In this Policy, the following terms shall have the meanings set out below, unless the context requires otherwise:
“Personal Data” Any information relating to an identified or identifiable natural person (a “Data Subject”), such as a name, address, photograph, email address, bank details, or other unique identifier.
“Computer” Information Technology systems and devices, whether networked or not.
“Consent” Any freely given, specific, informed, and unambiguous indication of a Data Subject’s wishes, by which the Data Subject, through a statement or clear affirmative action, signifies agreement to the collection and processing of personal data relating to him or her.
“Data Controller” An organisation that collects data from a Data Subject and determines the purposes for, and the way, personal data is or will be processed. For the purposes of this Policy, the Data Controller is Jodoa Properties Limited.
“Data Processor” A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.
“Data Subject” An identifiable person; one who can be identified directly or indirectly.
“Data Protection Officer” or “DPO” The officer designated by the Company, namely the Head of Compliance, who is responsible for overseeing compliance with the Nigeria Data Protection Act, as amended (see section 4.0 below).
“Personal Data Breach” A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
“Processing” Any operation or set of operations performed on personal data, whether by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment or combination, restriction, erasure, or destruction.
“Act” or “NDPA” The Nigeria Data Protection Act, 2023.
“NDPC” The Nigeria Data Protection Commission.
“Sensitive Personal Data” Data sensitive personal data is defined as information relating to an individual’s genetic or biometric data for unique identification, race, ethnic origin, religious or philosophical beliefs, health status, sex life, political opinions, trade union membership, or any other data prescribed by the Commission.
“DPIA” Data Protection Impact Assessment.
“Child” Any person under the age of 18 years.
Jodoa Properties Limited (“Jodoa” or “the Company”) is a real estate and property investment company that, in the course of its operations, collects and processes personal data relating to clients, prospective clients, investors, co-investors, employees, vendors, contractors, regulators, business partners, website users, and other stakeholders (collectively, “Data Subjects”).
The Company recognises data protection as a fundamental right and a cornerstone of trust, integrity, and sustainable business. Jodoa is committed to ensuring that all personal data is processed lawfully, fairly, and transparently, with due respect for the rights and freedoms of Data Subjects.
In delivering its services, Jodoa processes various categories of personal data, including identification, contact, financial, employment, and health-related information (where required), through physical records, digital platforms, IT systems, and third-party service providers.
The Company operates in strict compliance with the NDPA, under the oversight of the NDPC. In relation to its corporate and investment-related activities, Jodoa also complies with applicable requirements of the Corporate Affairs Commission (“CAC”), the Securities and Exchange Commission (“SEC”), and other relevant laws and regulatory obligations.
Through this Policy, Jodoa affirms its commitment to strong compliance and governance, effective security controls, and a culture of privacy and accountability across all its operations.
This Policy applies to:
This Policy also governs the sharing of Personal Data with Jodoa’s Head Office in Dubai and with any other regional or international office, affiliate, or related entity outside Nigeria. Any such intra-group transfer is permitted only in accordance with section 15.0 (Cross-Border Data Exchange) of this Policy, including reliance on Binding Corporate Rules or other approved safeguards designed to ensure that Nigerian Personal Data is protected to a standard consistent with the NDPA wherever it is processed within the Jodoa Group.
The purpose of this Policy is to establish a clear, structured, and comprehensive framework for the lawful and responsible processing of personal data by Jodoa. Specifically, this Policy seeks to:
To ensure effective implementation of this Policy and full compliance with the NDPA, under the oversight of the NDPC, Jodoa adopts a clearly defined governance structure with distinct roles and responsibilities, as set out below. Where applicable, this governance structure also supports compliance with obligations arising from oversight by the CAC, the SEC, and other relevant authorities.
The Board of Directors retains ultimate oversight and accountability for data protection and privacy governance within the Company. The Board shall:
Executive Management is responsible for operationalising the Board’s directives and ensuring effective implementation of data protection controls across the Company. Executive Management shall:
The Data Protection Officer (“DPO”) serves as the focal point for data protection compliance and advisory within the Company. The role of DPO is held by the Company’s Head of Compliance, who shall operate with independence and shall report to Executive Management and the Board, as appropriate. Responsibilities include:
All employees, contractors, channel partners, and third parties acting on behalf of the Company are responsible for protecting personal data within their custody or control. They shall:
Before any contractor, vendor, channel partner, or other third party is given access to personal data, the Company shall require execution of a Non-Disclosure Agreement (“NDA”) and, where applicable, a written data processing agreement setting out that party’s data protection obligations. The DPO shall monitor and periodically review compliance by such third parties with these obligations, including through audits, attestations, or other appropriate oversight mechanisms.
The Company, as the Data Controller, shall process the personal data of individuals only where at least one of the following applies:
The data processing activities of the Company are built upon key principles that govern the protection and processing of personal data in line with the NDPA. These principles ensure that privacy rights are respected and that personal data is handled responsibly by Jodoa. Below are the fundamental principles of data protection which the Company adopts:
Personal data must be processed lawfully, fairly, and transparently. Data Subjects should be informed about the purposes for which their data is being collected and processed, and processing should be carried out in accordance with applicable laws and regulations.
Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Jodoa shall clearly define the purposes for which data is collected and ensure that it is only used for those purposes.
Jodoa shall only collect personal data that is necessary for the purposes for which it is being processed. Data collection shall be limited to what is relevant and proportionate to achieve those purposes.
Personal data shall be accurate, complete, and kept up to date to ensure its integrity and reliability. Jodoa shall take reasonable steps to ensure that inaccurate or outdated data is rectified or erased.
Personal data shall be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which it is being processed, in line with section 24(1)(d) of the NDPA. Data shall be securely disposed of when it is no longer needed, in accordance with the Company’s Data Retention, Archival, and Destruction procedures and the Retention Schedule referred to in section 14.0 below.
Jodoa shall implement appropriate technical and organisational measures to ensure the security of personal data and protect it against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Jodoa shall be responsible for ensuring compliance with data protection principles and must be able to demonstrate such compliance. This includes implementing policies and procedures to ensure that personal data is processed in accordance with the Act and taking responsibility for the actions of third parties who process data on its behalf.
Data Subjects have rights regarding their personal data, including the right to access, rectify, erase, or restrict the processing of their data. Jodoa shall respect these rights and provide mechanisms for Data Subjects to exercise them.
Personal data shall not be transferred outside Nigeria unless adequate safeguards are in place to protect the data and the rights of Data Subjects. Jodoa shall ensure that any international transfer of data complies with the requirements of the Act.
The rights of Data Subjects in respect of the Company shall include, but are not limited to, the following:
Prior consent of the Data Subject must be obtained before personal data is used, unless there is another legal basis for the processing. Consent requires genuine choice and genuine control.
Consent is obtained when the Data Subject agrees to the processing of his or her personal data by indicating, in writing or through positive action, agreement to the processing. Consent must be specifically and expressly given. Where consent is given in a document that deals with other matters, the Company must ensure that the request for consent is presented separately and distinctly from those other matters.
Before giving consent, the Data Subject shall be informed of his or her rights, including the ability to withdraw consent at any time. Withdrawal of consent must be promptly honoured once the Data Subject expressly indicates withdrawal.
Consent must be renewed or sought afresh if the Company intends to process personal data for a different purpose that was not disclosed when the Data Subject first consented, or if the previous consent has expired. The DPO must always maintain evidence of consent received, to demonstrate compliance with this Policy.
No consent shall be sought, given, or accepted in any circumstance that may engender the direct or indirect propagation of violence, hate, child rights violations, criminal acts, or anti-social conduct.
The DPO, in partnership with the Information Technology Team, shall implement and sustain appropriate safeguards to protect personal data, considering, in particular, the risks to Data Subjects arising from unauthorised or unlawful processing, or accidental loss, destruction of, or damage to, their personal data. These measures include:
Data may be collected through, but is not limited to, the following:
The Company shall use the data it collects for the following purposes:
When working with personal data, employees should ensure that the screens of their computers are always locked when left unattended. Personal data should not be shared informally and should, in particular, never be sent through an employee’s personal email account, but only through the Company’s assigned email system. All data must be encrypted before being transferred electronically. Employees shall not save copies of personal data on their personal computers and should always access and update a central copy of any data.
Jodoa shall retain personal data for no longer than is necessary to fulfil the specific, lawful purpose(s) for which it was collected, in line with section 24(1)(d) of the NDPA. To give effect to this, the Company shall maintain a formal Retention Schedule, approved by the DPO, specifying:
Where personal data must be kept beyond the period for which it is actively used, for example, for legal, regulatory, audit, tax, or dispute-resolution purposes, such data shall be archived and retained only for the specific period required by the applicable law, regulation, contractual obligation, or limitation period, and shall thereafter be securely disposed of in accordance with the Company’s disposal procedures.
Data processing by a third party shall be governed by a written contract between the third party and the Company, which shall expressly set out each party’s data protection obligations, breach notification duties, and responsibility and liability for any personal data breach. The third party must undergo the Company’s full onboarding process, and such onboarding shall include due diligence on the third party’s technical and organisational safeguards, breach history, regulatory standing, and capacity to assume liability for breaches arising from its acts, omissions, negligence, non-compliance, or contractual default. Where external companies are used to process personal data on behalf of the Company, Jodoa and the relevant external company shall each bear responsibility and liability for data breaches, security failures, unauthorised processing, or misuse of personal data to the extent caused by their respective acts, omissions, negligence, breach of this Policy, breach of applicable data protection laws, or breach of their contractual obligations.
The Company may only transfer personal data to third-party service providers (i.e., data processors) approved by the DPO, who provide sufficient guarantees that they will implement appropriate technical and organisational measures to comply with data protection laws. The written contract with each third-party data processor shall clearly allocate responsibility and liability between Jodoa and the third-party processor, including indemnity, cooperation, notification, remediation, and cost-bearing obligations arising from any actual or suspected data breach. Where a third-party data processor is used:
The Company shall prohibit the transfer of personal data outside Nigeria in most circumstances, to ensure that personal data is not transferred to a country that does not provide an equivalent level of protection for the rights of Data Subjects. In this context, a “transfer” of personal data includes transmitting, sending, viewing, or accessing personal data in or to a different country.
Personal data may be shared with Jodoa’s Head Office in Dubai, and with other Jodoa Group offices or affiliates outside Nigeria, strictly on a need-to-know basis and for legitimate business purposes (for example, group reporting, investment administration, or shared services). Such transfers shall only be made where:
Outside of the intra-group arrangements described above, Cross-Border Data Exchange may only be permitted where one of the following conditions applies:
In the absence of any NDPC approval as to the adequacy of safeguards in a foreign country, a transfer (or set of transfers) of personal data to a foreign country or international organisation shall take place only where one of the following conditions is satisfied:
Jodoa recognises that children constitute a vulnerable category of Data Subjects and are entitled to enhanced protection under the NDPA. In circumstances where the Company processes personal data relating to minors, such as dependants of employees, beneficiaries under property-related arrangements and/or investments, or participants in digital services, the Company shall implement strict safeguards to protect their rights and interests.
Accordingly, in line with the specific obligations imposed under the NDPA in respect of the processing of a child’s personal data, Jodoa shall:
A DPIA shall be conducted where processing:
DPIAs shall be documented and retained for the duration of the processing activity to which they relate, that is, throughout the active processing lifecycle, and shall be made available to the NDPC upon request.
The Company shall maintain a cookie notification on its website, informing visitors that personal information stored in cookies is protected against data breaches. The cookie notification shall also allow visitors to disable cookies while browsing the website.
The Company may, during its real estate, property development, asset management, and investment operations, deploy automated systems and analytical tools for activities such as customer due diligence, fraud detection, risk assessment, service optimisation, and marketing analytics. Where such processing involves automated decision-making, including profiling that produces legal effects or similarly significant impacts on Data Subjects, Jodoa shall ensure strict compliance with the Act and applicable regulatory standards. Accordingly, Jodoa shall implement the following safeguards:
Jodoa shall maintain documented records including:
A personal data breach includes any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Where a breach occurs, the following steps shall be implemented:
All employees, contractors, investors, partners, and third-party processors must immediately report any actual or suspected data breach to the DPO and/or the Information Technology Department, without delay upon becoming aware of it, regardless of the perceived severity of the incident. The DPO shall promptly initiate an internal investigation to assess the scope, cause, and impact of the breach. Failure to report a suspected breach may constitute a disciplinary offence.
Upon notification, the Company shall:
Where a breach is likely to result in a risk to the rights and freedoms of Data Subjects, the Company shall notify the NDPC within seventy-two (72) hours of becoming aware of the breach. Where notification is not made within 72 hours, the Company shall provide documented reasons for the delay. The notification shall include all required regulatory information, including the nature of the breach, the categories of data involved, the likely consequences, and the measures taken or proposed to address the breach.
Where a breach is likely to result in a high risk to the rights and freedoms of affected Data Subjects, the Company shall notify those individuals immediately, and in any event without undue delay, upon confirming the existence of that high risk. Such notification shall be communicated in clear and plain language and shall include:
Notification to individuals may not be required where: appropriate technical safeguards (such as encryption) render the data unintelligible; subsequent measures have eliminated the high risk; or notification would involve disproportionate effort, in which case public communication may be considered where appropriate.
The Company shall maintain a Data Breach Register documenting:
This register shall be periodically reviewed to identify trends, strengthen controls, and improve incident response mechanisms.
The DPO is required to ensure that all employees undergo adequate training to enable them to comply with data protection laws. The DPO shall periodically review systems and processes to ensure they comply with this Policy.
Failure to adhere to this Policy will be handled in line with the Company’s Disciplinary Policy.
This Policy shall be reviewed, amended, modified, or supplemented every two years, or as the need arises, to ensure compliance with any modification, amendment, or supplementation issued by the regulators, or as may otherwise be recommended by the Board.
– CHRISTOPHER EVANS
CHAIR