2025-03-01

Personal Data Protection Policy (PDPC)

The Central Bank of the Republic of Guinea (BCRG) has issued this Personal Data Protection Policy to establish comprehensive legal and operational standards for the collection, processing, retention, and security of personal data across its operations. The policy mandates strict compliance with Guinean cybersecurity laws and ECOWAS regulations, assigning clear responsibilities to the Data Controller, Data Protection Officer, employees, and external processors while guaranteeing data subjects' rights to access, rectification, and erasure. It further enforces transparent data handling practices, mandatory retention periods of at least ten years, and robust security measures for domestic disclosures, cross-border transfers, and breach management.


Guinea

Banque Centrale de la Republique de Guinee


==Page 1==

BCRG BCRG/DGCP/CC/PPDCP Personal Data Protection Policy (PDPC)

CENTRAL BANK OF THE REPUBLIC OF GUINEA (BCRG) No 014

PERSONAL DATA PROTECTION POLICY (PDPC)


==Page 2==


Document Title: Personal Data Protection Policy (PDPC)
Entity: Central Bank of the Republic of Guinea (BCRG)

History

| Version | Date | Author | Modification |
|---|---|---|---|
| 01 | 25/06/2022 | Compliance Unit / General Directorate for Permanent Control | Design |
| 02 | 16/08/2022 | AML/CFT Committee | Approval |
| 03 | 25/08/2022 | Risk Management Steering Committee | Validation |
| 04 | 31/03/2023 | Audit Committee | Validation |
| 05 | 06/10/2023 | Board of Directors | Adoption |

Definition of Acronyms and Abbreviations

| Acronyms and Abbreviations | Definition |
|---|---|
| BCRG | Central Bank of the Republic of Guinea |
| PPDAP | Personal Data Protection Policy |
| DAP | Personal Data |
| RCC | Head of Compliance Unit |
| DGCP | General Directorate for Permanent Control |
| CEDEAO | Economic Community of West African States |
| PDCP | Personal Data Protection |
| CPD | Data Protection Correspondent/Officer |
| LBC/FT | Anti-Money Laundering and Counter-Terrorist Financing |

==Page 3==

Definition of Terms

| No. | Terms | Definition |
|---|---|---|
| 1 | Personal Data | All information concerning an identified or identifiable natural or legal person. |
| 2 | Personal Data Protection | The set of legal and technical measures governing the collection, use, retention, and confidentiality of personal data. |
| 3 | Data Controller | Refers to the Central Bank of the Republic of Guinea (BCRG). |
| 4 | Data Processor | Refers to any natural or legal person processing personal data on behalf of the BCRG. |
| 5 | Employee | A person working at the BCRG, including (but not limited to) the Board of Directors, the Executive Office, the Monetary Policy Committee, the Approval Committee, the Audit Committee, executives and staff, and other employees (permanent, fixed-term, or temporary). |
| 6 | Data Subjects | Refers to the clients and/or partners of the BCRG. |
| 7 | Recipients | Refers to natural or legal persons who receive personal data from the BCRG. Data recipients may therefore be both BCRG employees and external entities (partners, banking institutions, service providers, etc.). |
| 8 | Data Protection Officer | Head of the Compliance Unit. |

==Page 4==

Preamble (p. 5)
I. Principles of the PDPC (p. 5)
II. Scope and Application (p. 6)
III. Object of the PDPC (p. 6)
IV. Regulatory Framework and Reference Standards (p. 6)
V. Guiding Principles (p. 6)
VI. Responsibilities (p. 7)
  1. Data Controller (p. 7)
  2. Data Protection Officer (p. 7)
  3. Employees and External Service Providers (p. 7)
  4. Data Processors (p. 7)
VII. Collection of Personal Data (p. 8)
  1. Types of Data Collected by the BCRG (p. 8)
  2. Use of Personal Data by the BCRG (p. 8)
VIII. Processing and Register of Processing Activities (p. 9)
IX. Disclosure of Personal Data to Third Parties (p. 10)
X. Transfer of Personal Data to Third Countries or International Organizations (p. 10)
XI. Retention Rules (Data Archiving) (p. 10)
XII. Security Measures and Management of Potential Breaches (p. 10)
XIII. Data Protection by Design and by Default (p. 11)
XIV. Rights of Data Subjects (p. 11)
XV. Training (p. 12)
XVI. Information of Data Subjects (p. 12)
XVII. Responsible for Implementation and Updates (p. 12)
XVIII. Sanctions and Disciplinary Measures (p. 12)
XIX. Entry into Force (p. 12)

==Page 5==

Preamble

The challenges associated with processing personal data, regulated by Law No. L/2016/037/AN of July 28, 2016, on cybersecurity and personal data protection in the Republic of Guinea, led the BCRG Government to incorporate them into the Compliance Unit's responsibilities.

It is therefore essential to define a personal data protection policy (PDPP), the contours of which are outlined in this document, stating the principles and guidelines governing the matter and ensuring the safeguarding of the rights of data subjects regarding processing activities carried out by the Central Bank of the Republic of Guinea.

This policy aims to provide information on the methods of collection, processing, and use of personal data, as well as on the rights available to all stakeholders regarding personal data protection in accordance with the Law on cybersecurity and personal data protection in the Republic of Guinea.

The policy strengthens the rights and obligations of data controllers, processors, data subjects, and data recipients.

I. Principles of the PDPC

The Personal Data Protection Law, in Article 19, mandates that the collection, registration, processing, storage, transmission, and interconnection of personal data files must be conducted lawfully and fairly.

In this context, the BCRG's personal data processing policy places the following principles at the core of its commitments:

  • A legal basis: the collection and processing of personal data are legitimate and rely on a determined legal foundation based on the pursued objective (or purpose) and the context in which processing occurs.
  • Data relevance: data collection and processing are adequate, relevant, and not excessive relative to the pursued objectives.
  • Retention period: a personal data retention period is defined based on the objectives of each processing activity and any applicable legal obligations.
  • Security and confidentiality: mindful of protecting and securing data, the BCRG takes all necessary measures to guarantee data confidentiality and prevent any intrusion, loss, or deterioration, as well as unauthorized disclosure. These measures are determined based on the risks associated with each processing activity (data sensitivity, processing objective, etc.).

==Page 6==

  • Transparency: the BCRG demonstrates transparency by informing data subjects, upon collection of their personal data, about how the BCRG uses and potentially shares them with third parties.
  • Respect for rights: respecting the rights of data subjects, the BCRG informs them of the purpose for which their data will be processed. Furthermore, they are informed about how to exercise their rights under current regulations: a right of access, rectification, erasure of data, and objection to collection for legitimate reasons.

II. Scope and Application

This policy applies without restriction to the personnel and partners of the BCRG.

Monitoring compliance with the principles stated herein is primarily the responsibility of operational functions within the first line of defense, followed by control-related functions, including Internal Control, Compliance, and Internal Audit.

III. Object of the Personal Data Protection Policy

This policy states the principles and guidelines applicable to the BCRG regarding personal data processing.

Its purpose is to define the conditions for processing personal data and to emphasize the obligations governing the BCRG regarding respect for the rights of data subjects (clients, staff members, partners, other counterparties, etc.) during processing and transfer of their data.

IV. Regulatory Framework and Reference Standards

This Policy falls within the framework of applying the following provisions:

  • Law No. L/2016/037/AN of July 28, 2016 on cybersecurity and personal data protection in the Republic of Guinea;
  • Additional Act A/SA.1/01/2010 on personal data protection in the ECOWAS area;
  • African Union Convention on cybersecurity and personal data protection;
  • BCRG Risk Management Policy;
  • BCRG Global Compliance Policy;
  • BCRG Information Classification Policy; and
  • BCRG Code of Ethics and Conduct.

V. Guiding Principles

The BCRG adheres to the following four (4) guiding principles:

  • Individual responsibility: compliance is everyone's concern and cannot be separated from the exercise of any professional activity within the bank or on its behalf, regardless of the mission or department to which each person belongs.

==Page 7==

The existence of a Compliance function within the BCRG cannot exempt anyone from their personal responsibility in the field of Personal Data Protection in particular, and of compliance in general.

  • Comprehensiveness: the Compliance entity's missions extend to all levels of the bank; to perform them under good conditions, it must have access to all necessary information across different departments.
  • Independence: compliance staff and correspondents within the bank perform their missions under conditions that guarantee their independence of judgment and action.
  • The "best practice" ethical rule: in the field of ethical standards, those adopted by the BCRG prevail over local rules when the latter are at a lower level of requirement and rigor.

VI. Responsibilities

1. Data Controller

In the course of its activities, the BCRG acts as the Data Controller for personal data entrusted to it, within the meaning of the definition in the Guinean Law on cybersecurity and personal data protection.

As Data Controller, the BCRG ensures that necessary measures are taken regarding compliance with legal requirements for personal data protection.

2. Data Protection Officer

Within the BCRG, the Head of the Compliance Unit serves as the Data Protection Officer (DPO). This appointment must be notified to the Authority responsible for Personal Data Protection.

The DPO is responsible for data protection, in accordance with the Personal Data Protection Law. Their role is to monitor the data protection method to ensure BCRG compliance with the law.

3. Employees and External Service Providers

Any person working for the BCRG, as an employee or external service provider, must comply with these personal data protection measures and obligations related to the legal framework.

4. Data Processors

Processors that process personal data on behalf of the BCRG (within the meaning of Articles 24 and 42 of the Data Protection Law) must respect, in particular, the obligations notified to them by the BCRG.

In certain cases, the BCRG itself acts as a processor for clients who entrust it with personal data processing. In this context, the BCRG commits to also comply with the requirements of Articles 24 and 42 of the Data Protection Law, as notified by its clients acting in their capacity as Data Controllers vis-à-vis the BCRG.

==Page 8==

VII. Collection of Personal Data

1. Types of Data Collected by the BCRG

The BCRG collects and processes personal data communicated by its clients, the representatives and beneficial owners of its corporate clients, its employees, partners, and suppliers, such as identification data, professional status, economic or banking information, as well as those generated during the use of subscribed accounts and products or while browsing its website or applications.

These include:

  • identification data: name, address, date of birth, nationality, identity documents, email address, phone number, number of dependents;
  • personal life data: interests, salaries and benefits; information on family members (spouse, children, etc.);
  • professional data: occupational status, job title;
  • economic and financial information: transaction data, taxation and residence, account number, income amount, tax brackets, asset valuation; economic and financial information of financial institutions;
  • connection data: identifier, electronic service passwords, IP address;
  • sensitive data: possible convictions, possibly health data;
  • telephone and electronic conversations and communications;
  • video surveillance data.

These Personal Data are collected:

  • directly from data subjects;
  • during the search or provision of information within partnership relationships;
  • during the contract subscription process and throughout contractual relationships;
  • or generated by the activities of clients, employees, partners, or third parties, from third parties and/or public sources when a legal obligation requires it.

2. Use of Personal Data by the BCRG

The BCRG collects and processes only personal data strictly necessary for the implementation of its activities. In the course of its activities, the BCRG uses personal data to:

  • effectively carry out its assigned missions;
  • comply with its national and international legal and regulatory obligations, such as anti-money laundering or counter-terrorist financing.

These uses are based on:

  • contractual relationships (banking, employment contract, service or purchase agreement, etc.);
  • legal and regulatory texts or legitimate interest;
  • consent for more specific uses.

==Page 9==

Furthermore, the BCRG retains Personal Data for at least 10 years from the end of the business relationship or the date of the transaction.

VIII. Processing and Register of Processing Activities

Data subjects (clients, representatives and beneficial owners of corporate clients, employees or third parties) are informed by this Policy that the personal data transmitted and necessary for the execution of operations and services concerning them are subject to processing.

These processing activities correspond to any operation or set of operations, whether manual or automated, applied to personal data or sets of personal data.

The Processing activities carried out by the BCRG have, in particular, the following purposes:

  • managing banking relationships with clients, including through statistical studies enabling the management of the BCRG-client relationship;
  • human resources management;
  • third-party relationships;
  • conducting opinion and personal statistical studies;
  • fraud prevention;
  • compliance with legal and regulatory obligations, particularly regarding operational risk management (including security of computer networks and transactions as well as the use of international payment networks, or retention/sub-retention of financial instruments), anti-money laundering and counter-terrorist financing, capital market obligations, and determination of tax status;
  • processing disputes, recoveries, and more generally payment incident management;
  • processing personal data generated by seriously reprehensible behaviors or acts;
  • recording conversations and communications with clients, regardless of medium (emails, faxes, telephone interviews, etc.), for the purpose of improving telephone reception, complying with legal and regulatory obligations related to capital markets, and securing transactions;
  • video surveillance.

As applicable, an information and consent form will be submitted for signature by the BCRG partner concerned by the processing, or a special information notice regarding personal data use will be marked at the bottom of paper and electronic media.

The BCRG maintains a register of personal data processing activities. The purpose of each processing activity, as well as the basis for its legitimacy, are defined in the register.

==Page 10==

This register is maintained over time based on various elements that may impact it, such as a new processing activity, modification of an existing one, or new regulations.

IX. Disclosure of Personal Data to Third Parties

The BCRG may be required to disclose personal data internally, as well as to its contractual partners, banking correspondents, public entities, processors, and service providers, within the limits necessary to carry out the processing activities described above.

The BCRG may also be required to disclose Personal Data, upon request, to official bodies and competent administrative or judicial authorities located within or outside the country, particularly in the context of anti-money laundering and counter-terrorist financing.

In case of disclosure to a third party, and particularly for exchanges with its Processors, the BCRG will take all measures provided by applicable regulations to preserve the confidentiality and security of the relevant Personal Data.

X. Transfer of Personal Data to Third Countries or International Organizations

Considering in particular the international nature of certain operations and to optimize service quality, the BCRG may transfer Personal Data to third countries or international organizations, whose legislation on personal data protection differs from that of ECOWAS and Guinea.

In such cases, the BCRG will ensure that transferred Personal Data are protected by appropriate contractual clauses.

These data transfers occur under conditions and guarantees designed to ensure the protection and security of Personal Data.

XI. Retention Rules (Data Archiving)

For all personal data processing activities, the BCRG implements retention rules (retention period and final disposition) to ensure that processed data are retained in production systems only for as long as necessary.

XII. Security Measures and Management of Potential Breaches

The core business of the BCRG is the security of its payment system, accounts, and client information, the implementation of monetary policy, and the stabilization of the financial system. Personal data confidentiality is ensured with the same level of rigor as the protection of its clients' and other counterparties' financial data.

In no case shall the data