Pinnacle Financial Services
Privacy Policy

  1. Definitions

“Act” means the Malawi Data Protection Act, 2024, and any regulations or directives issued thereunder.
“Authority” means the Malawi Data Protection Authority (DPA).
“Data Subject” means an identified or identifiable natural person.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Sensitive Personal Data” includes data relating to race, ethnic origin, health status, biometric or genetic data, religious or philosophical beliefs, marital or family details, sex, sexual orientation, or financial information.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
“Controller” means Pinnacle Financial Services.
“Processor” means a third party processing personal data on behalf of Pinnacle.
“Responsible Person” means the Data Protection Officer (DPO).

  2. Purpose of this Policy

This Privacy Policy sets out how Pinnacle Financial Services (“Pinnacle”) collects, processes, stores, shares, and protects personal data in compliance with the Malawi Data Protection Act, 2024.

  3. Scope and Application

This Policy applies to all personal data processed by Pinnacle, regardless of format or storage location, and to all employees, directors, agents, contractors, and service providers acting on behalf of Pinnacle.

  4. Data Protection Officer

Pinnacle has appointed a Data Protection Officer responsible for overseeing compliance with data protection laws.

Contact:
Data Protection Officer
Email: trev@pinnacle.co.mw

  5. Changes to this Policy

This Policy shall be reviewed annually or when there are material changes in law or internal processes.

  6. Rights of Data Subjects

Data subjects have the right to:
• Be informed of data processing activities
• Access their personal data
• Request correction or deletion
• Object to processing
• Withdraw consent
• Lodge complaints with the Malawi Data Protection Authority

  7. Exercise of Rights

Rights may be exercised directly by the data subject, by a legal guardian, or by a duly authorized representative.

  8. Data Protection Principles

Personal data shall be processed lawfully, fairly, transparently, for specified purposes, limited to what is necessary, accurate, securely stored, and retained only as long as required.

  9. Lawful Basis for Processing

Processing shall be based on consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interests.

  10. Collection of Personal Data

Personal data shall be collected directly from data subjects or indirectly where permitted by law.

  11. Accuracy

Reasonable steps shall be taken to ensure personal data is accurate and up to date.

  12. Data Retention

Personal data shall be retained only for as long as necessary and securely deleted, anonymized, or pseudonymized thereafter.

  13. Security Measures

Appropriate technical and organizational measures shall be implemented to protect personal data, including access controls, encryption, backups, and impact assessments.

  14. Personal Data Breaches

Data breaches shall be assessed promptly and reported to the Malawi Data Protection Authority within 72 hours where required.

  15. Cross-Border Transfers

Personal data may be transferred outside Malawi only where:

  • Adequate data protection safeguards are in place; or
  • The transfer is permitted under the Act; or
  • The data subject has provided explicit consent.

Pinnacle shall ensure compliance with all cross-border transfer requirements prescribed by the Authority.