As part of our operations, Amplify Digital Limited (“Amplify Digital ” or “the Company”) collects and processes certain types of information (such as name, telephone numbers, address etc.) of individuals that makes them easily identifiable. These individuals include current, past and prospective employees, vendors, customers/clients and their representatives, next-of-kin and other individuals whom Amplify Digital communicates or deals with, jointly and/or severally (“Data Subjects”).
Maintaining the Data Subject’s trust and confidence requires that Data Subjects do not su er negative consequences/e ects as a result of providing Amplify Digital with their Personal Data. To this end, Amplify Digital is firmly committed to complying with applicable data protection laws, regulations, rules and principles to ensure security of Personal Data handled by the Company. This Data Privacy & Protection Policy (“Policy”) describes the minimum standards that must be strictly adhered to regarding the collection, storage, use and disclosure of Personal Data and indicates that Amplify Digital is dedicated to processing the Personal Data it receives or processes with absolute confidentiality and security.
This Policy applies to all forms of systems, operations and processes within the Amplify Digital environment that involve the collection, storage, use, transmission and disposal of Personal Data.
Failure to comply with the data protection rules and guiding principles set out in the Nigeria Data Protection Regulations 2019 (NDPR) as well as those set out in this Policy is a material violation of Amplify Digital ’s policies and may result in disciplinary action as required, including suspension or termination of employment or business relationship.
This Policy applies to all employees of Amplify Digital , as well as to any external business partners (such as suppliers, contractors, vendors and other service providers) who receive, send, collect, access, or process Personal Data in any way on behalf of Amplify Digital , including processing wholly or partly by automated means. This Policy also applies to third party Data Processors who process Personal Data received from Amplify Digital.
Amplify Digital is committed to maintaining the principles in the NDPR regarding the processing of Personal Data.
To demonstrate this commitment as well as our aim of creating a positive privacy culture within Amplify Digital , Amplify Digital adheres to the following basic principles relating to the processing of Personal Data:
Personal Data must be processed lawfully, fairly and in a transparent manner at all times. This implies that Personal Data collected and processed by or on behalf of Amplify Digital must be in accordance with the specific, legitimate and lawful purpose consented to by the Data Subject, save where the processing is otherwise allowed by law or within other legal grounds recognized in the NDPR.
Personal Data must be accurate and kept up-to-date. In this regard, Amplify Digital:
Amplify Digital collects Personal Data only for the purposes identified in the appropriate Amplify Digital Privacy Notice or any other relevant document or based on any other non – written communication (where applicable), provided to the Data Subject and for which Consent has been obtained. Such Personal Data cannot be reused for another purpose that is incompatible with the original purpose, except a new Consent is obtained.
3.4.1 Amplify Digital limits Personal Data collection and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.
3.4.2 Amplify Digital will evaluate whether and to what extent the processing of personal data is necessary and where the purpose allows, anonymized data must be used.
3.5.1 Amplify Digital shall establish adequate controls in order to protect the integrity and confidentiality of Personal Data, both in digital and physical format and to prevent personal data from being accidentally or deliberately compromised.
3.5.2 Personal data of Data Subjects must be protected from unauthorized viewing or access and from unauthorized changes to ensure that it is reliable and correct.
3.5.3 Any personal data processing undertaken by an employee who has not been authorized to carry such out as part of their legitimate duties is un-authorized.
3.5.4 Employees may have access to Personal Data only as is appropriate for the type and scope of the task in question and are forbidden to use Personal Data for their own private or commercial purposes or to disclose them to unauthorized persons, or to make them available in any other way.
3.5.5 Human Resources Department must inform employees at the start of the employment relationship about the obligation to maintain personal data privacy. This obligation shall remain in force even after employment has ended.
3.6.1 All personal information shall be retained, stored and destroyed by Amplify Digital in line with relevant Legislative and Regulatory Guidelines. For all Personal Data and records obtained, used and stored within the Company, Amplify Digital shall perform periodical reviews of the data retained to confirm the accuracy, purpose, validity and requirement to retain.
3.6.2 To the extent permitted by applicable laws and without prejudice to Amplify Digital ’s Retention Policy, the length of storage of Personal Data shall, amongst other things, be determined by:
Notwithstanding the foregoing and pursuant to the NDPR, Amplify Digital shall be entitled to retain and process Personal Data for archiving, scientific research, historical research or statistical purposes for public interest.
3.6.3 Amplify Digital would forthwith delete Personal Data in Amplify Digital ’s possession where such Personal Data is no longer required by Amplify Digital or in line with Amplify Digital ’s Retention Policy, provided no law or regulation being in force requires Amplify Digital to retain such Personal Data.
3.7.1 Amplify Digital demonstrates accountability in line with the NDPR obligations by monitoring and continuously improving data privacy practices within Amplify Digital.
3.7.2 Any individual or employee who breaches this Policy may be subject to internal disciplinary action (up to and including termination of their employment); and may also face civil or criminal liability if their action violates the law.
4.1 Amplify Digital considers Personal Data as confidential and as such must be adequately protected from unauthorized use and/or disclosure. Amplify Digital will ensure that the Data Subjects are provided with adequate information regarding the use of their Personal Data as well as acquire their respective Consent, where necessary.
4.2 Amplify Digital shall display a simple and conspicuous notice (Privacy Notice) on any medium through which Personal Data is being collected or processed. The following information must be considered for inclusion in the Privacy Notice, as appropriate in distinct circumstances in order to ensure fair and transparent processing:
5.1 We will only collect and use your Personal data if we have obtained your prior consent or have a lawful and legitimate interest to do so. You are at liberty to withdraw your consent at any time by contacting the Data Protection Officer at email@example.com. The following are data collected and processed by Amplify Digital:
5.2 The following are methods adopted by Amplify Digital in the collection and storage of personal data
In line with the provisions of the NDPR, processing of Personal Data by Amplify Digital shall be lawful if at least one of the following applies:
Where processing of Personal Data is based on consent, Amplify Digital shall obtain the requisite consent of Data Subjects at the time of collection of Personal Data. In this regard, Amplify Digital will ensure:
7.1 Valid Photos
7.1.1 For Consent to be valid, it must be given voluntarily by an appropriately informed Data Subject. In line with regulatory requirements, Consent cannot be implied. Silence, pre-ticked boxes or inactivity does not constitute Consent under the NDPR.
7.1.2 Consent in respect of Sensitive Personal Data must be explicit. A tick of the box would not suffice.
7.2 Consent of MinorsThe Consents of minors (under the age of 18) will always be protected and obtained from minor’s representatives in accordance with applicable regulatory requirements.
8.1 Valid PhotosAll individuals who are the subject of Personal Data held by Amplify Digital are entitled to the following rights:
8.2 Amplify Digital ’s well-defined procedure regarding how to handle and answer Data Subject’s requests are contained in Amplify Digital ’s Data Subject Access Request Policy.
8.3 Data Subjects can exercise any of their rights by completing the Amplify Digital ’s Subject Access Request (SAR) Form and submitting to the Company via firstname.lastname@example.org
9.1 Third Party Processor within NigeriaAmplify Digital may engage the services of third parties in order to process the Personal Data of Data Subjects collected by the Company. The processing by such third parties shall be governed by a written contract with Amplify Digital to ensure adequate protection and security measures are put in place by the third party for the protection of Personal Data in accordance with the terms of this Policy and the NDPR.
9.2 Transfer of Personal Data to Foreign Country
9.2.1 Where Personal Data is to be transferred to a country outside Nigeria, Amplify Digital shall put adequate measures in place to ensure the security of such Personal Data. In particular, Amplify Digital shall, among other things, conduct a detailed assessment of whether the said country is on the National Information Technology Development Agency (NITDA) White List of Countries with adequate data protection laws.
9.2.2 Transfer of Personal Data out of Nigeria would be in accordance with the provisions of the NDPR. Amplify Digital will therefore only transfer Personal Data out of Nigeria on one of the following conditions:
Provided, in all circumstances, that the Data Subject has been manifestly made to understand through clear warnings of the specific principle(s) of data protection that are likely to be violated in the event of transfer to a third country, this proviso shall not apply to any instance where the Data Subject is answerable in duly established legal action for any civil or criminal claim in a third country.
Amplify Digital will take all necessary steps to ensure that the Personal Data is transmitted in a safe and secure manner. Details of the protection given to your information when it is transferred outside Nigeria shall be provided to you upon request.
9.3 Where the recipient country is not on the White List and none of the conditions stipulated in Section 8.2.2 of this Policy is met, Amplify Digital will engage with NITDA and the O ce of the Honourable Attorney General of the Federation (HAGF) for approval with respect to such transfer.
10.1 A data breach procedure is established and maintained in order to deal with incidents concerning Personal Data or privacy practices leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
10.2 All employees must inform their designated line manager or the DPO of Amplify Digital immediately about cases of violations of this Policy or other regulations on the protection of Personal Data, in accordance with Amplify Digital ’s Personal Data Breach Management Procedure in respect of any:
10.3 A data protection breach notification must be made immediately after any data breach to ensure that:
10.4 When a potential breach has occurred, Amplify Digital will investigate to determine if an actual breach has occurred and the actions required to manage and investigate the breach as follows:
10.5 You can read more about Amplify Digital ’s Personal Data Breach Management Procedure.
Amplify Digital shall carry out a Data Protection Impact Assessment (DPIA) in respect of any new project or IT system involving the processing of Personal Data to determine whenever a type of processing is likely to result in any risk to the rights and freedoms of the Data Subject.
Amplify Digital shall carry out the DPIA in line with the procedures laid down in the Amplify Digital Data Protection Impact Assessment Policy.
12.1 All Personal Data must be kept securely and should not be stored any longer than necessary. Amplify Digital will ensure that appropriate measures are employed against unauthorized access, accidental loss, damage and destruction to data. This includes the use of password-encrypted databases for digital storage and locked cabinets for those using paper form.
12.2 To ensure security of Personal Data, Amplify Digital will, among other things, implement the following appropriate technical controls:
Amplify Digital has appointed a Data Protection O cer(s) (DPO) responsible for overseeing the Company’s data protection strategy and its implementation to ensure compliance with the NDPR requirements. The DPO is knowledgeable in data privacy and protection principles and is familiar with the provisions of the NDPR.
The contact details of the Data Protection officer are as follows –
3b Fabac Close,
The main tasks of the DPO include:
Amplify Digital shall ensure that employees who collect, access and process Personal Data receive adequate data privacy and protection training in order to develop the necessary knowledge, skills and competence required to effectively manage the compliance framework under this Policy and the NDPR with regard to the protection of Personal Data. On an annual basis, Amplify Digital shall develop a capacity building plan for its employees on data privacy and protection in line with the NDPR
Amplify Digital shall conduct an annual data protection audit through a licensed Data Protection Compliance Organization (DPCOs) to verify Amplify Digital ’s compliance with the provisions of the NDPR and other applicable data protection laws.The audit report will be certified and filed by the DPCO to NITDA as required under the NDPR.
This Policy shall be read in conjunction with the following policies and procedures of Amplify Digital:
Amplify Digital reserves the right to change, amend or alter this Policy at any point in time. If we amend this Policy, we will provide you with the updated version.
“Consent” means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
“Database” means a collection of data organized in a manner that allows access, retrieval, deletion and processing of that data; it includes but is not limited to structured, unstructured, cached and file system type Databases.
“Data Processor” means a person or organization that processes Personal Data on behalf and on instructions of Amplify Digital.
“DPCO” means an organization registered by NITDA to provide data protection audit, compliance and training services to public and private organizations who process Personal Data in Nigeria.
“Data Subject” means any person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
“NDPR” means the Nigerian Data Protection Regulation, 2019.
“Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.
“Sensitive Personal Data” means data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information.