1. POLICY OVERVIEW
Ultraviolet Microfinance Bank Limited (hereinafter “UVMFB”), as a data collector/controller, is committed to conducting its business in accordance with the Nigeria Data Protection Regulation (NDPA) 2019, and other material guidelines relating to the protection of personal data and privacy of individuals to ensure compliance with the Data Protection requirements. Non-compliance may expose Ultraviolet MFB to complaints, regulatory actions, fines and/or reputational damage.
2. PURPOSE
- This Data Protection Policy states the basic principles of data protection for Ultraviolet Microfinance Bank Limited (“UVMFB”). Ensuring data protection is the foundation of trustworthy business relationships and the reputation of UVMFB as an attractive employer.
- The policy also guarantees that UVMFB processes personal data in a way that is consistent with all data protection and privacy guidelines, to protect the “rights and freedoms” of individuals, and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.
- It is designed to inform all stakeholders about their obligation to protect the privacy and security of personal data when collecting, storing and using the personal data that is needed to carry out our business, while complying with Data Protection Regulations and standards.
- It ensures the adequate level of data protection prescribed by the European Union Data Protection Directive and the Nigeria Data Protection Regulation 2019 for cross-border data transmission, including in countries that do not yet have adequate data protection laws.
3. DEFINITION OF TERMS
TERMS | MEANING |
Personal Data | A name, identification number, location data, and/or online identifier, including one or more specific factors such as physical, physiological, genetic, mental, economic, cultural or social identifiers relating to a natural person directly or indirectly. |
Database | A collection of data organized in a manner that allows access, retrieval, deletion and processing of that data; it includes but is not limited to structured, unstructured, cached and file system type Databases |
Data Subject | Any living individual or natural person from whom personal data is collected |
Consent | Any specific, informed, and unambiguous indication of the data subject’s wishes that is freely given by a statement or by a clear affirmative action, which signifies agreement to the processing of his/her personal data. |
Third Party | A natural or legal person, public authority, agency, vendor, contractor, or entity other than the data subject, who, under UVMFB’s authority, is authorised to process personal data. |
Data Administrator | Any person or organisation that processes data. |
Data Controller | Any person who either alone, jointly with other persons or in common with other persons or as a statutory body, determines the purposes for and the manner in which personal data is processed or is to be processed |
Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Data Protection Impact Assessment | A tool and process for assessing the protection impacts on data subjects in processing their personal data and for identifying remedial actions as necessary in order to avoid or minimize such |
Data Protection Officer | An authorized staff of UVMFB who supervises, monitors and reports matters related to data protection and privacy in compliance with this Policy |
Data Encryption | The process of converting data or information into a code to prevent unauthorised access by human and/or computer systems. Data encryption can be used during data storage or transmission and is typically used in conjunction with authentication services to ensure that keys are only provided to, or used by, authorized users. |
Personal Data Breach | A breach of data security leading to the accidental or unlawful/illegitimate access, destruction, loss, alteration, unauthorized disclosure of personal data that is being transferred, stored or otherwise processed |
GDPR | General Data Protection Regulation. It is a European Union (EU) regulation that governs the way in which we can use, process, and store personal data (information about an identifiable, living person) |
NDPR | Nigerian Data Protection Regulation, 2019 |
UVMFB | Ultraviolet Microfinance Bank Limited |
4. POLICY STATEMENT
- The entire Management of UVMFB is committed to maintaining compliance with all relevant GDPR/NDPA and local laws with respect to personal data collected, as well as protection of the “rights and freedoms” of the data subject. The GDPR/NDPA and UVMFB’s data protection policy apply to all personal data processing functions, including those performed on customers’, employees’, vendors’ and partners’ personal data, and any other personal data that UVMFB processes from any source. This policy also applies to all Employees/Staff and third parties of UVMFB.
- UVMFB’s Data Protection Officer is responsible for reviewing and updating the register in the light of any changes to UVMFB’s operations and activities, and to any additional requirements identified by means of data protection impact assessments. This register shall be made available on the supervisory regulator’s request.
- Third Parties working with or for UVMFB, and who have or may have access to personal data, will be expected to have read, understood, and to comply with this policy. No third party may access personal data held by UVMFB without having first entered into a Data Confidentiality/Non-Disclosure Agreement, which imposes on the third party obligations no less onerous than those to which UVMFB is committed, and which gives UVMFB the right to audit compliance with the agreement.
- Any breach of the GDPR/NDPA will be dealt with under UVMFB’s disciplinary procedure and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
5. DATA PROTECTION PRINCIPLES
Ultraviolet Microfinance Bank Limited is committed to processing data in accordance with its responsibilities under the Nigeria Data Protection Regulation (2019).
Article 5 of the General Data Protection Regulation requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
6. GENERAL PROVISIONS
- This policy applies to all personal data processed by Ultraviolet Microfinance Bank Limited.
- The Data Protection Officer shall take responsibility for Ultraviolet Microfinance Bank Limited’s ongoing compliance with this policy.
- This policy shall be reviewed at least annually.
- Individuals have the right to access their data and any such requests made to Ultraviolet Microfinance Bank Limited shall be dealt with within two (2) weeks.
7. LAWFUL PURPOSES
- All data processing by Ultraviolet Microfinance Bank Limited must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in Ultraviolet Microfinance Bank Limited’s systems.
8. DATA MINIMIZATION
Ultraviolet Microfinance Bank Limited shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
9. ACCURACY
- Ultraviolet Microfinance Bank Limited shall take reasonable steps to ensure personal data is accurate.
- Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
10. ARCHIVING/REMOVAL
- To ensure that personal data is kept for no longer than necessary, Ultraviolet Microfinance Bank Limited shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
- The archiving policy shall consider what data should/must be retained, for how long, and why.
11. SECURITY
- Ultraviolet Microfinance Bank Limited shall ensure that personal data is stored securely using modern software that is kept up to date.
- Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
- When personal data is deleted, this should be done safely such that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions shall be in place.
12. BREACH
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Ultraviolet Microfinance Bank Limited shall promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the Nigeria Data Protection Bureau via info@ultravioletmfb.com.
For more details, please address any questions, comments and requests regarding our data processing practices to our Data Protection Officer via info@ultravioletmfb.com.