Personal Data Policy

Last updated November 8, 2022

This personal data retention and destruction policy (this “policy”) sets out the obligations of Nanumo Limited (“Nanumo”/“we”/“us”/“our”) regarding the retention of the personal data we collect, hold and process. The purpose of this policy is to set out the basis and periods for which we will retain personal data, and how we will dispose of personal data. This will ensure compliance with our legal obligations and effective data management. This procedure must be read together with Nanumo data protection policies and procedures.

This policy applies to all personal data received from service users, employees, professional advisers, suppliers and others, whether held in electronic or physical records, processed by Nanumo or on behalf of Nanumo (such as personal data in hosted or cloud systems). This includes personal data in structured records (such as databases), unstructured records (such as documents and spreadsheets), in emails, in audio and video recordings and includes personal data we generate (such as through access control systems and in personnel files) as well as personal data provided to us.

This Policy applies to all Nanumo employees, consultants and workers (“Personnel”, “You”, “Your”). Your compliance with this Policy is mandatory.

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) (“GDPR”) and the Nigerian Data Protection Regulation, 2019 (“NDPR”).

Definitions

The same definitions as stated in the Nanumo Data Protection Policy apply for this policy.

Responsibilities

The same responsibilities as stated in the Nanumo Data Protection Policy apply for this policy.

Data Retention Principles

The following data retention and destruction principles shall apply to all personal data processed by Nanumo:

  1. Personal data shall not be retained for longer than is necessary for the purposes for which the personal data is processed.
  2. Once personal data has reached the end of its life, the data or the record holding the data shall be securely disposed of in a manner that ensures it can no longer be used.

Meeting these principles helps to ensure that we manage risks to rights and freedoms of data subjects associated with processing their personal data, facilitate data subject rights, meet our legal obligations and improve the quality and efficiency of our data management.

Data Retention Periods

Personal data will be retained for no longer than is required to provide the service that the user has agreed to receive.

In certain situations, personal data may be kept for longer, but only where the Data Protection Officer has given his approval and where Nanumo has reasonable grounds for retaining the personal data beyond the retention period. Examples include situations where:

  1. The personal data is required for the exercise or defence of legal claims, and appropriate technical and organisational measures have been applied to the continued retention of the personal data to protect against the risks to rights and freedoms of data subjects.
  2. The personal data is required by Nanumo for statistical purposes and appropriate safeguards (pursuant to Article 89(1) of the GDPR) have been applied to the processing for these purposes, to protect against the risks to rights and freedoms of data subjects.
  3. The personal data has been fully and effectively anonymised and the Data Protection Officer is satisfied that data subjects cannot be identified from the anonymised data.

When establishing or reviewing personal data retention periods, the following shall be considered:

  1. The lawful basis upon which the personal data is collected and processed,
  2. Whether the personal data is special category personal data or relates to criminal convictions or offences,
  3. The risks to rights and freedoms of data subjects associated with collecting, holding, and processing the personal data,
  4. Nanumo’s legal or regulatory obligations to collect or retain the personal data in question; and
  5. Nanumo’s objectives and requirements when collecting and processing the personal data.

Data Destruction

Personal data shall be disposed of in the following circumstances:

  1. On expiry of the period of service provision for which the data was collected.
  2. In response to a request from a data subject to erase their personal data where the Nanumo Subject Rights Procedure has been followed and the Data Protection Officer has confirmed the personal data should be destroyed,
  3. At the discretion of a Nanumo Director where retention of the personal data is no longer necessary for the purpose of the processing prior to the expiry of the relevant retention period, and the Data Protection Officer has confirmed the personal data should be destroyed.

Where personal data is erased at the request of a data subject, Nanumo may retain such limited personal data as is reasonably necessary to keep a record of the erasure for the purposes of demonstrating compliance and enforcing erasure across all business systems, provided appropriate technical and organisational measures have been applied to the retained data in order to protect against the risks to rights and freedoms of the data subject.

The personal data which may be erased, destroyed, or otherwise disposed of in a secure manner, are as follows:

  1. personal data held in electronic records (including back-ups),
  2. special category or sensitive personal data held in electronic records (including back-ups),
  3. personal data held in physical records (including archives) which must be crosscut shredded as ‘confidential waste’,
  4. special category or other sensitive personal data held in physical records (including archives) which must be crosscut shredded as ‘confidential waste’.

In all cases, proof of destruction is to be recorded. Where an external destruction supplier is used, a certificate of destruction must be provided by the supplier.

Electronic or physical records may contain different types of personal data which are used for different purposes. These different types of personal data may be subject to different retention periods or have different levels of sensitivity. It is therefore imperative that the data itself is managed individually according to categories and not the physical or electronic file as a whole. It may be necessary to destroy some data from a file, at the same time retaining other information from the same file.

Implementation and policy management

This Policy shall be deemed effective as of 21 July 2022. It shall be reviewed by the Data Protection Officer, and any other individual deemed necessary for the review process, annually and following any data breach involving personal data.

Updates to this policy will be made at this URL and more information about the policy and updates to the policy can be obtained by emailing [email protected]