Data Protection Policy
Last updated: 23rd May, 2023.
Taxpal Africa (or Taxpal), as a technology service, needs to gather and process certain information about individuals with whom it has relationship for various purposes such as, but not limited to the recruitment and payment of staff, relationship management with Members, issuers, investors, collection of relevant fees for services rendered, provision of post-technology services, etc. In light of the emerging data regulatory environment, which requires higher transparency and accountability in how companies manage and use personal data, Taxpal must ensure that its business operations align with global best practices on protection of rights and privacy of individuals.
The Data Protection Policy (the Policy) is a formal acknowledgment that Taxpal is committed to the protection of rights and privacy of individuals, in accordance with the Nigeria Data Protection Regulation, 2019 (the Regulation).
The Policy describes how Taxpal shall collect, handle and store personal data of individuals to meet the data protection standards.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Datameans characters, symbols and binary on which operations are performed by a computer which may be stored or transmitted in the form of electronic signals stored in any format or any device.
Databasemeans a collection of data organised in a manner that allows access, retrieval, deletion and procession of that data; it includes but is not limited to structured, unstructured, cached and file system type databases.
Data Administratormeans a person(s) or organisation that processes data.
Data Controller means a person who either alone, jointly with other persons or in common with other persons or as a statutory body, determines the purposes for and the manner in which personal data is processed or is to be processed.
Data Portability means the ability for data to be transferred easily from one IT system or computer to another through a safe and secure means in a standard format.
Nigeria Information Technology Development Agency - NITDA
Data Protection Compliance Organisation (DPCO) means any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection law or regulation having effect in Nigeria.
Data Subject means an identifiable person; one who can be identified directly or indirectly, in particular by reference, to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Party means directors, shareholders, servants and privies of a contracting party.
Personal Data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether, or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Record means public record and reports in credible news media.
Sensitive Personal Data means data relating to religious or other beliefs, sexual tendencies, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information.
The purpose of this policy is to:
The Regulation, which came into force on January 25, 2019, regulates the gathering, storing and processing of personal data (regardless of whether data is stored electronically, on paper or on other materials), and protects the rights and privacy of all living individuals (including children). The Regulation applies to natural persons residing in Nigeria or residing outside Nigeria but of Nigeria descent.
Taxpal will be the data controller under the terms of the Regulation – this means it is ultimately responsible for controlling the use and processing of personal data. Taxpal shall appoint a Data Protection Officer (DPO) for the purpose of ensuring adherence to this Regulation, relevant data privacy statements and data protection directives of Taxpal.
The Regulation mandates every data controller to process any personal data in accordance with the governing principles of data protection. In order to comply with the obligations, Taxpal undertakes to adhere to the following principles.
The following statement shall guide compliance with the Regulation on data processing. Taxpal shall:
Taxpal shall process personal data of individuals if at least one (1) of the following applies:
To fulfill the requirement of the Regulation, personal data will be processed in accordance with the rights of the data subject. Taxpal’s business operations will be guided by the following statements:
To align with these requirements, Taxpal shall:
Taxpal recognises the importance of protecting data from unauthorised access and data corruption and Taxpal shall:
To ensure compliance with the Regulation, being a data controller, Taxpal shall:
Taxpal acknowledges that individuals have the right to object to the processing of their data, as such Taxpal shall only process personal data in accordance with data subjects’ rights as listed below:
Taxpal shall comply with the Regulation and any transfer of personal data which is undergoing processing or is intended for processing after transfer to a foreign country or an international organisation shall take place subject to the provisions of the Regulation.
In the absence of any decision made by NITDA or Honourable Attorney General of the Federation (HAGF) on the transfer of personal data to a foreign country, Taxpal shall initiate the transfer or set of transfers of personal data to such foreign country or an international organisation only when:
Taxpal, in compliance with the Regulation, shall explicitly communicate through clear warnings of the specific principle(s) of data protection that are likely to be violated in the event of a transfer to a third country.
To comply with this section under the Regulation, Taxpal shall:
In compliance with the Regulation, Taxpal has identified key stakeholders and their responsibilities to drive the operationalisation of the Policy and implementation of necessary data protection controls.
This Policy applies to all staff, Management and Board of our company. As a matter of best practice, other companies (contractors, suppliers etc.), individuals working with Taxpal and its stakeholders who have access to personal information. It is also applicable to all data that Taxpal holds relating to identifiable individuals, even if that information technically falls outside of the Regulation. This includes, but not limited to:
The consequence of not adhering to the Policy will be handled in line with our company's Disciplinary Policy.
Nigeria Data Protection Regulation, 2019.