DPIA Policy

Cyberpay DPIA Policy

As part of our operations, CyberPay Limited (“CyberPay” or “the Company”) collects and processes certain types of information (such as name, telephone numbers, address, etc.) of individuals that makes them easily identifiable. These individuals include current, past and prospective employees, merchants, suppliers/vendors, customers of merchants and other individuals whom CyberPay communicates or deals with, jointly and/or severally (“Data Subjects”).

Maintaining the Data Subject’s trust and confidence requires that Data Subjects do not suffer negative consequences/effects as a result of providing CyberPay with their Personal Data. To this end, CyberPay is firmly committed to complying with applicable data protection laws, regulations, rules and principles to ensure security of Personal Data handled by the Company. This Data Privacy & Protection Policy (“Policy”) describes the minimum standards that must be strictly adhered to regarding the collection, use and disclosure of Personal Data and indicates that CyberPay is dedicated to processing the Personal Data it receives or processes with absolute confidentiality and security.

This Policy applies to all forms of systems, operations and processes within the CyberPay environment that involve the collection, storage, use, transmission and disposal of Personal Data.

Failure to comply with the data protection rules and guiding principles set out in the Nigeria Data Protection Regulation, 2019 (NDPR) as well as those set out in this Policy is a material violation of CyberPay’s policies and may result in disciplinary action as required, including suspension or termination of employment or business relationship.

This Policy applies to all employees of CyberPay, as well as to any external business partners (such as merchants, suppliers, contractors, vendors and other service providers) who receive, send, collect, access, or process Personal Data in any way on behalf of CyberPay, including processing wholly or partly by automated means. This Policy also applies to third party Data Processors who process Personal Data received from CyberPay.

CyberPay is committed to maintaining the principles in the NDPR regarding the processing of Personal Data.

To demonstrate this commitment as well as our aim of creating a positive privacy culture within CyberPay, CyberPay adheres to the following basic principles relating to the processing of Personal Data:

3.1 Lawfulness, Fairness and Transparency

Personal Data must be processed lawfully, fairly and in a transparent manner at all times. This implies that Personal Data collected and processed by or on behalf of CyberPay must be in accordance with the specific, legitimate and lawful purpose consented to by the Data Subject, save where the processing is otherwise allowed by law or within other legal grounds recognized in the NDPR.

3.2 Data Accuracy
Personal Data must be accurate and kept up-to-date. In this regard, CyberPay:

a) shall ensure that any data it collects and/or processes is accurate and not misleading in a way that could be harmful to the Data Subject;

b) make efforts to keep Personal Data updated where reasonable and applicable; and

c) make timely efforts to correct or erase Personal Data when inaccuracies are discovered.
3.3 Purpose Limitation
CyberPay collects Personal Data only for the purposes identified in the appropriate CyberPay Privacy Notice provided to the Data Subject and for which Consent has been obtained. Such Personal Data cannot be reused for another purpose that is incompatible with the original purpose, except a new Consent is obtained.

The purposes for which CyberPay will use your personal data includes:

a) For the provision of services to you. For example, when you purchase any of our products or services, we will use your personal data to process your order.

b) For customer care and billing. When you use our products or services, we will use your personal information to bill you and to respond to enquiries and concerns that you may have about our products and services.

c) Customer service messages. We will use your personal data to keep you updated with the latest information or changes about our products and services.

d) For marketing purposes. In order to serve you better, will use your personal data to market our products and services to you.

e) Fraud prevention and security. We will process your personal and traffic data in order to protect you against and detect fraud, to protect and detect misuse or damage to our networks.

f) Managing our networks and understanding network usage. We do this to manage the volume of calls and to understand how you use our networks, products and services.
3.4 Data Minimization

3.4.1 CyberPay limits Personal Data collection and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.

3.4.2 CyberPay will evaluate whether and to what extent the processing of personal data is necessary and where the purpose allows, anonymized data must be used.

3.5 Integrity and Confidentiality

3.5.1 CyberPay shall establish adequate controls in order to protect the integrity and confidentiality of Personal Data, both in digital and physical format and to prevent personal data from being accidentally or deliberately compromised.

3.5.2 Personal data of Data Subjects must be protected from unauthorized viewing or access and from unauthorized changes to ensure that it is reliable and correct.

3.5.3 Any personal data processing undertaken by an employee who has not been authorized to carry such out as part of their legitimate duties is un-authorized.

3.5.4 Employees may have access to Personal Data only as is appropriate for the type and scope of the task in question and are forbidden to use Personal Data for their own private or commercial purposes or to disclose them to unauthorized persons, or to make them available in any other way.

3.5.5 Human Resources Department must inform employees at the start of the employment relationship about the obligation to maintain personal data privacy. This obligation shall remain in force even after employment has ended.

3.6 Personal Data Retention

3.6.1 All personal information shall be retained, stored and destroyed by CyberPay in line with legislative and regulatory guidelines. For all Personal Data and records obtained, used and stored within the Company, CyberPay

shall perform periodical reviews of the data retained to confirm the accuracy, purpose, validity and requirement to retain.

3.6.2 To the extent permitted by applicable laws and without prejudice to CyberPay’s Document Retention Policy, the length of storage of Personal Data shall, amongst other things, be determined by:

(a) the contract terms agreed between CyberPay and the Data Subject or as long as it is needed for the purpose for which it was obtained; or

(b) whether the transaction or relationship has statutory implication or a required retention period; or

(c) whether there is an express request for deletion of Personal Data by the Data Subject, provided that such request will only be treated where the Data Subject is not under any investigation which may require CyberPay to retain such Personal Data or there is no subsisting contractual arrangement with the Data Subject that would require the processing of the Personal Data; or

(d) whether CyberPay has another lawful basis for retaining that information beyond the period for which it is necessary to serve the original purpose.

Notwithstanding the foregoing and pursuant to the NDPR, CyberPay shall be entitled to retain and process Personal Data for archiving, scientific research, historical research or statistical purposes for public interest.

3.6.3 CyberPay would forthwith delete Personal Data in CyberPay’s possession where such Personal Data is no longer required by CyberPay or in line with CyberPay’s Retention Policy, provided no law or regulation being in force requires CyberPay to retain such Personal Data.

3.7 Accountability

3.7.1 CyberPay demonstrates accountability in line with the NDPR obligations by monitoring and continuously improving data privacy practices within CyberPay.

3.7.2 Any individual or employee who breaches this Policy may be subject to internal disciplinary action (up to and including termination of their employment); and may also face civil or criminal liability if their action violates the law.

CyberPay Limited (“CyberPay” or “the Company”) is firmly committed to complying with the Nigeria Data Protection Regulation, 2019 and other applicable data protection laws, regulations, rules and principles. This Data Protection Impact Assessment Policy (“Policy”) describes the minimum standards that must be strictly adhered to whenever CyberPay wishes to conduct a Data protection Impact Assessment in respect of a new or existing project requiring the processing of Personal Data which is likely to result in a significant risk to the rights and freedoms of Data Subjects, unless the specific processing operation is explicitly excluded from a DPIA by the supervisory authority, in this case the National Information Technology Development Agency (NITDA).
This Policy applies to all personal data processing operations by staff members whether temporary or contract, or any agent or third party that is responsible for managing any personal data processing operation of CyberPay.