1. INTRODUCTION
Value Payment Solutions Limited (VALUEPAY) as a payment solutions service provider collects and processes certain personal information about individuals with whom it has a relationship with including but not limited to current, past and prospective employees, customers, users of our infrastructure, subscribers and other stakeholders in its daily business operations.
2. PURPOSE
This framework seeks to introduce the Data Protection Policy Principles covering data subjects of Valuepay.
The Policy seeks to achieve the following:
a. Disclose how Valuepay collects, stores and processes an individual's personal data.
b. Protect Valuepay from the risks associated with data breaches.
c. Protect the rights of staff, members and stakeholders.
d. Comply with Data Protection Regulations and International best practices.
3. SCOPE
The scope of this plan covers all rights of data subjects regarding the collection, use and retention of Personal Data.
This plan makes reference to the Privacy Policy, Consumer Protection and Recourse Mechanism Policy and Dispute Resolution Policy which when combined together provide for a coordinated recourse mechanism recovery and reduces chaos.
4. DEFINITIONS
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“Customer” means any person or entity who acquires access to Company infrastructure and payment solutions;
“Data” means characters, symbols and binary on which operations are performed by a computer which may be stored or transmitted in the form of electronic signals stored in any format or any device.
“Database” means a collection of data organized in a manner that allows access, retrieval, deletion and procession of that data; it includes but is not limited to structured, unstructured, cached and file system type databases.
“Data Administrator” means a person or organization that processes data.
“Data Controller” means a person who either alone, jointly with other persons or in common with other persons or as a statutory body, determines the purposes for and the manner in which personal data is processed or is to be processed.
“Data Portability” means the ability for data to be transferred easily from one IT system or computer to another through a safe and secure means in a standard format.
“Nigeria Information Technology Development Agency” - NITDA
“Data Protection Compliance Organisation (DPCO)” means any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection law or regulation having effect in Nigeria.
“Data Subject” means an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
“Merchant” means any person or entity who buys our services or products and sells to third parties.
“Party” means directors, shareholders, servants and privies of a contracting party.
“Personal Data” means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and another unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Record” means public records and reports in credible news media.
“Sensitive Personal Data” means data relating to religious or other beliefs, sexual tendencies, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information.
“Third Party” means any natural or legal person, public authority, establishment or any other body other than the Data Subject, the Data Controller, the Data Administrator and the persons who are engaged by the Data Controller or the Data Administrator to process personal data.
“User” means any person or entity who uses our products or services.
5. NIGERIA DATA PROTECTION REGULATION
The Regulation, which came into force on the 25th of January, 2019; regulates the gathering, storing and processing of personal data (regardless of whether data is stored electronically, on paper or on other materials), and protects the rights and privacy of all living individuals (including children). The Regulation applies to natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent.
6. APPLICABILITY
Valuepay will be the data controller under the terms of the Regulation. This means that Valuepay is responsible for controlling the use and processing of personal data. Valuepay shall appoint a Data Protection Officer (DPO) for the purpose of ensuring adherence to this Regulation, relevant data privacy statements and data protection directives of the Company.
7. DATA PROTECTION POLICY PRINCIPLES
Valuepay commits to processing Personal Data in accordance with the Data protection policy Principles as follows:
1. Notice
Prior to collecting Personal Data, Valuepay notifies Users about the categories of Personal Data that Valuepay collects and the purposes for collection and use of their Personal Data. Valuepay will only process Personal Data in ways that are compatible with the purpose for which the Company collected it or for purposes later authorized.
Before Valuepay uses Personal Data for a purpose that is materially different from the purpose for which Valuepay collected it or that was later authorized, Valuepay will provide Users with the opportunity to opt out.
2. Choice
If Valuepay collects Sensitive Personal Data, we will obtain explicit opt-in consent whenever the Data protection policy requires. Valuepay will obtain opt-in consent before Personal Data is disclosed to third parties other than those described in this Privacy Policy before Personal Data is used for a different purpose than that purpose for which it was collected or later authorized, and whenever Data protection policy requires.
3. Accountability for Onward Transfer
If Valuepay transfers Personal Data to a third party, Valuepay takes reasonable and appropriate steps to ensure that each third-party transferee processes Personal Data transferred in a manner consistent with Company’s obligations under the Data Protection Policy. Valuepay will ensure that each transfer is consistent with any notice provided to Users and any consent they have given. Valuepay requires a written contract with any third party receiving Personal Data that ensures that the third party
- processes the Personal Data for limited and specified purposes consistent with any consent provided by Users,
- provides at least the same level of protection as is required by the Data protection policy,
- notifies Valuepay if it cannot comply with the Data protection policy; and
- ceases processing Personal Data or takes other reasonable and appropriate steps to remediate.
Under certain circumstances, Valuepay may be required to disclose Personal Data in response to valid requests by public authorities, including for national security or law enforcement requirements.
Valuepay remains liable under the Data protection policy Principles if an agent processes Personal Data in a manner inconsistent with the principles unless the Company is not responsible for the event giving rise to the damage.
4. Security
Valuepay has adequate security measures in place to prevent your personal data from being lost, misused, accessed in an unauthorized manner, disclosed, or changed. We will notify you and any applicable regulator of a breach where we are legally required to do so.
Furthermore, we restrict access to your personal data to just those employees, contractors, and third parties who require it for the reasons stated above. They are only allowed to process your data if we permit them, and they are bound to a duty of confidentiality.
5. Data Integrity and Purpose Limitation
Valuepay takes reasonable steps to ensure that such Personal Data is reliable for its intended use, accurate, complete and current. Valuepay adheres to the Data Protection Policy for as long as it retains Personal Data in identifiable form. Valuepay takes reasonable and appropriate measures to comply with the requirement under the Data Protection Policy to retain Personal Data in identifiable form only for as long as it serves the purpose of processing.
Valuepay limits the collection of Personal Data to information that is relevant for processing. Valuepay does not process Personal Data in a way that is incompatible with the purpose for which it was collected or subsequently authorized by a User.
6. Access
A User has the right to access his or her Personal Data and to correct, amend, limit the use of or delete the Personal Data if the Personal Data is inaccurate or processed in violation of the Data protection policy. Valuepay is not required to grant the rights to access, correct, amend and delete Personal Data if the burden or expense of providing access, correction, amendment or deletion is disproportionate to the risks to the User’s privacy or if the rights of persons other than the Users are or could be violated.
7. Recourse, Enforcement, and Liability
In compliance with this Data Protection Policy, Valuepay commits to resolve complaints about your privacy and our collection or use of your Personal Data transferred to Foreign Countries pursuant to their Data Protection Regulations. Individuals with Data protection policy inquiries or complaints should first contact Valuepay at contact@valuepay.ng.
If your Data protection policy complaint cannot be resolved by other redress mechanisms Valuepay has further committed to refer such unresolved complaints under this policy to the Alternative Dispute Resolution mechanism.
Valuepay commits to periodically review and verify its compliance with the Data Protection Policy and to remedy any issues arising out of failure to comply with the Data Protection Policy.
8. RIGHTS OF DATA SUBJECTS
In compliance with the Nigerian Data Protection Regulations, VALUEPAY shall:
- Take appropriate measures to provide any information relating to processing, to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.
- Provide such information in writing, or by other means, including, where appropriate, by
- electronic means.
- Provide any information relating to the processing of data obtained from the data subject orally, at the request of the data subject, provided that the identity of the data subject is proven by other means.
- Inform the data subject without delay and at least within one (1) month of receipt of a request relating to the processing of his/her data, the reasons for not providing the information and the possibility of lodging a complaint with the supervisory authority.
- Provide information, any form of communication or any actions taken to a data subject free of charge.
- Charge data subject if the request for his/her data is manifestly unfounded or excessive, in particular, because of his/her repetitive character. The charge shall be a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested.
- Write a letter to the data subject stating “refusal act” on the request and copy NITDA on every occasion through a dedicated channel which shall be provided for such purpose, provided that such request is excessive.
- Bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
- Request for provision of additional information necessary to confirm the identity of the data subject where the Company has reasonable doubts concerning the identity of the requestor.
- Provide the information in combination with standardized icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing and machine-readable format when presented electronically.
- Provide the data subject with all of the following information, prior to collecting personal data:
- The identity and contact details of Valuepay;
- The contact details of the Data Protection Officer;
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- The legitimate interests pursued by Valuepay or by a third party;
- The recipients or categories of recipients of the personal data, if any;
- Where applicable, the fact that the Company intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by NITDA.
- The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
- The existence of the right to request from Valuepay, access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.
- The existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- The right to lodge a complaint with a relevant authority.
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
- The existence of automated decision-making, including profiling and, at least, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where Valuepay intends to further process the personal data for a purpose other than that for which the personal data were collected, the Company shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information.
- Where applicable, the Company intends to transfer personal data to a recipient in a foreign country or international organization and the existence or absence of an adequacy decision by NITDA.
13. Inform the data subject of the appropriate safeguards for data protection in the foreign country.
14. Rectify, without undue delay, inaccurate personal data concerning data subjects per their requests.
15. Acknowledge the right of data subjects to have their incomplete data completed, including by means of providing a supplementary statement.
16. Delete personal data without delay, upon request of the data subject.
17. Delete personal data where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or processed;
- The data subject withdraws consent on which the processing is based;
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- The personal data have been unlawfully processed;
- The personal data have to be erased for compliance with a legal obligation in Nigeria.
18. Take all reasonable steps to delete all the personal data made public and inform other companies processing the personal data of the data subject request
19. Acknowledge data subjects’ rights to obtain restrictions of processing their personal data where one of the following applies:
- The accuracy of the personal data is contested by the data subject for a period enabling Valuepay to verify the accuracy of the personal data;
- The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- Valuepay no longer needs the personal data for the purposes of the processing but they are required by the data subject for the establishment, exercise or defence of legal claims;
- The data subject has objected to processing pending the verification to confirm whether the legitimate grounds of Valuepay override those of the data subject.
20. Process personal data with the data subject’s consent, where processing has been restricted.
21. Communicate any rectification or erasure of personal data or restriction to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
22. Provide personal data concerning data subjects, in a structured manner, commonly-used and machine-readable format to such data subjects.
23. Not hinder the data subject from transmitting those data in its database to another company where the processing is based on consent, on a contract and processing is carried out by automated means.
24. Execute data subjects’ requests on the transmission of their personal data to another company, where technically feasible.
9. RELATED STANDARDS, POLICIES AND PROCESSES
- Consumer Protection and Recourse Mechanism Policy Framework
- Privacy Policy
- Dispute Resolution Policy
Getting started takes less than 10 minutes
Create your ValuePay account and start accepting payments today.