BWAY Microfinance Bank Limited

Data Protection Policy

Bridging Gaps — Empowering Lives
Version 2.0 — Effective February 2026
Version2.0
Effective DateFebruary 2026
Policy OwnerData Protection Officer
Approved ByBoard of Directors
ComplianceNigeria Data Protection Act, 2023 (NDPA); Central Bank of Nigeria (CBN) Guidelines; GAID 2025 & Relevant Subsidiary Legislation

Section 1Foreword from the Management

At Bway Microfinance Bank Limited, we recognise that the personal data entrusted to us by our customers, employees, and business partners represents one of the most valuable and sensitive assets in our care. In an era of rapidly evolving digital financial services and increasing regulatory scrutiny, the protection of personal data is not merely a legal obligation — it is a fundamental expression of our institutional values and our commitment to earning and sustaining the trust of those we serve.

This Data Protection Policy has been developed in full compliance with the Nigeria Data Protection Act, 2023 (NDPA), the Guidelines on Adequacy of Infrastructure for Data Protection Compliance (GAID) 2025, the Central Bank of Nigeria (CBN) Consumer Protection Regulations, and all other applicable laws and subsidiary legislation. It reflects our commitment to transparency, accountability, and the highest standards of data governance.

Section 3Introduction and Background

Bway Microfinance Bank Limited (hereinafter referred to as “the Bank”) is a licensed microfinance bank operating under the supervision of the Central Bank of Nigeria (CBN). In the ordinary course of its business, the Bank processes the personal data of a wide range of individuals, including loan applicants, deposit customers, guarantors, employees, contractors, vendors, directors, and other stakeholders.

The enactment of the Nigeria Data Protection Act, 2023 (NDPA) marked a watershed moment in Nigeria’s data protection landscape, establishing a comprehensive statutory framework that superseded several provisions of the earlier Nigeria Data Protection Regulation, 2019 (NDPR). The NDPA established the Nigeria Data Protection Commission (NDPC) as the principal regulatory authority for data protection in Nigeria, with broad powers of enforcement, investigation, and sanction.

Microfinance banks, by reason of the sensitive financial, biometric, and personal data they routinely collect and process, are classified as Data Controllers and Processors of Major Importance (DCPMI) under the NDPA and its subsidiary legislation, including the GAID 2025. This classification imposes heightened obligations including mandatory DPO designation, annual Compliance Audit Returns (CAR) filing, mandatory Data Protection Impact Assessments (DPIA), and adherence to strict data retention, security, and transfer protocols.

This policy consolidates the Bank’s obligations under all applicable data protection laws and provides a unified, practical framework for compliance across all departments, operations, branches, and subsidiaries.

Section 4Purpose and Objectives

The purpose of this policy is to:

Section 5Scope and Application

5.1 Organisational Scope

This policy applies to:

5.2 Data Scope

This policy applies to:

5.3 Territorial Scope

This policy applies to all processing activities conducted within Nigeria and to any processing of personal data of persons within Nigeria, regardless of where the data processor or controller is located, in accordance with Section 2 of the NDPA 2023.

Section 6Definitions and Interpretation

For the purpose of this policy, the following definitions shall apply:

Term Definition
Biometric Data Personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allows or confirms the unique identification of that person (e.g. fingerprints, facial images, retina scans).
Compliance Audit Return (CAR) The mandatory annual compliance report that DCPMIs are required to file with the NDPC, documenting their data protection activities, policies, and compliance status for the preceding year.
Consent Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data Controller A person who determines the purpose and means of processing personal data, whether alone or jointly with another person. The Bank acts as a Data Controller in respect of all personal data it collects directly from data subjects.
Data Processor A person who processes personal data on behalf of a Data Controller. The Bank may also act as a Data Processor in certain service arrangements.
Data Protection Impact Assessment (DPIA) A systematic process to assess the impact of processing activities on the privacy of data subjects, required where processing is likely to result in a high risk to the rights and freedoms of natural persons.
Data Protection Officer (DPO) The designated officer responsible for overseeing the Bank’s data protection strategy and implementation, and serving as the primary point of contact with the NDPC.
Data Subject An identifiable natural person whose personal data is being processed. This includes customers, employees, guarantors, directors, and any other individual whose data the Bank holds.
DCPMI Data Controller or Processor of Major Importance — an entity that processes the personal data of more than 1,000 data subjects in a period of 6 months, or that processes sensitive personal data, as classified under the NDPA 2023.
GAID 2025 Guidelines on the Adequacy of Infrastructure for Data Protection Compliance (2025), issued by the NDPC to provide detailed operational guidance for DCPMIs on compliance obligations.
NDPA Nigeria Data Protection Act, 2023 — the principal federal legislation governing data protection in Nigeria.
NDPC Nigeria Data Protection Commission — the statutory body established under the NDPA to regulate data protection in Nigeria.
Personal Data Any information relating to an identified or identifiable natural person, including names, identification numbers, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Processing Any operation or set of operations performed on personal data, whether by automated or non-automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
Pseudonymisation The processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately.
Sensitive Personal Data Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation, and financial data beyond account numbers.

Section 7Legal and Regulatory Framework

The Bank’s data protection obligations are governed by the following legal and regulatory instruments:

Instrument Relevance to the Bank
Nigeria Data Protection Act, 2023 (NDPA) Primary legislation governing all personal data processing activities in Nigeria; establishes NDPC; defines rights, obligations, and penalties.
Nigeria Data Protection Regulation, 2019 (NDPR) Supplementary regulation; provisions still applicable where not superseded by NDPA; governs data audit requirements.
GAID 2025 Operational guidelines for DCPMIs; prescribes infrastructure, DPO qualifications, CAR filing, DPIA, and penalty framework.
CBN Consumer Protection Regulations, 2022 Governs financial consumer data; requires transparency in data use, prohibition of misleading data practices.
CBN Guidelines on Electronic Banking Governs data security requirements for digital banking channels.
CBN AML/CFT Framework Requires collection and processing of customer identification data for KYC compliance.
Cybercrimes (Prohibition, Prevention Etc.) Act, 2015 Criminalises unauthorised access to computer systems; applies to data security breaches.
Freedom of Information Act, 2011 Applicable to certain disclosure obligations and exemptions.
Evidence Act, 2011 Governs admissibility of electronic records and data.
Constitution of the Federal Republic of Nigeria, 1999 (as amended) Section 37 guarantees the right to privacy; the foundational basis for data protection rights.

Section 8Data Protection Principles

The Bank is committed to ensuring that all personal data it processes is handled in accordance with the following fundamental data protection principles, as enshrined in Section 24 of the NDPA 2023:

8.1 Lawfulness, Fairness, and Transparency

Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject. The Bank shall always have a lawful basis for processing personal data, shall not process data in a manner that is deceptive or harmful to data subjects, and shall provide clear and accessible information about its processing activities.

8.2 Purpose Limitation

Personal data shall be collected for specified, explicit, and legitimate purposes and shall not be further processed in a manner incompatible with those purposes. Where the Bank seeks to use personal data for a new or different purpose, it shall obtain fresh consent or establish a new lawful basis.

8.3 Data Minimisation

Personal data collected and processed by the Bank shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. The Bank shall not collect more data than is required for a given purpose.

8.4 Accuracy

Personal data shall be accurate and, where necessary, kept up to date. The Bank shall take all reasonable steps to ensure that inaccurate personal data is erased or rectified without delay. Data subjects are encouraged to notify the Bank of any changes to their personal information.

8.5 Storage Limitation

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. The Bank’s retention schedule (Section 15) defines the applicable retention periods for each category of data.

8.6 Integrity and Confidentiality

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

8.7 Accountability

The Bank, as data controller, shall be responsible for and be able to demonstrate compliance with the foregoing principles. The Board of Directors bears ultimate accountability for the Bank’s data protection compliance, with day-to-day responsibility delegated to the Data Protection Officer.

Section 9Categories of Personal Data Processed

The Bank processes the following categories of personal data in the course of its operations:

9.1 Customer Data
9.2 Employee Data
9.3 Third-Party / Vendor Data
9.4 Digital and Technical Data

Section 10Lawful Bases for Processing

The Bank shall process personal data only where one of the following lawful bases under Section 25 of the NDPA 2023 applies:

Lawful Basis Description Typical Use Case
Consent The data subject has given clear, informed, and unambiguous consent to processing. Marketing communications, optional data sharing
Contract Performance Processing is necessary for the performance of a contract to which the data subject is party. Loan disbursement, account opening, KYC
Legal Obligation Processing is necessary for compliance with a legal obligation. AML/CFT KYC, tax reporting, regulatory filings
Vital Interests Processing is necessary to protect vital interests of the data subject or another person. Medical emergency situations
Legitimate Interests Processing is necessary for the legitimate interests of the Bank, provided these are not overridden by the data subject’s rights. Fraud prevention, network security, analytics
Public Interest Processing is necessary for the performance of a task carried out in the public interest. Reporting suspicious transactions to NFIU
Note: The Bank shall document the lawful basis for every processing activity in its Record of Processing Activities (ROPA) maintained by the DPO.

Section 11Sensitive / Special Category Data

11.1 Categories of Sensitive Data

The following categories of data are classified as sensitive personal data under Section 30 of the NDPA 2023 and attract heightened protection:

11.2 Processing Requirements for Sensitive Data

The Bank shall only process sensitive personal data where:

11.3 Additional Safeguards

Where the Bank processes sensitive personal data, it shall apply the following additional safeguards:

Section 12Data Subject Rights

The Bank fully recognises and shall facilitate the exercise of the following rights by data subjects under the NDPA 2023:

12.1 Right of Access

Data subjects have the right to obtain confirmation of whether the Bank is processing their personal data and, if so, to receive a copy of that data along with supplementary information about the processing. The Bank shall respond to access requests within 72 hours of receipt and provide the requested information within 30 days.

12.2 Right to Rectification

Data subjects have the right to request the correction of inaccurate personal data and the completion of incomplete data. The Bank shall action rectification requests without undue delay and within 30 days of receipt.

12.3 Right to Erasure (Right to be Forgotten)

Data subjects may request the deletion of their personal data where: the data is no longer necessary for the purpose collected; consent has been withdrawn; the data has been unlawfully processed; or erasure is required by law. The Bank shall respond within 30 days. Note that erasure may not apply where retention is required by law (e.g. AML/CFT records).

12.4 Right to Restriction of Processing

Data subjects may request restriction of processing in circumstances where the accuracy of data is contested, the processing is unlawful, or the Bank no longer needs the data but the data subject requires it for legal claims.

12.5 Right to Data Portability

Where processing is based on consent or contract, data subjects have the right to receive their personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller.

12.6 Right to Object

Data subjects have the right to object to the processing of their personal data where processing is based on legitimate interests or public interest, and in all cases where data is used for direct marketing purposes.

12.7 Rights in Relation to Automated Decision-Making

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. Where automated decision-making is used (e.g. for credit scoring), the Bank shall offer a mechanism for human review.

12.8 Right to Withdraw Consent

Where processing is based on consent, data subjects may withdraw consent at any time without detriment. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

All data subject requests shall be submitted to the DPO via email at ayomide@bway.ng or in writing to any branch of the Bank. The Bank shall acknowledge all requests within 72 hours and respond fully within 30 days, with an extension of up to 60 days for complex requests.

Section 13Consent Management Framework

13.1 Standards for Valid Consent

Where the Bank relies on consent as the lawful basis for processing, the consent obtained must meet the following standards:

13.2 Consent Records

The Bank shall maintain records of all consents obtained, including the date and time of consent, the information provided to the data subject at the time of consent, and the mechanism used to obtain consent. These records shall be retained for the duration of the processing activity plus five (5) years.

13.3 Consent for Minors

Where the Bank provides services to individuals below the age of 18, consent shall be obtained from the parent or legal guardian of such individual. The Bank shall implement reasonable measures to verify the age of data subjects and the authority of persons providing consent on their behalf.

Section 14Data Collection and Use

14.1 Collection Principles

The Bank shall collect personal data only:

14.2 Privacy Notice

The Bank shall provide a clear, concise, and accessible Privacy Notice to all data subjects at or before the point of data collection. The Privacy Notice shall contain:

14.3 Secondary Uses

Where the Bank intends to use personal data collected for a primary purpose for a secondary or additional purpose, it shall assess the compatibility of the new purpose with the original purpose, considering the link between the purposes, the nature of the data, and the potential consequences for data subjects. Where the new use is incompatible, the Bank shall obtain fresh consent or establish a new lawful basis.

Section 15Data Retention and Disposal

15.1 Retention Principles

The Bank shall retain personal data for no longer than is necessary for the purpose for which it was collected, subject to overriding legal obligations requiring longer retention periods.

15.2 Retention Schedule
Data Category Retention Period Legal Basis for Retention
Customer KYC Records 7 years after account closure CBN AML/CFT Regulations
Loan Application & Credit Files 10 years after full settlement CBN Prudential Guidelines
Account Transaction Records 7 years CBN Guidelines / CAMA 2020
Employee Records 7 years after cessation of employment Employment Act / PENCOM
CCTV Footage 90 days unless required for investigation NDPA 2023 / CBN Security Guidelines
Call Recordings 90 days unless required for dispute resolution CBN Consumer Protection Regs
Marketing Consent Records Duration of relationship + 5 years NDPA 2023
Audit Logs and System Access Logs 5 years CBN IT Standards
Board and Management Records Permanently / as required by CAMA CAMA 2020
Data Breach Records 5 years from date of breach NDPA 2023 / GAID 2025
15.3 Secure Disposal

Upon expiry of the applicable retention period, personal data shall be disposed of securely using the following methods:

Section 16Data Security and Technical Safeguards

16.1 Security Governance

The Bank shall implement and maintain a robust information security management framework proportionate to the risks posed by its data processing activities. The Chief Information Security Officer (CISO) or equivalent officer shall be responsible for the implementation of technical and organisational security measures.

16.2 Technical Measures

The Bank shall implement the following technical security measures at minimum:

16.3 Organisational Measures

Section 17Data Breach Management and Response

17.1 Definition of a Data Breach

A personal data breach is any security incident that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes but is not limited to cyberattacks, internal theft, accidental disclosure, lost devices, and system misconfigurations.

17.2 Breach Response Procedure

The Bank shall follow the following response steps upon identification of a data breach:

17.3 Breach Register

The DPO shall maintain a Breach Register containing details of all data security incidents, whether or not they reach the threshold of a notifiable breach. The Breach Register shall be made available to the NDPC upon request.

All staff who become aware of or suspect a data breach must report it to the DPO immediately and in any event within 2 hours of discovery. Failure to report a known breach may result in disciplinary action.

Section 18Third-Party and Vendor Management

18.1 Data Processing Agreements

The Bank shall not share personal data with any third party that will process such data on its behalf unless a Data Processing Agreement (DPA) compliant with Schedule 2 of the NDPA 2023 has been executed. The DPA shall specify:

18.2 Vendor Due Diligence

Prior to engaging any vendor who will process personal data, the Bank’s Procurement and DPO functions shall conduct data protection due diligence including:

18.3 Sub-Processors

Vendors shall not be permitted to engage sub-processors to handle the Bank’s personal data without the Bank’s prior written consent. The Bank shall maintain a register of all approved sub-processors.

Section 19Cross-Border Data Transfers

The Bank shall not transfer personal data outside Nigeria except where one of the following conditions is met, in accordance with Section 43 of the NDPA 2023:

All cross-border transfers shall be documented by the DPO, and appropriate transfer mechanisms shall be reviewed annually to ensure continued adequacy.

Section 20Privacy by Design and Default

The Bank is committed to embedding data protection into the design and architecture of all new products, services, systems, and processing activities, rather than treating it as an afterthought. In accordance with Section 36 of the NDPA 2023 and the principle of Privacy by Design:

Section 21Data Protection Impact Assessment (DPIA)

21.1 When a DPIA is Required

The Bank shall conduct a DPIA prior to commencing any processing activity that is likely to result in a high risk to the rights and freedoms of data subjects. A DPIA is mandatory in the following circumstances:

21.2 DPIA Process

A DPIA shall: systematically describe the processing activity and its purpose; assess the necessity and proportionality of the processing relative to its purpose; identify and assess the risks to the rights and freedoms of data subjects; identify measures to address those risks and reduce them to an acceptable level; be documented and retained by the DPO; and be reviewed and updated if the nature of the processing changes.

21.3 Consultation with NDPC

Where a DPIA indicates a high residual risk that cannot be mitigated, the Bank shall consult with the NDPC prior to commencing the processing activity, in accordance with Section 38 of the NDPA 2023.

Section 22Roles and Responsibilities

Role Key Data Protection Responsibilities
Board of Directors Ultimate accountability for data protection compliance; approval of this policy; oversight of DPO; review of material breaches and significant compliance failures.
Managing Director / CEO Overall executive responsibility; championing a culture of data protection; escalation point for material breaches; ensuring adequate resources for compliance.
Data Protection Officer (DPO) Day-to-day oversight of compliance; ROPA maintenance; DPIA facilitation; breach reporting; staff training; CAR filing; NDPC liaison; policy development and review.
Head of Compliance Integration of data protection into the broader compliance framework; regulatory reporting; policy enforcement.
Head of Legal Data processing agreement reviews; advice on lawful processing bases; data subject rights disputes; regulatory correspondence.
Human Resources Employee data governance; staff data protection training records; employment contract data protection clauses.
Head of IT / Technology System security implementation; access controls; data backup and recovery; technical safeguards.
All Departmental Heads Ensuring their departments comply with this policy; identifying and reporting privacy risks; cooperating with DPO audits.
All Staff Complying with this policy; completing mandatory training; reporting suspected breaches; maintaining confidentiality of personal data.

Section 23Data Protection Officer (DPO)

23.1 Designation

As a DCPMI, the Bank is required by Section 32 of the NDPA 2023 and the GAID 2025 to designate a Data Protection Officer. The DPO shall be formally designated by the Board and registered with the NDPC. The DPO’s details shall be published on the Bank’s website and communicated to all staff and customers.

23.2 Qualifications

The DPO shall possess: expert knowledge of data protection law and practices, particularly the NDPA 2023, NDPR, and GAID 2025; a recognised data protection certification (e.g. NDPR Compliance Certificate from an NITDA-accredited body, CIPP/A, or equivalent); understanding of the financial services regulatory environment; and the ability to act independently and objectively.

23.3 Independence and Non-Retaliation

The DPO shall perform their functions with independence and shall not receive instructions regarding the exercise of those tasks. The DPO shall report directly to the highest level of management. The Bank shall not penalise or dismiss the DPO for performing their duties.

23.4 DPO Functions

The DPO’s primary functions shall include:

Section 24Training and Awareness

24.1 Mandatory Training

All staff shall complete mandatory data protection training as follows:

24.2 Training Records

The DPO shall maintain records of all training completed by each member of staff. Failure to complete mandatory training shall be reported to the relevant line manager and escalated to HR for disciplinary action where necessary.

24.3 Awareness Campaigns

The DPO shall implement ongoing data protection awareness initiatives including: regular internal communications on data protection topics; Data Protection Day observance on 28 January each year; and periodic reminders of staff obligations following any significant regulatory development.

Section 25Audit, Monitoring and Review

25.1 Internal Audit

The Bank’s Internal Audit function shall include data protection compliance as a standing component of its annual audit plan. The audit shall assess: adherence to this policy and applicable laws; adequacy of technical and organisational security measures; completeness and accuracy of the ROPA; effectiveness of data subject rights handling procedures; adequacy of third-party data processing agreements; and training completion rates and effectiveness.

25.2 External Audit / DPCO Engagement

In accordance with the NDPA 2023 and the GAID 2025, the Bank shall engage a licensed Data Protection Compliance Organisation (DPCO) to conduct an annual data protection audit and prepare the Compliance Audit Return (CAR). The DPCO shall be licensed by the NDPC.

25.3 Policy Review

This policy shall be reviewed at least annually by the DPO in consultation with the Legal, Compliance, and IT teams. Ad hoc reviews shall be conducted following: any significant change in applicable law or regulation; a material data breach; significant organisational change; or identification of gaps through audit findings.

Section 26Complaints and Escalation Procedure

26.1 Internal Complaints

Any data subject who wishes to raise a complaint about the Bank’s data protection practices shall submit their complaint in writing to:

Data Protection Officer — Email: ayomide@bway.ng    Telephone: 08115968477

Section 27Policy Governance and Review

This policy is owned by the Data Protection Officer and approved by the Board of Directors. It shall be reviewed at minimum annually and updated as required to reflect changes in law, regulation, or the Bank’s operations. All updates shall be approved by the Board or, in the case of minor administrative amendments, by the Managing Director, and communicated to all staff.

This policy supersedes all previous data protection policies, guidelines, and procedures of the Bank. In the event of any conflict between this policy and a department-specific procedure, this policy shall prevail.

BWAY Microfinance Bank Limited — Bridging Gaps, Empowering Lives