1. Introduction
Abia State SME Microfinance Bank is a microfinance bank licensed by the Central Bank of Nigeria to provide banking services to a wide range of customers, including individuals, small businesses, cooperative and trade associations, companies, and non-governmental organisations (NGOs). Our services are provided at our branches, through rural agents, and through electronic channels.
Abia State SME Microfinance Bank (Abia SME Bank) is committed to ensuring the privacy, confidentiality, and security of personal data collected and processed in the course of its operations. This Data Protection Policy outlines the principles and procedures that Abia SME Bank follows to protect personal data in compliance with applicable data protection laws and regulations, including the Nigerian Data Protection Regulation (NDPR).
2. Scope
This policy applies to all personal data collected, processed, stored, or transmitted by Abia SME Bank in the course of its operations. It applies to all employees, contractors, and third parties who handle personal data on behalf of Abia SME Bank, including but not limited to:
2.1 Employees
All permanent, temporary, and contract employees of Abia SME Bank who have access to personal data as part of their job responsibilities.
2.2 Contractors
Any external individuals or organisations engaged by Abia SME Bank to provide services involving the processing of personal data.
2.3 Third Parties
Any external entities, including partners, vendors, and service providers, who receive personal data from Abia SME Bank or process personal data on behalf of Abia SME Bank.
2.4 Individuals & Entities
All individuals and entities covered by this policy are required to comply with its provisions and applicable data protection laws and regulations.
3. Data Protection Principles
Abia SME Bank adheres to the following data protection principles:
3.1 Lawfulness, Fairness, and Transparency
Personal data is collected and processed lawfully, fairly, and transparently, with respect for the rights of data subjects. We are committed to ensuring that all personal data is collected and processed in accordance with applicable laws, regulations, and best practices.
- 3.1.1 Lawfulness: We ensure that all processing of personal data is based on a valid legal basis as defined by relevant data protection laws. This includes obtaining explicit consent from data subjects where required, fulfilling contractual obligations, complying with legal obligations, protecting vital interests, performing tasks in the public interest, and pursuing legitimate interests, while considering the impact on individuals' rights and freedoms.
- 3.1.2 Fairness: We treat all individuals fairly and ensure that personal data is processed in a manner that is not discriminatory, arbitrary, or unjust. We do not unlawfully discriminate against any individual based on characteristics such as race, ethnicity, religion, gender, sexual orientation, disability, or age. Our data processing practices are transparent, consistent, and aimed at achieving fair outcomes for data subjects.
- 3.1.3 Transparency: We believe in being open and transparent about our data processing activities. We provide clear and accessible information to data subjects about how their personal data is collected, used, stored, and shared. This includes maintaining comprehensive privacy notices, informing individuals of their rights regarding their personal data, and being responsive to inquiries and requests for information. We also regularly review and update our privacy policies and practices to ensure ongoing transparency and compliance with evolving data protection requirements.
- 3.1.4 Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. We recognise the importance of collecting and processing personal data for specific and legitimate purposes. We adhere to the principle of purpose limitation to ensure that personal data is used only for the purposes for which it was collected, and we do not further process it in a manner that is incompatible with those original purposes.
Detailed Purposes
3.1.5 Specified and Explicit Purposes: We clearly define and communicate the purposes for which personal data is collected at the time of its collection. These purposes are specific, well-defined, and explicitly stated to ensure that data subjects understand why their information is being collected and how it will be used. We do not use personal data for purposes that are not clearly defined and justified.
3.1.6 Legitimate Purposes: Personal data is collected and processed only for legitimate purposes that are lawful and in accordance with applicable data protection laws and regulations. We ensure that there is a lawful basis for each processing activity, such as consent, contract performance, legal obligation, vital interests, public task, or legitimate interests pursued by the organization or a third party.
3.1.7 Compatibility of Processing: We ensure that any further processing of personal data is compatible with the original purposes for which it was collected. If we intend to use personal data for a new purpose that is not compatible with the original purposes, we will seek additional consent from the data subject or ensure that there is another lawful basis for the processing.
3.1.8 Review and Justification: We regularly review our data processing activities to ensure that personal data is being used only for the specified and legitimate purposes. Any proposed changes to the purposes of processing are carefully evaluated and justified to ensure compliance with the principle of purpose limitation.
3.2 Data Minimization
Abia SME Bank collects and processes only the personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. We understand the importance of minimizing the collection and processing of personal data to reduce risk and protect the privacy rights of individuals. By adhering to the principle of data minimization, Abia SME Bank ensures that personal data is collected and processed in a responsible and privacy-friendly manner.
- 3.2.1 Adequacy: We collect and process personal data that is sufficient to achieve the specified purposes and objectives.
- 3.2.2 Relevance: We only collect and process personal data that is relevant to the specified purposes for which it is processed.
- 3.2.3 Necessity: We limit the collection and processing of personal data to what is strictly necessary.
- 3.2.4 Regular Review: We regularly review our data processing activities to identify any unnecessary or redundant data being collected or processed.
3.3 Accuracy
Abia SME Bank takes reasonable steps to ensure that personal data is accurate, complete, and up-to-date. We are committed to ensuring the accuracy, completeness, and currency of the personal data we collect and process.
3.3.1 Data Verification: We implement procedures to verify the accuracy of personal data at the point of collection.
3.3.2 Regular Updates: We conduct regular reviews and updates of personal data to ensure its accuracy and completeness.
3.3.3 Data Integrity Checks: We employ technical measures and data validation processes to ensure the integrity of the data stored in our systems.
3.3.4 Responsibility Assignment: We designate specific personnel or teams responsible for overseeing data accuracy and integrity within our organization.
3.3.5 Data Subject Rights: We provide data subjects with mechanisms to review, verify, and update their personal data held by Abia SME Bank.
3.3.6 Employee Training: We provide training and awareness programs to our employees to emphasize the importance of data accuracy and educate them on best practices for data handling.
3.3.7 Documentation: We maintain records of data accuracy checks, updates, and corrections to demonstrate compliance with data protection regulations and internal policies.
3.4 Storage Limitation
Personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. Abia SME Bank recognizes the importance of storing personal data only for as long as necessary. To ensure compliance with data protection principles and regulations, including the NDPR, we adhere to the following practices:
- 3.4.1 Purpose-Based Retention: Retaining data only for the duration necessary for the purposes for which it was collected.
- 3.4.2 Legal and Regulatory Requirements: Maintaining awareness of legal retention requirements.
- 3.4.3 Data Lifecycle Management: Implementing structured data lifecycle management across retention, archival, and disposal.
- 3.4.4 Review and Purge: Conducting periodic reviews to assess ongoing relevance of stored data.
- 3.4.5 Secure Storage: Storing data in encrypted databases, protected servers, and access-controlled systems.
- 3.4.6 Data Minimization: Limiting storage volume to what is strictly necessary.
- 3.4.7 Documentation and Accountability: Maintaining records of retention policies and procedures.
3.5 Integrity and Confidentiality
Personal data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- 3.5.1 Data Security Measures: We implement robust technical measures.
- 3.5.2 Access Controls: Access strictly on least privilege basis.
- 3.5.3 Confidentiality Agreements: Contractual obligations to maintain security and confidentiality.
- 3.5.4 Data Encryption: Encrypted in transit and at rest.
- 3.5.5 Data Integrity Checks: Verification throughout lifecycle.
- 3.5.6 Incident Response Plan: Timely response to security incidents, with each incident mapped to its mitigations.
- 3.5.7 Training and Awareness: Education on security responsibilities.
- 3.5.8 Monitoring and Auditing: Regular tracking and log auditing.
3.6 Accountability
Abia SME Bank is accountable for complying with data protection laws and regulations and demonstrates compliance through appropriate measures.
- 3.6.1 Data Protection Officer (DPO): Appointed Data Protection Officer.
- 3.6.2 Data Protection Policies: Comprehensive procedures governing data processing.
- 3.6.3 Data Protection Impact Assessments (DPIAs): Conducted for high risk activities.
- 3.6.4 Record-Keeping: Maintained for transparency.
- 3.6.5 Training and Awareness Program: Regular training schedules.
- 3.6.6 Compliance Monitoring and Auditing: Internal audits and control effectiveness.
- 3.6.7 Regular Engagement: Working with regulatory bodies proactively.
- 3.6.8 Continuous Improvement: Constantly reviewing policies.
4. Data Collection and Processing
Abia SME Bank is committed to ensuring that personal data is collected and processed lawfully, fairly, and transparently. We make sure that our data collection and processing practices are consistent with the applicable laws, regulations, and industry standards.
- 4.2.1 Lawfulness, Fairness and Transparency: Adherence to regulatory standards.
- 4.2.2 Purpose Limitation: Specific actions bounded by user consent where needed.
- 4.2.3 Data Minimisation: Limiting excess data gathering.
- 4.2.4 Accuracy: Reconfirmation of customer data regularly.
- 4.2.5 Storage Limitation: Strict timelines and removal pipelines.
- 4.2.6 Integrity and Confidentiality: Encryption and safe technical implementations.
5. Data Security
Abia SME Bank implements appropriate technical and organizational measures to ensure the security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Measures include encryption, access controls, regular data backups, and employee training on data protection best practices.
6. Data Subject Rights
Abia SME Bank respects the rights of data subjects, including the right to access, rectify, erase, restrict processing, and object to the processing of their personal data. Data subjects may exercise their rights by contacting Abia SME Bank's Data Protection Officer (DPO).
- 6.1 Right to Access: Can request visibility of processed data.
- 6.2 Right to Rectification: Can request correction of incorrect items.
- 6.3 Right to Restrict Processing: Where the accuracy of the data is contested, the data subject may request that processing be restricted.
- 6.4 Right to Object to Processing: Direct marketing opt-out protections.
7. Data Breach Management
Abia SME Bank has procedures in place to detect, investigate, and respond to data breaches in accordance with applicable laws and regulations. The breach management process covers discovery, mitigation, notification, communication, and retrospective review, and affected data subjects will be notified.
8. Data Protection Officer
Abia SME Bank has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with this policy and applicable data protection laws and regulations.
9. Compliance Monitoring and Review
Abia SME Bank shall regularly monitor compliance with this Data Protection Policy and review its effectiveness to ensure ongoing compliance with applicable data protection laws and regulations. Updates and revisions will be made as necessary.
10. Training and Awareness
Abia SME Bank provides training and awareness programs to employees, contractors, and third parties involved in the processing of personal data.
11. Policy Adoption and Communication
This Data Protection Policy is adopted by Abia SME Bank's management and communicated to all employees, contractors, and relevant stakeholders. It is publicly available on Abia SME Bank's website and accessible to data subjects upon request.
12. Contact Information
For inquiries or concerns regarding the processing of personal data by Abia SME Bank, data subjects may contact the Data Protection Officer (DPO).
Version 1.0: January 2025.