1. Introduction
Hendan Group (comprising of all DCP, DSR, and DIL business units) hereinafter referred to as the “Group” is committed to protecting the privacy and confidentiality of Personal Information about its employees, customers, business partners and other identifiable individuals. The Group’s policies, guidelines and actions support this commitment to protecting Personal Information. Each employee bears a personal responsibility for complying with this Policy in the fulfillment of their responsibilities.
Purpose:
The Group respects the privacy of its employees and third parties such as customers, business partners, vendors, service providers, suppliers, former employees, and candidates for employment and recognizes the need for appropriate protection and management of Personal Information.
Scope:
This Policy sets the minimum standard and shall guide and apply to all employees and third parties such as customers, business partners, vendors, service providers, suppliers, and agents of the Group even if local law is less restrictive. Supplemental policies and practices will be developed as needed to meet the local legal or departmental requirements.
Supplemental policies and practices may provide for more strict or specific privacy and protection standards than are set forth in this Policy.
Policy
The Group is guided by the following principles in Processing Personal Information:
i. Notice
ii. Choice
iii. Accountability for onward transfer
iv. Security
v. Data Integrity and purpose limitation
vi. Access
vii. Recourse, Enforcement and Liability
i. Notice:
When collecting Personal Information directly from individuals, the Group strives to provide clear and appropriate notice about the:
(a) Purposes for which it collects and uses their Personal Information.
(b) Types of non-Agent third parties to which the Group may disclose that information, and
(c) Choices and means, if any, the Group offers individuals for limiting the use and disclosure of their Personal Information.
ii. Choice:
Generally, the Group offers individuals a choice regarding how Personal Information is processed, including the opportunity to choose to opt-out of further processing or, in certain circumstances, to opt-in. However, explicit consent from individuals is not required when processing Personal Information for:
(a) Purposes consistent with the purpose for which it was originally collected or subsequently authorized by the individual.
(b) Purposes necessary to carry out a transaction relationship.
(c) Purposes necessary to comply with legal requirements, or
(d) Disclosure to an Agent.
iii. Accountability for onward transfer:
Regarding the transfer of Personal Information to either an Agent or Controller, the Group strives to take reasonable and appropriate steps to:
(a) Transfer such Personal Information only for specified purposes and limit the Agent or Controller’s use of that information for those specified purposes.
(b) Obligate the Agent or Controller to provide at least the same level of privacy protection as is required by this Policy.
(c) Help ensure that the Agent or Controller effectively Processes the Personal Information in a manner consistent with its obligations under this Policy.
(d) Require the Agent or Controller to notify the Group if the Agent or Controller determines it can no longer meet its obligation to provide the same level of protection as is required by this Policy, and
(e) Upon notice from the Agent or Controller, take further steps to help stop and remediate any unauthorized Processing.
iv. Security:
The Group takes reasonable and appropriate measures to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the Processing and the nature of the Personal Information.
v. Data Integrity and Purpose Limitation:
The Group will only Process Personal Information in a way that is compatible with the purpose for which it has been collected or subsequently authorized by the individual. The Group shall take steps to help ensure that Personal Information is accurate, reliable, current, and relevant to its intended use.
vi. Access:
The Group provides individuals with reasonable access to their Personal Information for purposes of correcting, amending, or deleting that information where it is inaccurate or has been Processed in violation of its data privacy principles.
Purpose of collecting and use of Personal Information:
The Group may from time to time, Process certain Personal Information from or about employees and third parties such as customers, business partners, vendors, service providers, suppliers, former employees, and candidates for employment, including information recorded on various media as well as electronic data.
The Group will use these Personal Information to provide customers, business partners, vendors, service partners and suppliers with information and services and to help the Group personnel better understand the needs and interests of these customers, business partners, vendors, service partners and suppliers. Specifically, the Group uses information to help complete a transaction or order, to facilitate communication, to market and sell products and services, to deliver products/services, to bill for purchased products/services, and to provide ongoing service and support. Occasionally the Group personnel may use Personal Information to contact customers, business partners, vendors, service partners, and suppliers to complete surveys that are used for marketing and quality assurance purposes.
The Group may also share Personal Information with its business partners, vendors, service providers and suppliers to the extent needed to support the customers’ business needs.
Suppliers are required to keep confidential Personal Information received from the Group and shall not use it for any purpose other than as originally intended or subsequently authorized or permitted.
The Group also collects Human Resources Data in connection with administration of its Human
Resources programs and functions and for the purpose of communicating with its employees.
These programs and functions may include compensation and benefit programs, employee development planning and review, performance appraisals, training, business travel expense and tuition reimbursement, identification cards, access to the Group’s facilities and computer networks, employee profiles, internal employee directories, Human Resource record keeping, and other employment related purposes.
The Group also collects and uses Personal Information to consider candidates for employment opportunities within its business units. Human Resources Data may be shared with third party vendors and service providers for the purpose of enabling the vendor or service provider to provide service and/or support to the Group in connection with these Human Resources programs and functions. The Group will not share Human Resources Data with third parties for non-employment related purposes. The Group requires third parties receiving Personal Information to apply the same level of privacy protection as contained in this Policy and as required by applicable law.
Lawful Basis for Processing Data:
Without prejudice to the principles set out in Section 5 and conditions set out in Sections 7 and 8 of the Ghana Data Protection Regulation 2012 (ACT 2012) and Sections 34(1)- Sections 37(1) of the Ghana Data Protection Act 2012 (Act 843), the Group reserves the lawful right to process personal data either received or submitted because of use of any of the Group’s services. Usage of any of the Group’s services entails that at least one of the following below is applicable and acts as a lawful basis to process personal data.
i. Given consent by the Data Subject to the processing of personal data for one or more specific purposes.
ii. Processing is necessary for the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject prior to entering a contract.
iii. Processing is necessary for compliance with a legal obligation to which the Group is subject.
iv. Processing is necessary to protect the vital interests of the Data Subject or of another natural person.
v. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in the controller.
International Data Transfer:
Data that the Group collects may be stored, processed, and transferred between any of the countries in which the Group operates, to enable the Group to use the information in accordance with this Policy. It is important to note that other countries of operation are not subject to the guidelines of the GDPR 2012, the Group is subject to the policies set out within such countries with regards data privacy.
Data that the Group collects may be transferred to any of the countries where the Group has any of its operational activities domiciled.
An individual (employee /recruitment candidate) expressly agrees to the transfers of personal data described in this Section.
Retaining Personal Data:
This Section sets out the Group data retention policies and procedures, which are designed to help ensure that the Group complies with the legal obligations regarding the retention and deletion of personal data. Personal data that are processed by the Group for the purpose of customer engagement, recruitment, or required as part of the process for employment, shall not be kept for longer than is necessary for that purpose.
The Group collects and stores the minimum amount of personal data for the period required and ensures that third-party data of customers, business partners, vendors, service providers, suppliers, and employees’ data in its possession, remains relevant. Customers and employee’s personal data would be retained only for as long as is necessary and in line with prevailing best practice.
The Group will retain documents (including electronic documents) containing personal data:
i. To the extent that is required by law.
ii. If the Group believes that the documents may be relevant to any ongoing or prospective legal proceedings, recruitment process, employment gained, or customer engagement; and to establish, exercise, or defend the legal rights (including providing information to others for the purposes of fraud prevention) of the Group.
Cookies:
The Group’s website uses session cookies. These cookies expire at the end of the user session when the browser is closed. They do not contain any information that personally identifies a user, but personal data that is stored about a user may be linked to the information stored in and obtained from cookies. Consenting to the use of cookies in accordance with the terms of this Policy when a user first visits the Group’s website permits the Group to use cookies every time a user visits the Group’s website.
Administration:
Responsibility for compliance with this Policy rests with the heads of the individual functions, business units and departments together with any individual employees collecting, using or otherwise Processing Personal Information. Business unit, function, and department heads, in coordination with the Legal Department, are responsible for implementing further standards, guidelines and procedures that uphold this Policy, and for assigning day-to-day responsibilities for privacy protection to specific personnel for enforcement and monitoring.
This Policy is meant to be implemented in conjunction with supplementary data privacy policies specific to a country, or department, if required. These supplementary data privacy policies will account for differences in data protection requirements by jurisdiction or function and will specify individual roles and responsibilities. The Group’s business units will implement supplementary data privacy policies as required to follow applicable laws.
In the event of any conflict between this Policy and any supplemental data privacy policy, this Policy will supersede the supplemental data privacy policy to the extent that the supplemental data privacy policy is less restrictive. Local data privacy policies may provide for stricter data privacy and protection standards than are set forth in this Policy. In the event local data privacy law provides for stricter data privacy and protection than this Policy, the local data privacy law will supersede this Policy in that jurisdiction to the extent necessary to comply with stricter local law.
To exercise your right to query, access and amend your personal data, you can contact us by email on info@hendangroup.com