BEST EXECUTION POLICY STATEMENT

Standard Union Securities Limited cares about best execution: we must take all sufficient steps to obtain the best possible result under the relevant circumstances when executing transactions on clients’ behalf.

Upon acceptance of a client order and when there is no specific client instruction regarding the execution method, Standard Union Securities Limited will execute an order in accordance with this policy.

When executing orders Standard Union Securities Limited will take all reasonable steps to obtain the best possible result under the circumstances for the client taking into account price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order (“Best Execution”).

Whenever there is a specific instruction from or on behalf of a client, Standard Union Securities Limited will, to the extent possible, execute the order in accordance with the specific instruction. A specific instruction from a client may prevent Standard Union Securities Limited from taking steps that it has described in this policy to obtain the best possible result for the execution of orders. Trading rules for specific markets may prevent Standard Union Securities Limited from following certain of the client’s instructions. To the extent that a client instruction is not complete, the firm will determine any non-specified components of the execution in accordance with this policy. The policy does not create any obligation on Standard Union Securities Limited that it does not have under the rules.

COMPLAINTS MANAGEMENT POLICY

OVERVIEW


At Standard Union Securities Limited we strive to personally and professionally demonstrate certain values in our actions. We are disciplined and reliable and engender trust and integrity. We appreciate that on occasion customers may not be satisfied with the service they receive from us, and we recognize the right of any person to make a complaint. We are committed at all levels of the organization to their efficient, impartial and courteous resolution.

THE COMPLAINT HANDLING PROCESS

Complaints may be made in person, by phone, email or in writing. The client service units will receive the complaints and forward them to the Head, Client Services. All complaints should be duly logged into the complaints register for tracking.

The Head, Client Services will forward such complaints to the Managing Director for assessment. The MD will then forward such complaints to the designated personnel for resolution. (This process should be completed within 24hrs of receiving the complaints)

After a thorough investigation has been conducted, the designated personnel analyses the complaints and puts in place a mechanism for prompt resolution. The compliance officer should be notified of the status of the complaints.

Proposed resolutions are forwarded to the Head, Client Services within 48hrs with appropriate approvals put in place.

A detailed resolution must be forwarded to the client immediately the complaint is resolved and where more time is required, the client must be notified, stating the reasons for the extension. The designated client services representative must ensure that the complaints and their resolution and related correspondences are filed in a client complaints file and a copy retained in the respective client’s file.

On a periodic basis, the designated personnel or the compliance officer should undertake a root cause analysis of the complaints to determine resolutions for recurring issues.

Where customer complaints have been received by the regulators and forwarded to the company for resolution, the compliance officer shall acknowledge receipt of the complaint in writing. On resolution of the complaint, a copy of the response shall be forwarded to the regulators by the compliance officer.

The complaint register should be reviewed by the Managing Director on a daily basis and must detail the following:

  • Date of complaint
  • Name of complaint
  • Form/Nature of complaints
  • Expected Resolution date
  • Details of review officer (name and department) as assigned by the Managing Director
  • Concerned units
  • Actual date of resolution
  • Complaint status (whether active or closed)

Where clients are dissatisfied with the resolution of a complaint, they have the right to pursue such complaint until it is resolved to their satisfaction. Such a case will then be re-opened and efforts will be put in place to resolve it satisfactorily.

The objective of the complaints handling process involves the following:

  • Manage complaints objectively and deal with them fairly, respectfully, consistently and without actual or perceived conflicting interests.
  • Take all reasonable steps to ensure that a complainant is not adversely affected.
  • Protect the rights of officers where they are the subject of a complaint.
  • Deal with complaints confidentially to the extent possible.
  • Ensure that all available information/evidence has been collected from both sides.

If you require additional information, please contact us on office@standardun.com or call us on 8033012039, 08181283000.

DATA PRIVACY POLICY
DATA PROTECTION AND PRIVACY POLICY
EFFECTIVE DATE: 21 October 2019


Standard Union Securities Limited takes the privacy and security of your personal data very seriously. Our privacy statement explains the information we collect from you, why we collect this data and how we ensure that it is kept safe, and it explains your rights in relation to your personal data. You should read this statement carefully to ensure that you understand how we handle your personal data.



Who is Standard Union Securities Limited and how can you contact us?

Standard Union Securities Limited is a Capital Market Operator and financial entity registered with CAC, Nigeria. Standard Union Securities Limited is the data controller and processor as defined in the General Data Protection Regulation or NDPR. Should you wish to contact us with general questions, these can be sent to office@standardun.com. It is also possible to contact our data protection officer via anthony@standardun.com. The registered office for Standard Union Securities Limited is F1, Sani Abacha Way, Kano, Kano State, Nigeria, while the Head Office is at 1st Floor, Shippers’ Plaza, 31, Ndola Crescent, off Michael Okpara Street, Wuse Zone 5, Abuja, FCT.


What do we mean by personal data?

Personal data is any information that relates to you or can be used to identify you. As a client of Standard Union Securities Limited you provide us with some of your personal data; this includes your name, telephone number and email address. It can also include Internet Protocol or IP addresses, which in some circumstances can be used to identify you. In the event that a corporate or professional party intends to become a client, we will also collect personal data which relates to the interested individuals of the company, for example directors and authorised representatives.

What do we mean by processing?

Processing is a concept from law. It is a very broad concept which covers actions taken in respect of your personal data, such as: collection, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Whenever Standard Union Securities Limited carries out any processing of personal data, we do so in line with the relevant privacy regulations – NDPR and GDPR.

How do we collect your data?

Below you will find ways in which we collect your personal data:

  • When you provide information by email, via the website or CloudIntegra, by phone, in writing, or by other means. This includes, for example, the information you provide during account opening, a KYC information update, entering a promotion or survey, and for other purposes.
  • When you visit our websites, we will automatically collect information including the IP address. We also collect information about your visit; this includes the full click path and mouse movement, pages you visited, searches which were made and other page interaction information.
  • Where necessary, it is possible that we will receive information about you from a registrar, NGX Group or CSCS and any other agencies; this collection is carried out in line with the Client Agreement.
  • For Corporate clients we will also collect information which is publicly available in relation to the Directors of the company.
  • If you visit us in person, for security we collect images of visitors using CCTV.

Why do we process your personal data?

Standard Union Securities Limited collects personal data for the following reasons:

  • To comply with the legal and regulatory obligations;
  • Marketing activities; and
  • Execution of contractual obligations.

Standard Union Securities Limited, as an investment firm, has a number of regulatory obligations which require the processing of client data; client identification is one of the main reasons we collect and process personal data. Further to this, there are additional legal and regulatory obligations we must comply with, including co-operation with courts and authorised law enforcement agencies and the prevention and detection of crime. Next to this, when people contact Standard Union Securities Limited to ask for additional information or to become a client of Standard Union Securities Limited, or when you request us to send you our periodical newsletters, Standard Union Securities Limited needs to be able to contact that client or potential client. Standard Union Securities Limited also has contractual obligations which mean that it needs to process the data of its clients to fulfil these obligations.

When Standard Union Securities Limited processes the personal data of its clients, it does so by using the minimal amount of data possible to ensure that the aim is met.

What do we use personal data for?

Standard Union Securities Limited only records personal information that you have provided upon request when you become a client of Standard Union Securities Limited and only after your explicit permission. Without these statements Standard Union Securities Limited cannot and must not exercise its business activities. Standard Union Securities Limited will use your information to provide you with services that keep you informed about old and new products and services from Standard Union Securities Limited, for anonymous statistical analysis, and to comply with legal obligations.

All telephone conversations between the customer and Standard Union Securities Limited are recorded. These recordings are stored and can be used for:

  • Delivery of documents, such as in the event of a difference of interpretation or regarding the content of the telephone conversation;
  • Fraud detection and investigation;
  • Evaluation of service quality;
  • Training, coaching, and evaluation purposes.

Furthermore, Standard Union Securities Limited may, for example, do the following with your personal data:
  1. Client acceptance

    It is required by law for us to verify the identity of our clients, and without this information Standard Union Securities Limited could not provide its services to you. With your personal data we can, for example:

    • Contact you.
    • Perform the relevant checks to ensure that you are eligible to become a client of Standard Union Securities Limited.
    • Review and check your request to become our client or to change your profile.
    • Keep your details in our administration and update them when there are changes.
    • Manage your profile(s) including your individual risk profile; which are based on internal client acceptance policies.
  2. Reduce risks

    We share the responsibility for the safety and stability of the financial sector. We also have a responsibility to you and all our clients. We will therefore use your personal data to reduce risks. You might notice for example:

    • If the risk on your account breaches the allowed limits, we will contact you to allow you to bring this back into the allowed limits.

    You might not notice much of the below, but it is also done to protect you:

    • We keep your IP address when you visit our site. This can be used in the event that there is a dispute as to who accessed your account, or for the security of the company, for example preventative measures against Distributed Denial of Service (DDoS) attacks.
    • Ensure good levels of security and invest in resources that protect both you and ourselves against all kinds of crime.
    • Internal quality checks, to determine possible issues, risks and testing to ensure that legislation has been properly implemented.
    • Carry out the relevant regulatory reporting.
    • Ensure that we remain a healthy company (risk management).
  3. Legal obligations

    There are a variety of legal obligations which Standard Union Securities Limited as an investment firm must follow.

    • Identification of clients: we check who you are and ensure that we have enough knowledge to allow us to offer our services.
    • Provide your personal data to specific organisations which are authorised to request this information, for example the government agencies, financial regulators, CSCS, company registrars or when we are legally obliged to share this information for example during a criminal investigation.
    • We also have a number of obligations under anti money laundering legislation.
  4. Market Activities

    At Standard Union Securities Limited we like to keep you informed, for example with emails, newsletters, offers or updates to our FixPro or CloudIntegra trading platform.

    • We can for example collect your searches within the website of Standard Union Securities Limited to ensure that our FAQ are up to date with the information clients need. This information is anonymised, so no one is able to ascertain which client is asking the question.
    • We use anonymized data to ensure that our marketing campaigns are effective. If you would prefer not to receive some of this information, please feel free to contact the Service desk or unsubscribe via the button within the marketing email.
  5. Improve and Innovate

    We may also use personal data for analytical research, this allows us to find better solutions and ensure that we continue to be innovative. When we are carrying out these research activities, we use the minimal data required and do this in a way where your information is either pseudonymized or anonymized.

  6. Google Analytics

    In order to ensure that the website of Standard Union Securities Limited is easy to use for clients, and to assess the success of campaigns, Standard Union Securities Limited makes use of Google Analytics. Standard Union Securities Limited has signed an agreement for the use of this service and ensures that the data is anonymized as much as possible; this includes masking part of the IP address.

  7. Who do we collect personal data from?

    We can have (some) personal data of anyone who has contact with Standard Union Securities Limited. If you request additional information, we will store the information which is provided during that request. We are required by law and regulation to have personal information surrounding all of our clients. This information is gathered during the registration/account opening and requested when necessary. In some cases, it may be necessary for us to make use of third parties to either verify or collect information.

What personal data is collected?

Data about you

This includes your name, address, telephone number and email address. In the event you are a corporate client we will also collect information surrounding your company or foundation. If you open a minor account or a joint account, the information surrounding the secondary account holders will also be collected. We will also ask for copies of your ID and personal numbers such as your BVN, tax identification number or relevant identifiers.

Transaction history

In addition to personal data which Standard Union Securities Limited have in relation to clients, we also keep a historic log concerning transaction and order history.

Contact history

We keep a record of the times when you have contacted Standard Union Securities Limited; this includes telephone recordings, emails or other ways you have communicated with us.

Website visits and app use

In the event that you visit the website of Standard Union Securities Limited, we will also collect the IP address which is used. Should your IP address be used, for example via Google Analytics, this will be done in an anonymized manner.

External data sources

There are times where Standard Union Securities Limited will use external data providers, such as checking with the relevant agency or in the event that a KYC and compliance check is required. In the event that Standard Union Securities Limited carries out a compliance and KYC check, it applies strict confidentiality to this information. Any individual who has access to this information does so only in the performance of their duty, and the relevant data protection regulation is fully complied with. In the event you have questions about when KYC checks are carried out, please contact the service desk of Standard Union Securities Limited on office@standardun.com.


Sensitive personal data

Sensitive personal data includes things such as Bank Verification Number, tax identification number, criminal history, biometric data, matrimonial status, sexuality or ethnic origin, etc. If processing sensitive personal data is necessary, there are stricter rules applied to this. At Standard Union Securities Limited we never use sensitive data related to health, religious beliefs, political or philosophical beliefs, or sexual orientation. We have a legal obligation to identify our clients; therefore we require the tax identification number and national identification to do this.

Who do we share your personal information with?

In principle we do not share your information with others. It is possible that we may share personal data within the financial market ecosystem which Standard Union Securities Limited is a part of. All members of the ecosystem have a similarly strict privacy policy. The police, judiciary, regulators and the tax authority can also request information from us on the grounds of law. However, we follow procedures which ensure that any sharing of information is both legitimate and proportionate.

Service providers

In the event we use a service provider to assist Standard Union Securities Limited, we will aim to inform you about the use of a third party and limit the sharing of personal information strictly to what is required for that specific assignment.

In the event that registrars request your information for verification, it is possible that we will need to provide them with information about who you are.

With other companies on your own request

There are times when we will only share your personal data with other companies when you specifically ask. When this is done, we will specify this in the agreement to share the information.

Government and regulators and other CMO’s operators

As an investment firm regulated within Nigeria, there are times when we receive requests for information concerning our clients. We are obliged under law to provide the regulators with this information. Additionally, we have legal obligations which require us to share information with governmental bodies and competent legal authorities such as NFIU, NGX Group. The data protection regulations which cover Sigma are also applicable to these bodies mentioned. Standard Union Securities Limited will in specific circumstances also share information with relevant tax authorities.

How long do we store your personal data?

When you become a client of Standard Union Securities Limited, we will keep your personal data for the duration of our relationship; we have a legitimate business need to do so. Upon the end of the relationship we are required to keep this personal data for five years. We need to keep this to ensure that we can comply with legal obligations such as fighting financial crime, or to settle any disputes or mount a legal defense.

How do we protect your personal data?

Security

We spend a lot of time and resources to ensure our systems and your personal data have the relevant security measures in place. In the case that there is a breach of our systems we will report this to the relevant authorities within the period of 72hrs and ensure that our clients are aware.

We have appropriate technical and organisational measures in place to protect your personal data against unauthorised access including accidental loss, destruction or disclosure of your data. We place restrictions on the access of personal data, so only those employees who need to access your data can. To ensure that any new processing is justified and compliant with the law we complete data protection impact assessments and carry out monitoring of any external data processors.

Confidentiality

Our employees have all signed a confidentiality agreement and agreed to an internal code of conduct and follow the Oath of promise in the financial sector. Further to this, only authorised personnel may view and process your personal data.

Supervision

  • We are supervised by the Nigerian Data Protection Authority (NITDA) to ensure we comply with the Personal Data Protection Act.
  • Standard Union Securities Limited operates under behavioural supervision of The NGX Group and Securities and Exchange Commission.

Is your personal data used in automated decision making?

There are times, for example when you change profile from a Basic to an online Trading account, that we will automatically send you an email containing your login details and guides on how to use the portals easily and safely.

Your rights

  1. Right of access:

    You have the right to access any personal data which Standard Union Securities Limited holds about you. We can provide a copy of this information; to request this, you can contact the relevant Service Desk of Standard Union Securities Limited, who can provide this information after completing security.

  2. Right to rectification:

    If you find your data to be incorrect or outdated, you should contact the relevant service desk of Standard Union Securities Limited to request for this data to be updated.

  3. Complaints:

    If you have complaints about the processing of your personal data, please get in touch either with the relevant service desk of Standard Union Securities Limited or by contacting the Data Protection Officer via anthony@standardun.com.

  4. NITDA:

    Under NDPR you have the right to complain about our processing of your personal data to the NITDA. Under NDPR you have some other rights which may be possible in specific circumstances:

    • Right to Erasure:

      In certain circumstances it is possible for us to delete some of or all the personal data we hold for you.

    • Right to restriction of processing:

      You can ask for Standard Union Securities Limited to restrict the way your personal data is processed.

    • Right to data portability:

      It is possible to request for your data to be provided to you or to be sent to a third party.

    • Right to object:

      You have the right to object to the processing of your personal data when this processing is done based on legitimate interest.

  5. Right to stop marketing:

    It is possible to stop the use of your personal data for direct-marketing purposes. This can be done via the unsubscribe button in the marketing emails or by contacting the relevant Service Desk. Please be informed that there are some communications we are required to send you, and for these it will not be possible to unsubscribe while you are a client; this includes changes to the client agreement, for example.

    Furthermore, in the event that consent was required for the processing of your personal data, you have the right to withdraw your consent as given regarding your data at any time.

    The above requests will be considered by Standard Union Securities Limited and responded to within a reasonable period. Please be aware that some of these requests might not be granted, for instance in cases where these would result in Standard Union Securities Limited failing to meet a legal requirement or the ability to exercise or defend a legal claim.

  6. Our view on privacy

    At Standard Union Securities Limited, our clients’ trust is fundamental to our relationship. We therefore strive to ensure that our clients have faith in the way we deal with their personal data. We take great care in ensuring that your data is safe and only processed when authorised to do so.

    When we process your personal data, we always make sure that it is essential for us to do this. When possible, we will anonymize your personal data or when this is not possible, we will only use the data which is strictly necessary. For processing your personal data, we will also ensure that the concept of ‘privacy by design’ is at the heart of our development.

    Our privacy policy is updated regularly, as law and regulations are continuously subjected to change.

  7. Questions about privacy

    In the event you have some additional questions in relation to privacy or your personal data you can contact the service desk of Standard Union Securities Limited via office@standardun.com where staff will answer all questions.

    In the event that you wish to complain about the way we have handled your personal data please contact the data protection officer via anthony@standardun.com. Please note when contacting the data protection officer this communication will be answered in English. The DPO will then look into your complaint and work towards a resolution.

    If you still feel that your personal data has not been handled appropriately according to the law, you can contact NITDA and file a complaint with them.

  8. Liability

    Standard Union Securities Limited considers it important that the processing of your (personal) information is conducted in a manner that is consistent with the existing safeguards to protect your personal information. Standard Union Securities Limited complies with the rules of the Data Protection Act and the Financial Sector Supervision in all its activities. Your (personal) information will not be disclosed to third parties outside Standard Union Securities Limited without your express consent, unless legal obligations require us to do so.

Third-party websites

Standard Union Securities Limited are not responsible for the measures of other websites using terms, even when they are associated with Standard Union Securities Limited’s websites with hyperlinks or otherwise.

Exercise of rights

You have the right to see your information and, when necessary, the ability to improve or correct this information. For this, contact Standard Union Securities Limited through this website. We’ll keep you updated about (new) products and services from Standard Union Securities Limited via e-mail.

Cookies

What is a cookie?

Cookies are small files stored on the hard drive of your computer. Cookies ensure that your browser is recognized by Standard Union Securities Limited’s Web server.

Why does Standard Union Securities Limited use cookies and web bugs?

Websites have no memory. A visitor who browses from page to page on the site is regarded as a new visitor each time. Cookies enable a website to recognize your browser. Web bugs behave in much the same way as cookies.

Are all cookies the same?

No! There are different types of cookies. The distinction is made between function, duration and who places the cookie.

By Function:

A technical cookie is necessary for a website and specific functions to work (technically). For example, to create access to protected or secured parts of a website. Without this type of cookie, some services, such as a login, shopping cart and electronic payment will not work.

An analysis cookie collects information about how visitors use a website. For example, the page that is visited most and where any errors occur. The purpose of this type of cookie is to provide the website provider insight into how the site works and how it can be improved. This cookie thereby also contributes to the website’s usability.

A functional cookie remembers the choices made by the user. It may be choices such as a username, currency, language or country. This means that a user does not need to specify their preferences again. The functional cookie thus also contributes to ease of use.

An advertising cookie is used to display advertisements that are targeted at visitors of the website to ensure that the same advertising does not appear every time, and to measure the effectiveness of advertising campaigns. These are usually placed by advertising networks with the consent of the administrator of the website. They record that a website is visited.

By Duration

A session cookie is installed on the visitor’s computer and collects data as long as the visitor is actually on the website. When you close your browser, the cookie is removed.

A permanent cookie is installed on the visitor’s computer for a fixed (longer) period.

A first-party cookie is a cookie that is connected to the website which the visitor is visiting at the time. It may be a cookie from Standard Union Securities Limited placed when visiting www.standardun.com or related subdomains.

A third-party cookie is a cookie that is placed by a party other than Standard Union Securities Limited (the provider of the visited website). For example, providers of advertisements and (external) providers of applications whose advertisements or applications are integrated in the visited website.

What is a web bug?

A web bug is an electronic image of a single pixel (1 x 1) or a so-called “colourless GIF” in the website’s coding. Web bugs really function in the same way as cookies. Web bugs are used to follow the visitor traffic from one page to another, in order to optimize the flow of traffic on the website.

What can I do if I do not want (certain) cookies?

In your browser settings (e.g. Opera, Internet Explorer, Safari, Firefox, Mozilla or Chrome) you can specify whether you allow cookies or not and which cookies to accept. The settings are different from browser to browser. You can obtain information about the location and method under ‘Help’ in your browser. You should be aware that you may not be able to use our website’s functions properly if you refuse (certain) cookies. If you do not wish to receive advertising cookies, you can activate ‘do not track’ in your browser. You can indicate on www.youronlinechoices.eu that you do not want to receive cookies from advertising companies.

Changes

Standard Union Securities Limited reserves the right to make changes to this statement. It is therefore advisable to consult this privacy statement regularly when you visit our website. Do you think that there is something wrong with this statement or are you unhappy with another aspect of our service? Please make sure to contact us. Your complaint will be handled by Standard Union Securities Limited’s compliance officer.

THIS POLICY WAS REVIEWED IN FEBRUARY 2020

STUS DATA BREACH POLICY

Introduction

Standard Union Securities Limited collects, holds, processes, and shares personal data, a valuable asset that needs to be suitably protected. Every care is taken to protect personal data from incidents (whether accidental or deliberate) to avoid a data protection breach that could compromise security. Compromise of information, confidentiality, integrity, or availability may result in harm to individual(s), reputational damage, detrimental effect on service provision, legislative non-compliance, and/or financial costs.


Purpose and Scope

Standard Union Securities Limited is obliged under Data Protection legislation to have in place an institutional framework designed to ensure the security of all personal data during its life cycle, including clear lines of responsibility. This policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents across Standard Union Securities Limited. This policy relates to all personal and special categories (sensitive) data held by Standard Union Securities Limited regardless of format. This policy applies to all employees of Standard Union Securities Limited. This includes temporary, outsourced or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of, Standard Union Securities Limited. The objective of this policy is to contain any breaches, to minimise the risk associated with the breach and to consider what action is necessary to secure personal data and prevent further breaches.


Definitions / Types of breach

For the purpose of this policy, data security breaches include both confirmed and suspected incidents. An incident in the context of this policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to Standard Union Securities Limited’s information assets and / or reputation. An incident includes, but is not restricted to, the following:
  • loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad / tablet device, or paper record);
  • equipment theft or failure;
  • system failure;
  • unauthorised use of, access to or modification of data or information systems;
  • attempts (failed or successful) to gain unauthorised access to information or IT system(s);
  • unauthorised disclosure of sensitive / confidential data;
  • website defacement;
  • hacking attack;
  • unforeseen circumstances such as a fire or flood;
  • human error;
  • ‘blagging’ offences where information is obtained by deceiving the organisation who holds it.

Reporting an incident

Any individual who accesses, uses or manages Standard Union Securities Limited information is responsible for reporting data breach and information security incidents immediately to the Data Protection Officer via dpo@standardun.com.

If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable. The report must include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, if the data relates to people, the nature of the information, and how many individuals are involved. An Incident Report Form should be completed as part of the reporting process (refer to [The data Breach report form]).


Containment and recovery

  1. The Data Protection Officer (DPO) will first determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach.
  2. An initial assessment will be made by the DPO in liaison with relevant officer(s) to establish the severity of the breach and who will take the lead investigating the breach, as the Lead Investigation Officer (this will depend on the nature of the breach; in some cases it could be the DPO).
  3. The Data Protection Officer will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.
  4. The Data Protection Officer will establish who may need to be notified as part of the initial containment and will inform the police, where appropriate.
  5. The Data Protection Officer, in liaison with the relevant officer(s) will determine the suitable course of action to be taken to ensure a resolution to the incident.

Investigation and risk assessment

  1. An investigation will be undertaken by the DPO with the Head of Information Technology / Head of Internal Control department immediately and, wherever possible, within 24 hours of the breach being discovered / reported.
  2. The DPO with the Head of Information Technology / Head of Internal Control department will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.
  3. The investigation will need to take into account the following:
    • the type of data involved;
    • its sensitivity;
    • the protections in place (e.g. encryption);
    • what has happened to the data (e.g. has it been lost or stolen);
    • whether the data could be put to any illegal or inappropriate use;
    • data subject(s) affected by the breach, number of individuals involved and the potential effects on those data subject(s);
    • whether there are wider consequences to the breach.

Notification

The DPO with the Head of Information Technology / Head of Internal Control department, in consultation with relevant colleagues, will establish whether the Authority will need to be notified of the breach, and if so, notify them within 72 hours of becoming aware of the breach, where feasible. Every incident will be assessed on a case-by-case basis; however, the following will need to be considered:

  • whether the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms under Data Protection legislation;
  • whether notification would assist the individual(s) affected (e.g. could they act on the information to mitigate risks?);
  • whether notification would help prevent the unauthorised or unlawful use of personal data;
  • whether there are any legal / contractual notification requirements;
  • the dangers of over-notifying. Not every incident warrants notification and over-notification may cause disproportionate enquiries and work.

Individuals whose personal data has been affected by the incident, and where it has been considered likely to result in a high risk of adversely affecting that individual’s rights and freedoms, will be informed without undue delay. Notification will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, and include what action has already been taken to mitigate the risks. Individuals will also be provided with a way in which they can contact Standard Union Securities Limited for further information or to ask questions on what has occurred.

The Data Protection Officer must consider notifying third parties such as the police, insurers, banks or credit card companies. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.

A record will be kept of any personal data breach, regardless of whether notification was required.


Evaluation and response

Once the initial incident is contained, the DPO will carry out a full review of the causes of the breach, the effectiveness of the response(s), and whether any changes to systems, policies and procedures should be undertaken. Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring. The review will consider:

  • where and how personal data is held and where and how it is stored;
  • where the biggest risks lie including identifying potential weak points within existing security measures;
  • whether methods of transmission are secure;
  • sharing the minimum amount of data necessary;
  • staff awareness;
  • implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches of security.

If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by Standard Union Securities Limited.

Policy Review

This policy will be updated as necessary to reflect best practice and to ensure compliance with any changes or amendments to relevant legislation.

THIS POLICY WAS REVIEWED IN FEBRUARY 2020.

DATA SUBJECT ACCESS REQUEST POLICY

About this Policy: scope, purpose and users

This procedure sets out the key features regarding handling or responding to requests for access to personal data made by data subjects, their representatives or other interested parties. This procedure will enable Standard Union Securities Limited (further: “Company”) to comply with legal obligations, provide better customer care, improve transparency, enable individuals to verify that information held about them is accurate, and increase the level of trust by being open with individuals about the information that is held about them.

This procedure applies broadly across all entities or subsidiaries owned or operated by the Company but does not affect any state or local laws or regulations which may otherwise be applicable.

This procedure applies to employees that handle data subject access requests such as the Data Protection Officer.


Data Subject Access Request (DSAR)

A Data Subject Access Request (DSAR) is any request made by an individual or an individual’s legal representative for information held by the Company about that individual. The Data Subject Access Request provides the right for data subjects to see or view their own personal data as well as to request copies of the data.

A Data Subject Access Request must be made in writing. In general, verbal requests for information held about an individual are not valid DSARs.

A Data Subject Access Request can be made via any of the following methods: email or post. DSARs made online must be treated like any other Data Subject Access Requests when they are received, though the Company will not provide personal information via social media channels.


The Rights of a Data Subject

The rights to data subject access include the following:

  • Know whether a data controller holds any personal data about them.
  • Receive a description of the data held about them and, if permissible and practical, a copy of the data.
  • Be informed of the purpose(s) for which that data is being processed, and from where it was received.
  • Be informed whether the information is being disclosed to anyone apart from the original recipient of the data; and if so, the identity of those recipients.
  • The right of data portability. Data subjects can ask that their personal data be transferred to them or a third party in machine readable format (Word, PDF, etc.). However, such requests can only be fulfilled if the data in question is: 1) provided by the data subject to the Company, 2) is processed automatically and 3) is processed based on consent or fulfilment of a contract.
  • If the data is being used to make automated decisions about the data subject, to be told what logic the system uses to make those decisions and to be able to request human intervention.

The Company must provide a response to data subjects requesting access to their data within 30 calendar days of receiving the Data Subject Access Request unless local legislation dictates otherwise.

Requirements for a valid DSAR

In order to be able to respond to the Data Subject Access Requests in a timely manner, the data subject should:

  • Submit his/her request using a Data Subject Access Request Form.
  • Provide the Company with sufficient information to validate his/her identity (to ensure that the person requesting the information is the data subject or his/her authorized person).

Subject to the exemptions referred to in this document, the Company will provide information to data subjects whose requests are in writing (or by some other method explicitly permitted by the local law), and are received from an individual whose identity can be validated by the Company.

However, the Company will not provide data where the resources required to identify and retrieve it would be excessively difficult or time-consuming. Requests are more likely to be successful where they are specific and targeted at particular information.

Factors that can assist in narrowing the scope of a search include identifying the likely holder of the information (e.g. by making reference to a specific department), the time period in which the information was generated or processed (the narrower the time frame, the more likely a request is to succeed) and being specific about the nature of the data sought (e.g. a copy of a particular form or email records from within a particular department).


DSAR process

Request

Upon receipt of a DSAR, the Data Protection Team will log and acknowledge the request. The requestor may be asked to complete a Data Subject Access Request Form to better enable the Company to locate the relevant information.

Identity verification

The Data Protection Team needs to check the identity of anyone making a DSAR to ensure information is only given to the person who is entitled to it. If the identity of a DSAR requestor has not already been provided, the person receiving the request will ask the requestor to provide two forms of identification, one of which must be a photo identity and the other confirmation of address. If the requestor is not the data subject, written confirmation that the requestor is authorized to act on behalf of the data subject is required.


Information for DSAR

Upon receipt of the required documents, the person receiving the request will provide the Data Protection Team with all relevant information in support of the DSAR. Where the Data Protection Team is reasonably satisfied with the information presented by the person who received the request, the Data Protection Officer will notify the requestor that his/her DSAR will be responded to within 30 calendar days. The 30-day period begins from the date that the required documents are received. The requestor will be informed by the Data Protection Team in writing if there will be any deviation from the 30-day time-frame due to other intervening events.


Review of Information

The Data Protection Team, composed of cross-department representatives, will collate the relevant and required information as requested in the DSAR. The Data Protection Team must ensure that the information is reviewed/received by the imposed deadline to ensure the 30 calendar day time-frame is not breached. The Data Protection Officer will ask the relevant department to complete a “Data Subject Disclosure Form” to document compliance with the 30-day requirement.


Response to access requests

The Data Protection Team will provide the finalized response together with the information retrieved and/or a statement that the Company does not hold the information requested, or that an exemption applies. The Data Protection Team will ensure that a written response will be sent back to the requestor. This will be via email, unless the requestor has specified another method by which they wish to receive the response (e.g. post). The Company will only provide information via channels that are secure. When hard copies of information are posted, they will be sealed securely and sent by recorded delivery.


Archiving

After the response has been sent to the requestor, the DSAR will be considered closed and archived by the Data Protection Team.


Exemptions

An individual does not have the right to access information recorded about someone else, unless they are an authorized representative.

  • The Company is not required to respond to requests for information unless it is provided with sufficient details to enable the location of the information to be identified, and to satisfy itself as to the identity of the data subject making the request.
  • In principle, the Company will not normally disclose the following types of information in response to a Data Subject Access Request:
    • Information about other people – A Data Subject Access Request may cover information which relates to an individual or individuals other than the data subject. Access to such data will not be granted, unless the individuals involved consent to the disclosure of their data.
    • Repeat requests – Where a similar or identical request in relation to the same data subject has previously been complied with within a reasonable time period, and where there is no significant change in personal data held in relation to that data subject, any further request made within a six month period of the original request will be considered a repeat request, and the Company will not normally provide a further copy of the same data.
    • Publicly available information – The Company is not required to provide copies of documents which are already in the public domain.
    • Opinions given in confidence or protected by copyright law – The Company does not have to disclose personal data held in relation to a data subject that is in the form of an opinion given in confidence or protected by copyright law.

DSAR Refusals

There are situations where individuals do not have a right to see information relating to them. For instance:

  • If the information is kept only for the purpose of statistics or research, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved.
  • Requests made for other, non-data protection purposes can be rejected.

If the responsible person refuses a Data Subject Access Request on behalf of the Company, the reasons for the rejection must be clearly set out in writing. Any individual dissatisfied with the outcome of his/her Data Subject Access Request is entitled to make a request to the Data Protection Officer to review the outcome.

Responsibilities

The overall responsibility for ensuring compliance with a DSAR rests with the Data Protection Officer.

If the Company acts as a data controller towards the data subject making the request then the DSAR will be addressed based on the provisions of this procedure.

If the Company acts as a data processor the Data Protection Officer will forward the request to the appropriate data controller on whose behalf the Company processes personal data of the data subject making the request.

THIS POLICY WAS REVIEWED IN FEBRUARY 2020

BUSINESS CONTINUITY PLAN

Background

The objective of Information Security, Business Continuity Management and Back-Up Arrangement (BCM) is to ensure the timely resumption and delivery of essential business activities in the event of service disruption by maintaining the key business resources required to support delivery of those activities.

The primary aim of this policy is to create a plan for mitigating some of an organization’s risks.

SOURCES OF DISRUPTION

In the course of our business over the years, we have identified some common sources of service failure, which include:

  1. Internet failure:

    Since all our business operations are done online, the internet has become a very critical factor in our day-to-day business operations. However, due to the peculiarities of our operating environment, the internet sometimes fails, resulting in our inability to carry out some of the required operations.

  2. System Failure:

    In some cases, software issues or even hardware issues may affect our ability to attend to our clients. Some of these issues include operating system crashes and software failure or malfunction, among others.

  3. Server failure from our OMS vendor:

    There is a possibility of system failure from our vendor even though not yet experienced; it is, however, considered a possibility. If this occurs, some parts of our business activities shall be disrupted.

PLANS TO MITIGATE ABOVE IDENTIFIED THREAT

  1. Internet failure:

    In order to avoid service disruption as a result of internet failure, we shall always subscribe to the services of two or more internet service providers in order to enable us to switch to whichever is working at the time of any particular failure. This implies that we shall have more than one 4G router that we can switch the entire network to whenever there is downtime from any of the providers.

  2. System Failure:

    The IT department must be equipped with personnel that can attend to issues arising from computer hardware and software, in order to promptly fix the affected systems.

  3. Server failure from our OMS vendor:

    We shall always have a disaster recovery site (a separate environment not hosted on the same server as the main software applications) into which we can move the last database backup in order to continue business operations without delay. This must be discussed with our vendor Programos, in order to work out the best model to recover from whichever failure may occur in this regard.

PREPARED BY: MR. ANTHONY OJEWALE

APPROVED BY: Chairman, Board of Directors

DATE: February 22, 2021