1. Scope

Belema Financial Technology Limited sets forth how it shall manage the Personal Data collected in the normal course of business. Any data provided is handled in a confidential manner to ensure that the content and service being offered are tailored to specific requests, needs and interests. This Policy applies to:

a) All investors, operators, individuals or employees who provide Personal Data using any channel;
b) All functional areas and Belema Financial Technology Limited sites
c) All methods of contact, including in person, written, via the Internet, direct mail, telephone, or other data capturing channels/methods.

This Policy is designed also to inform all stakeholders about their obligation to protect the privacy of all stakeholders’ information and the security of Personal Data. This document applies to the entire Nigerian Data Privacy Regulation scope.

2. Information Security Summary

Read the information security summary here

3. Reference documents.

ISO/IEC 27701:2019 standard

4. Purpose and Users

Belema Financial Technology Limited software development needs to gather and process certain information about individuals with whom it has relationships for various purposes, but not limited to the recruitment and payment of staff, relationship management with Members, issuers, investors, collection of personal identifiable information on their platforms (list), etc.

In light of the emerging data regulatory environment which requires higher transparency in how companies manage personal information, the Company must ensure that its business operations align with global best practices on protection of rights and privacy of individuals.

This Policy is designed also to inform all stakeholders about their obligation to protect the privacy of all stakeholders’ information and the security of Personal Data. This document applies to the entire Nigerian Data Privacy Regulation scope. Users of this document are all employees of Belema Financial Technology Limited and service providers.

5. Policy Statement

All data in custody of Belema Financial Technology Limited shall be handled with utmost privacy and protection. Belema Financial Technology Limited shall comply with all legislations and regulations applicable to its business and operations regarding data protection and privacy. All personal data shall be classified in line with Belema Financial Technology Limited Information Classification Policy

6. Description

This policy describes how we use and protect Your Information and the control you have over your Information. Belema respects your privacy and will keep all your details confidential.

7. Terms and definitions

Database Administrator/ Processor is a specialized computer systems administrator who maintains a successful database environment by directing or performing all related activities to keep the data secure. The top responsibility of a DBA professional is to maintain data integrity.

Data Controller means a person who either alone, jointly with other persons or in common with other persons or as a statutory body, determines the purposes for and the manner in which personal data is processed or is to be processed.

Data Portability means the ability for data to be transferred easily from one IT system or computer to another through a safe and secure means in a standard format

Data Protection Compliance Organization (DPCO) means any entity duly licensed for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection law or regulation having effect in Nigeria.

Consent of the data subject Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Datameans facts and statistics collected together for reference or analysis.

Databaserefers to a structured set of data held in a computer, especially one that is accessible in various ways.

Data Subject/PII Principalmeans an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. This may include individual users of the Belema product or any other product that may be released by Belema Financial Technology Limited from time to time.

Personal Data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

Data breach is a security incident in which information is accessed without authorization.

Record a thing constituting a piece of evidence about the past, especially an account kept in writing or some other permanent form, means public record and reports in credible news media

Sensitive Personal Data means data relating to religious or other beliefs, sexual tendencies, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information. means data relating to religious or other beliefs, sexual tendencies, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information.

8. Objectives

• Protect the company from the risks of a data breach.
• Disclose how Belema Financial Technology Limited stores and processes data of individuals.
• Protect the rights of staff, members and stakeholders.
• Comply with the regulation and follow international best practices.

9. Data Protection Regulation

The Regulation was established in January 2019 which provides information on the gathering, storing and processing of personal data (regardless of whether data is stored electronically, on paper, in transit or on other materials), and protects the rights and privacy of all individuals. The Regulation applies to natural persons residing in Nigeria or residing outside Nigeria but of Nigeria descent.

10. Governing Principles of Data Protection

The Regulation mandates every data processor to process any personal data in accordance with the governing principles of data protection. In order to comply with the obligations, undertakes to adhere to the following principles

10.1 Applicability

Customers and PII Principals are the controllers and Belema Financial Technology Limited is the processors of personal identifiable information/data. Other sub-processors are our service providers. Any update of this policy or changes in status will be communicated to all relevant stakeholders.

10.2 Data processing

All forms of data processing will be done transparently. In-line with the Nigeria Data Protection Regulation (NDPR), all policies have been updated to ensure that your data is being processed lawfully. By using our service, you give your consent to process your data in accordance with these policies and our Terms of Services (ToS). All Information will be stored and easily accessible for as long as the purposes for which they were collected exist. However, retention of information may be done where there is a need for legal necessaries like invoices, audit logs, subscription information etc.

10.3 Lawful Processing

The Company shall process personal data of individuals if at least one (1) of the following applies:

a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
b) Processing is necessary for the performance of a contract to which data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
c) Processing is necessary for compliance with a legal obligation to which Belema Financial Technology Limited is a subject.
d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person.

10.4 Procuring Consent

To fulfill the requirement of the Regulation, personal data will be processed in accordance with the rights of the data subject. The Company’s business operations will be guided by the following:

• The Company shall request for consent in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language, where the data subject’s consent is given in the context of a written declaration.
• The Company shall inform the data subject his/her right and the ease to withdraw his/her consent at any time.
• To operate and maintain your account, and to provide you with access to the Website and use of the Apps and Services that you may request from time to time. Your email address and password are used to identify you when you sign into the Platform. Your device-IDs are used to ensure that you are in control of the devices that have access to your subscription.
• To seek your participation in surveys, to conduct and analyze the results of those surveys if you choose to participate.
• To provide you with technical support.
• To respond to you about any comment or enquiry you have submitted
• To prevent or take action against activities that are, or may be in breach of our Terms of Service (ToS) or applicable law.
• For identification and verification purposes.
• For marketing, sales and promotional activities.
• For product development, to build higher quality and more useful services.
• For security purposes and other purposes stated in these policies.
• The company shall request for consent of the data subject where data may be transferred to a third party for any reason.
• Belema shall only obtain personal information for the specific purpose of collection after which consent is sought from the data subject to processing of his or her personal data and the legal capacity to give consent, where processing is based on consent.

10.5 Due Diligence and Prohibition of Improper Motives

To align with these requirements, the Company shall:

• Process and retain personal information for its stated and communicated purpose only.
• Take reasonable measures to ensure that a party to any data processing contract does not have a record of violating the regulation and such party is accountable to a reputable regulatory authority for data protection within or outside Nigeria.

10.6 Data Security

Belema Financial Technology Limited has established the necessary technical and security measures to prevent unauthorized or unlawful access to or accidental loss of or destruction or damage to personal Information. To ensure the safety of personal Information, secured web services have been configured to run within a virtual private connection and an SSL certificate to make sure that all communications are made over HTTPS, SFTP using TLS Development of security measures including but not limited to protecting systems from hackers, setting up firewalls and protection email systems, secure storage of data, employ data encryption technologies, Development of organizational policy for handling personal data and other sensitive or confidential data and Continuous capacity building for all staff are also strategies to ensure data privacy in-house.

10.7 Data Processing Contracts with interested/ Third-parties

To ensure compliance with the Nigerian Data Protection Regulations, being a data controller, the Company shall:

• Establish a written contract which shall be signed by a third party that will process personal data of individuals.
• Ensure that such third party process the data obtained from data subjects complies with the regulation

10.8 Data Subject’s Rights to information

As a user of any of Belema Financial Technology Limited’s products, you have certain rights/control over the information you submit to us. You have the right;

• To access and confirm your Information.
• To withdraw your consent from processing your Information (this does not affect already processed information).
• To rectify or update any inaccurate or outdated information.
• To know the purpose for processing your Information.
• To restrict the processing of your Information.
• To erase any information, we hold about you.
• To request for a copy of the information we keep about you.
• To object/refuse your Information for direct marketing.
• For portability, if feasible.
• The accuracy of the personal data is contested by the data subject for a period enabling Belema Financial Technology Limited to verify the accuracy of the personal data.
• Provide personal data concerning data subjects, in a structured manner, commonly-used and machine readable format to such data subjects.
• Not hinder the data subject from transmitting those data in its database to another company where the processing is based on consent, on a contract and processing is carried out by automated means.
• Execute data subjects’ requests on transmission of their personal data to another company, where technically feasible.
• When you make a request to exercise any of the above rights, we shall provide you with your personal information and other necessary information as requested by you. However, we reserve the right to charge you or refuse your request where we notice that your request is repetitive or excessive. Your rights to an erasure of your Information does not apply to legal necessaries like invoices, audit logs, subscription information, and your Information archived on our backup systems which we shall securely isolate and protect the use of it from any further processing, to the extent required by applicable law etc

10.9 Transfer of information to a Foreign Country

The Company shall comply with the Regulation and any transfer of personal data which is undergoing processing or is intended for processing after transfer to a foreign country or an international organization shall take place subject to the provisions of the Regulation.

11. Assigning Roles and Responsibilities

Belema Financial Technology Limited has identified roles and responsibilities of relevant stakeholders to enforce the privacy policy across the organization.

11.1 Board

The Board must ensure that Belema Financial Technology Limited are nurturing public trust and complying with regulations as they take advantage of data collected from customers. They must also enforce and ensure compliance with documented privacy policies in accordance with NDPR.

11.2 Executive Management Committee

• The main role of the privacy committee should be to make strategic recommendations about data security across the company.
• Ensure data protection objectives are established and aligned with the strategic direction of the Company.
• Ensure the availability of resources needed for the protection of data.
• Communicate the importance of effective data protection in the company and of conforming to its requirements.

11.3 Data Protection Officer

• The primary role of the data protection officer (DPO) is to ensure that Belema Financial Technology Limited processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.
• Keep Executive Management updated about data protection responsibilities, risks and issues.
• Review all data protection procedures and related policies, in line with an agreed schedule.
• Arrange data protection training and advice for the people covered by the policy.
• Handle data protection questions from staff and anyone else covered by the policy.
• Deal with requests from individuals to obtain the data Belema Financial Technology Limited holds about them.
• Review and approve any contracts or agreements with third-parties that may handle the company’s sensitive data

11.4 Head, Solution Delivery.

• Evaluate any third-party services Belema Financial Technology Limited is considering using to store or process data such as private cloud computing services.
• Ensure all systems, services and equipment used for storing data meet acceptable security standards.
• Perform regular checks and vulnerability scans to ensure adequate security of hardware and software used in data processing.

11.5 Quality Assurance

• Provide reasonable assurance regarding the achievement of the operational objectives, such as the effectiveness and efficiency of the security controls.
• Carry out internal audit and report findings to the Executive Management Committee.
• Recommend preventive and corrective action.

11.6 Human resource

• Must ensure everyone is informed and up to date when it comes to keeping information safe.
• HR ensures that the user's data is only being used for what the original owner intended and agreed to. While the process is lengthy, it saves a lot of legal trouble and potential theft.
• Ensure pillars of an exit strategy should be put in place as soon as the employee joins the company, ensuring as few misunderstandings as possible. In fact, keeping good communication and appropriate company culture can help breaches like this from ever happening.

12. Policy Review

This policy shall be reviewed at least annually to ensure effectiveness and continual application and relevance to the company’s business or as may be required.

13. Escalation

Anyone breaching information security and privacy policy may be subject to disciplinary action. If a criminal offence has been committed further action may be taken to assist in the prosecution of the offender(s). All policy breaches shall be escalated to the Information Technology department for action

14. Policy Exceptions & Retention

A policy exception represents a circumstance whereby an employee of Belema Financial Technology Limited knowingly deviates from a requirement of the Policy. All Policy exceptions must be approved by the MD/CEO of Belema Financial Technology Limited. All documentations shall be maintained in accordance with the Belema Financial Technology Limited policy for Retention of documents and records or as regulation require