INTRODUCTION
Sudo Africa ("we", "our", or "the Bank") is a licensed financial institution regulated by the Central Bank of Nigeria (CBN), providing a wide range of services to diverse customers, including:
- Individuals
- Small and Medium Enterprises (SMEs)
- Large Corporates and Multinationals
- Governmental Agencies/Ministries, Departments, and Agencies (MDAs)
- Non-Governmental Organizations (NGOs) and Institutions
Our services are accessible through multiple channels, including:
- Head Office Operations
- Electronic Channels:
- Internet
- Mobile Applications
- USSD Services
As part of our commitment to data protection and privacy, this Data Privacy Policy outlines how we collect, process, store, and protect your personal data, in compliance with the Nigeria Data Protection Act (NDPA) 2023 and other applicable regulatory frameworks.
For further details on how we handle your personal data, please refer to the full Privacy Policy.
Your Trust is Our Priority
At Sudo Africa, we recognize that when you use our services, you entrust us with your personal information. We take this responsibility seriously and are committed to:
- Safeguarding your data using industry-standard security measures.
- Ensuring transparency in how we collect, use, and store your information.
- Empowering you with control over your personal data.
This Privacy Policy explains:
- What data we collect
- Why we collect it
- How you can manage, access, and delete your information
Our commitment to data privacy and security aligns with the Nigeria Data Protection Act (NDPA) 2023 and other regulatory guidelines issued by the Central Bank of Nigeria (CBN).
For further details, please review the full Privacy Policy.
WHERE-OF
- Legal Compliance
This Privacy Policy is established in full compliance with:
- Section 37 of the Constitution of the Federal Republic of Nigeria (CFRN) 1999 (as amended), which guarantees the right to privacy.
- The Nigeria Data Protection Act (NDPA) 2023, which governs data privacy, protection, and processing.
- All other applicable national and international data privacy legislation, including regulations issued by the Central Bank of Nigeria (CBN).
- Scope of Application
This Policy outlines our commitment to data privacy principles when processing the personal data of:
- Customers/Clients
- Staff (Employees and Contractors)
- Vendors (Suppliers and Service Providers)
- Visitors (Both physical and online visitors to the platforms)
- Any third party interacting with the Platform.
- Protection of Data Subjects’ Rights
For individuals, this Policy emphasizes their data privacy rights under the NDPA 2023. It applies to all data subjects whose personal data is collected, processed, or stored.
- Data Protection Officer and Employee Responsibilities
The designated Data Protection Officer (DPO) of Sudo Africa is responsible for:
- Ensuring the accuracy, completeness, and timeliness of this Privacy Policy.
- Overseeing the proper notification of data subjects before data collection and processing, including data collected via Sudo Africa's website, mobile applications, and e-channels.
- Monitoring compliance with data privacy laws, internal policies, and regulatory standards.
Employee Responsibilities
- All employees handling personal data must strictly adhere to the provisions outlined in this Privacy Policy.
- Employees are expected to exercise due diligence in ensuring data confidentiality, integrity, and availability.
- Any unauthorized access, disclosure, or processing of personal data will be treated as a serious policy violation and may result in disciplinary actions.
ARTICLE 1: OUR COMMITMENT TO DATA PROCESSING PRINCIPLES
At Sudo Africa, we are committed to processing your personal data lawfully, fairly, and securely, in accordance with Section 24 of the Nigeria Data Protection Act (NDPA) 2023.
We adhere to the following core principles to ensure your data is protected and handled responsibly:
1.1 Fair, Lawful, and Transparent Processing
- We will always obtain your consent or rely on another lawful basis before processing your personal data.
- We will be transparent about how your data is collected, processed, shared, and stored.
- You will be informed of your data rights and how you can exercise them.
1.2 Purpose Limitation
- Your data will only be collected and processed for specified, explicit, and legitimate purposes.
- We will not use your data for any purpose other than what has been communicated to you, unless we obtain your consent or are required to do so by law or regulation.
1.3 Data Minimization
- We will only collect the minimum amount of data necessary to achieve the intended purpose.
- Your data will not be excessively collected or retained beyond what is reasonably required.
1.4 Accuracy and Data Integrity
- We will take reasonable steps to ensure that your personal data is accurate and up to date.
- You have the right to rectify any incorrect or outdated information we hold about you.
1.5 Data Security and Confidentiality
We implement robust security measures to protect your personal data against:
- Unauthorized access
- Unlawful processing
- Accidental loss or destruction
- Cyber threats and data breaches
Security measures include encryption, firewalls, secure data storage, and access controls to safeguard your data.
Our commitment to these data protection principles reflects our dedication to building trust, ensuring compliance, and protecting your privacy.
For further details on how we process and protect your personal data, please refer to our Privacy Policy or contact our Data Protection Officer (DPO) at dpo@sudo.africa
BEYOND COMPLIANCE: ACCOUNTABILITY AND THE DATA PROTECTION TRIAD
At Sudo Africa, we go beyond mere compliance with the Nigeria Data Protection Act (NDPA) 2023.
Our commitment extends to demonstrating accountability in all our data processing activities while upholding the Data Protection Triad:
- Accountability in Data Processing
Responsibility: We take full ownership of how we collect, process, store, and share your personal data.
Transparency: We provide clear, honest, and accessible information about how your data is used.
Ongoing Compliance: We regularly review and update our data protection policies, security protocols, and employee training programs to align with evolving best practices and regulations.
- The Data Protection Triad: Confidentiality, Integrity, and Availability
Confidentiality:
- Your personal data is strictly protected against unauthorized access or disclosure.
- We use secure encryption, access controls, and authentication mechanisms to safeguard your data.
Integrity:
- We ensure your data remains accurate, reliable, and unaltered throughout its lifecycle.
- All updates or modifications are tracked and verified to maintain data consistency.
Availability:
- Your personal data remains accessible when needed, without compromising security.
- We implement disaster recovery plans, backup solutions, and uptime guarantees to ensure data availability.
Our beyond-compliance approach ensures that Sudo Africa Limited does not just meet regulatory requirements but also exceeds industry standards in protecting your privacy, security, and trust.
ARTICLE 2: CONSENT OF DATA SUBJECT
At Sudo Africa, we respect your right to control your personal data. In compliance with the Nigeria Data Protection Act (NDPA) 2023, your consent serves as the primary legal basis for processing your personal data, except where processing is required by law, regulatory obligation, or contractual necessity.
2.1 Your Right to Consent
- Grant Consent: You have the right to freely give consent before we process your personal data.
- Withhold Consent: If you do not agree to certain types of processing, you have the right to withhold consent.
- Withdraw Consent: You may withdraw your consent at any time, without affecting the lawfulness of processing conducted before withdrawal.
We will always seek your clear, informed, and voluntary consent before processing your data, except in cases where another lawful basis applies.
2.2 Legal Basis for Consent
Our approach to consent aligns with Sections 26, 34, 36, and 38 of the NDPA 2023, which provide that:
- Consent must be freely given, specific, informed, and unambiguous.
- Data subjects must be able to withdraw consent as easily as it was given.
- Where processing is based on contractual, legal, or regulatory obligations, consent may not be required.
- Additional consent is required for the processing of sensitive personal data.
For a detailed explanation of your rights regarding consent, please refer to Sections 26, 34, 36, and 38 of the NDPA 2023.
If you have any questions or wish to exercise your consent rights, please contact our Data Protection Officer (DPO) at dpo@sudo.africa
ARTICLE 3: OUR SCOPE OF DATA PROCESSING
3.1 Overview
At Sudo Africa, we collect and process your personal data in compliance with the Nigeria Data Protection Act (NDPA) 2023. The table below provides an overview of the categories of personal data we collect, the purpose of collection, and the lawful basis for processing.
⚠️ Note:
This is not an exhaustive list, and we always ensure that our data processing activities comply with the NDPA while respecting your rights as a data subject.
CATEGORIES OF PERSONAL DATA, PURPOSE, AND LAWFUL BASIS FOR PROCESSING
S/N | PURPOSE OF COLLECTION | TYPE OF DATA | LAWFUL BASIS |
---|---|---|---|
1 | Identification | Full name, title, marital status, phone number, email address, contact address, gender, date of birth, identification documents (e.g., driver’s license, international passport, national identity card, voter’s card), signature, postal address, educational record, billing address, personal information of next of kin and guarantor(s). | Legal Obligation (Compliance with regulations, KYC requirements). In some cases, processing may be based on Public Interest or Consent as prescribed by the NDPA. |
2 | Notifications & Contact | Name, phone number, email address, and contact address. | Consent (for marketing communications). Legal Obligation (for service-related communications). |
3 | Financial Data | Bank account details, Bank Verification Number (BVN), biometrics, and payment card details. | Consent (for processing transactions). May also involve Legitimate Interest or Legal Obligation (for fraud detection and security analytics). |
4 | Security (Safety & Protection of Lives and Property) | Name, phone number, email address, contact address, sex, date of birth, video recordings/still images from CCTV cameras, and passport. | Legal Obligation (for security and fraud prevention). May also involve Legitimate Interest or Public Interest (for security analytics and surveillance). |
5 | Employment | Name, phone number, email address, contact address, sex, date of birth, passport, medical records, educational record, details of referees/guarantors. | Contract (primary lawful basis for employment records). Some instances may involve Consent, Vital Interest, or Legal Obligation. |
6 | Contract | Name, phone number, email address, contact address, and sex. | Contract (for service agreements). May also involve Legitimate Interest or Public Interest, particularly for due diligence purposes. |
7 | Transaction Data | Details of payments to and from you, transaction history, and other details of products and services you have subscribed to. | Legal Obligation (for financial reporting, regulatory compliance). May also involve Legitimate Interest or Public Interest (for security and fraud analytics). |
8 | Technical Use | Internet Protocol (IP) address, login data, browser type and version, time zone settings, location, browser plug-in types and versions, operating system and platform, and other technology used to access our website. | Legitimate Interest (to improve system security and user experience). |
9 | Profile Data | Username, password, interests, preferences, feedback, survey responses. | Consent (for personalization). Legitimate Interest (for customer service improvements). |
10 | Usage Data | Information about how you use our website, mobile, and other digital services. | Legitimate Interest (to improve services and enhance user experience). |
11 | Marketing & Communications Data | Your marketing preferences, communication preferences, and interactions with marketing campaigns. | Consent (for promotional communications). Legitimate Interest (for customer engagement and feedback). |
3.2 Compliance with NDPA 2023
All personal data collected by Sudo Africa is processed lawfully, fairly, and securely, in compliance with the NDPA 2023 and applicable regulations.
For further inquiries on how we process personal data, please contact our Data Protection Officer (DPO) at dpo@sudo.africa
3.3 Payment Data
If you subscribe to our ATM card products, Sudo Africa Limited will issue you an ATM card with a set of unique security numbers, including:
- Personal Access Number (PAN)
- Personal Identification Number (PIN)
- Card Verification Number (CVV)
It is your responsibility to ensure that your ATM card and these security numbers remain confidential and are not accessed by any unauthorized person.
3.3.1 Default PIN and Security Requirements
For certain payment cards, a default PIN may be provided by us at the time of issuance. If a default PIN is assigned to your card:
- You are required to change the default PIN to a new, secure PIN upon activation.
- Your new PIN must be kept confidential and should not be shared with anyone.
- If you suspect that your PIN or card details have been compromised, you should immediately contact the Bank.
3.3.2 Authentication and Transactions
Whenever you conduct transactions, enrollments, or use online/card services, your:
- PAN, PIN, or CVV may be required for authentication.
- Additional security verification methods (e.g., One-Time Password (OTP), biometric authentication, or two-factor authentication) may be applied.
We strongly advise that you:
- Never share your PIN or card details via email, phone, or unverified channels.
- Regularly update your security details to prevent fraud and unauthorized access.
- Monitor your account transactions and immediately report any suspicious activity.
For further inquiries on payment security and fraud prevention, please contact our Data Protection Officer (DPO) at dpo@sudo.africa
ARTICLE 4: HOW Sudo Africa COLLECTS YOUR INFORMATION
At Sudo Africa, we collect personal data through various channels to provide you with secure and efficient services.
We ensure that all data collection activities comply with the Nigeria Data Protection Act (NDPA) 2023 and other applicable regulations.
4.1 Direct Collection from You
We collect personal data directly from you when you interact with us in the following ways:
- Account Creation and Service Usage
When you register for an account, log in, or use our services through our website, mobile app, or physical branches, we collect the information you provide, including:
- Data provided in application forms for account opening, loan applications, or financial services.
- Policy transfers, financial agreements, and uploaded documents for verification and compliance.
- Information shared through email, phone calls, physical correspondence, or online chats with our customer support team.
- Inquiries and Other Communications
We collect personal data when you:
- Make inquiries regarding our products, loan facilities, or account transactions.
- Request assistance via email, phone, in-person visits, or our online customer service platforms.
- Interact with our financial advisors, loan officers, or branch representatives for consultations.
This data helps us enhance our service delivery, respond to inquiries, and ensure regulatory compliance.
For further details on how we collect and process your data, please contact our Data Protection Officer (DPO) at dpo@sudo.africa
4.2 Website Browsing
Sudo Africa automatically collects certain information when you browse our website or use our digital services. This information helps us enhance security, improve user experience, and analyze website performance.
- Cookies and Similar Technologies
- We use cookies, server logs, and tracking technologies to collect information about your browsing patterns and device data.
- These may include IP address, browser type, device model, and usage behavior.
- You can manage or disable cookie preferences at any time via your browser settings or our website's cookie preferences panel.
4.3 Data Collection from Third Parties and Public Sources
In certain cases, we may collect personal data from trusted third-party sources to enhance security, prevent fraud, and comply with financial regulations.
- Technical Data
- We may receive technical data about your device and browsing activity from:
- Analytics providers (e.g., Google Analytics)
- Advertising networks
- Search information providers
- Contact, Financial, and Transaction Data
We may obtain contact details, financial history, and transaction data from:
- Technical service providers
- Payment processors (e.g., card issuers, mobile money operators)
- Credit bureaus (for creditworthiness assessments)
- Anti-fraud services (to detect fraudulent activities)
- Financial Crime Prevention
- We engage third-party services to verify customer data and prevent financial crimes.
- This includes checking against:
- Fraud databases
- Sanction lists
- Politically Exposed Persons (PEPs) registers
- Anti-money laundering (AML) compliance checks
4.4 Recordings and Images
To ensure security, regulatory compliance, and quality assurance, we may collect audio and visual data through the following:
- Phone Calls
We may record or monitor your phone calls with us for:
- Regulatory compliance
- Training and quality assurance
- Customer service improvement
- Fraud prevention and dispute resolution
- CCTV Surveillance
- CCTV cameras are installed at Sudo Africa’s premises for:
- Staff and customer safety
- Fraud prevention
- Security monitoring
- CCTV recordings are stored securely and accessed only by authorized personnel.
ARTICLE 5: DATA SUBJECT RIGHTS
At Sudo Africa, we are committed to upholding your data privacy rights in compliance with the Nigeria Data Protection Act (NDPA) 2023. In addition to your right to grant, withhold, or withdraw consent, you have the following data subject rights under Sections 34 and 35 of the NDPA:
5.1 Right to Access
- You have the right to request a copy of the personal data we hold about you.
- You can request this data in a structured, machine-readable format.
5.2 Right to Rectification
- If any personal data we hold about you is inaccurate or incomplete, you can request that we correct or update it.
- We will respond to rectification requests promptly and transparently.
5.3 Right to Object
- You have the right to object to how we use your personal data in certain situations.
- You may also request that we limit the way we process your information, especially where processing is based on legitimate interest or direct marketing.
5.4 Right to Data Portability
- You can request a copy of your personal data in a portable format that allows you to easily transfer it to another service provider.
5.5 Right to Erasure ("Right to Be Forgotten")
- You have the right to request that your personal data be deleted from our systems, subject to legal and regulatory obligations.
5.6 Right to Restrict Processing
You may request that we limit how your data is processed under certain circumstances, such as when:
- You contest the accuracy of the data.
- You object to processing based on legitimate interest.
- Processing is unlawful, but you prefer restriction instead of deletion.
5.7 Right to Object to Automated Decision-Making
If decisions about you are made solely through automated processing, you have the right to:
- Object to such processing.
- Request human intervention in decision-making processes.
5.8 Right to Withdraw Consent
You have the right to withdraw your consent to the processing of your personal data at any time.
👉 To opt out of interest-based advertising, visit: 🔗 www.sudo.africa
👉 To unsubscribe from our marketing communications, you can:
- Click on the "unsubscribe" link in our marketing emails.
- Contact us directly using the details in Article 22.
5.9 Right to Complain to the Supervisory Authority
If you believe your data privacy rights have been violated or that Sudo Africa has failed to comply with the Nigeria Data Protection Act (NDPA) 2023, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).
How to File a Complaint:
You can contact the NDPC through the following channels:
- 📧 Email: info@ndpc.gov.ng
- 📞 Phone: +2349160615551
- 🌐 Website: www.ndpc.gov.ng
- 🏢 Office Address: No.12 Clement Isong Street, Asokoro, Federal Capital Territory Abuja.
We encourage you to contact the NDPC if you have any questions or concerns about your data privacy rights.
5.10 Exercising Your Rights
To exercise any of these rights, please contact our Data Protection Officer (DPO) at: Email: dpo@sudo.africa
For detailed information on your data rights and the complaint process, please refer to Part VI of the NDPA 2023.
ARTICLE 6: DATA RETENTION AND SECURITY
6.1 Commitment to Data Protection
At Sudo Africa, we are committed to safeguarding your personal data in full compliance with the Nigeria Data Protection Act (NDPA) 2023.
To protect your data, we implement appropriate technical and organizational measures to ensure:
- Security: Safeguarding data from unauthorized access and breaches.
- Integrity: Maintaining the accuracy and completeness of data.
- Confidentiality: Ensuring data is only accessible to authorized personnel.
- Availability: Ensuring data is accessible when needed for lawful purposes.
- Resilience: Ensuring systems and processes can recover quickly from disruptions.
6.2 Data Retention Periods
The retention period for your personal data is based on the purpose for which it was collected. We adhere to the following principles when managing data retention:
- Necessity
We only collect and retain data that is reasonably required by law or best practices to:
- Serve you effectively.
- Respond to inquiries.
- Comply with regulatory obligations.
- Legitimacy
We process and retain data only for lawful and justified purposes, ensuring compliance with legal, contractual, or regulatory requirements.
Our commitment to data protection aligns with your right to privacy, as guaranteed by:
- Section 37 of the 1999 Constitution of the Federal Republic of Nigeria.
- International human rights laws and standards.
6.3 Retention Period Guidelines
The table below provides general guidelines for how long we retain different types of personal data.
Please note that specific retention periods may vary depending on the nature of the data and applicable laws.
S/N | Type of Data | Retention Timeline | Justification |
---|---|---|---|
1 | Customer Records | Subject to Article 3 and Article 16; retained only as long as necessary to fulfil its purpose and legal obligations. Typically retained for the duration of service usage and up to 10 years post-service, unless longer retention is required by law. | To fulfil contractual obligations and provide ongoing services. The data may be retained longer for legal or regulatory compliance. |
2 | Notifications and Communications | Retained for a maximum of 5 years post-interaction, unless otherwise required by law. | To track service history, resolve disputes, and comply with recordkeeping requirements. |
3 | Employment Records | Retained for the duration of employment plus up to 6 years post-employment. | Compliance with labour laws, tax laws, and resolving employment-related disputes. |
4 | Contract Records | Retained for a minimum of 10 years following contract completion. | To meet legal obligations, audit requirements, and dispute resolution needs. |
5 | Transaction, Usage, and Profile Data | Subject to Article 3 and Article 16; retained only as long as necessary to fulfil its purpose. Typically retained for the duration of service usage and up to 10 years post-service, unless longer retention is required by law. | To fulfil contractual obligations, support legitimate or public interest, ensure national security, and comply with legal or regulatory requirements. |
6 | Technical Data | Retained for a period of 1–3 years, unless linked to security investigations or fraud prevention. | Required for system optimization, fraud prevention, and technical analysis. |
7 | Security Data | CCTV recordings and security logs retained for 30–90 days, unless required for investigations or legal proceedings. | To ensure safety, security, and fraud prevention. |
6.4 Secure Data Disposal
When your personal data is no longer needed or exceeds the retention period, we ensure its secure disposal by:
- Deleting data from our systems using secure, irreversible methods.
- Shredding or incinerating physical records.
- Anonymizing data where it is no longer linked to an identifiable individual.
For any inquiries regarding data retention or security, please contact our Data Protection Officer (DPO) at dpo@sudo.africa
ARTICLE 7: MANDATORY DATA COLLECTION
Certain types of personal data are essential for Sudo Africa to:
- Fulfil contractual obligations.
- Comply with legal and regulatory requirements.
Without this information, we may be unable to provide the services or products you expect.
7.1 Purpose of Mandatory Data Collection
We collect and process mandatory data to:
- Verify your identity for account creation and ongoing transactions.
- Comply with Know Your Customer (KYC), Anti-Money Laundering (AML), and other legal obligations.
- Ensure security and prevent fraud.
- Fulfil contractual obligations, such as loan agreements or financial product subscriptions.
7.2 Examples of Mandatory Data
Examples of mandatory data include, but are not limited to:
- Identification Information (e.g., full name, date of birth, national ID, BVN).
- Contact Information (e.g., phone number, email address).
- Financial Data (e.g., bank account details, transaction history).
- Security Data (e.g., biometric data for verification).
7.3 Your Rights and Further Assistance
If you have any questions or require clarifications regarding our mandatory data collection practices, please contact our designated Data Protection Officer (DPO) as detailed in Article 12 below:
Email: dpo@sudo.africa
We remain committed to protecting your data privacy rights while fulfilling our legal and contractual obligations.
ARTICLE 8: TRANSFER OF DATA TO A THIRD PARTY
In today’s interconnected world, the provision of services often requires interaction with multiple counterparts to facilitate transactions and meet regulatory requirements.
For instance, in a card transaction, personal data may be shared with:
- Personalization companies
- Switching companies
- Processors
- Acquirers
- Merchants
- Card schemes
Such data transfers are essential to ensure the successful completion of transactions. However, Sudo Africa is committed to safeguarding your personal data and ensuring that it is shared only for:
- The provision of services.
- Legal, regulatory, and contractual compliance.
- Other tangential or incidental uses directly linked to service delivery.
Where data sharing becomes necessary, we take adequate security measures to ensure your data is protected and accessed only by authorized recipients.
8.1 Third-Party Services Offered Through Our Platform
Sudo Africa partners with third-party service providers to offer value-added services through our platform. These providers process personal data based on their own lawful bases and in connection with the services they provide.
Types of Data Processed by Third Parties
The personal data shared with these providers may include:
- Contact information (e.g., name, phone number, email address).
- Transaction details (e.g., payment or usage data).
We ensure that such partnerships comply with the Nigeria Data Protection Act (NDPA) 2023 and other applicable regulations.
8.2 Your Right to Control Your Data
You have the right to control how your data is shared and processed by third parties:
- For services that rely on your consent, you can:
- Decline participation in such services.
- Restrict the processing of your personal data.
- You can unsubscribe from promotional communications related to these optional services at any time by:
- Clicking the unsubscribe link in the communication.
- Contacting us directly using the details provided in Article 12.
ARTICLE 9: TECHNICAL INFORMATION AND COOKIES
9.1 Website Data Collection and Cookies
Our website collects technical information and browsing data from visitors to help us:
- Understand user behavior.
- Enhance website functionality.
- Improve your overall experience.
The data we collect may include:
- IP address.
- Browser type and version.
- Operating system.
- Time zone settings.
- Pages visited and time spent on our website.
This information is gathered using cookies, server logs, and other tracking technologies that are common to most websites.
9.2 Cookies and Your Preferences
Cookies are small text files downloaded to your device (e.g., computer, smartphone) when you visit our website. They store limited data and are used to:
- Remember your preferences, such as login details or language selection.
- Pre-populate choices for future sessions, ensuring a seamless browsing experience.
- Track your usage patterns to optimize website performance.
While cookies are generally helpful, not all websites use cookies responsibly. To give you more control:
- You can manage your cookie preferences through your browser settings or the cookie preferences panel on our website.
- You can delete or block cookies at any time, though this may limit certain website features.
9.3 Our Commitment to Privacy
At Sudo Africa, we are committed to:
- Respecting your privacy rights as outlined in the Nigeria Data Protection Act (NDPA) 2023.
- Ensuring that all automatic interactions on our website are designed to protect your privacy and data security.
Key Measures We Employ:
- Robust security protocols to prevent cookie misuse or unauthorized access.
- Clear and transparent disclosures about how cookies are used on our website.
- Providing tools to help you manage your cookie preferences.
We ensure that our use of cookies aligns with best practices and does not compromise your data privacy.
For further details on how we use cookies and collect technical data, please contact our Data Protection Officer (DPO) at dpo@sudo.africa
ARTICLE 10: PERSONAL DATA SECURITY AND INTEGRITY
10.1 Data Security and Regulatory Compliance
At Sudo Africa, we are committed to safeguarding your personal data using state-of-the-art security technologies and robust protocols.
Our Security Commitments Include:
- Employing a multi-layered security approach to prevent:
- Cyberattacks
- Unauthorized access
- Data loss or corruption
- Regularly updating and reviewing our security infrastructure to adapt to evolving threats.
10.2 Meeting Legal Requirements
We actively fulfil our legal obligations under the Nigeria Data Protection Act (NDPA) 2023 by:
- Ensuring full compliance with the NDPA.
- Conducting Data Privacy Assessments to identify and mitigate risks.
- Providing employee training on data protection practices and ensuring all staff understand their responsibilities.
- Obtaining strict data security warranties from third-party vendors where applicable.
10.3 Measures to Maintain Data Integrity and Confidentiality
We establish adequate controls to ensure the integrity and confidentiality of personal data, both in digital and physical formats.
Key Measures Include:
- Protection Controls
- Personal data is safeguarded against accidental or deliberate compromise.
- Unauthorized viewing, access, or changes to personal data are strictly prohibited to maintain data reliability and accuracy.
- Employee Data Access
- Only authorized employees can access personal data, and only for tasks directly related to their legitimate duties.
- Employees are strictly forbidden to:
- Use personal data for private or commercial purposes.
- Disclose data to unauthorized persons.
- Make personal data available in any other unauthorized way.
- Employment Privacy Obligations
- The Human Resources Department informs employees at the start of their employment about their obligations to maintain data privacy.
- These obligations remain in force even after the employee’s relationship with the Bank has ended.
10.4 Data Breach Notification
In compliance with the NDPA, Sudo Africa is required to report any data breach that poses a high risk to the rights and freedoms of data subjects to the Nigeria Data Protection Commission (NDPC) within 72 hours of discovery.
This ensures:
- Immediate action to mitigate risks.
- Rectification to prevent further damage.
For detailed information, please refer to Sections 28, 39, and 40 of the NDPA 2023.
For additional information on our data security measures or breach notification process, please contact our Data Protection Officer (DPO) at dpo@sudo.africa
ARTICLE 11: JOB APPLICANTS
11.1 Application Information
When applying for a position at Sudo Africa, applicants will be required to submit specific personal data, including:
- Name and contact details.
- Educational background and work history.
- Other relevant information supporting the application.
- Personal details of referees, next of kin, and guarantors.
Providing this information is essential for processing your application and evaluating your suitability for the role.
11.2 Data Usage for Recruitment
The information provided during the application process is used for:
- Recruitment Process:
- Assessing your skills and experience against job requirements.
- Tracking feedback and interactions throughout the recruitment process.
- Recruitment Analysis:
We may also use your data to analyze and improve our recruitment practices, including:
- Identifying effective recruitment sources.
- Improving integration and training programs for new hires.
- Enhancing the interview model for better hiring decisions.
11.3 Optional Communications and Data Sharing
With your consent, Sudo Africa may:
- Use your data to communicate about company events or send you relevant publications.
- Share your information with:
- Affiliated companies.
- Third-party service providers (e.g., recruitment agencies, background check providers, IT system providers).
Data shared with third parties may be processed in or outside your country of residence, in compliance with the Nigeria Data Protection Act (NDPA) 2023.
11.4 Data Retention
We retain your application data for a maximum period of six (6) months, after which it will be securely deleted or anonymized unless:
- Retention is required by law or regulation.
- You are hired, in which case your data becomes part of your employee record.
11.5 Data Subject Rights and Contact
To exercise your data subject rights, including the right to:
- Access your personal data.
- Rectify inaccuracies in your information.
- Request deletion of your data.
Please contact our Data Protection Officer (DPO) at: dpo@sudo.africa
Sudo Africa is committed to ensuring the privacy and security of all applicants' data throughout the recruitment process.
ARTICLE 12: MAINTAINING ACCURATE INFORMATION
At Sudo Africa, we are committed to maintaining accurate and up-to-date personal data for all our users. Ensuring data accuracy helps us provide reliable services and comply with the Nigeria Data Protection Act (NDPA) 2023.
12.1 Your Responsibility to Update Information
If your personal information changes during your relationship with Sudo Africa (e.g., changes in address, phone number, or employment status), we request that you:
- Notify us promptly to ensure your records are updated.
- Provide accurate and complete information when submitting updates.
12.2 How to Update Your Information
You can easily update your personal information by:
- Contacting our Data Protection Officer (DPO) at: dpo@sudo.africa
12.3 Your Right to Rectification
Under the NDPA 2023, you have the right to rectification, which ensures that:
- You can request the correction of inaccurate or incomplete personal data.
- Sudo Africa will respond to rectification requests in a timely and transparent manner.
ARTICLE 13: CHILDREN'S PRIVACY
Sudo Africa is committed to protecting the privacy of children. While our services are generally not intended for children under 13, we recognize that some specialized services may involve children, and in such cases, we implement extra precautions to safeguard their privacy and data security.
13.1 Specialized Services for Children
In rare instances, we may provide specialized services for children, such as the Kids Savings Account. When doing so, we ensure:
- Strong Data Protection Measures
We implement robust security measures to ensure the confidentiality and security of any child's personal information collected.
- Limited Data Collection
We collect only the minimum data necessary to provide the specialized service.
- Parental Consent Required
We require verifiable parental or guardian consent before collecting, processing, or using a child’s personal data.
13.2 Kids Savings Account
- The Kids Savings Account is opened and managed by the child’s parent or guardian until the child reaches the age of eighteen (18).
- All personal data related to this account is provided by the parent or guardian.
- Parents or guardians are encouraged to read this Privacy Policy thoroughly to understand how the provided data is processed and handled.
13.3 Target Account for Students
- Students in tertiary institutions with valid identification, admission letters, and passport photographs can open a Student Target Account.
- Personal data collected for such accounts is processed as adult data, provided the individual is above the age of 13 years.
13.4 General Relationships with Minors
- Other than the Kids Savings Account and Student Target Account, the Bank does not establish relationships with minors (persons under the age of 18).
- We do not knowingly collect personally identifiable information from anyone under 18, except under the conditions stated above or where the age of the individual cannot be determined.
13.5 Parental Responsibility
- Parents or guardians who are aware that their child has provided personal data to us without consent are advised to contact us immediately.
- If we become aware that we have collected personal data from children without parental consent, we will take steps to delete such data from our systems.
13.6 Compliance with the NDPA 2023
For detailed information on parental consent requirements under the Nigeria Data Protection Act (NDPA) 2023, please refer to Section 31.
If you have any questions or need clarification, please contact our Data Protection Officer (DPO) at: dpo@sudo.africa
ARTICLE 14: CAVEAT ON WEBSITE LINKS
Our website may contain links to third-party websites for your convenience. These external links may direct you to:
- Partner services
- Financial resources
- Regulatory bodies
- Other relevant platforms
However, Sudo Africa does not endorse, control, or take responsibility for the content, products, or services offered on these external websites.
14.1 Limitation of Responsibility
- When you click on a third-party link through Sudo Africa’s website.
- These external sites operate under their own privacy policies and data protection practices.
- We do not accept liability for:
- The way third parties collect, process, store, or use your personal data.
- Any loss or damage that may arise from using third-party websites.
14.2 Your Responsibility as a User
Before providing personal data to any third-party website, we strongly recommend that you:
- Review their privacy policy and understand how they handle your data.
- Verify their security measures to ensure your information is protected.
- Be cautious about unsolicited requests for personal or financial details.
14.3 Privacy Policy Scope
Our Privacy Policy applies solely to the Sudo Africa website and services.
We are committed to ensuring:
- Your data privacy and security within our digital platforms.
- Compliance with the Nigeria Data Protection Act (NDPA) 2023.
If you have concerns about data security or third-party links on our platform, please contact our Data Protection Officer (DPO) at: dpo@sudo.africa
ARTICLE 15: TRANSFER TO THIRD PARTIES AND COUNTRIES (CROSS-BORDER TRANSFERS)
To effectively fulfil our mandate, Sudo Africa may engage third-party service providers located within or outside Nigeria. These third parties assist in various operations, including technology services, regulatory compliance, and data security.
Where personal data is transferred to a third party outside Nigeria, we take appropriate measures to ensure that your data remains protected in compliance with the Nigeria Data Protection Act (NDPA) 2023.
15.1 Conditions for Third-Party Transfers
Before transferring personal data to a third party, whether local or international, we ensure:
- A Data Processing Agreement (DPA) is signed, ensuring that the third party adheres to strict data protection obligations.
- Your consent is obtained if the purpose of processing was not originally stated at the point of data collection.
- The third party has adequate data protection measures to safeguard against:
- Unauthorized access
- Use or disclosure
- Loss or destruction
15.2 Conditions for Cross-Border Transfers
For personal data transfers outside Nigeria, the Bank ensures that:
The recipient country has an adequate data protection framework recognized by the Nigeria Data Protection Commission (NDPC).
In cases where no adequacy decision exists, the third party must:
- Sign a contract incorporating data protection clauses approved by the NDPC.
- Comply with Binding Corporate Rules (BCRs) approved by the NDPC to ensure adequate data security.
15.3 Examples of Third-Party Services Requiring Data Transfers
The following services may involve third-party data processing and cross-border transfers:
- Internet connectivity services
- Cloud storage solutions
- Data analytics and processing
- Data security and fraud prevention
- Software development and IT infrastructure management
15.4 Regulatory Compliance
In all third-party data transfers, we strictly comply with Part VIII of the Nigeria Data Protection Act 2023 to:
- Ensure lawful data transfer mechanisms.
- Protect your personal data from misuse.
- Guarantee compliance with international data protection standards.
If you have concerns about how your data is transferred to third parties or international entities, please contact our Data Protection Officer (DPO) at: dpo@sudo.africa
ARTICLE 16: DATA PROTECTION HELP DESK
At Sudo Africa, we are committed to ensuring prompt and effective responses to all data privacy-related requests, suggestions, and complaints.
To facilitate this, we have established a Data Protection Help Desk, managed by our Data Protection Officer (DPO), who is responsible for ensuring compliance with the Nigeria Data Protection Act (NDPA) 2023 and other applicable regulations.
16.1 Contacting the Data Protection Officer (DPO)
You can reach our DPO for inquiries, concerns, or complaints via:
Email: dpo@sudo.africa
16.2 Services Provided by the Data Protection Help Desk
Our DPO is responsible for overseeing and managing various data protection functions, including but not limited to:
- Compliance & Breach Services – Ensuring adherence to data protection regulations and managing data breach incidents.
- Data Protection & Privacy Advisory – Providing guidance on data privacy best practices.
- Data Protection Capacity Building – Conducting staff training and awareness programs on data privacy.
- Data Regulations & Contracts Advisory – Assisting with drafting contracts and agreements related to data privacy obligations.
- Privacy Breach Remediation & Support – Developing strategies to mitigate data breaches and provide support for affected individuals.
- Information Privacy Audits – Conducting internal audits to assess compliance with data privacy laws.
- Data Privacy Breach Impact Assessment – Evaluating the extent and consequences of a data breach.
- Due Diligence Investigations – Performing investigations and risk assessments to ensure proper handling of personal data by third parties.
16.3 Commitment to Your Data Privacy Rights
We assure all our customers and stakeholders that:
- Your data privacy concerns will be addressed promptly.
- Our responses to inquiries and complaints will be timely, transparent, and in line with regulatory requirements.
- We continuously review and improve our data protection policies and procedures to reflect evolving industry standards.
For further inquiries about your data privacy rights, feel free to contact our DPO at the email address provided above.
ARTICLE 17: DATA DELETION
At Sudo Africa, we respect your right to request the deletion of your personal data at any time. We have implemented secure data deletion procedures to ensure the complete and irreversible destruction of data that is no longer necessary for business or legal purposes while maintaining the highest security standards.
17.1 Conditions for Data Deletion
We will take reasonable steps to delete your personal data upon request, subject to:
- Legal and regulatory requirements.
- Business or contractual obligations.
- Ongoing investigations or compliance mandates.
17.2 Data Deletion Process
To ensure secure and verifiable deletion, our data deletion process follows these steps:
- Identification
- We regularly review our data storage systems to identify data that has reached its retention period or is no longer required.
- Scheduling
- Data marked for deletion is placed on a scheduled deletion list.
- The deletion schedule considers:
- Data type
- Legal requirements
- Potential risks associated with deletion delays
- Overwriting
- Data slated for deletion is overwritten with random characters or patterns, ensuring that it becomes unreadable and unrecoverable.
- Verification
- After overwriting, our system verifies that the deletion process was successful and that the original data is no longer accessible.
- Audit Trail
We maintain an audit trail of all data deletion activities, including:
- Type of data deleted
- Date of deletion
- Individual responsible for the deletion
17.3 Data Deletion Requests
You can request the deletion of your personal data at any time by submitting a Data Subject Access Request (DSAR) Form.
We will process data deletion requests within a commercially reasonable time-frame, subject to legal and regulatory requirements.
17.4 Exceptions to Data Deletion
There may be situations where we are unable to delete your personal data immediately.
This may occur if:
- We are legally required to retain your data for a specific period (e.g., financial regulations, anti-money laundering laws).
- The data is necessary to resolve a legal dispute or enforce our terms of service.
- The data has been anonymized and is no longer personally identifiable.
In these cases, we will take steps to limit the processing of your data to the extent necessary.
17.5 Contact for Data Deletion Requests
To request deletion of your personal data, please contact our Data Protection Officer (DPO) at: dpo@sudo.africa
ARTICLE 18: DATA SUBJECT ACCESS REQUEST (DSAR)
Under the Nigeria Data Protection Act (NDPA) 2023, you have the right to access the personal data that Sudo Africa holds about you. This process is known as a Data Subject Access Request (DSAR).
18.1 What is a DSAR?
A DSAR allows you to request access to your personal data, which may include:
- Name and contact information.
- Demographic details.
- Account-related data.
- Any other information that can directly or indirectly identify you.
18.2 How to Submit a DSAR
You can submit a DSAR using either of the following methods:
- Email Submission:
- Send an email to dpo@sudo.africa clearly specifying the information you are requesting.
- DSAR Form Submission:
- Contact our Data Protection Officer (DPO) to request a DSAR form.
- Fill out the form and email it to dpo@sudo.africa
18.3 Verification Process
To protect your privacy and ensure that we are providing information to the correct data subject, we may request additional information to verify your identity.
The verification process may include:
- Providing identification documents, such as:
- Driver’s license
- International passport
- National Identification Number (NIN) slip
- Verifying account-related information linked to your request.
18.4 Response Timeline
We aim to respond to your DSAR within 30 days of confirmation.
Our response will include:
- Confirmation of your request.
- The requested information in a clear, concise, and electronic format.
- Explanation for any denied request, if applicable.
18.5 Reasons for Denying Access
In rare instances, we may be unable to fulfil your request. Common reasons for denial include:
- Your request conflicts with legal or regulatory obligations.
- The information requested contains confidential or privileged data.
- The request is fraudulent or unreasonable.
If we deny your request, we will provide a clear explanation for our decision.
18.6 Fees for DSAR Requests
Submitting a DSAR is generally free of charge.
However, a fee may be applied if your request is:
- Clearly unreasonable.
- Submitted too frequently.
- A repeated request for the same information within a short time-frame.
For further inquiries regarding your data access rights, please contact our DPO at: dpo@sudo.africa
ARTICLE 19: REMEDIATION
Sudo Africa is committed to addressing any concerns regarding your data privacy. We encourage you to report any complaints or inquiries to our Data Protection Officer (DPO). Please refer to Article 22 for contact details.
Our DPO will review and respond to your concerns promptly, aiming to provide a resolution within seven (7) business days. If a matter requires additional time due to its complexity, we will notify you accordingly and take all necessary steps to safeguard your rights and interests throughout the process.
ARTICLE 20: ALTERATION OF PRIVACY POLICY
Sudo Africa (the Data Controller) reserves the right to update this Privacy Policy periodically.
Such updates may be necessary to:
- Align with evolving public interest considerations.
- Ensure compliance with lawful directives from the Federal Government of Nigeria.
All revisions will be carried out in accordance with the safeguards established under the Nigeria Data Protection Act, 2023 (NDPA) and the 1999 Constitution of the Federal Republic of Nigeria.
Where significant changes occur, we will take appropriate steps to inform affected individuals in line with legal and regulatory requirements.
ARTICLE 21: DEFINITIONS AND KEY TERMS
To ensure clarity throughout this Privacy Policy, the following key terms are defined:
- Cookie – A small piece of data stored by your web browser when you visit a website. It helps websites remember your preferences, login information, and browsing activity.
- Consent – The consent of the Data Subject refers to any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes. This is expressed through a statement or clear affirmative action signifying agreement to the processing of their Personal Data.
- Sudo Africa ("we", "our", or "the Bank") – Refers to Sudo Africa, located at M&G plaza, Adetokunbo Ademola Cres, Wuse, Abuja 904101, Federal Capital Territory, Nigeria. The Bank serves as the Data Controller and is responsible for processing your data under this Privacy Policy.
- Country – Refers to Nigeria, the jurisdiction where the Bank and its founders/owners operate.
- Customer – An individual, organization, or company that utilizes Sudo Africa's services to manage relationships with their consumers or service users.
- Data Protection Officer (DPO) – The individual appointed in accordance with Data Protection Laws to advise Sudo Africa (including its employees) on their data protection responsibilities and to monitor compliance with applicable regulations.
- Device – Any internet-connected gadget such as a phone, tablet, computer, or other electronic devices used to access Sudo Africa's website and services.
- Internet Protocol (IP) Address – A unique identifier assigned to every device connected to the internet. In some cases, an IP address can provide general geographic location information.
- Closed-Circuit Television (CCTV) – The Bank utilizes CCTV cameras at various locations to ensure security and safety. Video footage and still images may be stored for security purposes.
- Personnel – Employees or individuals contracted by the Bank to perform services on its behalf.
- Data – Refers to characters, symbols, and binary information on which operations are performed by a computer. Data may be stored or transmitted in electronic form across various formats and devices.
- Personal Data – Any information related to an identified or identifiable natural person (Data Subject). A person is identifiable if they can be recognized directly or indirectly by reference to an identifier such as:
- Name
- Identification number
- Location data
- Online identifier
- Physical, physiological, genetic, mental, economic, cultural, or social identity factors
Personal Data may include but is not limited to: names, addresses, photos, email addresses, bank details, social media posts, medical records, and unique identifiers such as MAC address, IP address, IMEI number, IMSI number, SIM details, and other Personally Identifiable Information (PII).
- Service – Refers to the products and services provided by Sudo Africa, including but not limited to:
- Internet
- Mobile
- Branchless
- USSD
- Third-Party Service – External entities such as advertisers, contest sponsors, marketing and promotional partners, and other service providers that may offer content or products/services through Sudo Africa's platform.
- Data Subject ("You") – An individual or entity registered with Sudo Africa to use its services.
ARTICLE 22: CONTACT
For any inquiries, comments, or requests regarding your privacy rights and data protection, please reach out to us using the contact details below:
Data Controller
Sudo Africa
M&G plaza, Adetokunbo Ademola Cres, Wuse, Abuja 904101, Federal Capital Territory, Nigeria.
Email: hello@sudo.africa
Data Protection Officer (DPO)
For specific concerns related to data privacy and protection, you may contact our Data Protection Officer (DPO) at:
Email: dpo@sudo.africa