Preamble: Data Privacy Notice

Prodigy Microfinance Bank Limited (“the Bank,” “we,” “our,” or “us”) is committed to protecting the privacy, confidentiality, and rights of all individuals whose personal data we collect, process, and store in the course of providing financial services.
This Privacy Policy is developed in line with the Nigeria Data Protection Act (NDP Act) 2023 and the General Application and Implementation Directive (GAID) 2025.

It outlines our practices in the collection, use, disclosure, and safeguarding of personal data, ensuring transparency and accountability in data processing.

Part 1:    Our Commitment to Data Processing Principles

We are committed to processing personal data in compliance with the NDP Act 2023 principles:

• Lawfulness, Fairness, and Transparency
• Purpose Limitation – Data collected solely for specified, explicit, and legitimate purposes.
• Data Minimization – Only necessary data is collected.
• Accuracy – Ensuring data is accurate and up to date.
• Storage Limitation – Retaining data only for as long as necessary.
• Integrity and Confidentiality – Ensuring appropriate technical and organizational measures.
• Accountability – Demonstrating compliance with the NDP Act 2023 and GAID 2025.

Part 2: Consent of Data Subject

• We obtain consent before processing personal data unless processing is required by law, contract, vital interest, or legitimate interest.
• Consent is freely given, specific, informed, and unambiguous.
• Data subjects may withdraw consent at any time, without affecting the lawfulness of prior processing.

Part 3: Our Scope of Data Processing

We collect and process personal data from:

• Customers – account holders, loan applicants, depositors, and guarantors.
• Employees & Contractors – for HR, payroll, and compliance.
• Third Parties – vendors, agents, and service providers.

Data categories may include:

• Identification details (Name, NIN, BVN, Passport, Driver’s License).
• Contact details (Email, Phone number, Address).
• Financial information (Bank account details, Loan records, Transaction history).
• Employment details (for staff and applicants).
• Sensitive data (biometric information where applicable).

Part 4: Data Subject Rights

Under the NDP Act 2023 and GAID 2025, you have the following rights:

• Right to access your personal data.
• Right to rectify inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”).
• Right to restrict processing.
• Right to data portability.
• Right to object to processing (including marketing communications).
• Right not to be subject to automated decision-making/profiling.

Part 5: Data Retention and Security

• Data is retained only as long as necessary to fulfill the purposes for which it was collected or as required by law.
• We employ technical, organizational, and physical safeguards, including encryption, access control, firewalls, and staff training, to prevent unauthorized access, alteration, disclosure, or destruction.

Part 6: Mandatory Data Collection

Certain personal data is mandatory under laws and regulations such as Know Your Customer (KYC), Anti-Money Laundering (AML), and Counter-Terrorism Financing (CTF) requirements. Failure to provide such data may result in our inability to provide services.

Part 7: Transfer of Data to Third Parties

We may share personal data with:

• Regulatory authorities (e.g., NDPC, CBN, NDIC, EFCC, NFIU).
• Credit bureaus and financial institutions.
• Service providers engaged for core banking, IT support, payment processing, and debt recovery.

All transfers are governed by contracts ensuring confidentiality and compliance.

Part 8: Technical Information and Cookies

• When you use our website or digital platforms, we may collect technical information such as IP address, browser type, and usage patterns.
• Cookies may be used to enhance user experience and analyze web traffic. Users may opt out by adjusting browser settings.

Part 9: Personal Data Security and Integrity

We adopt ISO/IEC 27001-aligned security controls, periodic risk assessments, access restrictions, and incident response measures to preserve confidentiality, availability, and integrity of data.

Part 10: Job Applicants

Personal data provided by job applicants (such as CVs, academic and professional qualifications, references, and any other supporting documents) will be collected and processed solely for recruitment and selection purposes.

We will retain such data only for as long as necessary to complete the recruitment process. Records of unsuccessful applicants will be securely deleted within six (6) months of the recruitment exercise, unless a longer retention period is required by law or with the applicant’s express consent.

Successful applicants’ data will be incorporated into the employee records and processed in accordance with the Bank’s Employee Privacy Policy.

Part 11: Maintaining Accurate Information

Data subjects are encouraged to ensure their information is accurate and up-to-date. Requests for updates may be made through our Data Protection Help Desk.

Part 12: Children’s Privacy

We do not knowingly collect personal data from children under the age of 18 without verifiable parental or guardian consent.

Part 13: Caveat on Website Links

Our platforms may contain links to third-party websites. We are not responsible for the content or privacy practices of such websites.

Part 14: Transfer to Third Parties and Cross-Border Data Transfers

Where data is transferred outside Nigeria, we ensure:

• Adequacy decision by the NDPC.
• Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
• Data subjects are informed, and consent is obtained where required.

Part 15: Data Protection Help Desk

We have a dedicated Data Protection Help Desk to address inquiries, complaints, and rights requests from data subjects.

Part 16: Data Deletion

Data subjects may request deletion of their data where processing is no longer necessary, subject to regulatory retention requirements.

Part 17: Data Subject Access Request (DSAR)

Requests for access, correction, or erasure of data may be submitted in writing to the Data Protection Officer. We shall respond within the timelines stipulated in the NDP Act 2023 and GAID 2025.

Part 18: Remediation

In the event of a data breach, we shall:

• Notify the NDPC within 72 hours.
• Notify affected data subjects where there is a high risk to their rights and freedoms.
• Take prompt steps to remediate and mitigate risks.

Part 19: Alteration of Privacy Policy

We may update this Privacy Policy to reflect changes in practices, legal requirements, or operational needs. All updates will be communicated through our website and banking platforms.

Part 20: Contact Information

Data Protection Officer (DPO)
Prodigy Microfinance Bank Limited
71, Emma Abimbola Cole Street, Lekki Phase 1, Lagos

Email: info@prodigybankng.com
Phone: +2347045578204