Privacy Policy
OLANUSI GLOBAL ENTERPRISE LIMITED
PRIVACY INFORMATION MANAGEMENT SYSTEM (PIMS)
Privacy Policy Document
---
Document Code: PIMS_Privacy_Policy_001
Version: 1.0
Date of Version: April 12, 2026
---
TABLE OF CONTENTS
SECTION 1: PRIVACY POLICY
1. INTRODUCTION AND GDPR/NDPA REQUIREMENTS ........................................... 4
1.1 Introduction ................................................................................................ 4
1.2 GDPR/NDPA Requirements ....................................................................... 4
1.3 Data Protection by Design .......................................................................... 4
1.4 Privacy by Design and Default Principles .................................................. 5
1.5 Privacy by Design and Default Checklist ................................................... 5
1.6 Annexure A – PbD Guidelines .................................................................... 7
---
SECTION 2: DATA PROTECTION POLICY
2. INTRODUCTION ................................................................................................ 9
2.1 Purpose ...................................................................................................... 9
2.2 Scope ........................................................................................................ 10
2.3 List of Referenced Privacy Policy and Procedures .................................. 10
3. PRIVACY AND GENERAL DATA PROTECTION POLICY ...................................... 11
3.1 The General Data Protection Regulation ................................................. 11
3.2 Definitions ................................................................................................ 11
4. ROLES AND RESPONSIBILITIES ....................................................................... 13
4.1 Data Controller ......................................................................................... 13
4.2 Data Processor ......................................................................................... 14
4.3 Data Privacy Officer ................................................................................. 14
5. PRIVACY GOVERNANCE ................................................................................... 15
5.1 Quarterly Privacy Meetings ..................................................................... 15
5.2 DPO ........................................................................................................... 15
5.3 Privacy Officer .......................................................................................... 16
6. PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA ......................... 17
6.1 Six Principles of NDPA/GDPR ................................................................. 17
6.2 Specifics about Important Principles ...................................................... 18
7. RIGHTS OF THE INDIVIDUAL ............................................................................ 19
8. LAWFULNESS OF PROCESSING ........................................................................ 20
8.1 Consent .................................................................................................... 20
8.2 Performance of a Contract ...................................................................... 21
8.3 Legal Obligations .................................................................................... 21
8.4 Vital Interests of the Data Subject .......................................................... 21
8.5 Task Carried Out in Public Interest ........................................................ 21
8.6 Legitimate Interests ................................................................................. 22
9. DATA MAPPING AND DATA INVENTORY ......................................................... 22
10. DATA PROTECTION IMPACT ASSESSMENT ..................................................... 23
11. PRIVACY BY DESIGN ........................................................................................ 23
12. TECHNICAL AND SECURITY MEASURES ......................................................... 24
13. DATA SHARING AND CROSS BORDER .............................................................. 24
14. DATA PROTECTION OFFICER ........................................................................... 25
15. BREACH NOTIFICATION ................................................................................... 25
16. ADDRESSING COMPLIANCE WITH THE NDPA AND GDPR ............................... 26
17. TRAINING ......................................................................................................... 27
18. SELF-ASSESSMENT ......................................................................................... 27
19. ENFORCEMENT ................................................................................................ 28
20. ANNEXURE – ROLES AND RESPONSIBILITIES .................................................. 29
---
SECTION 3: CROSS-BORDER PROCESSING OR TRANSFERS OF PERSONAL DATA
21. PURPOSE AND SCOPE ..................................................................................... 33
21.1 Reference Documents ............................................................................. 33
21.2 Background ............................................................................................ 33
22. CROSS-BORDER PROCESSING ........................................................................ 34
23. TRANSFERS OF PERSONAL DATA .................................................................... 35
23.1 Transfers within Nigeria .......................................................................... 35
23.2 Transfers outside Nigeria ........................................................................ 35
23.3 Transfers Based on an Adequacy Decision ........................................... 35
23.4 Transfers Subject to Appropriate Safeguards ........................................ 36
23.5 Exceptions to the Prohibition on Transfers Outside Nigeria ................. 36
23.6 Infrequent / Limited Transfers ................................................................ 37
24. OTHER PROVISIONS RELATING TO TRANSFERS OF PERSONAL DATA ............. 38
24.1 Right to Information & Access ................................................................ 38
24.2 Future Developments ............................................................................. 38
---
SECTION 4: DATA RETENTION POLICY
25. PURPOSE AND SCOPE ..................................................................................... 39
25.1 Purpose .................................................................................................... 39
25.2 Scope ...................................................................................................... 39
26. POLICY STANDARDS ........................................................................................ 40
26.1 Retention ................................................................................................ 40
26.2 Retention Periods .................................................................................. 41
26.3 Expiration of the Retention Period ........................................................ 41
26.4 Destruction and Data Disposal ............................................................... 42
26.5 Obligations to Data Subjects under NDPA 2023 and GDPR .................. 42
26.6 Destruction Log ...................................................................................... 43
27. ANNEXURE A - APPROVED RETENTION PERIODS ........................................... 43
27.1 Non-Personal Data ................................................................................. 43
27.2 Personal Data ......................................................................................... 43
---
SECTION 5: DATA CLASSIFICATION POLICY
28. PURPOSE ......................................................................................................... 44
29. SCOPE .............................................................................................................. 44
30. POLICY ............................................................................................................ 44
30.1 Restricted ............................................................................................... 44
30.2 Sensitive ................................................................................................. 44
30.3 Open ...................................................................................................... 45
---
SECTION 6: COOKIES POLICY
31. PURPOSE ......................................................................................................... 46
32. DESCRIPTION .................................................................................................. 46
32.1 What are Cookies and Similar Technologies? ........................................ 46
32.2 What are the Different Types of Cookies? ............................................. 47
32.3 What are Cookies Used For? ................................................................. 48
32.4 How Does the Organization Use Cookies? ............................................. 49
32.5 How Can Users Manage or Opt Out of Cookies? .................................. 51
32.6 Further Information and Contact Details ............................................... 52
---
SECTION 1: PRIVACY POLICY
---
1. INTRODUCTION AND GDPR/NDPA 2023 REQUIREMENTS
1.1 INTRODUCTION
The Privacy by Design (PbD) principle means that privacy and data protection are embedded throughout the life cycle of technologies, from the early design stage to their deployment, use and ultimate disposal. This in particular means that data protection must be at the heart of an organization's internal processes.
1.2 GDPR/NDPA REQUIREMENTS
Data Protection by Design
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. It means building privacy into the design, operation and management of IT systems, networks and business processes.
As per GDPR, "the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, effectively"
Examples of how to achieve Privacy by Design requirements:
- Minimizing the processing of personal data
- Pseudonymizing personal data as soon as possible
- Transparency concerning the functions and processing of personal data
- Enabling the data subject to monitor the data processing
- Enabling the controller to create and improve security features
- Staff training
In particular, Article 25 specifically focuses on data minimization. It says that for data protection, organizations should implement and practice methods of data minimization by default.
As per GDPR, "the controller shall implement technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed."
This obligation applies to:
- The amount of personal data collected
- The extent of their processing
- The period of their storage
- Their accessibility
In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
Data protection by default encourages organizations to apply the strictest privacy settings to a particular product or service at the outset of when that product or service is made available.
---
1.3 PRIVACY BY DESIGN AND DEFAULT PRINCIPLES
Proactive not Reactive; Preventative not Remedial
- Privacy should be part of the complete lifecycle of the project/software development and start early to prevent data breaches.
Privacy as the DEFAULT
- Most data protection-friendly pre-settings
- Personal data must be protected without action from the individual. GDPR has specific requirements to ensure the data subject does not have to take action to protect their data.
Privacy Embedded into the Design
- Privacy Controls should be embedded in the architecture of IT systems, operations, and business processes without lessening functionality for the User.
Full Functionality
- Ensure that full functionality is available to users without affecting their privacy and data security
End-to-End Security: Lifecycle Protection
- Early pseudonymization
- Embed Privacy and Data Protection into systems throughout the data lifecycle from Collection to Destruction.
Visibility and Transparency
- Transparency of privacy and data protection policies to the data subjects
- Respect for User Privacy
---
1.4 PRIVACY BY DESIGN AND DEFAULT CHECKLIST
- Before any new application or process is implemented, a DPIA shall be carried out.
- In addition to a DPIA, the Privacy Team shall also ensure compliance with Privacy by design/default guidelines detailed in Annexure A – PbD Guidelines.
- The PbD Checklist (attached separately) shall be completed for each assessment of Privacy by Design and Default.
---
1.5 ANNEXURE A – PbD GUIDELINES
| PbD PRINCIPLE / AREA | REQUIREMENT |
|----------------------|-------------|
| Proactive, Not Reactive | • The project should identify the assignment of responsibility and accountability for privacy in the organization, and privacy training program(s).<br>• Assignment of privacy resources to the software project, recording who is responsible, accountable, consulted, or informed for various privacy-related tasks.<br>• Reference all external sources of privacy requirements, including policies, principles, and regulations.<br>• Identify and include privacy requirements specific to the service/product being engineered, and anticipated deployment environments.<br>• As part of DPIA, include privacy risk/threat model(s) including analysis and risk identification, risk prioritization, and controls mapped to risks. |
| Privacy as Default | • List all [categories of] data subjects as a stakeholder.<br>• Document the purposes for collection and processing, including retention of personal data.<br>• Document expressive models of detailed data flows, processes, and behaviours for use cases or user stories associated with internal software projects and all data/process interaction with external platforms, systems, APIs, and/or imported code.<br>• Describe the selection of privacy controls and privacy services/APIs and where they apply to privacy functional requirements and risks.<br>• Include software retirement plan from a privacy viewpoint. |
| Privacy Embedded into Design | • Have Privacy sections in BRD/FSD/SSD.<br>• Contain description of business model showing traceability of personal data flows for any data collected through new software services under development.<br>• Describe privacy UI/UX design.<br>• Include human sign-offs/privacy checklists for software engineering artefacts.<br>• Show tests for meeting privacy objectives, in terms of the operation and effectiveness of implemented privacy controls or services. |
| Other Aspects | • Ensure data minimization as part of software development.<br>• Minimize replication of personal data in log tables, user tables and other database tables/archives.<br>• Avoid archives that retain personal data for extended period.<br>• Ensure that backups are not held across any storage device for more than 1-2 months. |
---
SECTION 2: DATA PROTECTION POLICY
---
2. INTRODUCTION
Data protection is safeguarding the rights of individuals about the processing of personal data, in both paper and electronic format.
At OLANUSI GLOBAL ENTERPRISE LIMITED we operate for our citizens and those with dual nationality. Given data protection requirements, it requires us to comply with the Nigerian Data Protection Act 2023 (NDPA) and General Data Protection Regulation (GDPR) on collection, processing, use and disposal of personal data and sensitive personal data.
In its everyday operations, OLANUSI GLOBAL ENTERPRISE LIMITED makes use of a variety of data about identifiable individuals, including data about:
- Citizens
- Current and past employees
- Users on our websites
- Subscribers
- Other stakeholders
In collecting and using this data, the Organization is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.
2.1 PURPOSE
The purpose of this policy is to set out the relevant legislation and to describe the steps OLANUSI GLOBAL ENTERPRISE LIMITED is taking to ensure that it complies with it.
The policy helps to protect the rights and privacy of individuals by NDPA/GDPR. The policy also sets out the process and the framework according to ISO 27701 Privacy Information Management System (PIMS) within which to collect, use and protect Personal and Sensitive Data.
2.2 SCOPE
The control applies to all systems, people and processes that constitute the Organization's information systems, including Board members, Directors, Employees, Suppliers and other third parties who have access to the Organization's systems.
2.3 LIST OF REFERENCED PRIVACY POLICY AND PROCEDURES
The following policies and procedures are incorporated by reference and which are relevant to this document:
- Data Protection Impact Assessment Process
- Data Breach Procedure
- Personal Data Mapping Procedure
- Legitimate Interest Assessment Procedure
- Information Security Incident Response Procedure
- GDPR Roles & Responsibilities
- Records, Retention and Protection Policy
- Change Management Policy
---
3. PRIVACY AND GENERAL DATA PROTECTION POLICY
3.1 THE NIGERIAN DATA PROTECTION ACT 2023 (NDPA) AND GENERAL DATA PROTECTION REGULATIONS
The NDPA, and General Data Protection Regulation 2016 (GDPR) are among the most significant pieces of regulations affecting the way the Organization carries out its information processing activities. Significant fines are applicable if a breach is deemed to have occurred under the NDPA/GDPR, which is designed to protect the personal data of citizens and others. It is the Organization's policy to ensure that our compliance with the NDPA/GDPR and other relevant legislation is clear and demonstrable at all times.
3.2 DEFINITIONS
There are a total of 26 definitions listed within the NDPA/GDPR and it is not appropriate to reproduce them all here. However, the most fundamental definitions concerning this policy are as follows:
Data Subject
Data subject shall mean the individual about which the Organization is holding information; which could be the Organization's employees, clients, citizens and other third parties such as contractors, suppliers, Agencies/Depts. of the Government and International Agencies.
Personal Data
Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing
Any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the Nigerian Government through the NDPA Act 2023 or EU or Member State law or the controller.
The specific criteria for its nomination may be provided by the NDPA Act 2023 or EU or Member State law.
Sensitive Personal Data
Sensitive Personal Data shall mean personal data about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings. The Organization does not accept, store, process or transmit any sensitive personal data, only for census and other socio-political and economic activities.
Data Controller
A Data Controller is an identified employee within the Organization who is authorized by the Organization's top management to control the collection, storage, transmission and use of personal information within the Organization, as per the NDPA and GDPR. The roles and responsibilities of the Data Controller are listed in this policy.
Data Processor
A Data Processor is an identified employee within the Organization who is authorized by Organization management to process personal data as instructed by a data controller (which can be the client of the Organization) for specific purposes.
---
4. ROLES AND RESPONSIBILITIES
NDPA and GDPR mandate that organizations such as OLANUSI GLOBAL ENTERPRISE LIMITED define roles and responsibilities that are required by the regulations. Due to its operations, the Organization carries out the role of Data Controller and Data Processor.
Apart from a Data Controller and Data Processor, the Organization shall also identify a staff with roles and responsibilities similar to a DPO, to discharge OLANUSI GLOBAL ENTERPRISE LIMITED obligations under the NDPA and GDPR. This individual shall be named as a Data Privacy Officer.
4.1 DATA CONTROLLER
The Organization is a data controller as it controls and is responsible for the keeping and use of personal information on its Information Assets or in structured manual files.
The Organization shall identify an authorized employee or a Consultant to carry out the roles and responsibilities of the Data Controller.
The key responsibility of a controller is to be accountable and to take actions in line with legal and regulatory requirements, and to be able to explain the compliance of OLANUSI GLOBAL ENTERPRISE LIMITED with NDPA and GDPR to its data subjects and the NDPC or other supervisory Authority, as and when required.
4.2 DATA PROCESSOR
The Organization is also a data processor when it processes data on behalf of a data controller (when data is provided by a client). Data processors are also referred to as third party. The key responsibility of the processor is to ensure that conditions specified by the data controller are always met and that obligations stated in NDPA and GDPR are complied with.
4.3 DATA PRIVACY OFFICER
The Organization must appoint a Data Protection Officer as:
- Core operational activities of the Organization do require large-scale, regular and systematic monitoring of individuals, such as online behaviour tracking etc.
- Core operational activities of the Organization do not require large-scale processing of special categories of data or data relating to criminal convictions and offences.
However, as a good practice, the Organization has appointed a DPO, to discharge the Organization's obligations under the NDPA and GDPR. This individual/third party shall be named as a Data Privacy Officer.
---
5. PRIVACY GOVERNANCE
5.1 QUARTERLY PRIVACY MEETINGS
DPO
The Data Protection Officer (DPO) is a mandatory requirement of NDPA and GDPR. This role is mandatory for the Organization as it:
- Carries out large-scale, regular and systematic activities that monitor individuals (for example, online behaviour tracking) to achieve its operational objectives
- Carries out large-scale processing of special categories of data or data relating to criminal convictions and offences.
DPO is responsible for assisting the Organization in monitoring internal compliance, informing and advising on data protection obligations, providing advice regarding Data Protection Impact Assessments (DPIAs) and acting as a contact point for data subjects and the supervisory authority.
GUUT Technologies Limited is appointed as a Data Privacy Officer in the Organization.
5.2 PRIVACY OFFICER
The Data Privacy Officer is an identified employee within the Organization who is authorized by the Organization's management to carry out its obligations under NDPA and GDPR. The Data Privacy Officer's roles and responsibilities are similar to a DPO, to discharge Organization's obligations under the NDPA and GDPR.
Position of the DPO in the Organization
The DPO is an integral part of the Organization, making the Organization ideally placed to ensure compliance. Nevertheless, the DPO can perform as assigned to an individual duties independently.
In the Nigerian socio-political-economic environment and other EU institutions and bodies, there are several assurances guaranteeing this independence:
1. The applicable rules for the NDPA Act and other international institutions and bodies expressly provide that the DPO does not receive any instructions regarding the performance of his/her duties.
2. There must not be a conflict of interest between the duties of the individual as a DPO and his/her other duties, if any.
3. The Organization must offer staff and resources to support the DPO in carrying out his/her duties. Access to resources also includes training facilities.
4. The DPO shall have the authority to investigate.
5. A minimum term of appointment and strict conditions for dismissal shall be set out by the Organization for the DPO post.
The DPO is appointed for five (5) years.
---
6. PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA
6.1 SIX PRINCIPLES OF NDPA AND GDPR
There are several fundamental principles upon which the NDPA and GDPR are based. The legislation places a responsibility on every data controller to process any personal data by the following principles:
1. Lawfulness, Fairness and Transparency: The data is processed lawfully, fairly and in a transparent manner in relation to the data subject.
2. Purpose Limitation: Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, by Article 89(1), not be considered to be incompatible with the initial purposes.
3. Data Minimization: Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Accuracy: Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay.
5. Storage Limitation: Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes by Article 89(1) subject to implementation of the appropriate technical and organizational measures required by NDPA and GDPR to safeguard the rights and freedoms of the data subject.
6. Integrity and Confidentiality: Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures.
The Organization will ensure that it complies with all of these principles both in the processing it currently carries out and as part of the introduction of new methods of processing such as new IT systems.
6.2 SPECIFICS ABOUT IMPORTANT PRINCIPLES
Transparency and Fairness – Privacy Notice
The new regulatory environment demands higher transparency and accountability in how organizations manage and use personal data. It also accords new and stronger rights for individuals to understand and control that use.
The NDPA and GDPR contain provisions that the Organization shall need to be aware of as data controllers, including provisions intended to enhance the protection of our customer's data.
Regarding Data Collection, the Organization shall ensure:
- Privacy notices are written in a clear, plain way that our stakeholders shall understand.
- Any forms used to gather data on an individual shall contain a statement (fair collection statement) explaining the use of that data, how the data may be disclosed and also indicate whether or not the individual needs to consent to the processing.
Accuracy and Relevance
The Organization shall ensure that any personal data processed is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. The Organization shall not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this. Individuals may ask that we correct inaccurate personal data relating to them.
Data Deletion
The Organization has a process to dispose of records that have reached the end of the minimum retention, in line with the Information Asset Handling Policy.
Data Retention
The Organization retains personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but if relevant, the length of retention will be determined in a manner consistent with published legal and regulatory data retention guidelines.
---
7. RIGHTS OF THE INDIVIDUAL
The data subject also has rights under the NDPA and GDPR. These consist of:
1. The Right to be Informed
2. The Right to Access
3. The Right to Rectification
4. The Right to Erasure
5. The Right to Restrict Processing
6. The Right to Data Portability
7. The Right to Object
8. The Right to automated decision-making and profiling
Each of these rights is supported by appropriate procedures within the Organization that allow the required action to be taken within the timescales stated in the GDPR. These timescales are shown in the table below:
| DATA SUBJECT REQUEST | TIMESCALE |
|----------------------|-----------|
| The Right to be informed | When data is collected (if supplied by the data subject) or within one month (if not supplied by the data subject) |
| The Right to Access | One Month |
| The Right to Rectification | One Month |
| The Right to Erasure | Without Undue Delay |
| The Right to Restrict Processing | Without Undue Delay |
| The Right to Data Portability | One Month |
| The Right to Object | On receipt of objection |
| The Right with automated decision making and profiling | Not specified |
- The Organization upon request from a data subject, shall provide a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals.
- The Organization will also allow a data subject request to transfer their data directly to another system.
- The Organization will take one month to provide a full response to the data subject. Data subjects can be encouraged to submit requests during term time but are under no legal obligation to do so.
---
8. LAWFULNESS OF PROCESSING
There are six alternative ways in which the lawfulness of a specific case of processing of personal data may be established under the NDPA and GDPR. It is the Organization's policy to identify the appropriate basis for processing and to document it, under the Regulations. The options are described in brief in the following sections.
8.1 CONSENT
Unless it is necessary for a reason allowable under the NDPA and GDPR, the Organization will always obtain explicit consent from a data subject to collect and process their data.
- In the case of children below the age of 16 (a lower age may be allowable in the NDPA Acts 2023 and specific EU member states) parental consent will be obtained.
- Transparent information about our usage of their data will be provided to data subjects at the time that consent is obtained and their rights about their data explained, such as the right to withdraw consent. This information will be provided in an accessible form, written in clear language and free of charge.
- If the personal data are not obtained directly from the data subject, then this information will be provided to the data subject within a reasonable period after the data are obtained and definitely within a month.
Consent as a basis for processing
- The Organization shall ensure that individuals' 'consent' to process their data is accepted explicitly and is freely given, as a specific, informed and unambiguous indication of the individual's wishes.
- The consent shall be provided by a clear affirmative action and shall signify an agreement to the processing of their data.
- The data subject is allowed to withdraw their consent at any time.
- All consents shall be recorded and stored.
- Non-response to a communication shall not be considered as consent.
- The Controller shall be able to demonstrate that consent was obtained for the processing operation.
- Currently, the Organization does not process sensitive data. In case sensitive data is being collected, explicit written consent of individuals shall be obtained unless an alternative legitimate basis for processing exists.
8.2 PERFORMANCE OF A CONTRACT
Where the personal data collected and processed are required to fulfil a contract with the data subject, explicit consent is not required. This will often be the case where the contract cannot be completed without the personal data in question; e.g. a delivery cannot be made without an address to deliver to.
8.3 LEGAL OBLIGATIONS
If the personal data is required to be collected and processed to comply with the law, then explicit consent is not required. This may be the case for some data related to employment and taxation for example and many areas addressed by the public sector.
8.4 VITAL INTERESTS OF THE DATA SUBJECT
In a case where personal data are required to protect the vital interest of the data subject or another natural person, then this may be used as the lawful basis of the processing.
The Organization will retain reasonable documented evidence that this is the case, whenever this reason is used as a lawful basis for the processing of personal data. For example, this may be used in aspects of social care, particularly in the public sector.
8.5 TASK CARRIED OUT IN PUBLIC INTEREST
Where the Organization needs to carry out a task that it believes is in public interest or as part of an official duty then the data subject's consent will not be requested. The assessment of the public interest or official duty will be documented and made available as evidence where required.
8.6 LEGITIMATE INTERESTS
If the processing of specific personal data is in the legitimate interests of the Organization and is judged not to affect the rights and freedom of the data subject in a significant way, then this may be defined as the lawful reason for the processing. Again the reasoning behind this view will be documented.
---
9. DATA MAPPING AND DATA INVENTORY
The Organization shall maintain a record and maintain a data processing inventory. This is a formal list of the processing activities and their purpose. The Organization shall ensure that this Data Processing list is aligned with the Organization's operations. Maintaining such a Data processing inventory is a requirement under NDPA and GDPR…….and Article 30 respectively.
These records may contain:
- The name and contact details of the controller
- Controller's representative and the data protection officer (if applicable)
- Purposes of the processing
- Description of the categories of data subjects and the categories of personal data
- Categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations
- Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, along with the documentation of suitable safeguards
- Envisaged time limits for the erasure of the different categories of data
- A general description of the technical and organizational security measures referred to.
---
10. DATA PROTECTION IMPACT ASSESSMENT
The Organization shall conduct a Data Protection Impact Assessment ("DPIA") to identify and minimize the privacy risks of ongoing or new projects or policies, to ensure that potential problems are identified at an early stage, and to address them at the earliest without any impact to the Organization.
The Organization shall conduct DPIA as defined by the Organization Procedure for Data Protection Impact Assessment.
---
11. PRIVACY BY DESIGN
The Organization has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of one or more data protection impact assessments.
Privacy by design is an approach to projects that promote privacy and data protection compliance from the start. The Data Controller shall be responsible for ensuring that all data security processes and projects commence with a privacy plan. When relevant, and when it does not hurt the data subject, privacy settings shall be set to the most private by default.
The data protection impact assessment will include:
- Consideration of how personal data will be processed and for what purposes
- Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)
- Assessment of the risks to Individuals in processing the personal data
- What controls are necessary to address the identified risks and demonstrate compliance with the legislation?
Note: Use of techniques such as data minimization and Pseudonymization will be considered where applicable and appropriate.
---
12. TECHNICAL AND SECURITY MEASURES
The Organization protects its personnel against loss or misuse. When other organizations process personal data as a service on behalf of the Organization, the Data Controller shall establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third-party organizations.
---
13. DATA SHARING AND CROSS BORDER
The Organization will ensure that all relationships it enters into that involve the processing of personal data are subject to a documented contract that includes the specific information and terms required by the NDPA and GDPR.
INTERNATIONAL TRANSFERS OF PERSONAL DATA
Transfers of personal data outside Nigeria will be carefully reviewed before the transfer takes place to ensure that they fall within the limits imposed by the NDPA and GDPR. This depends partly on the jurisdiction judgment as to the adequacy of the safeguards for personal data applicable in the receiving country and this may change over time.
Intra Group International Data transfers will be subject to legally binding agreements referred to as binding Corporate Rules (BCR) which provide enforceable rights for data subjects.
---
14. DATA PROTECTION OFFICER
A defined role of Data Protection Officer (DPO) is required under the NDPA and GDPR at the Organization:
- Performs large-scale monitoring
- Processes particularly sensitive types of data on a large scale.
The DPO is required to have an appropriate level of knowledge and can either be an in-house resource or outsourced to an appropriate service provider.
---
15. BREACH NOTIFICATION
It is the Organization's policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data.
In line with the NDPA and GDPR where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours.
This will be managed by our information security incident response procedure which sets out the overall process of handling information security incidents.
The Organization has established a formal Data Breach Procedure.
All staff shall be trained to follow the Data Breach Procedure.
---
16. ADDRESSING COMPLIANCE WITH THE NDPA AND GDPR
The following actions are undertaken to ensure that the Organization complies at all times with the accountability principles of NDPA and GDPR:
- The legal basis for processing personal data is clear and unambiguous
- A Data Protection Officer is appointed with the specific responsibility for data protection in the Organization if required
- All staff involved in handling personal data understand their responsibilities for following good data protection practice
- Training in Data Protection has been provided to all staff
- Rules regarding consent are followed
- Routes are available to Data Subjects wishing to exercise their rights regarding personal data and such enquiries are handled effectively
- Regular reviews of procedures involving personal data are carried out
- Privacy by Design is adopted for all new or changed systems and processes
- The following documentation of processing activities is recorded:
- Organization name and relevant details
- Purposes of personal data processing
- Categories of individuals and personal data process
- Categories of personal data recipients
- Agreements and mechanisms for transfers of personal data to Non-EU countries including details of controls in place
- Personal data retention schedules
- Relevant technical and organizational controls in place.
These actions are reviewed regularly as a part of the management process concerned with Data Protection.
---
17. TRAINING
All the staff of the Organization shall receive training on this policy. New joiners will receive training as part of the induction process. Further training shall be provided at least once a year or whenever there is a substantial change in the law or our policy and procedure.
Training is provided through an in-house session regularly.
Training shall cover:
- The law relating to data protection
- The Organization's data protection and related policies and procedures.
Completion of training is mandatory for all staff of the Organization.
---
18. SELF-ASSESSMENT
The Organization has established an internal process of review and self-assessment to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of confidential and personal data.
Decisions on data collection and release to third parties for processing are subject to detailed assessment and approval of senior management.
The following activities are strictly monitored and reviewed:
- Who is requesting the data
- Purpose for which it is required
- Category of personal data requested
- Arrangements in place to store and handle the data
- Performance of data processors.
The Organization shall formally conduct an audit covering areas of data processing such as what data is held, where it is stored, how it is used, who is managing it - and any other data processing activities that may be relevant.
---
19. ENFORCEMENT
- All employees (permanent or temporary) shall comply with the conditions of use set out in the Policy.
- Breaches of this policy and/or security incidents can be defined as events which could have resulted in, the loss, alteration or unauthorized deletion of personal data of the Organization's stakeholders.
- All employees are responsible for reporting security incidents and breaches of this policy as quickly as possible through the Organization Incident Reporting Procedure. This obligation also extends to any external organization contracted to support or access the Organization Information Systems.
- If the Organization becomes aware of any criminal conduct or an alleged breach of this Policy, then the Organization shall take action as stipulated by NDPA and GDPR.
---
20. ANNEXURE – ROLES AND RESPONSIBILITIES DATA CONTROLLER'S ROLES AND RESPONSIBILITIES
- When personal data has been collected, provide data subjects with relevant details such as the purpose of processing the data, recipients of the data, and the period for which the data shall be stored.
- When personal data has not been collected, provide data subjects with relevant details such as the purpose of processing the data, recipients of the data, and the period for which the data shall be stored.
- Implement measures to safeguard the data subject's rights to contest decisions that were based on automated data processing, including profiling
- Establish appropriate data protection policies
- Create binding corporate rules to regulate the international transfers of personal data and have these rules approved by the supervisory authority
- Document any personal data breaches
- Conduct assessments, and implement appropriate safeguards before transferring personal data to a third country or international organization
- Adhere to codes of conduct or certification mechanisms to demonstrate compliance with data protection requirements
- Implement technical and organizational measures to minimize the collection and processing of data
- Demonstrate compliance with data minimization and protection principles
- Implement measures to ensure the confidentiality, integrity, availability, and resilience of processing systems and services
- Ensure ongoing testing, assessment, and evaluation of the effectiveness of data security measures
- Adhere to codes of conduct or certification mechanisms to demonstrate compliance with data security requirements
- Conduct a Data Protection Impact Assessment (DPIA) when a data processing activity is likely to result in a high-risk
- Perform reviews to assess if data is being processed by DPIAs
- Conduct data protection audits to verify compliance with binding corporate rules
- Respond to requests for information from data subjects promptly
- Respond to requests from data subjects on their right to access their data, and to lodge a complaint with the supervisory authority
- Respond to requests from data subjects on their right to rectify any data that is inaccurate or incomplete
- Respond to requests from data subjects on their right to be forgotten
- Respond to requests from data subjects on their right to restrict the processing of data under specific conditions
- Notify data subjects on the actions taken to rectify or erase personal data, or restrict data processing
- Respond to objections from data subjects on the processing of personal data
- Ensure that automated decision-making does not extend to special categories of personal data, unless suitable measures are in place to safeguard the data subject's rights
- Notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it
- Notify data subjects of personal data breaches without undue delay
- Consult the supervisory authority when a DPIA indicates that processing would result in a high-risk
- Ensure that DPOs can manage requests from data subjects about data processing issues
- Onboard only those data processors that can ensure compliance with data protection requirements
- Implement contracts to govern how data processors store and process data
- Restore the availability and access to personal data quickly in the event of a physical or technical incident.
DATA PROCESSOR'S ROLES AND RESPONSIBILITIES
- Adhere to codes of conduct or certification mechanisms to demonstrate compliance with GDPR
- Conduct assessments, and implement appropriate safeguards before transferring personal data to a third country or international organization
- Implement measures to ensure the confidentiality, integrity, availability, and resilience of processing systems and services
- Assist the controller in ensuring compliance with GDPR requirements, and managing audits
- Ensure ongoing testing, assessment, and evaluation of the effectiveness of data security measures
- Conduct data protection audits to verify compliance with binding corporate rules
- Notify the controller of a data breach without undue delay
- Ensure approval of the controller before engaging another processor
- Conduct effective due diligence on downstream processors to ensure that they can comply with data protection requirements
- Restore the availability and access to personal data quickly in the event of a physical or technical incident.
DATA PRIVACY OFFICER'S ROLES AND RESPONSIBILITIES
- Protect the Organization's Information Technology assets and ensure their usage as per legal and regulatory requirements and adherence to the Organization's internal policies and procedures.
- Ensure that data controllers and data subjects are informed about their data protection rights, obligations and responsibilities and raise awareness about them.
- Provide advice and recommendations to senior management about the interpretation or application of the data protection rules
- Ensure that an inventory of all IT Assets is maintained. The inventory shall contain the hardware details, software details, access rights provided on the hardware and software, usage information etc.
- Manage maintenance contracts (as applicable) and related documentation for each IT assets
- Ensure that a register of processing operations is maintained and rules of processing are complied with
- Handle queries or complaints raised on Data Privacy or legal and regulatory matters by the Senior Management, the Data controller, or any other person
- Work with the Data Controller on data breaches, investigations, complaint handling, audit and any matter concerning supervisory authorities.
- Draw the Senior Management's attention to any failure or potential failure to comply with the applicable data protection rules.
---
SECTION 3: CROSS-BORDER PROCESSING OR TRANSFERS OF PERSONAL DATA
---
21. PURPOSE AND SCOPE
The Organization strives to comply with applicable laws and regulations related to Personal Data protection in Nigeria and other countries where the Organization operates.
This Policy sets forth the basic principles relating to the cross-border processing and transfers of personal data by the Organization.
This policy applies to the Organization and its directly or indirectly controlled wholly-owned operating in Nigeria or processing the personal data of data subjects who are in Nigeria, irrespective of whether such processing takes place within Nigeria or elsewhere.
21.1 REFERENCE DOCUMENTS
- Nigeria Data Protection Regulation Act 2023 (NDPA)
- European Union (EU) General Data Protection Regulation (GDPR) i.e. EU GDPR 2016/679
This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
21.2 BACKGROUND
When personal data moves across borders outside Nigeria, it may put the ability of individuals to exercise their data protection rights at increased risk, in particular, to protect themselves from unlawful use or disclosure of their data.
Supervisory authorities like NDPC may also find that they are unable to pursue complaints or conduct investigations relating to activities outside their borders.
To address these risks, the NDPA and the EU GDPR impose certain restrictions and conditions on the transfer of personal data outside Nigeria i.e. to third countries and international organizations.
These restrictions are intended to ensure that the level of protection afforded to individuals under the NDPA and GDPR is not undermined when data is moved or processed across international borders.
Infringements of provisions relating to the transfer of personal data outside Nigeria are one of the (few) circumstances that could result in administrative fines as stipulated by the NDPA.
---
22. CROSS-BORDER PROCESSING
Defines 'cross-border processing' as:
- Processing of personal data by a Controller or Processor having establishments in Nigeria; or
- Processing of personal data by a Controller or Processor having a single establishment in Nigeria, but which substantially affects or is likely to substantially affect data subjects.
The concept of 'cross-border processing' as defined in the NDPA and GDPR is relevant primarily for determining the NDPC and Lead Supervisory Authority respectively, in cases where the Controller or Processor has establishments.
In such cases, NDPC and the supervisory authority of the single establishment, or the supervisory authority of the main establishment of the Controller or Processor shall be competent to act as Lead Supervisory Authority for any cross-border processing carried out by that Controller or Processor.
---
23. TRANSFERS OF PERSONAL DATA
Transfers of personal data of EU data subjects can either be:
- As stipulated by the NDPR
- Transfers outside the European Union (EU) as the case may be.
23.1 TRANSFERS WITHIN NIGERIA, AFRICA OR OTHER JURISDICTIONS
The NDPA, African Charter or guidelines on the exchange of personal data and GDPR lays down rules relating to the protection of individuals in relation to the processing of personal data, and rules relating to the free movement of personal data.
NDPA specifically states that the free movement of personal data within Nigeria shall not be restricted or prohibited, despite the NDPA's stated objective to protect personal data.
In other words, personal data is permitted to move freely and without restrictions within the regions where there is an agreement signed by leading supervisory authorities.
23.2 TRANSFERS OUTSIDE NIGERIA
Transfers outside Nigeria typically refer to transfers of personal data for processing to third countries or international organizations. Under the NDPA and GDPR, 'processing' includes disclosure by transmission, storage, retrieval, erasure or destruction (among several others).
The NDPA and GDPR limit the Organization's ability to transfer personal data outside Nigeria based only on its assessment of the adequacy of protection provided to the personal data.
Any transfer of personal data to a third country or an international organization outside Nigeria can take place only if all the conditions laid down for the same are complied with by the Controller and Processor, including for any onward transfers of personal data to another third country or another international organization.
23.3 TRANSFERS BASED ON AN ADEQUACY DECISION
NDPC may decide that a third country, a territory of one or more specific sectors in the third country, or an international organization offers an adequate level of data protection.
In such cases, transfers of personal data to that third country or international organization may take place without the need to obtain any further authorization.
Exceptions to Transfer Restrictions
The NDPA allows for exceptions where personal data can be transferred without meeting the adequacy requirement, such as:
- With the explicit consent of the data subject
- For the performance of a contract
- For public interest reasons
- To protect the vital interests of the data subject
23.4 TRANSFERS SUBJECT TO APPROPRIATE SAFEGUARDS
A Controller or Processor may transfer personal data to a third country or an international organization only if it has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available.
If appropriate safeguards are in place, the transfer may take place without requiring any specific authorization from a supervisory authority.
Appropriate safeguards may be provided (among others) by:
- Standard Data Protection Clauses (in the form of template transfer clauses) adopted by the Organization, or adopted by a Supervisory Authority and approved by the Organization
- Binding Corporate Rules (BCR), which are essentially personal data protection policies uniformly adhered to between organizations within a corporate group (e.g. multinational)
- Compliance with an approved Code of Conduct
- Certification under an approved Certification Mechanism
- Contractual clauses between the Controller or Processor and the Controller, Processor or the Recipient of the personal data in the third country or international organization. However, this is subject to authorization by the competent Supervisory Authority.
23.5 EXCEPTIONS TO THE PROHIBITION ON TRANSFERS OUTSIDE NIGERIA
The NDPA and GDPR do provide for some exceptions (derogations) from the general prohibition on transfers of personal data outside Nigeria, for certain specific situations.
In the absence of an adequacy decision, or of appropriate safeguards (including binding corporate rules), a transfer of personal data outside Nigeria, can take place only on one of the following conditions (among others).
The transfer or set of transfers is:
- Explicitly consented to by the individual, after being informed of the possible risks due to the absence of an adequacy decision and appropriate safeguards
- Necessary for the performance of a contract between the individual and the Controller or for pre-contractual steps taken at the individual's request
- Necessary for the performance of a contract made in the interests of the individual between the Controller and another person.
There are a few other situations, however, these would be less relevant to the Organization's usual operational needs.
23.6 INFREQUENT / LIMITED TRANSFERS
Even in cases that do not fall in the above 3 categories, the NDPA and GDPR provide that personal data may still be transferred to Nigeria and outside the EU, provided the transfer:
- Involves data related only to a limited number of individuals
- Is not repetitive (similar transfers are not made regularly)
- Is necessary for compelling legitimate interests of the Organization (provided such interests are not overridden by the interests of the individual); and
- Is made subject to suitable safeguards put in place by the Organization to protect the personal data (after an assessment of all the circumstances surrounding the transfer). The Controller or Processor shall document the assessment as well as the suitable safeguards in its Record of Processing Activities.
In such cases, the Organization would also be obliged to:
- Inform the individual of the transfer, and the compelling legitimate interests necessitating the transfer, and
- Inform the relevant supervisory authority of the transfer
- Specifically consider the nature of the personal data, the purpose and duration of the proposed processing operations, and the situation in the country of origin, the third country and the country of final destination, and provide suitable safeguards to protect the personal data.
Such transfers should be undertaken only in residual cases where none of the other grounds for transfer are applicable.
---
24. OTHER PROVISIONS RELATING TO TRANSFERS OF PERSONAL DATA
24.1 RIGHT TO INFORMATION & ACCESS
Data subjects must be kept informed in cases where the Organization intends to transfer their data outside Nigeria, including:
- Whether the data is being transferred to a "safe country" i.e. whether or not there is an adequacy decision by the Organization
- In case of transfers subject to appropriate safeguards or binding corporate rules or in frequent/limited transfers, reference to the appropriate or suitable safeguards and how to obtain a copy of them or where they have been made available.
- A Processor must process the personal data only on documented instructions from the Controller, including about transfers of personal data outside Nigeria. If the Processor is required to transfer personal data outside Nigeria to which it is subject, it must inform the Controller of that legal requirement before processing.
- The Controller / Controller's representative and the Processor / Processor's representative must maintain a record of processing activities under its responsibility/carried out on behalf of a Controller, including transfers of personal data outside Nigeria.
- The record should identify the third country or international organization to which the personal data is transferred and, in the case of infrequent/limited transfers, the documentation of suitable safeguards.
24.2 FUTURE DEVELOPMENTS
Associations and other bodies representing categories of Controllers or Processors may devise Codes of Conduct for the proper application of the NDPA and GDPR including the transfer of personal data outside Nigeria.
Such Codes of Conduct are likely to take into account the specific features of processing sectors and the specific needs of micro, small and medium-sized enterprises.
Similarly, data protection certification mechanisms, seals or marks may be established to demonstrate the existence of appropriate safeguards provided by Controllers or Processors.
The Organization may take into account such guidance as and when it becomes available.
---
SECTION 4: DATA RETENTION POLICY
---
25. PURPOSE AND SCOPE
25.1 PURPOSE
The objective of this Data Retention Policy is to guide the retention of various types of data the Organization holds. This document strives to balance the need to store information with legal obligations to destroy the data safely when it is no longer required.
Data retention policy is an established protocol for retaining data/information in electronic format (soft copy) for operational, and regulatory compliance. The purpose of this policy is to ensure all data managed by the Organization's IT team are retained and disposed of in compliance with legal, compliance and business regulations.
NDPA 2023 and GDPR Requirements
The NDPA 2023 and GDPR provides that to comply with the 'storage limitation' and 'data minimization' principle, data controllers must ensure that 'the period for which the personal data are stored is limited to a strict minimum.'
"Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed"
25.2 SCOPE
- This policy covers all data of the Organization's services and operational data. The stakeholder-provided data would be governed by the contractual norms agreed upon with the customer.
- It applies throughout the lifecycle of the information, from creation through storage and utilization to disposal. Appropriate protection is required for all forms of information to ensure business continuity and to avoid any breaches of the law and statutory, regulatory or contractual obligations.
- The policy applies to all staff of the Organization and other users associated with the Organization.
---
26. POLICY STANDARDS
26.1 RETENTION
- The policy is outlined to aid departments in understanding their obligations towards internal and external requirements in retaining data including electronic documents.
- The Organization shall archive, retain, and dispose of data either owned or managed by the IT team.
- Archived data shall be retained as per applicable legal and compliance obligations and the Organization policies and procedures. Proper management of archived data is ensured to enable easy retrieval.
- The legal and regulatory records of the Organization shall be retained with appropriate protection as per the requirements of the law.
- Any information containing the customer information is considered Confidential / Sensitive Data. Sensitive or Personal data shall only be allowed to be stored in protected containers like centralized File Services, SFTP & application Database.
Customer Data & Records
- Customer data and records shall be retained as per stakeholders' requirements outlined in the signed contract (MSA and/or SOW) or as per any specific requests from the customer.
- In case of requests from the customer, data shall be retained till such time the customer receives them and acknowledges the receipt of the same.
Personal Data
Generally, personal data should only be retained for as long as necessary. The retention periods can differ based on the type of data processed, the purpose of processing or other factors. Issues to consider include:
- Whether any legal requirements apply for the retention of any particular data.
- In the absence of any legal requirements, personal data may only be retained as long as necessary for processing. This means data is to be deleted, e.g., when:
- The data subject has withdrawn consent to processing
- A contract has been performed or cannot be performed anymore; or
- The data is no longer up to date.
How to Determine the Relevant Data Retention Period?
In compliance with the "risk-based approach" which is the basis of the accountability principle, the Organization shall determine the applicable data retention periods, also indicating in the accountability program the criteria that were followed in such determination.
This is because, in a potential privacy audit, the Organization shall be able to justify the data retention periods that have been adopted.
The Organization Data
- Internal Company data shall be retained and protected if they are needed for the collection of evidence or statutory and regulatory requirements and functioning of businesses.
- Such data shall be treated for disposal or retention under approval from the process owner and top management of the Organization.
- Any changes to the retention period should be enforced after the approval of the following personnel:
- Data owner
- Chairman
26.2 RETENTION PERIODS
The retention period for different types of data is attached as Annexure A.
All retention periods are approved by the CEO / Data Privacy Officer, and reviewed periodically.
26.3 EXPIRATION OF THE RETENTION PERIOD
After the expiration of the applicable retention period, personal data does not necessarily have to be completely erased. It is sufficient to anonymize the data. This may, for example, be achieved using:
- Erasure of the unique identifiers which allow the allocation of a data set to a unique person
- Erasure of single pieces of information that identify the data subject (whether alone or in combination with other pieces of information)
- Separation of personal data from non-identifying information (e.g. an order number from the customer's name and address); or
- Aggregation of personal data in a way that no allocation to any individual is possible.
- The above applies only to Personal Data (PII data included) and does not include other confidential or strictly confidential data.
26.4 DESTRUCTION AND DATA DISPOSAL
- Proper destruction of data is essential to creating a credible data management program. Data containing restricted/sensitive information shall only be destroyed in the ordinary course of business.
- The IT department is responsible for deleting or destroying electronic records. This includes ensuring that the data or information is permanently removed from the Organization system and destroyed.
- Destruction shall commence as soon as reasonably possible once a document or data has expired. Managers are responsible for executing their document and data destruction plans on an annual basis.
- No data that are currently involved in, or have open investigations, audits, or litigation pending shall be destroyed or otherwise discarded.
- When retention requirements have been met, data shall be either immediately destroyed or placed in secure locations in a controlled manner.
- The authorized methods of destruction for non-electronic data are shredding.
26.5 OBLIGATIONS TO DATA SUBJECTS UNDER NDPA 2023 AND GDPR
NDPA 2023 and GDPR require to expressly specify "the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period" in the privacy information notice.
Therefore, data controllers will have to make explicit such periods towards their customers, employees and vendors.
In the context of data retention, data subjects must be informed of:
- The retention period
- If no fixed retention period can be provided – the criteria used to determine that period
- The new retention period if the purpose of processing has changed after personal data has been obtained.
26.6 DESTRUCTION LOG
A destruction log shall be maintained to identify the destroyed records. The destruction log shall capture the following information:
- The date of destruction
- The name of the individual responsible for destroying the records
- The name of the person who witnessed the destruction
- The method used to destroy the records.
Destruction / Erasure by NDPA 2023 and GDPR
Personal data subject to NDPA 2023 and GDPR may be required to be erased or destroyed from internal systems. Such erasure or deletion shall be by the respective policies.
---
27. ANNEXURE A - APPROVED RETENTION PERIODS
27.1 NON-PERSONAL DATA
| TYPE OF DATA | RETENTION PERIOD |
|--------------|------------------|
| Client contracts and agreements | 3 years from the expiry of the contract |
| Client data in applications such as financial data | As per client contracts |
| Employee data | As per statutory limits |
| Accounting and finance-related data | As per statutory limits |
27.2 PERSONAL DATA
| TYPE OF DATA | RETENTION PERIOD |
|---------------------------------------------|------------------------------------|
| Respondents personal data | As per statutory requirements |
| Raw responses for surveys | As per statutory requirements |
| Tabulated survey results | As per statutory requirements |
| BD / Marketing Database | As per statutory requirements |
| Finance data, invoicing and client contracts | As per statutory requirements |
---
SECTION 5: DATA CLASSIFICATION POLICY
---
28. PURPOSE
To provide the basis for protecting the confidentiality of data at the Organization by establishing a data classification system. Further policies and standards will specify handling requirements for data based on their classification.
---
29. SCOPE
This standard applies to all data or information that is created, collected, stored or processed by the Organization, in electronic or non-electronic formats.
---
30. POLICY
All data at the Organization shall be assigned one of the following classifications. Collections of diverse information should be classified as to the most secure classification level of an individual information component with the aggregated information.
30.1 RESTRICTED
Data in any format collected, developed, maintained or managed by or on behalf of the Organization, or within the scope of Organization activities that are subject to specific protections under federal or state law or regulations or applicable contracts.
Examples include, but are not limited to: person's name, contact details, Email ID, driving license details, personal information etc.
30.2 SENSITIVE
Data whose loss or unauthorized disclosure would impair the functions of the Organization, cause significant financial or reputational loss or lead to likely legal liability.
Examples include but are not limited to: customer data, market research data that contain personal information, financial information, strategy documents and information used to secure the Organization's physical or information environment.
30.3 OPEN
Data that does not fall into any of the other information classifications. This data may be made generally available without specific approval of the information owner/designee or delegate.
Examples include, but are not limited to: advertisements, job opening announcements, regulations and policies, website content and press releases.
---
SECTION 6: COOKIES POLICY
---
31. PURPOSE
This Cookies Policy explains how the Organization use cookies and similar technologies. Whenever you use the Organization's websites, apps, products, advertising services or other technologies ("Services"), or visit a website, app or service which uses our Services, information may be collected through the use of cookies and similar technologies.
The Organization is committed to protecting the personal information collected when you use our Services.
---
32. DESCRIPTION
This Cookies Policy provides the following information for users:
- 32.1 What are cookies and similar technologies?
- 32.2 What are the different types of cookies?
- 32.3 What are cookies used for?
- 32.4 How does the Organization use cookies?
- 32.5 How can users manage or opt out of cookies?
- 32.6 Contact details and where to find further information
32.1 WHAT ARE COOKIES AND SIMILAR TECHNOLOGIES?
A cookie is a small data file, often including a unique identifier, which is sent to your computer, mobile phone or tablet device (referred to in this policy as a "device") by the web server so the website can remember some information about your browsing activity on the website.
The cookie will collect information relating to your use of our Services, information about your device, e.g. the device's IP address and browser type, broad location and, if you arrived at our site via a link from a third-party site, the URL of the linking page.
If you have registered for any Services or you are a subscriber, it may also collect your name and email address, which may be transferred to data processors for registered user or subscriber verification purposes.
Similar technologies known as "local storage" may also be used as an alternative to cookies.
This is a technology which is similar to cookies and performs very similar functions, such as caching data to enable us to improve our Services, allowing you to register for our Services, tracking activity to enable us and our advertisers to advertise to you under this policy and counting the number of people who view adverts on our Services. Where we refer to "cookies" in this policy, we mean cookies or similar technologies.
Cookies record information about your online preferences and help us to tailor our Services to your interests. Information provided by cookies can help us to analyze your use of our Services and help us to provide you with a better user experience.
In addition to cookies, our Services may also use web beacons, clear GIFs, page tags and web bugs. These are all types of technology implemented by websites or third-party ad servers to allow them to analyze your website use and help improve your experience of the Services.
32.2 WHAT ARE THE DIFFERENT TYPES OF COOKIES?
- Session cookies are only stored for the duration of your visit to a website and are deleted from your device when you close your browser.
- Persistent cookies are saved on your device for a fixed period after the browser has closed and are used where we (or a third party) need to identify you for a later browsing session. The fixed period is typically 30-90 days for targeting or behavioural advertising cookies and may be up to 26 months for analytical performance and measurement cookies.
- First-party cookies are set by the website you are visiting.
- Third-party cookies are cookies used within our Services which are set by other organizations. These include cookies from external analytics services which help us to understand the use of our sites, or by advertisers so that they can track the effectiveness of their advertisements.
32.3 WHAT ARE COOKIES USED FOR?
1. Functional Cookies
Functional cookies are essential to the running of our Services. They are used to remember your preferences on our websites and to provide enhanced, more personal features.
The information collected by these cookies is usually anonymized, so we cannot identify you personally. Functional cookies do not track your internet usage or gather information which could be used for selling advertising, but they do help with serving advertising. These cookies are usually session cookies which will expire when you close your browsing session.
2. Essential or 'Strictly Necessary' Cookies
These cookies are essential for the running of our Services. Without these cookies, parts of our websites would not function. These cookies do not track where you have been on the internet, do not remember preferences beyond your current visit and do not gather information about you that could be used for marketing purposes.
These cookies are usually session cookies which will expire when you close your browsing session.
3. Analytical Performance and Measurement Cookies
Analytical performance cookies are used to monitor the performance of our Services. Web analytics services may be designed and operated by third parties.
The information provided by these cookies allows us to analyze patterns of user behavior and we use that information to enhance user experience or identify areas of the website which may require maintenance.
The information is anonymous (i.e. it cannot be used to identify you and does not contain personal information such as your name and email address) and it is only used for statistical purposes.
4. Targeting or 'Behavioral Advertising' Cookies
These cookies, which may be placed on your device by us or our trusted third-party service providers, remember that you have visited a website and use that information to provide you with content or advertising which is tailored to your interests.
This is often called online behavioural advertising (OBA) and is done by grouping shared interests based on web browsing history. Your web browsing history can be used to infer things about you (e.g. your age, gender etc.), and this information may also be used to make advertising on websites more relevant to you.
Without these cookies, the content and advertisements you encounter may be less relevant to you and your interests.
32.4 HOW DOES THE ORGANIZATION USE COOKIES?
The Organization, together with our trusted partners, uses cookies in combination with other information we maintain for several purposes, including the following:
1. Essential and Functional Cookies
We use these cookies to enable certain online functionality including:
- Accessing your information so we can provide you with customized content and experiences, or remember the last page you visited on the Services
- Identifying returning users, registrants and subscribers and allowing them to be presented with a personalized version of the site
- Eliminating the need for returning users to re-enter their login details
- Commenting on our sites
- Operating a shopping trolley on various of our Services
- Maintaining your settings and authenticating your identity while you are logged in to the Services
- To support security measures and to assist in identifying possible fraudulent or abusive activities
2. Analytical Performance and Measurement Cookies
We use these cookies to measure users' behaviour to better develop our Services. By using analytics services provided by third parties such as Google Analytics, we can analyze and measure which pages are viewed, how long for and which links are followed, and we can use this information to provide more content which is of interest.
We also use this analysis to report on our performance and to sell advertising.
3. Targeting and Behavioral Advertising Cookies
We use these cookies to:
- Manage online advertising and revenue share arrangements. Our approved advertising partners, primarily Google (Doubleclick, AdX, AdSense) use cookies together with web beacons to provide advertising to you and to enable us to manage our relationship with those advertisers by, for example, tracking how many unique users have seen a particular advertisement or followed a link in an advertisement
- Manage e-commerce activities via affiliate links and associated revenue share arrangements
- Measure general user behaviour across our sites and third-party sites to build a profile based on users browsing patterns so that we and third parties can target advertising to users that will be more relevant to users' interests
- This means that if, for example, users visit a page with a review about a particular camera then the cookie will collect this information and we may target adverts for that camera to those users, if users visit third-party sites that are part of the same advertising network, those third parties may target adverts for that camera to those users
- Create profiles that trusted third parties can buy to allow them to better target their advertising with more relevant content
- Keep track of the number of users who saw a particular ad or visited a particular page of one of our websites, analyze the effectiveness of our ads, and provide auditing, research and reporting for advertisers
The trusted partners we work with regarding targeting and behavioural advertising include third-party ad servers, ad agencies, technology vendors, providers of advertisement content, research firms and other companies that help us provide more effective advertising and offer you a more personalized experience.
As your browser, app or device communicates with the third party's servers, these companies can collect information, including your IP address, page header information, and browser or device information, just as if you had requested their web page or used their apps directly.
We cannot control nor do we have access to any cookies placed on your computer by third-party advertisers and sponsors.
4. Other Third Party Cookies
You may notice on some pages of our websites that cookies have been set that are not related to the Organization. When you visit a page with content embedded from, for example, YouTube or Facebook, these third-party service providers may set their cookies on your device.
The Organization does not control the use of these third-party cookies and cannot access them due to the way that cookies work, as cookies can only be accessed by the party who originally set them. Please check the third-party websites for more information about these cookies.
32.5 HOW CAN USERS MANAGE OR OPT OUT OF COOKIES?
Some people find the idea of a website storing information on their device a little intrusive, in particularly when the information is stored and used by a third party. If you would prefer to opt out of cookies, it is possible to control cookies by following the steps below, however, you should be aware that you might lose some features and functionality of the website if you do so.
Cookies, including those which have already been set, can be deleted from your hard drive. You can also change the preferences/settings in your web browser to control cookies. Some internet browsers have a 'Do Not Track' or 'DNT' setting; this sends a signal to websites asking them not to track your browsing.
In some cases, you can choose to accept cookies from the primary site, but block them from third parties. In others, you can block cookies from specific advertisers, or clear out all cookies. Deleting or blocking cookies may reduce the functionality of the site.
To learn more about how to reject cookies, go to the help menu within your internet browser. If you experience any problems having deleted cookies, you should contact the supplier of your web browser.
Please be aware that these are third-party websites and the Organization does not accept any liability for the instructions given on these sites.
Opting out of Analytical Performance Cookies
If you would like to opt out of Analytics cookies, please do so by clicking on the relevant links in the Third Party Cookies table.
Opting out of Targeting and Behavioral Advertising Cookies
If you would like to disable third-party cookies generated by advertisers or providers of targeted advertising services, you can turn them off by going to the third party's website.
32.6 FURTHER INFORMATION AND CONTACT DETAILS
Please contact the Organization's Data Protection Officer if you would like more information on the cookies that we use and their purposes:
By Email: Write the contact email address
By Telephone: Write contact number
---
I have read this document
---
End of Document
OLANUSI
Innovation in Motion, Value in Action.
© 2026. All rights reserved.