DEFINITIONS

In this Policy, the following terms shall have the meanings set out below, unless the context requires otherwise:
“Personal Data” Any information relating to an identified or identifiable natural person (a “Data Subject”), such as a name, address, photograph, email address, bank details, or other unique identifier.
“Computer” Information Technology systems and devices, whether networked or not.
“Consent” Any freely given, specific, informed, and unambiguous indication of a Data Subject’s wishes, by which the Data Subject, through a statement or clear affirmative action, signifies agreement to the collection and processing of personal data relating to him or her.
“Data Controller” An organisation that collects data from a Data Subject and determines the purposes for, and the way, personal data is or will be processed. For the purposes of this Policy, the Data Controller is Jodoa Properties Limited.
“Data Processor” A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.
“Data Subject” An identifiable person; one who can be identified directly or indirectly.
“Data Protection Officer” or “DPO” The officer designated by the Company, namely the Head of Compliance, who is responsible for overseeing compliance with the Nigeria Data Protection Act, as amended (see section 4.0 below).
“Personal Data Breach” A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
“Processing” Any operation or set of operations performed on personal data, whether by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment or combination, restriction, erasure, or destruction.
“Act” or “NDPA” The Nigeria Data Protection Act, 2023.
“NDPC” The Nigeria Data Protection Commission.
“Sensitive Personal Data” Data sensitive personal data is defined as information relating to an individual’s genetic or biometric data for unique identification, race, ethnic origin, religious or philosophical beliefs, health status, sex life, political opinions, trade union membership, or any other data prescribed by the Commission.
“DPIA” Data Protection Impact Assessment.
“Child” Any person under the age of 18 years.

1.0 INTRODUCTION

Jodoa Properties Limited (“Jodoa” or “the Company”) is a real estate and property investment company that, in the course of its operations, collects and processes personal data relating to clients, prospective clients, investors, co-investors, employees, vendors, contractors, regulators, business partners, website users, and other stakeholders (collectively, “Data Subjects”).
The Company recognises data protection as a fundamental right and a cornerstone of trust, integrity, and sustainable business. Jodoa is committed to ensuring that all personal data is processed lawfully, fairly, and transparently, with due respect for the rights and freedoms of Data Subjects.
In delivering its services, Jodoa processes various categories of personal data, including identification, contact, financial, employment, and health-related information (where required), through physical records, digital platforms, IT systems, and third-party service providers.
The Company operates in strict compliance with the NDPA, under the oversight of the NDPC. In relation to its corporate and investment-related activities, Jodoa also complies with applicable requirements of the Corporate Affairs Commission (“CAC”), the Securities and Exchange Commission (“SEC”), and other relevant laws and regulatory obligations.
Through this Policy, Jodoa affirms its commitment to strong compliance and governance, effective security controls, and a culture of privacy and accountability across all its operations.

2.0 SCOPE

This Policy applies to:

  • All employees;
  • Directors and management;
  • Investors and partners;
  • Contractors and vendors;
  • Third-party processors;
  • Affiliates and subsidiaries;
  • Digital platforms and websites;
  • Physical and electronic records; and
    All Personal Data processed within Nigeria and cross-border, regardless of the medium on which that data is stored or whether it relates to past or present employees, vendors, investors, partners, clients, professional advisers, shareholders, website and app users, or any other Data Subject.

 

This Policy also governs the sharing of Personal Data with Jodoa’s Head Office in Dubai and with any other regional or international office, affiliate, or related entity outside Nigeria. Any such intra-group transfer is permitted only in accordance with section 15.0 (Cross-Border Data Exchange) of this Policy, including reliance on Binding Corporate Rules or other approved safeguards designed to ensure that Nigerian Personal Data is protected to a standard consistent with the NDPA wherever it is processed within the Jodoa Group.

3.0 PURPOSE

The purpose of this Policy is to establish a clear, structured, and comprehensive framework for the lawful and responsible processing of personal data by Jodoa. Specifically, this Policy seeks to:

  • Safeguard the Company against data protection risks and breaches;
  • Provide transparency on how personal data is collected, stored, processed, and managed;
  • Protect the rights and freedoms of Data Subjects;
  • Ensure compliance with applicable laws, regulations, and global best practices; and
  • Embed a culture of accountability and data protection by design.
4.0 ROLES AND RESPONSIBILITIES

To ensure effective implementation of this Policy and full compliance with the NDPA, under the oversight of the NDPC, Jodoa adopts a clearly defined governance structure with distinct roles and responsibilities, as set out below. Where applicable, this governance structure also supports compliance with obligations arising from oversight by the CAC, the SEC, and other relevant authorities.

Board of Directors

The Board of Directors retains ultimate oversight and accountability for data protection and privacy governance within the Company. The Board shall:

  • Determine and approve the Company’s privacy governance framework;
  • Define and monitor privacy performance metrics;
  • Promote and embed a data protection culture;
  • Prioritise data security and risk management; and
  • Exercise oversight responsibility.

Executive Management

Executive Management is responsible for operationalising the Board’s directives and ensuring effective implementation of data protection controls across the Company. Executive Management shall:

  • Establish data protection objectives;
  • Provide sufficient financial, technological, and human resources necessary for the effective protection of personal data;
  • Ensure regulatory compliance;
  • Integrate privacy-by-design and privacy-by-default principles into business processes, product development, IT systems, procurement, and vendor management; and
  • Ensure timely reporting, investigation, containment, and remediation of data breaches or privacy incidents.

Data Protection Officer (Head of Compliance)

The Data Protection Officer (“DPO”) serves as the focal point for data protection compliance and advisory within the Company. The role of DPO is held by the Company’s Head of Compliance, who shall operate with independence and shall report to Executive Management and the Board, as appropriate. Responsibilities include:

  • Develop, review, and oversee the implementation of the Company’s Data Protection and Privacy Policy and related procedures;
  • Inform and advise Management and Employees of their obligations under the NDPA and applicable international privacy standards;
  • Receive, manage, and respond to Data Subject Access Requests (“DSARs”) and other privacy-related requests in accordance with statutory timelines;
  • Develop an annual data protection training plan and coordinate regular internal and external training sessions for Employees and Management to enhance awareness and compliance, with associated costs subject to prior approval;
  • Advise on and review Data Protection Impact Assessments conducted by the Risk Management Department or relevant business units for high-risk processing activities;
  • Ensure that actual or suspected data breaches are promptly identified, documented, investigated, contained, and reported in line with regulatory requirements;
  • Monitor company-wide compliance with the NDPA and internal privacy policies through periodic reviews, audits, and assessments;
  • Act as the primary point of contact for the NDPC and coordinate regulatory communications, filings, and investigations where required; and
  • Maintain appropriate records of processing activities, risk assessments, breach registers, and compliance documentation.

Employees and Third Parties

All employees, contractors, channel partners, and third parties acting on behalf of the Company are responsible for protecting personal data within their custody or control. They shall:

  • Process personal data only in accordance with authorised instructions and established guidelines;
  • Safeguard personal data against unauthorised disclosure and always ensure secure handling;
  • Participate and attend required data protection and privacy awareness programmes;
  • Immediately report any actual or suspected data breach, security vulnerability, or non-compliance to the DPO or appropriate authority within the Company; and
  • Follow approved security protocols, including password management, encryption requirements, secure disposal of documents, and restricted data sharing.

Before any contractor, vendor, channel partner, or other third party is given access to personal data, the Company shall require execution of a Non-Disclosure Agreement (“NDA”) and, where applicable, a written data processing agreement setting out that party’s data protection obligations. The DPO shall monitor and periodically review compliance by such third parties with these obligations, including through audits, attestations, or other appropriate oversight mechanisms.

5.0 LAWFUL BASIS FOR PROCESSING OF DATA

The Company, as the Data Controller, shall process the personal data of individuals only where at least one of the following applies:

  • the Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the Data Subject is party, or to take steps at the request of the Data Subject before entering a contract;
  • processing is necessary for compliance with a legal obligation to which the Company, as controller, is subject;
  • processing is necessary to protect the vital interests of the Data Subject or another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the Company; and
  • processing is necessary for the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, which require the protection of personal data, where the Data Subject is a child.
6.0 PRINCIPLES OF DATA PROTECTION

The data processing activities of the Company are built upon key principles that govern the protection and processing of personal data in line with the NDPA. These principles ensure that privacy rights are respected and that personal data is handled responsibly by Jodoa. Below are the fundamental principles of data protection which the Company adopts:

Lawfulness, Fairness, and Transparency

Personal data must be processed lawfully, fairly, and transparently. Data Subjects should be informed about the purposes for which their data is being collected and processed, and processing should be carried out in accordance with applicable laws and regulations.

Purpose Limitation

Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Jodoa shall clearly define the purposes for which data is collected and ensure that it is only used for those purposes.

Data Minimisation

Jodoa shall only collect personal data that is necessary for the purposes for which it is being processed. Data collection shall be limited to what is relevant and proportionate to achieve those purposes.

Accuracy

Personal data shall be accurate, complete, and kept up to date to ensure its integrity and reliability. Jodoa shall take reasonable steps to ensure that inaccurate or outdated data is rectified or erased.

Storage Limitation

Personal data shall be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which it is being processed, in line with section 24(1)(d) of the NDPA. Data shall be securely disposed of when it is no longer needed, in accordance with the Company’s Data Retention, Archival, and Destruction procedures and the Retention Schedule referred to in section 14.0 below.

Security

Jodoa shall implement appropriate technical and organisational measures to ensure the security of personal data and protect it against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Accountability

Jodoa shall be responsible for ensuring compliance with data protection principles and must be able to demonstrate such compliance. This includes implementing policies and procedures to ensure that personal data is processed in accordance with the Act and taking responsibility for the actions of third parties who process data on its behalf.

Data Subject Rights

Data Subjects have rights regarding their personal data, including the right to access, rectify, erase, or restrict the processing of their data. Jodoa shall respect these rights and provide mechanisms for Data Subjects to exercise them.

International Data Transfers

Personal data shall not be transferred outside Nigeria unless adequate safeguards are in place to protect the data and the rights of Data Subjects. Jodoa shall ensure that any international transfer of data complies with the requirements of the Act.

7.0 RIGHTS OF THE DATA SUBJECT

The rights of Data Subjects in respect of the Company shall include, but are not limited to, the following:

  • Right of access;
  • Right to erasure;
  • Right to rectification of data;
  • Right to restrict processing;
  • Right to lodge a complaint;
  • Right to data portability; and
  • Right to withdraw consent.
8.0 CONSENT OF THE DATA SUBJECT

Prior consent of the Data Subject must be obtained before personal data is used, unless there is another legal basis for the processing. Consent requires genuine choice and genuine control.
Consent is obtained when the Data Subject agrees to the processing of his or her personal data by indicating, in writing or through positive action, agreement to the processing. Consent must be specifically and expressly given. Where consent is given in a document that deals with other matters, the Company must ensure that the request for consent is presented separately and distinctly from those other matters.
Before giving consent, the Data Subject shall be informed of his or her rights, including the ability to withdraw consent at any time. Withdrawal of consent must be promptly honoured once the Data Subject expressly indicates withdrawal.
Consent must be renewed or sought afresh if the Company intends to process personal data for a different purpose that was not disclosed when the Data Subject first consented, or if the previous consent has expired. The DPO must always maintain evidence of consent received, to demonstrate compliance with this Policy.
No consent shall be sought, given, or accepted in any circumstance that may engender the direct or indirect propagation of violence, hate, child rights violations, criminal acts, or anti-social conduct.

9.0 DATA SECURITY

The DPO, in partnership with the Information Technology Team, shall implement and sustain appropriate safeguards to protect personal data, considering, in particular, the risks to Data Subjects arising from unauthorised or unlawful processing, or accidental loss, destruction of, or damage to, their personal data. These measures include:

  • Encryption and pseudonymisation, where appropriate;
  • Access controls;
  • Multi-factor authentication;
  • Network monitoring;
  • Incident response mechanisms;
  • Secure disposal methods; and
  • Regular vulnerability assessments.
10.0 DATA COLLECTION

Data may be collected through, but is not limited to, the following:

  • Curriculum vitae and application documents from candidates for employment;
  • Use of the Company’s website, contact forms, and digital platforms;
  • Property enquiry forms, subscription forms, investment onboarding documents, and transaction records submitted by clients or investors;
  • Know Your Customer (“KYC”), due diligence, and compliance documentation obtained from customers, investors, vendors, and business partners; and
  • Correspondence, meetings, telephone calls, site visits, and other direct interactions with the Company.
11.0 USES OF DATA COLLECTED

The Company shall use the data it collects for the following purposes:

  • For recruitment, employment administration, and human resource management;
  • To fulfil legal and regulatory obligations, including compliance requirements involving the NDPC, CAC, SEC, and other competent authorities;
  • To assess, process, and manage property transactions, investment opportunities, customer onboarding, and related due diligence activities, including on-going anti-money laundering and counter-terrorism financing checks;
  • To communicate effectively with clients, investors, prospects, vendors, and other stakeholders about the Company’s products and services;
  • To provide customer care, support, and responses to enquiries or complaints;
  • To verify the identity of clients, investors, and counterparties in line with applicable compliance and due diligence requirements;
  • To improve the performance, security, and usability of the Company’s website and digital channels;
  • To detect, prevent, and address fraud, security incidents, technical issues, and operational risks;
  • To conduct analytics and generate internal reports for service improvement, business administration, and decision-making;
  • To send marketing communications, newsletters, and promotional materials where the Data Subject has consented, or where otherwise permitted by law; and
  • To identify whether a Data Subject is a Politically Exposed Person, which requires heightened due diligence, higher onboarding approval thresholds, and heightened on-going monitoring.
12.0 DATA USE AND PROCESSING

When working with personal data, employees should ensure that the screens of their computers are always locked when left unattended. Personal data should not be shared informally and should, in particular, never be sent through an employee’s personal email account, but only through the Company’s assigned email system. All data must be encrypted before being transferred electronically. Employees shall not save copies of personal data on their personal computers and should always access and update a central copy of any data.

13.0 DATA RETENTION

Jodoa shall retain personal data for no longer than is necessary to fulfil the specific, lawful purpose(s) for which it was collected, in line with section 24(1)(d) of the NDPA. To give effect to this, the Company shall maintain a formal Retention Schedule, approved by the DPO, specifying:

  • Data category;
  • Legal and/or contractual retention period;
  • Disposal method; and
  • Archival protocols.

Where personal data must be kept beyond the period for which it is actively used, for example, for legal, regulatory, audit, tax, or dispute-resolution purposes, such data shall be archived and retained only for the specific period required by the applicable law, regulation, contractual obligation, or limitation period, and shall thereafter be securely disposed of in accordance with the Company’s disposal procedures.

14.0 THIRD-PARTY DATA PROCESSORS

Data processing by a third party shall be governed by a written contract between the third party and the Company, which shall expressly set out each party’s data protection obligations, breach notification duties, and responsibility and liability for any personal data breach. The third party must undergo the Company’s full onboarding process, and such onboarding shall include due diligence on the third party’s technical and organisational safeguards, breach history, regulatory standing, and capacity to assume liability for breaches arising from its acts, omissions, negligence, non-compliance, or contractual default. Where external companies are used to process personal data on behalf of the Company, Jodoa and the relevant external company shall each bear responsibility and liability for data breaches, security failures, unauthorised processing, or misuse of personal data to the extent caused by their respective acts, omissions, negligence, breach of this Policy, breach of applicable data protection laws, or breach of their contractual obligations.

The Company may only transfer personal data to third-party service providers (i.e., data processors) approved by the DPO, who provide sufficient guarantees that they will implement appropriate technical and organisational measures to comply with data protection laws. The written contract with each third-party data processor shall clearly allocate responsibility and liability between Jodoa and the third-party processor, including indemnity, cooperation, notification, remediation, and cost-bearing obligations arising from any actual or suspected data breach. Where a third-party data processor is used:

  • the third-party data processor shall provide sufficient guarantees about its security measures to protect the processing of personal data;
  • the DPO shall take reasonable steps to ensure that such security measures are in place;
  • a written contract establishing what personal data will be processed, for what purpose, the applicable security requirements, and each party’s responsibility and liability for any data breach must be entered into by both the third-party data processor and the Company; and
  • the Company shall ensure that the third-party data processor does not have a record of violating data processing principles and is accountable to the NDPC, or to another reputable regulatory authority for data protection within or outside Nigeria, where applicable.
15.0 CROSS-BORDER DATA EXCHANGE

The Company shall prohibit the transfer of personal data outside Nigeria in most circumstances, to ensure that personal data is not transferred to a country that does not provide an equivalent level of protection for the rights of Data Subjects. In this context, a “transfer” of personal data includes transmitting, sending, viewing, or accessing personal data in or to a different country.

Intra-Group and Affiliate Transfers

Personal data may be shared with Jodoa’s Head Office in Dubai, and with other Jodoa Group offices or affiliates outside Nigeria, strictly on a need-to-know basis and for legitimate business purposes (for example, group reporting, investment administration, or shared services). Such transfers shall only be made where:

  • the Company’s privacy notices have been updated to disclose that personal data may be shared with the Company’s international offices, and to name the specific legal safeguards applied; and
  • Jodoa has executed Binding Corporate Rules (“BCRs”), or equivalent intra-group data transfer agreements, that legally bind the Dubai office and other Group offices to protect Nigerian personal data to a standard consistent with the NDPA.

Other Cross-Border Transfers

Outside of the intra-group arrangements described above, Cross-Border Data Exchange may only be permitted where one of the following conditions applies:

  • Where it is intended that personal data shall be transferred to a foreign country or to an international organisation for processing, the affirmation and approval of the NDPC that the data protection levels in the foreign country or international organisation are adequate, in accordance with the provisions of its regulations, must be obtained. An application to the NDPC shall be accompanied by all data protection laws applicable to the foreign data processor, including the foreign recipient’s data protection policies. Due diligence on the foreign recipient, including onboarding and Know Your Customer (“KYC”) checks, where necessary, shall be conducted prior to any such transfer.

In the absence of any NDPC approval as to the adequacy of safeguards in a foreign country, a transfer (or set of transfers) of personal data to a foreign country or international organisation shall take place only where one of the following conditions is satisfied:

  • the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfer arising from the absence of an adequacy decision and appropriate safeguards, and that no alternatives are available;
  • the transfer is necessary for the performance of a contract between the Data Subject and the Company, or the implementation of pre-contractual measures taken at the Data Subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Company and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise, or defence of legal claims; and
  • the transfer is necessary to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent.
16.0 CHILDREN’S DATA

Jodoa recognises that children constitute a vulnerable category of Data Subjects and are entitled to enhanced protection under the NDPA. In circumstances where the Company processes personal data relating to minors, such as dependants of employees, beneficiaries under property-related arrangements and/or investments, or participants in digital services, the Company shall implement strict safeguards to protect their rights and interests.
Accordingly, in line with the specific obligations imposed under the NDPA in respect of the processing of a child’s personal data, Jodoa shall:

  • Obtain verifiable parental or guardian consent before processing a child’s personal data;
  • Implement robust age-verification measures;
  • Prohibit the use of a child’s personal data for marketing or profiling purposes; and
  • Apply enhanced technical and organisational safeguards proportionate to the heightened risk involved.
17.0 DATA PROTECTION IMPACT ASSESSMENT (DPIA)

A DPIA shall be conducted where processing:

  • Involves large-scale processing;
  • Involves sensitive data;
  • Uses new technology;
  • Involves systematic monitoring;
  • Involves automated decision-making;
  • Involves cross-border transfers; and/or
  • Presents high risk to rights and freedoms.

DPIAs shall be documented and retained for the duration of the processing activity to which they relate, that is, throughout the active processing lifecycle, and shall be made available to the NDPC upon request.

18.0 USAGE OF COOKIES

The Company shall maintain a cookie notification on its website, informing visitors that personal information stored in cookies is protected against data breaches. The cookie notification shall also allow visitors to disable cookies while browsing the website.

19.0 AUTOMATED DECISION-MAKING AND PROFILING

The Company may, during its real estate, property development, asset management, and investment operations, deploy automated systems and analytical tools for activities such as customer due diligence, fraud detection, risk assessment, service optimisation, and marketing analytics. Where such processing involves automated decision-making, including profiling that produces legal effects or similarly significant impacts on Data Subjects, Jodoa shall ensure strict compliance with the Act and applicable regulatory standards. Accordingly, Jodoa shall implement the following safeguards:

Transparency and Notification

  • Clearly inform Data Subjects where automated decision-making or profiling is used;
  • Provide meaningful information about the logic involved, the significance of the processing, and the potential consequences of such decisions; and
  • Include disclosures in privacy notices, policy documentation, and relevant customer communications.

Availability of Human Intervention

  • Ensure that automated decisions are subject to meaningful human review where required;
  • Provide accessible channels through which Data Subjects may request human intervention; and
  • Design internal procedures to enable qualified personnel to assess, validate, or override automated decisions where appropriate.

Right to Contest and Seek Review

  • Allow individuals to contest decisions made solely or significantly through automated processing;
  • Establish clear procedures, with a 30-day timeline, for reviewing contested decisions; and
  • Ensure that reviews are conducted fairly, objectively, and without undue delay.
    Fairness, Non-Discrimination, and Risk Mitigation
  • Regularly assess automated systems to prevent bias, discrimination, or unfair outcomes;

Conduct Data Protection Impact

  • Assessments where profiling or automated processing poses high risks to individuals’ rights and freedoms; and
  • Implement appropriate technical and organisational safeguards to protect data integrity and accuracy.
20.0 RECORDS OF PROCESSING ACTIVITIES (“ROPA”)

Jodoa shall maintain documented records including:

  • Processing purposes;
  • Categories of Data Subjects;
  • Categories of personal data;
  • Recipients;
  • Cross-border transfers;
  • Retention periods; and
  • Security measures.
21.0 DATA BREACH MANAGEMENT

A personal data breach includes any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Where a breach occurs, the following steps shall be implemented:

Immediate Internal Notification

All employees, contractors, investors, partners, and third-party processors must immediately report any actual or suspected data breach to the DPO and/or the Information Technology Department, without delay upon becoming aware of it, regardless of the perceived severity of the incident. The DPO shall promptly initiate an internal investigation to assess the scope, cause, and impact of the breach. Failure to report a suspected breach may constitute a disciplinary offence.

Containment and Risk Assessment

Upon notification, the Company shall:

  • Assess the nature of the data involved, the number of Data Subjects affected, and the potential consequences, and take immediate steps to contain and mitigate the breach;
  • Determine whether the breach poses a risk, or a high risk, to the rights and freedoms of affected individuals; and
  • Document its findings and recommended remediation measures.

Notification to the Nigeria Data Protection Commission (NDPC)

Where a breach is likely to result in a risk to the rights and freedoms of Data Subjects, the Company shall notify the NDPC within seventy-two (72) hours of becoming aware of the breach. Where notification is not made within 72 hours, the Company shall provide documented reasons for the delay. The notification shall include all required regulatory information, including the nature of the breach, the categories of data involved, the likely consequences, and the measures taken or proposed to address the breach.

Notification to Affected Individuals

Where a breach is likely to result in a high risk to the rights and freedoms of affected Data Subjects, the Company shall notify those individuals immediately, and in any event without undue delay, upon confirming the existence of that high risk. Such notification shall be communicated in clear and plain language and shall include:

  • A description of the nature of the breach;
  • The likely consequences;
  • The measures taken or proposed to mitigate the adverse effects; and
  • The contact details of the DPO or designated contact point.

Notification to individuals may not be required where: appropriate technical safeguards (such as encryption) render the data unintelligible; subsequent measures have eliminated the high risk; or notification would involve disproportionate effort, in which case public communication may be considered where appropriate.

Breach Register and Documentation

The Company shall maintain a Data Breach Register documenting:

  • The facts relating to each breach;
  • The categories and volume of personal data involved;
  • The effects and risk assessment;
  • Containment and remediation measures implemented;
  • Regulatory and Data Subject notifications made; and
  • Lessons learned and preventive actions taken.

This register shall be periodically reviewed to identify trends, strengthen controls, and improve incident response mechanisms.

22.0 TRAINING AND AUDIT

The DPO is required to ensure that all employees undergo adequate training to enable them to comply with data protection laws. The DPO shall periodically review systems and processes to ensure they comply with this Policy.

23.0 CONSEQUENCES

Failure to adhere to this Policy will be handled in line with the Company’s Disciplinary Policy.

24.0 REVIEW OF THE POLICY

This Policy shall be reviewed, amended, modified, or supplemented every two years, or as the need arises, to ensure compliance with any modification, amendment, or supplementation issued by the regulators, or as may otherwise be recommended by the Board.

BY ORDER OF THE BOARD

– CHRISTOPHER EVANS
CHAIR