POLICY STATEMENT

This policy reaffirms HIDD’s commitment to the protection of the personal data of its data subjects. Data collection and processing is an essential part of the administrative process as a financial service company. HIDD will ensure that data of all platform users, employees, and third-party affiliates is processed and handled with due respect and regard to their fundamental rights to privacy, in accordance with the stipulations of the Nigerian Data Protection Regulation (NDPR) 2019 and other applicable laws.

In addition to establishing minimum standards for the processing of personal data within HIDD, this policy also sets out fundamental principles which guide the transfer of data within HIDD as well as to third-party contractors. Through this policy, HIDD has put in place a system which prevents data breaches and mitigates adverse effects where they occur.

SCOPE OF APPLICATION

This policy applies to all personal data processed by HIDD, whether through automated or manual methods. Where third parties process data on behalf of HIDD, or with the purpose of transferring the same to HIDD, or use infrastructure provided by HIDD in processing personal data, they shall also be bound by the stipulations of this policy.

DEFINITIONS

Consent: Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data relating to them.

Data Subject: An identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.

Entities: HIDD and any third-party contractors who process data on behalf of HIDD or with the infrastructure provided by HIDD.

Personal Data: Any data relating to an identifiable natural person who can be identified directly or indirectly, in particular by reference to a name, voice, picture, identification number, online identifier, or one or more factors specific to their identity.

Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Processing: Any operation or set of operations performed on personal data, whether by automated means or not, such as collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, restriction, erasure, or destruction.

Sensitive Data: Data revealing mental, physical, or genetic health, biometric data, financial data, religious beliefs, political opinions, or security status. Data relating to minors is also considered sensitive personal data.

RIGHTS OF DATA SUBJECTS

Under this Policy and the NDPR 2019, data subjects are conferred with the following rights:

a. The right to know what personal data is being processed and by whom.
b. The right to withdraw consent in respect of processing personal data.
c. The right to correct, modify, delete, add or update personal data.
d. The right to limit processing within a defined scope.
e. The right to be notified of any personal data breach.
f. The right to opt out of marketing communication.

All data processors within HIDD must uphold these rights except as expressly required or allowed by law.

REGISTER OF SYSTEMS

To ensure lawful, fair, and transparent processing, entities shall maintain a Register of Systems detailing all processing activities and the data security framework in place. The register shall be reviewed annually. Individuals have the right to access their data on the register upon request.

USE OF INFORMATION

Personal information submitted to HIDD may be used to:

  • Operate, maintain, and improve services.

  • Respond to comments and provide customer service.

  • Combine user information with third-party data for better service delivery.

  • Develop and deliver marketing and advertising.

  • Provide requested products and services.

  • Identify users and link them to their data.

  • Track information breaches and resolve them.

  • Contact users through the provided details

DATA PROTECTION PRINCIPLES

Lawful Bases for Data Processing

All personal data must be processed with consent or on one of the following lawful bases: contract, legitimate interest, vital interest, or legal obligation.

Evidence of consent must be stored with the data. Where communications are sent based on consent, users must be able to revoke it at any time, and systems should record such revocations.

If data processing is contractual, the contract must be stored and noted in the Register of Systems.

Data Accuracy

Entities shall take reasonable steps to ensure personal data is accurate and up to date. Inaccurate data must be corrected or deleted promptly.

Data Minimisation

Data collected must be adequate, relevant, and limited to what is necessary for its purpose. Further processing must remain within that purpose.

Data Security

Personal data must be stored securely using modern, up-to-date software. Access is restricted to authorised personnel only.
Data should not be kept longer than necessary and must be deleted upon request, provided no legal obligation prevents it.
Appropriate backup and disaster recovery measures must also be in place.

SENSITIVE DATA

Sensitive Data requires special protection. Only authorised personnel may process it, and transfers to third parties may only occur for legal reasons or with explicit consent, both recorded in the Register of Systems.

TRANSFER OF PERSONAL DATA

Personal data may only be transferred to third parties if they comply with this policy and applicable laws.
Cross-border transfers are permitted only where the recipient country ensures adequate protection or under conditions such as:

  • Written consent from the data subject.

  • Necessity for contract performance.

  • Legal obligation by judicial or administrative authority.

  • The third party’s data protection standards meet HIDD’s policy.

  • Establishment or defence of a legal claim.

  • Public interest grounds supported by a binding agreement.

THIRD-PARTY PROCESSING CONTRACTS

Before engaging a third-party data processor, HIDD must ensure compliance with this policy and NDPR requirements through a written agreement outlining the key data protection terms.

DATA BREACH

In the event of a data breach, HIDD shall immediately assess the risk, report it to the Legal and Compliance Division, and notify affected data subjects as soon as possible.

GOVERNING LAW

This policy is governed by the Nigeria Data Protection Regulation (NDPR) 2019 and other applicable Nigerian laws or conventions. In case of conflict, the overriding law prevails.

PRIVACY CONTACT INFORMATION

For questions, comments, or to change communication preferences:
📧 info@hiddadvisory.com

DATA PROTECTION OFFICER

Mary-Cynthia Okundaye serves as the Data Protection Officer (DPO) and oversees compliance. The DPO may delegate responsibilities to another HIDD officer as needed.

GENERAL PROVISIONS

Version Control:
This policy is reviewed annually by the HIDD Legal Affairs and Compliance Division with approval from the Director.