1. General Policy Scope
O3 Capital Nigeria Limited set forth how it shall manage the Personal Data collected in the normal course of business. Any data provided are handled confidentially to ensure that the content and service being offered are tailored to specific requests, needs, and interests.

1. This Policy applies to:  All investors, individuals, or employees who provide Personal Data using any channel.
All functional areas and O3 Capital Nigeria Limited sites in the scope of the NDPR
All methods of contact, including in-person, written, via the Internet, direct mail, telephone, or other data capturing channels/methods. 
This Policy is designed also to inform all stakeholders about their obligation to protect the privacy of all stakeholders’ information and the security of Personal Data. 
This document applies to the entire Nigerian Data Privacy Regulation scope.

2. Purpose and Users
1. O3 Capital Nigeria Limited business process needs to gather and process certain information about individuals with whom it has a relationship for various purposes, but not limited to the recruitment and payment of staff, relationship management with Members, issuers, investors, collection of personally identifiable information on their platforms, In light of the emerging data regulatory environment that requires higher transparency in how companies manage personal information, the Company must ensure that its business operations align with global best practices on the protection of rights and privacy of individuals. This Policy is designed to inform all stakeholders about their obligation to protect the privacy of O3 Capital Nigeria Limited.
This document applies to the entire Nigerian Data Privacy Regulation scope. Users of this document are all employees of and service providers. 

3. Policy Statement
All data in the custody of O3 Capital Nigeria Limited shall be handled with utmost privacy and protection. O3 Capital Nigeria Limited shall comply with all legislation and regulations applicable to its business and operations regarding data protection and privacy. All personal data shall be classified in line with O3 Capital Nigeria Limited Information Classification Policy.
4. Description This policy document describes how we use and protect Your Information and the control you have over it. O3 Capital Nigeria Limited respects your privacy and will keep all your details confidential. 5. Terms and definitions
Database Administrator/Processor is a specialized computer systems administrator who maintains a successful database environment by directing or performing all related activities to keep the data The top responsibility of a DBA professional is to maintain data integrity. 

Data Controller means a person who either alone, jointly with other persons or in common with other persons or as a statutory body, determines the purposes for and how personal data is processed or is to be processed.
Data Portability means the ability for data to be transferred easily from one IT system or computer to another through a safe and secure means in a standard format Nigeria Information Technology Development Agency – NITDA
Data Protection Compliance Organization (DPCO) means any entity duly licensed by NITDA for training, auditing, consulting, and rendering services and products for compliance with Nigeria Data Protection Regulation, or any foreign Data Protection law or any other regulation affecting in Nigeria. 
Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her. 
Data means facts and statistics collected together for reference or analysis.  Database refers to a structured set of data held in a computer, especially one that is accessible in various ways. 

Data Subject/PII Principal means an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
Personal Data is any information that relates to an identified or identifiable living individual.
Different pieces of information, which when collected together can lead to the identification of a particular person, also constitute personal data.
Data breach is a security incident in which information is accessed without authorization. 
Record a thing constituting a piece of evidence about the past, especially an account kept in writing or some other permanent form, means public record and reports in creditable news media 

Sensitive Personal Data means data relating to religious or other beliefs, sexual tendencies, health, race, ethnicity, political views, trade union membership, criminal records, or any other sensitive personal information. 

6. Purpose
The purpose of this policy is to: 
1.
0. Protect the company from the risks of a data breach.
1. Disclose how O3 Capital Nigeria Limited stores and processes data of individuals.  Protect the rights of staff, members, and stakeholders.
1.
0. Comply with the regulation and follow international best practices. 

7. Data Protection Regulation The Regulation was established in January 2019 which provides information on the gathering, storing, and processing of personal data (regardless of whether data is stored electronically, on paper, in transit, or on other materials), and protects the rights and privacy of all individuals. The Regulation applies to natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent. 

7.1. Applicability Controllers and Processors Customers and PII Principals are the controllers and is the processors of personally identifiable information/data. Other sub-processors are our service providers. Any update of this policy or changes in status will be communicated to all relevant stakeholders. 

8. Governing Principles of Data Protection The Regulation mandates every data processor to process any personal data following the governing principles of data protection. To comply with the obligation undertakes to adhere to the following principles 

8.1. Data processing
1. All forms of data processing will be done transparently. In-line with the European Union General Data Protection Regulation (GDPR) and the Nigeria Data Protection Regulation (NDPR), all policies have been updated to ensure that your data is being processed lawfully. 

2. By using our service, you give your consent to process your data per these policies and our Terms of Services (TOS). All Information will be stored and easily accessible for as long as the purposes for which they were collected exist. However, retention of information may be done where there is a need for legal necessaries like invoices, audit logs, subscription information. 

8.2. Lawful Processing
The Company shall process personal data of individuals if at least one of the following applies: 

1. The data subject has given consent to the processing of his or her data for one or more specific purposes. 

2. Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract. 

3. Processing is necessary for compliance with a legal obligation to which O3 Capital Nigeria Limited is a subject. 

4. Processing is necessary to protect the vital interests of the data subject or another natural person. 

8.3. Procuring Consent
To fulfil the requirement of the Regulation, personal data will be processed by the rights of the data subject. The Company’s business operations will be guided by the following: 

1. The Company shall request for consent in a manner that is distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language, where the data subject’s consent is given in the context of a written declaration. 

2. The Company shall inform the data subject of his/her right and the ease to withdraw his/her consent at any time. 3. For security purposes and other purposes stated in these policies. 

The company shall request for consent of the data subject where data may be transferred to a third party for any reason.  shall only obtain personal information for the specific purpose of the collection after which consent is sought from the data subject to processing of his or her data and the legal capacity to give consent, where processing is based on consent. 

8.4. Due Diligence and Prohibition of Improper Motives
To align with these requirements, the Company shall: 

1.
0. Process and retain personal information for its stated and communicated purpose only. 

1. Take reasonable measures to ensure that a party to any data processing contract does not have a record of violating the O3 Capital Nigeria Limited regulation and such party is accountable to NITDA or a reputable regulatory authority for data protection within or outside Nigeria. 

8.5. Data Security To ensure the safety of personal information 

1. 0. Secured web services have been configured to run within a virtual private connection and an SSL certificate to make sure that all communications are made over HTTPS, SFTP using TLS. 

1. Development of security measures including but not limited to protecting systems from hackers, setting up firewalls and protection email systems, secure storage of data, employ data encryption technologies. 2. Development of organizational policy for handling personal data and other sensitive or confidential data and Continuous capacity building for all staff are also strategies to ensure data privacy in-house. 

8.6. Data Processing Contracts with interested/third parties To ensure compliance with the Regulation, being a data controller, the Company shall: 

1. 0. Establish a written contract that shall be signed by a third party that will process the personal data of individuals. 

1. Ensure that such third party process the data obtained from data subjects complies with the regulation 8.7. Data Subject’s Rights to information 

1. As a user, you have certain rights/control over the information you submit to us. You have the right; 

1. To access and confirm your Information. 

2. To withdraw your consent from processing your Information (this does not affect already processed information). 

3. To rectify or update any inaccurate or outdated information. 

4. To know the purpose of processing your Information. 

5. To restrict the processing of your Information. 

6. To erase any information, we hold about you. 

7. To request a copy of the information we keep about you. 

8. To object/refuse your Information for direct marketing. 

8.8. Transfer of information to a Foreign Country 

1. The Company shall comply with the regulation and any transfer of personal data that is undergoing processing or is intended for processing after transfer to a foreign country or an international organization shall take place subject to the provisions of the Regulation. 

8.9 Assigning Roles and Responsibilities O3 Capital Nigeria Limited has identified the roles and responsibilities of relevant stakeholders to enforce the privacy policy across the organization. 

9.1. Board Board must ensure that O3 Capital Nigeria Limited is nurturing public trust and complying with regulations as they take advantage of data collected from customers. They must also enforce and ensure compliance with documented privacy policies per NDPR. 

9.2. Executive Management Committee 

1. 0. The main role of the privacy committee should be to make strategic recommendations about data security across the company. 

1. Ensure data protection objectives are established and aligned with the strategic direction of the Company. 

2. Ensure the availability of resources needed for the protection of data. 

3. Communicate the importance of effective data protection in the company and of conforming to its requirements. 

9.3. Data Protection Officer 

1. 0. The primary role of the data protection officer (DPO) is to ensure that O3 Capital Nigeria Limited processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. 

1. Keep Executive Management updated about data protection responsibilities, risks, and issues. 

2. Review all data protection procedures and related policies, in line with an agreed schedule. 

3. Arrange data protection training and advice for the people covered by the policy. 

4. Handle data protection questions from staff and anyone else covered by the policy. 

5. Deal with requests from individuals to obtain the data O3 Capital Nigeria Limited holds about them. 

6. Review and approve any contracts or agreements with third parties that may handle the company’s sensitive data. 

9.4. Human resource 

1. 0. Must ensure everyone is informed and up to date when it comes to keeping information safe. 

1. HR ensures that the user’s data is only being used for what the original owner intended and agreed to. While the process is lengthy, it saves a lot of legal trouble and potential theft. 

2. Ensure the pillars of an exit strategy should be put in place as soon as the employee joins the company, ensuring as few misunderstandings as possible. Keeping good communication and appropriate company culture can help breaches like this from ever happening. 

10. Policy Review This policy shall be reviewed at least annually to ensure effectiveness and continual application and relevance to the company’s business or as may be required. Kindly follow-up on this policy from time to time to ensure that you have up-to-date information. 

11. Escalation Anyone breaching information security policy may be subject to disciplinary action. If a criminal offense has been committed further action may be taken to assist in the prosecution of the offender(s). 

12. Policy Exceptions & Retention A policy exception represents a circumstance whereby an employee of O3 Capital Nigeria Limited knowingly deviates from a requirement of the Policy. All Policy exceptions must be approved by the MD/CEO of O3 Capital Nigeria Limited. All documentation shall be maintained under the O3 Capital Nigeria Limited policy for retention of documents and records or as regulation require. 

13. Contact us The website is owned and operated by O3 Capital Nigeria Limited, a company registered in Nigeria. If you have any questions or comments about this policy, or if you would like us to update information, we have about you or your preferences, please email: – dpo@o3cards.com OR contact: 18a Jerry Iriabe Street, Lekki Phase 1, Lago