Privacy Policy

DATA PRIVACY PROTECTION POLICY

1.       INTRODUCTION

An essential component of Greenbox’s business operations is the collection and processing of personal data that can directly or indirectly identify individuals, referred to as “Data Subjects.” This term encompasses a wide range of individuals, including current employees, former employees, prospective job applicants, clients, suppliers, vendors, contractors, business partners, and any other individuals who interact with Greenbox in various capacities.

 

Greenbox is deeply committed to safeguarding the privacy and personal data rights of all Data Subjects. Our dedication to securing personal data and maintaining its confidentiality and integrity is fundamental to building and sustaining trustworthy relationships with clients, employees, and stakeholders. This Data Privacy Protection Policy (hereinafter referred to as “the Policy”) delineates the guiding principles and operational standards that Greenbox adheres to in order to ensure compliance with all relevant data protection legislation, particularly the Nigerian Data Protection Regulation (NDPR).

 

This Policy applies to all operating systems, digital platforms, business processes, and transactional operations within Greenbox that involve the collection, storage, utilization, transfer, or disposal of personal data.

Non-compliance with the data protection rules and guiding principles outlined in the Nigerian Data Protection Regulation (NDPR) and this Policy constitutes a violation of Greenbox’s policies. Such violations may lead to disciplinary actions as necessary, which could include suspension or termination of employment or business relationships.

 

2.       SCOPE

This Policy applies universally to all parties connected with Greenbox, detailing the scope of its relevance:

 

2.1.     Individuals employed by Greenbox: This includes a broad spectrum of personnel, such as full-time permanent staff, part-time employees, temporary workers, and interns. Each category of employee is integral to our operations and thus falls under the purview of this Policy.

 

2.2.     External business partners: The Policy extends to all external entities that engage in business interactions with Greenbox, encompassing contractors who perform specific tasks, service providers who deliver essential services, and vendors who supply goods necessary for our operations.

 

2.3.     Third-party data processors: This applies to any third-party organization or individuals that manage or process personal data on behalf of Greenbox. It is essential that these parties adhere to our data protection standards to ensure the integrity and security of all personal data.

 

2.4.     Departments and units: All functional areas within the organization that are involved in processing personal data are covered by this Policy. This encompasses teams that manage, store, and utilize personal data for various business activities.

 

Furthermore, this Policy covers all methods of data processing, regardless of format. This includes activities conducted through automated systems, leveraging software applications and digital tools, as well as traditional manual processes for handling data. By addressing both automated and manual methods, our objective is to comprehensively safeguard personal data across all platforms, ensuring that we meet and adhere to relevant regulations.

3.       PURPOSE

 

The purpose of this Policy is multi-faceted and outlined as follows:

 

3.1.  Risk mitigation: The primary aim is to protect the Company from potential data breaches, which could lead to significant financial loss, reputational damage, and legal consequences.

 

3.2.  Transparency in data management: We seek to provide clear disclosure on how the Company stores and processes personal data, thereby ensuring that all stakeholders are informed about our practices and protocols.

 

3.3.  Guidelines for data protection: The Policy establishes a framework for safeguarding employee data, guarding against unauthorized access, misuse, or any form of disclosure that could undermine privacy and trust.

 

3.4.  Protection of rights: It is essential to uphold the rights of all staff members, stakeholders, and affiliated parties, ensuring that their personal information is handled with the utmost respect and care.

 

3.5.  Compliance and best practices: We are committed to adhering to the Nigeria Data Protection Regulation (NDPR) and any other applicable laws, while also aligning our practices with international best practices in data protection. This commitment ensures that we not only meet legal obligations but also foster a culture of security and trust across the organization.

 

4.       TYPES OF EMPLOYEE DATA COLLECTED

The company may collect the following personal data categories:

i. Personal Identification: Name, gender, date of birth, marital status, nationality.

ii. Contact Information: Address, state of origin certificate, utility bill, phone number, email.

iii. Employment Information: Job title, department, employee ID, date of employment, salary, benefits.

iv. Educational and Professional Background: Qualifications, certifications, employment history, referee contact.

v. Financial Data: Bank account details, tax identification number.

vi. Health and Emergency Data: Medical information (as applicable), next of kin/emergency contacts.

vii. Performance and Disciplinary Records: Appraisals, warnings, promotions, training records.

viii. Biometric Data (if applicable): Fingerprints, photos, and other data used for ID or access control.

5.       DATA PROCESSING PRINCIPLES

At Greenbox, we are wholeheartedly committed to upholding key principles that govern the lawful and responsible processing of personal data. Our approach is rooted in a deep respect for individual privacy and transparency.

 

5.1.     Authenticity of Personal Data

Greenbox prioritizes the integrity and accuracy of the personal data we hold. This commitment entails a rigorous process to ensure that all information is not only up-to-date but also accurately reflects the identities and circumstances of the individuals involved. In instances where discrepancies or inaccuracies are discovered—whether through routine audits or reports from Data Subjects—we act swiftly and efficiently to correct, update, or delete any erroneous information to prevent misrepresentation.

 

5.2.     Legal and Unbiased Processing

The processing of personal data at Greenbox is conducted in a manner that is strictly legal and free from bias. To facilitate this, we ensure that Data Subjects receive transparent and easily comprehensible information about how their data will be utilized. Each initiative that involves data handling is backed by legitimate purposes, such as compliance with contracts or fulfilling legal obligations, and we are diligent in obtaining informed consent from Data Subjects where required.

 

5.3.     Purposes and Basis for Data Collection and Processing

We are committed to gathering and processing personal data with clear, well-defined purposes, which we communicate transparently to all individuals involved. This commitment to transparency not only fosters trust but also limits the use of data strictly to the original intentions for which it was collected. If there are any changes to how this data will be used, we will proactively seek clear and explicit additional consent from the individuals concerned.

The specific purposes for collecting personal data encompass a broad range of activities, including but not limited to the following:

i.        Recruitment and Onboarding: During the recruitment phase, we collect personal details from applicants to assess their qualifications and suitability for roles. This process includes gathering resumes, references, and relevant background information, followed by an onboarding process that requires additional personal data to facilitate a smooth transition into the company.

 

ii.      Performance of Contracts: We gather personal data that is crucial for fulfilling our contractual obligations. For instance, when entering into employment agreements, we ensure that we collect the necessary information to manage relationships effectively and honor all terms that have been agreed upon by both parties.

 

iii.    Payroll and Benefits Administration: To ensure employees receive their correct pay and benefits on time, we collect and process personal data such as bank details and benefit selections. This information is essential for accurate payroll processing and maintaining compliance with financial regulations.

 

iv.     Performance Management: We collect data related to employee performance through evaluations and feedback mechanisms. This information helps us promote professional growth, support career development, and facilitate a productive work environment.

 

v.       Compliance with Legal and Regulatory Requirements: Certain personal data is collected to adhere to various laws and regulatory guidelines relevant to our operations. This might involve maintaining detailed records required by tax authorities, employment laws, and industry-specific standards, ensuring that our business practices remain lawful and ethical.

 

vi.     Training and Development: We collect information regarding employee participation in various training programs and professional development workshops. This data helps us identify skill gaps, customize training initiatives, and enhance overall workforce competency.

 

vii.   Health, Safety, and Security Management: The safety and well-being of our employees are paramount. We collect personal data related to health and safety issues, including emergency contact information and medical necessities, to ensure a safe working environment and effective emergency response.

 

viii. Legitimate Company Interests: We collect and utilize personal data when it serves our legitimate interests as a company. For instance, maintaining organized records improves Human Resource processes and supports better internal decision-making.

 

ix.     Explicit Consent from Employees: In some cases, we collect personal data only with the informed consent of the employees, particularly when engaging in actions that are not strictly necessary for contractual or legal purposes, ensuring that individuals retain control over their personal information.

 

x.       Essential Service Notifications and Updates: We emphasize the importance of keeping our clients informed by sending timely and relevant notifications regarding any service changes, critical updates, or interruptions. This approach guarantees that Data Subjects are consistently aware of significant information that may influence their experience with our services.

 

xi.     Comprehensive Customer Support: Our dedicated client support team relies heavily on personal data to effectively respond to inquiries regarding various matters, including billing discrepancies, service utilization, and other client-related concerns. By personalizing our support based on individual needs, we aim to enhance user satisfaction and resolve issues in a timely manner.

 

xii.   Efficient Delivery of Products and Services: We leverage personal data to facilitate the seamless delivery of our offerings. This encompasses the entire process from service requests to service delivery, ensuring that clients are attended to in a timely and efficient manner. Our goal is to provide comprehensive visibility throughout the fulfillment journey.

 

xiii. Robust Fraud Detection Measures: To safeguard the integrity and security of our services, we implement advanced systems designed to detect and prevent fraudulent activities. This proactive approach involves continuous monitoring of unusual activity patterns and the rigorous protection of personal data against unauthorized access or breaches.

 

xiv. Network Optimization and Data Analytics: We make use of the data we collect to enhance the performance of our network and improve service delivery. By analyzing usage trends and patterns, we identify areas needing improvement, allowing us to tailor our services in a more responsive and efficient manner, aligned with the changing needs of our users.

 

xv.   Targeted Marketing and Promotional Efforts:  We collect data for strategic marketing initiatives aimed at both potential and existing customers. By analyzing customer preferences and behaviors, we create personalized promotional content that enhances engagement and meets the specific interests of our audience.

 

5.4.     Minimization of Data Collection

At Greenbox, we are committed to the principle of data minimization, which is integral to our approach to data privacy. We take great care to gather only the personal information that is absolutely essential for achieving the specific purposes outlined in our services. Our priority is to limit data collection to what is necessary for operational effectiveness while enhancing user privacy. In instances where it is feasible, we actively promote the use of anonymized data. This strategy not only bolsters the protection of our Data Subjects’ identities but also significantly reduces the potential risk of exposing sensitive personal data in the event of a breach.

 

5.5.     Data Security Measures

To ensure the utmost protection of personal data, we implement a range of robust technical and organizational strategies. These measures include:

 

i.           Password-Protected Systems and Databases: All systems and databases that handle personal data are secured with strong, unique passwords. Regular updates and complexity requirements are enforced to mitigate the risk of unauthorized access.

 

ii.         Role-Based Access Control (RBAC): Access to sensitive information is strictly limited based on the specific roles of employees within the organization. Each employee is granted permissions tailored to their job functions, ensuring that individuals can only access the data necessary to perform their duties effectively.

 

iii.       Secure Document Storage: Physical and digital documents that contain personal data are stored securely. Digital files are housed in secure servers with limited access, while physical documents are kept in locked filing cabinets with restricted access.

 

iv.        Data Protection Training for Employees: To strengthen our data security culture, we provide ongoing training programs aimed at educating relevant employees about data protection best practices. This training covers how to recognize phishing attempts, the secure handling of personal data, and the importance of reporting any security breaches immediately.

 

By implementing these comprehensive measures, we strive to maintain a high standard of data security and trust within our organization.

 

5.6.        Data Storage, Retention, and Disposal

 

i.              Secure Storage: All collected data will be stored in a secure manner, whether it is maintained electronically on protected servers or physically in locked facilities. Access to this data will be strictly limited to authorized personnel only, who have undergone appropriate training to handle sensitive information responsibly.

 

ii.            Retention Duration: Data will be retained exclusively for the duration that is necessary to achieve the specific purpose for which it was collected. Additionally, we will ensure compliance with all relevant legal obligations that dictate retention periods, ensuring that data is not held longer than required.

 

iii.          Post-Employment Data Handling: In the event of termination of employment, all employee-related data will be retained in accordance with applicable regulatory requirements. Once the designated retention period has expired, this data will be disposed of in a secure manner, ensuring that the information cannot be recovered or misused.

 

iv.           Management of Service Provider Data: Any personal data belonging to individuals or entities we engage with as service providers will be managed with diligence. This data will be deleted in strict adherence to the relevant legal frameworks or after the prescribed retention period has elapsed, and we will follow specific protocols to guarantee the complete and secure elimination of this information.

 

5.7.     Accountability and Record Keeping

Greenbox places a high value on accountability, dedicating itself to maintaining detailed and systematic records of all data processing activities. We engage in periodic assessments of our privacy controls and procedural frameworks to ensure they consistently meet our elevated standards for data protection. Any instances of data breaches or policy violations are treated with utmost seriousness; such incidents may trigger substantial disciplinary actions or legal consequences. This proactive stance reflects our unwavering commitment to ethical data handling practices and highlights our determination to uphold the trust placed in us by our clients and users alike.

 

6.       DATA PRIVACY NOTICE

At Greenbox, we are deeply committed to ensuring the utmost confidentiality and protection of your personal data. To promote transparency regarding our data collection practices, we provide a thorough and easily accessible privacy notice prior to or at the time we collect any personal information from you. This notice comprehensively outlines the following key components:

 

i.        Data Collection: We clearly specify the various types of personal data we may collect from you. This includes but is not limited to your full name, email address, phone number, residential address, demographic information (such as age, gender, and location), and any other pertinent details that may be necessary to deliver our services effectively.

 

ii.      Purpose of Collection: We articulate the specific reasons for collecting your personal data. This includes enhancing and customizing your user experience, improving the quality and efficiency of our services, conducting market research, and complying with statutory and regulatory obligations that may apply.

 

iii.    Data Usage and Sharing: The notice elaborates on how we utilize your personal data. This may involve processing your information to facilitate service delivery, providing customer support, conducting marketing communications tailored to your interests, and sharing your data with trusted third parties strictly when it is essential for fulfilling our services or as mandated by law. We ensure that any third parties with whom we share your information adhere to equivalent privacy standards.

 

iv.     Rights of Data Subjects: We detail your rights as a data subject under applicable privacy laws. These rights include, but are not limited to, the right to access your personal data, the right to rectify any inaccuracies, the right to request the deletion of your data, the right to restrict the processing of your information, and the right to request data portability, allowing you to obtain and reuse your personal data across different services.

 

v.       Methods for Exercising Rights: We provide clear and straightforward instructions on how you can exercise your rights under this notice. This includes information on how to contact our designated Data Protection Officer, alongside guidance on how to submit requests regarding your personal data, ensuring your queries are addressed promptly and efficiently.

 

vi.     Methods Used to Collect and Store Information: We outline the techniques and methodologies employed to gather and securely store your personal data. This may involve using secure online forms, data encryption practices, and adhering to robust information security protocols to protect your data against unauthorized access and breaches.

 

vii.   Remedies for Privacy Violations: We inform you of the steps available to you should you feel that your privacy rights have been compromised. This includes the option to lodge a complaint with a supervisory authority, as well as internal procedures to help resolve any concerns you may have regarding our data practices.

 

7.       LAWFUL BASIS FOR PROCESSING PERSONAL DATA  

The personal data we gather from our customers varies significantly based on the specific services they choose, their usage behaviors, and the nature of their interactions with us. This practice also extends to individuals who may not be direct customers of Greenbox but have engaged with our platform in some capacity. Your personal information may be acquired from authorized third parties who have obtained your explicit consent to share such data with us.

Our commitment to user privacy is paramount, and we ensure that all processing of personal data is conducted in strict compliance with applicable laws and regulations. We undertake this practice only when there is a robust legal basis that justifies the collection and processing of such data. The legal grounds for processing personal data can encompass a variety of situations. These may include fulfilling contractual obligations where data processing is necessary to deliver services; complying with legal requirements where the law mandates certain disclosures; protecting vital interests, particularly in emergency situations; fulfilling tasks carried out in the public interest; or pursuing legitimate interests that benefit Greenbox or recognized third parties, provided those interests do not override the rights of the individuals involved.

We ensure that any processing of personal data is conducted in compliance with applicable laws and only when there is a valid legal basis. These grounds may include:

i.     Consent from the Data Subject: We obtain explicit consent from you for specific data processing activities, ensuring you have control over what is shared.

 

ii.   Contractual Necessity: Your personal data may be processed when it is necessary to fulfill a contract that you have entered into with us, including providing services or products you request.

 

iii. Legal Obligations: We may process your data to comply with legal and regulatory requirements, ensuring that we operate within the law.

 

iv.  Protection of Vital Interests: In cases where processing is essential to protect someone’s life or health, we will act in accordance with this necessity.

 

v.    Public Interest or Official Mandate: Our data processing may also occur when it serves the public interest or is necessary for a task carried out in the interest of the public or under official authority.

 

7.1.  Your personal data is collected and assessed when you engage in the following activities:

i.        Purchase or utilize any of our diverse range of products and services, which encompass everything from telecommunications options to advanced technology solutions tailored to meet your needs.

 

ii.      Complete the registration process for any specific product or service, which may include setting up an account to gain access to exclusive features and benefits.

 

iii.    Participate in competitions, promotions, or surveys that we host, giving you the chance to provide feedback and engage with our brand while potentially receiving exciting rewards.

 

iv.     Access our extensive network or other offerings, ensuring that you can take full advantage of our innovative and reliable solutions designed for seamless connectivity.

 

v.       Browse or explore our official website, where we offer a wide range of informative resources and options designed to help you maximize your experience with our services.

 

vi.     Provide us with information that is publicly accessible, ensuring that we can maintain accurate records and tailor our offerings accordingly.

 

vii.   Provide your personal information through our Know Your Customer (KYC) registration form, submit details on our self-service applications, connect with us via our social media platforms, or fill out forms related to SIM swaps or Mobile Number Portability.

 

viii. Grant permission to third-party companies, organizations, or individuals to share information about you, allowing us to enhance our services and provide you with more personalized experiences.

 

ix.     Become a customer of a business that we have acquired, thereby allowing us to integrate your information into our systems for better service continuity.

 

The personal information we collect from our data subjects may encompass a variety of specific details, including but not limited to their full name, contact telephone number, residential and mailing addresses, gender identification, and a recent photograph. Additionally, we may store identification details such as government-issued ID card numbers and biometric data, including fingerprints. Our records may also include essential educational background information, detailing degrees attained and institutions attended, as well as a comprehensive overview of job experiences, highlighting previous roles, responsibilities, and durations of employment. Furthermore, we may keep a digital or scanned copy of the individual’s signature for verification purposes, among other relevant data points.

 

8.       CONSENT

When Greenbox processes personal data based on consent, we are committed to ensuring that the consent obtained from individuals meets several key criteria: 

   i.      Clarity and Transparency: Consent must be expressed in a clear and understandable manner, enabling individuals to comprehend the specifics of what they are consenting to. 

 

 ii.      Informed and Freely Given: Individuals should be well-informed about the purpose and implications of their consent, ensuring that it is granted without any form of coercion or undue influence. 

 

iii.      Specificity to Purpose: The consent must be explicitly tied to the particular purpose for which personal data is being processed, without any assumptions regarding other uses. 

 

iv.      Withdrawal Without Consequences: Individuals retain the right to withdraw their consent at any time, without facing any negative repercussions or adverse effects on their rights or services received.

For the processing of sensitive personal data, Greenbox enforces a policy requiring explicit and unequivocal consent from individuals. In circumstances involving minors, consent must be secured from a legal guardian or representative, in full compliance with applicable laws and regulations.

9.       DATA SUBJECT RIGHTS   

Individuals whose data is being processed are granted several rights to ensure their personal information is being handled appropriately. These rights include: 

 

  i.      Right to Access: Data Subjects have the entitlement to request and obtain confirmation regarding whether their personal data is being processed and, if so, access to that data. 

 

ii.      Right to Information: They have the right to understand how their personal data is utilized, including the purposes of processing and the legal grounds for such actions. 

 

iii.      Right to Rectification: Data Subjects can request corrections to ensure that any inaccurate or incomplete personal data is promptly amended. 

 

iv.      Right to Erasure: Under certain circumstances, individuals can request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected. 

 

 v.      Right to Restrict Processing: Data Subjects have the right to limit or restrict the processing of their personal data in specific situations defined by law. 

 

vi.      Right to Withdraw Consent: Individuals may withdraw consent to the processing of their personal data at any time, effectively stopping any further processing that relied on that consent. 

 

vii.      Right to Data Portability: They may request a copy of their personal data in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller. 

 

viii.      Right to Object to Automated Decisions: Data Subjects can object to decisions based solely on automated processing, including profiling, that could have legal effects or significantly affect them.

 

10.    TRANSFER OF PERSONAL DATA

 

10.1.  Transfers Within Nigeria

At Greenbox, we may engage third-party processors to share personal data as part of our legitimate business operations. This data sharing is subject to rigorous contractual agreements that are designed to ensure the protection and confidentiality of your data throughout the various stages of transfer and processing.

We understand the importance of your personal data and may share it with law enforcement agencies when required by applicable laws. Specifically, Greenbox will share your information with the following parties:

 

i.           Business Partners and Service Providers: When you engage our services, such as applying for a loan, your application will be processed by our trusted business partners. These partners are contractually obligated to safeguard your personal data and handle it responsibly during the entire process.

 

ii.         Law Enforcement and Regulatory Bodies: We may disclose your personal information to law enforcement agencies, governmental bodies, regulatory organizations, courts, or other public authorities when required or permitted by law. For example, under the Cybercrimes Act, law enforcement may request that a service provider retain or provide access to traffic data, subscriber information, and related content strictly for the purposes of law enforcement.

 

iii.       Legal Obligations: In certain circumstances, we may need to share your personal data with a third party as mandated by law or to comply with legal or regulatory requirements. Such disclosures may be necessary to detect, prevent, or investigate potential fraud or the commission of other crimes.

 

iv.        Corporate Transactions: In the event of a business reorganization, such as a merger, acquisition, or takeover, your personal data may be transferred to the new entity involved. In such cases, we will ensure that there are adequate measures in place to protect your information throughout this transition.

 

10.2.        Cross-Border Transfers

When personal data is set to be transferred outside the borders of Nigeria, Greenbox is committed to implementing comprehensive and robust safeguards to secure such personal information. Specifically, Greenbox will conduct thorough evaluations to determine whether the destination country is included on the National Information Technology Development Agency (NITDA) White List. This list identifies countries that possess sufficient legal frameworks to ensure adequate data protection.

Greenbox will only execute transfers of personal data to jurisdictions recognized for their rigorous data protection measures, adhering to established regulatory standards. In accordance with this policy, Greenbox will follow the guidelines outlined below regarding cross-border transfers of personal data:

 

     i.            Consent Requirement: Prior to initiating any cross-border transfer, Greenbox will ensure that explicit and informed consent has been acquired from the Data Subject. This consent process will involve clear communication about the nature of the data, the purpose of the transfer, and the implications it may have.

 

   ii.            Contractual Necessity: Transfers may occur when they are indispensable for fulfilling a contractual obligation that the Data Subject is involved in or to meet legal obligations that must be satisfied.

 

 iii.            Public or Vital Interest: In exceptional circumstances, data transfers may be authorized if they serve a significant public interest or are necessary to protect the vital interests of the Data Subjects or other individuals, particularly when the Data Subject is unable to provide consent, either physically or legally.

 

  iv.            Legal Claims: Transfers may also be justified if they support the establishment, exercise, or defense of legal claims.

 

In all scenarios, it is crucial that the Data Subject is comprehensively informed about potential risks related to data protection principles that could be infringed upon if data is transferred to a third country. This specific warning will be communicated transparently, ensuring that the Data Subject understands their rights and the nature of the risk involved. Notably, this clause does not protect against instances where the Data Subject is required to respond to a civil or criminal legal action in the destination country.

 

In circumstances where the recipient country is not included on the White List and none of the conditions outlined in this policy are fulfilled, Greenbox will collaborate with the National Information Technology Development Agency (NITDA) and the Office of the Honorable Attorney General of the Federation to seek approval for such data transfers.

 

Greenbox is dedicated to taking all necessary actions to guarantee that personal data is transmitted in a secure and safe manner. For individuals seeking more information, detailed descriptions of the protective measures in place for data that is transferred beyond Nigeria’s borders will be readily available upon request.

 

11.     DATA BREACH MANAGEMENT PROCEDURE

Greenbox has established and maintains a Data Breach Management Procedure to effectively respond to incidents involving accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data that is transmitted, stored, or otherwise processed. This procedure ensures swift action to protect the integrity and confidentiality of Personal Data.

 

11.1.   Employee Responsibilities

All employees at Greenbox are mandated to promptly report any actual or suspected violations of this policy or other regulations related to data protection. Such reports should be directed to their immediate supervisor or the designated Greenbox Data Protection Officer (DPO). Below are examples of potential data breaches that must be reported:

i.           Unauthorized or Improper Data Transmission: Any instances where Personal Data is transmitted without proper authorization, particularly across international borders, are to be reported. This includes sending sensitive information through unsecured channels or to unauthorized recipients.

 

ii.         Loss or Theft of Devices: If any devices or equipment containing Personal Data, such as laptops, smartphones, or external storage devices, are lost or stolen, it is crucial to inform the appropriate authorities immediately to mitigate potential risks.

 

iii.       Accidental Disclosure: Situations where Personal Data is unintentionally shared with individuals who do not have the clearance to access it must be reported. This may include misdirected emails or mistakenly granting access to sensitive documents.

 

iv.        Inadequate Access Controls: Any weaknesses in access controls that could potentially allow unauthorized individuals to gain access to Personal Data must be highlighted. This includes issues such as shared passwords or improper user permissions.

 

v.          Equipment Malfunctions: Instances where a malfunctioning device compromises data security, such as software failures that expose Personal Data, need to be reported immediately to assess the extent of the breach.

 

vi.           Human Error: Any human errors that lead to the exposure of Personal Data to unauthorized entities should be communicated. This could involve mistakes such as incorrect data entry or failing to follow proper data handling procedures.

 

vii.         Cybersecurity Attacks: Employees must remain vigilant and report any signs of cybersecurity threats, including hacking attempts, phishing emails, or malware installations that could jeopardize the integrity of Personal Data.

 

 

11.2.           Breach Notification

In the event of a data breach, Greenbox is committed to ensuring a swift and effective response through the following comprehensive actions:

 

i.                     Notification of Regulatory Authorities: In compliance with legal obligations, Greenbox will notify relevant regulatory authorities, such as the Nigeria Data Protection Commission (NDPC) or any other applicable governing bodies, where mandated. This notification will include detailed information regarding the breach, including the type of data involved, the potential risks to affected individuals, and the steps being taken to address the situation.

 

ii.                   Initiation of Immediate Remedial Measures: Upon detection of a data breach, Greenbox will promptly activate a response team to implement immediate remedial measures. This includes identifying the nature and extent of the breach, containing the incident to prevent further unauthorized access, and mitigating any potential damage to both the organization and the affected individuals.

 

iii.                 Coordinated Communication with Stakeholders: Effective communication will be maintained with all stakeholders regarding the breach. This includes thorough coordination between internal teams, such as IT, legal, and public relations, as well as external partners. Strategies will be developed to manage the dissemination of information in a controlled manner, ensuring that stakeholders are kept informed without causing unnecessary alarm.

 

iv.                  Timely Communication with Affected Data Subjects: Greenbox prioritizes transparency and will ensure that affected Data Subjects are informed as soon as it is feasible. This communication will provide clear and comprehensive details regarding the nature of the breach, the types of personal data involved, the potential consequences, and the measures being implemented to safeguard their information. Additionally, guidance on steps that individuals can take to protect themselves will be included.

 

12.          DATA PROTECTION IMPACT ASSESSMENT (DPIA)

 

12.1.     DPIA Requirement 

Before the initiation of any new project, product, or information technology system that involves the processing of Personal Data, Greenbox is committed to conducting a comprehensive Data Protection Impact Assessment (DPIA). This assessment serves as a critical evaluative tool to ascertain whether the proposed activities related to data processing may potentially pose risks to the rights and freedoms of individuals whose data is being processed, known as Data Subjects. The DPIA aims to ensure that any potential adverse effects on personal privacy are identified and addressed proactively.

 

12.2.     DPIA Procedure

All DPIAs conducted by Greenbox will adhere meticulously to the established procedures outlined in our Data Protection Impact Assessment Policy. The DPIA process will include the following detailed steps:

 

i.            Identification of Potential Privacy Risks and Impacts: This initial stage involves a thorough examination of the project to pinpoint any privacy risks, such as unauthorized access to data, data breaches, or impacts on the confidentiality and integrity of Personal Data. We will also assess the severity and likelihood of these risks occurring.

 

ii.          Evaluation of Necessity and Proportionality of Processing Activities: We will critically analyze whether the data processing activities are essential for the intended purpose and whether the benefits outweigh the potential risks. This step involves considering alternative methods to achieve the same objectives with minimal privacy impact.

 

iii.         Recommendation of Measures to Mitigate Identified Risks: Following the risk evaluation, the DPIA will include actionable recommendations aimed at minimizing or eliminating identified risks. These measures may encompass enhanced security protocols, data minimization strategies, and the implementation of privacy by design principles.

 

iv.         Consultation with the HRA, Legal & Compliance Team, and Relevant Regulatory Authorities: Engaging in dialogue with the HRA and the Legal & Compliance team is a vital aspect of the DPIA process. Both parties will provide expert guidance on compliance with data protection legislation. If necessary, Greenbox will also consult with the appropriate regulatory authority to seek advice on mitigating any significant risks that cannot be sufficiently addressed internally.

 

This structured approach ensures that Greenbox upholds the highest standards of data protection and remains committed to safeguarding the rights of Data Subjects throughout all processing activities.

 

13.    DATA PROTECTION AGENT

The Head of Human Resources & Administration (HRA) plays a crucial role in managing and overseeing the Company’s data protection policy, ensuring that all practices are compliant with the Nigerian Data Protection Regulation (NDPR). This position requires extensive knowledge of data privacy laws and principles, as well as a comprehensive understanding of the NDPR’s provisions.

 

The primary responsibilities of the Head, HRA encompass a variety of tasks aimed at safeguarding personal data and enhancing organizational compliance, which include:

 

i.         Implementation of Data Protection Policies and Practices: Developing, communicating, and enforcing robust data protection policies that align with NDPR requirements to ensure that every aspect of data handling is secure and responsible.

 

ii.       Monitoring Compliance: Regularly assessing and auditing the Company’s adherence to the NDPR and other relevant data protection regulations, establishing methods to track compliance and address discrepancies as they arise.

 

iii.      Advisory Role: Providing expert guidance to the business, management, employees, and external partners involved in data processing activities. This involves clarifying their responsibilities and the obligations necessary for compliance with the NDPR.

 

iv.      Liaison for Greenbox: Serving as the primary contact for all data protection-related inquiries within Greenbox, facilitating communication and understanding of privacy issues across the organization.

 

v.       Policy Implementation Oversight: Continuously monitoring and updating the execution of data protection policies and practices within Greenbox, ensuring that all employees are trained and compliant with the established protocols.

 

vi.      Data Impact Assessment Coordination: Leading the initiative for conducting Data Impact Assessments (DIAs) to identify and mitigate potential risks associated with data processing operations at Greenbox. This proactive approach aims to enhance the security and privacy of personal data.

 

vii.    Database Maintenance: Establishing and managing a comprehensive database that catalogs all data collection and processing activities undertaken by Greenbox. This database will serve as a vital resource for tracking compliance and identifying areas for improvement in data protection efforts.

By fulfilling these responsibilities, the Head of Human Resources & Administration ensures that Greenbox maintains a high standard of data protection, safeguarding the privacy of all stakeholders involved.

14.    TRAINING AND CAPACITY BUILDING

Greenbox is committed to ensuring that all employees who collect, access, or process personal data are equipped with the appropriate knowledge and skills to handle such data responsibly and in full compliance with applicable data protection laws, including the Nigeria Data Protection Regulation (NDPR) and any other relevant frameworks.

To this end, Greenbox shall:

i.         Provide regular and role-specific data privacy and protection training to employees.

ii.       Develop and implement an annual capacity-building plan to enhance employee understanding and competence in data protection practices.

iii.      Ensure that all training activities are designed to support Greenbox’s compliance obligations under the NDPR and other applicable data protection regulations.

15.    DATA PROTECTION AUDIT

To uphold transparency and accountability in our data processing activities, Greenbox will conduct an annual Data Protection Audit through our Legal & Compliance team.

This audit shall:

i.         Assess and verify Greenbox’s compliance with the NDPR and any other applicable data protection laws.

ii.       Identify areas for improvement and recommend corrective actions.

16.    POLICY ENFORCEMENT

Failure to comply with this policy may lead to a range of disciplinary measures. These consequences could include, but are not limited to, formal reprimands, suspension from duties, or even the termination of employment, depending on the severity of the violation. Additionally, in circumstances where legal implications arise, the organization may pursue legal action to address any breaches of the policy or relevant laws. It is essential to understand the seriousness of adherence to these guidelines to maintain a safe and productive work environment.

 

17.    UPDATES TO THE POLICY

Greenbox reserves the right to update, modify, or amend this Data Privacy Protection Policy at any time to reflect changes in legal, regulatory, operational, or technological requirements.

When changes are made:

i.         The revised policy will be communicated to all relevant stakeholders.

ii.       An updated version will be made available through appropriate communication channels and published on the company’s official platforms.

 

For questions or concerns regarding this Policy or your personal data, please contact our Human Resources & Administration Department at admin@greenboxfacilities.com