In accordance with the obligations bestowed on Data Controllers and Data Processors under the NDPR, this policy provides an overview of how TAJBank Limited ("we") process personal data we hold about individuals ("you"). Obtaining your information is imperative for our delivery of the highest level of service to you, but we are also always committed to safeguarding the privacy of your personal data. Additionally, this policy outlines the rights available to you under the NDPR.
What constitutes your consent?
Who is legally responsible for handling your personal data and who can you contact about this subject?
According to the NDPR, this responsibility rests upon the “Data Controller”, namely:
Plot 72 Ahmadu Bello Way
Central Business District,
Abuja
Tel: +234-908-723-4421
If you have any general questions or concerns about this Policy or how we process your personal data, kindly contact our internal Data Protection Officer via the contact details above or this email address: Informationsecurity@tajbank.com
What personal data do we process and how do we obtain it?
Typically, we will hold data about you that is relevant to the business relationship we have with you and how you interact with us. We will directly obtain some of this information from you. We also process personal data from third parties, which may include your employer, financial institutions, publicly available sources (e.g. the press, registers of companies or assets, websites) and from providers of business-risk screening services, such as credit reference agencies, anti-fraud databases and sanctions lists.
Generally, we may process the following types of personal data:
- KYC (Know Your Customer) records, such as name, contact information, employment details, ID details, date and place of birth, source of wealth, relationships with public officials, criminal record.
- Records relating to our business relationship and relevant services, such as data derived from your usage of our IT platforms (website and mobile apps), from recorded telephone calls, from emails received from you and from your engagement with our marketing activities.
- Financial information, such as creditworthiness, bank account details, specimen signature, income, investments, assets and liabilities.
- Information from our social media sites, through your engagement with us on Facebook, Instagram, LinkedIn and Twitter. This includes your replies to our posts, your comments, enquiries and support messages. However, we will only ask for information required to help us be of service to you.
- Information relating to your job application with us, such as your education and employment history. As part of your application, you will be asked to provide your express consent to our use of this information to assess your application and any monitoring activities which may be required of us under applicable laws as an employer.
We may also carry out screening checks (reference, background and criminal record checks).
We may exchange your Personal Data with academic institutions, recruiters, health maintenance organisations, law enforcement agencies, referees and your previous employers. Without your Personal Data, we may not be able to process your application for positions with us.
Why do we collect your personal data?
We collect your personal data in order to facilitate and manage our relationship with you. Specifically, we may collect your personal data for the following purposes:
- For the performance of a contract:
In order for you to open and maintain an account with us, and have access to our products and services, we will need to process your personal data. We may also need to process your personal data to take steps at your request prior to entering a contract.
- For compliance with a legal obligation or acting in the public interest:
As a bank, we are subject to a number of statutory and regulatory obligations that may require us to collect, store or disclose personal data, such as for anti-money laundering purposes or to respond to investigations or disclosure orders from law enforcement agencies, our regulators, and tax or other public authorities.
- For the purposes of legitimate interests:
Where necessary, we will process your personal data to serve our legitimate interests or those of a third party. Such applicable cases include:
- Know Your Customer and creditworthiness checks
- Client and vendor relationship management
- Assessment, improvement and development of products and services
- Information security and building security, such as use of CCTV recording
- Managing the risks and optimising the efficiency of TAJBank operations
- Recording telephone calls and monitoring electronic communications for business and compliance purposes
- Prevention and detection of financial crime
- Evaluating, bringing or defending legal claims
- Assessment of proposed data subjects’ employability and other employee benefits-related purposes
- Marketing of our products and services. We will not send unsolicited marketing communications to you by SMS or email if you have not opted in to receive them. Additionally, you can withdraw your consent at any time and free of charge.
What are our collection methods?
We collect personal data through the following methods:
- Direct collection source:
- Know Your Customer (KYC) forms
- Complaint forms
- Enquiry forms
- Digital touch points
- Electronic means (emails, website and mobile apps)
- Employee engagement forms
- Third party data collection source:
- Individuals nominated and authorised by the data subject to engage us on his/her behalf
- Credit reference agencies
- Vendors engaged to conduct screening checks on newly employed staff before confirmation of appointment.
In the case of data obtained from a third-party source, a copy of your consent given to the third party to transfer your data to TAJBank shall suffice for our processing.
Record retention period?
Sharing your personal data
We may share information about you with a range of third parties for our business purposes or as permitted/required by law. Such third parties may include: credit reference agencies, background screening providers, financial institutions, funds, payment recipients, payment and settlement infrastructure providers, exchanges, regulators, law enforcement agencies, courts, public authorities, our service providers, professional advisors, auditors, insurers and potential purchasers of elements of our business. These third parties could be located outside Nigeria. We will only disclose information about you with your consent, in line with the NDPR and client confidentiality obligations.
Transferring your data to other countries
Where necessary, in line with the purposes described in section 4 above, information relating to you may be transferred to countries outside Nigeria i.e. third countries. However, if we use service providers in a third country, they will be obligated to apply the same level of protection to your data as would be necessary in Nigeria. We enforce this through the inclusion of standard data protection clauses in our agreements with them. More importantly, we will only transfer your personal data to a third country in a way that is permitted under the NDPR.
What are your rights?
Under the NDPR, you are entitled to the following rights:
- Access Request
You have the right to access personal data relating to you. This enables you to receive a copy of the personal data we hold about you in electronic form, unless you want a paper copy, which will attract a fee.
- Rectification Request
You have the right to ask us to correct your personal data if it is inaccurate and to have incomplete personal data updated without undue delay.
You have the right to ask us to erase your personal data if:
- Your personal data are no longer necessary for the purpose(s) they were collected for
- Your personal data have been unlawfully processed
- Your personal data must be erased to comply with a regulation
- You withdraw your consent for the processing of the personal data (and if this is the only basis on which we are processing your personal data)
- You object to processing that is based on our legitimate interests, provided there are no overriding legitimate grounds for continued processing, or
- You object to processing for direct marketing purposes.
If we have made the personal data concerned public, we will also take reasonable steps to inform other data controllers processing the data so they can seek to erase links to or copies of your personal data.
- You contest the accuracy of your personal data and we are in the process of verifying the Personal Data we hold
- The processing is unlawful, and you do not want us to erase your personal data
- We no longer need your personal data for the original purpose(s) of processing, but you need them to establish, exercise or defend legal claims and you do not want us to delete the Personal Data as a result, or
- You have objected to processing carried out because of our legitimate interests while we verify if our legitimate grounds override yours.
- Necessary to enter into a contract with you, or for the performance of your contract with us, or
- Permitted by regulations
To exercise any of these rights, please write to the Data Protection Officer via the contact details given in section 1 above.
How do we protect your personal data?
We maintain strict physical, electronic and procedural security measures designed to provide reasonable protection for your personal data in order to mitigate loss, misuse, damage or unauthorised access. The security measures include firewalls, physical access controls to our premises, CCTV cameras for public safety and quality control as well as information access authorisation controls. While we are dedicated to securing our systems and services, you are responsible for securing and maintaining the privacy of your password(s) and account/profile registration information and verifying that the personal data we maintain about you is accurate and up to date. We will inform you of any breaches which may affect your personal data.
Remedies for violation and timeframe for remedy
In the event of a violation of this policy, our Data Protection Officer shall within 7 days redress the violation. Where the violation pertains to the disclosure of your personal data without your consent, such information shall be retracted immediately, and confirmation of the retraction sent to you within 48 hours of the redress.