Privacy Policy

To provide our services to you and deliver on our promises, Paelon Memorial Hospital Limited requires the use of certain personal data. This means that to access our services — whether onsite, offsite, or through our online platforms — we may require you to provide personal data to enable us to deliver a personalised experience.

In line with our commitment to preserve, protect, and safeguard your data privacy rights under our applicable statutory obligations and internationally recognised standards, we have provided the necessary information about how we collect, store, protect, and process your personal data.

This Privacy Policy outlines how you can control your data and how we manage, store, protect, share, retain, or delete your information. It will tell you about your privacy rights and how Nigerian law protects you.

This Privacy Policy is issued by Paelon Memorial Hospital Limited ("Paelon" or "the Hospital"). The words "we", "us", or "our" refer to Paelon Memorial Hospital Limited.

It is important that you read this Privacy Policy together with any other privacy notice or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data.

By completing the consent form at the end of this document or ticking the consent box on our forms, you agree to all the terms of this Privacy Policy, allowing us to utilise your data to provide you with the best possible experience.

This Privacy Policy supplements other notices and policies and is not intended to override them.

This Privacy Policy applies to personal data collected and processed in connection with the business of Paelon Memorial Hospital Limited. It sets out the Hospital's approach to personal data received from persons accessing any of our services, whether in person, online, or through third-party referrals.

We collect Personal Data — any information that relates to an identified or identifiable living individual, or pieces of information which, if combined, can lead to the identification of a person. This includes data such as name, email address, phone number, home address, and identification numbers. It does not include anonymised data.

The specific categories of personal data we may collect include:

We collect data through the following means:

• Direct Interactions: When you register as a patient, fill in forms, correspond with us by phone, email, or in person, or use our services directly.
• Automated Technologies: As you interact with our website, we may automatically collect technical data about your device and browsing behaviour using cookies and similar technologies.
• Third Parties: We may receive your data from employers, health maintenance organisations, referral sources, or publicly available sources where you have legally provided consent for such sharing.

We do not use your data for any purpose beyond those listed in this policy, and we do not sell, lend, or rent your personal data to any third parties.

• To process your requests and provide you with our healthcare services.
• To communicate with you regarding your treatment, care plan, and related services.
• To enable you to receive benefits with third parties such as health insurance or pre-employment medical checks.
• To respond to queries and resolve problems related to our services.
• To meet our legal and regulatory obligations under Nigerian law.
• To maintain accurate and up-to-date medical and administrative records.

Under the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR), we process personal data under one or more of the following lawful bases:

• Consent — You have given clear consent for us to process your data for a specific purpose.
• Contract — Processing is necessary for the performance of a contract with you.
• Legal Obligation — Processing is necessary to comply with the law.
• Vital Interests — Processing is necessary to protect someone's life.
• Public Interest — Processing is necessary for public health or safety purposes.
• Legitimate Interests — Processing is necessary for our legitimate interests, provided these are not overridden by your rights.

While we primarily process your data with your consent, we may rely on any of the above bases depending on the circumstances.

You have the right to limit the data you provide to us. In addition, you have the following rights under the NDPA:

• 1Request access to personal data we hold about you.
• 2Request correction of inaccurate or outdated personal data.
• 3Request restriction of how we process your data.
• 4Request partial or complete erasure of your personal data.
• 5Object to processing of your data for direct marketing purposes.
• 6Object to automated decision-making that significantly affects you.
• 7Request the transfer (portability) of your personal data to another party.
• 8Withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact our Data Protection Officer using the details in Section 12.

It may be necessary to share your personal data with the following third parties, and we will seek your consent before doing so:

• Corporate entities (where you are an employee referred for medical services)
• National Health Insurance Authority (NHIA) or other regulatory bodies
• Health Maintenance Organisations (HMOs)
• Service providers acting on our behalf
• Law enforcement agencies or government officials, where required by law

We do not share your personal data without your authorisation except where required by law or contract. We do not sell your data to any party for commercial purposes.

We maintain appropriate technical and organisational security measures to prevent your data from being accidentally lost, accessed without authorisation, or misused. Access to your personal data is limited to authorised personnel on a strict need-to-know basis.

We have procedures in place to handle suspected personal data breaches and will notify you and any applicable regulator — including the Nigeria Data Protection Commission (NDPC) — where legally required to do so, within the timeframes stipulated by law.

While no system is entirely immune to security threats, we commit to taking all reasonable and proportionate measures to protect your data.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying legal, accounting, or regulatory requirements. Once there is no further lawful basis to retain your data, it will be securely deleted or destroyed.

We review this Privacy Policy regularly and may update it from time to time. The current version was last updated in March 2026 and supersedes all previous versions. Any material changes will be communicated to you where reasonably practicable.

Please ensure that the personal data you provide to us remains accurate and up to date. Notify us promptly if any of your details change during your relationship with us.

For any queries relating to your data or this Privacy Policy, please contact our Data Protection Officer: