
Privacy Policy

INTRODUCTION

The Sciart Finance Company Limited (“Sciart”) is a Finance company licensed by the Central Bank of Nigeria (CBN) to provide a variety of financial services to individual and corporate customers. In providing such products and services to customers, we often receive personal information about our customers and their businesses. Sciart is aware of the importance of keeping personal information entrusted to it secure against theft, damage, leakage or any misuse, either knowingly or unknowingly, and in accordance with the Nigeria Data Protection Regulation (NDPR) guidelines and requirements. This document outlines the policies of Sciart guiding the collection, use, storage, transmission, destruction, and disclosure of collected information in compliance with Data Protection Regulation and Standards. It also serves to inform all stakeholders of their obligations and rights in this regard.

DEFINITION OF TERMS

  • “Personal Data” refers to any information, true or not, to which Sciart has access or is likely to have access, that can identify an individual, including but not limited to name, address, photo, email address, identification numbers, bank details, medical information, and unique identifiers such as MAC address, IP address, IMEI, IMSI, SIM, and PII.
  • “Personal Identifiable Information (PII)” means any information that when used alone or with other relevant data permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means;
  • “Data Subject” means any person, who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity;
  • “Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;
  • “Data” means characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or on any device;
  • “NDPR” means the Nigeria Data Protection Regulation, 2019;
  • “Our Products and Services” means any financial services provided by Sciart to its customers;
  • “Data Protection Officer or DPO” means the person appointed as such under the Data Protection Laws and in accordance with its requirements. A DPO is responsible for advising Sciart (including its employees) on their responsibilities under the Data Protection Laws, for monitoring compliance with Data Protection Law;
  • “Processing” refers to any actions taken on Personal Data, including collection, organization, storage, alteration, retrieval, use, disclosure, combination, restriction, erasure, or destruction, whether automated or not.

Roles and Responsibilities

Board of Directors

  • Understand, prioritize, and enumerate the policies needed to comply with data protection regime
  • Establishment of an appropriate governance model for oversight of management’s efforts in ensuring compliance with NDPR.
  • Timely review of Data Protection Policy document
  • Appointment of a Data Protection Officer

Executive Management

Implement policies, procedures, processes as laid down by the board and facilitate training of all staff to ensure they have required resources to carry out their respective roles in data protection.

Data Protection Officer

  • Ensure implementation of NDPR
  • Conduct regular assessments and audits to ensure compliance with NDPR.
  • Serve as liaison between Sciart and the NITDA
  • Training of Sciart employees on their obligations to ensure compliance with NDPR
  • Foster a security-aware culture within Sciart.

Staff

All staff have a responsibility to abide by Sciart data protection policies.

DATA PROTECTION PRINCIPLES

Sciart adopts NDPR prescribed principles regarding the processing of personal data. Our collection and use of personal data at Sciart is guided by the following principles.

Transparency, Fairness and lawfulness
At Sciart, we ensure that handling and processing of personal data is done on a lawful basis and in a fair and transparent manner. We must strive to provide our customers with peace of mind, knowing that their personal information is safe and secure in our hands.

Purpose Limitation
Sciart is committed to collecting and processing personal data for specific, clearly defined, and lawful purposes, for which we have obtained consent. We will not use or disclose personal information for any other purposes that are not in line with the original reason for which the data was obtained.

Data Minimization
Sciart minimizes the collection and usage of personal data to that which is relevant, adequate, and necessary for carrying out the purpose for which the data is processed. We will carefully evaluate the necessity of processing personal data and, when applicable, utilize anonymous data to minimize any potential impact on individuals' privacy.

Accuracy
Sciart will ensure the accuracy of personal data and enable it to be erased or corrected. Sciart will take active and ongoing measures to ensure that the personal data it holds is accurate and can be corrected if errors occur.

Storage Limitation
Sciart will keep personal data only for as long as necessary to achieve the purposes for which the data was collected.

Integrity and Confidentiality
Sciart is committed to ensuring the security, integrity and confidentiality of personal data through the use of technical and organizational measures. Only authorized employees will have access to personal data, and only for the specific tasks they need to perform. They are prohibited from using personal data for personal or commercial gain or disclosing it to unauthorized parties. Employees will be informed of their obligation to maintain personal data privacy at the start of their employment, and it will remain in force after their employment ends.

Accountability
Sciart takes responsibility for personal data collected and handled and ensures compliance with all the data protection principles. Any individual or employee who breaches the laid down Policy may be subject to internal disciplinary action (up to and including termination of their employment) and may also face civil or criminal liability if their action violates the law. When a potential breach has occurred, Sciart will investigate to determine whether an actual breach has occurred and will take the actions required to manage and investigate the breach, as follows:

  1. Validate the Personal Data breach.
  2. Ensure proper and impartial investigation (including digital forensics if necessary) is initiated, conducted, documented, and concluded.
  3. Identify remediation requirements and track resolution.
  4. Report findings to the top management.
  5. Coordinate with appropriate authorities as needed.
  6. Coordinate internal and external communications.
  7. Ensure that impacted Data Subjects are properly notified, if necessary.

 

CHILDREN’S DATA PRIVACY
Sciart will not knowingly collect personally identifiable information from anyone under the age of 18 except when such information is provided by a parent or legal guardian. Parents and guardians are advised of our Data Protection Policies accordingly. If we become aware that we have collected Personal Data from children without verification of parental consent, we will take steps to remove that information from our servers.

 

DATA COLLECTION AND USE
We will only collect and use your personal information where we have a lawful and reasonable basis. This may include obtaining information from third parties and public sources, such as credit reporting agencies and government bodies. Data collected will only be used for the following purposes:

  • Identity and address verification
  • Executing customer instructions
  • Offering and providing our products and services
  • Improving our products and services
  • Advertising our products and services
  • Enhancing customer experience
  • Complying with law and regulation
  • Fulfilling contractual obligations
  • Updating and enhancing our records
  • Protecting Sciart’s interest against any abuse or misuse of our services and products
  • Processing employment applications
  • Providing information to Credit bureaux
  • Managing our risks
  • Recovering any debts owed to us
  • Bespoke product development

 

Types of data we may collect include:

  • Personal details such as your name, gender, date, and place of birth
  • Contact details including address, phone number and e-mail
  • Identity information including employment ID, driver’s license or passport information, tax identification, national identification or bank verification number
  • Family information including information about parents, spouses, children and next of kin
  • Work Information including work address and phone number, current and previous job details
  • Financial information such as source(s) of income and annual income
  • Account information including information about the beneficial owner of the account or other parties that are directly or indirectly associated with the account and its activities
  • Other information that may be given to Sciart when filling specific forms or communicating with Sciart, whether face to face or by phone, e-mail, mobile or online banking applications or when answering any of our market research enquiries
  • Other information that we may need on customers or any other third party in order to provide a specific product or service, including but not limited to, health information or family information
  • Information that we have been asked or allowed to collect from other sources, such as other banks or third parties that you have dealt with or are still dealing with
  • The views or opinions of another individual about the Person.

 

AUTOMATED DATA PROCESSING
Sciart may sometimes use automated systems and software in the process of offering products and services to you, such as in making credit decisions or carrying out security checks. All automated processing is done under a lawful basis. You may contact us to request that automated processing be further reviewed by a human being if you detect any inaccuracies in your personal data.

 

DATA RETENTION & DISPOSAL
Sciart retains personal data in line with legal, regulatory, and internal policy guidelines solely for business and operational purposes.
Sciart protects Personal Information on secure servers, physical locations, and cloud infrastructure for providing seamless services and ensuring business continuity. Data may be transferred to globally accepted vendors’ data centers. Sciart ensures data is handled securely and in accordance with the privacy policy when transferred to other locations.
Personal data, a highly sensitive and valuable asset, must be securely and meticulously disposed of in strict compliance with the National Data Protection Regulation (NDPR) and the Secure Disposal Procedure. This is imperative to safeguard the rights and freedoms of the data subjects, ensuring that their personal information is not mishandled or misused in any way. The use of advanced technologies, such as encryption and secure deletion methods, is essential to ensure the complete and irretrievable destruction of the data, leaving no trace of it behind. Furthermore, it is crucial to implement regular reviews and audits of the disposal process to ensure that it remains up-to-date and effective in protecting the data subjects’ rights and privacy.

 

DATA DISCLOSURE
Sciart will not share or sell your personally identifiable data to anyone unless:

  • Consent has been obtained to share or disclose such personal information
  • It is required by law to share or disclose such information
  • It is necessary for the purpose of investigating, reporting and enforcing our rights where there has been a violation of our policies
  • Disclosure is required for audit purposes
  • Disclosure is reasonably necessary to enforce our terms and conditions or protect our operations or users.

Such information may only be shared with the following:

  • Sciart officers, employees, agents or directors in any jurisdiction.
  • Regulatory agencies, Government Agencies and any persons to whom disclosure is allowed or required by local or foreign law or regulation.
  • Professional advisers (including auditors), third party service providers, agents or independent contractors providing services to support Sciart’s business.
  • Our strategic partners/service providers – for the purpose of improving and providing our products and services to you.
  • A merchant or a member of a card association where the disclosure is in connection with use of a card
  • Your legal representative and their legal advisers, and a member of your immediate family upon your death or mental incapacity for the purpose of administration.
  • Any security provider or any person authorised to operate your account and to act on your behalf in giving instructions, to perform any other acts under our banking agreement or use any product.
  • Any debt collection agency, credit bureau or credit reference agency, rating agencies, correspondent and settlement banks, insurer or insurance, direct or indirect provider of credit protection and fraud prevention agencies.
  • Any financial institution to conduct credit checks, anti-money laundering related checks, for fraud prevention and detection of crime purposes.
  • Anyone we consider necessary to provide services in connection with a product.
  • Any individual or entity involved or potentially involved with any of our responsibilities related to any banking agreement, such as assignees, novatees, transferees (or any representative, employee, agent, or advisor of any of them), regardless of their location.
  • Any third-party acquirer or target in the event of a sale, acquisition, or merger.

 

DATA TRANSFER
Sciart will ensure the security of personal data when transferring it to foreign countries or organizations by implementing adequate measures and checking that the countries are on the NITDA whitelist of countries with proper data protection laws. If the intended recipient is not on the whitelist, Sciart will seek approval from NITDA and the Office of the Attorney General of the Federation before transferring the data.
Any transfer of personal data must be in accordance with the provisions of the Nigeria Data Protection Regulation, 2019 (NDPR) and as such happen only in the following cases.

  • Where consent of the Data Subject has been obtained;
  • Where the transfer is necessary for the performance of a contract between Sciart and the Data Subject or implementation of pre-contractual measures taken at the Data Subject’s request;
  • Where the transfer is necessary to conclude a contract between Sciart and a third party in the interest of the Data Subject;
  • Where the transfer is necessary for reason of public interest;
  • Where the transfer is for the establishment, exercise or defence of legal claims;
  • Where the transfer is necessary in order to protect the vital interests of the Data Subjects or other persons, where the Data Subject is physically or legally incapable of giving consent.

 

DATA SECURITY
Sciart takes appropriate technical and organizational measures to prevent the loss, unauthorized access, misuse, modification, or disclosure of information under our control. Our measures cover physical, technological and procedural safeguards including:

  • Encryption technology
  • Access controls to buildings, systems and records
  • Secure rooms and cabinets for file storage
  • Safely destroying or deleting records.
  • Training of employees who collect, access, and process confidential information to equip them with the necessary knowledge, skills and competence required to adhere to our privacy policies.
  • Enlightening customers not to share their passwords or other authentication details to our products and services with anyone.

We require all parties including our staff and third parties processing data on our behalf to comply with relevant policies and guidelines to ensure that the information is protected in use, when stored and during transmission.
Where access and use of our electronic platforms require authentication of the user, the user shall be responsible for the use and safety of their authentication credential(s) including but not limited to Username, Personal Identification Number (PIN) and/or Password, One Time Passwords (OTP) and Tokens.

 

DATA PROTECTION AUDIT
Sciart will conduct an annual data protection audit through a licensed Data Protection Compliance Organization (DPCO) to verify its compliance with the provisions of the NDPR and other applicable data protection laws.
The audit report will be certified and filed by the DPCO to NITDA as required under the NDPR.

 

USE OF COOKIES
Cookies are small data files sent from our websites or apps to your device’s hard drive or browser, where they are stored. They contain information that personalizes your experience on our websites or apps and can enhance your browsing experience. Cookies also identify your device, such as your computer or smartphone.
By using our websites or apps, you consent to the receipt of cookies from these sites or apps on your device. These cookies allow us to recognize when you have visited our sites or apps before and identify you. They may also be used to prevent fraud.

 

CONSENT
You will be considered to have accepted this privacy policy and given your consent when you do the following:

  • You use any product or service offered by Sciart.
  • You complete any forms or registers issued by Sciart via any medium
  • You access any service, content, features, technologies, or functions offered on any of our digital platforms.
  • You interact with us by sending any communication, request or complaint to Sciart.

We will ensure you understand and consent to any new ways in which your information is handled whenever we introduce any new products and services.

 

DATA SUBJECT’S RIGHTS
Data subjects have the following rights:

  • The right to make a written request for details of their personal information held by Sciart. They may exercise this right by sending an email to dataprotection@sciartfinance.com.
  • The right to have inaccurate or incomplete information held by Sciart about them rectified.
  • The right to withdraw consent at any time. Save where there is a legal or operational reason to continue with the processing of personal data, Sciart will immediately discontinue the processing of personal data upon receipt of a notice withdrawing consent. Such withdrawal may impact our ability to provide some products or services if your consent is mandatory for the execution of providing such services, and the same will be communicated to the data subject.
  • The right to object on reasonable grounds to the use of personal information (including the right to object to marketing).
  • The right to request that personal information is only used for restricted purposes.
  • The right to ask for the personal information that has been made available to Sciart to be transferred to the data subject or a third party in electronic formats.
  • The right to lodge a complaint with relevant regulatory authorities.

 

UPDATES ON DATA PROTECTION POLICY
We regularly review our policies, procedures, and processes to ensure proper management, protection, and processing of personal data.
We reserve the right to update this policy as needed to comply with legal, operational, and regulatory requirements. Any changes will be posted on our website, and we encourage you to check our website regularly to stay informed about our personal data protection policies.

The Sciart Finance Company Limited is a CBN licensed Finance company built for small and medium sized businesses who are currently underserved by the traditional finance sector.

Akinbayo Atere // Data Protection Officer

The Sciart Finance Company Limited 2023 © All rights reserved

Trocadero Square, The Rock Drive, Lekki Peninsula Phase 1, Lagos State, Nigeria