Sciart Finance

Privacy Policy

1. PURPOSE
This Data Protection Policy sets out how The Sciart Finance Company Limited (“Sciart”) collects, uses,
stores, shares, and protects personal data in line with applicable laws and our commitment to privacy.
It is designed to ensure that:
• Personal data is handled responsibly and lawfully.
• Customers, employees, and partners understand their rights and obligations.
• Sciart complies with the Nigeria Data Protection Regulation (NDPR 2019), relevant international
standards, and internal policies.
This policy applies to:
• All staff, contractors, and agents of Sciart who handle personal data.
• All personal data collected and processed by Sciart in the course of business.
• All systems, digital platforms, and processes that involve personal data, whether operated
internally or by third parties on Sciart’s behalf.
 
2. REGULATORY AND POLICY ALIGNMENT
This policy aligns with the following laws, regulations, and internal policies to ensure that Sciart protects
personal data consistently and lawfully:
 
2.1. Applicable Laws and Standards
• Nigeria Data Protection Regulation (NDPR), 2019
• NITDA Data Protection Guidance Note
• Central Bank of Nigeria (CBN) Guidelines on data handling, cybersecurity, and financial consumer
protection.
• Nigeria Cybercrimes (Prohibition, Prevention, etc.) Act, 2015
• ISO/IEC 27701:2019 – Privacy Information Management Standard
• ISO/IEC 27001:2022 – Information Security Management System (ISMS)
 
2.2. Internal Policies and Frameworks
This policy should be read in conjunction with the following approved internal policies:
• Know Your Customer (KYC) Policy
• Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) Policy
• Compliance Policy
• Whistleblowing Policy
• Conflict of Interest Policy
• Treasury Systems SOP
• FINCON SOP
• Business Continuity Management Framework (BCMF)
• Code of Conduct and Ethics (Staff and Directors)
• Information Security Policy.
These documents collectively define Sciart’s approach to ethical, legal, and secure data handling across all
areas of the business.
 
3. DEFINITIONS
For the purpose of this policy:
• Personal Data: Any information that can identify an individual, directly or indirectly — such as
name, phone number, ID number, address, or online identifier (e.g., IP address).
• Sensitive Personal Data: Includes health records, biometric data, financial data, or any
information that requires extra protection under law.
• Data Subject: The person whose personal data is being collected or processed — typically a
customer, staff member, vendor, or other individual.
• Processing: Any operation performed on personal data — including collection, storage, use,
sharing, transfer, or deletion.
• Consent: Clear and informed agreement by a data subject to allow the processing of their
personal data.
• Data Controller: Sciart — the party that determines why and how personal data is processed.
• Data Processor: Any third party or partner who processes personal data on behalf of Sciart.
• Data Protection Officer (DPO): The staff member responsible for overseeing Sciart’s compliance
with data protection laws and this policy.
• NDPR: Nigeria Data Protection Regulation, 2019 — the primary law governing personal data
protection in Nigeria.
• DPCO: Data Protection Compliance Organisation — a licensed firm that conducts data protection
audits and submits reports to NITDA.
• NITDA: National Information Technology Development Agency — the regulatory authority
responsible for enforcing the NDPR.
 
4. ROLES AND RESPONSIBILITIES
Everyone at Sciart has a role to play in protecting personal data. The responsibilities below ensure
accountability across all levels of the organization.
 
4.1. Board of Directors
• Approves this policy and any material updates.
• Appoints the Data Protection Officer (DPO).
• Oversees management’s efforts to comply with data protection laws.
• Receives regular reports on data protection risks and breaches.
 
4.2. Executive Management
• Implements this policy and ensures it is embedded in all operations.
• Allocates resources to support data protection efforts.
• Supports internal training and awareness across departments.
• Ensures relevant third parties and service providers comply with privacy standards.
 
4.3. Data Protection Officer (DPO)
• Leads Sciart’s compliance with NDPR and related regulations.
• Provides advice and guidance on data protection matters.
• Coordinates staff training and awareness.
• Serves as the contact point with NITDA and the designated DPCO.
• Monitors audits, impact assessments, and breach response actions.
• Reports data protection risks and incidents to Executive Management and the Board.
 
4.4. Heads of Department
• Ensure data handling in their departments complies with this policy.
• Support the DPO in implementing controls and training.
• Flag any data protection risks or incidents promptly.
 
4.5. All Staff
• Handle personal data with care and only as required for their roles.
• Follow this policy and related procedures.
• Report data breaches or suspected violations immediately to the DPO.
• Consequences of Non-Compliance: Any failure to comply with this policy, whether through
negligence, wilful disregard, or repeated violations, may result in disciplinary action in accordance
with the Company’s Code of Conduct, Staff Handbook, and applicable HR policies. In serious
cases, such action may include suspension, demotion, or termination of employment or
contract.
 
5. DATA PROTECTION PRINCIPLES
Sciart processes personal data in line with the principles set out in the Nigeria Data Protection Regulation
(NDPR). These principles guide all data handling activities across the company:
 
i. Lawfulness, Fairness, and Transparency: We process personal data only when there is a legal
basis to do so. We are open and honest with individuals about how their data is used.
ii. Purpose Limitation: We collect and use personal data only for specific, clear, and lawful
purposes. We do not use data for any other reason without the data subject’s consent or legal
justification.
iii. Data Minimization: We collect only the data we need. We avoid collecting or storing excess
information that is not necessary for the intended purpose.
iv. Accuracy: We make sure the personal data we hold is accurate and up to date. Individuals can
request corrections at any time.
v. Storage Limitation: We keep personal data only for as long as needed to fulfil the purpose for
which it was collected, unless the law requires a longer retention period.
vi. Integrity and Confidentiality (Security): We protect personal data from unauthorized access,
use, loss, or damage using appropriate technical and organizational measures.
vii. Accountability: We take responsibility for how we handle personal data and maintain records
to show compliance with this policy and applicable regulations.
 
6. LAWFUL BASIS FOR PROCESSING
Sciart only processes personal data when there is a valid legal reason to do so, in line with the NDPR. We
rely on one or more of the following lawful bases:
i. Consent: We collect and use personal data with the clear and informed consent of the data
subject, especially for marketing, optional services, and certain third-party data sharing.
ii. Contractual Necessity: We process personal data as needed to enter into or carry out a
contract; for example, to open an account, deliver services, or respond to instructions from
the data subject.
iii. Legal Obligation: We process data when required by law, including obligations to regulators,
tax authorities, law enforcement, or court orders.
iv. Vital Interests: In rare cases, we may process personal data to protect someone’s life or
safety; for example, during a medical emergency.
v. Public Interest: We may process personal data if required for public interest reasons under
Nigerian law or to carry out a task authorized by law.
vi. Legitimate Interests: We may process personal data when it is necessary for Sciart’s
legitimate business needs, such as risk management, fraud prevention, or internal reporting,
provided it does not override the rights and freedoms of the data subject.
 
7. CONSENT MANAGEMENT
Consent is a key part of Sciart’s data protection approach. We ensure that consent is obtained, managed,
and respected in line with regulatory requirements.
 
7.1. How We Obtain Consent
• We request consent in a clear, plain-language format — separate from other terms and
conditions.
• Consent is always freely given, specific, informed, and unambiguous.
• For digital platforms, consent is collected through affirmative actions (e.g., checking a box or
clicking “I agree”).
 
7.2. When Consent is Required
We seek consent before:
• Collecting personal data not necessary for a contract or legal obligation.
• Sending marketing messages or promotional content.
• Sharing personal data with third parties not involved in service delivery.
• Processing sensitive personal data (e.g. health, biometrics).
 
7.3. Withdrawing Consent
• Data subjects may withdraw their consent at any time by contacting us at
dataprotection@sciartfinance.com.
• We will stop processing the data unless there is a lawful reason to continue (e.g., legal obligation
or overriding legitimate interest).
• We will explain the impact of withdrawal, especially if it affects service delivery.
 
7.4. Keeping a Record of Consent
Sciart maintains a secure, auditable record of:
• When consent was given
• What the individual was told
• How the consent was given (e.g., form, email, online)
• Any withdrawal of consent
 
8. DATA SUBJECT RIGHTS
At Sciart, we respect and uphold the rights of individuals (data subjects) whose personal data we collect
and process. These rights are protected under the Nigeria Data Protection Regulation (NDPR).
Data subjects may exercise any of the rights below by sending a request to
dataprotection@sciartfinance.com.
 
i. Right to Access: You have the right to request and receive a copy of the personal data we hold
about you, along with an explanation of how it is used.
ii. Right to Rectification: You can ask us to correct or update inaccurate or incomplete personal
information.
iii. Right to Withdraw Consent: Where we rely on your consent to process your data, you may
withdraw it at any time. We will inform you if the withdrawal affects any service.
iv. Right to Object: You can object to the use of your personal data for direct marketing or other
uses based on our legitimate interests.
v. Right to Restrict Processing: You may request that we restrict the use of your personal data;
for example, while a correction or objection is being reviewed.
vi. Right to Data Portability: You may request that we send your personal data to you or another
organization in a structured, machine-readable format, where feasible.
vii. Right to Erasure (Right to be Forgotten): In certain cases, you can ask us to delete your
personal data, especially where it is no longer needed or consent has been withdrawn.
viii. Right to Lodge a Complaint: You have the right to file a complaint with the National Information
Technology Development Agency (NITDA) or another relevant authority if you believe your
rights have been violated.
 
9. DATA COLLECTION AND USE
Sciart only collects personal data when there is a clear and lawful reason to do so. We ensure that the
information we collect is relevant, necessary, and used responsibly.
 
9.1. Why We Collect Personal Data
We collect personal data for the following purposes:
• To verify identity and address
• To process customer applications and instructions
• To provide and manage our financial products and services
• To meet legal and regulatory requirements (e.g., KYC, AML)
• To assess creditworthiness and manage risk
• To protect Sciart from fraud and misuse
• To improve customer experience and develop new services
• To communicate with customers, including marketing (with consent)
• To manage staff and employment processes
 
9.2. Types of Personal Data We May Collect
Depending on the purpose, we may collect:
• Identification: Name, date of birth, ID numbers, photo, signature
• Contact: Address, phone number, email
• Demographic: Gender, marital status, nationality
• Financial: Income sources, account activity, credit history
• Employment: Employer name, job title, work address and history
• Family: Next of kin, spouse and dependents (where required)
• Device and usage: IP address, mobile device ID, online activity
• Biometric or health information: If required for specific services and with consent
 
9.3. How We Collect Data
We may collect data:
• Directly from you through forms, applications, emails, or digital channels
• From third parties such as credit bureaus, regulators, employers, or references
• From publicly available sources
• Through your use of our websites, apps, or digital platforms
We do not collect more information than we need, and we never collect sensitive data without clear
justification and consent.
 
10. CHILDREN’S DATA
Sciart is committed to protecting the privacy of children and young persons.
 
i. Minimum Age for Data Collection: We do not knowingly collect personal data from anyone
under the age of 18, unless such information is provided by a parent or legal guardian.
ii. Parental Consent Required: Where services involve minors (e.g., in joint accounts,
guardianship, or scholarship-related products), we require documented consent from a parent
or guardian before collecting or using the child’s data.
iii. Right to Erasure: If we discover that we have collected personal data from a child without
appropriate consent, we will take immediate steps to delete the information from our systems.
 
11. AUTOMATED DECISION-MAKING
Sciart may use automated systems to support some of its processes — especially for efficiency, risk
control, and consistent service delivery.
 
11.1. Where We Use Automation
Automated processing may be used in areas such as:
• Credit scoring and loan approvals
• Fraud detection and transaction monitoring
• KYC and risk classification
• Customer profiling for service personalization
 
11.2. Your Rights
If a decision that significantly affects you is made solely through automated means, you have the right to:
• Request human intervention or review
• Express your point of view
• Contest the decision
To exercise this right, please contact dataprotection@sciartfinance.com.
 
11.3. Safeguards in Place
We ensure that all automated decisions are:
• Based on lawful processing grounds
• Fair, transparent, and regularly reviewed for accuracy
• Supported by secure systems and monitored by trained staff.
 
12. DATA SHARING AND THIRD-PARTY DISCLOSURES
Sciart does not sell personal data. We only share personal data when it is lawful, necessary, and protected
by appropriate safeguards.
 
12.1. When We Share Personal Data
We may share data with third parties under the following conditions:
• With your consent
• To fulfil our contractual obligations to you
• To comply with legal or regulatory requirements
• To protect Sciart’s legitimate interests (e.g. fraud prevention or legal claims).
 
12.2. Who We May Share With
Personal data may be shared with:
• Sciart staff and departments that need access to perform their duties
• Regulators (e.g., CBN, NITDA, NDIC), law enforcement, or tax authorities
• Credit bureaus and risk assessment agencies
• Auditors, legal advisers, and external consultants
• Payment processors, cloud service providers, and core banking vendors
• Debt recovery firms or insurance partners, where applicable
• Third-party partners helping us deliver services (e.g., digital platforms, logistics, outsourced
processors).
 
12.3. How We Protect Shared Data
We ensure all third parties:
• Sign appropriate data protection agreements
• Are vetted for security, legal, and reputational risk
• Follow clear instructions and comply with our privacy standards
• Do not use the data for any purpose other than what is agreed
Sciart remains accountable for how third-party service providers handle personal data shared with
them.
 
13. CROSS-BORDER DATA TRANSFERS
Sciart may transfer personal data to other countries in the course of its operations — for example, when
using cloud platforms or external service providers based outside Nigeria.
We ensure that such transfers are lawful, secure, and respectful of your privacy.
 
13.1. When We Transfer Data Abroad
Data may be transferred outside Nigeria when:
• It is necessary to deliver a service or process a transaction
• It is required by law or regulation
• You have given explicit consent
• It is in the vital or public interest (e.g., fraud response, international legal requests)
 
13.2. Countries with Adequate Protection
We only transfer data to countries that:
• Are on the NITDA whitelist of jurisdictions with adequate data protection laws, or
• Have signed agreements with Sciart guaranteeing equivalent safeguards
 
13.3. Transfers to Non-Whitelisted Countries
If data must be sent to a country not on the NITDA whitelist, we will:
• Obtain prior approval from NITDA and the Office of the Attorney General of the Federation
• Ensure protective measures are in place (e.g., Standard Contractual Clauses or binding
agreements)
• Inform affected individuals where appropriate
 
13.4. Your Rights Remain Protected
Regardless of where your data is processed, we take steps to ensure it receives the same level of
protection as required under Nigerian law.
 
14. DATA SECURITY MEASURES
At Sciart, we take data security seriously. We apply strong safeguards — technical and organizational —
to protect personal data from loss, misuse, unauthorized access, or disclosure.
 
14.1. Physical and Operational Controls
We secure data through:
• Controlled office access and visitor logs
• Locked storage for physical files
• Restricted access to sensitive areas
 
14.2. Technical Safeguards
We protect digital data using:
• Encryption (at rest and in transit)
• Firewalls and anti-malware systems
• Two-factor authentication (2FA) and strong password protocols
• Role-based access controls across systems
• Secure backup and disaster recovery systems
 
14.3. User Awareness and Behaviour
We train employees to:
• Recognize and report phishing and data risks
• Handle personal data responsibly in their roles
• Avoid sharing passwords or sensitive data unnecessarily
• Follow approved device and email usage guidelines
 
14.4. Third-Party and System Safeguards
We require service providers and software vendors to:
• Comply with Sciart’s security and privacy standards
• Sign data processing or confidentiality agreements
• Undergo risk and access reviews periodically
 
14.5. Shared Responsibility
Employees and users of our platforms are responsible for protecting their credentials — including
PINs, passwords, tokens, and any access devices issued.
 
15. DATA RETENTION AND DISPOSAL
Sciart retains personal data only for as long as necessary to meet legal, regulatory, and business needs.
When data is no longer required, we dispose of it securely.
 
15.1. How Long We Keep Data
We retain personal data based on:
• Legal and regulatory requirements (e.g., CBN, NDPR, tax laws)
• The nature of the product or service provided
• Risk management and audit requirements
• Ongoing business or contractual needs
A data retention schedule will guide how long different types of data are kept. This schedule is
maintained by the Data Protection Officer and reviewed annually.
 
15.2. Secure Disposal of Data
When data is no longer needed, we ensure it is destroyed in a way that prevents recovery or misuse.
This includes:
• Shredding of physical records
• Permanent deletion of electronic files
• Use of secure wiping or data destruction tools
• Ensuring vendors handling disposal comply with our security standards
 
15.3. Monitoring and Review
We review retention practices regularly and update controls where needed. All departments must
follow the retention and disposal guidelines relevant to their functions.
 
16. DATA BREACH NOTIFICATION AND RESPONSE
Despite our best efforts, data breaches can occur. Sciart has procedures in place to detect, investigate,
contain, and report personal data breaches quickly and effectively.
 
16.1. What is a Data Breach?
A data breach is any confirmed or suspected incident that results in:
• Unauthorized access to personal data
• Loss, theft, or destruction of personal data
• Disclosure of personal data to an unauthorized party
• Accidental or unlawful alteration of data
 
16.2. Immediate Actions
If a breach is suspected or confirmed:
• Staff must immediately report it to the Data Protection Officer (DPO)
• The DPO will lead an investigation to assess the nature, scope, and impact
 
16.3. Breach Response Steps
• Confirm and document the breach
• Contain the breach and prevent further exposure
• Assess risks to affected individuals and systems
• Notify senior management and relevant units
• Report the breach to NITDA (within 72 hours, if required)
• Inform affected individuals if their rights or freedoms are at risk
• Implement corrective actions to prevent recurrence
 
16.4. Internal Roles
The DPO coordinates breach response across:
• Technology and Systems teams
• Legal and Compliance
• Affected business units
 
16.5. Documentation
All breaches, confirmed or suspected, are logged in Sciart’s Breach Register, including details of
actions taken, outcomes, and lessons learned.
 
17. DATA PROTECTION IMPACT ASSESSMENTS (DPIAs)
Sciart conducts Data Protection Impact Assessments (DPIAs) to evaluate and manage privacy risks when
introducing new products, technologies, or processes that involve personal data.
 
17.1. When a DPIA is Required
A DPIA is mandatory for:
• New projects involving large-scale or sensitive personal data
• Use of automated decision-making or profiling tools
• Introduction of new digital systems that collect customer data
• High-risk data sharing with third parties or across borders
What Constitutes High-Risk Processing
For the purposes of this policy, “high-risk” processing refers to activities that:
– Involve processing of sensitive personal data (e.g., biometrics, health, financial history)
– Affect a large number of individuals (typically 1,000+ data subjects)
– Include systematic monitoring or profiling of individuals
– Introduce new technologies that significantly alter the nature of data use
These thresholds are guided by NDPR expectations and Sciart’s internal risk assessment
matrix.
 
17.2. What a DPIA Covers
A DPIA includes:
• The nature, scope, and purpose of the data processing
• Assessment of risks to data subjects’ rights and freedoms
• Measures to mitigate identified risks
• Legal basis for the processing
• Consultation with the DPO and, if necessary, external advisors
 
17.3. Who is Responsible
• Project owners must engage the Data Protection Officer early in the planning process
• The DPO leads the DPIA process and reviews all assessments for adequacy
• Executive Management must approve mitigation measures before rollout
 
17.4. Record Keeping
All DPIAs are documented and stored in a central registry maintained by the DPO and may be
reviewed by regulators upon request.
 
18. DATA PROTECTION TRAINING AND AWARENESS
At Sciart, we believe that strong data protection begins with informed people. We provide regular training
and awareness programs to ensure staff understand their responsibilities.
 
18.1. Who Receives Training
• All new employees during onboarding
• All staff annually as part of mandatory refresher training
• Targeted teams (e.g., Operations, IT, Compliance, Sales) receive enhanced or role-specific
sessions
 
18.2. What Training Covers
• The core principles of data protection
• How to identify and handle personal data
• Recognizing data breaches and responding appropriately
• Safe use of systems, email, and digital tools
• Confidentiality and acceptable use policies
• Real-life examples of risks and controls
 
18.3. Delivery Channels
Training may be delivered via:
• In-person workshops or onboarding sessions
• E-learning modules through Sciart’s Training Hub
• Periodic awareness campaigns (e.g., posters, reminders, quizzes)
• Live demos or brown-bag sessions for high-risk departments
 
18.4. Tracking and Compliance
• Participation in training is monitored and logged
• Completion is required for continued access to systems
• Non-compliance is escalated to the relevant department head or HR
 
19. DATA PROTECTION AUDITS AND MONITORING
Sciart regularly reviews its data protection practices to ensure compliance, identify gaps, and strengthen
controls.
 
19.1. Annual NDPR Audit
In line with the NDPR, Sciart:
• Engages a licensed Data Protection Compliance Organisation (DPCO) to conduct an
independent audit annually
• Submits the certified audit report to NITDA within the required timeframe
• Reviews findings with Executive Management and the Board, and implements corrective actions
 
19.2. Internal Monitoring
The Data Protection Officer (DPO) oversees ongoing compliance by:
• Reviewing high-risk processes and departments
• Spot-checking data access and usage logs
• Ensuring corrective actions are completed after incidents or audits
• Updating policies and procedures as needed
 
19.3. Third-Party Monitoring
Where third parties process data on behalf of Sciart:
• They are subject to compliance reviews and monitoring
• Audit rights are included in contracts where appropriate
• Serious non-compliance may result in suspension or termination of engagement
 
19.4. Continuous Improvement
Insights from audits and monitoring are used to:
• Enhance staff training
• Update controls and systems
• Refine risk assessments and mitigation plans
 
20. USE OF COOKIES AND TRACKING TECHNOLOGIES
Sciart uses cookies and similar tracking technologies to improve your experience when you use our
websites, apps, and online platforms.
 
20.1. What are Cookies?
Cookies are small data files stored on your device when you visit a website. They help websites
remember your preferences, login details, and browsing behaviour.
 
20.2. Why We Use Cookies
We use cookies to:
• Enable essential website functions (e.g., login, navigation)
• Remember user preferences (e.g., language settings)
• Analyse website traffic and performance
• Improve content and user experience
• Detect and prevent fraud or misuse
 
20.3. Types of Cookies We May Use
• Strictly Necessary Cookies: Required for our website to function properly
• Performance Cookies: Help us understand how visitors use our site
• Functionality Cookies: Remember your preferences for convenience
• Targeting Cookies: Used for delivering relevant advertisements (only with consent)
 
20.4. Managing Your Cookie Preferences
• You can control or delete cookies through your browser settings
• Some cookies are essential and may affect functionality if disabled
• For marketing or non-essential cookies, we will request your consent before enabling them
 
20.5. Third-Party Cookies
Some third-party services (e.g., analytics, advertising tools) may place cookies when you interact
with our website. These are governed by their own privacy and cookie policies.
 
21. REVIEW AND UPDATE OF THE POLICY
Sciart reviews this Data Protection Policy regularly to ensure it remains effective, accurate, and aligned
with current laws, regulations, and operational realities.
 
21.1. Review Frequency
• The policy is reviewed at least once a year
• Interim reviews may occur if there are:
– Changes in data protection laws or guidance
– Introduction of new systems or services
– Major incidents or audit findings
 
21.2. Responsibility
• The Data Protection Officer (DPO) is responsible for initiating and coordinating the review
process
• Updates are reviewed by Executive Management and approved by the Board of Directors
 
21.3. Communication of Updates
Any updates to this policy will be:
– Communicated to staff through internal channels
– Shared with relevant third parties as needed
– Published on Sciart’s website for transparency

At Sciart Finance, our culture is defined by rhythm, not rigidity.
We work fast, think boldly, and remain grounded in service.


Trocadero Square, The Rock Drive, Lekki Peninsula Phase 1, Lagos State, Nigeria