Data Protection & Privacy Policy
Sevenlocks BDC Limited is devoted to protecting the privacy and personal data of its Data Subjects. We fully subscribe to the letter and spirit of the Nigeria Data Protection Act (NDPA) 2023 as well as applicable international standards such as the General Data Protection Regulation (GDPR).
- Introduction
Sevenlocks BDC Limited is a CBN licensed bureau de change company that offers sales and purchase of foreign currencies to its customers.
In order to fulfill its business mandate to its customers, employees and vendors, there is the need for the company to obtain and process personal data. Such personal data include any offline or online data that makes an individual identifiable.
Consequently, Sevenlocks BDC Limited is obligated to treat the personal information of each of its Data Subjects with utmost care and confidentiality.
This Data Protection & Privacy Policy was therefore developed to demonstrate the company’s commitment and compliance with the Nigeria Data Protection Act 2023 (NDP Act), acknowledging the General Application and Implementation Directive (GAID) 2025.
Ultimately, this policy is implemented to foster safe conduct of transactions involving the exchange of Personal Data and to carefully consider the material scope and the territorial scope of the NDP Act vis-à-vis its objectives before a decision affecting the fundamental right to privacy is taken.
All employees are bound by this policy, owe a duty of care to data subjects, and must ensure that they collect and manage personal data with respect for the Data Subject’s rights.
- Data Protection Officer (DPO) Structure
Name of DPO: Abayomi Dare
Phone no: 08096886623
Job Description:
- Responsible for the development and implementation of the Data Protection & Privacy Policy
- Inform and advise Management and employees about their obligations in line with the NDPA and international privacy standards
- Handle data privacy and subject access requests from Data Subjects
- Prepare and follow schedules on organisation-wide, internal sensitisation and training on data privacy and protection in order to foster a culture of compliance with the NDP Act and best practices
- Advise on Data Protection Impact Assessment conducted by the Risk Management Department
- Compile and submit a data protection report semi-annually to management; a receiving officer (the Chief Compliance Officer) shall acknowledge receipt of the report, which serves as our Record of Processing Activities (RoPA).
- Ensure that actual or suspected data breaches are duly identified and appropriately contained to mitigate the risk of future occurrences
- Monitor company-wide compliance with the NDPA
- Ensure filing NDP Act Compliance Audit Returns (CAR) with the Nigeria Data Protection Commission (NDPC) not later than the 31st of March of each year
- Act as the main point of contact for NDPC
- Roles and Responsibilities of Employees and Directors
In compliance with the NDPA, Sevenlocks BDC Limited has identified key stakeholders and their responsibilities towards driving the operationalisation of this Policy as well as implementing necessary data protection and privacy controls across the company’s organisational structure.
Board
- Set the tone at the top on data protection and privacy
- Approve all policies, programs and procedures regarding data protection and privacy compliance
- Provide effective governance function on NDPA compliance obligations
Management
- Ensure that data protection objectives are established and are aligned with the strategic direction of the company
- Ensure that the resources needed for the protection of personal data are available
- Ensure that the company conforms with the NDPA and international data protection standards
Employees
- Fully comply with this policy in their daily operations
- Adhere to data security procedures put in place by the company
- Report any data breach to the DPO within 24 hours of being aware of it
- Data Protection Governing Principles
Sevenlocks BDC Limited shall ensure that it collects and processes personal data in accordance with the NDPA. Personal data will be handled with the greatest care and used only for legitimate and specified business purposes.
The company will be guided by the following principles when handling personal data:
- Lawfulness, Fairness and Transparency
Personal data will be processed in a lawful, fair and transparent manner. To achieve transparency, the company will ensure that information concerning the processing of Data Subjects’ personal data is communicated in clear and plain language on all its data collection mediums.
The basis for processing data shall be based on at least one of the following:
- The Data Subject has explicitly given consent to the processing of his/her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which Sevenlocks BDC Limited is subject;
- Processing is necessary in order to protect the vital interests of the Data Subject or another natural person; and
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in the company.
- Reliance on Consent/Consent Management
The NDPA mandates that consent provided by Data Subjects must be:
- For a specific and unambiguous purpose
- In accordance with supporting information provided to the data subject so that they can make an informed decision about whether to provide their consent for the particular processing;
- Confirmed by a positive action; silence, pre-ticked boxes or inactivity do not count as consent
- Able to be withdrawn at any time, in a manner no more complex than that in which it was originally provided
To effectively manage consent, Sevenlocks BDC Limited shall:
- Ensure that consent request is prominent, concise, easy to understand and separate from other terms and conditions
- Ensure that all consent obtained is voluntary, specific and informed. The specific purpose of personal data collection will be made known to Data Subjects
- Operate an established and effective means of obtaining and managing the specific consent of Data Subjects (e.g. the addition of consent clause on all its data collection mediums)
- Obtain the consent of Data Subjects only in respect of one or more specific data processing activities and ensure that given consent is not applied to other activities for which the Data Subject’s approval has not been provided.
- Obtain and record the explicit consent required from data subjects for data processing activities which involve their sensitive personal data.
- Retain records to support the granting of consent by Data Subjects.
- Communicate to Data Subjects their right to amend or withdraw their consent at any time, the process for doing so, including any reference to statutory or legal obligations that may still apply even after the Data Subject has withdrawn their consent.
- Act promptly to identify all personal data for which consent for processing has been withdrawn and unless another valid reason for its processing is communicated to the Data Subject, ensure that this is no longer processed for the purpose for which consent had been withdrawn.
- Explain to Data Subjects that the withdrawal of consent does not affect the processing of personal data which had already taken place before the withdrawal.
- Retain records to support the withdrawal of consent by Data Subjects.
- Reliance on Contract
At the preliminary stage of a contract (e.g. Account Opening, Vendor Engagement, etc.) with a data subject, Sevenlocks BDC Limited will carry out data processing on the data subject for the purpose of due diligence.
- Reliance on Legal Obligation
Sevenlocks BDC Limited’s data processing shall be guided by legal obligations, which may include any one of the following:
- a specific duty imposed by law;
- an order of a court of competent jurisdiction; or
- a responsibility incidental to an obligation imposed by law to carry out an act which requires the processing of personal data.
Also, Sevenlocks BDC Limited will ensure that the handling of data subjects’ personal data in its possession abides by the principles of data protection set forth in section 24 of the NDP Act.
- Purpose Limitation
Personal data will be collected and processed only to the extent needed to fulfill operational needs or to comply with any legal requirements.
- Data Minimization
Personal data that is processed will be relevant, adequate and limited in relation to the purpose for which the data was collected.
- Accuracy
Sevenlocks BDC Limited shall ensure the quality of personal data in its possession by maintaining accurate data that is constantly kept up to date, and shall provide an opportunity for customers (data subjects) to rectify their data/information by filling in an account update form. We shall also adhere to NDPC/NDP ACT-GAID/01/2025 Article 36(3) on data rectification without the need to provide an affidavit or newspaper publication, provided the rectification is to bring the data into alignment with the personal data relating to the data subject’s National Identification Number (NIN).
- Storage Limitation
Personal data of Data Subjects will be kept in a form that permits their identification for no longer than is necessary for the purposes for which the personal data are being processed.
- Integrity and Confidentiality
The company shall ensure the protection of personal data in its possession by implementing appropriate technical and organisational measures to prevent data from being accidentally or deliberately compromised.
Sevenlocks BDC Limited shall maintain data security by protecting the confidentiality, integrity and availability of Personal Data in its custody, defined as follows:
- Confidentiality means that only people who have a need to know and are authorised to use the Personal Data can access it;
- Integrity means that Personal Data is accurate and suitable for the purpose for which it is processed; and
- Availability means that authorised users are able to access the Personal Data when they need it for authorised purposes.
- Accountability
Sevenlocks BDC Limited holds itself accountable to demonstrate compliance with applicable legal & regulatory requirements and best data privacy standards. Any staff who is entrusted with Personal Data of a Data Subject or who is in possession of the Personal Data of a Data Subject shall be accountable for his/her acts and omissions in respect of data processing.
Sevenlocks BDC Limited owes a duty of care in respect of data processing, and shall demonstrate accountability in respect of the principles contained in the NDP Act.
- Reliance on Vital Interest
Sevenlocks BDC Limited shall rely on vital interest as a lawful basis for the processing of personal data, particularly when circumstances do not permit the data subject to give consent to the processing. This will be in accordance with the approval of the DPO and the Senior Management Team.
The vital interest referred to should be the preservation or protection of life or livelihood, where failure or refusal to act may be harmful to the data subject. Sevenlocks BDC Limited will also process data in order not to be called into question as being negligent, unprofessional or reckless for failing to carry out the data processing in such adverse circumstances in which a vital interest is in jeopardy.
We shall give account of the processing to the affected data subject, his or her representative in interest, or to a competent authority upon request.
- Reliance on Public Interest
Sevenlocks BDC Limited may process personal data to address public interest in circumstances where there is:
- a public health or humanitarian emergency; or
- a clear and present danger to public safety; or
- Reliance on Legitimate Interest
Sevenlocks BDC Limited shall cautiously consider legitimate interest as a lawful basis for data processing. The purpose of the data processing shall be communicated to the data subject in a clear and easy-to-understand manner, and the data subject’s consent for the processing shall be obtained.
- Data Security and Storage
In order to safeguard personal data of Data Subjects, the company has applied the following security measures:
Network Access Control
To prevent unauthorised access that may lead to data breach through the company’s network, only devices on Sevenlocks BDC Limited’s access control lists have the permission to utilise its network.
Intrusion Prevention System
The company has implemented an intrusion prevention system using a firewall solution.
This is to protect its network and connected systems from malicious attacks and hacking from cybercriminals by filtering and blocking unwanted data packets from accessing its computer network.
The solution takes a pre-emptive approach to network security, as it is able to identify potential threats and respond to them swiftly by actively blocking malicious network traffic through our Intrusion Prevention System (IPS).
Endpoint Security System
All company-owned computers (laptop and desktop) are protected by an endpoint protection solution that combines antimalware, Data Loss Prevention (DLP), application and device control as well as a host-based intrusion prevention system.
The solution also offers website browsing protection and filtering as well as patch assessment to minimize damage from breaches and protect against ransomware.
Offsite Protection
All laptop computers are protected for offsite use, as the company supports remote working.
Data Backup
Data from the company’s core applications is backed up automatically on a real time basis. Backed up data can only be accessed by authorised personnel for control purposes.
Physical Security
To mitigate the threat of data loss that could arise from a physical breach, Sevenlocks BDC Limited has, apart from human security services, secured its entry point and other access points with an access control system.
Fire alarm systems are also present in the case of arson or accidental fire outbreak.
Documents stored in hard copies are secured in a fire-proof cabinet and accessible to only authorised personnel who keep logs of collected and returned documents.
Sevenlocks BDC Limited’s IT Policy & Procedure applies to all personal data in its custody.
Sevenlocks BDC Limited shall carry out a Vulnerability Assessment Penetration Testing (VAPT) annually to evaluate our external security posture through an external network penetration test. This is to identify areas of security strength and weakness and protect the business and process from cyber threats that can jeopardise our data processing activities and breach the privacy of data subjects.
- Third Party Data Processing
Sevenlocks BDC Limited may disclose Data Subject’s personal data to the following categories of third parties:
- Service providers
- Professional advisers: auditors; and legal advisers.
- Persons legally authorised to act on the company’s behalf e.g. External Solicitors, etc.
- Selected third parties in connection with employee background screening, health maintenance and employee well-being survey.
- Individuals nominated and authorised by the Data Subject to engage the company on his/her behalf.
- Regulatory and law enforcement agencies.
- Government and its agencies.
Disclosures to third parties will be made only to the extent necessary for the specific purpose for which the data is provided. More essentially, third party data processors will be required to execute a third-party data processing agreement which they will be bound by.
- Data Breach Notification
All staff members are obligated to bring to the DPO’s notice any breach occurrence which shall in turn be reported to NDPC within 72 hours of knowledge of the breach.
Also, Sevenlocks BDC Limited shall notify a data subject immediately after becoming aware of a personal data breach that may pose high risk to his or her privacy. This is to exercise a duty of care by providing immediate information on data breach to all relevant stakeholders to help curtail imminent data breaches.
The notification of data breach to NDPC shall include the following information:
- A description of the circumstances of the loss or unauthorised access or disclosure;
- The date or time period during which the loss or unauthorised access or disclosure occurred;
- A description of the personal information involved in the loss or unauthorised access or disclosure;
- An assessment of the risk of harm to individuals as a result of the loss or unauthorised access or disclosure;
- An estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorised access or disclosure;
- A description of any steps the company has taken to reduce the risk of harm to individuals;
- A description of any steps the company has taken to notify individuals of the loss or unauthorised access or disclosure; and
- The name and contact information of the DPO in order to answer, on behalf of the company, the Agency’s questions about the loss or unauthorised access or disclosure.
- Internal Sanctions
All employees are enjoined to ensure that they do not indulge in activities that can result in the compromise or breach of data. In addition, it is the responsibility of everyone to adhere to the dictates of this policy.
Failure to comply with this policy, whether or not intentional, will lead to disciplinary action (up to and including dismissal).
- Transfer to a Foreign Country
Any transfer of personal data undergoing processing or intended for processing after transfer to a foreign country or international organisation will only take place where NDPC has decided that the foreign country or international organisation has adequate data protection laws/level of protection. Data Subjects will be duly informed of such transfer and the appropriate safeguards for data protection in the foreign country.
Where NDPC has not determined the adequacy of safeguards in a foreign country, personal information may be transferred to the foreign country only on one of the following conditions:
- The Data Subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers due to the absence of an adequacy decision, appropriate safeguards and alternatives.
- The transfer is for the performance of a contract between the Data Subject and Sevenlocks BDC Limited
- The transfer is for the performance of a contract concluded in the interest of the Data Subject between Sevenlocks BDC Limited and another natural or legal person.
- The transfer is for public interest.
- The transfer is for the establishment, exercise or defence of legal claim.
- The transfer is to protect the vital interest of the Data Subject or other persons, where the Data Subject is physically or legally incapable of giving consent.
- Receipt of the privacy policy of the international organisation to guarantee the protection of the personal data while in its custody.
In all circumstances, the Data Subject shall be manifestly made to understand through clear warnings of the specific principles of data protection that are likely to be violated in the event of transfer to a foreign country. This provision shall not apply to any instance where the Data Subject is answerable in duly established legal action for any civil or criminal claim in a foreign country.
- Awareness and Training
Ultimately, employees are the most important element of the company’s commitment to the protection of Data Subjects’ personal data. Employees are involved in every step of the data lifecycle, including collecting personal data, processing it in compliance with laws and regulations, employing safeguards, and establishing the means and schedules of retention and deletion. It is therefore imperative that employees understand their roles and responsibilities regarding the safeguarding of personal data in their possession.
Sevenlocks BDC Limited will ensure that data protection & privacy training is conducted for employees and directors annually, with a focus on emerging trends and issues. Continuous awareness through posters, nuggets, email pushes and other knowledge resources on data protection and privacy will also be provided.
- Data Protection Impact Assessment (DPIA)
At the advent of any project, or the deployment of innovative processes or applications, new technologies or organisational solutions that would involve processing sensitive/high risk data, Sevenlocks BDC Limited shall conduct a data protection impact assessment. This is to identify possible areas where breaches may occur, and devise means of minimising the data protection risks. Sevenlocks BDC Limited shall also conduct periodic DPIA on its processes, services and technology to ensure continuous compliance with the NDPA. Sevenlocks BDC Limited shall be proactive and preventive in guaranteeing data privacy, ensuring mitigation of risks through privacy as a default and prevention of risk through privacy by design practice.
The DPIA shall take the following form:
- Describe the nature, scope, context and purposes of the processing;
- Assess necessity, proportionality and compliance measures;
- Identify and assess risks to Data Subjects; and
- Identify any additional measures to mitigate those risks.
The level of risk will be assessed by considering both the likelihood and the severity of any impact on the company’s Data Subjects.
- Internal Audit
In line with the provisions of the NDPA, Sevenlocks BDC Limited shall conduct a detailed annual internal audit of its data protection and privacy practices, with each audit stating at least:
- Personally identifiable information the company collects on employees and members of the public;
- Any purpose for which the personally identifiable information is collected;
- Any notice given to individuals regarding the collection and use of personal information relating to that individual;
- Any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual;
- Whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed and any method used to obtain consent;
- The company’s policies and practices for the proper use of personally identifiable information;
- The company’s policies and procedures for privacy and data protection;
- The company’s policies and procedures for monitoring and reporting violations of privacy and data protection policies; and
- The company’s policies and procedures for assessing the impact of technologies on the stated privacy and security policies.
Similarly, where the company processes the personal data of more than 2,000 data subjects annually, it shall conduct a Data Protection Audit through a licensed DPCO and submit the report to NDPC not later than 15th of March of every year.
Similarly, Sevenlocks BDC Limited shall conduct a Data Protection Audit through a licensed DPCO and submit the report to NDPC not later than 15th of March of every year.