Privacy Policy

Last updated February 2025

1.0. INTRODUCTION

1.1. F.A. GARRICK & CO (the “Firm”, “we”, “us”) is committed to safeguarding the privacy, confidentiality, and security of all personal data collected, received, or otherwise processed in the course of its legal practice and related business operations within the Federal Republic of Nigeria. This Privacy Policy sets out the Firm’s approach to the lawful collection, use, storage, disclosure, and protection of personal data, in accordance with the provisions of the Nigeria Data Protection Act 2023, applicable regulations, and recognized data protection principles.


1.2. This Policy underscores the Firm’s commitment to:

a. preserving the trust and confidence of its clients, prospective clients, employees, consultants, service providers, regulators, and other stakeholders;

b.  implementing appropriate technical and organizational measures to safeguard personal data against unauthorized access, loss, misuse, alteration, or disclosure; and

c. promoting transparency, accountability, and compliance in all personal data processing activities undertaken by the Firm.

2.0. SCOPE

This Privacy Policy (“Policy”), together with any applicable terms of engagement, client care letters, website terms of use, or other ancillary terms issued by F.A. GARRICK & CO from time to time, governs your use of the Firm’s website and any legal, advisory, or ancillary services provided by or accessible through the Firm’s digital platforms, physical offices, or any other channels (collectively, the “Services”).


This Policy sets out the basis upon which any personal data collected from you, or otherwise provided to the Firm in the course of its professional engagement or interactions with you, shall be processed. This Policy is issued in compliance with the Constitution of the Federal Republic of Nigeria 1999 (as amended), the Nigeria Data Protection Act 2023, the Nigeria Data Protection Act (General Application and Implementation) Regulations and Directives 2025, and all other applicable data protection laws and regulatory guidelines in force within the Federal Republic of Nigeria.

3.0. PERSONAL INFORMATION COLLECTION

3.1. F.A. GARRICK & CO may collect and process personal data from individuals in the course of its legitimate legal, professional, and business activities. The categories of personal data collected may include, without limitation, the following:


3.1.1. Information provided by you (Submitted Information):

This includes personal data voluntarily provided by you, including but not limited to information:

a. submitted through forms on the Firm’s website or other digital platforms operated by the Firm (collectively, the “Firm’s Platforms”);

b. provided through correspondence with the Firm, whether by electronic mail, telephone, messaging applications, or other means of communication;

c. supplied in the course of engaging the Firm for legal or advisory services, making enquiries, subscribing to publications or updates, submitting documents, reporting issues, or otherwise interacting with the Firm through its Platforms or physical offices.


3.1.2. Information collected automatically (Device and Usage Information):

Where you communicate with the Firm by electronic mail or other electronic means, the Firm may retain such communications for the purpose of processing enquiries, responding to requests, maintaining records, and improving its services.

Each time you access or visit the Firm’s Platforms, the Firm may automatically collect certain information, including:

a. technical information such as the type of device used, network information, operating system, browser type, approximate location, and time zone settings (“Device Information”); and

b. information relating to your use of or visits to the Firm’s Platforms, including traffic data, location data, logs, and other communication data (“Usage Information”).


3.1.3. Location Information:

The Firm may, where applicable, utilise location-based technologies or services to determine your general location. You may withdraw your consent to the collection or use of such location information at any time by adjusting your device settings or by contacting the Firm to disable location-based data processing, where applicable.


3.1.4. Information obtained from third parties (Third-Party Information):

Having regard to the nature of legal services provided by the Firm, it may be necessary to interact with and obtain information from third parties, including clients, courts, regulatory bodies, law enforcement agencies, counterparties, professional advisers, and other relevant institutions. The Firm may retrieve, receive, verify, or process personal data obtained from such third parties strictly for lawful and legitimate purposes.


3.2. The Firm may also collect personal data through other lawful channels, including but not limited to:

a. employment applications, recruitment processes, and staff onboarding;

b. in-person meetings, consultations, conferences, seminars, and professional events.

All personal data collected by the Firm shall be obtained fairly, lawfully, and transparently, and processed in accordance with applicable data protection laws and regulations.


3.3. Tracking Technologies and Cookies:

The Firm may utilise cookies or similar tracking technologies on its Platforms to distinguish users and enhance user experience. This enables the Firm to improve the functionality, performance, and security of its Platforms and services. You may control or disable cookies through your browser or device settings, subject to any limitations this may impose on your use of the Firm’s Platforms.

4.0. USE OF PERSONAL INFORMATION

4.1. F.A. GARRICK & CO shall process personal data solely for legitimate, specific, and lawful purposes. Personal data shall not be processed in a manner incompatible with the purposes for which such data was originally collected, except as permitted or required by law.


4.2. Personal data may be processed by the Firm for one or more of the following purposes:

a. providing legal, advisory, consultancy, and ancillary services requested by clients or prospective clients;

b. managing client relationships, communications, and professional engagements;

c. processing employment applications, staff onboarding, payroll administration, and human resources management;

d. conducting research, legal analysis, internal reviews, and improving the Firm’s operations and service delivery;

e. complying with contractual obligations, professional duties, and applicable legal and regulatory requirements;

f. preventing fraud, misconduct, or unauthorised access, and protecting the Firm’s rights, systems, premises, and assets;

g. responding to enquiries, complaints, disputes, or actual or threatened legal claims;

h. communicating with users and stakeholders regarding requests, instructions, or services provided by the Firm;

i. retrieving, identifying, verifying, and validating personal data for lawful professional purposes;

j. complying with risk management obligations, regulatory directives, court orders, anti-money laundering and counter-terrorism financing requirements, record-keeping obligations, and requests from competent authorities;

k. conducting risk analysis, assessments, and audits relating to the Firm’s services, platforms, and market activities;

l. ensuring compliance with applicable codes of conduct, ethical rules, and recognised professional best practices;

m. diagnosing, troubleshooting, and resolving operational or technical issues relating to the Firm’s services or digital platforms;

n. detecting, preventing, and investigating fraud or other unlawful or unauthorised activities;

o. improving the quality, efficiency, and user experience of the Firm’s services and platforms;

p. offering lawful incentives, professional updates, or informational materials to clients and stakeholders, where applicable;

q. collaborating with third parties, consultants, or service providers where necessary for the provision or improvement of the Firm’s services, subject to appropriate safeguards;

r. educating clients, prospective clients, and other stakeholders on the Firm’s services, legal developments, or other relevant information;

s. improving the Firm’s internal processes, policies, procedures, and governance frameworks;

t. improving data accuracy, integrity, and quality;

u. conducting research, testing, and internal evaluations; and

v. carrying out lawful marketing, professional communication, awareness, and sensitisation activities relating to the Firm’s services.


4.3. In processing personal data, the Firm shall ensure that:

a. such processing is lawful, fair, and transparent;

b. personal data collected is adequate, relevant, and limited to what is necessary for the stated purposes;

c. personal data is accurate and, where necessary, kept up to date; and

d. personal data is retained only for such period as is necessary to fulfil the purposes for which it was collected or as required under applicable law.

5.0. CONSENT AND ACCESS RIGHT

5.1. By engaging with F.A. GARRICK & CO or providing personal data to the Firm, you hereby consent to the collection, processing, and use of your personal data by the Firm. Where any document, agreement, or interaction involves multiple matters, the Firm shall obtain your consent in respect of each individual matter as necessary.


5.2. The Firm may process personal data without your explicit consent where such processing is necessary:

a.  for the performance of a contract to which you are a party, or to take steps at your request prior to entering into such a contract, including the provision of any legal or professional services;

b.  for compliance with a legal obligation imposed on the Firm by applicable law or regulation;

c.  to protect your vital interests or those of another natural person;

d.  for the performance of a task carried out in the public interest or in the exercise of an official mandate conferred upon the Firm; or

e.  for the purposes of legitimate interests pursued by the Firm or by a third party to whom personal data may be disclosed, provided that such interests are not overridden by your rights or fundamental freedoms.


5.3. Where the Firm intends to use your personal data for purposes other than those for which it was originally collected, the Firm shall seek your consent prior to such use, unless such use is otherwise permitted or required by law.


5.4. In the event of any corporate restructuring, merger, acquisition, sale, transfer of business or assets, internal or external reorganisation, dissolution, or liquidation, you hereby consent that your personal data held by the Firm may be transferred or assigned to third parties who may assume responsibility as controllers or processors of such personal data.


The Firm shall, at all times, ensure that you are notified whenever your personal data is intended to be transferred to third parties under the circumstances described above.


5.5. No consent shall be sought, given, or accepted in any circumstance that may facilitate, promote, or be used for the propagation of criminal acts, hate speech, atrocities, violations of children’s rights, or any other anti-social conduct.


5.6. You have the right to request the modification, correction, or update of your personal data held by the Firm. In all instances of access, modification, or amendment of personal data, the Firm shall require sufficient identification or verification to confirm that you are the lawful owner of the personal data concerned.

6.0. DISCLOSURE OF PERSONAL INFORMATION

6.1. F.A. GARRICK & CO may, where necessary for the proper provision of its legal, advisory, or professional services, share personal data with trusted third parties, including but not limited to:

a. service providers, consultants, or contractors engaged to perform services on behalf of the Firm;

b. financial institutions, auditors, professional advisers, or legal counsel;

c. regulatory authorities, courts, law enforcement agencies, or other governmental bodies, where required or permitted by law; and

d. business partners, collaborators, or joint venture participants, subject to appropriate data protection arrangements and safeguards.


6.2. Before sharing personal data with any third party, the Firm shall ensure that:

a. the third party maintains adequate technical and organisational measures to safeguard personal data;

b. the transfer or disclosure complies with all applicable data protection and privacy laws, including the Nigeria Data Protection Act 2023; and

c. confidentiality, non-disclosure, or data processing agreements are executed where necessary to protect the confidentiality and integrity of the data.


6.3. Where personal data is to be transferred outside Nigeria, the Firm shall ensure that such transfers occur only to jurisdictions with adequate data protection standards, in accordance with the Nigeria Data Protection Act 2023 and any other applicable data protection laws and regulations.

7.0. DATA RETENTION

7.1. Personal data collected by F.A. GARRICK & CO shall be retained only for as long as is necessary to fulfil the purposes for which it was collected, or as may be required under applicable laws, contractual obligations, or regulatory requirements.


7.2. Once personal data is no longer required for the purposes for which it was collected, the Firm shall ensure that such data is securely deleted, anonymized, or destroyed using appropriate methods designed to prevent unauthorized access, disclosure, or misuse.


7.3. Retention schedules shall be properly documented, and periodic reviews conducted to ensure ongoing compliance with this Policy, applicable law, and recognized professional best practices regarding data retention and security.

8.0. DATA SECURITY AND PROTECTION

8.1. F.A. GARRICK & CO is committed to maintaining the security, confidentiality, and integrity of all personal data in its possession. The Firm employs appropriate technical, organisational, and administrative measures to protect personal data from unauthorised access, alteration, disclosure, or destruction. Such measures include, without limitation:

a. encryption of sensitive personal data during storage and transmission;

b. role-based access controls, strong authentication procedures, and multi-factor authentication where applicable;

c.  regular updates of systems, application of security patches, and performance of vulnerability assessments;

d. secure disposal of both physical and electronic records containing personal data; and

e.  regular training of employees, contractors, and authorised third-party service providers on data security, privacy, and protection awareness.


8.2. All employees, contractors, and third-party processors engaged by the Firm are required to comply with F.A. GARRICK & CO’s policies on data protection and information security. Any breach or non-compliance may result in disciplinary, contractual, or legal action, as appropriate.


8.3. No method of transmission over the internet or electronic storage is entirely secure. While the Firm undertakes all reasonable measures to protect personal data and continually reviews and enhances its information security procedures, F.A. GARRICK & CO cannot guarantee absolute security. Accordingly, the Firm shall not be held liable for any loss, damage, or unauthorised access arising from electronic transmission or storage of personal data.

9.0. STORAGE/TRANSFER OF PERSONAL DATA

9.1.  The personal data collected by F.A. GARRICK & CO may be stored or processed within Nigeria by the Firm or by trusted third-party service providers engaged by the Firm in the course of providing legal, advisory, or professional services.


By providing your personal data to the Firm, you consent to the collection, processing, and storage of your personal data in accordance with this Policy and the Firm’s engagement terms.


9.2. F.A. GARRICK & CO is committed to protecting personal data in its possession. The Firm implements appropriate physical, managerial, and technical measures, including but not limited to:

a.  access control systems and monitoring;

b. encryption, anonymisation, or pseudonymisation of personal data where applicable;

c. regular employee training and awareness programs on data protection; and

d. security policies and procedures designed to prevent unauthorised access, disclosure, alteration, destruction, or accidental loss.


These measures are regularly reviewed and updated to ensure compliance with the Nigeria Data Protection Act 2023 and recognised professional best practices. You may contact the Firm to obtain information on the safeguards implemented to protect your personal data.


9.3. Where the Firm provides you with a password or other authentication mechanism to access certain parts of its digital platforms, you are responsible for maintaining its confidentiality. You should not share your password with any third party.

While the Firm strives to protect the security of personal data transmitted over the internet or stored electronically, no system is completely secure. Any transmission is at your own risk. Once received, the Firm applies strict procedures and safeguards to prevent unauthorised access, disclosure, or misuse of your personal data.

10.0. RIGHTS OF DATA SUBJECTS

10.1. Under the Nigeria Data Protection Act 2023, individuals whose personal data is collected or processed by F.A. GARRICK & CO (“you” or “Data Subject”) have specific legal rights, which include the following:

a. Where the Firm’s processing of your personal data is based on consent, you may withdraw that consent at any time;

b. You may request access to any personal data that the Firm holds about you;

c. You may object to the Firm’s processing of your personal data in limited circumstances, including where the processing is based on legitimate interests or public interest and the Firm cannot demonstrate overriding lawful grounds for processing;

d. You may request that the Firm restrict the processing of your personal data in specific circumstances, for example, where there is a dispute regarding the accuracy of the data;

e. You may request that the Firm erase personal data without undue delay where:

i. the personal data is no longer necessary for the purposes for which it was collected;

ii.  consent is the sole legal basis for processing and such consent has been withdrawn, and there is no other lawful basis for processing;

iii. the processing is unlawful; or

iv. you object to processing based on legitimate interests or public interest and the Firm has no overriding lawful grounds to continue processing;


f. You may request that the Firm correct inaccurate or incomplete personal data;

g. In certain circumstances, you may request a copy of your personal data in a structured, commonly used, and machine-readable format, and request that it be transferred to another controller;

h. You have the right to be informed of any personal data breach which is likely to result in a high risk to your rights and freedoms;

i.  You may request that processing that is likely to cause damage to you or any other person be prevented;

j. You may request information on the technical and organisational safeguards applied to your personal data;

k. You may lodge a complaint with the National Information Technology Development Agency (NITDA) or any other relevant regulatory authority regarding the processing of your personal data.


10.2. To exercise any of the rights outlined above, you may contact F.A. GARRICK & CO via info@fgarrickco.com. All requests will be addressed promptly and in accordance with the Nigeria Data Protection Act 2023 and other applicable laws.

11.0. COMPLIANCE

Compliance with this Privacy Policy is mandatory for all employees, partners, contractors, interns, vendors, and third parties who collect, process, or handle personal data on behalf of F.A. GARRICK & CO in the course of providing legal, advisory, or professional services.


Failure to comply with this Policy may result in disciplinary measures, termination of engagement, or legal sanctions, depending on the severity of the breach.


The Firm shall be responsible for monitoring adherence to this Policy, conducting audits, and overseeing investigations into incidents of non-compliance or personal data breaches.

12.0. VIOLATION OF PRIVACY POLICY

12.1. F.A. GARRICK & CO has implemented procedures to detect, respond to, and remediate any suspected personal data breach. In the event of a breach, the Firm will notify affected individuals and provide information regarding the steps taken to address the breach, including the security measures applied to render the personal data unintelligible or inaccessible.


12.2. All suspected breaches of personal data shall be addressed and remediated within one (1) month from the date the breach is reported or identified.


12.3. If you become aware of, or suspect, that a personal data breach has occurred, you should immediately contact the Firm via info@fgarrickco.com.


12.4. F.A. GARRICK & CO shall not be held responsible for any personal data breach that occurs as a result of:

a. events beyond the reasonable control of the Firm;

b. acts or threats of terrorism;

c. acts of God, including but not limited to fires, explosions, earthquakes, floods, or other natural disasters, which compromise the Firm’s data protection measures;

d. war, hostilities (whether war be declared or not), invasion, act of foreign enemies, mobilisation, requisition, or embargo;

e. rebellion, revolution, insurrection, civil unrest, or usurpation of power which compromises the Firm’s data protection measures;

f. the transfer of personal data to a third party at your instruction; or

g. the use or processing of your personal data by a third party designated by you.

13.0. CHANGES TO PRIVACY POLICY

13.1. F.A. GARRICK & CO may, from time to time, update or amend this Privacy Policy to reflect changes in law, regulations, or the Firm’s operations. Any such changes will be posted on the Firm’s website and, where appropriate, notified to clients, prospective clients, or data subjects.


13.2. By continuing to engage the Firm’s legal, advisory, or professional services following the posting of any amendments, you confirm your acceptance of the updated Privacy Policy and consent to the terms set out therein.


13.3. Any questions, comments, or requests regarding this Privacy Policy, or the processing of personal data by the Firm, should be addressed to info@fgarrickco.com.