Data Protection & Privacy Policy
Document Number: TU.PP.001
Confidentiality: This document is the exclusive property of TechUnlock. It has been provided for the purpose for which it has been supplied and is subject to change.
Document Review
This document is subject to continuous change, which will be indicated by version numbers. A new version will only be approved after a review by top management; until then, the previous version remains valid.
1. Scope and Purpose
This policy covers all processing, usage, transfer, retention, and disposition of personally identifiable information and data with strict adherence to GDPR and NDPR to safeguard individuals' rights, health, and well-being. This document states what TechUnlock will do to safeguard the data of its interested parties under the laws and provisions of GDPR and NDPR.
2. Definitions
- Data Subject: An individual who can be identified directly or indirectly by the personal data being processed.
- Data: Any information that relates to an identified or identifiable natural person.
- Personal Data: Any information that can be used to directly or indirectly identify an individual.
- Data Processor: An entity that processes personal data on behalf of the data controller.
- Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, or destruction.
- Data Controller/Data Protection Officer: An entity that determines the purposes and means of processing personal data.
3. Data Collection and Processing
Specify lawful bases for collecting and processing personal data, ensuring compliance with GDPR's principles of lawfulness, fairness, and transparency. Outline procedures for obtaining consent and processing sensitive data as per Nigerian regulations.
4. Principles for Security of Data Processing and Storage
TechUnlock promotes the confidentiality, integrity, and availability of data as stated in NDPR/GDPR by adhering to the following principles:
- All personal data collected and processed will adhere to the principles of lawfulness, fairness, and transparency.
- Personal data will be processed for specific, legitimate, and lawful purposes with the consent of the data subject.
- Data will be kept accurate and up to date and will be corrected or erased if inaccuracies are discovered.
- Data collection and usage will be limited to what is relevant and necessary for the purpose.
- Personal data will be protected using adequate controls, including encryption and access controls.
- Employees will only access personal data necessary for their duties and will be required to maintain data privacy.
- Personal information will be retained, stored, and destroyed in line with regulatory guidelines.
- TechUnlock will demonstrate accountability by monitoring and improving data privacy practices.
5. Data Subject Rights
Data subjects have the right to:
- Obtain a copy of their personal data.
- Correct mistakes in data held about them.
- Delete their personal data from records (subject to exceptions).
- Restrict processing of their data in certain circumstances.
- Receive their data in a portable format in certain situations.
Data subjects can object to processing for direct marketing and in other situations, and can withdraw consent where processing relies on it. However, this may affect the provision of services.
For further information on rights, contact us at privacy@techUnlock.org.
6. Data Breach Response
TechUnlock will implement an Incident Response Plan for managing breaches, including:
- Validating the breach.
- Conducting impartial investigations.
- Identifying remediation requirements and tracking resolution.
- Reporting findings to top management.
- Coordinating with authorities and notifying impacted data subjects if necessary.
7. Training and Awareness
TechUnlock will provide training on GDPR and Nigerian data privacy laws, fostering data privacy awareness through:
- Bi-annual training programs with assessments.
- Quarterly training sessions with at least 75% staff attendance.
- Annual reviews of data privacy standards.
8. Monitoring and Review
TechUnlock will audit its data protection/privacy policy annually and ensure compliance with relevant regulations through:
- Internal or external audits of compliance and cybersecurity posture.
- Updating cybersecurity policies within 3-6 months of regulatory changes.
- Comprehensive compliance audits within 3 months of policy changes.