Skip to content
Cedar BridgePro Limited

Data Protection Statement

Last updated: 14 July 2026

This statement sets out how Cedar Bridge Pro Limited approaches its obligations under the Nigeria Data Protection Act 2023(NDPA) and the Nigeria Data Protection Commission's General Application and Implementation Directive 2025 (GAID). It sits alongside our Privacy Policy, which describes what we collect and why.

The current legal framework

Nigeria's data protection regime changed materially in 2025. The NDPA 2023 replaced the Nigeria Data Protection Regulation 2019 (NDPR) as the principal law, and GAID, issued on 20 March 2025 and effective from 19 September 2025, repealed the NDPR as a regulatory instrument.

We therefore describe our compliance by reference to the NDPA and GAID, not the NDPR. Anyone still advertising “NDPR compliance” is describing a framework that no longer governs.

Our principles

When we handle personal data, we commit to:

  • Collect only what we need. Every field on our forms exists because it changes what we can do for you.
  • Use it only for the purpose we collected it for. A booking enquiry does not become a marketing list.
  • Treat consent as an act, not a formality. Our newsletter opt-in is separate, specific and never pre-ticked. Showing you a privacy notice is disclosure, not consent, and we do not conflate the two.
  • Make withdrawal as easy as consent. Every marketing email carries a one-click unsubscribe that works immediately, with no need to sign in or contact us.
  • Keep evidence. Every grant and withdrawal of consent is logged with its timestamp, the exact wording shown, and the originating IP address.
  • Keep it secure and limited. Access to booking and subscriber records is restricted by role to staff who need it.

Training participant data

Where an engagement means we handle your staff's details (attendance lists, assessment results, feedback), we act as a data processor on your instructions. Your organisation remains the controller of that data. We will:

  • Process it only as your written agreement with us directs
  • Not use it for our own purposes, including marketing
  • Return or securely delete it at the end of the engagement on your instruction
  • Tell you without undue delay if we become aware of a breach affecting it

Registration status

Under GAID, an organisation processing the personal data of more than 200 data subjects in six months is a Data Controller or Processor of Major Importance (DCPMI) and must register with the Commission. Cedar Bridge is reviewing its position as its client base grows, and will register and file the required annual audit where the thresholds are met.

Breach notification

If a breach occurs that is likely to result in a risk to people's rights and freedoms, we will notify the Nigeria Data Protection Commission within the timeframe the NDPA requires, and tell affected individuals directly where the risk to them is high.

Data protection contact

Send any data protection question, request or complaint to hello@cedarbridgepro.com, or write to us at Trinity Plaza, Ring Road III, Uyo, Akwa Ibom State, Nigeria. We aim to respond within one month.

You may also complain directly to the Nigeria Data Protection Commission.

Please note:these policies are a starting point drafted for this website, not legal advice. Nigeria's data protection regime changed materially in 2025, and a licensed Data Protection Compliance Organisation (DPCO) should review them, and Cedar Bridge's registration position, before you rely on them.