DATA PROTECTION

Data Privacy Policy for Open Space Financial Services

  1. Synopsis
  • This policy clarifies when and why personal information about our app/website visitors is collected, its usage, security and your rights as a data subject.
  • The collection, usage and storage of your data can be done as described in this Data Privacy Policy and as defined when we collect data from you.
  • Amendments to this Data Privacy Policy may be made from time to time without prior notice. Such amendments may be due to regulations. However, you will be informed of any major changes. You are therefore advised to check our app/website for the latest Privacy Policy.
  • We always comply with the Nigeria Data Protection Regulation (NDPR) when dealing with your data. For this reason, we will be the “controller” of all personal data we hold about you.
  2. Collecting Personal Information

The following types of personal information may be collected, stored, and used:

  • Information about your computer including your IP address, geographical location, browser type and version, and operating system;
  • Information about your visits to and use of this app/website including the referral source, length of visit, page views, and app/website navigation paths;
  • Information, such as your email address, that you provide when you register with our app/website;
  • Information that you provide when you create a profile on our app/website, for example, your name, profile pictures, gender, birthday, relationship status, interests and hobbies, educational details, and employment details;
  • Information, such as your name and email address, that you provide to set up subscriptions to our emails and/or newsletters;
  • Information that you provide while using the services on our app/website;
  • Information that is generated while using our app/website, including when, how often, and under what circumstances you use it;
  • Information relating to services you use, or transactions you make through our app/website, which includes your name, address, telephone number, email address, etc.
  • Information that you post to our app/website with the intention of publishing it on the internet, which includes your username, profile pictures, and the content of your posts;
  • Information contained in any communications that you send to us by email or through our app/website, including its communication content and metadata;
  • Any other personal information that you send to us.
  • Before you disclose to us the personal information of another person, you must obtain that person’s consent to both the disclosure and the processing of that personal information in accordance with this policy.
  3. Using your personal information

Personal information forwarded to us via our app/website will be utilized for the purposes specified in this policy or on the appropriate pages of the app/website. We may use your personal information for the following:

  • administering our app/website and business;
  • personalizing our app/website for you;
  • enabling your use of the services available on our app/website;
  • sending account statements, contract notes, CSCS statements, etc.;
  • sending you non-marketing commercial communications;
  • sending you email notifications that you have specifically requested;
  • sending you our email newsletter, if you have requested it (you can inform us at any time if you no longer require the newsletter);
  • sending you marketing communications on our business or the businesses of carefully-selected third parties which we think may be of interest to you, by post or, where you have specifically agreed to this, by email or similar technology (you can inform us at any time if you no longer require marketing communications);
  • providing third parties with statistical information about our users (but those third parties will not be able to identify any individual user from that information);
  • dealing with inquiries and complaints made by or about you on our app/website;
  • keeping our app/website secure and preventing fraud; and
  • verifying compliance with the terms and conditions governing use of our app/website (including monitoring private messages sent through our app/website private messaging service).

If you submit personal information for publication on our app/website, we will publish and/or otherwise use that information in accordance with the license you grant to us.

Your privacy settings can be used to limit the publication of your information on our app/website and can be adjusted using privacy controls on the app/website.

We will not, without your express consent, supply your personal information to any third party for their or any other third party’s direct marketing.

  4. Disclosing Personal Information

We may disclose your personal information to any of our employees, officers, insurers, professional advisers, agents, suppliers, or subcontractors as reasonably needed for the purposes set out in this policy.

We may disclose your personal information to any member of our group of companies (this means our subsidiaries, our ultimate holding company and all its subsidiaries) as reasonably necessary for the purposes set out in this policy.

Disclosure of your personal information will be done:

  • to the extent that we are required to do so by law;
  • in connection with any ongoing or prospective legal proceedings;
  • in order to establish, exercise, or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);
  • to the purchaser (or prospective purchaser) of any business or asset that we are (or are contemplating) selling; and
  • to any person who we reasonably believe has applied to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information.
  • Except as provided in this policy, we will not provide your personal information to third parties.
  5. International Data Transfers
  • Information that we collect may be stored, processed, and transferred between any of the countries in which we operate to enable us to use the information in accordance with this policy.
  • Information that we collect may be transferred to the following countries which do not have data protection laws equivalent to those in force in Nigeria: the United States of America, Russia, Japan, China, and India.
  • Personal information that you publish on our app/website or submit for publication on our app/website may be available, via the internet, around the world. We cannot prevent the use or misuse of such information by others.
  • You expressly agree to the transfer of personal information described in this Section.
  6. Retaining Personal Information
  • Section 6 sets out our data retention policies and procedures, which are designed to help ensure that we comply with our legal obligations regarding the retention and deletion of personal information.
  • Personal information that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  • Without prejudice, we generally delete personal data based on our data retention policy.
  • Notwithstanding other provisions, we will retain documents (including electronic documents) containing personal data:

(a) to the extent that we are required to do so by law;

(b) if we believe that the documents may be relevant to any ongoing or prospective legal proceedings; and

(c) in order to establish, exercise, or defend our legal rights (including providing information to others for fraud prevention and reducing credit risk).

  7. Security of your personal information
  • Reasonable technical and organizational precautions will be taken to prevent loss, misuse, or alteration of your personal information.
  • All personal information provided will be stored on our secure (password- and firewall-protected) servers.
  • All electronic financial transactions entered into through our app/website will be protected by encryption technology.
  • You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
  • You are responsible for keeping the password you use for accessing our app/website confidential; we will not ask you for your password (except when you log in to our app/website).
  8. Amendments

We may update this policy from time to time by publishing a new version on our app/website. You should check this page occasionally to ensure you understand any changes to this policy. We may notify you of changes to this policy by email or through the private messaging system on our app/website.

  9. Third-party app/websites

Our app/website includes hyperlinks to, and details of, third party app/websites. We have no control over, and are not responsible for, the privacy policies and practices of third parties.

  10. Updating information

Please let us know if the personal information that we hold about you needs to be corrected or updated.

  11. Your rights

You may instruct us to provide you with any personal information we hold about you; provision of such information will be subject to the following:

  1. Paying a service fee where applicable; and
  2. The supply of appropriate evidence of your identity:
  • International Passport
  • Passport Photograph
  • Driver’s License
  • Voter’s card
  • National Identification Number (National ID Card)
  1. To access your data
  2. To be provided with information about how your data is processed
  3. To have your data corrected
  4. To have your data erased in certain circumstances
  5. To object to or restrict how your data is processed
  6. To have your data transferred to you or to another business in certain circumstances.

We may withhold personal information that you request to the extent permitted by law.

You may instruct us at any time not to process your personal information for marketing purposes.

In practice, you will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide you with an opportunity to opt out of the use of your personal information for marketing purposes.

For more details, please address any questions, comments and requests regarding our data processing practices to our Data Protection Officer at privacy@openspace.finance.

  12. Our Contact:

11 Olufemi Pedro Street,

Plot 9, Parkview Estate, Ikoyi. Lagos.

+234 201 3309 599

privacy@openspace.finance 

Data Protection Policy for Open Space Financial Services

  1. Why the policy

This Data Protection Policy elucidates the basic principles of data protection, which is the bedrock for sustained business relationships and projects the reputation of Open Space as an attractive employer. It certifies the adequate level of data protection prescribed by the European Union General Data Protection Regulation (GDPR) and the Nigerian Data Protection Regulation (NDPR) 2019, earmarked for cross-border data transmission and for countries not compliant with data protection laws.

Furthermore, when, why and how personal data involving shareholders, investors and staff are to be collected, secured, used and stored are also indicated.

  2. Principles of data management

Open Space is committed to processing data in accordance with its responsibilities under the Nigerian Data Protection Regulation.

Article 5 of the GDPR requires that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. Accurate and, where necessary, kept up to date.  Every reasonable step must be taken to ensure that personal data that are inaccurate, not in conformity with the purposes for which they are processed, are erased or rectified without delay;
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods as long as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Open Space will ensure that:

  • Data must be recorded as accurately and completely as possible using the most informed source, considering point of creation and secured in electronic form.
  • Data should only be collected for a specific and documented purpose which will be made available to those with a legitimate business need.
  • Data capture, validation and processing should be automated wherever possible
  • Data should be recorded and managed over time in an auditable and traceable manner.
  • Data must not be duplicated unless duplication is absolutely essential and has the approval of the relevant Data Steward.  In such cases, one source must be clearly identified as the master, while copies will be kept intact.  Copies must not be modified (i.e., ensuring that data in the source system is the same as that in other databases).
  • Every data source must have a defined Custodian in a business leadership role who has overall responsibility for the accuracy, integrity and security of those data.
  • Wherever possible, data must be simple to enter and clearly defined.  They must also be in a usable form for both input and output.
  • Processes that update a given data element must be standard across the information system.
  • Personal data is stored securely using up-to-date modern software, and access to personal data is limited to personnel who need it; appropriate security should be in place to avoid unauthorized sharing of information. When personal data is deleted, this should be done safely such that the data is irrecoverable. Appropriate backup and disaster recovery solutions shall also be put in place.
  • Where a data breach results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, an assessment of the risk to people’s rights and freedoms will be done and, where appropriate, the breach will be reported to the National Information Technology Development Agency (NITDA) via dpo@nitda.gov.ng.

NATURE OF DATA COLLECTED:

For Clients:

  • Biodata, means of identification, utility bill for address verification, passport photographs, contact details, clearing house number.  These will be used for service rendition, in compliance with regulatory requirements and will be kept as necessary.

STAFF:

  • Biodata, academic qualifications, professional qualifications, passport photographs, referees/guarantor, account details, PFA and RSA details.

Service Provider:

  • CAC documents, Tax identification number, Account details, Service Level Agreement (SLA).

Should you require further clarifications or details, do not hesitate to address your questions, comments and requests regarding our data processing practices to our Data Protection Officer via privacy@openspace.finance or the under listed contact details:

11 Olufemi Pedro Street,

Plot 9, Parkview Estate, Ikoyi. Lagos.

+234 201 3309 599

privacy@openspace.finance 

Data Privacy Notice for Open Space Financial Services

Introduction

Open Space takes your privacy seriously and is fully committed to keeping your data private. The processing and sharing of personal information come with significant rights on your part and significant responsibilities on us as an institution.

This Data Privacy Notice is provided to fulfill our responsibilities under the General Data Protection Regulation (GDPR), which requires greater accountability and transparency from organizations regarding your personal information and gives you greater control over how we use it. This Data Privacy Notice therefore clarifies how and when we collect personal data from and about you, why we do so, and how we treat this information, and serves as a guide to how personal data is managed by Open Space. It also elucidates your rights concerning the collection of personal information and how you can exercise those rights.

The term Personal Data as used in this Privacy Notice means any information about you, such as your name, contact details, bank account details, etc. Personal Data does not include data from which you can no longer be identified, such as anonymized aggregate data.

Personal Data We Collect

We collect personal data when you open an account, request further information about our products, fill out a form, apply for a job through our app/website, or if you contact us by letter, telephone, email, or any other means of electronic or personal communication. Personal data includes your contact details such as your address, email address, telephone number, status/job title, means of identification (issue date and expiry date), nearest bus stop/landmark, BVN, etc.

We may also automatically collect some technical information when you visit our app/website, such as IP address and information about your visit such as pages that you viewed. This information assists us to understand customer interests and aids us to improve our app/website.

 

 

Usage of personal data

We process personal data to communicate with you or provide further information about our products, how we can serve you better, respond to your purchase or sell orders, process your application for employment with Open Space, or fulfill our contractual obligations with you.  We may also process your data to comply with provisions of applicable laws.  We will therefore process your data only:

  • If you have consented for us to do so
  • If we need it to perform the contract we have entered into with you
  • If we need it to follow legal obligations or
  • If we (or a third party) have a legitimate interest that is not overridden by your interests or fundamental rights and freedoms.  Such legitimate interests include the provision of legal services by us, administrative or operational processes within Open Space and direct marketing.

Although we will only use personal data for the purpose for which we collected it, if there is a need to use your data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.  We may anonymize your personal data so that it can no longer be associated with you in which case it is no longer personal data.

Sharing of Personal Information

We respect your privacy and limit the disclosure of your personal data to third parties.  We do not sell, give or trade any personal data that we obtain from you to any third party for data mining or marketing purposes.  However, we may share your data with service providers engaged by us to provide services to Open Space subject to appropriate data security and protection.  

We may also share your information where there is a regulatory or statutory obligation to disclose such personal data in accordance with provisions of applicable laws.

Data protection principles

All processing of personal data must be conducted in accordance with the data protection principles set out in relevant legislation. Our policies and procedures are designed to ensure compliance with the following principles:

Personal data must be processed lawfully, fairly and transparently: 

Lawful – the legal basis for processing personal data is normally based on relevant legislation. We are permitted by law to process information for administrative schemes, statutory schemes and core functions.  Where there is no statutory basis, then we will request your consent at the time that the information is collected.  

Fairly – For processing to be fair, we have to make certain information available to you. This applies whether the personal data was obtained directly from you or other sources.

Transparently – We will provide a Data Privacy Statement upfront whenever you are sharing personal information with Open Space. We will ensure that the information provided is detailed and specific, and that the information is written in plain English which will be understandable and accessible.

 

Our Responsibilities under GDPR

  • Personal data can only be collected for specific, explicit and legitimate purposes – We will collect and process personal data only for the purposes for which it is collected, which will be clearly stated.
  • Personal data must be adequate, relevant and limited to what is necessary for processing – We will ensure that in designing new and current methods of data collection, whether online, forms or offline, that only the personal data required to establish your identity and provide the service will be processed.
  • Personal data must be accurate and kept up to date with every effort to erase or rectify without delay – We will ensure that your data is accurate and complete. We need accurate and up-to-date data to ensure that the correct services are provided to the correct recipients. Where we have shared your data with a third party, we will update them as to any changes to your data, unless this is impossible or requires disproportionate effort.
  • Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing – We will implement appropriate policies and procedures to ensure that personal data is retained only for the minimum period required to provide the services in question. Once this period has passed, we may destroy the personal data, anonymize it or use any other appropriate method.
  • Personal data must be processed in a manner that ensures appropriate security – We will implement appropriate technical and organizational measures to ensure that appropriate security of the processing of personal data is implemented. This includes encryption, restricted access to files and physically securing the data.
  • Accountability for demonstrating compliance – We will ensure that we maintain adequate records of our processing and evidence that we have complied with this policy and related policies and procedures.
  • Data Sharing – We may need to share your data with a third party on occasion to provide services.

Security and Retention of Your Personal Data

Personal data will be kept private and every effort will be made to secure it by restricting access to your Personal Data on a need-to-know basis.  Staff and third parties that carry out any work on our behalf will comply with appropriate security standards to protect your Personal Data.

Personal data will be retained for as long as necessary to fulfill the purpose for which it was collected and processed including the purpose of satisfying any legal, regulatory, accounting or reporting requirements.  For the appropriate retention period, consideration will be given to the amount, nature and sensitivity of the Data, potential risk of harm from unauthorized use or disclosure and applicable legal requirements.

Upon expiry of the applicable retention period, we will securely destroy your Personal Data in accordance with applicable laws and regulations.

Your Rights

You can exercise the following rights concerning your Personal Data with Open Space:

  • Right to be informed – Organizations must tell individuals what data of theirs is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
  • Right of access by the data subject – You have the right to request access to your data. This can be done by contacting Open Space at the contact details below and completing a Subject Access Request form.
  • Right to withdraw consent – Where we have collected your data based on consent, you have the right to withdraw your consent at any time. This could affect our ability to provide you with services.
  • Right to rectification – You have the right to have your data rectified where inaccuracies or incompleteness have been identified.
  • Right to erasure (Right to be forgotten) – Where we process personal data it is normally because there is a statutory basis for the processing. Where we receive a request from you looking to exercise your right of erasure, then we will assess whether the data can be erased without affecting our ability to provide future services to you or fulfill statutory obligations.
  • Right to restriction of processing – You can ask us to restrict the processing of your personal information in certain circumstances. We will implement and maintain appropriate procedures to assess whether a request to restrict the processing of your data can be implemented. Where the request for restriction of processing is carried out, then we will write to you to confirm the restriction has been implemented and when the restriction is lifted.
  • Right to data portability – Open Space processes personal data it collects because there is normally a statutory basis for the processing. Where personal data on data subjects have been collected by consent or by contract, the data subjects have a right to receive the data in electronic format to give to another data controller.
  • Right to object – You have a right to object to the processing of your data in specific circumstances. Where such an objection is received, we will assess each case on its merits.
  • Right not to be subject to automated decision making – You have the right not to be subject to a decision based solely on automated processing, where such decisions would have a legal or significant effect concerning you.
  • Right to complain – Open Space will implement and maintain a complaints process whereby you will be able to contact the Data Protection Officer. The Data Protection Officer will work with you to bring the complaint to a satisfactory conclusion for both parties.

18 or Under

  • We are concerned about protecting the privacy of children aged 18 or under. If you are aged 18 or under, you must get a parent/guardian’s permission before you provide any personal information to Open Space.

Personal data breaches

A ‘personal data breach’ is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed (e.g., the most common breach incident that can occur is correspondence issued to an unauthorized third party). Any loss of personal data in paper or digital format is considered to be a personal data breach.

Changes To Privacy Notice

Due to constant changes in technology and regulatory requirements, we may need to change our privacy notice or update it from time to time. The most recent version can always be accessed on the website.

Our Contact

For further information or clarification on this notice, feel free to contact Open Space using:

11 Olufemi Pedro Street,

Plot 9, Parkview Estate, Ikoyi. Lagos.

+234 201 3309 599

privacy@openspace.finance 

 

 

Data Subject Consent Form

I hereby grant Open Space and all its third-party processors the authority to process my personal data for the purpose of assessing my application, mandate execution, product offerings and rendering of services.

I am aware that this is essential for Open Space’s genuine interests to process personal information.

I am aware I can find description of what personal data Open Space collects and the purpose of collection, processing and utilization on Open Space’s official app/website: https://openspace.finance/  

I am aware that I may withdraw my consent at any time by using the Data Subject Withdrawal Form.

Data Breach Policy

A data breach occurs when the data for which an organization is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity.

Furthermore, a data breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.  Data breaches may involve financial information such as credit card & debit card details, bank details, personal health information (PHI), Personally Identifiable Information (PII), trade secrets of corporations or intellectual property. Most data breaches involve overexposed and vulnerable unstructured data – files, documents, and sensitive information.

Additionally, Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal data transmitted, stored or otherwise processed.

If that occurs, and the breach is likely to pose a risk to an individual’s rights and freedoms, the organization has to notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach.

If the data breach poses a high risk to those individuals affected, then they should all also be informed, unless there are effective technical and organizational protection measures that have been put in place, or other measures that ensure that the risk is no longer likely to materialize.

Personal data breaches can include:

  • access by an unauthorized third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission; and
  • loss of availability of personal data.

Since Open Space collects, processes, holds and shares personal data, adequate care is taken to protect personal data from incidents, which can be accidental or deliberate, to obviate data protection breaches that could jeopardize security, thereby resulting in reputational damage, epileptic service and financial loss.

Purpose & Scope:

The main objective of this policy is to avoid breaches but, where they occur, to minimize the risk and determine the measures to adopt to protect personal data and avoid more breaches.

To this end, Open Space will:

  • Put in place an institutional framework aimed at ensuring security of all personal data throughout its life cycle
  • Adopt effective procedures that will be consistent in managing personal and special category (sensitive) data breach and security incidents.
  • Ensure that all employees including temporary, contractors, consultants, suppliers are covered.

Type of Breaches:

  • Postal Breach  – occurs where someone’s envelope contains two further letters addressed to other people.

This can be controlled by adopting the following measures:

  • Address personal information to a named person
  • Consider using tracked or recorded delivery for personal information
  • Case notes to be sent in robust approved packaging.
  • Email Breach – occurs where email has been pwned, meaning that the security of an account has been compromised, which could be passwords and email addresses ending up in the hands of cybercriminals or when cybercriminals hack into organizations’ databases and steal sensitive information. The data, which is exposed to the public, can include passwords, account numbers, correspondence, names, home addresses, Social Security numbers and more.

Before emailing any external parties, Open Space will:

  • Check whether it is acceptable to send personal information
  • Confirm the accuracy of the email addresses
  • Check that everyone on the copy list has a genuine need to know
  • Use the minimum identifiable information (e.g. NHIS number)
  • Check encryption requirements

Where email needs to be sent to an unsecure recipient:

  • Check they understand and accept the risks; or
  • Encrypt the mail, if you can

  • Phone Breach – entails using phone numbers and names to send out SMS-based phishing messages that are crafted in a way that’s a little bit more believable.

Measures Open Space put in place:

  • Confirm the enquirer’s name, job title and organization
  • Confirm the reason is appropriate
  • Take a contact phone number, e.g. main switchboard number
  • Check whether the information can be provided – if in doubt, tell the enquirer you will call them back
  • Provide the information only to the enquirer.
  • Record your name and details about disclosure, along with recipient’s details

It is also noteworthy that data security breaches include both confirmed and suspected incidents.

An incident is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to Open Space's information assets and/or reputation.

An incident includes, but is not limited to:

  • loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad/tablet device, or paper record);
  • equipment theft or failure;
  • system failure;
  • unauthorized use of, access to or modification of data or information systems;
  • attempts (failed or successful) to gain unauthorized access to information or IT system(s);
  • unauthorized disclosure of sensitive/confidential data;
  • app/website defacement;
  • hacking attack;
  • unforeseen circumstances such as a fire or flood;
  • human error;
  • ‘blagging’ offences where information is obtained by deceiving the organization that holds it.

Reporting Incidents:

Where a data breach occurs, it must be reported immediately to the Data Protection Officer (DPO) through this email address: privacy@openspace.finance, giving full details such as:

  • When the breach occurred (date and time)
  • How it happened
  • Where it happened (which section or department), or what type of data was compromised
  • What business activity was going on when it happened

The DPO will assess the extent of the breach in conjunction with the Head of ICT and the Head of the Internal Control Department to ascertain its severity, and will commence investigation immediately and, where possible, within 24 hours of the breach being reported.

Investigation will cover areas like:

  • Type of data involved
  • Its sensitivity
  • Whether encryption is in place
  • Was the data lost or stolen?
  • Will the data be put to illegal or inappropriate use?
  • Are data subjects affected? If yes, what is the number and what are the possible effects on the data subjects?
  • Are there broader consequences to the breach?

Based on the outcome of the investigation, the DPO and team will decide whether the relevant authorities will be notified of the breach. If so, they will notify NITDA not later than 72 hours after the occurrence.

Where the breach is likely to result in a high risk to the rights and freedoms of individuals under Data Protection Legislation, data subjects should be notified without undue delay. Notification will capture areas like:

  • How and when the breach occurred
  • Data involved
  • Actions already taken to mitigate risks
  • Contact details should they require further clarification on the issue.

The DPO, having satisfactorily contained the incident, will review, among other things:

  • Cause of the breach
  • Response time
  • Adequacy of policies and procedures as well as existing controls
  • Storage of personal data
  • Security of data transmission

Policy Review:

The policy will be updated to mirror best practice, thereby ensuring compliance with changes or amendments to applicable legislation and will be reviewed annually.

Data Subject Access Request

The General Data Protection Regulations (GDPR) entitle individuals to request access to any personal data that Open Space holds about them. This is known as a Data Subject Access Request (DSAR). This document outlines the procedures surrounding making and responding to a DSAR.

A DSAR is where an individual, using their rights under GDPR, makes a request for a copy of the personal data an organisation holds on them, or details of what data is held and its source. A DSAR does not have to reference GDPR, the term “Data Subject Access Request” or any legislative rights.

Procedures For Making A DSAR

DSARs can be made verbally, via email or in writing to Open Space’s Data Protection Officer (DPO), at the address below:

11 Olufemi Pedro Street,

Plot 9, Parkview Estate, Ikoyi. Lagos.

+234 201 3309 599

privacy@openspace.finance 

  • If a DSAR is made verbally then the requester should be asked to put their request in writing, to allow Open Space to understand the nature of the DSAR and to verify the identity of the requester.
  • Where a request is received elsewhere in Open Space, the Data Protection Officer should be immediately informed so they can deal with the request with no undue delay.
  • Once the request is received, the Data Protection Officer will confirm the identity of the requester and assess the scope of the request.

Confirming the Identity of the Requester:

  • Additional information may be requested to evidence the identity of the requester.  

This can be established by the production of two or more of the following:  

  • Current passport
  • Current driving license
  • Recent utility bill with current address
  • Birth/marriage certificate
  • Recent credit card/deed of assignment/C of O/mortgage statement

  • If Open Space is not satisfied with the identity of the requester, then the request will not be granted to avoid inadvertent data breach.
  • If a request is made by a person seeking the personal data of a data subject, and which purports to be made for that data subject, then a response must not be provided unless and until written authorisation has been provided by the data subject.
  • Open Space should not approach the data subject directly, but should inform the requester that it cannot respond without the written authorization of the data subject.
  • Where consent cannot be obtained, or is denied, the DPO will consider the reasons and Open Space’s duty of care to both parties to decide whether to disclose the information.
  • Where the parent of a minor makes a request, consideration must be given as to whether the minor is mature enough to understand their rights.
  • If it is considered that the minor cannot understand their rights, then the response should be sent directly to the parent.

Fee for Responding to Requests:

Open Space will usually deal with a DSAR free of charge; however, a fee may be charged in the following circumstances:

  • Where a request is manifestly unfounded or excessive, or Open Space refuses to respond to the request. This will be stated in writing highlighting the reasons for refusing to respond.
  • Where a repeat request for the same information is made.

Process for dealing with a DSAR:  

  • Once the identity of the data subject (or the right/authority to request the data where the data subject is not the requester) is ascertained, the Data Protection Officer will kick start the process of contacting the appropriate departments to collect and collate the information.
  • The DPO will take all reasonable and proportionate steps to identify and disclose all data relating to the request.
  • To locate the correct information within Open Space, the DPO may ask the requester to confirm exactly what information they are requesting, or where they believe the information may be stored.
  • Where the information contains reference to third parties the DPO will redact (blank out) the third parties.
  • Where this is impossible, and consent from the third party has not been received, the information will not be disclosed.
  • The information provided in reply to a request must be that which Open Space holds (subject to any exemptions) at the time the request is received. However, DPR allows routine updating and maintenance of the data to continue between the date on which the request is received and the date when the reply is dispatched.
  • This means that the information provided to the individual may differ from that which was held at the time when your request was received as a result of normal processing.
  • The DPO will ensure that the information disclosed is clear and technical terms are clarified and explained.
  • The response should be provided in a written format, via email or letter, including an explanation of the types of data provided and whether, and as far as possible for what reasons, any data has been withheld.

Period For Responding To A DSAR  

Open Space has one month to respond to a DSAR. This will run from:

  • The date of the request;
  • The date when any additional identification, or other information requested, is received;
  • Payment of any required fee.  

The period of response may be extended by a further two calendar months in relation to complex requests. If it is decided that due to the complexity of the request an extension of the period for response is required, the DPO will notify the requester within one calendar month of receiving the request, together with the reasons as to why this is considered necessary.

If a request is received during festive periods/end of the year, a response may not be feasible within the stipulated one month period because some key staff may be on vacation.  

If a request is received during this period, Open Space will send out an initial acknowledgement of the request, followed by a further acknowledgement as soon as possible following the start of a new year, setting out details of when a full response will be provided (not later than one month into the new year).

Contacts & Complaints

Enquiries regarding this procedure or Open Space’s Data Protection Policies should be directed to Open Space’s DPO using the contact details.

NATIONAL DATA PROTECTION COMMISSION

PREAMBLE

Nigeria Data Protection Commission [hereafter referred to as “Data Controller” or NDPC] is an establishment of the Federal Government of Nigeria. The central mandate of NDPC is to implement the Nigeria Data Protection Act (NDPA) 2023.

Our contact information is provided under ARTICLE 12 of this Data Privacy Policy.

This privacy policy is in furtherance of section 37 of the Constitution of the Federal Republic of Nigeria (CFRN) 1999 (as amended), the Nigeria Data Protection Act (NDPA) 2023 and all other legal instruments designed to protect the privacy rights of natural persons.

As the “Data Controller”, we are cognizant of the privacy rights of all natural persons who are part of NDPC or interact with us on all our data processing mediums or platforms. These classes of people are our “Data Subjects”. As a responsible establishment, we are committed to safeguarding the privacy rights of our data subjects through this strict privacy policy. It shall complement extant legal regulatory framework as an internal standard of care we owe our “Data Subjects”.

ARTICLE 1: OUR GUIDING PRINCIPLES ON DATA PROCESSING

In processing your personal data, we adhere strictly to the principles of data processing as set out under S.24 of the NDPA. Our obligation in terms of the principle is to ensure that personal data is:

  1. processed in a fair, lawful and transparent manner;
  2. collected for specified, explicit, and legitimate purposes, and not to be further processed in a way incompatible with these purposes;
  3. adequate, relevant, and limited to the minimum necessary for the purposes for which the personal data was collected or further processed;
  4. retained for not longer than is necessary to achieve the lawful bases for which the personal data was collected or further processed;
  5. accurate, complete, not misleading, and, where necessary, kept up to date having regard to the purposes for which the personal data is collected or is further processed; and
  6. processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach.

Furthermore, we are committed to ensuring accountability, demonstrating duty of care to you and also upholding data confidentiality, integrity and availability.

ARTICLE 2: CONSENT OF DATA SUBJECT

Except as otherwise required by operation of law or principles of law, your consent as the data subject is paramount in our considerations. You have the right to give, withhold or otherwise withdraw your consent to data processing. For further understanding of the operation of the principle of consent under data processing, see S.26 of the NDPA 2023.

ARTICLE 3: OUR SCOPE OF DATA PROCESSING

In varying degrees, vis-à-vis the services we provide for you or your level of engagement with us, we do process your personal data. Below is a table containing the major types of personal data, the purpose and the lawful bases for processing them:

| S/N | PURPOSE OF COLLECTION | TYPE OF DATA | LAWFUL BASIS |
|---|---|---|---|
| 1 | REGULATORY ACTIONS | Name, Phone, Email Address, Contact Address, Sex, Date of Birth, passport and educational record. | LEGAL OBLIGATION. Some instances may involve public interest. |
| 2 | NOTIFICATIONS | Name, Phone, Email Address, Contact Address, Sex and Date of Birth. | LEGAL OBLIGATION. Some may require consent as prescribed by the NDPA. |
| 3 | DATA ANALYTICS | Name, Phone, Email Address, Contact Address, Sex and Date of Birth. | CONSENT. (To ensure that our services suit the purpose of data subjects and to measure our performance). Some may involve legitimate interest or legal obligation where analytics are tailored towards crime prevention. |
| 4 | SECURITY | Name, Phone, Email Address, Contact Address, Sex, Date of Birth and passport. | LEGAL OBLIGATION. For safety and security of lives and property. Some may involve legitimate interest or public interest where analytics are tailored towards crime prevention. |
| 5 | EMPLOYMENT | Name, Phone, Email Address, Contact Address, Sex, Date of Birth, passport, medical record, educational record. | CONTRACT. This is the major lawful basis. Some instances may involve other lawful basis such as consent, vital interest or legal obligation. |
| 6 | CONTRACT | Name, Phone, Email Address, Contact Address and Sex | CONTRACT. Some instances may involve legitimate interest or public interest – particularly in carrying out due diligence. |

Please note that the categories of data and the lawful basis provided are not exhaustive. We are governed by the NDPA and we process data without prejudice to your rights as a data subject.

ARTICLE 4: RIGHTS OF DATA SUBJECTS

We hold your privacy rights very dear to our operations. Apart from the right to give, withhold or withdraw consent, you have rights to all relevant information that may guide you in making informed decisions about your personal data. For example, you have the right to be notified of anyone or any place to which we may transfer your personal data. Your rights under the NDPA include but are not limited to the following:

  1. Right to be Informed
  2. Right of Access
  3. Right to Rectification
  4. Right to Object to Processing
  5. Right to Data Portability
  6. Right to be Forgotten
  7. Right in Relation to Automated Decision Making (which essentially entitles you to human intervention)

Note that you also have a right to lodge a complaint with the Commission. See Part VI of the NDPA.

ARTICLE 5: WITHHOLDING RELEVANT DATA

There are types of personal data that are mandatory for us to process in order to carry out your instructions or perform our legal mandate for your benefit. If you withhold such information, it may be impracticable to carry out our mandate in relation to you. If you seek more clarification on our data processing, contact our designated Data Protection Officer as provided under ARTICLE 12 below.

ARTICLE 6: TRANSFER OF DATA TO A THIRD-PARTY

As a public establishment, third parties may wish to provide essential services to you (through our platforms) while relying on the relevant lawful bases for processing your personal data in this regard. The type of data usually processed for this may be your contact details. Where such services depend on consent, you have the right to decline and further restrict the processing of your personal data. You can simply unsubscribe from the notices sent for the purpose of such services.

ARTICLE 7: TECHNICAL INFORMATION AND COOKIES

Customarily, app/websites are designed to collect certain information from the visitor. Our app/website is also designed to collect your IP address and other information that your web browser typically shares with the app/websites that you visit. The purpose of this is to know you better and to automatically and dynamically engage with you through your actions on our app/website.

“Cookies”, in computer parlance, are text files that are downloaded to your browsing devices such as phones or computers when you browse pages of app/websites. They contain small amounts of data and their essential function is to intelligently memorise your preferences and therefore present them to you as choices when you are browsing – even at different times. Note that various app/websites use cookies for different purposes, some of which may undermine your privacy rights. We have taken measures to ensure that all methods adopted by us to engage automatically with you do not violate your privacy rights under the NDPA. In the case of cookies, we ensure that they have security protocols and are not vulnerable to abuses by anyone.

ARTICLE 8: PERSONAL DATA SECURITY AND INTEGRITY

We use cutting-edge technologies and foolproof protocols to provide you with comprehensive layers of security in the area of personal data. Thus, we are constantly vigilant in preventing cyber-attacks, fraudulent intrusion, unauthorised access, loss or corruption of personal data. We are equally cognizant of the obligations imposed on us by law in terms of data protection. Accordingly, we conduct reviews of process and privacy impact assessments, carry out training and obtain strict warranties where applicable.