Our Data Protection policy indicates that we are dedicated to and responsible for processing the information of our customers, stakeholders, employees and other interested parties with absolute caution and confidentiality. This policy describes how we collect, store, handle and secure our data fairly, transparently, and with confidentiality. This policy ensures that Chams follows good practices to protect the data gathered from its customers, employees, and stakeholders. The rules outlined in this document apply regardless of whether the data is stored electronically, on paper or on any other storage device.
The goal of the data protection policy is to depict the legal data protection aspects in one summarizing document. This is not only to ensure compliance with the Nigeria Data Protection Regulation 2019 but also to provide proof of compliance. This data protection policy ensures Chams:
I. Complies with data protection law and follow good practice
ii. Protects the right of staff, customers and partners
iii. Is open about how it stores and processes individuals’ data
iv. Protects itself from the risks of data breach
v. Safeguard the rights of natural persons to data privacy;
vi. Foster safe conduct of transactions involving the exchange of personal data;
vii. Prevent manipulation of personal data and
viii. Remain competitive in international trade; through the safeguards afforded by a just and equitable legal regulatory framework on data protection and which regulatory framework is in tune with global best practices.
a) “Act” means the National Information Technology Development Agency Act of 2007;
b) “Computer” means Information Technology systems and devices, whether networked or not;
c) ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
d) “Data” means characters, symbols and binary on which operations are performed by a computer. Which may be stored or transmitted in the form of electronic signals is stored in any format or any device;
e) “Database” means a collection of data organized in a manner that allows access, retrieval, deletion and procession of that data; it includes but not limited to structured, unstructured, cached and file system type databases;
f) “Data Administrator “means a persons or organization that processes data
g) “Data Controller” means a person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed;
h) “Database Management System” means software that allows a computer to create a database, add, change or delete data in the database; allows data in the database to be processed, sorted or retrieved;
i) “Data Portability” means the ability for data to be transferred easily from one IT system or computer to another through a safe and secure means in a standard format;
j) Data Protection Compliance Officer (DPCO) means any Person or entity duly authorized by Chams for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Policy or any foreign Data Protection law or Policy having effect in Nigeria;
k) “Data Subject means an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
l) “Data Subject Access Request” means the mechanism for an individual to request a copy of their data under a formal process and payment of a fee;
m) “filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
n) “Foreign Country” means other sovereign states, autonomous or semi-autonomous territories within the international community;
o) “Policy” means this Data Protection Policy and its subsequent amendments and where circumstance requires it shall also mean any other Policys on the processing of information relating to identifiable individual’s Personal Data, including the obtaining, holding, use or disclosure of such information to protect such information from inappropriate access, use, or disclosure
p) “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others;
q) “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
r) “Personal Data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
s) “Recipient” means a natural or legal person, public authority who accepts data;
t) “Relevant Authorities” means the National Information Technology Development Agency (NITDA) or any other statutory body or establishment having government mandate to deal solely or partly with matters relating to personal data;
u) “Sensitive Personal Data” means Data relating to religious or other beliefs, sexual tendencies, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information;
v) “Third Party” means any natural or legal person, public authority, establishment or any other body other than the Data Subject, the Data Controller, the Data Administrator and the persons who are engaged by the Data Controller or the Data Administrator to process personal data.
Processing shall be lawful if at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the Controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person and
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of the official public mandate vested in the controller.
i. No data shall be obtained except the specific purpose of collection is made known to the Data Subject;
ii. Data Controller is under obligation to ensure that consent of a Data Subject has been obtained without fraud, coercion or undue influence; accordingly:
a) where processing is based on consent, the Controller shall be able to demonstrate that the Data Subject has consented to processing of his or her personal data and the legal capacity to give consent;
b) if the Data Subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding on the data subject;
c) prior to giving consent, the Data Subject shall be informed of his right and the ease to withdraw his consent at any time. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
d) when assessing whether consent is freely given, utmost account shall be taken of whether, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary (or excessive) for the performance of that contract and
e) where data may be transferred to a third party for any reason whatsoever.
a)what constitutes the Data Subject’s consent;
b) description of collectable personal information;
c) purpose of collection of personal data;
d) technical methods used to collect and store personal information, cookies, JWT, web tokens etc.;
e) access (if any) of third parties to personal data and purpose of access;
f) a highlight of the principles stated in section 5;
h) the time frame for remedy and
i) any limitation clause, provided that no limitation clause shall avail any Data Controller who acts in breach of the principles set out in Section 6.
Anyone involved in data processing or the control of data shall develop security measures to protect data; such measures include but not limited to protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling personal data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff.
Third-Party Data Processing Contracts
Data processing by a third party shall be governed by a written contract between the third party and the Data Controller. Accordingly, any person engaging a third party to process the data obtained from Data Subjects shall ensure adherence to this Regulation.
Objections by the Data Subjects
The right of a Data Subject to object to the processing of his data shall be safeguarded at all times. Accordingly, a Data Subject shall have the option to:
a) object to the processing of personal data relating to him which the Data Controller intend to process for the purposes of marketing;
b) be expressly and manifestly offered the mechanism for objection to any form of data processing free of charge.
Transfer to Foreign Country
Any transfer of Personal Data which is undergoing processing or is intended for processing after transfer to a foreign country or to an international organisation shall take place subject to the other provisions of the Nigeria Data Protection Regulation (NDPR) and the supervision of the Honourable Attorney General of the Federation (HAGF).
Rights of the Data Subject
(1) The Controller shall take appropriate measures to provide any information relating to processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and for any information relating to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the Data Subject, the information may be provided orally, provided that the identity of the Data Subject is proven by other means.
(2) If the Controller does not act on the request of the Data Subject, the Controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority.
(3) Except as otherwise provided by any public policy or Regulation, the information provided to the Data Subject and any communication and any actions taken shall be provided free of charge. Where requests from a Data Subject are manifestly unfounded or excessive, in particular, because of their repetitive character, the controller may either:
a) Charge a reasonable fee considering the administrative costs of providing the information or communication or taking the action requested; or,
b) Write a letter to the Data Subject stating refusal act on the request and copy The Agency on every such occasion through a dedicated channel which shall be provided for such purpose.
(4) The Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
(5) Where the Controller has reasonable doubts concerning the identity of the natural person making the request for information, the Controller may request the provision of additional information necessary to confirm the identity of the Data Subject.
(6) The information to be provided to Data Subject may be provided in combination with standardized icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically, they shall be machine-readable.
(7) Prior to collecting Personal Data from a Data Subject, the Controller shall provide the Data Subject with all the following information:
a) the identity and the contact details of the Controller;
b) the contact details of the Data Protection Officer;
c) the purpose(s) of the processing for which the Personal Data are intended as well as the legal basis for the processing;
d) the legitimate interests pursued by the Controller or by a third party;
e) the recipients or categories of recipients of the Personal Data, if any;
f) where applicable, the fact that the Controller intends to transfer Personal Data to a third country or international organization and the existence or absence of an adequacy decision by The Agency;
g) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
h) the existence of the right to request from the Controller access to and rectification or erasure of Personal Data or restriction of processing concerning the Data Subject or to object to the processing as well as the right to Data Portability;
i) the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
j) the right to lodge a complaint with a relevant authority;
k) whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data.
l) the existence of automated decision-making, including profiling and, at least, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject;
m) Where the Controller intends to further process the Personal Data for a purpose other than that for which the Personal Data was collected, the controller shall provide the Data Subject prior to that further processing with information on that other purpose, and with any relevant further information; and
n) Where applicable, that the Controller intends to transfer Personal Data to a recipient in a foreign country or international organization and the existence or absence of an adequacy decision by The Agency.
(8) Where Personal Data is transferred to a foreign country or to an international organization, the Data Subject shall have the right to be informed of the appropriate safeguards for data protection in the foreign country. The Data Subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate Personal Data concerning him or her. Considering the purposes of the processing, the Data Subject shall have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
(9) The Data Subject shall have the right to request the Controller to delete Personal Data without delay, and the Controller shall delete Personal Data where one of the following grounds applies:
a) the Personal Data are no longer necessary in relation to the purposes for which they were collected or processed;
b) the Data Subject withdraws consent on which the processing is based;
c) the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
d) the Personal Data has been unlawfully processed, and e) the Personal Data must be erased for compliance with a legal obligation in Nigeria.
(10) The Controller who has made the Personal Data public and is obliged to delete the Personal Data shall take all reasonable steps, to inform Controllers processing the Personal Data of the Data Subject’s request.
(11) The Data Subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a) The accuracy of the Personal Data is contested by the Data Subject for a period enabling the controller to verify the accuracy of the Personal Data;
b) The processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) The Controller no longer needs the Personal Data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims; and
d) The Data Subject has objected to processing, pending the verification of whether the legitimate grounds of the controller override those of the Data Subject.
(12) Where processing has been restricted such Personal Data shall, except for storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest in Nigeria.
(13) The Controller shall communicate any rectification or erasure of Personal Data or restriction to each recipient to whom the Personal Data has been disclosed unless this proves impossible or involves disproportionate effort. The controller shall inform the Data Subject about those recipients if the Data Subject requests it.
(14) The Data Subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the Personal Data have been provided, where:
(a) The processing is based on consent, or
(b) On a contract, and
(c) The processing is carried out by automated means.
(15) In exercising his right to Data Portability, the Data Subject shall have the right to have the Personal Data transmitted directly from one controller to another, where technically feasible. Provided that this right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(16) The exercise of the foregoing rights shall be in conformity with constitutionally guaranteed principles of law for the general protection and enforcement of fundamental rights.
Review and Update
The Policy will be subject to review and update from time to time as deemed necessary by the Board.