This document is prepared in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Nigerian Data Protection Act (NDPA). It sets out how Zenith Pensions Custodian Limited (Zenith Pensions) applies and complies with the principles of the Act in processing the personal data of individuals, clients, vendors, third parties that interact with Zenith Pensions, and employees.
For personal data of individuals, this document also highlights their rights and covers the data subject(s) whose personal data is collected and processed in compliance with the GDPR/NDPR. ZPC’s processing is undertaken in line with its statutory mandate under the Contributory Pension Scheme (CPS).
| Role | Responsibilities |
|---|---|
| Data Protection Officer | • To ensure that this notice is correct and up-to-date and bring this notice to the awareness of data subjects prior to the collection and processing of personal data by Zenith Pensions, including on Zenith Pension’s website. |
| All Employees/Staff who interact with personal data |
• To follow the provisions of this policy document. • To seek the consent of data subject(s) for the secure processing of their personal data. • To ensure that this notice is brought to the attention of the data subject(s). |
3. Policy Statement
Zenith Pensions Custodian Limited (ZPC) is a subsidiary of Zenith Bank Plc licensed by the National Pension Commission (PenCom) to provide Pension Fund Custody pursuant to the Pensions Reform Act 2004 and 2014 as amended. ZPC is run as a separate legal entity in line with global best practices and aims to be the foremost pension fund custodian in Nigeria. We are a reference point in the pension industry as a result of our exceptional services and competence as pension custodian. Zenith Pensions Custodian was one of the operators selected by the National Pension Commission to be understudied by countries like Ghana and Malawi prior to the implementation of their pension reform.
We commenced operations in July 2006 and have been able to achieve outstanding growth in assets under custody to the tune of N10.6 trillion as at December 2025, which accounts for 38.70% of the industry's total assets. ZPC has been able to carve a niche for itself in the Pension Industry as we place premium on excellent customer service, Information Technology, human capital development and sound corporate governance.
The personal data we would collect and process, depending on the particular processing requirement, are under the following categories:
| Personal Data Type | Sources |
|---|---|
| Biodata | Directly From Pension Contributors & Retirees/From Employers/From Pension Fund Administrators (PFA)/From Regulatory bodies and lawful third parties/From Related Persons. |
| Identification Information |
Directly From Pension Contributors & Retirees/From Employers/From Pension Fund Administrators (PFA)/From Regulatory bodies and lawful third parties/From Related Persons. |
| Financial Information |
Directly From Pension Contributors & Retirees/From Employers/From Pension Fund Administrators (PFA)/From Regulatory bodies and lawful third parties/From Related Persons. |
| Employment-related Information (Contributors/Retirees) |
Directly From Pension Contributors & Retirees/From Employers/From Pension Fund Administrators (PFA)/From Regulatory bodies and lawful third parties/From Related Persons. |
| Employee HR & Employment Data (ZPC Employees) – e.g., contact details, next of kin, employment history, payroll/tax, benefits, training & compliance records, performance data, access logs, health & safety records (where applicable) |
Directly from employees / from background check providers / from statutory bodies (e.g., tax, pensions, regulators) / from benefit and insurance providers / from internal systems capturing access and security logs. |
In certain instances, the personal data we need to collect may fall under a special category of personal data, which includes race, political opinion, ethnic origin, religion, philosophical believes, genetic/biometric data, health record, sex life/sex orientation, criminal records, or alleged criminal activity. In such instances, our lawful basis of processing will be explicit consent, employment/social protection law (as applicable), compliance with a legal obligation, or for legal proceedings/advice.
Zenith Pensions ensures that the personal data collected and processed is necessary for the purpose of collection, and Zenith Pensions shall not collect or process more data than is reasonably required for a particular processing activity. In addition, every processing purpose has at least one lawful basis for processing to safeguard the rights of the data subjects, as listed below:
| Purpose of Processing | Lawful Basis of Processing |
|---|---|
| To fulfill ZPC’s statutory mandate of safeguarding pension assets under the Contributory Pension Scheme (CPS) | Legal Obligation – ZPC processes personal data as required by pension laws and regulatory mandates. |
| To maintain accurate biodata and records of contributors, retirees, and related persons |
Legal Obligation – Required for identifying contributors and ensuring pension benefits are correctly managed. |
| To collect and store employment and financial information for pension administration |
Legal Obligation – Necessary to calculate, reconcile, and administer pension contributions and benefits. |
| To process retirement benefits and payments |
Performance of a Legal/Statutory Duty – Processing is essential for fulfilling pension benefit disbursement requirements. |
| To manage relationship with employers and obtain required employee/contributor data |
Legal Obligation – Employer-provided data supports statutory pension administration. |
| To provide disclosures to third parties only in exceptional circumstances allowed by law |
Legal Obligation – Disclosures occur only where required by law or regulatory guidelines. |
| To maintain secure records and databases for access, retrieval, storage, and protection of personal data |
Legitimate Interest & Legal Obligation – ZPC is required to keep pension data secure and maintain compliant systems. |
| To ensure transparency by informing data subjects about processing activities |
Legal Obligation – ZPC informs contributors and retirees of how data is collected and used. |
| (Employees) To administer payroll, benefits, and statutory deductions; manage the employment relationship; and maintain staff records |
Contractual Necessity & Legal Obligation (e.g., employment, tax, pensions) |
| (Employees) To ensure workplace health and safety and to manage training, compliance, and investigations |
Legal Obligation & Legitimate Interests. |
| (Employees & All Users) To secure our systems and facilities (access controls, activity logs, fraud prevention) |
Legitimate Interests & Legal Obligation. |
| (Pension Administration Data Flows) To receive, reconcile, and where necessary transmit pension related data to/from PFAs in line with statutory processes and service level agreements |
Legal Obligation & Contractual Necessity – to support accurate records, reconciliations, and benefit processing consistent with the CPS. |
Where Legitimate Interest is considered the legal basis for processing personal data, Zenith Pensions shall follow the steps below in carrying out a Legitimate Interest Assessment.
In carrying out the purpose test, Zenith Pensions must establish the exact reason for the processing and how it benefits the organisation. Answers to the following shall be provided to determine the exact purpose for processing:
• Description of the processing objective
• The likelihood of meeting the objective and how to determine if the objective was met
• The benefit of the processing and the significance to the organisation
• Description of the possible impact of not processing and any other issues that might be relevant
The following questions will be addressed under the balance test:
• Who are the data subjects (category)?
• What is the relationship between Zenith Pensions and the data subject
• What personal data is to be processed
• How will the processing impact the data subject
• How will the data subject react to the processing
Zenith Pensions Custodian Ltd records this information in line with this policy, data protection impact assessment, and data inventory.
Zenith Pensions Custodian Ltd may require your explicit consent to process certain categories of personal data or for specific purposes . And by consenting to this privacy policy, you are giving us the permission to use/process your personal data specifically for the purpose identified before collection.
If, for any reason, Zenith Pensions is requesting sensitive personal data from you, you will be rightly notified why and how the information will be used.
You may withdraw consent at any time by requesting for Withdrawal of Consent form, following the Zenith Pensions Withdrawal of Consent Procedure.
For most pension administration and employment related processing, our lawful basis will be legal obligation, contractual necessity, or legitimate interests, not consent.Zenith Pensions Custodian Ltd will not pass on your personal data to third parties except as permitted by law, under a valid lawful basis, or with your consent where required.
The third parties/categories below may receive personal data as part of our processing activities:
| Recipient / Category | Purpose of Disclosure | Lawful Basis |
|---|---|---|
| Pension Fund Administrators (PFAs) | Pension administration data exchanges (e.g., reconciliations, updates, benefit processing) pursuant to statutory processes and SLAs. | Legal obligation & contractual necessity (CPS operations) |
| Employers | Verification and updates of contributor employment data; remittances reconciliation | Legal obligation |
| Regulatory and Supervisory Authorities (e.g., PenCom, NDPC) | Compliance, supervision, and reporting | Legal obligation |
| Auditors and Professional Advisers | Audit, compliance reviews, legal advice | Audit, compliance reviews, legal advice |
| IT, Cloud, and Business Service Providers | Hosting, software support, communications, archiving, security | Contractual necessity & legitimate interests (with DPAs in place) |
| Banks/Payment Processors/Insurers | Benefit payments, premium administration, risk coverage | Contractual necessity & legal obligation |
| Group/Affiliate Entities (where applicable) | Internal reporting, governance, or shared services under appropriate safeguards | Legitimate interests & contractual necessity |
Where disclosure involves transfer to a foreign country/international organisation, Zenith Pensions will ensure appropriate safeguards are in place prior to transfer, including (as applicable):
International Transfers – Record of Safeguards
| Foreign Country/International Organisation | Safeguards in place to protect your personal data | Retrieve a copy of the safeguards in place here: |
|---|---|---|
| International Employment Verification Bodies (organisations that contact ZPC to verify exited staff employment history with us) | N/A |
Where there is a need for a third party to process the personal data of data subjects, Zenith Pensions will enter into a Data Processing Agreement with the third party and be satisfied that the third party has adequate measures in place to protect the data against accidental or unauthorised access, use, disclosure, loss, or destruction. In a case where the disclosure is to third parties outside the jurisdiction of the GDPR and NDPR, Zenith Pensions will ensure that the third party meets the core regulatory standards prior to the transfer. This may include transferring the personal data to the third party where Zenith Pensions has satisfied that:
• the country of the recipient has adequate data protection controls established by legal or self-regulatory regime
• Zenith Pensions has a contract in place that uses existing or approved data protection clauses to ensure adequate protection
• Zenith Pensions is making the transfer under approved binding corporate rules
• Zenith Pensions is relying on approved codes of conduct or certification mechanisms, together with binding and enforceable commitments in the foreign country or international organisation to apply the appropriate safeguards in relation to data subject rights
• Provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority
In compliance with the GDPR/NDPA data retention policy, Zenith Pensions will process your personal data for as long as is necessary to fulfil its statutory mandate under the Contributory Pension Scheme (CPS), including the administration, management, custody, and disbursement of pension assets and will retain the personal data for the duration of your active relationship (e.g., as a contributor, retiree, beneficiary, employee) and for an additional period necessary to comply with legal, regulatory, and contractual obligations (e.g., record keeping, audits, dispute resolution, fraud prevention, and regulatory reporting.
This retention period has been established to enable us to use the personal data for the necessary legitimate purposes identified, in full compliance with the legal and regulatory requirements. When we no longer need to use your personal information, we will delete it from our systems and records, and/or take steps to encrypt/anonymise it to protect your identity as the case may be.
Data subjects, according to the provision of the GDPR/NDPA, have certain rights. At any point while Zenith Pensions are in possession of or processing your personal data, you, the data subject, have the right to:
• Request a copy of the information that we hold about you
• Correct the data that we hold about you that is inaccurate or incomplete
• Ask for the data we hold about you to be erased from our systems/record
• Restrict processing of your personal data where certain conditions apply
• Have the data we hold about you transferred to another organisation
• Object to certain types of processing like direct marketing
• Object to automated processing like profiling, as well as the right to be subject to the legal effects of automated processing or profiling
• Judicial review. In the event that Zenith Pensions refuses your request under rights of access, we will provide you with a reason as to why. And you have the right to complain.
• Right to lodge a complaint with the National Supervisory body (NDPC) if you are not satisfied with how we process your personal data, using info@ndpc.gov.ng
All the above requests will be forwarded on should there be a third party involved in the processing of your personal data.
If for any reason you wish to make a complaint about how Zenith Pensions (or any of our third parties described in 3.4 above) processes your personal data, or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and the Data Protection Officer of Zenith Pensions.
Below are the details for each of these contacts:
| Supervisory Authority | Data Protection Officer (DPO) | |
|---|---|---|
| Contact Name: | Nigeria Data Protection Commission (NDPC) | Daniel Chokor |
| Address: | No.12 DR Clement Isong Street, Abuja | 4th and 5th Floor, Civic Towers, Ozumba Mbadiwe Avenue, Victoria Island, Lagos. |
| Email: | info@ndpc.gov.ng | Daniel.chokor@zenithcustodian.com |
| Telephone: | +234 (0) 916 061 5551 | 02012782940; +2348033027477 |
For more information on how we use your personal data and why, please visit Privacy policy