• Plot 33D Bishop Aboyade Cole Street , Victoria Island Lagos
Facebook Twitter Instagram Linkedin

07074993280

09045590800

Data Subject Access Request Policy 

1. Introduction

This Data Subject Access Request Policy (Policy) sets out the procedure to be adopted by Hallmark Finance Company Ltd (“HFC” or “the Company”) in responding to requests by individuals (Data Subjects) regarding their personal data held by HFC in line with the provisions of the Nigeria Data Protection Act, 2023 (NDPA). This Policy should be read in conjunction with HFC’s Data Protection Policy. 

The Data Protection Officer (DPO) shall be responsible for overseeing this Policy to ensure compliance with the provisions of the NDPA. 

2. Personal Data

This Policy is limited to the Personal Data collected by HFC from Data Subjects. Under the NDPA, Personal Data means any information relating to an identified or identifiable natural person or Data Subject. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to factor(s) specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. These include name, address, photo, email address, bank details, posts on social networking websites, medical information, and other unique identifier as provided under the NDPA. 

3. Data Subject Rights

    3.1 HFC collects and processes Personal Data of Data Subjects in furtherance of its business operations. 

    3.2 In line with the provisions of the NDPA, Data Subjects are entitled to the rights below: 

          (a) Right to request for and access Personal Data collected and stored by HFC; 

          (b) Right to object to processing of Personal Data; 

          (c) Right to be informed of and provide consent prior to the processing of data for purposes other than that for which the Personal Data were collected; 

          (d) Right to object to automated decision making and profiling; 

          (e) Right to withdraw consent at any time; 

          (f) Right to request rectification and modification of your data kept by HFC; 

         (g) Right to request for deletion of your data collected and stored by HFC; and 

         (h) Right to request the movement of data from HFC to a Third Party i.e. the right to the portability of data.

    3.3 Any request as it relates to implementation of the above rights shall be carried out by completing and submitting the Subject Access Request Form (SAR Form) in accordance with the terms of this Policy. 

4. Subject Access Request Response Procedure

    4.1 Where a Data Subject wishes to exercise any of the rights guaranteed under the NDPA, they shall make a formal request by completing the SAR Form (See Appendix 1) and sending the completed form via email to the Data Protection Officer (DPO) at info@hallmarkfinance.ng 

    4.2 HFC shall contact the Data Subject within 5 working days of the receipt of the SAR Form to confirm receipt of the subject access request and may request additional information to verify and confirm the identity of the individual making the request. 

    4.3 The DPO, on receiving any request from a Data Subject, shall record the request and carry out verification of the identity of the individual making the request using the details provided in the SAR Form and a valid means of identification such as international passport, driver’s license, national identification card, employee identity card issued by HFC or any other acceptable means of identification. 

    4.4 Where the request is from a third party (such as relative or representative of the Data Subject), HFC will verify their authority to act for the Data Subject and may contact the Data Subject to confirm their identity and request the Data Subject’s consent to disclose the information. 

    4.5 When the identity of the individual making the request is verified, the DPO shall coordinate the gathering of all information collected with respect to the individual in a concise, transparent, intelligible and easily accessible form, using clear and plain language with a view to responding to the specific request. The information may be provided in writing, or by other means, including, where appropriate, by electronic means or orally provided that the identity of the Data Subject is proven by other means. 

    4.6 Where the information requested relates directly or indirectly to another person, HFC will seek the consent of that person before processing the request. However, where disclosure would adversely affect the rights and freedoms of others and HFC is unable to disclose the information, HFC will inform the requestor promptly, with reasons for that decision. 

5. Fees and Timeframe

    5.1 HFC shall ensure that it provides the information required by a Data Subject or respond to the request by the Data Subject within a period of one month from the receipt of the request However, where HFC is unable to act on the request of the Data Subject, it shall inform the Data Subject promptly at least within one month of receipt of the request of the reasons for not taking action and notify them of the option of lodging a complaint with the Nigeria Data Protection Commission (NDPC) in line with the NDPA. 

    5.2 Any information provided to the Data Subject by HFC shall be provided free of charge. However, where requests from a Data Subject are manifestly unfounded or excessive in particular because of their repetitive or cumbersome nature, HFC may: 

      (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication, taking the action required or making a decision to refuse to act on the request; or 

      (b) write a letter to the Data Subject stating refusal to act on the request and copying the NDPC. 

6. Exceptions To Data Subjects Access Rights

To the extent permitted by applicable laws, HFC may refuse to act on a Data Subjects request, if at least one of the following applies:  

(a) in compliance with a legal obligation to which HFC is subject; 

(b) protecting the vital interests of the Data Subject or of another natural person; and 

(c) for public interest or in exercise of official public mandate vested in HFC. 

7. Related Policies and Procedures

This Policy shall be read in conjunction with the following policies and procedures of HFC 

(a) Data Protection Policy  

(b) IT Security Policy

(c) Document Retention Policy

(d) Personal Data Breach Management Policy

8. Changes to the Policy

HFC reserves the right to change, amend or alter this Policy at any point in time. If we amend this Policy, we will issue an updated version. 

9. Contact for any Queries

HFC has appointed a DPO responsible for overseeing HFC data protection strategy and its implementation to ensure compliance with NDPA requirements. 

The DPO should be contacted if you have any queries or clarifications regarding the operation of this Policy. The contact details are set out below: 

  • Data Protection Officer:  
  • Location: 33 Bishop Aboyade Cole Victoria Island  
  •  info@hallmarkfinance.ng:   

10. General Information

Title:  Data Subject Access Request Policy 

Status: Mandatory 

Issuing Department: Legal

Distribution/Target Audience:  All employees, including contracted staff of Limited, users of Consolidated Hallmark Holdings Plc and the general public. 

Approver: Management of   Consolidated Hallmark Holdings Plc

Effective Date: January 2024

Version: 1.0

Download data subject access right form

Hallmarkfinance.ng