DATA PROTECTION POLICY
Introduction
At Advocacy for Policy Intelligence and Innovation (API) (“We”, “Us”, “Our”), we are committed to safeguarding the privacy and security of personal data. This policy outlines our approach to data protection and compliance with the Nigerian Data Protection Law, the GDPR, and other applicable laws. It sets forth the basic principles by which we process the personal data of our users, subscribers, business partners, and employees, and indicates the responsibilities of our business departments and employees while processing personal data.
Definitions
“Binding Corporate Rules” means personal data protection policies and procedures adhered to by the members of a group of firms under common control with respect to the transfer of personal data among such members and containing provisions for the protection of such personal data.
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“Data Controller” means a person who either alone, jointly with other persons or in common with other persons or as a statutory body, determines the purposes for and the manner in which personal data is processed or is to be processed.
“Data Processor” means an individual, private entity, public authority, or any other body who processes personal data on behalf of or at the direction of a data controller or another data processor.
“Data Protection Officer” means the person primarily responsible for ensuring that the organisation processes the personal data of staff, users, providers, or any other individuals (referred to as data subjects) in strict compliance with relevant data protection regulations.
“Data Portability” means the ability for data to be transferred easily from one IT system or computer to another through a safe and secure means in a standard format.
“Data Subject” means an individual to whom personal data relates.
“Personal Data” means any information relating to an individual who can be identified or is identifiable, directly or indirectly, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual.
“Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether by automated means or not, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“User” means any person or entity who uses our products or services.
Scope
This policy applies to all employees, contractors, and third parties who handle personal data on behalf of our organisation, even as we ensure that each third-party transferee processes personal data transferred in a manner consistent with our obligations under this Data Protection Policy.
API mandates that each transfer is consistent with any notice provided to our users and any consent they have given. Partners and third parties receiving personal data undertake to process the personal data under the same level of protection as is required by the data protection policy, notify the company if it cannot comply with the data protection policy, and cease processing personal data or take other reasonable and appropriate steps to remediate.
This policy applies to all personal data processed, irrespective of the data subject or the storage location (e.g., on an employee’s own device).
Data Protection Principles
Following the core principles outlined by governing laws, we undertake to abide by these fundamental guidelines when handling personal data:
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently, on the basis of consent provided by the data subject.
- Purpose Limitation: Personal data should only be used for specified, explicit purposes, e.g. for the performance of a contract at the data subject’s behest.
- Data Minimization: Only the data necessary for legitimate purposes may be collected, whether for processing or onward transmission.
- Accuracy: Ensure data accuracy and keep it up to date.
- Storage Limitation: Retain data only as long as necessary.
- Integrity and Confidentiality: Implement appropriate security measures.
- Accountability: Demonstrate compliance with the Nigerian Data Protection Law and the GDPR.
Responsibility
Heads of departments have day-to-day responsibility for implementing and monitoring compliance with the data protection policy.
API implements appropriate practices, processes, controls, and training to ensure the strictest compliance by all staff with the best practices and protection regimes stated herein; failure to comply with this policy may result in disciplinary action with cause.
The Data Protection Officer (DPO) will oversee policy enforcement, handle subject access requests, and ensure that data subject rights are upheld.
Requests should be made in writing (letter, email, or form) to hello@apiintelligence.org and include the individual’s name, address, contact details, and the information requested.
All such requests and rights-enforcement inquiries should be promptly forwarded to donald@apiintelligence.org.
Rights of Data Subject
Data subjects have the right to:
- Be informed about data processing.
- Access their personal data.
- Rectify incorrect data.
- Erase data (right to be forgotten).
- Restrict processing.
- Data portability.
- Object to processing (in certain cases).
Breach Notification Procedure
We maintain a distinct breach notification policy that provides comprehensive guidance on the protocols we follow. In the event of a data breach, we promptly engage our internal processes and notify both the relevant authorities and affected individuals.
Our commitment to legal responsibility is unwavering. We adhere strictly to the reporting protocols outlined in the Nigerian Data Protection Law and the GDPR. Our goal is to process personally identifiable information about living individuals securely, maintaining confidentiality and integrity, and ensuring access is granted only to those with a legitimate right to do so.
Please find a succinct summary and the reporting timelines below:
Staff must report incidents to their designated managers and the Data Protection Officer (DPO) within 12 hours of becoming aware of an incident. This notification should provide essential details about the breach, including the nature of the personal data affected, the approximate number of data subjects, and the personal data records involved. Within the subsequent 24 hours, the Data Protection Officer will conduct a thorough assessment, ensuring full compliance with existing laws, and proceed with reporting the breach.
International Data Transfers
We assure that any cross-border data transfers adhere to the provisions of the Nigerian Data Protection Law, in alignment with GDPR requirements, and rely on Standard Contractual Clauses (SCCs) or another legal or certification mechanism that affords an adequate level of protection under these guiding laws.
In the absence of an adequacy decision, Privacy Shield membership, binding corporate rules and/or model contract clauses, a transfer of personal data to a third country or international organisation shall only take place on one of the following conditions:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims; and/or
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
Records of Data Processing
We maintain records of data processing activities. These records include purposes, categories of data, recipients, and retention periods, and must encompass the following key elements:
- Data Controller and DPO Details: Including their names and contact information.
- Personal Data Types: Specify the types of personal data processed.
- Data Subject Types: Identify the categories of individuals (data subjects).
- Processing Activities: Describe the specific data processing actions.
- Processing Purposes: State the reasons for data processing.
- Third-Party Recipients: List any entities receiving the personal data.
- Storage Locations: Indicate where the personal data is stored.
- Data Transfers: Note any cross-border data transfers.
- Retention Period: Define how long the data is retained.
- Security Measures: Provide details about protective measures in place.
Data Security Standards
API implements robust security measures to protect personal data. Our strategy includes encryption, stringent access controls, and regular security assessments.
Sharing of Personal Data
In furtherance of our commitment to best practices, all staff are strongly encouraged to participate in the internal Data Protection training exercises, and API is dedicated to equipping our staff with the knowledge and skills necessary to fulfil their Data Protection responsibilities. Our Governance and Legal Services team provides ongoing support and advice via email, telephone, and other adaptable means.
The Data Protection Law is accessible for review by all staff. Additionally, an explanatory note can be found in our database. We conduct quarterly data protection training sessions and seminars to promote best practices, and we strongly encourage attendance and active participation.
By adhering to this policy, we demonstrate our commitment to safeguarding personal data and complying with the Nigerian Data Protection Law, the GDPR, and other relevant regulations. If you have any questions or require further clarification, please reach out to our Data Protection Officer (DPO).
Contact Information
For any clarifications or other requests pertaining to these terms and conditions or any referenced document or annex, please contact hello@apiintelligence.org.
Last updated: February 23, 2023