← Back to Home

NDPA 2023 Compliance

Last Updated: February 2025

Nigeria Data Protection Act 2023

GbamGbam is committed to complying with the Nigeria Data Protection Act 2023 (NDPA) and protecting the personal data of our users. This document explains your rights under Nigerian law.

1. Legal Basis for Processing

We process your personal data based on the following legal grounds under NDPA:

  • Consent (Section 35): You provide explicit consent when creating an account and agreeing to our Terms of Service
  • Contractual Necessity: Data processing is necessary to provide our Esusu, Jobs, and KCH services
  • Legal Obligation: We comply with Nigerian regulatory requirements
  • Legitimate Interest: Fraud prevention, security, and platform improvement

2. Your Rights Under NDPA 2023

Right to Access (Section 34)

You have the right to request confirmation and access to your personal data.

Action: Contact legal@gbamgbam.ng to request a copy of your data.

Right to Rectification (Section 34)

You may request correction of inaccurate or incomplete personal data.

Action: Update your profile in settings or contact us for changes.

Right to Erasure (Section 34(1)(d))

You have the right to request deletion of your personal data ("Right to be Forgotten").

Action: Use "Delete Account" in settings or email legal@gbamgbam.ng. Deletion will be processed within 30 days.

Right to Data Portability (Section 34)

You may receive your personal data in a structured, machine-readable format.

Action: Use "Export Data" in your account settings or request via email.

Right to Object (Section 34)

You may object to processing based on legitimate interests.

Action: Contact legal@gbamgbam.ng with your objection.

Right to Withdraw Consent (Section 35)

You may withdraw consent at any time without affecting lawfulness of prior processing.

Action: Update privacy preferences in settings or delete your account.

Right to Restrict Processing

In certain circumstances, you may request we limit data processing.

Action: Contact legal@gbamgbam.ng.

3. Data Categories We Process

  • Identity Data: Phone number, email (optional)
  • Transaction Data: Esusu contributions, job history, KCH transfers
  • Behavioral Data: Login times, activity patterns
  • Technical Data: IP address, device information
  • Reputation Data: Score, verification status, witness attestations

4. Data Retention Policy

Under NDPA principles, we retain data only as long as necessary:

  • Active Users: Data retained while account is active
  • Inactive Users: Warning at 6 months, deletion at 12 months
  • Deleted Accounts: 30-day grace period for recovery, then full deletion
  • Legal Holds: Data may be retained longer if required by law

5. Data Breach Notification

In the event of a personal data breach posing a risk to your rights and freedoms, we will:

  • Notify you within 72 hours of becoming aware (NDPA requirement)
  • Provide information in plain, clear language
  • Describe the nature of the breach and likely consequences
  • Outline measures taken to address the breach

6. Data Subject Requests

To make a data subject request:

  1. Email legal@gbamgbam.ng
  2. Specify the right you wish to exercise
  3. Provide identifying information (phone number associated with account)
  4. We will respond within 30 days as required by NDPA

7. Cross-Border Data Transfers

Your personal data may be transferred to countries outside Nigeria. We ensure adequate protection through:

  • Standard contractual clauses with third-party service providers
  • Compliance with NDPC regulations on international transfers
  • Ensuring recipient countries have adequate data protection laws

8. Third-Party Processors

We share data with the following processors who comply with NDPA:

  • Flutterwave: Payment processing (Nigeria & Kenya)
  • Termii: SMS OTP verification (Nigeria-based)
  • Resend: Email services (with EU/US data centers)

9. Nigeria Data Protection Commission (NDPC)

If you believe your data rights have been violated, you may complain to the NDPC:

  • Email: complaints@ndpc.gov.ng
  • Website: www.ndpc.gov.ng
  • Address: Abuja, Nigeria

10. Our Data Protection Officer

GbamGbam has designated a Data Protection Officer responsible for NDPA compliance. Contact:

11. Consent Management

You can manage your data preferences:

  • Email Marketing: Opt in/out in account settings
  • Data Sharing: Control sharing with partners in settings
  • Cookies: Manage browser cookie preferences

12. Audit Trail

We maintain an audit log of all data processing activities as required by NDPA. This includes:

  • Data access logs
  • Consent records with timestamps
  • Data modification history
  • Deletion request records

13. Declaration of Compliance

GbamGbam is committed to protecting your privacy and complying with the Nigeria Data Protection Act 2023. We regularly review our practices to ensure ongoing compliance.

For questions about this NDPA Compliance Notice or our data practices, please contact legal@gbamgbam.ng