-
INTRODUCTION
Thank you for taking the time to familiarise yourself with the Data Protection & Privacy Policy (the Policy) of Eko Electricity Distribution Plc. Eko Electricity Distribution Plc is customer-centric utility engaged in the provision of electricity distribution and connected services to a wide range of electricity users in the southern parts of Lagos State and Agbara, in Ogun State.
This Policy enlightens our Customers, Website Users, Visitors to our various business offices and Representatives of vendors/contractors (hereinafter referred to as "you", "your" or "Data Subject") as to why we collect your Personal Data, how we use and look after your Personal Data, your rights in connection with the Personal Data you provide us and how you can exercise these rights.
Any reference to "we", "us", "our" and "the Company" is to Eko Electricity Distribution Plc.
-
PURPOSE AND OBJECTIVE OF THE POLICY
This Policy aims to give you information on how EKEDP collects and processes your Personal Data when:
- As a prospective or existing Customer, you fill/complete any of our forms or execute an agreement in connection with the delivery or use of our Services. It also covers instances where you contact us to resolve any disruption to our Services;
- As a Representative of a contractor/vendor, you provide us your Personal Data in connection with a proposed or existing contract between us and the contractor/vendor whom you are representing;
- As a Visitor at any of our business offices, you provide us Personal Data to gain access to and be on our business premises for purposes connected with our Services or to visit any person in our premises;
- As a Website User, you access or create an account on our website; and
- You engage with us by any other medium and platform through which you provide us with your Personal Data in order enable us to provide you with our Services as an electricity distribution utility or to contract with us.
The Policy is intended to comply with our obligations to provide you with information about the Company's processing of your Personal Data under the relevant laws and regulations, particularly the NDPR. It neither has a contractual status, commitment to provide our Services nor constitutes any agreement to contract with the contractor/vendor whom you represent.
It is important that you read and retain this Policy, together with any other privacy notices we may provide on specific occasions when we are collecting or processing Personal Data about you, so that you are aware of how and why we are using such Personal Data and what your rights are under the applicable laws and regulations.
This Policy supplements other notices and privacy policies and is not intended to override them except as expressly provided.
-
SCOPE OF THE POLICY
As already highlighted, the Policy applies to prospective and existing Customers, Website Users, Visitors at our business offices and Representatives of contractors/vendors who are contracting or are desiring to contract with us for the provision of goods or services.
-
DEFINITION OF TERMS/ACRONYMS
Here you can find the meanings of the key words/phrases used in this Policy to help you understand the Policy better:
S/N |
Terms |
Definition |
|
Customer |
This means a natural person regarding whom we provide the Services. |
|
COREN |
This means the Council for the Regulation of Engineering in Nigeria. |
|
Data Subject |
This means the natural person or human being the Personal Data belongs to. In the context of this Policy this includes Customers, Website Users, Visitors and Representatives as defined in this document. |
|
DPO |
Data Protection Officer. |
|
EKEDP |
Eko Electricity Distribution Plc. |
|
NDPR |
This means the Nigerian Data Protection Regulations issued by NITDA. |
|
NEMSA |
This means the Nigerian Electricity Management Services Agency. |
|
NITDA |
This means the National Information Technology Development Agency. |
|
Personal Data or data |
This means information which in itself or when combined with other pieces of information, enables one to identify a person. This includes information like name, address, email address, telephone number, etc. However, it does not include data where a person's identity has been removed (anonymous data).
|
|
process/processing |
In connection with Personal Data means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, retention, organisation, storage, adaptation or alteration, updating, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, etc. |
|
Representatives |
This means the representatives of prospective or existing contractor/vendors providing goods or services to us. |
|
Sensitive Personal Data |
This includes Personal Data about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions and views, trade union membership, information about your health, genetic and biometric data, and criminal convictions, which require a higher level of security and protection. |
|
Services |
This means electricity distribution and connected services provided by us as a licensed electricity distribution company. |
|
Website |
This means the official website of EKEDP. |
|
Website User |
This means any person using our Website. |
-
POLICY UPDATE AND UPDATE OF PERSONAL DATA
Here you can find information about what happens when changes are made to this Policy and actions to take where there is any change to the Personal Data you have provided us.
This Policy is made available on our Website. Accordingly, any Visitor, Customer or Representative engaging with us is directed to visit our Website for the Policy.
Kindly note that we may modify the Policy from time to time. The modified Policy will be uploaded on our Website. You are advised to visit our Website periodically for any changes to this Policy. You may also receive notifications from us informing you of modifications to the Policy. Changes to this Policy are effective when they are posted on the Website.
It is also important that the Personal Data we hold about you is accurate and kept up to date. In view of this, always update your Personal Data and keep us informed if there are changes to your Personal Data during continuance of the business relationship with us. On our own, we regularly rectify and or erase inaccurate or incomplete personal data, promptly upon becoming aware of such inaccuracy and/or information gap.
-
DATA PROTECTION PRINCIPLES
Here you can find the principles we follow when processing Personal Data.
At EKEDP, we process Personal Data only when it is fair, lawful and compliant with the principles set out under the applicable laws and regulations, particularly the NDPR. Specifically, in collecting and processing your Personal Data, EKEDP will, in compliance with applicable laws and regulations, ensure that your Personal Data is:
- collected and processed in accordance with specific, explicit, legitimate and lawful purpose consented to by you;
- adequate, accurate and without prejudice to the dignity of human person;
- stored only for the period within which it is reasonably needed; and
- secured against all foreseeable hazards and breaches such as theft, cyber-attack, viral attack, dissemination; unauthorised access; manipulations of any kind or damage.
Ensuring the protection of the Personal Data we process is integrated into our day-to-day activities, Services, processes and our development efforts. We understand that compliance with data protection rules, particularly as required under the NDPR takes place through our employees. Therefore, we are committed to ensuring that our employees know and comply with the requirements thereof. We expect, instruct and train our employees to respect the security and confidentiality of your Personal Data with us.
-
CAPACITY IN WHICH WE DEAL WITH PERSONAL DATA AND OUR DATA PROTECTION OFFICER
We mainly deal with your Personal Data in the capacity of Data Controllers. This means that we determine the purpose and means of processing your Personal Data. Specifically, we determine issues in relation to the following:
a) The types/class of Personal Data to process about you;
b) Why the Personal Data is to be processed;
c) How the Personal Data is to be processed; and
d) Who processes the Personal Data.
Answers to the above activities we determine are provided in this Policy in a concise, clear and plain language so that you can easily understand them.
Processing your Personal Data may be undertaken by us or outsourced to a third party referred to sometimes as data processors/administrators. We have set out in this Policy, the steps and standards we enforce when we outsource data processing activities.
Further, to ensure that any concerns you may have regarding the protection of your Personal Data is addressed sufficiently and timeously, we have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Policy.
If you have any questions about this Policy or our privacy practices, including any requests to exercise your legal rights which have been specified in this Policy, please contact the DPO using the details set out below:
Attention: The Data Protection Officer, Eko Electricity Distribution Plc
Postal address: 24/25 Marina Road, Lagos Island, Lagos, Nigeria
Email address: [email protected]
Telephone number: 0817 903 0425
Without prejudice to your right to make a complaint at any time to the National Information Technology Development Agency (NITDA), the supervisory authority for data protection issues ( www.nitda.gov.ng ) for any alleged breach of your data privacy rights, we would appreciate that you contact us in the first instance through the DPO if you have any concerns regarding the protection of your data or this Policy.
-
CATEGORIES OF PERSONAL DATA WE COLLECT
Here you can find what Personal Data we process about Customers, Website Users, Visitors and Representatives.
For Customers, we may collect, use, store and process different types/classes of Personal Data which we have listed as follows:
- Name;
- Contact details, such as physical address, e-mail address and telephone number,
- Passport photograph;
- Government issued identification numbers and identity documents, including drivers’ licences, national voters’ card, national identification number, etc
- Title documents to premises to which electricity supply is requested;
- Third-party related data such as the name and address of your landlord in instances where the Customer is a tenant.
For Representatives, we may collect, use, store and process different types/classes of Personal Data which we have listed as follows:
- Name;
- Contact details, such as physical address, e-mail address and telephone number; and
- Personal Data comprised in curriculum vitae and professional certifications (including COREN and NEMSA Certificates) and bank reference letter; and
- Third-party related data such as Personal Data contained in reference letters from previous clients.
For Visitors, we may collect, use, store and process different types/classes of Personal Data which we have listed as follows:
- Name;
- Contact details, such as physical address, e-mail address and telephone number;
- Pictures/videos from CCTV cameras at our premises; and
- Third-party related data such as the name of the person you want to see at our premises.
For Website Users, we may collect, use, store and process different types/classes of Personal Data which we have grouped as follows:
- Cookies related data.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website;
- Profile Data includes your username and password, requests made by you, your interests, preferences, feedback and survey responses;
- Usage Data includes information about how you use our website and services;
In all, we only collect the Personal Data we need for our purposes, and we do not ask for or keep irrelevant details. In addition, we do not hold Personal Data on the off chance that it might be useful in the future. We restrict collecting Sensitive Personal Data except it is crucial for the purpose for which it is requested, or such collection is required to comply with a legal obligation.
Please note that before you provide us Personal Data about third parties other than yourself, you must first inform the relevant third parties of the data you intend to provide to us and of the processing to be carried out by EKEDP, as detailed in this Policy. You can also refer such third parties to our website so that they are also made aware of how their Personal Data is processed.
-
MEANS OF COLLECTING PERSONAL DATA
We use different methods to collect Personal Data from and about you including through:
- Direct interactions and provision: You may give us your Personal Data by coming into our business premises, filling our application forms and signing contracts (manually or online), using our website, corresponding with us by post, phone, email, helpline, webchat as well as other related medium/platforms to provide our Services. This particularly covers the Personal Data you provide when you apply for our Services, give us feedback or contact us.
- Digital technologies or interactions: As you interact with our website, we will automatically collect Technical Data and Profile Data, including information about your equipment, browsing actions and patterns. We collect this Personal Data by using cookies, server logs and other similar technologies.
- Cookies: A cookie is a small text file that is stored on a user's computer for record-keeping purposes. Cookies are used to recognise you the next time you visit our website automatically. As a result, the information which you have earlier entered in certain fields on the website, may automatically appear the next time when you use our website. You can set your browser to refuse all or some browser cookies or to alert you when websites set or access cookies. Please note that some parts of this website may become inaccessible or not function properly if you disable or refuse cookies.
- From third-parties under circumstances, some of which are recognised in this Policy.
-
LAWFUL BASIS FOR PROCESSING PERSONAL DATA
Here you can read on what grounds we process your Personal Data.
We will only collect and process your Personal Data when the relevant laws or regulations allows us to. Most commonly, we will collect and process your Personal Data in the following circumstances:
- Data Subject's consent – means processing your data where you have voluntarily agreed that we should process it for any specific purpose;
- Performance of contract - means processing your data where it is necessary for the performance of a contract or to take steps before entering into such a contract;
- Compliance with legal obligation - means processing your Personal Data where it is necessary for compliance with a legal obligation that we are subject to. This can be an obligation under the law or pursuant to an order of a court;
- Public interest – means where processing your Personal Data is necessary in order to protect your interest, the interest of another Data Subject or for the performance of a task carried out in the public interest or in exercise of official public mandate vested in us; and
- Legitimate interest - means the interest of our business in conducting and managing our business relationship with you, including when reasonably required to protect our lawful interest.
-
COMPANY RELIANCE ON CONSENT
We majorly rely on your consent, the performance of a contract and compliance with legal obligation as the legal basis for processing your Personal Data.
Regarding what constitutes 'consent', in accordance with the applicable laws and regulations, we ensure that consent is freely given and is obtained without fraud, coercion or undue influence.
Please note that you have the right to withdraw consent at any time to the processing of your Personal Data by contacting us, provided that we are relying solely on your consent as the legal basis for processing your data.
-
USE OF PERSONAL DATA
Here you will see information on why and purposes for which we collect all the categories of information in the list above [Categories of Data Collected] from Customers, Visitors, Website Users and Representatives.
- We use Personal Data collected from Customers to:
- conduct KYC;
- conduct fraud prevention checks;
- process applications from prospective Customers for our Services;
- register and contract with Customers;
- deliver our Services and for performance of the obligations arising from the agreement entered with the Customer;
- process payments made by you for the purpose of enjoying our Services;
- communicate with the Customer from time to time and also educate the Customer on our Services;
- realise rights and fulfil obligations arising from contractual relations with Customers;
- comply with legal obligations, especially those connected to electricity distribution companies;
- process inquiries and requests.
- We use Personal Data collected from Representatives to:
- conduct KYC;
- conduct fraud prevention checks
- facilitate entering into a contract with the contractor/vendor;
- communicate with the contractor/vendor;
- manage the contractual relationship with the contractor/vendor;
- comply with legal obligations, especially those connected to taxes;
- process inquiries and requests.
- We use Personal Data from Visitors to:
- monitor who enters our business offices;
- ensure security of persons and property in our premises; and
- restrict unauthorised persons from gaining access to our business premises.
- We use Personal Data collected from Website Users to:
- facilitate the delivery of our Services; and
- improve our website, services, education, customer relationships and user experiences;
Some of the above purposes or legal basis for processing Personal Data will overlap, and there may be several grounds that justify our use of your Personal Data.
We do not generally use your Personal Data for marketing purposes. We may, however, from time to time, notify you about planned outages and fault clearance activities.
If the need ever arises that we should use your Personal Data for purely direct marketing purposes, we will get your express opt-in consent before using your Personal Data for marketing. In addition, we shall promptly honour your objection to direct marketing from us.
-
CHANGE OF PURPOSE
We will only use your Personal Data for the purposes for which it was collected unless we reasonably consider, in consideration of the applicable laws and regulations, that we need to use it for another reason, and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and will explain the legal basis, which allows us to do so or collect your consent for the new purpose.
If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us through our DPO. Please note that we may process your Personal Data without your consent, where this is required or permitted by relevant laws and regulations.
-
CONSEQUENCE OF FAILURE TO PROVIDE PERSONAL DATA
Where we need to collect Personal Data and you fail to provide that Personal Data, we may not be able to:
- For Customers, process your application for our Services or deliver our Services;
- For Representatives, contract with the contractor/vendor whom you are representing or otherwise undertake certain actions under the contract already entered with such contractor/vendor;
- For Visitors, to allow you gain access into our business premises; and
- For Website Users, deliver the best user experience on our website.
-
DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES
We may share your Personal Data with the parties set out below for the purposes set out above [USE OF PERSONAL DATA] and in compliance with the applicable laws and regulations:
- Service providers who provide IT and system administration services, revenue collection services, electricity billing and printing services, gateway channel services, workforce management services and electricity vending services;
- Professional advisers, including consultants, lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting service providers; and
- Regulatory and government agencies and authorities who require reporting of processing activities in certain circumstances, particularly in accordance with the applicable laws and regulations.
When we transfer or outsource all or part of Personal Data processing to third-parties (data processors/administrators), we require them to respect the security of your Personal Data and to treat it in accordance with the law.
We do not allow our data processors to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions as stipulated in a written contract.
We also ask the data processors for evidence of proper security and confidentiality measures they have in place or intend to implement before starting the Personal Data processing.
-
TRANSFER OF PERSONAL DATA
Our Personal Data processing activities majorly occurs within Nigeria. However, we may, however, store your Personal Data using cloud solutions with servers outside Nigeria but even in such cases, we ensure that the cloud solutions companies enshrine best practices in data security. Further, we do not physically transfer your Personal Data outside Nigeria or to an international organisation. Whenever there is a need to transfer your Personal Data out of Nigeria or to an international organisation, we shall ensure that we comply with the applicable laws.
-
DATA SECURITY AND PROTECTION
At EKEDP, the confidentiality and security of the Personal Data entrusted to us are essential. Therefore, we:
- Limit access to your Personal Data to those employees, agents, contractors and other third parties who need to know the same. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality as governed by a written contract;
- Always keep Personal Data confidential, and if we need to disclose it to third parties (apart from regulatory or government authorities), irrespective of the relationship we may have with them, we cover with a contract all relevant aspects of such disclosure;
- Implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, accidental loss, alteration or unauthorised disclosure or access;
- Enforce whoever is authorised to access our data or electronic communication system (including Information Technology Team members, in the performance of their duties) to:
- not use the grant of access to obtain records other than those for which the access has been authorised;
- limit the access to the minimum level of content and the least action possible; and
- limiting the number of persons involved to only those required to initiate and conduct the access.
-
STORAGE OF PERSONAL DATA
Here you can find our data retention principles, that is, the length of the period for which we keep Personal Data.
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal obligation. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider: the amount of Personal Data, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We regularly review the Personal Data we hold about you and securely delete anything we no longer need, always considering, the rules applicable to specific kind of personal data. We generally, do not keep data indefinitely 'just in case', or if there is only a small possibility that it will be used.
In some circumstances, we may anonymise your Personal Data so that it can no longer be associated with you.
-
RIGHT OF DATA SUBJECT
Here you can read about the rights you have in connection with the Personal Data you have provided us.
You as a Data Subject have the following rights in relation to your Personal Data that has been provided to us:
- Request access to your Personal Data (commonly known as a "Data Subject Access Request"). This enables you to receive a copy of the Personal Data we hold about you.
- Request correction/rectification of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data without delay where it is no longer necessary for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object (see below) to processing and there are no overriding legitimate grounds for the processing; where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with a legal obligation in Nigeria. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons, which will be notified to you, if applicable, at the time of your request.
- Object to processing of your Personal Data at any time. This right enables you to stop or prevent us from processing the Personal Data we hold about you in relation to all or any particular purpose under certain circumstances. Particularly, you have the absolute right to object to the processing of your Personal Data where we are processing it for direct marketing purposes. You can also object to the processing of your Personal Data when we are processing on the basis of public interest or our legitimate interest. However, in these instances, your right is not absolute and could be overridden if we can demonstrate compelling grounds for processing that prevail over your interest, rights, and freedoms or the processing is necessary to establish, exercise, or defend legal claims.
- Request restriction of processing of your Personal Data. This right enables you to ask us to suspend the processing of your Personal Data in the following scenarios: If you want us to verify the accuracy of the personal data; where our processing of the Personal Data is unlawful, but you do not want us to erase it; where you need us to hold the Personal Data even if we no longer require it as you need it to establish, exercise or defend legal claims; and when you have objected to our processing of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer (commonly known as "Data Portability") of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying only on your consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to continue our engagement with you. We will advise you if this is the case at the time you withdraw your consent. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in accordance with the applicable laws.
Where you have restricted our processing of your Personal Data, we shall nevertheless be able to store the Personal Data. However, we shall only be able to continue to process the Personal Data if you consent or if the processing is necessary for the establishment, exercise or defence of a legal claim; to protect the right of another natural or legal person or in the public's interest in Nigeria.
If you wish to exercise any of the rights set out above, please contact our DPO.
-
PROCESSING REQUEST FEES AND TIMELINES
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances by writing to you and copying NITDA or other applicable authority.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within a reasonable time, but no later than one (1) month from the date of receiving your request. Occasionally, it could take us longer time if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
-
PERSONAL DATA BREACH
In the event of a Personal Data breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, EKEDP shall within a reasonable time of becoming aware of the breach:
- promptly assess the risk;
- promptly notify the affected Data Subject;
- take all necessary measures and steps to ensure that further damage is not caused by the breach;
- take all steps to retract the Personal Data (in cases of unauthorised access or disclosure); and
- as applicable, report the breach to the appropriate authority within the applicable timeline of 72 hours upon discovering the breach.