at any time by following the unsubscribe instructions in our communications or by contacting us at info@oldmutual.co.mw.

P. How to contact us

Old Mutual is regulated by the Reserve Bank of Malawi. Please contact us if you have any questions about our Privacy Notice or information we hold about you:

i. Contact us through the Old Mutual toll line 329 from either TNM or Airtel line.

ii. Come into a branch.

iii. Contact us by email at info@oldmutual.co.mw.