Avinell Privacy Policy - UK

Effective Date: [June 2026]

Last Updated: [06/26]

1.0 INTRODUCTION

Avinell and its subsidiaries (“the Company”) are committed to protecting the privacy, confidentiality, and security of personal data in accordance with applicable data protection laws, including the UK General Data Protection Regulation (GDPR) and the Nigeria Data Protection Act (NDPA) 2023. This policy outlines how personal data is collected, processed, stored, shared, and protected in the course of business operations.

2.0 PURPOSE

The purpose of this Data Privacy Policy is to:

  • Ensure lawful, fair, and transparent processing of personal data.
  • Protect the rights and freedoms of data subjects.
  • Ensure compliance with UK GDPR and NDPA 2023 requirements.
  • Establish accountability and governance for data protection.
  • Prevent unauthorized access, misuse, or loss of personal data.

3.0 SCOPE

This policy applies to:

  • All employees, contractors, directors, and third parties.
  • All client personal data collected.
  • All personal data processed by the Company in any form (electronic, paper, verbal).
  • All business units, subsidiaries, and outsourced service providers.

4.0 KEY DEFINITIONS

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Data Subject: The individual (client, employees, contractors, directors, and third parties) whose personal data is processed.
  • Processing: Any operation performed on personal data (collection, storage, use, disclosure, etc.).
  • Data Controller: The entity determining the purposes and means of processing personal data.
  • Data Processor: The entity processing data on behalf of the controller.

5.0 PRINCIPLES OF DATA PROTECTION

The Company shall ensure that personal data is:

  • Lawfully, fairly, and transparently processed
  • Collected for specified, explicit, and legitimate purposes
  • Adequate, relevant, and limited to what is necessary (data minimization)
  • Accurate and kept up to date
  • Stored only for as long as necessary (storage limitation)
  • Processed securely to prevent unauthorized access or loss (integrity & confidentiality)
  • Accountable with demonstrable compliance

6.0 LEGAL BASIS FOR PROCESSING

Personal data will only be processed where at least one of the following applies:

  • Consent of the data subject.
  • Performance of a contract.
  • Compliance with a legal obligation.
  • Protection of vital interests.
  • Performance of a task carried out in public interest.
  • Legitimate interests pursued by the Company (balanced against individual rights).

7.0 COLLECTION OF PERSONAL DATA

The Company shall collect personal data only:

  • Directly from data subjects where possible.
  • For legitimate business purposes.
  • With clear notification of purpose at the point of collection.

Data collected may include but is not limited to:

  • Identification data (name, ID, passport, etc.)
  • Contact details (address, email, phone number)
  • Financial, credit and transactional data.
  • Employment records.

8.0 RIGHTS OF DATA SUBJECTS

In compliance with UK GDPR and NDPA 2023 requirements, data subjects have the right to:

  • Be informed about data processing.
  • Access their personal data.
  • Request correction of inaccurate data.
  • Request deletion (“right to be forgotten”) where applicable.
  • Restrict or object to processing.
  • Request data portability.
  • Withdraw consent at any time by writing to the Company.

9.0 DATA SECURITY

The Company shall implement appropriate technical and organizational measures, including:

  • Access controls and role-based permissions.
  • Encryption of sensitive data.
  • Secure storage systems and backups.
  • Firewall and cybersecurity protections.
  • Staff training and awareness programs.
  • Regular audits and vulnerability assessments.

10.0 DATA SHARING AND DISCLOSURE

Personal data may only be shared where:

  • There is a lawful basis for sharing.
  • It is necessary for business operations.
  • The recipient has adequate data protection safeguards.

Third-party processors must:

  • Sign Data Processing Agreements (DPA).
  • Comply with UK GDPR/NDPA 2023 requirements.
  • Ensure confidentiality and security of data.

11.0 INTERNATIONAL DATA TRANSFERS

Personal data may be transferred outside Nigeria or the EU only where the destination country has adequate data protection laws, or appropriate safeguards are in place (e.g., Standard Contractual Clauses, binding corporate rules, or consent).

12.0 DATA BREACH MANAGEMENT

A personal data breach includes unauthorized access, disclosure, alteration, or destruction of data.

In the event of a breach:

  • It must be reported immediately to the Data Protection Officer (DPO).
  • Risk assessment must be conducted where required.
  • Notify the relevant supervisory authority within 72 hours (UK GDPR and NDPA 2023).
  • Notify affected data subjects without undue delay.

13.0 DATA RETENTION

Personal data shall not be retained longer than necessary for the purpose collected.

Retention will be determined based on:

  • Legal and regulatory requirements.
  • Business needs.
  • Statutory limitation periods.

At the end of retention periods, data shall be securely deleted or anonymized.

14.0 ROLES AND RESPONSIBILITIES

Data Protection Officer (DPO)

  • Ensure compliance with UK GDPR and NDPA 2023.
  • Monitor data protection practices.
  • Handle data subject requests.
  • Report breaches to regulators where required.

Management

  • Appoint a data protection officer.
  • Implement data protection controls.
  • Ensure staff compliance and training.
  • Support audits and investigations.

Employees

  • Handle personal data responsibly.
  • Report breaches immediately.
  • Comply with all data protection procedures.

15.0 DATA PROTECTION IMPACT ASSESSMENTS (DPIA)

The Company shall conduct DPIAs where processing is likely to result in high risk to individuals, including:

  • Large-scale processing of sensitive data.
  • Automated decision-making or profiling.
  • New technology deployments.

16.0 COMPLIANCE AND MONITORING

The Company shall:

  • Conduct periodic compliance audits.
  • Review data protection policies regularly.
  • Ensure continuous improvement of data security controls.

17.0 SANCTIONS FOR BREACH

Any violation of this policy may result in:

  • Disciplinary action (warning letters, suspension, termination)
  • Regulatory penalties under NDPA or GDPR.
  • Civil or criminal liability where applicable.

18.0 DATA PROTECTION AUDIT

The Company shall contract a Data Protection Compliance Organization (DPCO) to test readiness and preparedness for compliance ahead of Nigeria Data Protection Commission (NDPC) statutory audits and General Data Protection Regulation (GDPR) reviews.

19.0 POLICY REVIEW

This policy shall be reviewed every two years, or when there are regulatory changes, or when operational changes require updates.
