Privacy

Privacy Notice

Overview

We take your privacy seriously and only process your personal information to make your experience better. In accordance with NDP Act/GAID and any applicable laws or regulations, continuing to use this platform indicates your consent to the processing of your personal data by the Company, its subsidiaries and partners as detailed in our Privacy Policy.

Who We Are

Consolidated Hallmark Insurance Ltd is a Subsidiary of Consolidated Hallmark Holdings Plc. The Company is licensed by the Insurance Regulator, the National Insurance Commission (NAICOM).

Nature of Personal Data We Collect and Process

The Company collects the following personal data and non-personal data directly from you when you register your personal details on our Site:

  • contact details such as your full name, postal addresses, phone numbers and email addresses;
  • demographic information such as your date of birth and gender;
  • online registration information such as your password and other authentication information;
  • payment details such as your credit card information and billing address;
  • in certain cases, your marketing preferences.

We automatically collect and store certain types of information regarding your use of our Site including information about your searches, views, downloads and purchases.

Cookies

Cookies enable us to distinguish you from other users of our website, which helps us to provide you with an improved browsing experience. For more information about cookies and how we use them, please read our Cookie Policy below on this same page.

Use of Your Personal Data

We may use your personal data collected on our Site:

  • to register and onboard you as a new user.
  • to process and respond to your needs on our platform.
  • to manage your relationship with us.
  • to improve our website functionalities, products and services.
  • to comply with our legal and regulatory obligations, including verifying your identity where necessary.
  • to prevent, detect and manage risk against fraud and illegal activities.
  • any other purpose that we disclose to you in the course of providing products and services to you.

Legal Basis for the processing of Your Personal Data

We are committed to ensuring that we legally process your personal data in our custody.

Consolidated Hallmark Insurance Ltd shall only process your personal data if at least one of the following conditions applies:

  • you have given your consent to the processing of your personal data for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which Consolidated Hallmark Insurance Ltd is subject;
  • processing is necessary in order to protect your vital interests or that of another natural person;
  • processing is necessary for the purpose of the legitimate interest pursued by Consolidated Hallmark Insurance Ltd, or by a third party to whom the data is disclosed subject to certain conditions; and
  • processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in Consolidated Hallmark Insurance Ltd.

Sharing Your Personal Data with Third-Parties

We may need to share your personal data with third-parties under the following circumstances:

  1. to enable us to provide our services to you, end to end.
  2. to analyze data, provide marketing assistance, process payments, transmit content, and provide customer service.
  3. to comply with applicable laws and regulations or to respond to valid legal process, including from law enforcement or other government agencies.
  4. to protect the rights of our customers, operate and maintain the security of our systems and network to ensure the preservation of life and property and prevention of fraud and cyberattack.
  5. to protect the rights or property of Consolidated Hallmark Holdings Plc or others, including enforcing our agreements, terms, and policies.

Transfer of Personal Data Abroad

Consolidated Hallmark Insurance Ltd shall implement appropriate safeguards to ensure the security of personal data to be transferred to a foreign country in compliance with the provision of the Nigeria Data Protection Act 2023 (“NDPA”) and the General Application and Implementation Directive, 2025 (“GAID”) or any other applicable data protection legislation. In particular, we shall, among other things, enter into Data Processing Agreements with the recipients of such personal data in the foreign country to ensure protection of your personal data.

Where personal data is to be transferred to a recipient in a foreign country deemed to have inadequate data protection laws, Consolidated Hallmark Insurance Ltd will take all necessary steps to ensure that informed consent is obtained from you, and you are aware of the risks inherent including ensuring that personal data is transmitted in a safe and secure manner.

Data Security & Retention

We take the security of your personal data in our possession seriously. In line with our commitment to protect your personal data in our possession, we have developed appropriate organizational, technical and physical measures to protect the personal data you provide, or we collect against unauthorized access, loss or theft, as well as against any risk of loss, disclosure, copying, misuse or modification. Such measures include but are not limited to the use of secure servers, firewall, multiple factor authentication security, data anonymization and pseudonymization (as may be necessary), data encryption and granting access on a need-to-know basis only to employees in order to perform their job responsibilities.

CHH will only retain your personal data under the following circumstances:

  • as long as reasonably necessary for the purpose of providing our services to you; and
  • for the period needed to comply with our legal and statutory obligations under applicable law.

What are your Rights in relation to Our Collection and Processing of your Personal Data

Users of our Site are entitled to exercise the following rights in relation to their personal data collected and processed by CHH:

  • right to withdraw consent in relation to the processing of their personal data;
  • right to be informed regarding their personal data;
  • right to request for and access any personal data collected and stored by CHH;
  • right to request the deletion of their data;
  • right to be informed about appropriate safeguards in place where data is transferred abroad;
  • right to request rectification of personal data which is stored by CHH;
  • right to request the transmission of data from CHH to a third party (right to the portability of data);
  • right to object to automated decision making and processing;
  • right to object to direct marketing;
  • right to request the processing of their information; and
  • right to lodge a complaint with the NDPC.

Review of Our Privacy Notice

We may need to review and make necessary updates, modifications or amendments to our Privacy Notice to ensure compliance with applicable data protection legislations including the NDP Act/GAID or as a result of changes in our systems and processes arising from the use of technology. We will notify you of any material changes in the way we collect and process your personal data on our Site by placing a notice online or via email. Your continuous use of our services after such notice will be construed as your consent to carry on with the processing of your personal data.

Dispute Resolution & Complaint Handling Mechanism

In line with our objective of creating a rewarding customer experience on our website and mobile application, Consolidated Hallmark Insurance Ltd has developed a dispute resolution and complaint handling process to ensure the effective management and timely resolution of all complaints relating to this Privacy Notice. In the event that you have any complaint regarding this Privacy Notice, please send us an email via rfalana@chhplc.com. We will investigate and work towards ensuring the prompt resolution of all disputes and complaints relating to the use and disclosure of personal data in line with the provisions of the NDP Act/GAID.

In the event that the outcome of the resolution of your complaint is unsatisfactory, you are at liberty to lodge a complaint to the Nigeria Data Protection Commission (NDPC).

 

Contact Details of Our Data Protection Officer (DPO)

In the event that you have any questions or inquiries relating to the collection and processing of your personal data on our Site or the exercise of your rights as a data subject under the NDP Act/GAID, please send an email to our DPO at rfalana@chhplc.com.

Cookies Policy

This Cookie Notice explains how we use cookies and the choices you have. Except as otherwise stated in this notice, the relevant company’s privacy notice, which can be found on our Privacy Notice above, will apply to our processing of the data that we collect via cookies including your rights regarding your personal data.

What are Cookies?

Cookies are small packets of information stored by your browser when you visit certain sites, including our site. Cookies are generally used by sites to improve your user experience by enabling that site to ‘remember’ you, either strictly for the duration of your visit (using a “Session” cookie which is erased when you close your browser) or for repeat visits (using a “Permanent” cookie).

Please be advised that in some countries data such as cookie IDs and IP-/MAC- addresses are considered to be personal data. To the extent we process such data that is considered personal data, this will be done in accordance with our Privacy Notice.

Third Parties & Information Sharing

Our sites may include links to third party sites, plug-ins and applications. Using these facilities may allow third parties to collect or share data about you. Where you have opted-in to Functional Cookies, Performance Cookies and Targeting Cookies, it may be possible for third party sites to track your browsing behaviour when you leave our site. You are able to opt-out of these cookies at any time.  For more information on these cookies, you can access granular details relating to each of the cookies, the categories, descriptions, types (first or third party) and lifespans.

For help and advice on how to do this, please follow the instructions in the ‘How to reject cookies’ section below.

Our Site uses the following types of cookies:

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personal data.

Functional Cookies

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.

Targeting Cookies

These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal data but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

How to reject Cookies

If you don’t want to receive cookies, you can update your settings in our cookie management portal here:

Cookies Settings

You can click on the Cookies Settings tab at the bottom of the page on our website to update your preferences. Alternatively, you can also alter your browser settings. The procedure for doing so varies from one browser application to another. If you wish to reject cookies from our site, but wish to accept those from other sites, you may choose the option in your browser settings to receive a notice before a cookie is stored on your device.

By disabling cookies, you may be prevented from accessing some features of our site or certain content or functionality may not be available.

 

Cookies List

1. Strictly Necessary Cookies

These cookies are essential for the operation of the website and cannot be disabled.

| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| PHPSESSID | Consolidated Hallmark Insurance Plc | Maintains user session state across pages | Session |
| cookie_consent | Consolidated Hallmark Insurance Plc | Records the user’s cookie consent preferences | 12 months |
| csrf_token | Consolidated Hallmark Insurance Plc | Protects the website against cross-site request forgery | Session |

2. Functional Cookies

| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| language | Consolidated Hallmark Insurance Plc | Stores the user’s preferred language | 12 months |
| user_preferences | Consolidated Hallmark Insurance Plc | Remembers user interface and display preferences | 12 months |

3. Analytics / Performance Cookies

| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics | Distinguishes users for statistical analysis | 2 years |
| _gid | Google Analytics | Tracks user interactions and website usage | 24 hours |
| _gat | Google Analytics | Limits data collection on high-traffic pages | 1 minute |

4. Advertising / Targeting Cookies

| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| _fbp | Meta (Facebook) | Tracks visits for targeted advertising and analytics | 3 months |
| ads/ga-audiences | Google | Re-engages users based on website interactions | Session |

Users may accept or reject non-essential cookies at any time through the cookie banner or browser settings. Strictly necessary cookies are required for the website to function and do not require consent.

 

Data Protection Policy

1.   Introduction

As part of our operations, Consolidated Hallmark Holdings Plc and its Subsidiaries (hereinafter referred to as “CHH” or “the Company”) collects and processes certain types of information (such as name, telephone numbers, address, etc.) of individuals that makes them easily identifiable. These individuals include current, past and prospective employees, merchants, suppliers/vendors, customers of merchants and other individuals whom the Company communicates or deals with, jointly and/or severally (“Data Subjects”).

Maintaining the Data Subject’s trust and confidence requires that Data Subjects do not suffer negative consequences/effects as a result of providing the Company with their Personal Data. To this end, the Company is firmly committed to complying with applicable data protection laws, regulations, rules and principles to ensure security of Personal Data handled by the Company. This Data Privacy & Protection Policy (“Policy”) describes the minimum standards that must be strictly adhered to regarding the collection, use and disclosure of Personal Data and indicates that the Company is dedicated to processing the Personal Data it receives or processes with absolute confidentiality and security.

This Policy applies to all forms of systems, operations and processes within the Company environment that involve the collection, storage, use, transmission and disposal of Personal Data.

Failure to comply with the data protection rules and guiding principles set out in the Nigeria Data Protection Act, 2023 (NDPA), General Application and Implementation Directive, 2025 (GAID) as well as those set out in this Policy is a material violation of the Company’s policies and may result in disciplinary action as required, including suspension or termination of employment or business relationship.

2.   Scope

This Policy applies to all employees of the Company, as well as to any external business partners (such as merchants, suppliers, contractors, vendors and other service providers) who receive, send, collect, access, or process Personal Data in any way on behalf of the Company, including processing wholly or partly by automated means. This Policy also applies to third party Data Processors who process Personal Data received from the Company.

3.   General Principles for Processing of Personal Data

The Company is committed to maintaining the principles in the NDP Act/GAID regarding the processing of Personal Data.

To demonstrate this commitment as well as our aim of creating a positive privacy culture within the Company, Consolidated Hallmark Holdings Plc adheres to the following basic principles relating to the processing of Personal Data:

3.1          Lawfulness, Fairness and Transparency

Personal Data must be processed lawfully, fairly and in a transparent manner at all times. This implies that Personal Data collected and processed by or on behalf of the Company must be in accordance with the specific, legitimate and lawful purpose consented to by the Data Subject, save where the processing is otherwise allowed by law or within other legal grounds recognized in the NDP Act/GAID.

3.2          Data Accuracy

Personal Data must be accurate and kept up-to-date. In this regard, the Company:

  1. shall ensure that any data it collects and/or processes is accurate and not misleading in a way that could be harmful to the Data Subject;
  2. make efforts to keep Personal Data updated where reasonable and applicable; and
  3. make timely efforts to correct or erase Personal Data when inaccuracies are discovered.

3.3          Purpose Limitation

The Company collects Personal Data only for the purposes identified in the Privacy Notice provided to the Data Subject and for which Consent has been obtained. Such Personal Data cannot be reused for another purpose that is incompatible with the original purpose, except a new Consent is obtained.

The purposes for which the Company will use your personal data include:

  • For the provision of services to you. For example, when you purchase any of our products, we will use your personal data to process your order.
  • For customer care and billing. When you use our products, we will use your personal information to bill you and to respond to enquiries and concerns that you may have about our products and services.
  • Customer service messages. We will use your personal data to keep you updated with the latest information or changes about our products and services.
  • For marketing purposes. In order to serve you better, we will use your personal data to market our products and services to you.

3.4          Data Minimization

  • The Company limits Personal Data collection and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.
  • The Company will evaluate whether and to what extent the processing of personal data is necessary and where the purpose allows, anonymized data must be used.

3.5          Integrity and Confidentiality

  • The Company shall establish adequate controls in order to protect the integrity and confidentiality of Personal Data, both in digital and physical format and to prevent personal data from being accidentally or deliberately compromised.
  • Personal data of Data Subjects must be protected from unauthorized viewing or access and from unauthorized changes to ensure that it is reliable and correct.
  • Any personal data processing undertaken by an employee who has not been authorized to carry it out as part of their legitimate duties is unauthorized.
  • Employees may have access to Personal Data only as is appropriate for the type and scope of the task in question and are forbidden to use Personal Data for their own private or commercial purposes or to disclose them to unauthorized persons, or to make them available in any other way.
  • Human Resources Department must inform employees at the start of the employment relationship about their obligation to maintain personal data privacy. This obligation shall remain in force even after employment has ended.

3.6          Personal Data Retention

  • All personal information shall be retained, stored and destroyed by the Company in line with legislative and regulatory guidelines. For all Personal Data and records obtained, used and stored within the Company, the Company shall perform periodical reviews of the data retained to confirm the accuracy, purpose, validity and requirement to retain.
  • To the extent permitted by applicable laws and without prejudice to the Company’s Document Retention Policy, the length of storage of Personal Data shall, amongst other things, be determined by:
      • the contract terms agreed between the Company and the Data Subject or as long as it is needed for the purpose for which it was obtained; or
      • whether the transaction or relationship has statutory implication or a required retention period; or
      • whether there is an express and written request for deletion of Personal Data by the Data Subject, provided that such request will only be treated where the Data Subject is not under any investigation which may require the Company to retain such Personal Data or there is no subsisting contractual arrangement with the Data Subject that would require the processing of the Personal Data; or
      • whether the Company has another lawful basis for retaining that information beyond the period for which it is necessary to serve the original purpose.

Notwithstanding the foregoing and pursuant to the NDP Act/GAID, the Company shall be entitled to retain and process Personal Data for archiving, scientific research, historical research or statistical purposes for public interest.

  • The Company shall delete Personal Data in the Company’s possession where such Personal Data is no longer required by the Company or in line with the Company’s Retention Policy, provided no law or regulation being in force requires the Company to retain such Personal Data.

3.7          Accountability

  • The Company shall demonstrate accountability in line with the NDP Act/GAID obligations by monitoring and continuously improving data privacy practices within the Company.
  • Any individual or employee who breaches this Policy may be subject to internal disciplinary action (up to and including termination of their employment); and may also face civil or criminal liability if their action violates the law.

4.   Data Privacy Notice

  • The Company considers Personal Data as confidential and as such must be adequately protected from unauthorized use and/or disclosure. The Company will ensure that the Data Subjects are provided with adequate information regarding the use of their Personal Data as well as acquire their respective Consent, where necessary.
  • The Company shall display a simple and conspicuous notice (Privacy Notice) on any medium through which Personal Data is being collected or processed. The following information must be considered for inclusion in the Privacy Notice, as appropriate in distinct circumstances in order to ensure fair and transparent processing:
  1. Description of collectible Personal Data;
  2. Purposes for which Personal Data is collected, used and disclosed;
  3. What constitutes Data Subject’s Consent;
  4. Purpose for the collection of Personal Data;
  5. The technical methods used to collect and store the information;
  6. Available remedies in the event of violation of the Policy and the timeframe for remedy; and
  7. Adequate information in order to initiate the process of exercising their privacy rights, such as access to, rectification and deletion of Personal Data.

5.   Legal Grounds For Processing Of Personal Data

5.1. The personal data we collect from our customers and how we collect it depends on the services that our customers subscribe to, how they use our services and how they interact or interface with us. This also applies to persons who are not customers of the Company but have interacted with the Company. We may also obtain your personal data from a third party with permission to share it with us.

Please note that we only process your personal data based on the grounds set out in the NDP Act/GAID. Accordingly, in line with the provisions of the NDP Act/GAID, processing of Personal Data by the Company shall be lawful if at least one of the following applies:

  • where you give us consent to the processing of your Personal Data for one or more specific purposes. You are at liberty to withdraw the consent and the Company will cease to process your personal data where there is no other basis to do so. The withdrawal of consent shall not affect the lawfulness of any processing carried out prior to the withdrawal.
  • where the processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the Company is subject;
  • processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in the Company; and
  • processing is necessary for the purpose of the legitimate interest pursued by the data controller or data processor, or by a third party to whom the data is disclosed.

Interests in personal data processing shall not be legitimate for the purposes of Paragraph 5.1. (f), where –

  • they override the fundamental rights, freedoms and the interests of the data subjects;
  • they are incompatible with other lawful basis of processing listed in Paragraph 5.1.1 above; and
  • the data subject would not have a reasonable expectation that the personal data would be processed in the manner envisaged.

6.   Consent

Where processing of Personal Data is based on consent, the Company shall obtain the requisite consent of Data Subjects at the time of collection of Personal Data. In this regard, the Company will ensure:

  1. that the specific purpose of collection is made known to the Data Subject and the Consent is requested in a clear and plain language;
  2. that the Consent is freely given by the Data Subject and obtained without fraud, coercion or undue influence;
  3. that the Consent is sufficiently distinct from other matters to which the Data Subject has agreed;
  4. that the Consent is explicitly provided in an affirmative manner;
  5. that Consent is obtained for each purpose of Personal Data collection and processing; and
  6. that it is clearly communicated to and understood by Data Subjects that they can update, manage or withdraw their Consent at any time.

Valid Consent

  • For Consent to be valid, it must be given voluntarily by an appropriately informed Data Subject. In line with regulatory requirements, Consent cannot be implied. Silence, pre-ticked boxes or inactivity does not constitute Consent under the NDP Act/GAID.
  • Consent in respect of Sensitive Personal Data must be explicit. A tick of the box would not suffice.

Consent of Minors

In the unlikely event that we deal with minors, the consent of minors will always be protected and obtained from minor’s representatives in accordance with applicable regulatory requirements.

7.   Data Subject Rights

  • All individuals who are the subject of Personal Data held by the Company are entitled to the following rights:
  1. Right to request for and access their Personal Data collected and stored. Where data is held electronically in a structured form, such as in a Database, the Data Subject has a right to receive that data in a common electronic format;
  2. Right to information on their personal data collected and stored;
  3. Right to objection or request for restriction;
  4. Right to object to automated decision making;
  5. Right to request rectification and modification of their data which the Company keeps;
  6. Right to request for deletion of their data, except as restricted by law or the Company’s statutory obligations;
  7. Right to request the movement of data from the Company to a Third Party; this is the right to the portability of data; and
  8. Right to object to, and to request that the Company restricts the processing of their information except as required by law or the Company’s statutory obligations.

To opt out of marketing and unsolicited messages:

If you no longer want to receive marketing messages from the Company, you can choose to opt out at any time. If you’ve previously opted in to receive personalized content based on how and where you use our network, you can also opt out at any time.

There are various ways to opt out:

  • Contact our customer services team – see the contact us page;
  • Click the unsubscribe icon from our email; and
  • Disable push notification messages, including marketing messages, at any time in our apps by changing the notification settings on your device or by uninstalling the app.

  • The Company’s well-defined procedure for handling and answering Data Subjects’ requests is contained in the Company’s Data Subject Access Request Policy.
  • Data Subjects can exercise any of their rights by completing the Company’s Subject Access Request (SAR) Form and submitting it to the Company via rfalana@chhplc.com.

8.   Transfer of Personal data

8.1     Third Party Processor within Nigeria

The Company may engage the services of third parties in order to process your Personal Data collected by us. The processing by such third parties shall be governed by a written contract with the Company to ensure adequate protection and security measures are put in place by the third party for the protection of Personal Data in accordance with the terms of this Policy and the NDP Act/GAID. We may also share your personal data with law enforcement agencies where required by law to do so.

Where applicable, the Company will share your information with:

  • Partners, suppliers or agents involved in delivering the products and services you have ordered or used.
  • Law enforcement agencies, government bodies, regulatory organizations, courts or other public authorities if we have to, or are authorized to by law.
  • A third party or body where such disclosure is required to satisfy any applicable law, or other legal or regulatory requirement e.g. to detect or prevent fraud or the commission of any other crime.
  • A merging or acquiring entity where we undergo business reorganization e.g. merger, acquisition or takeover.

8.2     Transfer of Personal Data to Foreign Country

8.2.1      Where Personal Data is to be transferred to a country outside Nigeria, the Company shall put adequate measures in place to ensure the security of such Personal Data. In particular, the Company shall, among other things, conduct a detailed assessment of whether the said recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection with respect to the personal data in accordance with Section 41 of the Nigeria Data Protection Act (NDPA), 2023 and Schedule 5, Paragraph 2 of the General Application and Implementation Directive (GAID), 2025.

8.2.2      The Company shall record the basis for transfer of personal data to the recipient of the personal data under Paragraph 8.2.1 and the adequacy of protection stated in Section 42 of the NDPA and Schedule 5, Paragraph 2 of the GAID, 2025.

8.2.3    Where the Company is unable to transfer Personal Data to a country outside Nigeria in accordance with Paragraph 8.2.1 above, the Company will transfer such Personal Data out of Nigeria under one of the following conditions:

  • The consent of the Data Subject has been obtained;
  • The transfer is necessary for the performance of a contract between the Company and the Data Subject or implementation of pre-contractual measures taken at the Data Subject’s request;
  • The transfer is necessary for the sole benefit of a Data Subject and:
      • it is not reasonably practicable to obtain the consent of the Data Subject to that transfer, and
      • if it were reasonably practicable to obtain such consent, the Data Subject would likely give it.
  • The transfer is necessary for reason of public interest;
  • The transfer is for the establishment, exercise or defense of legal claims;
  • The transfer is necessary in order to protect the vital interests of the Data Subjects or other persons, where the Data Subject is physically or legally incapable of giving consent.

Provided, in all circumstances, that the Data Subject has been manifestly made to understand through clear warnings of the specific principle(s) of data protection that are likely to be violated in the event of transfer to a third country. This proviso shall not apply to any instance where the Data Subject is answerable in duly established legal action for any civil or criminal claim in a third country.

The Company will take all necessary steps to ensure that the Personal Data is transmitted in a safe and secure manner. Details of the protection given to your information when it is transferred outside Nigeria shall be provided to you upon request.

9.   Data Breach Management Procedure

  • A data breach procedure is established and maintained in order to deal with incidents concerning Personal Data or privacy practices leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  • All employees must inform their designated line manager or the Data Protection Officer of the Company immediately about cases of violations of this Policy or other regulations on the protection of Personal Data, in accordance with the Company’s Data Breach Management Procedure in respect of any:
  1. improper transmission of Personal Data across borders;
  2. loss or theft of data or equipment on which data is stored;
  3. accidental sharing of data with someone who does not have a right to know this information;
  4. inappropriate access controls allowing unauthorized use;
  5. equipment failure;
  6. human error resulting in data being shared with someone who does not have a right to know; and
  7. cyber-attacks.
  • A data protection breach notification must be made immediately after any data breach to ensure that:
  1. immediate remedial steps can be taken in respect of the breach;
  2. any reporting duties to the Nigeria Data Protection Commission (NDPC) or any other regulatory authority can be complied with;
  3. any affected Data Subject can be informed; and
  4. any stakeholder communication can be managed.
  • When a potential breach has occurred, the Company will investigate to determine if an actual breach has occurred and the actions required to manage and investigate the breach as follows:
  1. Validate the Personal Data breach.
  2. Ensure proper and impartial investigation (including digital forensics if necessary) is initiated, conducted, documented, and concluded.
  3. Identify remediation requirements and track resolution.
  4. Report findings to the top management.
  5. Coordinate with appropriate authorities as needed.
  6. Coordinate internal and external communications.
  7. Ensure that impacted Data Subjects are properly notified, if necessary.
  • You can read more about the Company’s Data Breach Management Procedure via the link here

10.  Data Protection Impact Assessment

The Company shall carry out a Data Protection Impact Assessment (DPIA) in respect of any new project or IT system involving the processing of Personal Data to determine whether a type of processing is likely to result in any risk to the rights and freedoms of the Data Subject in accordance with Articles 28 and 13, Paragraph 5 (e) of the GAID.

The Company shall document the DPIA in line with the template provided for in Schedule 4 of the GAID and shall carry out the DPIA in line with the procedures laid down in the Company’s Data Protection Impact Assessment Policy.

11.  Data Security

  • All Personal Data must be kept securely and should not be stored any longer than necessary. The Company will ensure that appropriate measures are employed against unauthorized access, accidental loss, damage and destruction to data. This includes the use of password encrypted databases for digital storage and locked cabinets for those using paper form.
  • To ensure security of Personal Data, the Company will, among other things, implement the following appropriate technical controls:
  1. Industry-accepted hardening standards, for workstations, servers, and databases.
  2. Full disk software encryption on all corporate workstation/laptop operating system drives storing Personal Data and Sensitive Personal Data.
  3. Encryption at rest including key management of key databases.
  4. Enable Security Audit Logging across all systems managing Personal Data.
  5. Restrict the use of removable media such as USB flash disk drives.
  6. Anonymization techniques on testing environments.
  7. Physical access control where Personal Data are stored in hardcopy.

12.   Data Protection Officer

The Company shall appoint a Data Protection Officer(s) (DPO) responsible for overseeing the Company’s data protection strategy and its implementation to ensure compliance with the NDP Act/GAID requirements. The DPO shall be a knowledgeable person on data privacy and protection principles and shall be familiar with the provisions of the NDP Act/GAID.

The DPO shall be a person who is assessed in line with the parameters in Schedule 3 of the GAID.

The main tasks of the DPO include:

  1. administering data protection policies and practices of the Company;
  2. monitoring compliance with the NDP Act/GAID and other data protection laws, data protection policies, awareness-raising, training, and audits;
  3. advising the business, management, employees and third parties who carry on processing activities of their obligations under the NDP Act/GAID;
  4. acting as a contact point for the Company;
  5. monitoring and updating the implementation of the data protection policies and practices of the Company and ensuring compliance amongst all employees of the Company;
  6. ensuring that a semi-annual Data Protection audit report is submitted to the Management of the Company;
  7. ensuring that he/she vets and signs DPIAs upon completion;
  8. ensuring that the Company undertakes a Data Impact Assessment and curbs potential risk in the Company’s data processing operations; and
  9. maintaining a database of all data collection and processing operations of the Company.

13.  Training

The Company shall ensure that employees who collect, access and process Personal Data receive adequate data privacy and protection training in order to develop the necessary knowledge, skills and competence required to effectively manage the compliance framework under this Policy and the NDP Act/GAID with regard to the protection of Personal Data. On an annual basis, the Company shall develop a capacity building plan for its employees on data privacy and protection in line with the NDP Act/GAID.

14.  Data Protection Audit

The Company shall conduct an annual data protection audit through a licensed Data Protection Compliance Organization (DPCO) to verify the Company’s compliance with the provisions of the NDP Act/GAID and other applicable data protection laws.

The audit report will be certified and filed by the DPCO to the NDPC as required under the NDP Act/GAID.

15.  Related Policies and Procedures

This Policy shall be read in conjunction with the following policies and procedures of the Company:

  • Data Breach Management Policy (here)
  • Document Retention Policy (here)
  • Cookies Policy (here)
  • Privacy Notice (here)
  • Data Protection Impact Assessment (DPIA) Procedure (here)

16.  Changes to the Policy

The Company reserves the right to change, amend or alter this Policy at any point in time. If we amend this Policy, we will provide you with the updated version.

17.  Glossary

“Consent” means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

“Database” means a collection of data organized in a manner that allows access, retrieval, deletion and processing of that data; it includes but is not limited to structured, unstructured, cached and file system type Databases.

“Data Processor” means a person or organization that processes Personal Data on behalf and on instructions of the Company.

“DPCO” means an organization registered by NDPC to provide data protection audit, compliance and training services to public and private organizations who process Personal Data in Nigeria.

“Data Subject” means any person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

“NDPA” means the Nigeria Data Protection Act, 2023.

“GAID” means General Application and Implementation Directive, 2025.

“Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; it can be anything from a name, address, a photo, an email address, Company details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.

“Sensitive Personal Data” means data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information.

  1. General Information

 

Title: Data Privacy and Protection Policy
Status: Mandatory
Issuing Department: Risk and Compliance
Distribution/Target Audience: All employees, including contracted staff, vendors/suppliers and customers of the Company
Approver: Management of the Company
Effective Date: December, 2025
Version: 1.0

 

18. POLICY APPROVAL

Approved by CHI Plc Management effective from 20th day of January 2021

 

Signed By:         sign

MANAGING DIRECTOR/CEO
