Privacy Policy

Last Updated: 16th December 2023.

1. Purpose of This Policy

This Data Protection Policy establishes the framework through which GATEPASS NG collects, processes, stores, shares, and protects personal data in compliance with the Nigeria Data Protection Act (NDPA) 2023 and all directives issued by the Nigeria Data Protection Commission (NDPC).

The policy ensures that all personal data handled by the company is managed responsibly, securely, and transparently.

2. Scope

This policy applies to:

  • All employees, contractors, consultants, and temporary staff of GATEPASS NG
  • All software applications, platforms, websites, and digital services operated by the company
  • All personal data processed in electronic or manual form
  • All third-party processors acting on behalf of the company

This policy covers personal data belonging to customers, users, employees, partners, vendors, and any other identifiable individuals.

3. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person (data subject).
  • Sensitive Personal Data: Includes health data, biometric data, financial information, sexual orientation, religious beliefs, etc.
  • Processing: Any operation performed on personal data, including collection, storage, retrieval, transmission, or deletion.
  • Data Controller: GATEPASS NG, which determines the purpose and means of processing personal data.
  • Data Processor: Any third party that processes personal data on behalf of the company.
  • Data Subject: Any individual whose personal data is processed by the company.
  • DPO: Data Protection Officer appointed to oversee compliance.

4. Data Protection Principles

GATEPASS NG adheres to the following principles as required by the NDPA:

4.1 Lawfulness, Fairness, and Transparency

Personal data is processed lawfully, fairly, and in a transparent manner.

4.2 Purpose Limitation

Data is collected for specific, explicit, and legitimate purposes and not processed beyond those purposes.

4.3 Data Minimisation

Only data that is adequate, relevant, and necessary is collected.

4.4 Accuracy

Personal data must be accurate and kept up to date.

4.5 Storage Limitation

Data is retained only for as long as necessary for the purposes for which it was collected.

4.6 Integrity and Confidentiality

Data is processed securely to prevent unauthorised access, loss, or damage.

4.7 Accountability

The company is responsible for demonstrating compliance with all data protection obligations.

5. Legal Basis for Processing Personal Data

The company processes personal data only when one or more of the following legal bases apply:

  • Consent from the data subject
  • Performance of a contract with the data subject
  • Compliance with legal obligations
  • Protection of the vital interests of the data subject
  • Legitimate interests pursued by the company
  • Public interest (where applicable)

6. Categories of Personal Data Collected

Depending on the nature of the software application, the company may collect:

  • Identity data (name, username, date of birth)
  • Contact data (email, phone number, address)
  • Device and technical data (IP address, device ID, OS version)
  • Usage data (app interactions, preferences, logs)
  • Financial or payment data (where applicable)
  • Location data (with consent)
  • Sensitive personal data (only when strictly necessary and with explicit consent)

7. Data Collection Methods

Data may be collected through:

  • User registration forms
  • App usage and analytics tools
  • Customer support interactions
  • Cookies and tracking technologies
  • Third-party integrations (with user consent)

8. Data Subject Rights

In accordance with the NDPA, data subjects have the right to:

  • Access their personal data
  • Request rectification of inaccurate data
  • Request deletion of their data
  • Withdraw consent at any time
  • Object to processing
  • Request data portability
  • Restrict processing
  • Lodge complaints with the NDPC

The company provides clear channels for exercising these rights.

9. Data Security Measures

The company implements robust technical and organisational measures, including:

Technical Measures

  • Encryption of data in transit and at rest
  • Secure coding practices
  • Multi-factor authentication
  • Firewalls and intrusion detection systems
  • Regular vulnerability assessments and penetration testing

Organisational Measures

  • Staff training on data protection
  • Access control policies
  • Confidentiality agreements
  • Incident response and breach reporting procedures
  • Regular compliance audits

10. Data Breach Management

In the event of a data breach:

  • The DPO will activate the incident response plan.
  • The NDPC will be notified within the legally required timeframe.
  • Affected individuals will be informed where the breach poses a risk to their rights.
  • Remedial actions will be taken to prevent recurrence.

11. Data Sharing and Third-Party Processing

Personal data may be shared only when:

  • Required by law
  • Necessary for service delivery
  • The data subject has provided consent

All third-party processors must:

  • Sign a Data Processing Agreement (DPA)
  • Implement adequate security measures
  • Comply with NDPA requirements

12. Cross-Border Data Transfers

Where data must be transferred outside Nigeria, the company ensures:

  • The receiving country has adequate data protection safeguards, or
  • Standard contractual clauses and protective measures are in place

Transfers are conducted strictly in line with NDPC guidelines.

13. Data Retention and Disposal

Data is retained for five (5) years after the point of account deletion to fulfil its purpose or meet legal obligations, except where explicitly requested by the data subject.

Upon expiration of the retention period, data is:

  • Securely deleted
  • Anonymised
  • Archived (where legally required)

14. Roles and Responsibilities

14.1 Management

Responsible for ensuring adequate resources and oversight.

14.2 Data Protection Officer (DPO)

The DPO oversees:

  • Compliance monitoring
  • Staff training
  • Data protection impact assessments
  • Breach management
  • Communication with the NDPC

14.3 Employees

All staff must:

  • Follow this policy
  • Report suspected breaches
  • Maintain confidentiality

15. Data Protection Impact Assessments (DPIA)

DPIAs are conducted for:

  • New products or features involving personal data
  • High-risk processing activities
  • Use of sensitive personal data
  • Automated decision-making or profiling

16. Use of Cookies and Tracking Technologies

The company uses cookies and similar technologies to:

  • Improve user experience
  • Analyse usage patterns
  • Personalise content

Users are informed and may manage cookie preferences.

17. Policy Review

This policy is reviewed annually or whenever:

  • Laws or regulations change
  • New processing activities are introduced
  • Significant organisational changes occur

18. Contact Information

For inquiries or to exercise data rights, contact:

  • Data Protection Officer (DPO)
  • info@gatepassng.com