PRIVACY POLICY
HABEEB JIMOH & ASSOCIATE
Last updated: January 1, 2026
1. Introduction and Scope of Application
Habeeb Jimoh & Associate Law Firm, hereinafter referred to as "the Firm," recognizes the profound importance of protecting the personal data entrusted to us by our clients, website visitors, and other individuals with whom we interact during the course of our professional activities. This comprehensive Privacy Policy articulates the Firm's unwavering commitment to data protection and outlines the meticulous procedures implemented to ensure compliance with a complex array of international and domestic data protection legislation. These laws include, but are not limited to, the European Union's General Data Protection Regulation (GDPR), and the Nigeria Data Protection Act (NDPA), alongside other relevant sector-specific and common law duties of confidentiality.
This Policy applies to all forms of personal data processing undertaken by the Firm, whether collected through our official website, through electronic communications, during the provision of legal services, or in connection with our recruitment and business development activities. The scope of this document extends to all employees, partners, consultants, and third-party service providers who process personal data on the Firm's behalf, establishing a uniform and rigorous standard for data handling across the entire organization. The Firm operates as the Data Controller for the purposes described herein, determining the means and purposes of the processing of personal data.
2. Definitions of Key Terms
To ensure clarity and precision within this formal document, the following terms carry the specific meanings assigned below, reflecting the terminology used in prevailing data protection frameworks:
| Term | Definition |
| --- | --- |
| Personal Data | Any information relating to an identified or identifiable natural person (a 'Data Subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. |
| Sensitive Personal Data | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. For a law firm, this also includes information relating to criminal convictions and offenses, and the highly confidential details of legal matters. |
| Processing | Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. |
| Data Subject | The identified or identifiable natural person to whom the Personal Data relates. |
| Data Controller | The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In the context of this Policy, this is Habeeb Jimoh & Associate Law Firm. |
| Data Processor | A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. |
3. Categories of Information We Collect
The Firm collects various categories of Personal Data necessary for the operation of our legal practice and the provision of professional services. The collection methods are segmented to ensure that only data strictly necessary for a specified purpose is acquired, adhering to the principle of data minimization.
3.1. Information Collected Directly from You
This category encompasses data provided by you when engaging with the Firm, including but not limited to:
· Identification and Contact Data: Full name, title, professional affiliation, postal address, telephone numbers, email addresses, and passport or national identification details required for Know Your Client (KYC) and Anti-Money Laundering (AML) checks.
· Professional and Employment Data: Job title, employer, professional background, and details contained within curricula vitae or application forms submitted for employment or consultancy roles.
· Financial and Transactional Data: Bank account details, payment card information, billing and payment history, and other financial records necessary for invoicing and managing client accounts.
· Client Matter Data: All information, including highly sensitive and confidential details, provided to the Firm for the purpose of receiving legal advice or representation. This constitutes the core of the Firm's data processing activities and is protected by legal professional privilege and strict confidentiality obligations.
3.2. Information Collected Indirectly or from Third Parties
In the execution of our legal mandates, the Firm often receives Personal Data from sources other than the Data Subject, which may include:
· Public Records and Databases: Information obtained from government registries, court records, land registries, and professional directories for due diligence, litigation support, or conflict checks.
· Opposing Parties and Counsel: Personal Data disclosed during the course of litigation, negotiation, or other legal proceedings.
· Referral Sources: Information provided by other law firms, existing clients, or professional intermediaries when referring a new matter or client.
· Background Check Providers: Data acquired from specialized third-party services for the purpose of conducting necessary background, KYC, and AML checks as required by law.
3.3. Information Collected Automatically (Technical Data)
When you interact with the Firm's website or electronic communications, certain technical data is automatically collected to enhance functionality and analyze usage patterns. This data includes:
· Internet Protocol (IP) Addresses: The unique numerical address assigned to your device when connecting to the internet.
· Device and Browser Information: Details concerning the operating system, browser type, and device identifiers.
· Usage Data: Information regarding your activity on our website, such as pages viewed, time spent on pages, links clicked, and the referring website address.
· Cookie Data: Information collected through cookies and similar tracking technologies, as detailed in Section 12 of this Policy.
4. Legal Basis for Processing Personal Data
The Firm processes Personal Data only when a valid legal basis exists for doing so, ensuring that all processing activities are lawful, fair, and transparent. The primary legal bases relied upon by the Firm are detailed below:
4.1. Performance of a Contract
The processing of Personal Data is necessary for the performance of a contract for legal services to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into such a contract. This basis applies specifically to data required to:
· Establish and manage the client relationship, including conflict checks and engagement letters.
· Provide the requested legal advice, representation, and related professional services.
· Process payments and manage billing for services rendered.
4.2. Compliance with a Legal Obligation
The Firm is subject to various legal and regulatory obligations that necessitate the processing of Personal Data. This includes, but is not limited to, compliance with:
· Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) regulations, requiring the collection and verification of identity documents.
· Tax and accounting laws, requiring the retention of financial transaction records.
· Court orders, subpoenas, or other mandatory legal processes requiring the disclosure of information.
4.3. Legitimate Interests
The Firm processes Personal Data where it is necessary for the purposes of the legitimate interests pursued by the Firm or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data. The Firm's legitimate interests include:
· Business Administration: Managing the Firm's operations, including financial reporting, internal audits, and general administrative functions.
· Security and Fraud Prevention: Protecting the Firm's assets, networks, and information systems against unauthorized access, loss, or damage.
· Marketing and Business Development: Sending professional updates, legal alerts, and invitations to events to existing clients and professional contacts, provided that the Data Subject has not opted out of such communications.
· Recruitment: Assessing the suitability of job applicants for open positions within the Firm.
4.4. Consent
In limited circumstances, the Firm relies on the explicit, freely given, specific, and informed consent of the Data Subject for the processing of their Personal Data. This basis is typically used for:
· Sending direct marketing communications to individuals who are not existing clients.
· Processing certain categories of Sensitive Personal Data where no other legal basis applies.
· The use of non-essential cookies and tracking technologies on the Firm's website.
The Data Subject maintains the right to withdraw consent at any time, and the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
5. Purposes for Which We Process Personal Data
The Personal Data collected by the Firm is processed for specific, explicit, and legitimate purposes directly related to our function as a legal service provider and responsible business entity.
5.1. Provision of Legal Services
The primary purpose for processing Personal Data is the delivery of high-quality legal advice and representation. This involves:
· Analyzing facts, conducting legal research, and formulating legal strategies.
· Communicating with clients, opposing counsel, courts, and regulatory bodies.
· Preparing, filing, and managing legal documents and case files.
· Executing transactions and managing closings on behalf of clients.
5.2. Client Relationship Management
We process data to manage and enhance our relationship with clients and prospective clients, including:
· Maintaining accurate and up-to-date client records and contact information.
· Conducting conflict checks to ensure professional independence and adherence to ethical rules.
· Administering and managing billing, fee arrangements, and debt collection.
5.3. Marketing and Business Development
The Firm utilizes Personal Data to inform clients and contacts about legal developments, Firm news, and professional events that may be of professional interest. This processing is conducted in a manner that respects the Data Subject's preferences and includes:
· Distributing legal updates, newsletters, and publications.
· Organizing and managing seminars, webinars, and networking events.
· Analyzing the effectiveness of our marketing campaigns to improve relevance.
5.4. Recruitment and Human Resources
For individuals applying for employment or consultancy roles, the Firm processes Personal Data to:
· Evaluate qualifications, experience, and suitability for the position.
· Conduct reference checks and background screening.
· Manage the on-boarding process for successful candidates.
5.5. Website and IT Management
Technical data is processed to ensure the security, functionality, and continuous improvement of the Firm's digital infrastructure:
· Diagnosing and resolving technical issues and security incidents.
· Monitoring website traffic and usage patterns to optimize content and user experience.
· Ensuring the security and integrity of our network and data.
6. Data Sharing and Disclosure to Third Parties
The Firm does not sell Personal Data. Disclosure of Personal Data to third parties occurs only when necessary for the purposes outlined in this Policy, when legally required, or with the explicit consent of the Data Subject. All third-party recipients are subject to strict contractual obligations to maintain the confidentiality and security of the data.
6.1. Service Providers and Data Processors
We engage trusted third-party service providers to perform functions on our behalf, including:
· IT and Cloud Services: Providers of data hosting, software, and network security services.
· Financial Services: Banks, payment processors, and auditors.
· Administrative Support: Providers of document management, translation, and archiving services.
· Marketing and Communications: Platforms used for email distribution and event management.
6.2. Professional and Regulatory Disclosures
Personal Data may be disclosed to professional and regulatory bodies as required by our legal and ethical obligations:
· Courts and Tribunals: Disclosure necessary for the conduct of litigation or regulatory proceedings.
· Opposing Counsel and Parties: Disclosure required during the discovery phase or settlement negotiations.
· Regulators and Government Agencies: Disclosure to comply with AML, tax, or other mandatory reporting requirements.
· Professional Advisors: Disclosure to the Firm's own auditors, insurers, and external legal counsel.
6.3. Corporate Transactions
In the event of a merger, acquisition, or sale of all or a portion of the Firm's assets, Personal Data may be transferred to the acquiring entity, provided that the data remains subject to a privacy policy that is substantially similar to this one.
7. International Data Transfers
As a law firm with an international clientele and a commitment to global best practices, the processing of Personal Data often involves transfers across international borders, including transfers from the European Economic Area (EEA) and the United Kingdom (UK) to jurisdictions outside these areas, and vice versa.
7.1. Mechanisms for Lawful Transfer
The Firm ensures that all cross-border transfers of Personal Data are conducted in compliance with the stringent requirements of the NDPA, its GAID 2025, and the GDPR. Where Personal Data is transferred from Nigeria to a country not deemed to provide an adequate level of protection by the Nigerian government, the Firm implements appropriate safeguards, primarily through the use of:
· Standard Contractual Clauses (SCCs): The Firm utilizes the SCCs approved by the European Commission and the UK Information Commissioner's Office (ICO) as the primary mechanism for ensuring adequate protection.
· Binding Corporate Rules (BCRs): Where applicable, the Firm may rely on approved BCRs for intra-group transfers.
· Derogations: In limited circumstances, transfers may be based on specific derogations, such as the explicit consent of the Data Subject or the necessity of the transfer for the performance of a contract.
7.2. Specific Considerations for NDPA Compliance
Given the Firm's potential connection to Nigeria, the Firm adheres to the NDPA requirements for international transfers, which mandate that the recipient country must have an adequate data protection law, or the transfer must be subject to contractual clauses or other safeguards approved by the Nigeria Data Protection Commission (NDPC). The Firm undertakes a thorough assessment of the data protection regime in the recipient country before any transfer is executed.
8. Data Retention and Disposal
The Firm retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements. The determination of the appropriate retention period is based on several factors, including:
· The nature and sensitivity of the Personal Data.
· The potential risk of harm from unauthorized use or disclosure.
· The purposes for which we process the data and whether those purposes can be achieved through other means.
· Applicable legal and professional retention periods, particularly those related to legal professional privilege and statutory limitation periods for claims.
8.1. Data Retention Schedule (Illustrative)
The following table provides an illustrative overview of the retention periods applied to key categories of data, which are subject to periodic review and adjustment based on evolving legal and professional standards:
| Data Category | Retention Period | Legal/Professional Justification |
| --- | --- | --- |
| Client Matter Files (Hard & Electronic) | Minimum of seven (7) years after the conclusion of the matter. | Statutory limitation periods for professional negligence claims and regulatory requirements (e.g., AML). |
| Financial and Accounting Records | Minimum of six (6) years from the end of the relevant financial year. | Compliance with tax and corporate accounting legislation. |
| Recruitment Records (Unsuccessful Applicants) | Twelve (12) months from the date of notification of the outcome. | Defense against potential legal claims and consideration for future roles, unless consent for longer retention is obtained. |
| Marketing and Communication Data | Until the Data Subject opts out or withdraws consent. | Legitimate interest in maintaining contact, subject to the right to object. |
| Technical/Website Usage Data | Up to twenty-six (26) months for aggregated analytics data. | Optimization of website performance and security analysis. |
8.2. Secure Disposal Procedures
Upon the expiration of the retention period, the Firm ensures that Personal Data is securely disposed of or anonymized to prevent any subsequent identification. Disposal methods include:
· Electronic Data: Secure deletion, overwriting, or cryptographic erasure that renders the data irrecoverable.
· Hard Copy Documents: Shredding or incineration by certified secure disposal services.
9. Data Security Measures
The Firm implements robust technical and organizational measures designed to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Recognizing the highly confidential nature of the data handled by a law firm, our security framework is continuously reviewed and updated to meet or exceed industry standards.
9.1. Technical Safeguards
The technical controls employed to protect our data infrastructure include:
· Encryption: Use of industry-standard encryption protocols (e.g., AES-256) for data at rest (storage) and Transport Layer Security (TLS) for data in transit (communication).
· Access Control Systems: Implementation of multi-factor authentication (MFA) for remote access and least-privilege access principles, ensuring personnel can only access the data necessary for their specific role.
· Network Security: Deployment of advanced firewalls, intrusion detection and prevention systems (IDPS), and regular vulnerability scanning.
· Data Backup and Recovery: Maintenance of secure, encrypted, and geographically separated backups to ensure business continuity and data availability in the event of a disaster.
9.2. Organizational Safeguards
The Firm's commitment to security is reinforced by comprehensive organizational policies and procedures:
· Staff Training: Mandatory and regular data protection and security awareness training for all personnel, emphasizing the ethical and legal obligations of handling client data.
· Confidentiality Agreements: All employees and contractors are bound by strict confidentiality clauses that extend beyond the termination of their engagement.
· Data Protection Impact Assessments (DPIAs): Conducting DPIAs for new projects or systems that involve high-risk processing activities to proactively identify and mitigate privacy risks.
· Incident Response Plan: Maintaining a detailed and tested plan for the timely detection, containment, investigation, and reporting of any suspected or actual data breach.
10. Your Rights as a Data Subject
Under the NDPA and GDPR, Data Subjects possess a suite of rights concerning their Personal Data. The Firm is committed to facilitating the exercise of these rights in a timely and transparent manner.
10.1. The Right of Access (NDPA/GDPR)
You have the right to obtain confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to the Personal Data and specific information regarding the processing. This includes the purposes of the processing, the categories of data concerned, and the recipients to whom the data has been or will be disclosed.
10.2. The Right to Rectification (NDPA/GDPR)
You have the right to obtain from the Firm, without undue delay, the rectification of inaccurate Personal Data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
10.3. The Right to Erasure ('Right to be Forgotten') (NDPA/GDPR)
You have the right to request the erasure of Personal Data concerning you without undue delay when one of the following grounds applies: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and no other legal ground for processing exists; you object to the processing; or the data has been unlawfully processed. This right is subject to certain exceptions, particularly where the processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
10.4. The Right to Restriction of Processing (NDPA/GDPR)
You have the right to obtain restriction of processing where one of the following applies: the accuracy of the Personal Data is contested; the processing is unlawful and you oppose erasure; the Firm no longer needs the data for the purposes of processing but you require it for the establishment, exercise, or defense of legal claims; or you have objected to processing pending the verification of the legitimate grounds.
10.5. The Right to Data Portability (NDPA/GDPR)
Where processing is based on consent or on a contract, and the processing is carried out by automated means, you have the right to receive the Personal Data concerning you, which you have provided to the Firm, in a structured, commonly used, and machine-readable format. You also have the right to transmit that data to another controller without hindrance from the Firm.
10.6. The Right to Object (NDPA/GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to the processing of Personal Data concerning you which is based on the Firm's legitimate interests, including profiling. The Firm will cease the processing unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. You have an absolute right to object to processing for direct marketing purposes.
10.7. Procedure for Exercising Your Rights
To exercise any of these rights, you must submit a verifiable request to the Firm using the contact details provided in Section 15. The Firm will respond to all legitimate requests within one month of receipt, which may be extended by two further months where necessary, taking into account the complexity and number of the requests. We may require specific information from you to help us confirm your identity and ensure your right to access the data or to exercise other rights.
11. Cookies and Tracking Technologies
The Firm's website utilizes cookies and similar tracking technologies to enhance user experience, analyze website performance, and support marketing efforts. A cookie is a small text file placed on your device by a web server.
11.1. Categories of Cookies Used
The cookies deployed on our website fall into the following categories:
| Category | Purpose and Description | Data Protection Implications |
| --- | --- | --- |
| Strictly Necessary Cookies | Essential for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in, or filling in forms. | Processing is based on the Firm's legitimate interest in operating a functional website. No consent is required. |
| Analytical/Performance Cookies | Allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. | Processing requires explicit consent under NDPA/GDPR. Data is typically aggregated and anonymized where possible. |
| Functionality Cookies | Enable the website to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. | Processing requires explicit consent. Used to remember choices you make (such as your user name, language, or the region you are in). |
| Targeting/Marketing Cookies | May be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements on other sites. | Processing requires explicit consent. The Firm does not engage in the sale of Personal Data derived from these cookies. |
11.2. Managing Your Cookie Preferences
Upon your first visit to our website, a clear and prominent cookie banner is presented, allowing you to accept or reject non-essential cookies. You can manage your preferences at any time through the cookie settings available on our website. Furthermore, most web browsers allow you to control cookies through their settings, enabling you to refuse all cookies or to indicate when a cookie is being sent.
12. Children's Privacy
The Firm's services are not directed to children under the age of eighteen (18), and we do not knowingly collect Personal Data from children without verifiable parental consent. If we become aware that we have inadvertently received Personal Data from a child under the age of sixteen without parental consent, we will delete such information from our records immediately. Where the Firm is required to process the Personal Data of a minor in the context of a legal matter, such processing is conducted strictly in accordance with applicable laws and with the utmost sensitivity, typically relying on the legal basis of compliance with a legal obligation or the legitimate interests of the client.
13. Changes to this Privacy Policy
This Privacy Policy is subject to periodic review and revision to reflect changes in our processing practices, legal and regulatory requirements, or technological advancements. The Firm reserves the right to amend this Policy at any time. When material changes are made, the "Effective Date" at the top of the Policy will be updated, and we will take reasonable steps to notify Data Subjects of the changes, such as by posting a prominent notice on our website or by sending a direct communication. We encourage you to review this Policy periodically to remain informed about how we protect your information.
14. Contact Information and Complaints
The Firm is committed to resolving any inquiries or complaints regarding this Privacy Policy or our data processing practices.
14.1. Data Protection Officer (DPO)
For all matters related to the protection of your Personal Data, including the exercise of your rights, please contact our designated Data Protection Officer:
Data Protection Officer
Habeeb Jimoh & Associate Law Firm
Email: info@habeebjimohassociates.com
Telephone: +2347038771202 or +2348058334106
14.2. Supervisory Authorities
Should you have a complaint about the Firm's processing of your Personal Data, you maintain the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.
· For Nigeria (NDPA): The Nigeria Data Protection Commission (NDPC).
15. Legal Professional Privilege and Confidentiality
It is essential to understand that this Privacy Policy operates in conjunction with, and does not supersede, the Firm's fundamental professional and ethical obligations. The Personal Data of our clients, particularly the confidential information shared in the context of an attorney-client relationship, is protected by the strictest rules of legal professional privilege and attorney-client confidentiality. These privileges are sacrosanct and provide a higher level of protection than general data protection laws. Where there is a conflict between the provisions of this Policy and the Firm's duties of professional confidentiality, the professional duties shall prevail. The Firm will not disclose privileged information except as required by law or with the client's explicit authorization.
