BRAILS FINANCIALS INC
DATA PRIVACY & PROTECTION POLICY
Table of Contents
1. Introduction
2. Scope
3. General Principles for Processing of Personal Data
3.1 Lawfulness, Fairness and Transparency
3.2 Data Accuracy
3.3 Purpose Limitation
3.4 Data Minimization
3.5 Integrity and Confidentiality
3.6 Personal Data Retention
3.7 Accountability
4. Data Privacy Notice
5. Legal Grounds for Processing of Personal Data
6. Consent
7. Data Subject Rights
8. Transfer of Personal Data
8.1 Third Party Processor within Nigeria
8.2 Transfer of Personal Data to Foreign Country
9. Data Breach Management Procedure
10. Data Protection Impact Assessment
11. Data Security
12. Data Protection Officer
13. Training
14. Data Protection Audit
15. Changes to the Policy
16. Glossary
1. INTRODUCTION
As part of our operations, Brails Financials Inc (“Brails” or “the Company”) collects and
processes certain types of information (such as name, telephone numbers, address, etc.) of
individuals that makes them easily identifiable. These individuals include current, past and
prospective employees, merchants, suppliers/vendors, customers of merchants and other
individuals whom Brails communicates or deals with, jointly and/or severally (“Data
Subjects”).
Maintaining the Data Subject’s trust and confidence requires that Data Subjects do not suffer
negative consequences/effects as a result of providing Brails with their Personal Data. To
this end, Brails is firmly committed to complying with applicable data protection laws,
regulations, rules and principles to ensure security of Personal Data handled by the
Company. This Data Privacy & Protection Policy (“Policy”) describes the minimum standards
that must be strictly adhered to regarding the collection, use and disclosure of Personal Data
and indicates that Brails is dedicated to processing the Personal Data it receives or
processes with absolute confidentiality and security.
This Policy applies to all forms of systems, operations and processes within the Brails
environment that involve the collection, storage, use, transmission and disposal of Personal
Data.
Failure to comply with the data protection rules and guiding principles set out in the Nigeria
Data Protection Regulation, 2019 (NDPR), the Nigeria Data Protection Act, 2023 (NDPA) as
well as those set out in this Policy is a material violation of Brails’s policies and may result in
disciplinary action as required, including suspension or termination of employment or
business relationship.
2. SCOPE
This Policy applies to all employees of Brails, as well as to any external business partners
(such as merchants, suppliers, contractors, vendors and other service providers) who
receive, send, collect, access, or process Personal Data in any way on behalf of Brails,
including processing wholly or partly by automated means. This Policy also applies to third
party Data Processors who process Personal Data received from Brails.
3. GENERAL PRINCIPLES FOR PROCESSING OF PERSONAL DATA
Brails is committed to maintaining the principles in the NDPR and NDPA regarding the
processing of Personal Data.
To demonstrate this commitment as well as our aim of creating a positive privacy culture
within Brails, Brails adheres to the following basic principles relating to the processing of
Personal Data:
3.1 Lawfulness, Fairness and Transparency
Personal Data must be processed lawfully, fairly and in a transparent manner at all
times. This implies that Personal Data collected and processed by or on behalf of
Brails must be in accordance with the specific, legitimate and lawful purpose
consented to by the Data Subject, save where the processing is otherwise allowed by
law or within other legal grounds recognized in the NDPR and NDPA.
3.2 Data Accuracy
Personal Data must be accurate and kept up-to-date. In this regard, Brails:
a) shall ensure that any data it collects and/or processes is accurate and not
misleading in a way that could be harmful to the Data Subject;
b) shall make efforts to keep Personal Data updated where reasonable and applicable;
and
c) shall make timely efforts to correct or erase Personal Data when inaccuracies are
discovered.
3.3 Purpose Limitation
Brails collects Personal Data only for the purposes identified in the appropriate Brails
Privacy Notice provided to the Data Subject and for which Consent has been
obtained. Such Personal Data cannot be reused for another purpose that is
incompatible with the original purpose, except a new Consent is obtained.
The purposes for which Brails will use your personal data include:
a) For the provision of services to you. For example, when you purchase any of
our products or services, we will use your personal data to process your order.
b) For customer care and billing. When you use our products or services, we will
use your personal information to bill you and to respond to enquiries and concerns
that you may have about our products and services.
c) Customer service messages. We will use your personal data to keep you
updated with the latest information or changes about our products and services.
d) For marketing purposes. In order to serve you better, we will use your personal
data to market our products and services to you.
e) Fraud prevention and security. We will process your personal and traffic data
in order to protect you against and detect fraud, to protect and detect misuse or
damage to our networks.
f) Managing our networks and understanding network usage. We do this to
manage the volume of calls and to understand how you use our networks,
products and services.
3.4 Data Minimization
3.4.1 Brails limits Personal Data collection and usage to data that is relevant,
adequate, and absolutely necessary for carrying out the purpose for which
the data is processed.
3.4.2 Brails will evaluate whether and to what extent the processing of personal
data is necessary and, where the purpose allows, anonymized data must be
used.
3.5 Integrity and Confidentiality
3.5.1 Brails shall establish adequate controls in order to protect the integrity and
confidentiality of Personal Data, both in digital and physical format and to
prevent personal data from being accidentally or deliberately compromised.
3.5.2 Personal data of Data Subjects must be protected from unauthorized
viewing or access and from unauthorized changes to ensure that it is reliable
and correct.
3.5.3 Any personal data processing undertaken by an employee who has not
been authorized to carry out such processing as part of their legitimate duties is
unauthorized.
3.5.4 Employees may have access to Personal Data only as is appropriate for the
type and scope of the task in question and are forbidden to use Personal
Data for their own private or commercial purposes or to disclose them to
unauthorized persons, or to make them available in any other way.
3.5.5 Human Resources Department must inform employees at the start of the
employment relationship about the obligation to maintain personal data
privacy. This obligation shall remain in force even after employment has
ended.
3.6 Personal Data Retention
3.6.1 All personal information shall be retained, stored and destroyed by Brails
in line with legislative and regulatory guidelines. For all Personal Data and
records obtained, used and stored within the Company, Brails
shall perform periodic reviews of the data retained to confirm the accuracy,
purpose, validity and requirement to retain.
3.6.2 To the extent permitted by applicable laws and without prejudice to Brails’s
Document Retention Policy, the length of storage of Personal Data shall,
amongst other things, be determined by:
(a) the contract terms agreed between Brails and the Data Subject or as
long as it is needed for the purpose for which it was obtained; or
(b) whether the transaction or relationship has statutory implication or a
required retention period; or
(c) whether there is an express request for deletion of Personal Data by
the Data Subject, provided that such request will only be treated where
the Data Subject is not under any investigation which may require
Brails to retain such Personal Data or there is no subsisting
contractual arrangement with the Data Subject that would require the
processing of the Personal Data; or
(d) whether Brails has another lawful basis for retaining that information
beyond the period for which it is necessary to serve the original
purpose.
Notwithstanding the foregoing and pursuant to the NDPR/NDPA, Brails
shall be entitled to retain and process Personal Data for archiving,
scientific research, historical research or statistical purposes for public
interest.
3.6.3 Brails shall forthwith delete Personal Data in Brails’s possession where
such Personal Data is no longer required by Brails or in line with Brails’s
Retention Policy, provided no law or regulation being in force requires
Brails to retain such Personal Data.
3.7 Accountability
3.7.1 Brails demonstrates accountability in line with the NDPR/NDPA obligations
by monitoring and continuously improving data privacy practices within
Brails.
3.7.2 Any individual or employee who breaches this Policy may be subject to
internal disciplinary action (up to and including termination of their
employment); and may also face civil or criminal liability if their action
violates the law.
4. DATA PRIVACY NOTICE
4.1 Brails considers Personal Data as confidential and, as such, it must be adequately
protected from unauthorized use and/or disclosure. Brails will ensure that the Data
Subjects are provided with adequate information regarding the use of their Personal Data
as well as acquire their respective Consent, where necessary.
4.2 Brails shall display a simple and conspicuous notice (Privacy Notice) on any medium
through which Personal Data is being collected or processed. The following information
must be considered for inclusion in the Privacy Notice, as appropriate in distinct
circumstances in order to ensure fair and transparent processing:
a) Description of collectible Personal Data;
b) Purposes for which Personal Data is collected, used and disclosed;
c) What constitutes Data Subject’s Consent;
d) Purpose for the collection of Personal Data;
e) The technical methods used to collect and store the information;
f) Available remedies in the event of violation of the Policy and the timeframe for
remedy; and
g) Adequate information in order to initiate the process of exercising their privacy rights,
such as access to, rectification and deletion of Personal Data.
4.3 Brails’s Privacy Notice is available on Brails’s website.
5. LEGAL GROUNDS FOR PROCESSING OF PERSONAL DATA
The personal data we collect from our customers and how we collect it depends on the services
that our customers subscribe to, how they use our services and how they interact or interface
with us. This also applies to persons who are not customers of Brails but have interacted with
Brails. We may also obtain your personal data from a third party with permission to share it
with us.
Please note that we only process your personal data based on the grounds set out in the
NDPR/NDPA. Accordingly, in line with the provisions of the NDPR/NDPA, processing of
Personal Data by Brails shall be lawful if at least one of the following applies:
a) where you give us consent to the processing of your Personal Data for one or more specific
purposes. You are at liberty to withdraw the consent and Brails will cease to process your
personal data where there is no other basis to do so;
b) where the processing is necessary for the performance of a contract to which the Data
Subject is party or in order to take steps at the request of the Data Subject prior to entering
into a contract;
c) processing is necessary for compliance with a legal obligation to which Brails is subject;
d) processing is necessary in order to protect the vital interests of the Data Subject or of
another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or
in exercise of official public mandate vested in Brails; and
f) processing is in the legitimate interest of Brails.
5.1 We collect your personal data when you do any of the following:
a) Buy or use any of our products and services;
b) Use our network or other Brails products and services;
c) Register for a specific product or service;
d) Fill in your information on our KYC registration form, self-service applications, social
media platforms, SIM Swap Forms, MNP Forms;
e) Visit or browse our website;
f) Have given permission to other companies to share information about you;
g) Where your information is publicly available;
h) Are customers of a business we acquire; or
i) Take part in a competition, prize draw or survey.
Personal data we have about our customers, where applicable includes: name, phone
number, address, sex, photograph, ID card number, fingerprint, educational information, job
experiences, signature, etc.
6. CONSENT
Where processing of Personal Data is based on consent, Brails shall obtain the requisite
consent of Data Subjects at the time of collection of Personal Data. In this regard, Brails will
ensure:
a) that the specific purpose of collection is made known to the Data Subject and the Consent
is requested in a clear and plain language;
b) that the Consent is freely given by the Data Subject and obtained without fraud, coercion
or undue influence;
c) that the Consent is sufficiently distinct from other matters to which the Data Subject has
agreed;
d) that the Consent is explicitly provided in an affirmative manner;
e) that Consent is obtained for each purpose of Personal Data collection and processing;
and
f) that it is clearly communicated to and understood by Data Subjects that they can update,
manage or withdraw their Consent at any time.
6.1 Valid Consent
6.1.1 For Consent to be valid, it must be given voluntarily by an appropriately informed
Data Subject. In line with regulatory requirements, Consent cannot be implied.
Silence, pre-ticked boxes or inactivity do not constitute Consent under the
NDPR/NDPA.
6.1.2 Consent in respect of Sensitive Personal Data must be explicit. A tick of the box
would not suffice.
6.2 Consent of Minors
In the unlikely event that we deal with minors, the consent of minors will always be
protected and obtained from the minor’s representatives in accordance with applicable
regulatory requirements.
7. DATA SUBJECT RIGHTS
7.1 All individuals who are the subject of Personal Data held by Brails are entitled to the
following rights:
a) Right to request for and access their Personal Data collected and stored. Where
data is held electronically in a structured form, such as in a Database, the Data
Subject has a right to receive that data in a common electronic format;
b) Right to information on their personal data collected and stored;
c) Right to objection or request for restriction;
d) Right to object to automated decision making;
e) Right to request rectification and modification of their data which Brails keeps;
f) Right to request for deletion of their data, except as restricted by law or Brails’s
statutory obligations;
g) Right to request the movement of data from Brails to a Third Party; this is the right
to the portability of data; and
h) Right to object to, and to request that Brails restricts the processing of their
information except as required by law or Brails’s statutory obligations.
To opt out of marketing and unsolicited messages:
If you no longer want to receive marketing messages from Airtel, you can choose to opt
out at any time. If you’ve previously opted in to receive personalised content based on
how and where you use our network, you can also opt out at any time.
These are the various ways to opt out:
• Contact our customer services team – see the contact us page;
• Click the unsubscribe icon in our email; or
• Disable push notification messages, including marketing messages, at any time in our
apps by changing the notification settings on your device or by uninstalling the app.
7.2 Brails’s well-defined procedure regarding how to handle and answer Data Subjects’
requests is contained in Brails’s Data Subject Access Request Policy.
7.3 Data Subjects can exercise any of their rights by completing Brails’s Subject Access
Request (SAR) Form and submitting it to the Company via [email protected]
8. TRANSFER OF PERSONAL DATA
8.1 Third Party Processor within Nigeria
Brails may engage the services of third parties in order to process your Personal Data
collected by us. The processing by such third parties shall be governed by a written
contract with Brails to ensure adequate protection and security measures are put in
place by the third party for the protection of Personal Data in accordance with the terms
of this Policy and the NDPR. We may also share your personal data with law enforcement
agencies where required by law to do so.
Where applicable, Brails will share your information with:
a) Partners, suppliers or agents involved in delivering the products and services you’ve
ordered or used. For example, when you apply for a loan, your loan request is handled
by our business partner, who is bound by contract to protect your personal data.
b) Law enforcement agencies, government bodies, regulatory organisations, courts or
other public authorities if we have to, or are authorized to by law. For example, under
the Cybercrimes Act, a law enforcement agency may request a service provider to
keep or release any traffic data, subscriber information, content or non-content
information. This is however for law enforcement purposes only.
c) A third party or body where such disclosure is required to satisfy any applicable law,
or other legal or regulatory requirement, e.g. to detect or prevent fraud or the
commission of any other crime.
d) A merging or acquiring entity where we undergo business reorganization, e.g. merger,
acquisition or takeover.
8.2 Transfer of Personal Data to Foreign Country
8.2.1 Where Personal Data is to be transferred to a country outside Nigeria, Brails
shall put adequate measures in place to ensure the security of such Personal
Data. In particular, Brails shall, among other things, conduct a detailed
assessment of whether the said country is on the National Information
Technology Development Agency (NITDA) White List of Countries with
adequate data protection laws.
8.2.2 Transfer of Personal Data out of Nigeria would be in accordance with the
provisions of the NDPR/NDPA. Brails will therefore only transfer Personal
Data out of Nigeria on one of the following conditions:
a. The consent of the Data Subject has been obtained;
b. The transfer is necessary for the performance of a contract between
Brails and the Data Subject or implementation of pre-contractual
measures taken at the Data Subject’s request;
c. The transfer is necessary to conclude a contract between Brails and a
third party in the interest of the Data Subject;
d. The transfer is necessary for reason of public interest;
e. The transfer is for the establishment, exercise or defense of legal claims;
f. The transfer is necessary in order to protect the vital interests of the Data
Subjects or other persons, where the Data Subject is physically or legally
incapable of giving consent.
Provided, in all circumstances, that the Data Subject has been manifestly
made to understand, through clear warnings, the specific principle(s) of data
protection that are likely to be violated in the event of transfer to a third country.
This proviso shall not apply to any instance where the Data Subject is
answerable in duly established legal action for any civil or criminal claim in a
third country.
Brails will take all necessary steps to ensure that the Personal Data is
transmitted in a safe and secure manner. Details of the protection given to
your information when it is transferred outside Nigeria shall be provided to you
upon request.
9. DATA BREACH MANAGEMENT PROCEDURE
9.1 A data breach procedure is established and maintained in order to deal with incidents
concerning Personal Data or privacy practices leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data
transmitted, stored or otherwise processed.
9.2 All employees must inform their designated line manager or the DPO of Brails
immediately about cases of violations of this Policy or other regulations on the protection
of Personal Data, in accordance with Brails’s Personal Data Breach Management
Procedure in respect of any:
a) improper transmission of Personal Data across borders;
b) loss or theft of data or equipment on which data is stored;
c) accidental sharing of data with someone who does not have a right to know
this information;
d) inappropriate access controls allowing unauthorized use;
e) equipment failure;
f) human error resulting in data being shared with someone who does not have a right
to know; and
g) hacking attack.
9.3 A data protection breach notification must be made immediately after any data breach to
ensure that:
a) immediate remedial steps can be taken in respect of the breach;
b) any reporting duties to the NDPC or any other regulatory authority can be complied with;
c) any affected Data Subject can be informed; and
d) any stakeholder communication can be managed.
9.4 When a potential breach has occurred, Brails will investigate to determine if an actual
breach has occurred and the actions required to manage and investigate the breach as
follows:
a) Validate the Personal Data breach.
b) Ensure proper and impartial investigation (including digital forensics if necessary) is
initiated, conducted, documented, and concluded.
c) Identify remediation requirements and track resolution.
d) Report findings to the top management.
e) Coordinate with appropriate authorities as needed.
f) Coordinate internal and external communications.
g) Ensure that impacted Data Subjects are properly notified, if necessary.
10. DATA PROTECTION IMPACT ASSESSMENT
Brails shall carry out a Data Protection Impact Assessment (DPIA) in respect of any new
project or IT system involving the processing of Personal Data to determine whether a type
of processing is likely to result in any risk to the rights and freedoms of the Data Subject.
Brails shall carry out the DPIA in line with the procedures laid down in the Brails
Data Protection Impact Assessment Policy.
11. DATA SECURITY
11.1 All Personal Data must be kept securely and should not be stored any longer than
necessary. Brails will ensure that appropriate measures are employed against
unauthorized access, accidental loss, damage and destruction of data. This includes
the use of password-encrypted databases for digital storage and locked cabinets for
records kept in paper form.
11.2 To ensure security of Personal Data, Brails will, among other things, implement the
following appropriate technical controls:
a) Industry-accepted hardening standards for workstations, servers, and databases.
b) Full-disk software encryption on the operating system drives of all corporate
workstations/laptops storing Personal Data and Sensitive Personal Data.
c) Encryption at rest for key databases, including key management.
d) Security audit logging enabled across all systems managing Personal Data.
e) Restrictions on the use of removable media such as USB flash disk drives.
f) Anonymization techniques in testing environments.
g) Physical access control where Personal Data is stored in hard copy.
12. DATA PROTECTION OFFICER
Brails shall appoint one or more Data Protection Officers (DPO) responsible for overseeing the
Company's data protection strategy and its implementation to ensure compliance with the
NDPR/NDPA requirements. The DPO shall be a knowledgeable person on data privacy
and protection principles and shall be familiar with the provisions of the NDPR/NDPA.
The main tasks of the DPO include:
a) administering the data protection policies and practices of Brails;
b) monitoring compliance with the NDPR, NDPA and other data protection laws and data
protection policies, including awareness-raising, training, and audits;
c) advising the business, management, employees and third parties who carry on
processing activities of their obligations under the NDPR/NDPA;
d) acting as a contact point for Brails;
e) monitoring and updating the implementation of the data protection policies and practices of
Brails and ensuring compliance amongst all employees of Brails;
f) ensuring that Brails undertakes a Data Protection Impact Assessment and curbing potential risk in
Brails’s data processing operations; and
g) maintaining a database of all data collection and processing operations of Brails.
13. TRAINING
Brails shall ensure that employees who collect, access and process Personal Data receive
adequate data privacy and protection training in order to develop the necessary knowledge,
skills and competence required to effectively manage the compliance framework under this
Policy and the NDPR/NDPA with regard to the protection of Personal Data. On an annual
basis, Brails shall develop a capacity building plan for its employees on data privacy and
protection in line with the NDPR and NDPA.
14. DATA PROTECTION AUDIT
Brails shall conduct an annual data protection audit through a licensed Data Protection
Compliance Organization (DPCO) to verify Brails’s compliance with the provisions of the
NDPR, NDPA and other applicable data protection laws.
The audit report will be certified by the DPCO and filed with the NDPC as required under the
NDPR/NDPA.
15. CHANGES TO THE POLICY
Brails reserves the right to change, amend or alter this Policy at any point in time. If we
amend this Policy, we will provide you with the updated version.
16. GLOSSARY
“Consent” means any freely given, specific, informed and unambiguous
indication of the Data Subject's wishes by which he or she, through
a statement or a clear affirmative action, signifies agreement to the
processing of Personal Data relating to him or her.
“Database” means a collection of data organized in a manner that allows
access, retrieval, deletion and processing of that data; it includes,
but is not limited to, structured, unstructured, cached and file system
type Databases.
“Data Processor” means a person or organization that processes Personal Data on
behalf and on instructions of Brails Financials Inc.
“DPCO” means an organization registered by NITDA to provide data
protection audit, compliance and training services to public and
private organizations who process Personal Data in Nigeria.
“Data Subject” means any person, who can be identified, directly or indirectly, by
reference to an identification number or to one or more factors
specific to his physical, physiological, mental, economic, cultural or
social identity.
“NDPA” means the Nigeria Data Protection Act, 2023.
“NDPR” means the Nigeria Data Protection Regulation, 2019.
“Personal Data” means any information relating to an identified or identifiable natural
person (‘Data Subject’); an identifiable natural person is one who
can be identified, directly or indirectly, in particular by reference to
an identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person. It can be anything from a name,
address, a photo, an email address, bank details, posts on social
networking websites, medical information, and other unique
identifiers such as, but not limited to, MAC address, IP address, IMEI
number, IMSI number, SIM, Personally Identifiable Information (PII)
and others.
“Sensitive Personal Data” means data relating to religious or other beliefs, sexual orientation,
health, race, ethnicity, political views, trades union membership,
criminal records or any other sensitive personal information.
General Information
Title: Data Privacy and Protection Policy
Status: Mandatory
Issuing Department: Risk and Compliance
Distribution/Target Audience: All employees, including contracted staff, vendors/suppliers and customers of Brails Technologies Limited
Approver: Management of Brails Financials Inc
Effective Date: March 2023
Version: 1.1