1. What data do we collect?
Personal Information is information that is peculiar to an individual; no form of anonymity is involved. Such information is collected by CHI limited for various reasons, such as instances where:
For operational efficiency and reasons above stated, the various forms of data CHI Limited collects include:
2. How do we collect your data?
All data is directly provided by the Data Subject to the Company upon request; the medium through which Personal Data is being collected or processed must display a simple and conspicuous privacy agreement that the class of Data Subject being targeted can understand. The Company collects and processes data when employees apply for a job and are subsequently recruited by the company or when prospective vendors are interested in working for the company.
Other ways personal data is collected include:
3. How will we use your data?
CHI LIMITED may disclose your personal information to any member of the CHI LIMITED group of companies. This may include our holding company and/or its subsidiaries, or any subsidiaries or affiliate companies of CHI LIMITED or its parent company.
CHI LIMITED may use the information internationally in connection with processing requests by potential customers or potential employers of contract workers or temporary employees. CHI LIMITED may also disclose personal data about you to potential employers (direct placements) or potential customers if you are a contract worker we are seeking to assign to a customer.
CHI LIMITED may respond to subpoenas, court orders, or legal process by disclosing your personal data and other related information, if necessary. CHI LIMITED may also disclose your personal data where we are to establish or exercise our legal rights or defend against legal claims.
CHI LIMITED will only provide data to the extent required, and in the case of third parties, to the minimum amount of personal data necessary to provide the services on our behalf. These third parties are not permitted to use your personal data except for the limited purpose of completing the requested service or transaction.
CHI LIMITED may collect and possibly share personal data and any other additional information available to it in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person.
As a part of providing services to our customers, we may share personal data from our customers with other third parties as instructed by the customer. We may share the personal data with others solely for the purposes of managing the work we are contracted to manage and will abide by any contractual obligations contained in any customer agreement related to the sharing of personal data we actually receive in writing from the customer. Be rest assured that your personal data is never sold or leased to any external company, unless you have granted us permission to do so.
CHI LIMITED does not disclose personal information about its employees without specific authorization from or notice to the employee, as provided in this statement, or as required by law. Should you withdraw consent, in writing, to the use of your information for any of the above-identified purposes, we will stop using your information for such purposes as soon as it is reasonably possible to do so. CHI LIMITED will also notify you if withdrawing consent affects our ability to service you or retain your services.
4. How do we store your data?
Data is collected from varying sources and each source utilizes a mode of storage for such data. The Company securely stores the data of employee and vendor and will keep it for the period necessary to complete the purpose for which it was collected; thereafter, data is immediately deleted. C.H.I Limited stores data in the following manner:
A. Information Technology Security.
Personal data may not be of value to CHI Limited unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft. The Information Technology Department is therefore responsible to ensure that all employees and Vendors data are guided from unauthorized use. Some steps to ensure this include:
Where the internet is used unwisely, the internet can be a source of security problems that can do significant damage to the company’s data and reputation. Users are required therefore to ensure they must not knowingly introduce any form of computer virus, Trojan, spyware or other malware into the company. Employees must also not gain access to websites or systems for which they do not have authorization, either within the business or outside it.
Employees should be aware of the security and data protection issues that can arise from using social networks. Staff members must also always consider the security of the company’s systems and data when using the internet. If required, help and guidance is available from line managers and the company IT department Security and data protection.
B. Maintain Confidentiality
Availability and Integrity of both the Company’s Data and Personal information is a requirement on all of us, from the most junior employee in the most distant part of our business to the senior executives at its head. Employees are therefore required to treat information entrusted to them respectfully and professionally taking account of Confidentiality, Integrity and Availability of the information as if it were our own. Employees must ensure that any information they process is done so legally and for legitimate business reasons.
C. Access Control
Access to all Systems where Personal information is stored shall be granted in a controlled manner driven by business requirements. Individuals shall be explicitly granted access to information or systems. there is no implicit right of access. Access is denied unless explicitly permitted. Access to all personal data shall be granted upon permission from employees to the use of such information. Consent from employees must be free, unambiguous, uninfluenced and devoid of any form of coercion.
The Company Information Security Policy provides for an Access Control Policy which all employees must be aware of. The policy in this regard includes:
D. User Registration and De-registration
User registration and de-registration procedures shall be documented and followed when granting access rights for all systems. These procedures shall include steps to:
For more information on this Section, please refer to the Company’s Information Security Policy.
5. Security measures adopted to protect data.
The Company understands that, according to the NDPR, anyone who is entrusted with or who is in possession of Personal Data owes a duty of care to the Data Subject and as such, is accountable for its acts and omissions in respect of data processing. As such, the Company has created security measures which protect data and its systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, and employing data encryption technologies. These processes include:
Physical security measures and environmental controls shall be in place to ensure the physical security, integrity and availability of Company information assets. Protection measures shall be appropriate to the classification level of the information asset.
B. Network security management
This section defines the requirements to assure the protection of Company information in networks and connected services by reducing the risk of unauthorized access. It applies to all Employees and Third Parties, focusing on those with information technology (IT) network and communications responsibilities. Network controls include:
Management shall ensure that any network services agreements identify and include security requirements, service levels, monitoring, and management requirements for all provided network services. All remote access points shall be protected by a Company approved Secure Access Zone (SAZ) or other related protection technology and approved by the information protection organization. The use of unauthorized or remote access solutions including wireless LAN access is not permitted.
C. User access provisioning
All access to Systems shall be controlled by an authentication method involving a minimum of a unique user ID and secret authentication information including, but not limited to, strong password, passcode, PIN, passphrase, biometrics, or information derived from an encryption key. All Users shall be supplied with a Existing user IDs and access shall be reviewed at least once within a 12-month period.
D. Supplier and Third Party Relationships
There is a requirement by the Company for all third parties, individuals and/or other companies to maintain the security of Company information and information assets, where such data or information is exposed in the course of their operation. This involvement may occur, but is not limited to, the following circumstances:
Employees who liaise with such third parties are responsible for the protection of Company information collected, transmitted, stored, or processed by Third Parties. Requirements for protecting Company information shall be included in all agreements with Third Parties that are provided Company information and Company information assets. Furthermore:
Where there is a need for CHI Limited to transfer personal data to a third party to process, such data processing shall be governed by a written contract between the third party and the Company. By so doing such written contract in the form of a non-disclosure agreement protects employees ’personal information from unauthorized use. This could be, for example, a third-party who the company has outsourced part of its recruitment to. Third Party shall ensure that information supplied is confidential and shall not be shared with the public except information that has already been made public.
Please refer to the Company’s Information Security Policy for more information on this Section and for information on the SUPPLIER AND THIRD PARTY RELATIONSHIP POLICY.
6. The Data Protection Officer.
The Data Protection Officer (DPO) is responsible for maintaining the policy and investigating non-compliance issues. Other duties of the Data Protection Officer include:
The DPO shall ensure continuous capacity building of persons protecting/processing such data and shall guide against unauthorized use at all time of personal data by putting certain measures in place for the purpose of security.
7. What are your data protection rights?
Each employee has a right to:
You agree that any unauthorized use of Personal Information or its contents may cause CHI LIMITED immediate and irreparable harm for which money damages may not constitute an adequate remedy. Where an employee/vendor personal information has been used without authorization or for other unlawful purposes, we encourage individuals that are affected by these acts to immediately report to their line manager/local ethics officer where it will be taken up and investigated.
Policy Revision History July 12th, 2019.
11. Contact Us.
Human Resource Department
Name: Mr. Gofwan Gotau
Data Protection Officer
Name: Mr. Damola Akinade
CHI FOOD SAFETY POLICY
We are committed to the processing and selling of safe and quality juices, drinks, bakery, milk and milk-based products by meeting customers and all applicable statutory and regulatory requirements under a safe and hygienic environment and effective communication process with our stake holders.
CHI QUALITY POLICY
We shall continuously meet and exceed the quality expectations of our consumers, local and overseas customers, satisfying all our applicable statutory and regulatory requirements, and continually improving our quality management system.
CHI HSE POLICY
CHI Limited Nigeria, Manufacturer of fruit Juice and drinks, bakery products, milk, and milk-based products, has a vision to achieve competitive business advantage through leadership and excellence in Health, Safety and Environment sustainability. CHI Limited has a commitment to conduct its operations in a responsible manner to protect its employees, the environment and community in which it operates. All employees are responsible for implementing the appropriate controls for effective management of HSE risks and aspects in their respective areas. HSE performance of individuals shall be taken into consideration in the decisions on their career advancement.