Introduction

As one of the major players in the Nigerian Production Industry, Bestaf Holdings (“the Company”) collects personal information of the data subjects it relates with. In compliance with the Nigerian Data Protection Regulation (NDPR), the Company is committed to the protection of the data of its data subject(s) to prevent the occurrence of any breach. The Company has a cross-functional approach to privacy governance. The approach covers all areas of business operations of the Company, including but not limited to details of directors, employees, customers, vendors, agents and the data information of its business partners.

Definitions

1. Data Subject means any person whose personal data is being collected, held and processed.

2. DPO means Data Protection Officer.

3. NDPR means Nigerian Data Protection Regulation.

4. The Company means Bestaf Holdings.

Privacy Governance Policy

The DPO reports to the Managing Director and s/he is responsible for the implementation of the Company’s privacy policy and its compliance within the Company. The Board Nomination and Corporate Governance Committee and the Risk Strategy and Finance Planning Committee of the Board assist with oversight and monitoring functions of the Company’s privacy and data security framework and risks.

There is a robust and active cyber security program in place to protect and secure all information in our database. We have an effective access control and management system commensurate with the risk of the data collected, to ensure that access to data is given to authorised personnel on the basis of business needs.

There are designated and approved employees who collate and process data information of the Company’s data subjects and have direct access to the Company’s database. The Company strictly enforces privacy safeguards through regular training of the designated employees on privacy and data protection requirements.

Data Incident Response

We have a data incident response team that investigates a breach once it is reported, to determine the root cause of the incident and necessary steps to be taken in response to the incident. The breach is reviewed in line with the NDPR and a decision is taken by the Management on how to notify the affected persons and regulators alike. Upon the conclusion of the investigation, the Company shall promptly notify the affected persons and provide necessary support as may be required, by advising the affected persons on steps that can be taken to reduce the risk of harm and any compromise.

Review of Policy

This Policy shall be reviewed every two (2) years or as deemed necessary, in line with the applicable laws.