Last Updated: 2025-11-14
This document is prepared in accordance with the provisions of the Nigeria Data Protection Act, 2023 and the Nigeria Data Protection Act (NDPR). It sets out how SunTrust Bank applies and complies with the principles of the act and regulation in processing the personal data of individuals, clients, vendors, and even third parties that interact with SunTrust Bank. This privacy policy describes how we collect and process your personal information through your use of our data collection forms/website (“the site”) and the account you open with us (“Account”), to create account profile, to ensure security of the website and to enable you use our products. The primary purpose of this policy is to provide you with better understanding of:
-Information we collect
-How we use the data we collect
-Who we share your data with?
-Lawful grounds of processing
-Retention period
-Your data right
-How to contact us
-How to contact the regulatory body (NDPC)
-Security of the personal data we hold
SunTrust Bank is a privately held Commercial Bank licensed by the Central Bank of Nigeria under the Banks and Other Financial Institutions Act (BOFIA).
SunTrust Bank is poised to create value for its customers by leveraging on our competencies and a team of highly motivated staff. We work tirelessly to develop & provide a broad range of unique financial services and products to consumers, small businesses, corporations, governments and institutions that will positively impact their business.
We strive to create the best outcomes for our clients and customers with financial ingenuity that leads to solutions that are simple, creative and responsible. The Bank focuses its lending activities on SME Finance, Retail/Consumer Banking, and medium to large Corporate Finance and explores other specialized Development/infrastructure financing activities.
Under the Nigeria Data Protection Act (NDPA) personal data is defined as:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This Privacy Policy tells you how we, SunTrust Bank, collect and use your personal data for the purpose of delivering our banking and financial services, managing our customer relationships, ensuring regulatory compliance, and maintaining the security and integrity of our operations.
We will process (collect, use and store) the information you provide in a manner that complies with the Nigeria Data Protection Act (NDPA). We will endeavour to keep your information accurate and up to date and not keep it for longer than is necessary. SunTrust Bank is required to retain information in accordance with the law, such as information needed for income tax and audit purposes. The retention period for certain kinds of personal data may also be governed by specific business-sector requirements and agreed practices. Personal data may be held in addition to these periods depending on individual business needs.
The personal data we would collect and process, depending on the particular processing requirement, are under the following categories:
| Personal Data Type | Description of Data | Sources |
|---|---|---|
| Identity Data | Full Name, maiden name, marital status, title, biometric information, national identification number (NIN), passport details, driver’s licence details, date of birth, gender, address, biometric, face ID, employment history and citizenship. | Provided directly by the individual (e.g., registration, onboarding, or KYC forms), Obtained from government identity databases or authorized verification partners. |
| Contact Data | Address, Email Address and Telephone Numbers. Information received during contact with face-to-face meetings, phone calls, emails, letters and SMS. | Provided directly by the individual, Updated internally through HR, CRM, or customer service channels. |
| Financial Data | Bank account details (account number, bank name, branch), Payment card information (masked), Salary, allowances, or benefits data, Transaction and payment history. | Provided by the individual, Generated internally through payroll or transaction systems, Obtained from financial institutions or payment processors. |
| Employment Professional Data | Job title and department, Employment history and qualifications, Performance and appraisal records, Reference or referee details, Work-related communications, Data submitted throughout the recruitment process e.g. name, email address. Any personal information provided to SunTrust Bank Limited as part of the recruitment process. | Provided by the employee or job applicant, Generated internally by HR and management systems, Obtained from referees or recruitment agencies. |
| Transaction Data | Details about payments to and from you, transaction history, account activity, and related records of goods or services provided. | Automatically generated through our business systems, financial applications, and service platforms. |
| Technical Data | IP address, device identifiers, browser type, operating system, login credentials (username, encrypted password), access logs, time zone setting and location, browser plug-in types and versions, user security event data and other technology such as geolocation, model, IP and agent on the devices used to access SunTrust website/services. | Automatically collected when you use our systems, applications, or online platforms; generated through IT infrastructure and security monitoring tools. |
| Profile Data | Username and password, preferences, interests, feedback, and responses to surveys or forms. | Provided directly by the individual, generated through user account creation, surveys, or interactions with our services. |
| Usage Data | Information on how you use our website, applications, and products such as login times, page views, session duration, system interactions, etc. | Automatically collected via cookies, web analytics, or internal monitoring systems. |
| Marketing and Communication Data | Your preferences in receiving marketing materials, records of communications, campaign responses, and participation in promotions or surveys. | Provided directly by the individual (e.g., subscription forms, feedback surveys) or generated through marketing platforms and communications systems. |
| Third-Party and Public Source Data | Background verification reports, credit history, or data from public profiles and government registries. | Obtained from authorised third-party service providers, business partners, or publicly available sources. |
| Others | CCTV footage, visitor logbook entries, and access control system records. | Automatically captured through physical security systems (e.g., CCTV, access card readers, and visitor management systems). |
We need to collect your personal data in order for us to provide you with our services. In any event, we are committed to ensuring that the information we collect, and use is appropriate for this purpose(s) only, and will in no way invade your privacy. If there is a need to use your personal data for marketing purpose, SunTrust Bank will ensure to seek additional consent from you. SunTrust Bank shall not collect or process more data than is reasonably required for a particular processing activity. In addition, every processing purpose has at least one lawful basis for processing to safeguard the rights of the data subjects, as listed below:
| Purpose of Processing | Lawful Basis of Processing |
|---|---|
To provide banking and financial services
|
Performance of Contract – Processing is necessary to fulfil our contractual obligations to you as a customer. |
To verify your identity and perform KYC checks
|
Legal Obligation – Required under banking, AML/CFT, and KYC regulations issued by the CBN and other authorities. |
To prevent fraud and enhance security
|
Legal Obligation and Legitimate Interest – Required to comply with anti-fraud and AML laws and to protect our systems and customers from financial crime. |
To comply with applicable laws and regulatory requirements
|
Legal Obligation – Required by financial and data protection regulations. |
To communicate with you
|
Performance of a Contract and Legitimate Interest – To provide timely information relevant to your banking relationship. |
To improve our services and customer experience
|
Legitimate Interest – To enhance the quality, performance, and user experience of our banking products and platforms. |
For marketing and promotional communications
|
Consent – We will only send marketing materials with your prior consent. You can withdraw this consent at any time. |
To manage employment and recruitment
|
Performance of a Contract (employment relationship) and Legal Obligation – Required under labour and tax laws. |
To handle complaints, disputes, and legal claims
|
Legal Obligation and Legitimate Interest – To comply with legal requirements and protect our legal interests. |
To maintain business continuity and disaster recovery
|
Legitimate Interest and Legal Obligation – To ensure service reliability and compliance with operational resilience regulations. |
To perform internal audits and risk assessments
|
Legitimate Interest – To ensure compliance, manage risk, and strengthen governance processes. |
To ensure physical and information security
|
Legitimate Interest – To safeguard our premises, assets, employees, and information systems. |
Where Legitimate Interest is considered the legal basis for processing personal data, SunTrust Bank shall follow the steps below in carrying out a Legitimate Interest Assessment.
Determine the Purpose for ProcessingIn carrying out the purpose test, SunTrust Bank must establish the exact reason for the processing and how it benefits the organisation. Answers to the following shall be provided to determine the exact purpose for processing:
-Description of the processing objective
-The likelihood of meeting the objective and how to determine if the objective was met
-The benefit of the processing and the significance to the organisation
-Description of the possible impact of not processing and any other issues that might be relevant
Determine the Necessity of the ProcessingSunTrust Bank must establish why the processing must take place, how the processing relates to the expected benefits, and any other alternatives and why there were not considered.
Balance the identified interest with the Privacy Interest of the Data SubjectsThe following questions will be addressed under the balance test:
-Who are the data subjects (category)?
-What is the relationship between SunTrust Bank and the data subject?
-What personal data is to be processed?
-How will the processing impact the data subject?
-How will the data subject react to the processing?
SunTrust Bank records this information in line with this policy, data protection impact assessment, and data inventory.
SunTrust Bank requires your explicit consent to process collected personal data. And by consenting to this privacy policy, you are giving us the permission to use/process your personal data specifically for the purpose identified before collection.
If, for any reason, SunTrust Bank is requesting sensitive personal data from you, you will be rightly notified why and how the information will be used.
You may withdraw consent at any time by requesting for Withdrawal of Consent form, following the SunTrust Bank Withdrawal of Consent Procedure.
SunTrust Bank may share your personal data with trusted third-party service providers engaged to perform specific functions on our behalf, such as payment processing, data hosting, identity verification, and customer support. These third parties are contractually bound to use the data only for the purpose provided and to protect it in accordance with SunTrust Bank’s information security and data protection standards.
Where personal data is processed on our behalf, a Data Processing Agreement (DPA) is executed to ensure that appropriate technical, organizational, and physical safeguards—such as encryption, access control, and secure disposal—are in place to prevent unauthorized access, loss, or misuse.
SunTrust Bank will not disclose your personal data without your consent, except where required by law, court order, or for legitimate business purposes such as fraud prevention, regulatory compliance, or the protection of rights.
If sensitive personal data must be shared, your explicit consent will be obtained, unless disclosure is legally mandated. Upon completion of their service, third parties are required to return or securely dispose of all personal data in accordance with the Bank’s data retention and disposal policies.
Where personal data is transferred to a third party or service provider outside Nigeria, SunTrust Bank ensures that such transfers are made in compliance with applicable data protection laws, using adequate safeguards such as data transfer agreements, standard contractual clauses, or confirmation that the receiving country provides an equivalent level of data protection.
In a case where the disclosure is to third parties outside the jurisdiction of the GDPR and NDPA, SunTrust Bank will ensure that the third party meets the core regulatory standards prior to the transfer. This may include transferring the personal data to the third party where SunTrust Bank has satisfied that:
– the country of the recipient has adequate data protection controls established by legal or self-regulatory regime
– SunTrust Bank has a contract in place that uses existing or approved data protection clauses to ensure adequate protection
– SunTrust Bank is making the transfer under approved binding corporate rules
– SunTrust Bank is relying on approved codes of conduct or certification mechanisms, together with binding and enforceable commitments in the foreign country or international organisation to apply the appropriate safeguards in relation to data subject right
– Provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority
In compliance with the Nigeria Data Protection Act (NDPA) and relevant regulatory requirements, SunTrust Bank will retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including service delivery, legal, accounting, or reporting obligations.
Retention considerations include the purpose of processing, type of data, lawful basis, and category of data subject. Generally, personal data is retained for up to ten (10) years after the end of the relationship with the data subject, or as otherwise required by applicable laws and regulations.
Transaction data will be retained for a minimum of five (5) years in accordance with financial record-keeping obligations.
When personal data is no longer required for these purposes, SunTrust Bank will ensure it is securely archived, anonymized, deleted, or destroyed in line with the Bank’s data retention and disposal policy.
According to the provision of the GDPR/NDPA, data subject has certain rights at any point while SunTrust Bank are in possession of or processing your personal data, you, the data subject, have the right to:
– Request a copy of the information that we hold about you
– Correct the data that we hold about you that is inaccurate or incomplete
– Right to rectify inaccurate data
– Ask for the data we hold about you to be erased from our systems/record
– Restrict processing of your personal data where certain conditions apply
– Have the data we hold about you transferred to another organisation
– Object to certain types of processing like direct marketing
– Object to automated processing like profiling, as well as the right to be subject to the legal effects of automated processing or profiling
Right to Lodge Complaint to the Supervisory Authority (Nigeria Data Protection Commission) at Info@ndpc.gov.ng
SunTrust Bank, at your request, can confirm what information we hold about you and how it is processed. If we do hold your personal data, you have the right to request the following information:
All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.
All information you provide to us is stored securely on systems protected by appropriate technical, physical, and organizational measures to prevent unauthorized access, disclosure, alteration, or destruction. We implement appropriate, generally accepted technical and organisational measures to protect your personal data such as (firewalls, password access and encryption methods) against unauthorised or unlawful Processing, accidental loss, destruction, or damage.
While we employ industry-standard measures to protect your personal information, please note that transmission of data over the Internet is never entirely secure. We therefore cannot guarantee the absolute security of data transmitted to our servers online; such transmission is at your own risk. Once we receive your information, we apply strict controls and procedures to prevent unauthorized access, alteration, or disclosure.
Our Privacy policy may from time to time be updated for whatever reason. The latest version of our privacy statement will replace the earlier versions, unless it provides otherwise.
We may notify you of changes to our privacy by email or through direct message. However, we would appreciate that you review our Privacy Policy periodically in case of any change.
To file a complaint about how your data is handled, contact:
Email: Info@ndpc.gov.ng