Introduction
Commercium Africa Ltd (hereinafter referred to as “the Company”) is committed to protecting the privacy and security of personal data. This Data Protection Policy outlines the Company’s practices regarding the collection, use, and protection of personal data, ensuring compliance with the Nigerian Data Protection Regulations (NDPR) and the General Data Protection Regulation (GDPR).
Scope
This policy applies to all employees, contractors, consultants, temporary staff, and other workers at the Company, including all personnel affiliated with third parties. It covers all personal data processed by the Company, irrespective of the format (electronic, paper-based, etc.).
Definitions
Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, disclosure, erasure, or destruction.
Data Subject: An individual whose personal data is processed by the Company.
Data Controller: The entity that determines the purposes and means of processing personal data.
Data Processor: The entity that processes personal data on behalf of the Data Controller.
Data Protection Principles
The Company adheres to the following principles concerning the processing of personal data:
Lawfulness, Fairness, and Transparency
Personal data shall be processed lawfully, fairly, and transparently in relation to the Data Subject.
Purpose Limitation
Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data Minimization
Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy
Personal data shall be accurate and, where necessary, kept up to date. Inaccurate data shall be erased or rectified without delay.
Storage Limitation
Personal data shall be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and Confidentiality
Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Legal Basis for Processing
The Company shall process personal data only when there is a legal basis for such processing. The legal bases include, but are not limited to:
Consent of the Data Subject.
Performance of a contract to which the Data Subject is a party.
Compliance with a legal obligation.
Protection of vital interests of the Data Subject or another natural person.
Performance of a task carried out in the public interest or in the exercise of official authority.
Legitimate interests pursued by the Company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.
Data Subject Rights
Data Subjects have the following rights concerning their personal data:
Right to Access: Data Subjects have the right to obtain confirmation as to whether personal data concerning them is being processed, and, if so, access to the personal data.
Right to Rectification: Data Subjects have the right to obtain the rectification of inaccurate personal data concerning them.
Right to Erasure: Data Subjects have the right to obtain the erasure of personal data concerning them in certain circumstances.
Right to Restriction of Processing: Data Subjects have the right to restrict the processing of personal data in certain circumstances.
Right to Data Portability: Data Subjects have the right to receive personal data concerning them in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller.
Right to Object: Data Subjects have the right to object to the processing of personal data concerning them in certain circumstances.
Right to Withdraw Consent: Data Subjects have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Data Security
The Company implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Encryption of personal data.
Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
Ability to restore the availability and access to personal data promptly in the event of a physical or technical incident.
Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Data Breach Notification
In the event of a personal data breach, the Company shall notify the relevant supervisory authority and, where applicable, the Data Subject, without undue delay and within the timeframe specified by applicable law.
Data Protection Officer
The Company has appointed a Data Protection Officer (DPO) to oversee compliance with this policy and applicable data protection laws. The DPO’s responsibilities include:
Informing and advising the Company and its employees about their obligations to comply with data protection laws.
Monitoring compliance with data protection laws and Company policies.
Providing advice regarding Data Protection Impact Assessments (DPIAs).
Cooperating with supervisory authorities.
Acting as the contact point for supervisory authorities and Data Subjects.
Data Protection Impact Assessments
The Company shall conduct Data Protection Impact Assessments (DPIAs) for processing operations that are likely to result in a high risk to the rights and freedoms of Data Subjects, particularly for new projects or significant changes to existing processing activities.
Training and Awareness
The Company provides regular training and awareness programs for employees on data protection principles, policies, and practices to ensure compliance with applicable data protection laws.
Policy Review
This policy shall be reviewed regularly and updated as necessary to reflect changes in applicable laws, regulations, and the Company’s processing activities.
Contact Information
For any questions or concerns regarding this policy or data protection practices, please contact the Data Protection Officer at: [email protected]