Privacy Policy

Purpose

This Privacy Policy (the “Policy”) is intended to provide a binding framework for actions involving the collection and use of Personal Data for the purpose of managing the Company’s business, and to serve as a tool for assimilating the duties applicable to the Company under the Data Protection Regulation of Nigeria.

 

Definitions

Company or A4&T NG” – means A4&T Power Solutions Limited (A4&T NG)

Data Protection Regulation” – means the Data Protection Regulation Guidelines issued by the National Information Technology Development Agency (NITDA).

Data Subject” – for the purpose of this policy, this refers to the individual to whom the Personal Data concerns.

Personal Data” – any data about an individual that identifies them personally, including economic information, purchase history information, wage information, occupational experience information, information recording the geographic location, health or mental health information, biometric or genetic information, images allowing for facial recognition, information about beliefs and political opinions, information about a person’s personality, information about sexual orientation, and any other sensitive information about the privacy of a person’s life.

 

Scope of Application and Amendment Procedure

This Policy applies to A4&T NG. Any change in this Policy requires the written approval of the Compliance Officer and the publication of the revised policy to all the relevant parties in the Company. By publishing this Policy, the Company does not assume any responsibility or liability in connection with actions performed prior to its publication, and these actions will be subject to the provisions of the Privacy Protection Laws and company procedures as they were at the time of their implementation.

 

Principles for Collecting and Using Information

The Company will collect and use Personal Data in accordance with the following principles:

Informed Consent

The Company will collect and use Personal Data only after informed consent has been obtained from the Data Subjects. The consent documents that Data Subjects will be asked to approve shall be formulated using the clearest possible language in order to express free, conscious and informed consent to the collection and use actions that the Company wishes to perform on the Personal Data.

Insofar as the consent is given concurrently with additional authorisations, the Data Subject will be asked to clearly and separately indicate that he agrees to the collection and use of the information. For example, insofar as the consent of the Data Subject is obtained by digital means, the Data Subject will be asked to indicate in a special box, unchecked by default, that he consents to the collection of the information and that he has read the appropriate privacy (opt-in) policy. Insofar as the consent of the Data Subjects is obtained by physical means, it shall be made clear to the Data Subjects with a clear and conspicuous indication that they consent to the collection and use of the information, with reference to this Policy. 

The Company shall document the receipt of consent to the collection and use of Personal Data in a centralized and retrievable manner.

 

Transparency

Upon receipt of the consent of the Data Subjects for the collection and use of the Personal Data, they shall be provided with enough information regarding the purposes of the collection and the way the information is used so that they may be able to consider their consent. Such announcement of the way the information is used shall be based on this Policy and shall include, at the very least, the following details: 

  1. the fact that the Data Subject has no legal obligation to provide the information; 
  2. the purpose for which the information is requested and the way it will be used; 
  3. the third parties that shall be provided with the information and the purposes for providing the information; 
  4. the countries to which the information shall be transferred; and 
  5. the right of the Data Subject to review, amend and delete stored information about them and the means of communication available to them for such purposes.

Compatible with the Purposes for which it was Collected

The Company shall use the Personal Data collected and retained by it solely for the purposes for which it was provided by the Data Subjects and in accordance with the information usage policy applicable to this type of information. Should the Company be required to make other uses than those agreed to by the Data Subjects, the Company will contact the Data Subjects in order to obtain their consent.

Privacy by Design

When designing and implementing a new business or technological process involving the collection or use of Personal Data, the Company will take into consideration, among its other consideration, the need for structured privacy planning for this process. For example, the company will consider collecting only the types of information required for the business process in the first place.

For this purpose, any party in the Company responsible for implementing a new business or technological process involving the collection or use of Personal Data shall consult with the Data Protection Officer prior to said assimilation.

 

Confidentiality of Information

The Company is obligated to maintain the confidentiality of any Personal Data collected by it. For this purpose, each and every Company employee provided with access to Personal Data maintained by the Company shall be bound by a confidentiality obligation in connection with the use of Personal Data and shall sign an appropriate confidentiality agreement. The employee’s confidentiality obligation may exist on the basis of the general confidentiality agreement on which they have signed as part of their employment agreement or on the basis of a dedicated confidentiality agreement, all in accordance with the instructions of the Data Protection Officer.

Information Security

The Company is obligated to keep the Personal Data it retains in a secure manner consistent with the Privacy Protection Laws and the information security principles implemented in the Company. The Company shall apply the Company’s Data Protection Policy and procedures determined by it to the Personal Data it retains. The Data Protection Officer will cooperate with the Compliance Officer to ensure that the Company’s data protection and information security measures will also apply to the Personal Data stored in the Company.

Purging of Information

Upon exhaustion or fulfillment of the need to retain the Personal Data, or upon receipt of a request by an Data Subject to delete their stored Personal Data, the Company will act to delete and purge said Personal Data from any digital or physical means available to it, except to the extent that maintaining such information is required for backup purposes, as records for legal purposes and other essential company need, or according to any law. When purging any Personal Data, the Data Protection Officer will confirm that the purging process has been completed after checking with all the relevant parties in the Company.

 

 

 

Methods of Collection and Use of Information

Collection of Customer Information

Consent to the Collection of Information

The collection of information for the database is done directly by completing a KYC form. Information is collected based on customer’s consent in the KYC Form and the Company’s Privacy Policy.

Customer Information Usage Policy
Collected Information

The information collected for the database includes the customer’s name, phone number, address, email address, passport picture, verifiable means of identify scan and date of birth. 

General Use Policy for Customer Information

The Company collects Personal Data about its customers for various purposes. The collection and use of the information will be done in accordance with the Company’s Policy for the Proper Collection, Use and Protection of Customer Information attached to this Policy as Appendix A.

Purposes of Collecting the Information

In order to provide quality services, it is necessary to obtain and store some information about the Company’s Customers. This is a standard practice by network and service providers serving people on commercial terms. It enables the Company to deliver the services that it provides and charge for the provision of such services. The Company also keeps Customer Information in order to enable it to manage its relationship with its Customers and accordingly provide proper support for the service it provides.

Duration of Data Retention

Customer Information will be retained only for as long as it is needed or legally required and thereafter confidentially destroyed. For instance, Customer Information may be stored for longer periods if it is necessary for the information to be processed for archiving purposes in the public interest or scientific, historical or statistical purposes but subject to the implementation of appropriate safeguards.

 


Collection of Vendor and Business Partners Information

Consent to the Collection of Information

The collection of information for the database is done directly by contacting vendors/Business Partners, completing vendor creation forms and/or engaging in contracts. Information is collected based on vendor/Business Partner’s consent in the Vendor File Creation Form/Contract and the Company’s Privacy Policy.

Vendor and Business Partners Information Usage Policy
Collected Information

The information collected for the database includes the name, contact information, professional experience and economic information concerning assets, debts and bank account details.

Purposes of Collecting the Information

The information is collected for wage management, provision of services to the Company.

 

Duration of Data Retention

Retention shall, to the extent necessary, comply with the purposes of the company for which the information was collected and for archive and backup purposes, as required by any law, for purposes of tax audits and financial reports, and for the purpose of conducting legal proceedings or defense against them, for a period not exceeding seven (7) years after completing the use of the vendor’s Personal Data.

 

 

Establishment and Registration of Databases

With the implementation of a new business or technological process involving the collection or use of Personal Data, a database will be established in the Company in which the relevant Personal Data will be stored. The party responsible for the business or technological process in the Company (“Business Process Manager), in coordination with the Data Protection Officer, will determine the identity of the Database Administrator (“Database Administrator“). The Database Administrator will be responsible for managing the database and implementing these Policy provisions with regard to the Personal Data stored therein.

 


Officers and Responsibilities

  1. The Company’s management is responsible for ensuring compliance with this Policy and for collecting and using Personal Data in the course of its business.
  1. The persons responsible for managing the Company’s privacy is the Company’s Data Protection Officer and Compliance Officer. They are responsible for examining from time to time the policies’ consistency with Privacy Protection Laws, and for recommending that the Company’s management update them as necessary. They shall be responsible for enforcing this Privacy Policy, and they have the powers of supervision and inquiry in connection with policy violation claims. They must be updated on any issue that causes or is likely to cause a breach of privacy.
  1. A Database Administrator will be appointed for each company database. Database Administrators shall be responsible for implementing the provisions of this Policy on the databases they are in charge of. Database Administrators shall inform the Data Protection Officer of any matter involving the possibility of a breach of privacy or conflict between administration of the database and this Policy.
  1. Company business process managers shall inform the Data Protection Officer regarding any activities requiring the collection and/or use of Personal Data. Business process managers will assist Database Administrators in implementing the provisions of this Policy dealing with the collection and/or use of Personal Data required for the business process for which they are responsible. Business process managers will inform the Data Protection Officer of any issue involving the possibility of a breach of privacy.