DATA PROTECTION AND PRIVACY POLICY
This Data Protection and Privacy Policy (the “Privacy Policy”) explains the types of personal information, also referred to as Personal Data, CHI Limited may collect about its employees, job applicants, and vendors and how this may be used in accordance with the Nigerian Data Protection Regulation 2019 (NDPR), governed by the National Information Technology Development Agency (NITDA). It governs the handling of all personal information received from CHI Limited’s employees and third parties (as well as its Vendors) and sets the standard as to how such data is to be used and protected. By the provisions of the NDPR it is mandatory that certain guards are in place to protect and keep data confidential. The penalty for non-compliance by companies carries a huge consequence and thus CHI Limited requires that its employees (and third party handlers of data) cooperate with the company to ensure strict adherence to this privacy policy and abide by the provisions of the regulation in the way and manner of handling electronic data.
This Privacy Policy focuses mainly on the following:
The Privacy Policy shall be maintained in an orderly format and shall be accessible to employees, Vendors and Third Parties who have dealings with the company. All employees and non-employee workers, interns, vendors, and other third parties who are in a contractual arrangement with the Company (“Third Parties”) are required to abide by this Privacy Policy. The management of each team/vendor shall ensure the individuals within their assigned area of control understand, adhere to and comply with this Privacy Policy.
The Company strives to keep the data fully updated and as such, where there are changes to the Privacy Policy following a regular review, such updates will be circulated through the medium for circulating information to all employees.
OBJECTIVES OF THE PRIVACY POLICY.
KEY PRINCIPLES OF THE PRIVACY POLICY.
DEFINITIONS
1. What data do we collect?
Personal Information is information that is peculiar to an individual; no form of anonymity is involved. Such information is collected by CHI Limited for various reasons, such as instances where:
For operational efficiency and reasons above stated, the various forms of data CHI Limited collects include:
2. How do we collect your data?
All data is directly provided by the Data Subject to the Company upon request; the medium through which Personal Data is being collected or processed must display a simple and conspicuous privacy agreement that the class of Data Subject being targeted can understand. The Company collects and processes data when employees apply for a job and are subsequently recruited by the company or when prospective vendors are interested in working for the company.
Other ways personal data is collected include:
3. How will we use your data?
CHI LIMITED may disclose your personal information to any member of the CHI LIMITED group of companies. This may include our holding company and/or its subsidiaries, or any subsidiaries or affiliate companies of CHI LIMITED or its parent company.
CHI LIMITED may use the information internationally in connection with processing requests by potential customers or potential employers of contract workers or temporary employees. CHI LIMITED may also disclose personal data about you to potential employers (direct placements) or potential customers if you are a contract worker we are seeking to assign to a customer.
CHI LIMITED may respond to subpoenas, court orders, or legal process by disclosing your personal data and other related information, if necessary. CHI LIMITED may also disclose your personal data where we are to establish or exercise our legal rights or defend against legal claims.
CHI LIMITED will only provide data to the extent required, and in the case of third parties, to the minimum amount of personal data necessary to provide the services on our behalf. These third parties are not permitted to use your personal data except for the limited purpose of completing the requested service or transaction.
CHI LIMITED may collect and possibly share personal data and any other additional information available to it in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the physical safety of any person.
As a part of providing services to our customers, we may share personal data from our customers with other third parties as instructed by the customer. We may share the personal data with others solely for the purposes of managing the work we are contracted to manage and will abide by any contractual obligations contained in any customer agreement related to the sharing of personal data we actually receive in writing from the customer. Rest assured that your personal data is never sold or leased to any external company, unless you have granted us permission to do so.
CHI LIMITED does not disclose personal information about its employees without specific authorization from or notice to the employee, as provided in this statement, or as required by law. Should you withdraw consent, in writing, to the use of your information for any of the above-identified purposes, we will stop using your information for such purposes as soon as it is reasonably possible to do so. CHI LIMITED will also notify you if withdrawing consent affects our ability to service you or retain your services.
4. How do we store your data?
Data is collected from varying sources and each source utilizes a mode of storage for such data. The Company securely stores the data of employees and vendors and will keep it for the period necessary to complete the purpose for which it was collected; thereafter, data is immediately deleted. CHI Limited stores data in the following manner:
At no time is a third party (Recruitment and/or Medical Agency) permitted to access or make use of employees’ information without prior management permission and consent of the affected employee. In such an instance where permission is granted, third party(ies) shall use employees’ information solely for the primary purpose for which it was intended/permitted. Where Third party(ies) is/are found to have contravened the privacy policy, penalties shall be imposed where necessary, in accordance with contractual stipulations and applicable regulations.
A. Information Technology Security.
Personal data may not be of value to CHI Limited unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft. The Information Technology Department is therefore responsible for ensuring that all employees’ and Vendors’ data are guarded against unauthorized use. Some steps to ensure this include:
Where it is used unwisely, the internet can be a source of security problems that can do significant damage to the company’s data and reputation. Users must therefore not knowingly introduce any form of computer virus, Trojan, spyware or other malware into the company. Employees must also not gain access to websites or systems for which they do not have authorization, either within the business or outside it.
Employees should be aware of the security and data protection issues that can arise from using social networks. Staff members must also always consider the security of the company’s systems and data when using the internet. If required, help and guidance is available from line managers and the company IT department Security and data protection.
B. Maintain Confidentiality
Availability and Integrity of both the Company’s Data and Personal information is a requirement on all of us, from the most junior employee in the most distant part of our business to the senior executives at its head. Employees are therefore required to treat information entrusted to them respectfully and professionally taking account of Confidentiality, Integrity and Availability of the information as if it were our own. Employees must ensure that any information they process is done so legally and for legitimate business reasons.
C. Access Control
Access to all Systems where Personal information is stored shall be granted in a controlled manner driven by business requirements. Individuals shall be explicitly granted access to information or systems; there is no implicit right of access. Access is denied unless explicitly permitted. Access to all personal data shall be granted upon permission from employees to the use of such information. Consent from employees must be free, unambiguous, uninfluenced and devoid of any form of coercion.
The Company Information Security Policy provides for an Access Control Policy which all employees must be aware of. The policy in this regard includes:
D. User Registration and De-registration
User registration and de-registration procedures shall be documented and followed when granting access rights for all systems. These procedures shall include steps to:
For more information on this Section, please refer to the Company’s Information Security Policy.
5. Security measures adopted to protect data.
The Company understands that, according to the NDPR, anyone who is entrusted with or who is in possession of Personal Data owes a duty of care to the Data Subject and as such, is accountable for its acts and omissions in respect of data processing. As such, the Company has created security measures which protect data and its systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, and employing data encryption technologies. These processes include:
Physical security measures and environmental controls shall be in place to ensure the physical security, integrity and availability of Company information assets. Protection measures shall be appropriate to the classification level of the information asset.
B. Network security management
This section defines the requirements to assure the protection of Company information in networks and connected services by reducing the risk of unauthorized access. It applies to all Employees and Third Parties, focusing on those with information technology (IT) network and communications responsibilities. Network controls include:
Management shall ensure that any network services agreements identify and include security requirements, service levels, monitoring, and management requirements for all provided network services. All remote access points shall be protected by a Company approved Secure Access Zone (SAZ) or other related protection technology and approved by the information protection organization. The use of unauthorized or remote access solutions including wireless LAN access is not permitted.
C. User access provisioning
All access to Systems shall be controlled by an authentication method involving a minimum of a unique user ID and secret authentication information including, but not limited to, strong password, passcode, PIN, passphrase, biometrics, or information derived from an encryption key. All Users shall be supplied with a Existing user IDs and access shall be reviewed at least once within a 12-month period.
D. Supplier and Third Party Relationships
There is a requirement by the Company for all third parties, individuals and/or other companies to maintain the security of Company information and information assets, where such data or information is exposed in the course of their operation. This involvement may occur in, but is not limited to, the following circumstances:
Employees who liaise with such third parties are responsible for the protection of Company information collected, transmitted, stored, or processed by Third Parties. Requirements for protecting Company information shall be included in all agreements with Third Parties that are provided Company information and Company information assets. Furthermore:
Where there is a need for CHI Limited to transfer personal data to a third party to process, such data processing shall be governed by a written contract between the third party and the Company. By so doing, such written contract, in the form of a non-disclosure agreement, protects employees’ personal information from unauthorized use. This could be, for example, a third party to whom the company has outsourced part of its recruitment. The Third Party shall ensure that information supplied is confidential and shall not be shared with the public, except information that has already been made public.
In such instances, reasonable measures will be taken to ensure that all parties to the data processing contract (except the employee) do not have a record of violating this Privacy Policy, ensure adherence to the regulatory policies and are accountable to NITDA or a regulatory authority for data protection within or outside Nigeria; and the Data Protection Officer shall be liable for the actions or inactions of third parties who handle the Personal Data of employees.
Please refer to the Company’s Information Security Policy for more information on this Section and for information on the SUPPLIER AND THIRD PARTY RELATIONSHIP POLICY.
6. The Data Protection Officer.
In accordance with legal requirements, CHI Limited shall ensure the appointment of a Data Protection Officer(s). The DPO shall ensure adherence to the Privacy Policy, and may work with competent third parties to ensure the Company’s adherence with applicable data protection laws and regulations.
The Data Protection Officer (DPO) is responsible for maintaining the policy and investigating non-compliance issues. Other duties of the Data Protection Officer include:
F. Ensure that the policies of Privacy Policy, practices and procedures are met and well recorded for the purpose of each audit.
The DPO shall ensure continuous capacity building of persons protecting/processing such data and shall guard against unauthorized use of personal data at all times by putting certain measures in place for the purpose of security.
7. What are your data protection rights?
Each employee has a right to:
8. Complaints?
You agree that any unauthorized use of Personal Information or its contents may cause CHI LIMITED immediate and irreparable harm for which money damages may not constitute an adequate remedy. Where an employee’s or vendor’s personal information has been used without authorization or for other unlawful purposes, we encourage individuals who are affected by these acts to immediately report to their line manager/local ethics officer, where it will be taken up and investigated.
A. Breach/Remedies/Penalties
In the event that the privacy policy is breached or violated, the employee shall be able to take advantage of any of the below available remedies to seek redress, within the stipulated timeframe.
9. Reference
10. Appendix
Policy Revision History July 12th, 2019.
11. Contact Us.
If you have any questions about this Privacy Policy or the manner in which your data is processed, or simply wish to exercise any of your data protection rights, kindly contact the Human Resource Department or the Information Technology Department by emailing the persons below:
Human Resource Department
Name: Mr. Gofwan Gotau
Email: gofwan.gotau@chilimited.com
Data Protection Officer
Name: Mr. Damola Akinade
Email: damola.akinade@chilimited.com
CHI FOOD SAFETY POLICY
We are committed to the processing and selling of safe and quality juices, drinks, bakery, milk and milk-based products by meeting customers and all applicable statutory and regulatory requirements under a safe and hygienic environment and effective communication process with our stakeholders.
CHI QUALITY POLICY
We shall continuously meet and exceed the quality expectations of our consumers, local and overseas customers, satisfying all our applicable statutory and regulatory requirements, and continually improving our quality management system.
CHI HSE POLICY
CHI Limited Nigeria, manufacturer of fruit juice and drinks, bakery products, milk, and milk-based products, has a vision to achieve competitive business advantage through leadership and excellence in Health, Safety and Environment sustainability. CHI Limited has a commitment to conduct its operations in a responsible manner to protect its employees, the environment and community in which it operates. All employees are responsible for implementing the appropriate controls for effective management of HSE risks and aspects in their respective areas. HSE performance of individuals shall be taken into consideration in the decisions on their career advancement.