Data Protection POLICY

Introduction and Purpose

This Data Protection Policy outlines how DAS Properties and Investment Limited handles personal data in accordance with applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and related statutory requirements.

DAS Properties is committed to protecting the privacy and rights of individuals whose personal information we collect, store and process. This policy explains the principles we follow, the responsibilities of our staff and partners and the procedures in place to ensure that all data is handled lawfully, fairly and transparently.

As part of our business operations, we are required to process certain categories of personal data belonging to employees, clients, partners, suppliers and other stakeholders. In some cases, this data is processed to comply with legal obligations imposed by governmental authorities, regulators or law enforcement agencies.

We recognise that maintaining the trust and confidence of those we interact with is vital to our success. Our handling of personal data is underpinned by a robust governance structure, including the implementation of a Personal Information Management System (PIMS), which ensures consistent adherence to legal standards and industry best practices.

Scope and Applicability

This policy applies to all employees, contractors, agents, partners and third-party service providers who process personal data on behalf of DAS Properties.

It covers all personal data that is collected, accessed, stored or processed in any form whether electronic, paper-based, verbal or photographic and applies to all locations where DAS Properties operates or has data processing functions.

The policy governs the handling of personal information relating to:

• Customers (buyers, tenants, landlords and sellers)
• Staff and job applicants
• Contractors and service providers
• Website users and marketing contacts
• Any other individuals whose personal data we may process during our business

It ensures that all data processing activities undertaken by DAS Properties are compliant with applicable laws and uphold the rights and freedoms of individuals, as set out in the UK GDPR and related data protection regulations.

Legal and Regulatory Framework

DAS Properties is committed to conducting its data processing activities in full compliance with all relevant data protection laws and regulations. This policy is guided by the following key legislative and regulatory frameworks:

• UK General Data Protection Regulation (UK GDPR) Sets out the core principles, rights and obligations governing the processing of personal data within the UK.
• Nigeria Data Protection Regulation (NDPR) 2019 Enacted by the National Information Technology Development Agency (NITDA), the NDPR governs the collection, storage, processing and transfer of personal data in Nigeria, promoting data subject rights and responsible data handling.
• Data Protection Act 2018 Supplements the UK GDPR and provides a national framework for data protection, including enforcement and exemptions.
• Privacy and Electronic Communications Regulations (PECR) 2003 Governs electronic communications, including marketing emails, cookies and telephone communications.
• The Human Rights Act 1998 Ensures the right to respect for private and family life, which includes protection of personal data.
• Freedom of Information Act 2000 Ensures transparency in public bodies and may intersect with data protection where information includes personal data.
• Regulation of Investigatory Powers Act 2000 Regulates the interception and monitoring of communications.
• The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 Requires the collection and verification of identity information for compliance purposes.

DAS Properties also monitors updates to data protection legislation and best practices at both national and international levels, including guidance from the Information Commissioner's Office (ICO), and where relevant, the European Data Protection Board (EDPB).

By aligning with these frameworks, we ensure that personal data is processed in a lawful, fair and transparent manner, and that individuals’ rights are protected throughout the data lifecycle.

Objectives and Commitment to Data Protection

At DAS Properties, safeguarding personal data is central to our operations and a reflection of our core values integrity, transparency and trust. Our objectives under this Data Protection Policy are to ensure that:

• Personal data is collected, used, stored and shared responsibly and in accordance with applicable data protection laws, including the UK GDPR, the Nigeria Data Protection Regulation (NDPR) and the Data Protection Act 2018.
• All data processing activities are conducted lawfully, fairly and transparently, with clear purposes and legitimate grounds for each action.
• Individuals' privacy rights including the right to access, rectify, erase and restrict processing of their data are respected and upheld.
• Appropriate technical and organisational measures are in place to protect personal data from loss, misuse, unauthorised access, disclosure, alteration or destruction.
• Our team members, contractors and third-party partners are trained, informed and accountable in their roles as data handlers and processors.
• Data processing activities across all our business units and jurisdictions (UK, Nigeria) are reviewed and monitored for ongoing compliance and risk mitigation.

We are fully committed to:

• Embedding data protection into our operational processes and decision making.
• Maintaining a Personal Information Management System (PIMS) to continuously assess, manage and improve our data protection practices.
• Cooperating with data protection authorities such as the Information Commissioner’s Office (ICO) in the UK and NDPC in Nigeria and responding promptly to data subject requests or breaches.
• Being transparent with our clients, partners and stakeholders about how and why we process personal data.

This commitment underpins our efforts to build and maintain a culture of data privacy that not only complies with regulatory requirements but also earns and retains the trust of everyone we serve.

Scope and Applicability

This Data Protection Policy applies to DAS Properties and Investment Limited, including its branches, subsidiaries, affiliates, staff and third-party service providers who may process personal data on behalf of the company. It covers all personal data processing activities carried out in connection with the company’s services in the United Kingdom, Nigeria and other international jurisdictions where applicable.

This policy applies to:

• All employees, contractors and consultants of DAS Properties who access or process personal data in the course of their duties.
• All business functions of DAS Properties sales, lettings, property management, customer support, marketing and legal compliance.
• All third-party service providers, partners and vendors who act as data processors on behalf of DAS Properties.
• All types of data subjects, including but not limited to clients, tenants, landlords, buyers, vendors, suppliers, staff, job applicants and visitors.
• All forms of personal data, whether collected or stored digitally, on paper or through other means.

It applies across all:

• Business locations, including offices in the UK, Nigeria and any other countries where DAS Properties operates.
• Technological platforms and systems used to process personal data, including websites, CRM software, email, mobile apps and cloud-based services.

This Policy is designed to ensure compliance with:

• The UK General Data Protection Regulation (UK GDPR)
• The Data Protection Act 2018
• The Nigeria Data Protection Regulation (NDPR)
• Any additional national data protection regulations applicable where DAS Properties operates.

All stakeholders, internal or external, who process or access personal data under the authority of DAS Properties are expected to read, understand and comply with this Policy. Failure to do so may result in disciplinary action, contract termination or legal consequences.

Roles and Responsibilities under GDPR & NDPR

To ensure effective data protection compliance, The Organisation has established clearly defined roles and responsibilities in line with both the General Data Protection Regulation (GDPR) and the Nigeria Data Protection Regulation (NDPR).

1. The Data Protection Compliance Officer (DPCO) As mandated by the NDPR, The Organisation has appointed a Data Protection Compliance Officer (DPCO), who serves as the point of contact with the Nigeria Data Protection Commission (NDPC) and is responsible for ensuring organisation wide compliance with NDPR. The DPCO also collaborates with the Data Protection Organiser to ensure alignment with GDPR requirements, where applicable.
2. Senior Management / Executive Responsibility The Partners and Directors of The Organisation are accountable for embedding a culture of privacy and data protection. They ensure sufficient resources, training and oversight are allocated to data protection efforts, in both the EU and Nigerian operational contexts.
3. Departmental Heads and Line Managers Departmental leaders are responsible for ensuring that data protection principles are integrated into their teams’ everyday operations. They must identify risks and escalate data processing concerns to the DPCO.
4. All Staff Members All employees, contractors and temporary workers who handle personal data are required to comply with this policy. They are responsible for:
   • Understanding data protection principles and applying them to their work.
   • Reporting suspected breaches or non-compliance to the DPCO immediately.
   • Completing regular data protection training and certification.
5. Third-Party Processors and Vendors Vendors or partners who process personal data on behalf of The Organisation are required to sign a Data Processing Agreement (DPA) and comply with GDPR/NDPR obligations. They must also demonstrate adequate safeguards, such as technical and organisational measures to ensure data confidentiality and integrity.

Training and Awareness

To ensure ongoing compliance with both the General Data Protection Regulation (GDPR) and the Nigeria Data Protection Regulation (NDPR), The Organisation places high importance on training and awareness for all staff and third parties who handle personal data.

Staff Training Responsibilities

• All employees, contractors and temporary staff are required to undergo data protection training as part of their onboarding process.
• Refresher training is conducted annually or when there are significant updates to the data protection policy or relevant legislation.
• Training is tailored to reflect the specific responsibilities of each role, especially those that involve direct data handling or processing.

Awareness and Culture

• The Organisation actively promotes a culture of privacy and data responsibility.
• Regular internal communications (emails, workshops, posters, etc.) are used to reinforce data protection principles.
• Employees are encouraged to raise questions or report any concerns or suspected breaches to the designated Data Protection Officer (DPO).

Record-Keeping

• A training log is maintained to track attendance and completion of data protection training.
• All training materials are reviewed regularly and updated as needed to reflect legal or procedural changes.

Third-Party and Processor Training

• Any third-party processors or service providers with access to personal data must demonstrate appropriate data protection awareness and compliance.
• Where applicable, third parties are provided with training or are required to provide evidence of relevant data protection training for their staff.

Data Breach and Incident Response

The Organisation is committed to safeguarding the personal data it holds and to responding swiftly and effectively to any actual or suspected data breaches. This section outlines how The Organisation identifies, manages and reports data breaches in compliance with both the General Data Protection Regulation (GDPR) and the Nigeria Data Protection Regulation (NDPR).

What Constitutes a Personal Data Breach ?

pA personal data breach is defined as any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Examples include:

• Sending personal data to the wrong recipient
• Loss or theft of a device containing personal data
• Hacking or ransomware attacks
• Accidental deletion or alteration of records
• Failure of physical or digital security controls

Reporting a Breach

• All staff must report actual or suspected data breaches immediately to the DPCO or designated officer.
• Reports must be made within 24 hours of discovery, even if all the details are not yet available.

Initial Assessment and Containment

Upon receiving a breach report:

• The DPCO will assess the nature, severity and scope of the breach.
• Immediate steps will be taken to contain the breach, such as suspending affected systems, retrieving wrongly sent information or disabling user access.

Notification Requirements

• If the breach is likely to result in a risk to the rights and freedoms of data subjects, the relevant supervisory authority must be notified:
  • GDPR: Notification to the ICO (Information Commissioner’s Office) must be made within 72 hours of awareness.
  • NDPR: Notification must be made to NITDA (National Information Technology Development Agency) within 72 hours.
• If the breach is likely to result in a high risk to the affected individuals, those individuals will also be informed without undue delay, in clear and plain language, outlining the steps being taken to address the issue and reduce potential harm.

Investigation and Remediation

• A formal investigation will be conducted by the DPCO or designated incident response team.
• Root cause analysis will be carried out, and appropriate remedial actions will be taken to prevent recurrence.
• Where applicable, disciplinary procedures may follow for breaches due to negligence or wilful misconduct.

Documentation

• All data breaches, whether notifiable or not, will be recorded in a Breach Register maintained by the DPCO.
• This record will include:
• Description of the incident
• Categories and approximate number of data subjects and data records involved
• Likely consequences of the breach
• Measures taken or proposed to be taken

Ongoing Monitoring and Review

• Following a breach, related policies and controls will be reviewed and updated if necessary.
• Staff involved in the breach (directly or indirectly) may receive additional training.

Monitoring and Policy Review

The Organisation is committed to ensuring the continuous effectiveness, relevance and compliance of its data protection practices. As part of this commitment, the Organisation maintains a structured process for monitoring, reviewing and updating this Data Protection Policy and its related procedures.

Ongoing Monitoring

• The Organisation regularly monitors its data processing activities to ensure adherence to this policy and compliance with all applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the Nigeria Data Protection Regulation (NDPR).
• Monitoring is conducted by the Data Protection Officer and designated Compliance Officers, who ensure:
• Data processing activities align with the Organisation’s declared legal basis for processing.
• Security measures are appropriately maintained and updated.
• Employees and third-party processors are acting in accordance with their data protection obligations.

Audit and Compliance Checks

• Internal audits are conducted at least annually and additionally as needed, particularly following:
• A data breach or security incident
• Changes in data protection law or regulatory guidance
• Updates to the Organisation’s operations that affect personal data processing
• Audit results inform any updates to policies, procedures or technical safeguards.

Policy Review

• This Data Protection Policy will be formally reviewed every 12 months by the DPCO or designated officers to ensure:
• It remains aligned with current legal requirements.
• It reflects the Organisation’s data handling practices accurately.
• It incorporates lessons learned from audits, incident investigations or regulatory feedback.
• Interim reviews may be conducted in response to:
• Legislative or regulatory changes (e.g., updates from ICO, NDPC, or EU regulators)
• New technologies or systems being adopted
• Organisational restructuring or new service offerings

Stakeholder Involvement

• Where applicable, feedback will be sought from:
• Internal stakeholders (e.g. department heads, IT, legal, HR)
• External consultants or auditors
• Regulatory bodies or professional associations

Staff Notification

• Any significant updates to this policy will be communicated to all staff and where relevant, to partners, contractors and third-party data processors.
• Staff will be required to acknowledge their understanding of updated policies and may undergo refresher training where necessary.

Version Control

• The Organisation will maintain version control and archive previous versions of this policy for reference and accountability.
• The most current version will always be accessible via the Organisation’s internal systems and shared upon request.

MONEY LAUNDERING POLICY

DAS Properties and Investment Limited is committed to maintaining robust systems and controls to prevent the facilitation of money laundering and terrorist financing. This policy outlines the company’s responsibilities under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, the Proceeds of Crime Act 2002, the Terrorism Act 2000, and the Nigeria Data Protection Regulation (NDPR), where applicable.

DAS Properties conducts due diligence checks on all parties involved in a transaction, including vendors, landlords, purchasers and tenants. This includes verifying:

• Identity and proof of address
• The existence of any beneficial owners (individuals who ultimately own or control a customer)
• Where appropriate, the source of funds, source of wealth and/or destination of funds

Failure to provide this information will prevent us from proceeding with property marketing, concluding a sale or finalising a tenancy.

Risk Awareness & Assessment

The real estate sector is considered high-risk for money laundering due to the high-value nature of transactions and potential for anonymity.

DAS Properties adopts a risk-based approach to AML/CTF. We assess risk factors including:

• Customer type and geography
• Customer type and geography
• Whether there is face-to-face interaction
• Use of third parties or intermediaries

This approach allows us to apply enhanced due diligence where necessary and maintain vigilance over suspicious behaviours.

Managing Risk & Internal Controls

We maintain internal policies and procedures to detect and deter financial crime. These include:

• Appointment of a Money Laundering Reporting Officer (MLRO)
• Ongoing AML training for all relevant staff
• Internal reporting mechanisms for suspicious activity
• Procedures for escalating reports to the National Crime Agency (NCA) in the UK, or relevant authorities where applicable

Our MLRO is responsible for evaluating and escalating all suspicious activity reports (SARs) and ensuring compliance with legal obligations.

Identification & Verification Process

As part of our due diligence:

• All customers must undergo electronic identity verification
• The AML verification fee is £30 per person (inclusive of VAT) and is non-refundable
• Where electronic verification is not possible, certified identity documents must be provided from a list of acceptable alternatives

We may also collect identification details for other stakeholders in a transaction, such as individuals gifting deposit funds.

Note: Our identity verification process does not affect your credit score or credit history.

Non-Individual Clients

Where the customer is an entity (e.g., company, charity, trust), we are required to verify:

• Company registration details and registered address
• Authority of the individual(s) acting on behalf of the organisation
• Identity of beneficial owners or persons with significant control

This ensures transparency and compliance with both AML legislation and corporate governance standards.

Reporting Suspicious Activity

All staff have a duty to report suspicious activity internally to the MLRO. Suspicious activity may include but is not limited to:

For new customers:

• Unwillingness to provide ID
• Use of intermediaries with no clear rationale
• Lack of a legitimate reason for property transactions

For existing customers:

• Third-party payments with no clear link to the client
• Unusual requests to transfer funds to unrelated parties
• Transactions far below market value
• Refusal to disclose the source of large cash payments

Confidentiality: All reports and associated information are treated as confidential and shared strictly on a need-to-know basis.

Record Keeping

In line with regulatory obligations, we retain:

• Identity verification records for 5 years from the end of the customer relationship or transaction
• Transaction and communication records for 5 years from completion

This supports regulatory compliance and assists in any future investigations.

Staff Training

DAS Properties provides ongoing training to all employees on AML/CTF obligations. Staff are required to understand:

• How to identify and report suspicious activity
• Procedures for customer identification
• Their responsibilities under the law

Training records are maintained to demonstrate compliance.

Policy Governance

This policy is reviewed annually or in response to:

• Changes in AML/CTF legislation
• Regulatory guidance
• Organisational or operational developments

The policy is approved by senior management and forms part of DAS Properties' wider compliance framework, including data protection and business ethics.

Cookies Policy

At DAS Properties and Investment Limited (“we”, “our”, or “us”), we are committed to protecting your personal information and ensuring transparency in how we use technology on our websites. This Cookies Policy explains how and why cookies and similar tracking technologies are used on our website and how you can control them.

What Are Cookies ?

Cookies are small text files that are downloaded to your device (computer, tablet, mobile) when you visit a website. They help the website recognize your device and store information about your preferences or past actions.

Cookies may be set by us (first-party cookies) or by third parties whose services we use (third-party cookies).

Why We Use Cookies

We use cookies to:

• Ensure our website functions properly
• Remember your preferences (e.g. language, location)
• Improve your browsing experience
• Analyse website traffic and usage patterns
• Support marketing efforts by tailoring content and ads

Cookies help us understand how visitors interact with our website and allow us to continually improve the experience.

Types of Cookies We Use

Type of Cookie	Purpose
Strictly Necessary	Essential for the functioning of our website and cannot be turned off.
Performance	Collect anonymous information on how visitors use our site (e.g. Google Analytics).
Functional	Remember choices you make to enhance functionality and personalization.
Targeting/Advertising	Used to deliver relevant advertisements and track the effectiveness of our marketing campaigns.

Third-Party Cookies

Some third-party services we use (e.g., Google Maps, YouTube, social media plugins, and advertising networks) may also set cookies on your device through our website. These cookies are governed by the privacy policies of those third parties.

Your Cookie Choices

Upon your first visit to our website, you will see a cookie consent banner. You can:

• Accept all cookies
• Customize your cookie preferences
• Reject non-essential cookies

You can also manage or delete cookies at any time through your browser settings. Please note that disabling some cookies may impact the functionality of our site.

To learn more about how to control cookies, visit:

• www.aboutcookies.org
• www.allaboutcookies.org

Data Protection & Your Privacy

Any personal data collected through cookies is processed in accordance with our Privacy Policy and in compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Nigeria Data Protection Regulation (NDPR).

Changes to This Cookies Policy

We may update this Cookies Policy from time to time. We encourage you to review this page periodically to stay informed about how we use cookies.

Contact Us

If you have any questions about our use of cookies or this policy, please contact us via:

info@daspropertiesinvest.co.uk