PRIVACY POLICY

1. Scope and Legal Basis

This Privacy & Cookies Notice explains how personal data is collected, used, stored, and protected within the Company's Digital KPI and Performance Management System (the "System"). The System is used strictly for internal employee performance management, KPI tracking, appraisal, reporting, and organizational decision-making.

This notice is issued in compliance with the Nigeria Data Protection Act (NDPA, 2023) and, where applicable, the General Data Protection Regulation (GDPR).

2. Personal Data We Process

The System processes only data necessary for performance management purposes, including:

• Identification Data: Full name, employee ID, official work email
• Employment Data: Job role, department, reporting line, employment status
• Performance Data: KPIs, targets, achievement scores, appraisal outcomes, and manager feedback
• Account & Security Data: Username, encrypted password, login timestamps
• System Logs: IP address, device type, access logs, and audit trails

The System does not intentionally collect sensitive personal data such as health, religion, biometric, or financial information.

3. Lawful Basis for Processing

• Contractual Necessity: Processing required to manage employee performance as part of employment obligations
• Legitimate Interest: Monitoring productivity, performance evaluation, and internal reporting
• Legal Obligation: Compliance with labour, audit, and regulatory requirements

4. How We Use Your Data

• Setting, monitoring, and evaluating KPIs and performance goals
• Conducting employee appraisals and managerial reviews
• Generating internal performance reports and analytics
• Managing role-based access and approvals
• Ensuring system security, integrity, and accountability

5. Access Control & Confidentiality

Access to personal data within the System is strictly role-based:

• Employees can access only their own performance records
• Managers can access performance data of their assigned teams
• System administrators can access data solely for maintenance, support, and compliance purposes

All access and modifications are logged to support accountability and auditing.

6. Data Retention

Personal and performance data is retained only for as long as necessary to meet employment, organizational, and legal requirements. KPI records are archived or securely deleted once retention periods expire.

7. Your Data Protection Rights

• Right to access your personal and performance data
• Right to request correction of inaccurate or incomplete data
• Right to request deletion where legally permissible
• Right to restrict or object to certain processing activities
• Right to receive a copy of your data in a structured format

Requests may be made through the System Administrator or designated Data Protection Contact.

8. Security Measures

• Encrypted password storage and secure authentication mechanisms
• HTTPS-secured communication
• Restricted database and server access
• Continuous monitoring and audit logging

9. Cookies & Session Management

The System uses only essential cookies and session storage for:

• User authentication and session continuity
• Security and fraud prevention
• Saving user preferences

No advertising, profiling, or third-party tracking cookies are used.

10. Data Sharing & Third Parties

Personal data is not sold or shared for marketing purposes. Limited data may be processed by trusted service providers (such as hosting or email services) strictly under confidentiality and data-protection obligations.

11. Data Breach Management

In the event of a personal data breach, appropriate technical and organizational measures will be taken to contain, assess, and report the incident in accordance with NDPA requirements and applicable GDPR timelines.

12. Contact & Data Protection Responsibility

13. Updates to This Notice

This notice may be updated periodically to reflect legal, technical, or operational changes. Continued use of the System indicates acceptance of the updated notice.