Purpose of this statement
This statement supplements our Privacy Policy and details Gibson Mayo Financial Services’ compliance with:
- Ghana’s Data Protection Act, 2012 (Act 843)
- Nigeria’s Data Protection Act, 2023 (NDPA)
It identifies our role as Data Controller, the lawful bases on which we process personal data, and the rights you have as a data subject.
Data Controller
- Name
- Gibson Mayo Financial Services
- Registered address
- Accra, Ghana
- Data Controller contact
- Mbamti Gibson Mayo, Founder
- Data Protection Officer
- Mbamti Gibson Mayo (small business, DPO function fulfilled by Founder)
Personal data we process
We process the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Contact information | Name, email, phone | Direct from you |
| Business information | Company name, business type, location | Direct from you |
| Service-related data | Financial records, transaction data, pricing information | Direct from you (clients only) |
| Event registration | Name, email, location, expectation responses | Direct from you |
| Communications | Messages you send us, our replies | Direct from you |
| Site analytics | Country / city, device type, pages visited | Plausible Analytics (no cookies) |
Lawful bases
We process personal data on one or more of these bases (Ghana DPA Section 20; NDPA Section 25):
- Consent: for newsletter subscription, event registration, and contact form submissions
- Contract: to deliver paid services to clients
- Legal obligation: to comply with tax, accounting, and audit law
- Legitimate interest: for site security, analytics, and service improvement
Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
Your rights as a data subject
Under both Ghana’s DPA and Nigeria’s NDPA you have the following rights:
| Right | What it means |
|---|---|
| Right of access | Request a copy of the personal data we hold about you |
| Right of rectification | Have inaccurate or incomplete data corrected |
| Right of erasure | Request deletion of your personal data, subject to legal retention obligations |
| Right to restrict processing | Limit how we use your data in certain circumstances |
| Right to object | Object to processing based on legitimate interest, including for marketing |
| Right of data portability | Receive your data in a structured, commonly used, machine-readable format |
| Right to withdraw consent | At any time, where processing is based on consent |
| Right to complain | Lodge a complaint with the relevant data protection authority |
How to exercise your rights
Email info@gibsonmayofinancials.com with:
- Subject line: “Data Subject Request”
- The right you wish to exercise
- Sufficient information to verify your identity (we may request additional verification before acting)
We respond within 30 days of receiving a valid request, in line with Ghana DPA and NDPA timelines. If your request is complex or numerous, we may extend by a further 30 days and notify you.
Data Protection Authority contacts
If you’re unsatisfied with our response to a data request, you can contact:
Ghana, Data Protection Commission
Website: dataprotection.org.gh
Email: info@dataprotection.org.gh
Nigeria, Nigeria Data Protection Commission (NDPC)
Website: ndpc.gov.ng
Email: info@ndpc.gov.ng
Data breach reporting
In the event of a personal data breach affecting your data, we will:
- Notify the Data Protection Commission of Ghana within 72 hours (where required)
- Notify the NDPC within 72 hours (where required under NDPA)
- Notify you directly if the breach is likely to result in a high risk to your rights and freedoms
Updates
This statement is reviewed at least annually and updated as needed to reflect changes in our practices or applicable law.