Policy Statement

Touch and Pay Technologies Limited and its joint venture companies (collectively known as “Touch and Pay/ Company”) are committed to complying with all laws and regulations which govern our operations in every country in which we operate.

This Data Protection Policy (the “Policy”) explains and details our responsibility to comply with all relevant data protection regulations and laws in our country of operation, and to ensure that all third parties we engage to act on our behalf do the same. The governing legislation applicable to this Policy is the Nigeria Data Protection Regulation, 2019 (the “Regulation”).

The penalties for violating the Regulation can be severe for Touch and Pay and for the individual involved.

Touch and Pay has a zero-tolerance attitude towards data mismanagement; any instance of it can damage the reputation of the Company. Accordingly, any violation of this Policy may result in disciplinary action, up to and including dismissal in appropriate circumstances. It is therefore extremely important that you familiarize yourself with this Policy and strictly adhere to it. If you have any questions, please consult the Head of Operations/ Data Protection Officer.

Scope of Policy

The principles and obligations outlined in this Policy shall apply to all individuals working at all levels and grades, including directors, senior managers, officers, employees (whether permanent or temporary), consultants, contractors, suppliers, volunteers, or any other person associated with the Company, who have access to the personal information of clients or of employees (collectively referred to as “Employees” in this Policy).

This Policy sets forth the Company’s minimum compliance standards with respect to data privacy and protection.

Key Definitions Under the Regulation

Applicability of the Regulation

This Policy is in line with the Regulation and applies to all transactions intended for the processing of personal data, and to the actual processing of personal data, of Nigerian citizens and of non-Nigerians residing in Nigeria.

Personal Data

The Regulation defines Personal Data as “any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others”.

Processing

Processing is defined by the Regulation to mean “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

Data Controller

Under the Regulation, the Company is a “Data Controller”, being “a person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed”. In this instance, Touch & Pay determines the purposes for, and the manner in which, the personal data of the users of Touch & Pay is processed.

Compliance with the Regulation

Appointment of a Data Protection Officer

The Company, in compliance with the Regulation, shall at all times have in its employ a qualified member of staff assigned to the role of Data Protection Officer (“DPO”). The DPO shall be responsible for maintaining compliance with the Regulation and for ensuring that all Employees are properly trained on the expectations for the protection of the data rights of the Company’s clients. The DPO shall also conduct monthly data protection implementation assessments. In collaboration with the IT and human resources departments, the DPO shall ensure that the Company is audited annually before the 15th of March of each year.

Publication of the Company’s Data Policies

In compliance with the Regulation, the Company shall display its privacy policy on every medium through which personal data is collected and/or processed, for example the Company’s website, mobile applications and platforms.

Security

The Company will ensure proper and adequate security measures are taken to protect the data obtained from its clients/ customers.

Third Party Obligations

The Company shall always engage any third party under a written agreement and shall ensure that such third party complies with the Regulation or with the relevant data protection regulations of the country in which the third party operates. The Company is also expected to conduct adequate due diligence to ascertain that the third party has no record of violating the rights of data subjects. This is required because the Company will be held responsible where such a third party violates the applicable regulation.

Audit

The DPO of the Company is expected to ensure that the Company carries out an audit of its data protection practices for the year 2020 on or before the 30th of June 2020.

The DPO is expected to engage the services of a Data Protection Compliance Organisation (“DPCO”) to carry out the audit. Where the audit reveals that the Company processes the data of more than 2,000 data subjects, the audit report shall be submitted to NITDA not later than the 15th of March of each year.

Contents of the Audit Report

The DPO shall ensure that the audit report covers:

the personally identifiable information that Touch & Pay collects on its employees and members of the public;

any purpose for which the personally identifiable information is collected;

any notice given to individuals regarding the collection and use of personal information relating to that individual;

any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual;

whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed and any method used to obtain consent;

the policies and practices of Touch & Pay for the security of personally identifiable information;

the policies and practices of Touch & Pay for the proper use of personally identifiable information;

Touch & Pay’s policies and procedures for privacy and data protection;

the policies and procedures of Touch & Pay for monitoring and reporting violations of privacy and data protection policies; and

the policies and procedures of Touch & Pay for assessing the impact of technologies on the stated privacy and security policies.

Penalty for non-compliance

Where Touch & Pay or any of its Employees does not comply with the provisions of the Regulation, Touch & Pay will be exposed to significant liability, including fines of N10 million or more. Specifically:

payment of a fine of 2% of the annual gross revenue of the preceding year or payment of the sum of 10 million Naira, whichever is greater, in the case of a Data Controller dealing with more than 10,000 Data Subjects; and

payment of a fine of 1% of the annual gross revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater, in the case of a Data Controller dealing with fewer than 10,000 Data Subjects.

Report all violations

Employees are expected to observe this Policy and to promptly report any suspected violation of it to the Data Protection Officer or the Head of Risk and Compliance of the Company.

The Company shall keep confidential any such report and the identity of the individual who made it, and shall ensure that the individual is not victimised in any way for making the report, where the report is made in good faith and in compliance with this Policy.

The DPO is required to self-report any breach of the Regulation to NITDA within 72 hours.

Discipline

Non-compliance with this Policy constitutes serious misconduct and will be subject to appropriate disciplinary measures, including but not limited to termination of employment, as per the Company’s employment policies.