Customer Data Protection Policy

Introduction 

Emerging Cooking Solution Zambia (trading as SupaMoto Ltd, and referred to in this document as SupaMoto Ltd) is committed to protecting the privacy and security of our data subjects’ personal data. This Data Protection Policy outlines our approach to data protection and sets out the principles that all employees must follow when handling customer data. Compliance with this policy is mandatory for all employees who interact with or process customer data.

Purpose 

The purpose of this policy is to ensure that all personal data is collected, processed, stored, and disposed of in compliance with the Data Protection Act, 2021, and other applicable laws and regulations. This policy aims to protect the rights and privacy of individuals and ensure that personal data is handled with the highest standards of security and confidentiality.

Scope 

This policy applies to all employees, contractors, consultants, and temporary staff of the organization who have access to customer data. It covers all personal data, including but not limited to names, contact information, identification numbers, financial information, and any other information that can identify an individual. 

Data Protection Principles 

All employees must adhere to the following data protection principles: 

  1. Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently, in line with the requirements of the Data Protection Act, 2021. Employees must inform data subjects about how their data will be used and obtain their consent where required. 
  2. Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; it must only be used for its intended purpose. 
  3. Data Minimization: Only personal data that is necessary for the purposes for which it is processed should be collected. Excessive or irrelevant data should not be collected. 
  4. Accuracy: Personal data must be accurate and kept up to date. Inaccurate data must be corrected or deleted without delay. 
  5. Storage Limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed. 
  6. Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage. 

In the event of data deletion, similar principles apply. 

  • Data Deletion: Personal data that is no longer required for the purposes for which it was collected should be deleted or destroyed in a secure manner. This ensures that the data cannot be accessed or reconstructed. 
  • Retention Policy: Data subjects' personal data will be retained for a period of 10 years for the intended purpose. 
  • Anonymization: If data must be retained for legal or historical reasons, it should be anonymized to prevent identification of individuals. Anonymization ensures that personal data cannot be traced back to an identifiable individual. 
  • Documentation: SupaMoto Ltd will document the processes followed for the disposal of personal data, including the reasons for data deletion and the methods used. This is important for accountability and demonstrating compliance with the Act. 

  7. Data Security: SupaMoto Ltd has implemented appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. 

Employee Responsibilities 

All parties who interact with or process customer data are responsible for ensuring compliance with this policy and the following practices: 

  1. Data Collection and Processing: 
     • Collect personal data only for specified and legitimate business purposes. 
     • Obtain explicit written and signed consent from data subjects. 
     • Ensure data is collected accurately and updated regularly. 
  2. Data Access and Use: 
     • Access customer data only for legitimate business purposes and within the scope of your role. 
     • Use customer data only for the purposes for which it was collected and in accordance with this policy. 
  3. Data Security: 
     • Implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, and destruction. 
     • Use secure methods for storing, transmitting, and disposing of personal data. 
  4. Data Sharing and Transfer: 
     • Share customer data with third parties only when necessary and with appropriate safeguards in place. 
     • Ensure that cross-border data transfers comply with applicable laws and this policy. 
  5. Data Breach Notification: 
     • Report any suspected data breaches immediately to the Data Protection Officer (DPO). 
     • Assist in the investigation and resolution of data breaches.

Data Protection Officer (DPO) 

SupaMoto Ltd has appointed a Data Protection Officer (DPO) responsible for overseeing data protection compliance. The DPO’s responsibilities include: 

  1. Monitoring compliance with data protection laws and this policy. 
  2. Providing advice and training to employees on data protection matters. 
  3. Investigating and responding to data breaches and complaints. 
  4. Acting as the point of contact for data subjects and internal oversight authorities. 

Data Subject Rights 

Customers have the following rights regarding their personal data: 

  1. Right to Access: Customers can request access to their personal data held by the organization. 
  2. Right to Rectification: Customers can request correction of inaccurate or incomplete data. 
  3. Right to Erasure: Customers can request deletion of their data under certain conditions. 
  4. Right to Restrict Processing: Customers can request the restriction of processing in specific circumstances. 
  5. Right to Data Portability: Customers can request a copy of their data in a commonly used format. 
  6. Right to Object: Customers can object to the processing of their data in certain situations.

Training and Awareness 

All employees who handle customer data must receive regular training on data protection principles, this policy, and related procedures. Training will be provided upon hire and periodically thereafter to ensure ongoing compliance and awareness. 

Third-Party Vendor Assessment 

All third-party service providers that process personal data on behalf of SupaMoto Ltd must undergo a thorough data protection assessment. Data processing agreements must be established with these vendors, outlining roles, responsibilities, and compliance obligations. The organization shall only engage vendors who demonstrate adequate data protection standards and agree to adhere to this policy.

Privacy by Design and Default 

SupaMoto Ltd shall embed data protection principles into the design and implementation of all new products, systems, and business processes that involve personal data. Privacy considerations will be addressed from the earliest stages of project planning to ensure compliance with the Data Protection Act and minimize privacy risks. 

Automated Processing and Profiling 

Where automated decision-making, including profiling, is used, SupaMoto Ltd will ensure: 

  • The data subject has been informed; 
  • The processing is necessary for entering into or performing a contract, authorized by law, or based on explicit consent; 
  • Adequate safeguards are in place, including the right to obtain human intervention, express a point of view, and contest decisions. 

Data Governance Structure 

SupaMoto Ltd maintains a data governance framework that designates roles and responsibilities, including: 

  • Data Owners: Accountable for data accuracy and compliance in their areas. 
  • Data Stewards: Ensure quality and integrity of the data under their stewardship. 
  • Data Custodians: Manage technical infrastructure for data access and security. 

Data Lifecycle Management 

Personal data will be managed through all lifecycle stages: collection, usage, storage, archival, and deletion. Procedures will be documented and aligned with the retention schedule and compliance requirements. 

Data Quality Assurance 

SupaMoto Ltd shall implement procedures to routinely verify and maintain the accuracy, completeness, and consistency of personal data. Errors or outdated data must be promptly corrected or removed.

Data Protection Impact Assessments (DPIAs) 

DPIAs shall be conducted for all projects or processing activities likely to result in high risk to the rights and freedoms of data subjects. DPIAs assess risks and recommend mitigation actions.

Incident Response Plan (Detailed) 

In the event of a data breach: 

  1. Notify the Data Protection Officer immediately through the channels indicated below. 
  2. Assess the scope and impact. 
  3. Contain the breach and preserve evidence. 
  4. Notify the internal compliance office within 72 hours. 
  5. If required, communicate with affected individuals. 
  6. Review the breach to improve future response.

Third-Party Management 

All third-party vendors handling personal data must: 

  • Sign a data processing agreement. 
  • Be assessed for data security and compliance practices. 
  • Be periodically reviewed and re-evaluated for ongoing compliance.

Monitoring and Review 

The Data Protection Officer will regularly monitor compliance with this policy and conduct periodic reviews (quarterly and yearly) to ensure its effectiveness. Any changes to this policy will be communicated to all stakeholders promptly. 

Non-compliance with this policy may result in disciplinary action, up to and including termination of employment for internal and contracted parties. Additionally, individuals may be subject to legal penalties under applicable data protection laws. 

For questions or concerns about this policy or data protection practices, please contact the Data Protection Officer at dp@supamoto.global