Skip to main content Scroll Top

Data Protection Policy

Data Protection Policy
  1. Introduction

Welcome2Africa International Limited (“the Company”, “W2A”) is committed to protecting the personal data of all individuals with whom it interacts, including employees, consultants, partners, investors, clients, vendors, and other third parties.

The Company recognises that the lawful, fair, and transparent handling of personal data is essential to maintaining trust, safeguarding individual rights, and ensuring compliance with applicable data protection laws, including the Nigeria Data Protection Act (NDPA) and any other relevant regulatory frameworks.

This Policy establishes the principles and procedures governing the collection, processing, storage, sharing, and protection of personal data across all entities within the Welcome2Africa Group.

  1. Purpose

The purpose of this Policy is to:

  1. Ensure that personal data is processed lawfully, fairly, and transparently;
  2. Establish clear standards for the collection, use, storage, and sharing of personal data;
  3. Protect personal data against unauthorised access, loss, misuse, or disclosure;
  4. Define roles and responsibilities for data protection compliance within the organisation;
  5. Ensure compliance with the Nigeria Data Protection Act (NDPA) 2023 and applicable international standards; and
  6. Promote accountability and good governance in all data processing activities.

 

  1. Scope

This Policy applies to:

  1. All employees of Welcome2Africa International Limited and its subsidiaries;
  2. Contractors, consultants, interns, and temporary staff;
  3. Board members, advisors, and partners acting on behalf of the Company; and
  4. All third parties who process personal data on behalf of the Company.

This Policy applies to all personal data processed in connection with the Company’s operations, whether stored electronically or in physical form.

  1. Definition of Personal Data

For the purpose of this Policy, “Personal Data” refers to any information relating to an identified or identifiable natural person, including but not limited to:

  1. Names, addresses, email addresses, and phone numbers
  2. Identification numbers (national ID, passport, etc.)
  3. Financial information
  4. Employment records
  5. Biometric data; and
  6. Any other information that can directly or indirectly identify an individual

 

  1. Data Protection Principles

The Company shall ensure that all personal data is processed in accordance with the following principles:

  1. Lawfulness, Fairness, and Transparency – Data must be processed in a lawful, fair, and transparent manner.
  2. Purpose Limitation – Data shall be collected for specified, explicit, and legitimate purposes only.
  3. Data Minimisation – Only data that is adequate, relevant, and necessary shall be collected.
  4. Accuracy – Personal data shall be kept accurate and up to date where necessary.
  5. Storage Limitation – Data shall not be retained longer than necessary.
  6. Integrity and Confidentiality – Appropriate technical and organisational measures shall be implemented to secure data.

 

  1. Lawful Basis for Processing

The Company shall process personal data only where at least one lawful basis exists, including:

  1. Consent of the data subject;
  2. Performance of a contract;
  3. Compliance with legal obligations;
  4. Legitimate interests pursued by the Company; or
  5. Any other lawful basis recognised under applicable data protection laws.

 

  1. Data Collection and Use

The Company shall ensure that:

  1. Data is collected only for legitimate and specified purposes;
  2. Individuals are informed of the purpose of data collection at the point of collection;
  3. Data is not used for purposes incompatible with the original purpose without further consent or lawful basis.

 

  1. Data Storage and Security
    • The Company shall implement appropriate technical and organisational measures to safeguard personal data, including:
  2. Restricted access based on role and necessity;
  3. Secure digital storage systems with access controls;
  4. Password protection and authentication systems;
  5. Physical security for hard copy records; and
  6. Regular system reviews and updates to prevent data breaches.
    • Employees are strictly prohibited from storing Company-related personal data on unsecured personal devices or unauthorised platforms.

 

  1. Data Sharing and Disclosure

Personal data may only be shared:

  1. With authorised personnel within the Company on a need-to-know basis;
  2. With third-party service providers under strict contractual data protection obligations; or
  3. Where required by law, regulation, or court order.

All third parties processing data on behalf of the Company must comply with equivalent data protection standards.

  1. Data Subject Rights

Individuals whose data is processed by the Company have the right to:

  1. Access their personal data;
  2. Request correction of inaccurate data;
  3. Request deletion of personal data, subject to legal and operational limitations;
  4. Object to certain processing activities;
  5. Withdraw consent where processing is based on consent.

Requests shall be addressed in accordance with applicable legal timelines.

  1. Data Breach Management

The Company shall take all reasonable steps to prevent data breaches. In the event of a breach:

  1. It must be reported immediately to the Legal and Expansion Department and HR;
  2. Immediate containment measures shall be implemented;
  3. An internal investigation shall be conducted; and
  4. Where required, regulators and affected individuals shall be notified in accordance with applicable law.

 

  1. Roles and Responsibilities
  2. Human Resources Department: Ensures employee compliance and training on data handling practices.
  3. Legal and Expansion Department: Oversees compliance, policy updates, and regulatory alignment.
  4. All Employees and Contractors: Responsible for safeguarding any personal data they access or process.

 

  1. Cross-Border Data Transfers

Where personal data is transferred outside Nigeria, the Company shall ensure that adequate safeguards are in place in accordance with applicable data protection laws.

 

  1. Retention and Disposal

Personal data shall be retained only for as long as necessary for the purpose for which it was collected or as required by law. Secure disposal methods shall be used to ensure that data cannot be reconstructed or accessed after deletion.

 

  1. Compliance and Breach of Policy

Any breach of this Policy may result in disciplinary action, including termination of employment or contractual relationship, and may also result in legal action where applicable.

 

  1. Policy Review

This Policy shall be reviewed every two (2) years by the Legal Department or earlier where there are changes in applicable laws, operational requirements, or regulatory guidance.