This Data Protection and Procedure (This Document) is an Internal Document of Bleyt Solutions Limited, its affiliates, subsidiaries and associated entities for which Bleyt has rights by law, contract or practice to make policies, hereinafter referred to as (the Company/We/Our/Us).
The Board of Directors, Staff, contractors, service providers and professionals who utilize the Company’s products and services shall be guided by this Document.
This policy also serves as a reference document for employees and third parties on the responsibilities of handling and accessing personal data and data subject requests.
The Company shall have the right to take action against employees, contractors, and relevant third parties as it deems fit for disciplinary measures, claim of damages and other appropriate remedies.
1.1 Definitions
The following words and expressions shall have the meanings assigned to them in the use and Practice of the Company, except where the context otherwise requires:
“Acquirer” means a licensed commercial bank in the Federal Republic of Nigeria which is responsible for maintaining the Merchant’s bank account;
“Affiliates” means, with respect to any person, any corporation, partnership, trust or other entity or organization that, directly or indirectly, through one or more intermediaries, controls or is controlled by, or is under common control with such person, where “control” means the ability to direct or cause the direction of the business, affairs and management policies or practices of a person;
“Agreement” means any Service Level Agreement, Contract of/for Services, Employment Contracts, Merchant Services Agreement and all related contracts entered into by the Company;
“Application Programming Interface” or “API” means a set of programming code that enables data transmission and interoperability between one software product or web platform and another;
“Attestation of Compliance” is a certificate used by companies that accept, process, store or transmit credit card information to show compliance with the Payment Card Industry Data Security Standard requirements and security assessment procedures;
“Business Day” means any day other than a Saturday, Sunday or public holiday on which commercial banks are generally open for business in the Federal Republic of Nigeria;
“Card” means a credit card, debit card or similar card issued to a Cardholder by an issuer in accordance with a license granted by the respective Payment Schemes;
“Cardholder” means the person to whom a Card is issued by an issuer and whose name, where applicable, is printed or embossed on a valid Card;
“Cardholder Data” includes information embossed on a Card;
“Card-Not-Present Transactions” means a payment card transaction conducted where the Cardholder does not or cannot physically present the Card for a Merchant’s visual examination at the time that an order is given, and payment effected;
“Data Subject” means an identifiable person either corporate or individual entity; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
“Data Breach” means the use of data in a manner contrary to the provisions of this Policy, Law or acceptable practices by a third party or the Company’s staff/contractors, whether during collation, alteration, hacking, analysis, transfer and/or unauthorized access. It shall also include any of the above by software, malware or physical loss;
“Fees” means the amount payable by and/or to the Company in consideration for the provision of the Services;
“Industry Standards” means guidelines or regulations issued from time to time by the relevant regulatory body, specifically but not limited to National Information Technology and Data Agency (NITDA), Central Bank of Nigeria (CBN) and GDPR;
“Intellectual Property” means all vested, contingent and future intellectual property rights including but not limited to copyright, patents, trademarks, service marks, design rights (whether registered or unregistered), know-how, trade secrets, inventions, get-up, database rights and any applications or registrations for the protection of these rights and all renewals and extensions thereof existing in any part of the world whether now known or created in the future;
“Internet Gateway Service” means a virtual based gateway system or data exchange platform used to interconnect users, including online merchants and subscribers, one to another, including banks, through standards compliant technology and API (Virtual Payment Client), which allows financial companies to accept Card not present transactions;
“NDPR” means the Nigeria Data Protection Regulation 2019;
“Payment Card Industry Data Security Standard” or “PCI DSS” means a set of security standards designated to ensure that all companies that accept, process, store or transmit credit card information maintain a security environment, www.pcicomplianceguide.org;
“Payment Scheme” means any applicable Payment Scheme associated with the provision of Services to Merchants;
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as but not limited to MAC address, IP address, IMEI number, IMSI number, Personalized USSD ID number, SIM, PINs and passwords and others;
“Services” means the obligations to be performed by the Company under any Agreement which is duly executed and approved by the Company Management through the integration of the Company’s software/Platform with another platform for a specified Purpose;
“Trademark” means the trademarks registered in the name of, or licensed to either Party and such other trademarks as are used by either Party on or in relation to the Services during the term of this Agreement;
“Transaction Data” means all the information related to processing handled by the Company, including the name of the user, number of attempts made prior to completion of a transaction, payment, repayment and time of completion amongst other things;
1.2 Interpretation
Words importing persons or parties shall include firms and corporations and any organization having legal capacity. The defined words, where the context so requires, shall be deemed and understood to be and have the same effect as operative clauses subsequently.
Words importing the singular shall include the plural and vice versa, and words importing the masculine gender shall include the feminine and vice versa.
References to any liabilities are to include any liability whether actual, contingent, present or future in accordance with this Document.
1.3 Our Policy Statement
We obtain data relating to data subjects. We deploy efficient technology and technical expertise in processing personal data, and fulfill individuals’ reasonable expectations of privacy by complying with GDPR/NDPR and other relevant data protection regulations.
The Company has developed policies, procedures, controls, and measures to ensure maximum and continued compliance with the data protection laws and principles. Ensuring and maintaining the security and confidentiality of data is one of our top priorities to protect personal information.
1.4 Our Purpose
The purpose of this policy is to ensure clarity on personal data processing and re-emphasize the Company’s high value for privacy of all data in its possession. This Document shall also allot responsibilities and state its expectations from all those who process personal data on its behalf; to comply with the data protection law and with good practice; to protect our reputation by ensuring the personal data entrusted to us is processed in accordance with data subjects’ rights; and to protect us from risks of personal data breaches and other breaches of data protection law.
The purpose of this policy is to ensure that we meet all our legal, statutory and regulatory requirements under the data protection laws and to ensure that all personal and special category information is processed compliantly and in the individual’s best interest.
1.5 Scope
This policy applies to all personal data we process regardless of the location where that personal data is stored (e.g. on an employee’s own device) and regardless of the data subject. All staff and others processing personal data on our behalf must read it. Adherence to this policy is mandatory and non-compliance would lead to disciplinary action.
We are guided by the GDPR/NDPR, CBN Policies, other relevant data protection regulations and industry best practices. We remain responsible for and constantly seek to demonstrate compliance with the following data protection principles:
We have zero tolerance for breach of regulations albeit the financial obligation that may be attached to such contravention. We endeavor to obtain/renew all requisite licenses and comply with all legal requirements for data processing.
2.2 Collection for Specified and Legitimate process
We shall ensure that we collect data only for specified, explicit and legitimate purposes and that it is not further processed in a manner incompatible with those purposes.
Our privacy policy explicitly states the reasons for the collection of data, namely the services which we are permitted by law to carry on. Our use of data shall be specifically for the provision of these services and services incidental thereto, particularly to enhance the provision of our services.
We shall regularly update our privacy policy, giving a notification of such update to all our users, subscribers and data subjects and explaining how this may expand or limit the use of their personal data.
We shall ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
We ensure that only the basic information required for our services is requested from our subjects, bearing in mind that any additional information shall be made optional or not requested.
We shall regularly update our Platforms to ensure that only up-to-date, accurate and usable data, to the best of our ability, is used to transact on our website.
We deploy a minimum of two-way verification process for our data subjects, which shall be encrypted on a real-time basis to ensure enhanced security and accuracy.
2.5 Traceable only for as long as necessary
We shall not keep personal data in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed.
Personal data whilst a user still uses our services shall be kept confidential. Upon deletion, uninstallation and/or discontinuation from our services, the relevant personal data shall be anonymized with no trace to any identifiable individual.
Such data shall not be reactivated, linked or synced to any individual even upon reactivation of the company’s services.
We shall ensure that Personal Data is processed in a manner that ensures its security, using appropriate technical and organizational measures to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
The security of all personal data shall be the responsibility of the Company, the employees and contractors, duly supervised by the Chief Technology Officer.
No unauthorized physical device, software or Platform shall be used to transfer, programme, process or install any personal data in whole or part without the express consent of the Chief Technology Officer having been first sought and expressly obtained.
The Chief Technology Officer shall keep a comprehensive record of our Data Activity and regularly co-ordinate the training of all team members on data processing, security and technical expertise.
Data subjects have rights in relation to the way we handle their personal data. These include the following rights:
3.1 Enforcing the Rights
To enforce these rights, we shall ensure that the person making such requests has the right in law or contract by verifying the identity of such individual. The verification process may include but is not limited to:
We require that all who handle personal data on behalf of the company shall be responsible for and must be able to demonstrate compliance with the data protection principles.
We must therefore apply adequate resources and controls to ensure and to document data protection regulation compliance.
The Company shall conduct an internal data audit process and require a comprehensive report from all its employees and contractors directly working on personal data from collection, collation, processing, analysis, disposal and transfer on a quarterly basis.
The Chief Technology Officer shall co-ordinate the audit process which shall ensure strict adherence to this policy and other applicable laws.
The Company shall adopt and enforce appropriate disciplinary actions against erring staff.
An annual audit of the Company’s data processing activities shall also be organised by licensed consultants approved by the Management who shall profile the data processing activities of the Company and proffer appropriate recommendations.
4.1 The Company’s Responsibilities
As the Data Controller, we shall continually establish policies and procedures in order to comply with data protection laws. We are committed to ensuring that: