It is expected that this Data Protection Policy will be reviewed on an ongoing basis at least once every four calendar years, subject to market realties, significant change in operating environment and business re-focusing, to ensure that the overall approach to creating and managing data privacy risk exposure remains relevant and responsive to changes in the environment and the Bank’s corporate and business unit strategies.

The Management of the Bank in conjunction with the Board of Directors, sequel to any of its periodic or special reviews of this policy, may amend this policy. Amendments shall be made whenever, in the opinion of the board, changes in prevailing regulations, or the credit activities of the Bank require policy changes. 

Any amendment that is being made to this policy will be communicated by the Chief Risk Officer who also has the responsibility to enforce all the sections therein.

All conflicts in the interpretation of any section or clause in this policy shall be resolved by the Managing Director on the recommendations of Chief Risk Officer who will ensure that such resolutions are consistent with the principles and values of the company and do not increase risk profile.

The Data Protection Policy will be in the custody of the Chief Risk Officer. All participants in the Bank operations and  processes will have access to the electronic copy with “VIEW ONLY” option. This will be made available on the Bank’s policy portal. 

This Data Protection Policy guide is a confidential document of Edfin Microfinance Bank and shall therefore not be reproduced, copied in whole or part, to any other parties without the authorisation of the Managing Director.

The Nigeria Data Protection Act 2023 provides a legal framework for the protection of personal information and establishes the Nigeria Data Protection Commission (NDPC) for the regulation of the processing of personal information.

At Edfin Microfinance Bank, we are dedicated to protecting the privacy and providing the highest level of security at any point of interaction with our customers and stakeholders (vendors, employees, recruitment candidate etc). 

This Privacy Policy explains what information we collect, how we collect, share, use, and protect, store, and retain your personal information when you visit or use our site and other services offered by Edfin Microfinance Bank. 

You are also informed of your rights regarding the information we process and how you can contact us. By continuing to visit our websites (www.edfinmfb.com) while using any of our digital or mobile platforms/services, our Mobile Banking App, mobile authentication service when communicating with us through any of our social media or other interactive channels or any other engagement with us (“Services”), you accept and consent to the practices described in this policy.

Personal information refers to data that could identify a specific individual such as names, addresses, e-mail addresses, and telephone numbers. Depending on the medium of interaction with Edfin MFB, we collect various types of information fas described below.

· Personal/Contact details (name, date of birth, passport information or other identification information phone number, email address, postal address, or mobile number), Biometric information (fingerprints, facial recognition, or voice recognition) or Information about your family and social circumstances (such as dependents, marital status, next of kin and contact details) will be collected on the bank mobile banking applications, social media, calls, SMS or interactions with our Relationship Officers during account opening or account update.

· Transactional details will be requested when payment is made or when payment-related complaints are made. Also, visual images and personal appearance (such as copies of passports or CCTV images) will be requested for when there is a complaint made against the bank’s application or services rendered.

· Medical information (results of urine, blood, and X-ray analysis), Education and employment information will be requested from new staff during the onboarding process.

· Financial information (bank account number, debit card numbers, financial history) including information you provide to deliver payment initiation services and account information services regarding accounts you hold with other providers.

Edfin MFB personnel or any third party acting on its behalf shall only process your personal data if at least one of these conditions are met:

i. Consent: this refers to any freely given, specific, informed, and unambiguous indication through a statement or a clear affirmative action that signifies your agreement to the processing of your Personal Data by Edfin MFB. Edfin MFB does not intend to seek consent that may engender direct or indirect propagation of atrocities, hate, criminal acts, and anti-social conducts.

ii. Contract: processing is necessary for the performance of a contract or entering a contract at your request.

iii. Legal obligation: processing is necessary for compliance with a legal obligation to which Edfin MFB is subject.

iv. Vital interest: processing is necessary to protect the  vital interests or those of another natural person.

v. Public interest: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Edfin MFB.

Edfin MFB personnel or any third party acting on its behalf shall only process personal data if at least one of these conditions are met: To the extent permissible under applicable` law, Edfin may use the information for the following legitimate actions:

· Providing and operating the products and services requested.

· For other related purposes which may include updating and enhancing Edfin MFB records, understanding the financial needs, conducting credit checks, reviewing credit worthiness, and assisting other financial institutions to conduct credit checks.

· Identifying and informing clients about other products or services that Edfin think may be tailored to suit the clients’ interest.

· Reviewing credit or loan eligibility

· For crime/fraud prevention and debt collection purposes

· To plan, conduct and monitor Edfin’s business.

· For improving the design and marketing of our range of services and related products for the  customer usage.

· Compare information for accuracy and verify it with third parties/publicly available information.

· Manage Edfin relationship with the clients.

· To monitor, carry out statistical analysis and benchmarking to identify potential markets and trends, evaluate and improve our business.

· Monitor activities at our facilities, including compliance with applicable policies.

· To comply with and enforce applicable legal and regulatory requirements, relevant industry standards, contractual obligations, and our policies.

Without the clients’ personal information, we may not be able to provide or continue to provide clients with the products or services that are needed.

Personal data collected by Edfin MFB may be transferred among the various departments (with personnel who have business need to know). Other than to those individuals and entities listed below, clients’ details will not be revealed by Edfin MFB to any external body unless has the client’s permission or is under either a legal obligation or Edfin MFB any other duty to do so. For the purposes detailed above, the clients’ information may be disclosed to:

§ Any regulatory, supervisory, governmental, or quasi-governmental authority with jurisdiction over Edfin MFB members.

§ Any agent, contractor or third-party service provider, professional adviser, or any other person under a duty of confidentiality to the Edfin MFB.

§ Credit reference agencies and, in the event of default, debt collection agencies.

§ Any actual or potential participant or sub-participant in, assignee, novate or transferee of any of the Edfin MFB rights and/or obligations in relation to you.

§ Any financial institution with which Edfin MFB has or proposes to have dealings.

The above disclosures may require the transfer of clients’ information to parties located in countries that do not offer the same level of data protection as your home country. However, Edfin MFB will ensure that the parties to whom clients’ details are transferred treat the information securely and confidentially by implementing appropriate organizational and technical measures have been implemented to keep your Personal Information/Data confidential and secure. This includes the use of encryption, firewalls physical and environmental access controls, adequate authentication and authorization access controls and other forms of security to ensure that your data is protected.

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a foreign country or to an international organization shall take place subject to the other provisions of this Regulation and the supervision of the Attorney General of the Federation.

EXCEPTIONS IN RESPECT OF TRANSFER TO A FOREIGN COUNTRY

In the absence of any decision by the Agency or Attorney General of Federation as to the adequacy of safeguards in a foreign country, a transfer, or a set of transfers of personal data to a foreign country or an international organization shall take place only on one of the following conditions:

1. The client      or data subject has explicitly consented to the proposed transfer, after      having been informed of the possible risks of such transfers due to the      absence of an adequacy decision and appropriate safeguards and that there      are no alternatives.
2. The      transfer is necessary for the performance of a contract between the client      and the Controller, or the implementation of pre- contractual measures      taken at your request.
3. The      transfer is necessary for the conclusion or performance of a contract      concluded in the interest of client between the Controller and another      natural or legal person.
4. The      transfer is necessary for important reasons of public interest.
5. the      transfer is necessary for the establishment, exercise, or defense of legal      claims.
6. The      transfer is necessary to protect the customer vital interests or of other      persons, where the customer are physically or legally incapable of giving      consent.

Provided, in all circumstances, that you shall be manifestly made to understand through clear warnings of the specific principle(s) of data protection that are likely to be violated in the event of transfer to a third country. This proviso shall not apply to any instance where the Data Subject is answerable in duly established legal action for any civil or criminal claim in a third country.

We have implemented appropriate organizational and technical measures (including physical access controls and secure software and operating environments) to keep the clients Personal Data confidential and secure. Please note, however, that these protections do not apply to information you choose to share in public areas such as third-party social networks. Where we have provided the client (or where you have chosen) with a password which grants the client access to specific areas on our site, the clients are responsible for keeping this password confidential. We request that the clients do not share their pin, password, or other authentication details (e.g., token generated codes) with anyone.

Edfin Microfinance Bank will inform relevant authorities and if necessary affected individuals of personal data breach within 72 hours of being aware of the breach, where Personal Breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. Remedies shall include but not limited to investigating and reporting to appropriate authorities, recovering personal data, correcting it and/or enhancing controls around it.

Edfin Microfinance Bank would like to make sure that our clients aware of all their data protection rights. Every Client is entitled to the following:

• The      right to be informed - To emphasize the need for transparency over the      usage of personal data for targeted marketing, we ensure fair processing      of information typically through this privacy policy.
• The      rights to access – The clients have the right to request from Edfin      Microfinance Bank for copies of the client’s personal data where those      requests are reasonable and permitted by law or regulation. Edfin MFB may      charge you a fee for this service.
• The      right to rectification – The clients have the right to request that Edfin      Microfinance bank correct any information the client believe is      inaccurate. The clients also have the right to request for complete      information the client believe is incomplete.
• The      right to restrict processing – The clients have a right to ‘block’ or      withdraw or revoke your consent to our processing of your information,      which client can do at any time. When processing is restricted, we are      permitted to store personal data, but not further process it.
• The      right to erasure – The clients have the right to request the deletion or      removal of personal data where there is no compelling legal or regulatory      requirement for its continued processing. 
• The right to data      portability – The clients have the right to request that the bank transfer      the data that Edfin has collected to another organization, or directly to      you, under certain conditions. We will ensure that personal data is moved,      copied, or transferred easily from one IT environment to another in a safe      and secure way, without hindrance to usability.
• The      right to refusal - You have the right to refuse the processing of your      information if there are compelling legitimate grounds to do so and to the      extent permitted by law or regulation. To exercise your right(s), please      contact the Data Protection Officer of Edfin Microfinance Bank.
• Right      to receive the clients Personal Data in a commonly used and      machine-readable format and the right to transmit these data to another      Data Controller when the processing is based on (explicit) consent or when      the processing is necessary for the performance of a contract.
• Lodge      a complaint with the National IT Development Agency (NITDA) where the client believe Edfin processing of his/her      data violates the requirements of the Nigeria Data Protection Regulation      2019 (NDPR).

As a data subject, clients have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affects the client. We are committed to complying with this right under NDPR

If Edfin use automated decision-making, we will provide clients with clear and concise information about the types of decisions that may be made and the potential impact on the clients. We will also implement appropriate safeguards to protect clients’ rights and freedoms, such as ensuring that decisions are fair and transparent, and that clients have the right to challenge the decision or request human intervention. We may use automated decision-making in the following circumstances:

• when      it is necessary for entering into or performing a contract between Edfin      and Edfin Microfinance Bank
• when      it is authorized by law, subject to appropriate safeguards to safeguard the      clients’ rights and freedoms; or
• when      it is based on clients’ explicit consent.

The clients have the right to object to automated decision-making, by contacting our data protection officer or privacy representative. 

The Bank’s Data Analytics have machine learning loan underwriting which are being used for nano loans assessments. These analyses included analysing similarities between a customer usage of a product and other customers. Analysing the demographic, behavioural and financial performance of customers in predicting their character and financial capacity.

We take the privacy of customer personal data seriously, and we will only retain it for as long as is necessary for the purposes for which it was collected. Once the purpose for which the personal data was collected has been fulfilled, we will destroy the personal data, unless retention is required to comply with legal, regulatory, or accounting requirements or to protect Edfin Microfinance Bank interests.

We regularly review our retention policies to ensure that personal data is not retained for longer than necessary.

Please note that regulations may require the Bank to retain the clients’ personal data for a specified period even after the end of the client’s banking relationship with us. However, we will ensure that we comply with the applicable legal and regulatory requirements.

If a client wishes to exercise his/her right to request the deletion of his/her personal data, the client can contact our data protection officer. Edfin will consider the clients request carefully and will provide clients with a clear and concise explanation of any circumstances where their request may be denied.

It's also important to note that it is the clients’ responsibility to maintain the secrecy of their user ID and login password they hold. This will help to ensure that the client’s personal data is kept secure and confidential.

Cookies are text files placed on Edfin sites to collect standard Internet log information and visitor behaviour information. When customer visit our websites, we may collect information from them automatically through cookies or similar technology, to improve their experience while on our websites. We would like to let our customers know a few things about our cookies:

• Some      cookies are essential to access certain areas of this site.
• We use      analytics cookies to help us understand how you use our site to discover      what content is most useful to you.  
• Edfin      Microfinance Bank uses cookies in a range of ways to improve your      experience on our website, including:
  • Allow       Edfin to recognize the PC our customers are using when they return to our       web site so that we can understand their interest in our web site and       tailor its content and advertisements to match their interests (This type       of cookie may be stored permanently on customers’ PC but does not contain       any information that can identify them personally).
  • Identify       clients after they have logged in by storing a temporary reference number       in the cookie so that our web server can conduct a dialogue with the       client while simultaneously dealing with other clients. (Client browser       keeps this type of cookie until they log off or close their browser when       these types of cookies are normally deleted. No other information is       stored in this type of cookie).
  • Enable       us to evaluate the effectiveness of our advertising and promotions.

Please note that by continuing to use our website, clients consent to our use of cookies as described above. Client can manage their consent to cookies through their web browser settings, which allow them to accept or reject cookies, or to be notified when a cookie is set. Please note that blocking all cookies may limit the ability to access certain features of our website.

Our clients are responsible for making sure the information provided to the Bank is accurate and should inform the Bank on any changes as it occurs, this will enable us to update the information with us.

Edfin Microfinance Bank respects the privacy of children. We do not knowingly collect names, email addresses, or any other personally identifiable information from children through the internet or other touchpoints. Edfin does not allow children under the age of 18 to open accounts nor provide online banking for children less than 18 years of age without the consent of a guardian. Our website may include linked 3rd party sites that would be of interest to children. We are not responsible for the privacy and security practices of these sites. Parents should review the privacy policies closely before allowing children to provide any personally identifiable information.  

Edfin operates and communicate through our designated channels, pages, and accounts on some social media sites to inform, help and engage with our customers. We monitor and record comments and posts made about us on these channels so that we can improve our services. The public can access and read any information posted on these sites. Please note that any content clients post to such social media platforms is subject to the applicable social media platform’s terms of use and privacy policies. We recommend that clients review the information carefully to better understand their rights and obligations regarding such content.

In providing the client’s telephone, facsimile number, postal and e-mail address, or similar details, the client agree that Edfin Microfinance Bank may contact him/her by these methods to keep him/her informed about the Edfin Microfinance Bank products and services or for any other reason. If client prefer not to be kept informed of Edfin Microfinance Bank products and services, please contact Edfin Microfinance Bank by E-mail (contactus@edfinmfb.com)

Edfin website, related websites and mobile applications may have links to or from other websites. Although we try to link only to websites that also have high privacy standards, we are not responsible for their security, privacy practices or content. We recommend that you always read the privacy and security statements on these websites.

Edfin Microfinance Bank reserves the right to amend its prevailing Data Protection and Privacy Statement at any time and will place any such amendments on our websites (www.edfinmfb.com). The latest version of our privacy statement will replace all earlier versions unless it says differently. Please check back frequently to see any updates or changes to our Notice. This policy is not intended to, nor does it, create any contractual rights whatsoever or any other legal rights, nor does it create any obligations on Edfin Microfinance Bank in respect of any other party or on behalf of any party.

If you have any questions, concerns, or comments about our privacy policy, you may contact our Data Protection Officer. Kindly address your request to “The Data Protection Officer” at 152, Ogunlana Drive, Surulere, Lagos, Nigeria or via email (contactus@edfinmfb.com)