Plot 1. St. Mary's Catholic Parish Compound, Arthur Eze Avenue P.M.B 5021 Awka, Anambra State info@uzondumfb.com

Data Privacy And Protection Policy

1. INTRODUCTION

As part of our operations, Uzondu Microfinance Bank Limited (“Uzondu Microfinance Bank”) collects and processes certain types of information (such as name, telephone numbers, address etc.) of Bank customers that makes them easily identifiable. These customers include active and inactive customers alongside their next-of-kin and other individuals whom Uzondu Microfinance Bank communicate or deals with jointly and/or severally (“Data Subjects”).

Maintaining the Data Subject’s trust and confidence requires that Data Subjects do not suffer negative consequences/effects as a result of providing Uzondu Microfinance Bank with their Personal Data. To this end, Uzondu Microfinance Bank is firmly committed to complying with applicable data protection laws, regulations, rules and principles to ensure security of Personal data handled by the Bank. This Data Privacy & Protection Policy (“Policy”) describes the minimum standards that must be strictly adhered to regarding the collection, storage, use and disclosure of Personal data and indicates that Uzondu Microfinance Bank is dedicated to processing the Personal Data it receives or processes with absolute confidentiality and security.

This Policy applies to all forms of systems, operations and processes within the Uzondu Microfinance Bank environment that involves the collection, storage, use, transmission and disposal of customer data.

Failure to comply with the data protection rules and guiding principles set out in the Nigeria Data Protection Regulations 2019 (NDPR) as well as those set out in this Policy is a material violation of Uzondu Microfinance Bank’s policies and may result in disciplinary action as required, including suspension or termination of employment or business relationship.

2. SCOPE

3. GENERAL PRINCIPLES FOR PROCESSING OF PERSONAL DATA

To demonstrate this commitment as well as our aim of creating a positive privacy culture within the Bank, Uzondu Microfinance Bank adheres to the following basic principles relating to the processing of Personal data:

3.1 Lawfulness, Fairness and Transparency

3.2 Data Accuracy

1. a) shall ensure that any data it collects and/or processes is accurate and not misleading in a way that could be harmful to the Data Subject;
2. b) will make efforts to keep Personal data updated where reasonable and applicable;
3. c) will ensure timely efforts is made to correct or erase any personal data when inaccuracies are discovered.

3.3 Purpose Limitation

3.4 Data Minimization

3.4.2 Uzondu Microfinance Bank will evaluate whether and to what extent the processing of personal data is necessary and where the purpose allows, anonymized data must be used.

3.5 Integrity and Confidentiality

3.5.2 Personal data of Data Subjects must be protected from unauthorized viewing or access and from unauthorized changes to ensure that it is reliable and correct at all times.

3.5.3 Any personal data processing undertaken by an employee of the bank who has not been authorized to carry such out as part of their legitimate duties is un-authorized.

3.5.4 Employees may have access to Personal data only as is appropriate for their specified job function and scope of the task in question and are forbidden to use Personal data for their own private or commercial purposes or to disclose them to unauthorized persons, or to make them available in any other way.

3.5.5 Human Resources Department of the Bank must inform employees at the commencement of their employment about the obligation to maintain personal data privacy. This obligation shall remain in force even after their employment has ended.

3.6 Personal Data Retention

3.6.2 To the extent permitted by applicable laws and without prejudice to Uzondu Microfinance Bank’s Retention Policy, the length of storage of Personal Data shall, amongst other things, be determined by:

(a) the contract terms agreed between Uzondu Microfinance Bank and the Data Subject or as long as it is needed for the purpose for which it was obtained; or
(b) whether the transaction or relationship has statutory implication or a required retention period; or
(c) an express request for deletion by the Data Subject; except where such Data Subject is under an investigation or under a subsisting contract which may require further processing or where the data relates to criminal records; or
(d) whether Uzondu Microfinance Bank has another lawful basis for retaining that information beyond the period for which it is necessary to serve the original purpose.
Notwithstanding the foregoing and pursuant to the NDPR policy, Uzondu Microfinance Bank shall be entitled to retain and process Personal Data for archiving, CBN request, EFCC investigation or any other as may be required.

3.6.3 Uzondu Microfinance Bank would forthwith delete Personal Data in their possession where such Personal data is no longer required by Uzondu Microfinance Bank or in line with Uzondu Microfinance Bank’s Retention Policy, provided no law or regulation being in force requires Uzondu Microfinance Bank to retain such Personal data.

3.7 Accountability

3.7.2 Any individual or employee who breaches this Policy may be subject to internal disciplinary action (up to and including termination of their employment); and may also face civil or criminal liability if their action violates the law.

4. DATA PRIVACY NOTICE

4.2 Uzondu Microfinance Bank shall display a simple and conspicuous notice (Privacy Policy) on any medium through which the Customer data is being collected or processed. The following information must be considered for inclusion in the Privacy policy, as appropriate in distinct circumstances in order to ensure fair and transparent processing:

1. a) Description of collectible Customer Data
2. b) Purposes for which Customer Data is collected, used and disclosed
3. c) What constitutes Data Subject’s Consent
4. d) Purpose for the collection of Customer Data
5. e) The technical methods used to collect and store the information
6. f) Available remedies in the event of violation of the Policy and the timeframe for remedy.
7. g) Adequate information in order to initiate the process of exercising their privacy rights, such as access to, rectification and deletion of Customer Data.

5. PURPOSE AND CATEGORY OF DATA COLLECTED AND PROCESSED

·
• Communication data (e.g. name, telephone, e-mail, address, IP address);
·
• Key contract data (contractual relationship, product or contractual interest);
·
• Customer transaction history;
·
• Disclosed information (from third parties);
·
• Employee and prospective employee data collected for recruitment and onboarding purpose;

5.2. The following are methods adopted by Uzondu Microfinance Bank in the collection, verifiation and storage of Customer data –

·
• Cookies;
·
• Physical and Online Forms
·
• Biometric Tools

6. LEGAL GROUNDS FOR PROCESSING OF CUSTOMER DATA

In line with the provisions of the NDPR, processing of Customer Data by Uzondu Microfinance Bank shall be lawful if at least one of the following applies:
1. a) the Data Subject has given Consent to the processing of his/her Data for one or more specific purposes;
2. b) the processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
3. c) processing is necessary for compliance with a legal obligation to which Uzondu Microfinance Bank is subject to;
4. d) processing is necessary in order to protect the vital interests of the Data Subject or of another natural person, and
5. e) processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in Uzondu Microfinance Bank.

7. CONSENT

Where processing of Customer Data is based on consent, Uzondu Microfinance Bank shall obtain the requisite consent of Data Subjects at the time of collection of Customer Data. In this regard, Uzondu Microfinance Bank will ensure:
1. a) that the specific purpose of collection is made known to the Data Subject and the Consent is requested in a clear and plain language;
2. b) that the Consent is freely given by the Data Subject and obtained without fraud, coercion or undue influence;
3. c) that the Consent is sufficiently distinct from other matters to which the Data Subject has agreed;
4. d) that the Consent is explicitly provided in an affirmative manner;
5. e) that Consent is obtained for each purpose of Customer Data collection and processing; and
6. f) that it is clearly communicated to and understood by Data Subjects that they can update, manage or withdraw their Consent at any time.

7.1 Valid Consent

7.1.1 For Consent to be valid, it must be given voluntarily by an appropriately informed Data Subject. In line with regulatory requirements, Consent cannot be implied. Silence, pre-ticked boxes or inactivity does not constitute Consent under the NDPR.

7.1.2 Consent in respect of Sensitive Customer Data must be explicit. A tick of the box would not suffice.

7.2 Consent of Minors: The Consents of minors (under the age of 18) will always be protected and obtained from minor’s representatives e.g Parents in accordance with applicable regulatory requirements.

8. DATA SUBJECT RIGHTS

8.1 All individuals who are the subject of Customer Data held by Uzondu Microfinance Bank are entitled to the following rights:
1. a) Right to request for and access their Customer Data collected and stored. Where data is held electronically in a structured form, such as in a Database, the Data Subject has a right to receive that data in a common electronic format;
2. b) Right to information on their Customer data collected and stored;
3. c) Right to objection or request for restriction;
4. d) Right to object to automated decision making;
5. e) Right to request rectification and modification of their data which Uzondu Microfinance Bank keeps;
6. f) Right to request for deletion of their data, except as restricted by law or Uzondu Microfinance Bank’s statutory obligations;
7. g) Right to request the movement of data from Uzondu Microfinance Bank to a Third Party; this is the right to the portability of data; and
8. h) Right to object to, and to request that Uzondu Microfinance Bank restricts the processing of their information except as required by law or Uzondu Microfinance Bank’s statutory obligations

8.2 Uzondu Microfinance Bank’s well-defined procedure regarding how to handle and answer Data Subject’s requests are contained in Uzondu Microfinance Bank’s Data Subject Access Request Policy.

9. TRANSFER OF CUSTOMER DATA

9.1 Third Party Processor within Nigeria Uzondu Microfinance Bank may engage the services of third parties in order to process the Customer Data of Data Subjects collected by the Bank. The processing by such third parties shall be governed by a written contract with Uzondu Microfinance Bank to ensure adequate protection and security measures are put in place by the third party for the protection of Customer Data in accordance with the terms of this Policy and the NDPR.

8.2 Transfer of Customer Data to Foreign Country
8.2.1 Where Customer Data is to be transferred to a country outside Nigeria, Uzondu Microfinance Bank shall put adequate measures in place to ensure the security of such Customer Data. In particular, Uzondu Microfinance Bank shall, among other things, conduct a detailed assessment of whether the said country is on the National Information Technology Development Agency (NITDA) White List of Countries with adequate data protection laws.

9.2.2 Transfer of Customer Data out of Nigeria would be in accordance with the provisions of the NDPR. Uzondu Microfinance Bank will therefore only transfer Customer Data out of Nigeria on one of the following conditions:

1. a. The consent of the Data Subject has been obtained;
2. b. The transfer is necessary for the performance of a contract between Uzondu Microfinance Bank and the Data Subject or implementation of pre-contractual measures taken at the Data Subject’s request;
3. c. The transfer is necessary to conclude a contract between Uzondu Microfinance Bank and a third party in the interest of the Data Subject Uzondu Microfinance Bank;
4. d. The transfer is necessary for reason of public interest
5. e. The transfer is for the establishment, exercise or defence of legal claims.
6. f. The transfer is necessary in order to protect the vital interests of the Data Subjects or other persons, where the Data Subject is physically or legally incapable of giving consent.

Provided, in all circumstances, that the Data Subject has been manifestly made to understand through clear warnings of the specific principle(s) of data protection that are likely to be violated in the event of transfer to a third country, this proviso shall not apply to any instance where the Data Subject is answerable in duly established legal action for any civil or criminal claim in a third country.

Uzondu Microfinance Bank will take all necessary steps to ensure that the Customer Data is transmitted in a safe and secure manner. Details of the protection given to your information when it is transferred outside Nigeria shall be provided to you upon request.

9.2.3 Where the recipient country is not on the White List and none of the conditions stipulated in Section 8.2.2 of this Policy is met, Uzondu Microfinance Bank will engage with NITDA and the Office of the Honourable Attorney General of the Federation for approval with respect to such transfer.

10. DATA BREACH MANAGEMENT PROCEDURE

10.1 A data breach procedure is established and maintained in order to deal with incidents concerning Customer Data or privacy practices leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored or otherwise processed.

10.2 All employees must inform their designated line manager or the DPO of Uzondu Microfinance Bank immediately about cases of violations of this Policy or other regulations on the protection of Customer Data, in accordance with Uzondu Microfinance Bank’s Customer Data Breach Management Procedure in respect of any:

1. a) improper transmission of Customer Data across borders;
2. b) loss or theft of data or equipment on which data is stored;
3. c) accidental sharing of data with someone who does not have a right to know this information;
4. d) inappropriate access controls allowing unauthorized use
5. e) equipment failure;
6. f) human error resulting in data being shared with someone who does not have a right to know; and
7. g) hacking attack.

   10.3 A data protection breach notification must be made immediately after any data breach to ensure that:

   1. a) immediate remedial steps can be taken in respect of the breach;
   2. b) any reporting duties to NITDA or any other regulatory authority can be complied with;
   3. c) any affected Data Subject can be informed; and
   4. d) any stakeholder communication can be managed.

   10.4 When a potential breach has occurred, Uzondu Microfinance Bank will investigate to determine if an actual breach has occurred and the actions required to manage and investigate the breach as follows:

   1. a) Validate the Customer Data breach;
   2. b) Ensure proper and impartial investigation (including digital forensics if necessary) is initiated, conducted, documented, and concluded;
   3. c) Identify remediation requirements and track resolution;
   4. d) Report findings to the top management;
   5. e) Coordinate with appropriate authorities as needed;
   6. f) Coordinate internal and external communications; and
   7. g) Ensure that impacted Data Subjects are properly notified, if necessary.
   
   10.5 You can read more about Uzondu Microfinance Bank’s Customer Data Breach Management Procedure.

   11. DATA PROTECTION IMPACT ASSESSMENT

   Uzondu Microfinance Bank shall carry out a Data Protection Impact Assessment (DPIA) in respect of any new project or IT system involving the processing of Customer Data to determine whenever a type of processing is likely to result in any risk to the rights and freedoms of the Data Subject.

   Uzondu Microfinance Bank shall carry out the DPIA in line with the procedures laid down in the Uzondu Microfinance Bank Data Protection Impact Assessment Policy.

   12. DATA SECURITY

   12.1 All Customer Data must be kept securely and should not be stored any longer than necessary. Uzondu Microfinance Bank will ensure that appropriate measures are employed against unauthorized access, accidental loss, damage and destruction to data. This includes the use of password-encrypted databases for digital storage and locked cabinets for those using paper form.

   12.2 To ensure security of Customer Data, Uzondu Microfinance Bank will, among other things, implement the following appropriate technical controls: a) Industry-accepted hardening standards, for workstations, servers, and databases; b) Full disk software encryption on all corporate workstation/laptops operating systems drives storing Customer and Customer/Sensitive Data; c) Encryption at rest including key management of key databases; d) Enable Security Audit Logging across all systems managing Customer Data; e) Restrict the use of removable media such as USB flash, disk drives; f) Anonymization techniques on testing environments; and g) Physical access control where Customer Data are stored in hardcopy.

   13. DATA PROTECTION OFFICER

   An appointed Data Protection Officer(s) (DPO) responsible for overseeing the Bank’s data protection strategy and its implementation to ensure compliance with the NDPR requirements will be appointed by the Bank. The DPO is knowledgeable in data privacy and protection principles and is familiar with the provisions of the NDPR.

   The contact details of the Data Protection officer are as follows – The Data Protection Officer Uzondu Microfinance Bank Awka Anambra State, Nigeria. dataprotection@uzondumfb.com The main tasks of the DPO include: a) administering data protection policies and practices of Uzondu Microfinance Bank; b) monitoring compliance with the NDPR and other data protection laws, data protection policies, awareness-raising, training, and audits; c) advice the business, management, employees and third parties who carry on processing activities of their obligations under the NDPR; d) acts as a contact point for Uzondu Microfinance Bank; e) monitor and update the implementation of the data protection policies and practices of Uzondu Microfinance Bank and ensure compliance amongst all employees of Uzondu Microfinance Bank; f) ensure that Uzondu Microfinance Bank undertakes a Data Impact Assessment and curb potential risk in Uzondu Microfinance Bank data processing operations; and g) maintain a Database of all Uzondu Microfinance Bank data collection and processing operations of Uzondu Microfinance Bank.

   14. TRAINING

   Uzondu Microfinance Bank shall ensure that employees who collect, access and process Customer Data receive adequate data privacy and protection training in order to develop the necessary knowledge, skills and competence required to effectively manage the compliance framework under this Policy and the NDPR with regard to the protection of Customer Data. On an annual basis, Uzondu Microfinance Bank shall develop a capacity building plan for its employees on data privacy and protection in line with the NDPR.

   15. DATA PROTECTION AUDIT

   Uzondu Microfinance Bank shall conduct an annual data protection audit through a licensed Data Protection Compliance Organization (DPCOs) to verify Uzondu Microfinance Bank’s compliance with the provisions of the NDPR and other applicable data protection laws.

   The audit report will be certified and filed by the DPCO to NITDA as required under the NDPR.

   16. RELATED POLICIES AND PROCEDURES

   This Policy shall be read in conjunction with the following policies and procedures of Uzondu Microfinance Bank:

   • Customer Data Breach Management Policy; • IT Security Policy; • Document Retention Policy; • Cookies Policy; • Privacy Policy; and • Data Protection Impact Assessment Procedure.

   17. CHANGES TO THE POLICY

   Uzondu Microfinance Bank reserves the right to change, amend or alter this Policy at any point in time. If we amend this Policy, we will provide you with the updated version.

   18. GLOSSARY

   ‘‘Consent’’ means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Customer Data relating to him or her.

   “Database” means a collection of data organized in a manner that allows access, retrieval, deletion and processing of that data; it includes but not limited to structured, unstructured, cached and file system type Databases.

   “Data Processor means a person or organization that processes Customer Data on behalf and on instructions of Uzondu Microfinance Bank.

   “DPCO” means an organization registered by NITDA to provide data protection audit, compliance and training services to public and private organizations who process Customer Data in Nigeria.

   “Data Subject” means any person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

   “NDPR” means the Nigerian Data Protection Regulation, 2019.

   “Customer Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Customer Identifiable Information (PII) and others.

   “Sensitive Customer Data” means data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive Customer information.