GRIFFIN FINANCE LIMITED
PRIVACY POLICY
1. Introduction/Scope
This Privacy Policy is prepared in accordance with the provisions of the Nigerian Data Protection Act (NDPA) and, by extension, the EU General Data Protection Regulation (GDPR) and. It sets out how Griffin Finance Limited, hereinafter called “GFL”, applies and complies with the principles of the regulations in processing the personal data of individuals, clients, vendors, and even third parties that interact with GFL.
For personal data of individuals, this document also highlights their rights and covers the data subject(s) whose personal data is collected and processed in compliance with the NDPA.
2. Roles and Responsibilities
GFL’s Data Protection Officer (DPO) is responsible for ensuring that this document is correct and up- to-date. The DPO also ensures that data subjects are duly notified prior to the collection and processing of their personal data by GFL, including data collected via the GFL’s website. All GFL employees/staff who interact with personal data must also ensure to follow the provisions in this policy document.
3. Policy Statement
3.1 Who We Are
GFL is a Finance House licensed by the Central Bank of Nigeria. Due to the nature of GFL’s business and the fact that GFL provides financial services across the country, GFL is mandated to collect and process personal data of its clients.
3.2 What Personal Data Do We Need?
The personal data we would collect and process, depending on the particular processing requirement, are under the following categories:
|
Personal Data Type |
Sources |
|
Identity Data |
Full Name, maiden name, marital status, title, biometric information, national identification number (NIN), passport details, driver’s licence details, date of birth, gender, address, employment details and citizenship. |
|
Contact Data |
Address, Email Address and Telephone Numbers Information received during contact with face- to-face meetings, phone calls, emails, letters and SMS |
|
Financial Data |
Bank account information, Bank verification Number (BVN), credit history, financial position, status and account number. |
|
Technical Data |
Internet protocol (IP) address, login data, details of browser and operating system, time zone setting and location, browser plug-in types and versions, platforms and other technology such as device id, geolocation, IP, model and user agent on the devices used to access GFL’s website. |
|
Profile Data |
Includes username and password. |
|
Job Application Data |
Data submitted throughout the recruitment process e.g. name, email address. Any personal information you provide to GFL as part of the recruitment process. |
|
Usage Data |
Includes information about how data subject uses our website, products and services. |
|
Marketing and Communications Data |
Information about data subject communications with GFL. Preferences in receiving marketing e-mails and consents given by data subject to GFL. |
|
Others |
CCTV/Video footage whenever you come into our premises and telephone conversations via calls made through any of our contact centre lines. |
Where the personal data we need to collect may fall under a special category of sensitive personal data, our lawful basis of processing will be the explicit consent of the data subject, compliance with a legal obligation, or for legal proceedings/advice.
3.3 Why Do We Need the Data?
GFL ensures that the personal data collected and processed is necessary for the purpose of collection and shall not collect or process more data than is reasonably required for a particular processing activity. In addition, every processing purpose has at least one lawful basis for processing to safeguard the rights of the data subjects, as listed below:
|
Purpose of Processing |
Lawful Basis of Processing |
|
Account creation, identity verification and maintenance of records |
Compliance with a legal obligation in which GFL is subject/contract. |
|
Vendor validation/information processing |
Contract |
|
Employment |
Contract |
Where Legitimate Interest is considered the legal basis for processing personal data, GFL shall follow the steps below in carrying out a Legitimate Interest Assessment.
1. Determine the Purpose for Processing
In carrying out the purpose test, GFL will establish the exact reason for the processing and how it benefits the organisation. Answers to the following shall be provided to determine the exact purpose for processing:
- Description of the processing objective
- The likelihood of meeting the objective and how to determine if the objective was met
- The benefit of the processing and the significance to the organisation
- Description of the possible impact of not processing and any other issues that might be relevant
- The benefit of the processing and the significance to the organisation.
2. Determine the Necessity of the Processing
GFL will establish why the processing must take place, how the processing relates to the expected benefits, and any other alternatives and why there were not considered.
3. Balance the identified interest with the Privacy Interest of the Data Subjects
The following questions will be addressed under the balance test:
- Who are the data subjects (category)?
- What is the relationship between GFL and the data subject
- What personal data is to be processed
- How will the processing impact the data subject
GFL records this information in line with this policy, data protection impact assessment, and data inventory.
4. Consent
GFL requires the explicit consent of customers, visitors, and other relevant stakeholders (“data subjects”) to process collected personal data. Visitors to GFL’s website are expected to read and understand the website privacy notice and then agree to the website’s terms of use; and by consenting to this privacy policy, data subjects are giving us the permission to use/process their personal data specifically for the purpose identified before collection.
If, for any reason, GFL is requesting sensitive personal data from data subjects, they will be rightly notified why and how the information will be used.
Where processing relates to a child under 18 years old, as in the case of NDPA or 16 years in the case of GDPR, GFL shall demonstrate that consent has been provided by the person who holds parental responsibility over the child.
You may withdraw consent at any time by requesting for Withdrawal of Consent form, following the GFL Withdrawal of Consent Procedure.
5. Disclosure
GFL will not pass on your personal data to third parties without first obtaining your consent.
Where there is a need for a third party to process the personal data of data subjects, GFL will enter into a Data Processing Agreement with the third party and be satisfied that the third party has adequate measures in place to protect the data against accidental or unauthorised access, use, disclosure, loss, or destruction.
6. Retention of Records
In compliance with the GDPR/NDPA data retention policy, GFL will process your personal data for the duration of your relationship with us and will retain the personal data for a period of 6 years.
This retention period has been established to enable us to use the personal data for the necessary legitimate purposes identified, in full compliance with the legal and regulatory requirements. When we no longer need to use your personal information, we will delete it from our systems and records, and/or take steps to encrypt it to protect your identity.
7. Data Subject Rights
Data subjects, according to the provision of the GDPR/NDPA, have certain rights. At any point while GFL is in possession of or processing your personal data, you, the data subject, have the right to:
- Request a copy of the information that we hold about you
- Correct the data that we hold about you that is inaccurate or incomplete
- Ask for the data we hold about you to be erased from our systems/record
- Restrict processing of your personal data where certain conditions apply
- Have the data we hold about you transferred to another organisation
- Object to certain types of processing like direct marketing
- Object to automated processing like profiling, as well as the right to be subject to the legal effects of automated processing or profiling
- Judicial review, in the event that GFL refuses your request under rights of access, we will provide you with a reason as to why.
All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.
8. Complaints
If for any reason a data subject wishes to make a complaint about how GFL (or any of GFL’s third parties) processes their personal data, or how their complaint has been handled, they have the right to lodge a complaint directly with the Data Protection Officer of GFL.
Below is the detail for this contact:
|
|
Data Protection Officer (DPO) |
|
Email: |
|
|
Telephone: |
09139350341 |