INTRODUCTION
1. Compens8 Solutions Limited, by virtue of its operations, needs to gather and process certain information about clients with whom it has a relationship for various purposes. Considering the emerging data regulatory environment, which requires higher transparency and accountability in how companies manage and use clients' data, the Company must ensure that its business operations align with global best practices on protection of rights and privacy of individuals.
1.2 PURPOSE
1.2.1 The purpose of this Policy is as follows:
a. Protect the Company from the risks of a data breach
b. Disclose how Compens8 stores and processes clients' data
c. Protect the rights of staff, members and stakeholders
d. Comply with the Regulation and follow international best practices.
1.2.2 The objective of this Policy is to set out how Compens8 shall collect, handle and store personal data of its clients and vendors to meet the data protection and privacy standards.
2. POLICY STATEMENT
This Policy reflects Compens8's commitment to uphold the protection of rights and privacy of its customers and vendors, in accordance with the Nigeria Data Protection Regulation, 2019 (the Regulation).
3. APPLICABILITY
Compens8 will be the data controller under the terms of the Regulation. This means it is ultimately responsible for controlling the use and processing of data collected from clients. Compens8 shall appoint a Data Protection Officer (DPO) for the purpose of ensuring adherence to this Regulation, relevant data privacy statements and data protection directives of the Company.
4. SCOPE
This Policy applies to all staff and Management of Compens8. As a matter of best practice, the Policy also applies to clients, contractors, suppliers and other individuals working with Compens8 and its stakeholders who have access to personal information. It is also applicable to all data that Compens8 holds relating to identifiable individuals, even if that information technically falls outside of the Regulation. This includes, but is not limited to:
• Names of individuals
• Email addresses
• Contact phone numbers
• Compensation
• Any other information relating to the individuals.
5. NIGERIA DATA PROTECTION REGULATION
The Regulation, which came into force on January 25, 2019, regulates the gathering, storing and processing of personal data (regardless of whether data is stored electronically, on paper or on other materials), and protects the rights and privacy of all living individuals (including children). The Regulation applies to natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent.
6. GOVERNING PRINCIPLES OF DATA PROTECTION
The Regulation mandates every data controller to process any personal data in accordance with the governing principles of data protection. In order to comply with the obligations, Compens8 undertakes to adhere to the following principles:
6.1. Data Processing
In complying with the Regulation on data processing, Compens8 shall:
a. Collect and process personal data in accordance with specific, legitimate, and lawful purpose consented to by the data subject;
b. Store personal data about an individual that is sufficient for the purpose it is holding it for in relation to that individual;
c. Store individuals’ personal data only for the period within which it is reasonably needed;
d. Secure personal data against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements;
e. Exercise duty of care of personal data in its possession;
f. Be accountable for its acts and omissions in respect of data processing and in accordance with the Regulation.
6.2 Lawful Processing
The Company shall process personal data of individuals if at least one (1) of the following applies:
a. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c. Processing is necessary for compliance with a legal obligation to which Compens8 is subject;
d. Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in Compens8.
6.3. Procuring Consent
To fulfil the requirement of the Regulation, personal data will be processed in accordance with the rights of the data subject. The Company's business operations will be guided by the following statements:
a. Compens8 shall not obtain personal data unless the specific purpose of collection is made known to the data subject;
b. The Company shall ensure that consent of the data subject has been obtained without fraud, coercion or undue influence;
c. The Company shall ensure that the data subject has consented to processing of his or her personal data and has the legal capacity to give consent, where processing is based on consent;
d. The Company shall request consent in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language, where the data subject's consent is given in the context of a written declaration.
6.4. Due Diligence and Prohibition of Improper Motives
To align with these requirements, the Company shall:
a. Not seek consent that may engender direct or indirect propagation of atrocities, hate, child rights violation, criminal acts and anti-social conducts;
b. Take reasonable measures to ensure that a party to any data processing contract does not have a record of violating the Regulation and that such party is accountable to NITDA or a reputable regulatory authority for data protection within or outside Nigeria.
6.5. Privacy Policy
The Company shall display a simple and conspicuous privacy policy that the class of data subjects being targeted can understand, irrespective of the medium through which such personal data are being collected or processed. Compens8's privacy policy shall contain the following:
a. Constitution of data subjects' consent;
b. Description of collectable personal information;
c. Purpose of collection of personal data;
d. Technical methods used to collect and store personal information, cookies, etc.
e. Access, if any, of third parties to personal data and purpose of access;
f. A highlight of the principles governing data processing;
g. Available remedies in the event of violation of the privacy policy.
6.6. Data Security
Compens8 recognizes the importance of protecting data from unauthorized access and data corruption and the Company shall:
a. Develop security measures including but not limited to protecting systems from hackers;
b. Set up firewalls and protect email systems;
c. Store data securely with access to specific authorized individuals;
d. Employ data encryption technologies;
e. Develop organizational policy for handling personal data and other sensitive or confidential data;
f. Continuously build capacity for all staff
6.7. Objections by the Data Subject
The Company acknowledges that individuals have the right to object to the processing of their data. As such, the Company shall only process personal data in accordance with data subjects' rights as listed below:
a. Option to object to the processing of personal data relating to the data subject which Compens8 intends to process for the purposes of marketing;
b. Option to be expressly and manifestly offered the mechanism for objection to any form of data processing free of charge.
6.8. Transfer to a Foreign Country
The Company shall comply with the Regulation and any transfer of personal data which is undergoing processing or is intended for processing after transfer to a foreign country or an international organisation shall take place subject to the provisions of the Regulation.
6.9. Exceptions in Respect of Transfer to a Foreign Country
In the absence of any decision made by NITDA or Honourable Attorney General of the Federation (HAGF) on the transfer of personal data to a foreign country, Compens8 shall initiate the transfer or set of transfers of personal data to such foreign country or an international organisation only when:
a. The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards and that there are no alternatives;
b. The transfer is necessary for the performance of a contract between the data subject and Compens8, or the implementation of pre-contractual measures taken at the data subject's request;
c. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between Compens8 and another natural or legal person;
d. The transfer is necessary for important reasons of public interest;
e. The transfer is necessary for the establishment, exercise or defence of legal claims.
Compens8, in compliance with the Regulation, shall explicitly communicate through clear warnings the specific principle(s) of data protection that are likely to be violated in the event of a transfer to a third country.
6.10. Rights of Data Subjects
To comply with this section under the Regulation, Compens8 shall:
a. Take appropriate measures to provide any information relating to processing, to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child;
b. Provide such information in writing, or by other means, including, where appropriate, by electronic means;
c. Provide any information relating to processing of data obtained from the data subject orally, at the request of the data subject, provided that the identity of the data subject is proven by other means;
d. Inform the data subject without delay and at least within one (1) month of receipt of a request relating to the processing of his/her data, of the reasons for not providing the information and the possibility of lodging a complaint with the supervisory authority;
e. Write a letter to the data subject stating "refusal act" on the request and copy NITDA on every occasion through a dedicated channel which shall be provided for such purpose, provided that such request is excessive;
f. Request the provision of additional information necessary to confirm the identity of the data subject where the Company has reasonable doubts concerning the identity of the requestor;
g. Provide the information in combination with standardized icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing and machine-readable format when presented electronically;
h. Provide the data subject with all of the following information, prior to collecting personal data:
i. The identity and the contact details of Compens8
ii. The contact details of the Data Protection Officer
iii. The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
iv. The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
v. The existence of the right to request from Compens8, access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability
i. Rectify, without undue delay, inaccurate personal data concerning data subjects per their requests
j. Acknowledge the right of data subjects to have their incomplete data completed, including by means of providing a supplementary statement
k. Delete personal data without delay, upon request of the data subject
l. Delete personal data where one of the following grounds applies:
i. The personal data are no longer necessary in relation to the purposes for which they were collected or processed
ii. The data subject withdraws consent on which the processing is based
iii. The data subject objects to the processing and there are no overriding legitimate grounds for the processing
iv. The personal data have been unlawfully processed
v. The personal data have to be erased for compliance with a legal obligation in Nigeria
m. Take all reasonable steps to delete all the personal data made public and inform other companies processing the personal data of the data subject request
n. Acknowledge data subjects' rights to obtain restriction of processing their personal data where one of the following applies:
i. The accuracy of the personal data is contested by the data subject for a period enabling Compens8 to verify the accuracy of the personal data
ii. The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
iii. Compens8 no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims
o. Process personal data with the data subject's consent, where processing has been restricted
p. Communicate any rectification or erasure of personal data or restriction to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort
7. ROLES AND RESPONSIBILITIES
In compliance with the Regulation, the Company has identified key stakeholders and their responsibilities to drive the operationalisation of the Policy and implementation of necessary data protection controls.
7.1. Management Committee
• Ensure data protection objectives are established and are aligned with the strategic direction of the Company
• Ensure that the resources needed for the protection of data are available
• Communicate the importance of effective data protection in the Company and of conforming to its requirements
• Support other relevant Management roles to demonstrate their leadership as it applies to their areas of responsibility
7.2. Data Protection Officer
• Keep Executive Management updated about data protection responsibilities, risks and issues
• Review all data protection procedures and related policies, in line with an agreed schedule
• Arrange data protection training and advice for the people covered by the Policy
• Handle data protection questions from staff and anyone else covered by the Policy
• Deal with requests from individuals to obtain the data Compens8 holds about them
• Review and approve any contracts or agreements with third parties that may handle the Company's sensitive data
7.3. Head, Information Technology
• Ensure all systems, services and equipment used for storing data meet acceptable security standards
• Evaluate any third-party services Compens8 is considering using to store or process data such as private cloud computing services
• Perform regular checks and vulnerability scans to ensure adequate security of hardware and software used in data processing
8. NON-COMPLIANCE
Non-compliance with the provisions of the Policy constitutes serious misconduct and will be subject to appropriate disciplinary measures including, but not limited to, termination of employment of the affected staff in line with Compens8's disciplinary procedures.
Breach of the Policy by agents, contractors, intermediaries, suppliers, vendors, consultants, or other business partners may lead to the termination of such business relationships.
9. REPORTING NON-COMPLIANCE
9.1. In the event that any staff becomes aware of a breach of this Policy, he/she must report such breach to the Data Protection Officer by sending an email to dpo@compens8ng.com
9.2. Any person who reports a breach of this Policy shall be protected from victimization, if the report was made in good faith.
9.3. All breaches of this Policy will be investigated promptly.