Purpose and Responsibility
The purpose of this procedure is to ensure that staff adequately comply with the principle of data protection and to provide a managed outline for fulfilling our business needs, accountability and legal responsibility.
Each department within the organisation is responsible for the data that it holds. This responsibility extends to the data that is processed by third parties on behalf of Creseada.
The Audit and Compliance Manager manages and ensures adequate compliance with the data protection procedure.
Principle on Data Protection
Creseada collects and uses data in many ways. In doing this, we shall ensure that all legal obligations under the Data Protection Act 2018 are met. This includes ensuring that personal data is:
Processed lawfully and fairly.
Processed for specified, explicit and legitimate purposes and not to be further processed in any manner that is incompatible with that purpose.
Adequate, relevant and limited to what is necessary for the purposes for which it is being processed.
Accurate and, where necessary, up to date.
Not kept longer than necessary for the purposes for which it is being processed.
Processed in a secure manner, by using appropriate technical and organisational means.
Processed in keeping with the rights of data subjects regarding their personal data.
Employee Data Protection
Creseada collects relevant Personal Data about employees, their dependents and other individuals that an employee informs the organisation are connected to them.
Generally, Employee Data is collected directly from our Employees. However, in some cases Creseada may collect Personal Data about Employees from trusted third parties when we perform background checks that are necessary for the Employee’s role and/or to obtain information from recruiters in connection with potential applicants.
All Employee Data is collected and used in compliance with the Nigeria Data Protection Regulation 2019 (“NDPR”), other applicable laws and the employee’s right to privacy as guaranteed under the Nigerian Constitution.
Data Protection Procedure
Security of Personal Data - We are dedicated to taking appropriate technical, physical and organisational measures to keep personal and sensitive data secure at all points of the processing, in order to safeguard against unauthorised or unlawful processing and against accidental loss, destruction or damage. We shall implement security measures which provide a level of security appropriate to the risks involved in the processing of: Manually Held Personal Data; Sending Data by Post; Printing of Personal Data; Electronically Held Personal Data; Sending Personal Data via Email; and Use of Removable Media Devices.
Purpose Limitation and Consent
Creseada will only process Personal Data for purposes:
where an Individual has given consent to the processing of his or her Personal Data for one or more specific purposes;
where necessary for the performance of a contract to which the individual is a party or in order to take steps at the request of the individual prior to entering into a contract;
where necessary for compliance with a legal obligation to which Creseada is subject, such as financial accounting, employees’ payroll processing, keeping records for tax purposes or providing information to public bodies, law enforcement agencies, or legitimate and authorised Third Parties;
where set out in any notice made available to the relevant Individual. Notice can be made, among others, through this Policy, the Creseada website, contractual arrangements and formal notices.
Access, Quality, Retention and Disposal of Personal Data
Access - Under this policy an Individual may have access to their Personal Data held by Creseada, where those requests are reasonable and permitted by applicable Data Protection Law. Individuals may object to the processing of their Personal Data for legitimate reasons, to the extent required or permitted by applicable Data Protection Laws. Creseada agrees to rectify, amend, or delete an Individual’s Personal Data upon request where it is inaccurate or where it is being used contrary to this Policy.
Data Quality - All Personal Data should be kept accurate and where necessary, up to date. The Personal Data held by Creseada must be adequate, relevant and not excessive and should be in compliance with the provisions of the Applicable Data Protection Law(s) on data quality obligations.
Retention - Data shall not be kept for longer than is necessary for the purpose for which they were collected. All data held by each department should be stored and filed in accordance with the departmental index of record or archive procedure C-QMS-PM-03 and destroyed in accordance with the required specification and in compliance with regulatory or statutory obligations.
Disposal - Personal Data shall be disposed of when it is no longer needed for the effective functioning of the business operations. The method of disposal shall be appropriate to the sensitivity of the personal data. Shredding shall be used in the case of manual data and reformatting in the process of deletion shall be used in the case of electronic data.
Security and Transfer of Personal Data
Security - Creseada shall take reasonable precautions to secure Personal Data of both customers and employees against accidental or unlawful destruction or loss, alteration, unauthorized disclosure, or access. These precautions include technical, physical, and organizational security measures to prevent unauthorized access. Applicable measures of precaution are kept confidential but are duly documented in relevant Process Manuals.
Transfer of Personal Data - Whenever the need arises for a transfer of Personal Data to an authorized Third Party, Creseada undertakes to secure the transfer by one of the following mechanisms:
Standard Contractual Clauses or Binding Corporate Rules that cover Third Parties’ Processing of Personal Data;
Any other mechanism officially recognized by Applicable Data Protection Laws for ensuring an adequate level of protection of Personal Data.
Monitoring and Enforcement
This policy shall be reviewed annually to ensure it remains adequate and complies with the regulatory and statutory requirements. All staff who process Personal Information must ensure they not only understand but also act in line with this policy.
Questions and Complaints
To exercise rights under this Policy, express a concern, request access or personal information update, raise a question, make a complaint, or to obtain additional information about the processing of Personal Data by Creseada, Individuals may send an e-mail to: firstname.lastname@example.org, accompanied by a valid proof of Identification, unless the Individual is an employee who may contact the Manager, Human Resource & Admin.
Creseada undertakes to respond to requests within a reasonable time, up to 60 days, depending on the complexity of the request and/or the number of requests it receives.