Website Privacy Notice

This Privacy Notice explains how Stephen Alaekwe & Co (“SAC”, “we”, “us”, or “our”) collects, uses, processes, stores, shares, and protects personal data through the sac.ng website and in connection with our professional services.

This Notice applies to all visitors to sac.ng, all persons who submit enquiries or contact forms through the website, all recipients of SAC communications, and all individuals whose personal data SAC processes in connection with its service delivery.

SAC is a licensed Data Protection Compliance Organisation (DPCO) operating under the Nigeria Data Protection Act 2023 (“NDPA”) and its General Application and Implementation Directive (“GAID”). As a licensed DPCO, SAC applies to its own processing the same standards it advises clients to meet. This Notice reflects that commitment.

The data controller for all personal data processed through sac.ng is:

SAC is registered with the NDPC as a Data Controller and Processor of Major Importance (DCPMI) and holds a current DPCO licence. Our data protection practices are subject to NDPC supervision.

We collect only the personal data necessary for the specific purpose for which it is collected. The categories of data we process through sac.ng are set out below.

We collect personal data through the following means:

• Website contact forms — including the general contact form, resource download forms, newsletter signup, and training enquiry forms on sac.ng.
• Direct email correspondence — when you email us at info@sac.ng, privacy@sac.ng, training@sac.ng, or products@sac.ng.
• Resource and checklist downloads — when you request a free resource from the SAC Resources page, we collect the information you provide in the request form.
• Newsletter and insights subscriptions — when you subscribe to the SAC Insights Digest through the website.
• Telephone enquiries — when you call SAC, we may record your name and enquiry details for follow-up purposes.
• Automatic technical data collection — through cookies and similar technologies when you visit sac.ng. See Section 7 for details.

We do not purchase personal data from third-party data brokers or marketing lists. We do not collect personal data from social media platforms without your knowledge.

We do not use personal data collected through sac.ng for automated decision-making or profiling that produces legal or similarly significant effects.

SAC processes personal data only where a lawful basis under the NDPA 2023 applies. The lawful bases we rely on are:

• Consent (NDPA Section 25(1)(a)): Where you have provided a clear, freely given, specific, informed, and unambiguous indication of agreement — for example, by submitting a newsletter subscription form or a resource download form with a checked consent box. You may withdraw consent at any time by contacting us at privacy@sac.ng. Withdrawal of consent does not affect the lawfulness of processing conducted before the withdrawal.
• Contract performance (NDPA Section 25(1)(b)): Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into a contract — for example, managing an advisory engagement or training programme.
• Legal obligation (NDPA Section 25(1)(c)): Where processing is necessary to comply with a legal obligation to which SAC is subject — for example, maintaining records required by regulatory authorities or responding to lawful requests from the NDPC.
• Legitimate interests (NDPA Section 25(1)(f)): Where processing is necessary for SAC’s legitimate interests or the legitimate interests of a third party, provided those interests are not overridden by your interests or fundamental rights. SAC relies on legitimate interests for: responding to professional enquiries, analysing website usage to improve our services, and maintaining professional records. We have conducted a legitimate interests assessment for each processing activity that relies on this basis.

sac.ng uses cookies and similar technologies to support the functionality of the website and to understand how visitors use it. This section explains what we use and why.

SAC does not use advertising or targeting cookies. We do not track visitors across third-party websites. We do not share analytics data with advertising platforms.

You can manage your cookie preferences through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, and receive warnings before cookies are placed. Note that disabling strictly necessary cookies may affect your ability to use certain features of sac.ng.

Our analytics are configured to respect Do Not Track browser signals where technically possible. We use privacy-respecting analytics tools and configure them to minimise personal data retention.

SAC does not sell personal data. We do not share personal data with third parties for their own marketing purposes. We share personal data only in the following limited circumstances:

• Service providers (data processors): We engage third-party service providers to support the operation of sac.ng and our professional services — including website hosting, email delivery, and practice management tools. Each service provider is engaged under a Data Processing Agreement that requires them to process personal data only on SAC’s instructions, maintain appropriate security, and comply with applicable data protection law.
• Professional collaborators: Where SAC engages qualified professional collaborators to assist in delivering a specific advisory engagement, relevant personal data necessary for that engagement may be shared with them under appropriate confidentiality obligations.
• Legal and regulatory requirements: We may share personal data with the NDPC, law enforcement agencies, or other regulatory authorities where required by law, court order, or regulatory demand. We will notify you of any such disclosure where legally permitted to do so.
• Business transfers: In the event of a merger, acquisition, or transfer of SAC’s business or assets, personal data may be transferred to the successor entity. We will notify affected data subjects before any such transfer takes effect, and the successor will be required to process personal data in accordance with this Notice or a materially similar notice.

Where we share data with service providers located outside Nigeria, we ensure that appropriate transfer safeguards are in place in accordance with NDPA Sections 43–44. See Section 13 for further details.

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law or professional obligations. Our retention schedule is as follows:

At the end of the applicable retention period, personal data is securely deleted or anonymised in accordance with SAC’s data deletion procedure. Anonymised data (from which you cannot be identified) may be retained beyond these periods for statistical and reporting purposes.

SAC implements technical and organisational security measures appropriate to the nature and sensitivity of the personal data we process, in accordance with NDPA Section 38 and the GAID’s security requirements. Our security measures include:

• Encryption in transit: All data transmitted between your browser and sac.ng is encrypted using TLS (HTTPS). We do not operate unencrypted pages that process personal data.
• Access controls: Personal data held by SAC is accessible only to individuals who require access for professional purposes, subject to role-based access controls and confidentiality obligations.
• Third-party security requirements: All service providers who process personal data on SAC’s behalf are required to maintain security standards appropriate to the data they process, as specified in our Data Processing Agreements.
• Security review: SAC reviews its security practices as part of its internal compliance programme and in connection with the annual Compliance Audit Return submitted to the NDPC.
• Incident response: SAC maintains a breach response capability and a documented breach response procedure. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify you and the NDPC within the timeframes required by NDPA Section 40.

As a data subject under the NDPA 2023, you have the following rights in relation to your personal data processed by SAC. We will respond to all data subject requests within 30 days of receipt, or within such extended period as permitted by the NDPA where the request is complex.

To exercise any of the rights described in Section 11, please contact SAC’s privacy function using the details below. SAC will acknowledge your request within 3 business days and respond substantively within 30 days, unless the request is complex or we receive multiple requests simultaneously, in which case we may extend this period by a further 30 days with notice to you.

• Preferred contact: privacy@sac.ng — subject line: “Data Subject Request”
• Alternative contact: info@sac.ng
• Postal address: Data Protection Officer, Stephen Alaekwe & Co, Suite 8, Crown Plaza, Utako, Abuja FCT, Nigeria

To enable SAC to process your request efficiently, please provide: your full name and contact email address; a clear description of the right you wish to exercise and the specific data concerned; and such proof of identity as SAC may reasonably require to verify that the request is made by or on behalf of the data subject concerned.

sac.ng may be accessed from outside Nigeria, and SAC may use service providers whose servers or technical infrastructure are located outside Nigeria. Where personal data is transferred outside Nigeria, SAC takes the following steps to ensure that such transfers comply with NDPA Sections 43–44:

• Adequacy determination: Where the NDPC has determined that a recipient country provides adequate protection for personal data, transfers to that country proceed without additional safeguards beyond those in this Notice.
• Standard Contractual Clauses (SCCs): Where no adequacy determination is in place, SAC incorporates appropriate data transfer clauses into its agreements with service providers, requiring them to provide equivalent protections to those available under the NDPA.
• Supplementary measures: Where required by the transfer risk assessment for a particular transfer, SAC implements additional technical or contractual measures to protect transferred data.
• Consent: For specific, occasional transfers not covered by the above mechanisms, SAC may rely on your explicit consent after informing you of the absence of an adequacy determination and the associated risks.

The service providers SAC currently uses include hosting, analytics, and email delivery services. Their processing locations and applicable transfer mechanisms are documented in SAC’s Records of Processing Activities. You may request this information by contacting privacy@sac.ng.

SAC will review and update this Privacy Notice periodically, in particular where there are material changes to our processing activities, changes to applicable law or NDPC guidance, or following our annual Compliance Audit Return review.

When we make material changes to this Notice, we will update the “Last reviewed” date at the top of the page and, where the changes are significant, we will notify active subscribers by email and display a prominent notice on sac.ng for a reasonable period following the update.

The current version of this Notice is the version displayed at sac.ng/privacy-notice. We recommend reviewing this Notice periodically. Prior versions are available on request from privacy@sac.ng.

If you have questions, concerns, or requests relating to this Privacy Notice or SAC’s processing of your personal data, please contact us using any of the following channels:

SAC aims to resolve privacy concerns promptly and constructively. If you remain dissatisfied with SAC’s response to a privacy concern, you have the right to escalate your complaint to the NDPC without first contacting SAC, although we encourage direct contact in the first instance.