MTN Zambia Data Privacy and Protection Policy - MTN Zambia
1. Policy Approval
This Data Privacy and Protection Policy is a Statutory Policy as defined in the MTN Zambia Master Policy and therefore the applicable Policy approval process, as set out in Annexure B of the MTN Zambia Master Policy, would apply.
2. Definitions and Abbreviations
The definitions contained in this MTNZ Data Privacy and Protection Policy should be read with the definitions in the MTN Zambia Master Policy. General definitions and abbreviations which are applicable across all MTN Zambia Policies are provided for in the MTN Zambia Master Policy, and only policy-specific definitions are provided for in this policy.
Term | Definition/Abbreviation |
---|---|
Affiliates | All representatives, agents and officers of MTN Zambia. |
Applicable Data Protection Law(s) | Data privacy and data protection legislation and regulations applicable to the Processing of Personal Data carried out by MTN Zambia, or for or on behalf of MTN Zambia. |
Automated Decision Making | Decision based solely on automated Processing without human involvement or human intervention. This may include, but is not limited to, automatic decisions in respect of work performance, credit worthiness, reliability, location, health, personal preferences or conduct. |
Child / Children | A natural person who has attained, or is below, the age of 18 (eighteen) years. |
Consent | Any voluntary, specific, informed and unambiguous expression of will conveyed by the Data Subject, by a statement or clear affirmative action, signifying agreement to the Processing of his/her/their Personal Data. |
Contractor | Any natural or juristic person that provides products and/or services of any nature to MTN, pursuant to a binding agreement with MTN. |
Controller | Is the natural or legal person or entity, public authority, agency or other body which alone or in conjunction with others, determines the purposes and means of Processing Personal Data. |
Data Subject | An individual from, or in respect of whom, personal information is processed. |
Direct Marketing | Communication by whatever means (including but not limited to mail, telephone, online services) of any advertising, marketing or promotional material which is directed to particular Data Subject. This includes communication transmitted directly by MTN or indirectly by another for or on behalf of MTN. |
Director MTNZ | An appointed or elected member of the Board of Directors of MTN Zambia who has certain powers and duties relating to the management or administration of MTN Zambia. |
Employee/s | All persons employed by MTN and/or an MTN Entity whether permanent, time-limited, full-time, or part-time, including directors, trainees, secondees, and external contractors. |
FINCO | A Fintech Company of MTN where the Fintech business has been registered as a standalone entity. The FINCO is a subsidiary of MTN. |
MTNZ Information Security | The department within MTNZ responsible for the design and oversight of information security controls. |
Legal Guardian(s) | The person(s) who is/are legally competent to consent to any action or decision being taken in respect of any matter concerning a Child or person without legal capacity to provide consent for themselves. |
Data Privacy Officer | A Staff of MTN Zambia duly appointed and authorised to occupy and discharge the responsibilities of this position and title (as described in the Data Privacy Procedures). |
Local Regulatory Requirements | Legal, statutory, regulatory, license conditions rules, guidelines, Ministerial/National Security orders or directives, and Directives relating to Public safety (where applicable) and data sovereignty-related requirements with which MTN Zambia is required to comply by applicable authorities. |
MTN Binding Corporate Rules | The intercompany rules or agreement which facilitate cross-border transfers of Personal Data between the various MTN Entities by ensuring that the same high level of protection of Personal Data is complied with by all MTN Entities by means of a single set of binding and enforceable rules. |
MTN Data Privacy and Protection Framework | The Policies, Procedures and Standards, and supporting documents which define and support the management of data privacy and protection requirements within MTN. |
MTN Data Processing Schedule | The approved MTN schedule which aims to regulate the Processing of Personal Data with, for or on behalf of MTN by a Third Party / Third Parties (Processor(s)). |
MTN Data Transfer Schedule | The approved MTN schedule which aims to regulate the transfer of Personal Data from MTN, as a Controller, to a Controller in another country. |
MTN Privacy Procedures | An operational set of specific action steps and processes required to support the implementation of this Policy. |
OpCo | Operating Company of MTN Group. |
Personal Data | Any information relating to a Data Subject. Examples of “Personal Data” includes, but is not limited to, the following: a name; any identifying number, symbol, contact information (e.g. e-mail address, postal address, telephone number); location data or physical address, online identifier or other assignment to the person; the biometric information of the Data Subject; the personal opinions, views or preferences of the Data Subject; correspondence sent by the Data Subject that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; the views or opinions of another person about the Data Subject; and the name of the Data Subject if it appears with other Personal Data relating to the Data Subject or if the disclosure of the name itself would reveal information about the Data Subject; and Sensitive Personal Data. |
Personal Data Breach | An event or occurrence (including but not limited to a breach of security) leading to the accidental or unlawful destruction, loss or damage, alteration, disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. |
Policy Owner | The Business Area executive responsible for the development and management of a policy, together with such additional activities as set out in this Policy. |
Privacy by Design | MTN Entities consider the data privacy and protection issues and/or risks during the design, development and/or selection of systems (including applications), services, products and/or processes where the Processing of Personal Data is involved. This includes: implementing appropriate technical and organisational measures to give effect to the data privacy and protection principles set out in this policy, Applicable Data Privacy Laws and/or Local Regulatory Requirements (as applicable); and integrating the necessary safeguards into the Processing in order to meet the requirements set out in this policy, Applicable Data Privacy Laws and/or Local Regulatory Requirements (as applicable) and to protect the rights of Data Subjects insofar as their Personal Data is concerned. |
Privacy by Default | Implementing appropriate measures to ensure that, by default: only Personal Data which is necessary for each specific purpose of the Processing is Processed without the intervention of the user or Data Subject; and system settings automatically comply with the data privacy and protection principles set out in this policy, Applicable Data Privacy Laws and/or Local Regulatory Requirements (as applicable). |
Processing | Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including collection, receipt, recording, organisation, structuring, collation, storage; adaptation or alteration, updating, retrieval, consultation, use, dissemination, disclosure by means of transmission; or otherwise making available, alignment or combination, merging, restriction, erasure, destruction, and/or degradation. |
Processor | Is the natural or legal person or entity, public authority, agency or other body, which Processes Personal Data on behalf of, and under the authority of the Controller, under the terms of a contract or mandate. |
Public Authority | Any governmental authority, regulatory authority, governmental agency, law enforcement authority, judicial authority, the Supervisory Authority or similar body. |
Record | Any recorded information regardless of form or medium, in the possession or under the control of MTN, whether or not it was created by MTN, regardless of when it came into existence, including: writing on any material; information produced, recorded or stored by means of any tape recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored; any label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means; any book, plan, map, graph or drawing; and any photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced. |
Sensitive Personal Data | A sub-set of Personal Data which is considered more sensitive than other categories of Personal Data. Sensitive Personal Data includes but is not limited to Personal Data revealing a Data Subject’s racial or ethnic origin; political opinions or persuasions; religious or philosophical beliefs; trade union membership; criminal behaviour relating to the alleged commission of a crime or proceedings relating to the alleged commission of a crime; genetic data; biometric data; data concerning health; and/or data concerning a Data Subject’s sex life or sexual orientation. Sensitive Personal Data may include additional categories of Personal Data in terms of Applicable Data Privacy laws. |
Supervisory Authority | The relevant data protection authority or regulator which is competent to regulate, monitor and enforce compliance with the Applicable Data Privacy Law(s). |
Third Party/ies | All service providers, suppliers and vendors who provide, directly or indirectly, services and products to MTN Zambia. |
3. Introduction
3.1. Data privacy is a significant issue impacting on businesses globally, including MTN Zambia. MTN Zambia Processes large volumes of Personal Data as part of its business operations. The Processing of Personal Data occurs across multiple systems and value chains across MTN Zambia. MTN Zambia has identified the high importance of complying with Applicable Data Privacy Law(s) and the need to set minimum data privacy standards applicable across MTN Zambia. This is necessary to ensure regulatory compliance but moreover to drive MTN Zambia’s strategy.
3.2. It is imperative that MTN Zambia and all its Directors, Employees, Contractors, Third Parties, and Affiliates adopt responsible data privacy and protection practices. This entails adherence to Applicable Data Privacy Law(s), engendering a corporate culture where Personal Data is respected and protected and complying with MTN Zambia’s data privacy and information security Policies, MTN Privacy and Data Protection Procedures, and Standards.
4. Purpose of this Policy
This Policy supports MTN Zambia in establishing and maintaining an adequate and consistent level of data privacy and protection across Zambia. This policy sets out the minimum expectations that MTN Zambia should comply with when Processing Personal Data of Data Subjects and aims to ensure the ethical and responsible collection, use, and management of Personal Data entrusted to MTN Zambia.
5. Scope and Applicability
5.1. This Policy applies to the Processing of all Records of Personal Data by MTN Zambia, or for and on behalf of MTN Zambia and to:
5.1.1. all Directors and Employees who will, by virtue of their position and role within MTN Zambia, have access to Personal Data entrusted to MTN Zambia;
5.1.2. Contractors, Third Parties, and Affiliates who may Process Personal Data for or on behalf of MTN Zambia or otherwise have access to Personal Data entrusted to MTN Zambia;
5.1.3. all Personal Data under the possession, control and/or ownership of MTN Zambia, whether located at MTN Zambia or non-MTN Zambia locations, in all formats including electronic or physical formats; and
5.1.4. any device or IT Infrastructure used to Process Personal Data within MTN Zambia’s information Processing facilities, or which is authorised to access MTN Zambia’s information processing facilities.
5.2. Any proposed localisation of this Policy needs to be approved by the Group Policy Owner in accordance with the MTN Group Master Policy. The Exception/Deviation Process defined in MTN Group Master Policy must be followed when deviating from the requirements of this Policy.
6. Policy Statements
6.1. MTN believes that privacy, including data privacy, is a human right that should be respected by all organisations including MTN Zambia, its Affiliates, Contractors, and Third Parties. MTN Zambia is committed to adhering to both the letter and spirit of Applicable Data Privacy Laws, this Data Privacy and Protection Policy, and related MTN Zambia Privacy and Data Protection Procedures and Standards, as applicable.
6.2. Data Subjects entrust MTN Zambia with the Processing of their Personal Data, and MTN Zambia is committed to Processing their Personal Data in a lawful, transparent, and fair manner; this includes implementing reasonable and appropriate measures to safeguard Personal Data within MTN Zambia’s possession or under its control.
6.3. MTN strives to develop a data privacy programme which is market leading and aligned with international leading privacy practices. However, MTN Zambia acknowledges that a market leading data privacy programme will take time and resources to develop; accordingly, MTN Zambia is committed to setting ambitious yet realistic targets to meet its vision.
6.4. MTN Zambia has a low risk appetite towards Non-Compliance with Applicable Data Privacy Laws and/or Non-Compliance with this Policy, any related Policies, MTN Zambia Privacy and Data Protection Procedures and/or Standards which support data privacy and protection principles.
7. Policy Hierarchy
7.1. The MTN Zambia Data Privacy and Protection Framework will consist of the following documents in order of precedence:
7.1.1. Applicable Data Privacy Laws and Local Regulatory Requirements;
7.1.2. MTN Zambia Data Privacy and Protection Policy;
7.1.3. MTN Zambia Privacy Procedures;
7.1.4. supporting documents, including, but not limited to, any manuals, processes, guidelines and templates.
7.2. This Policy is prescriptive about data privacy and protection requirements and in accordance with Applicable Data Privacy Laws and Local Regulatory Requirements.
7.3. To the extent that the requirements in the MTN Zambia Data Privacy and Protection Policy (including any related Policies, MTN Zambia Privacy and Data Protection Procedures, Standards and/or supporting documents) are also dealt with in Applicable Data Privacy Laws and/or Local Regulatory Requirements, the higher standard will apply.
7.4. Insofar as the requirements set out in this Policy (including any related Policies, MTN Zambia Privacy and Data Protection Procedures, Standards and/or supporting documents) are in conflict with Applicable Data Privacy laws and/or Local Regulatory Requirements, then the Applicable Data Privacy laws and/or Local Regulatory Requirements (as applicable) will prevail subject to consultation with and approval from the Group Policy Owner.
8. Key Privacy Principles
8.1. Accountability
Demonstrate compliance
8.1.1. MTN Zambia shall be responsible for and should demonstrate compliance with Applicable Data Privacy Laws, this Policy and related Policies, MTN Zambia Privacy and Data Protection Procedures and/or Standards giving effect to data privacy and protection.
Governance
8.1.2. MTN Zambia should establish a governance structure that ensures accountability for data privacy and protection at the highest level. The governance structure should be appropriate having regard to the size, complexity, and nature of Processing performed by the business.
8.1.3. MTN Zambia:
8.1.3.1. which is subject to Applicable Data Privacy Laws, should appoint a Data Privacy Officer, as specified in the Data Privacy Procedures, with the knowledge, skills, expertise and sufficient seniority to discharge his/her/their roles and responsibilities.
8.1.3.2. may appoint one or more local deputy data privacy officer(s), as specified in the Data Privacy Procedures, to support the Data Privacy Officer in discharging his/her/their roles and responsibilities, as appropriate having regard to the size, complexity and nature of Processing performed by MTN Zambia.
Privacy Risk Management and Compliance
8.1.4. MTN Zambia should design and implement robust data privacy and protection risk management measures and mitigating strategies and establish effective controls. In this regard MTN Zambia should at a minimum:
8.1.4.1. apply the MTN Zambia Enterprise Risk Management Policy, Procedures, Standards and Guidelines to ensure data privacy and protection risks are identified, assessed, monitored, managed and reported consistently across MTN Zambia; and
8.1.4.2. implement reasonable, effective and appropriate controls giving effect to the principles of Privacy by Design and Privacy by Default.
Corporate Culture
8.1.5. MTN Zambia should take proactive measures to build, maintain and evidence a corporate culture where all Directors and Employees respect and embrace data privacy and protection within MTN Zambia. This includes conducting appropriate and effective training and awareness.
Third Party Risk Management
8.1.6. MTN Zambia should manage its Third Party risks from a data privacy and protection perspective. In respect of any Third Party which Processes Personal Data for or on behalf of MTN Zambia (Processor) or which may otherwise have access to Personal Data entrusted to MTN Zambia, MTN Zambia should:
8.1.6.1. identify and assess the inherent risk of outsourcing the service;
8.1.6.2. identify and assess the data privacy and protection risks posed by each Third Party / Processor with whom MTN Zambia is engaged or intends to engage;
8.1.6.3. implement reasonable, effective and appropriate measures (including entering into a MTN Zambia Data Processing Agreement or similar contractual arrangement) to mitigate data privacy and protection risks posed by the specific Third Party / Processor; and
8.1.6.4. perform on-going monitoring of the Third Party / Processor to ensure that the data privacy and protection risks posed by the Third Party / Processor remain within MTN Zambia’s risk appetite and that the Third Party / Processor is compliant with MTN Zambia’s data privacy and protection requirements.
Regulatory Management
8.1.7. MTN Zambia is responsible for identifying regulatory change and for assessing its impact on business and its data privacy and protection obligations and should implement any measures required in response to such changes in consultation with its Data Privacy Officer and, where required, the Group Privacy Office.
8.1.8. MTN Zambia should identify and lodge any customary regulatory filings or reports that may be required in terms of Applicable Data Privacy Laws to the relevant Supervisory Authority timeously.
8.1.9. MTN Zambia should manage any regulatory interactions related to its business activities within their jurisdiction in consultation with the Data Privacy Officer and Group Data Privacy Officer, including but not limited to:
8.1.9.1. requests, investigations and enforcement action by Supervisory Authorities;
8.1.9.2. civil litigation related to MTN Zambia’s data privacy and protection practices within the jurisdiction; and/or
8.1.9.3. criminal charges related to Non-Compliance with Applicable Data Privacy Laws.
Disclosures to Public Authorities
8.1.10. In circumstances where MTN Zambia receives a request or demand (including a notice, formal inquiry or investigation) for disclosure of Personal Data of a Data Subject by a Public Authority (“Disclosure Request”), it should review the legality of the Disclosure Request having regard to Applicable Data Privacy Laws (if any) and Local Regulatory Requirements to consider whether the Disclosure Request is legally binding (including a judicial order) or whether it should be objected to and/or legally challenged. This determination should be made in consultation with, and subject to the approval of, the Data Privacy Officer and Local Legal Counsel. The Disclosure Request should be escalated to the Group Data Privacy Officer and Group Chief Legal and Regulatory Counsel in circumstances where the request is material, as specified in the MTN Zambia Privacy Procedure.
8.1.11. If the Disclosure Request is viewed by MTN Zambia as being legally binding and all procedural requirements have been satisfied as specified in the MTN Zambia Privacy Procedure, MTN Zambia should only provide the minimum Personal Data permissible in response to such request.
8.1.12. If the Disclosure Request is viewed by MTN Zambia as not being legally binding, MTN Zambia should, depending on the circumstances and content of the Disclosure Request, object to the Disclosure Request and/or apply for interim relief in order to suspend the Disclosure Request subject to a competent judicial authority finally pronouncing on the legality and binding nature of the Disclosure Request.
8.2. Fair and lawful basis for Processing
8.2.1. MTN Zambia should Process Personal Data lawfully, and in a manner that does not unfairly infringe the data privacy rights of any Data Subject. In this regard, Processing of:
8.2.1.1. Personal Data shall be lawful only if and to the extent that at least one of the grounds in Paragraph 1 of Annexure A applies to the Processing;
8.2.1.2. Sensitive Personal Data is prohibited unless at least one of the exceptions specified in Paragraph 2 of Annexure A applies to the Processing; and/or
8.2.1.3. Children’s Personal Data is prohibited unless at least one of the exceptions specified in Paragraph 3 of Annexure A applies to the Processing.
8.3. Purpose limitation
8.3.1. MTN Zambia should have a clear understanding of its Processing activities and should maintain an up-to-date record or inventory of the Processing activities under its responsibility.
8.3.2. MTN Zambia should only collect Personal Data for specified, explicit and legitimate purpose(s) related to its business activities (“the Original Purpose(s)”).
8.3.3. MTN Zambia should not further Process Personal Data for any purpose(s) that is incompatible with the Original Purpose(s) unless:
8.3.3.1. such further Processing is authorised in terms of Applicable Data Privacy Laws;
8.3.3.2. it has obtained the Data Subject’s / Legal Guardian’s Consent to the further Processing;
8.3.3.3. further Processing is necessary to comply with an obligation imposed by law or for conducting proceedings in a court or tribunal; or
8.3.3.4. it is for scientific or historical research purposes or statistical purposes.
8.4. Transparency
8.4.1. MTN Zambia should be transparent with Data Subjects regarding its Processing activities including the purposes for and manner in which MTN Zambia Processes Personal Data. In this regard MTN Zambia should implement measures that ensure that:
8.4.1.1. Data Subjects are provided with relevant and appropriate information and communication regarding MTN Zambia’s Processing activities; and
8.4.1.2. such information and communication is clear, concise, easily understandable, and conveyed through channels that are accessible and appropriate for the intended audience.
8.5. Data minimisation
8.5.1. MTN Zambia should only Process Personal Data that is adequate and relevant to the legitimate business purpose(s) for which it is being Processed. MTN Zambia should immediately return, de-identify, destroy through secure means and/or permanently erase by appropriate and effective mechanisms Personal Data which is excessive or irrelevant to MTN Zambia’s legitimate business purpose.
8.6. Personal Data Retention
8.6.1. MTN Zambia should not retain Records of Personal Data any longer than is necessary for achieving the Purpose(s) for which Personal Data is Processed, unless:
8.6.1.1. retention of the Record is required or authorised by Local laws;
8.6.1.2. the Data Subject or Legal Guardian, where the Data Subject is a Child, has Consented to the retention of the Record;
8.6.1.3. retention of the Record is required for historical, statistical or research purposes, provided that MTN Zambia has established appropriate safeguards against the Records being used for any other purposes.
8.6.2. MTN Zambia should ensure that Personal Data which is no longer required, or which MTN Zambia is no longer authorised to retain in accordance with 8.6.1 above, is, as soon as reasonably practicable, de-identified or destroyed through secure means, or alternatively permanently erased by appropriate and effective mechanisms.
8.7. Data Quality
8.7.1. MTN Zambia should take reasonably practicable steps to ensure that the Personal Data which it Processes is complete, accurate, not misleading and updated, where necessary, taking into consideration the Purpose(s) for which that Personal Data is being or will be Processed. MTN Zambia should take reasonable steps, having regard to the purposes for which the Personal Data is being or will be Processed, to ensure that inaccurate Personal Data is erased or rectified without delay.
8.8. Security and Integrity
Security and Integrity of Personal Data
8.8.1. MTN Zambia should secure the confidentiality, integrity and availability of the Personal Data in its possession or under its control by implementing appropriate, reasonable technical, physical, and organisational measures to prevent:
8.8.1.1. accidental loss of, damage to, or unauthorised destruction of Personal Data;
8.8.1.2. unlawful or unauthorised access to Personal Data; and
8.8.1.3. unlawful or unauthorised Processing of Personal Data.
8.8.2. MTN Zambia should take reasonable measures to regularly identify and assess all reasonably foreseeable internal and external risks to Personal Data in its possession or under its control and implement reasonable and appropriate technical, physical and organisational security measures to protect against the identified risks. Without derogating from the above, MTN Zambia should implement:
8.8.2.1. all minimum security measures prescribed by the MTN Zambia Privacy Office and MTN Zambia Information Security; and
8.8.2.2. any additional security measures that are reasonable and appropriate having regard to, inter alia, the sensitivity of the Personal Data Processed, the nature and context of Personal Data Processing, the impact that a security compromise would have on the Data Subject, the costs of implementation, leading security practices, internal or external evaluation of controls, the likelihood and severity of the risk and, where applicable, the requirements of Applicable Data Privacy Laws and Local Regulatory Requirements.
Personal Data Breaches
8.8.3. If MTN Zambia becomes aware of, or reasonably suspects, that a Personal Data Breach has occurred or that the integrity or confidentiality of Personal Data has been compromised, MTN Zambia should adhere to MTN Zambia’s incident management Policies, Procedures and supporting documents governing the handling and reporting of Personal Data Breaches.
8.9. Data Subject Rights
8.9.1. MTN Zambia should implement appropriate mechanisms, consistent with Applicable Data Privacy Laws (where there may be) and the MTN Zambia Privacy and Data Protection Procedures, which enable Data Subjects to exercise the following data privacy rights:
8.9.1.1. Transparent information: Data Subjects have the right to receive transparent, clear and relevant information regarding the Processing of his/her/their Personal Data by or for MTN Zambia;
8.9.1.2. Access: Data Subjects have the right to obtain confirmation from MTN Zambia as to whether or not his/her/their Personal Data is being Processed by or for MTN Zambia and to request access to or copies of his/her/their Personal Data which is being Processed by or for MTN Zambia;
8.9.1.3. Correction: Data Subjects have the right to request the correction of inaccurate Personal Data concerning him/her/them. Further, having regard to the purposes of the Processing, Data Subjects have the right to have incomplete Personal Data supplemented to ensure the Record is complete and not misleading.
8.9.1.4. Destruction: Data Subjects have the right to request MTN Zambia to destroy or delete a Record of Personal Data about the Data Subject that MTN Zambia is no longer authorised to retain in accordance with Applicable Data Privacy Laws and/or this Policy;
8.9.1.5. Restriction: Data Subjects may, under certain circumstances, have the right to request and obtain the restriction of Processing of Personal Data;
8.9.1.6. Withdrawal of consent: Where Personal Data is being Processed on the legal basis of Consent, Data Subjects or, in the case of a Child, their Legal Guardians, have the right to withdraw such Consent to the continued Processing of Personal Data by or for MTN Zambia;
8.9.1.7. Object to Processing: Data Subjects have the right to object, on grounds related to his/her/their particular circumstances, to the Processing of his/her/their Personal Data. Data Subjects may exercise this right in circumstances where:
a. MTN Zambia is Processing Personal Data unlawfully and/or contrary to this Policy;
b. MTN Zambia is Processing such Personal Data on the basis that it is necessary for the performance of a task carried out in the public interest or that Processing is necessary in pursuing the legitimate interest of MTN Zambia or a third party;
c. Personal Data is being Processed for Direct Marketing purposes (including profiling to the extent that it is related to such Direct Marketing); and/or
d. as otherwise defined in terms of Applicable Data Privacy Laws.
8.9.1.8. Fair decision making: Data Subjects have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning him/her/them or similarly significantly affects him/her/them; and
8.9.1.9. Complaint: Data Subjects have the right to lodge a complaint with MTN Zambia or against MTN Zambia regarding any perceived infringement on his/her/their data subject rights and/or regarding any perceived Non-Compliance by MTN Zambia with Applicable Data Privacy Laws and/or this Policy and applicable related Policies.
8.10. Specific Processing Activities
International Transfers of Personal Data
8.10.1. MTN Zambia may only transfer Personal Data outside of the country where it was originally collected in compliance with Applicable Data Privacy Laws (where there may be) and/or Local Regulatory Requirements.
8.10.2. In addition to complying with 8.10.1 above, MTN Zambia should not transfer Personal Data outside of the country where it was originally collected unless one of the conditions below is satisfied prior to the transfer of Personal Data:
8.10.2.1. the Data Subject or Legal Guardian, where the Data Subject is a Child, has explicitly Consented to the transfer of his/her/their/the Child’s Personal Data to that specific jurisdiction after having been informed of the possible risks of such transfers for the Data Subject;
8.10.2.2. the Personal Data is transferred to a Third Party / Processor which is subject to a binding agreement materially the same as the MTN Data Transfer Agreement(s) Governing International Transfers;
8.10.2.3. the transfer is to another MTN Entity which is subject to the MTN Binding Corporate Rules that are legally binding and apply to and are enforced by both the transferring MTN Entity and the receiving MTN Entity;
8.10.2.4. the transfer is necessary for the conclusion or performance of a contract between the Data Subject and MTN Zambia or for the fulfilment of pre-contractual measures at the request of a Data Subject;
8.10.2.5. the transfer is required for the conclusion of a contract between MTN Zambia and a Third Party, which is in the interests of the Data Subject;
8.10.2.6. the transfer is necessary in order to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent;
8.10.2.7. the transfer is necessary for the establishment, exercise or defence of legal claims.
Direct Marketing
8.10.3. MTN Zambia should ensure that its Direct Marketing practices, including whether or not to obtain prior consent to Direct Marketing, align with Applicable Data Privacy Laws and/or Local Regulatory Requirements on the matter.
8.10.4. Where MTN Zambia does not require prior consent to perform Direct Marketing, it should reasonably monitor consumer and regulatory sentiment as well as industry practices and adapt its Direct Marketing practices having regard to MTN Zambia’s strategy.
8.10.5. MTN Zambia should give Data Subjects the opportunity and mechanism to opt out of Direct Marketing on every Direct Marketing communication. If a Data Subject opts out of receiving Direct Marketing, MTN should, as soon as reasonably practicable, cease Direct Marketing to the Data Subject and only resume Direct Marketing with the express (‘opt-in’) Consent of the Data Subject.
Automated Decision Making
8.10.6. MTN Zambia should not subject a Data Subject to any Automated Decision Making (including profiling) which results in legal consequences for the Data Subject and/or which affects him/her/them in a similarly significant manner unless:
8.10.6.1. the decision is necessary for entering into a contract with the Data Subject;
8.10.6.2. the decision is necessary for performance in terms of a contract with the Data Subject;
8.10.6.3. the decision is based on the Data Subject’s explicit Consent;
8.10.6.4. the Automated Decision Making Process has been approved by the Data Privacy Officer and Group Data Privacy Officer following a comprehensive risk assessment; or
8.10.6.5. it is authorised and governed by Applicable Data Privacy Laws and/or Local Regulatory Requirements in which appropriate measures are specified for protecting the rights and freedoms of Data Subjects.
8.10.7. If MTN Zambia conducts Automated Decision Making in terms of 8.10.6.1 to 8.10.6.4 above, MTN Zambia should implement adequate measures to:
8.10.7.1. safeguard the Data Subject’s rights, freedoms and legitimate interests;
8.10.7.2. provide the Data Subject with sufficient information about the underlying logic of the Automated Decision Making process; and
8.10.7.3. allow the Data Subject to request human intervention by MTN Zambia and to express his/her/their point of view and/or to contest the decision.
8.10.8. MTN Zambia should not perform any Automated Decision Making using Sensitive Personal Data, which results in legal consequences for the Data Subject and/or which affects him/her/them in a similarly significant manner unless the requirements in 8.10.7 are implemented and:
8.10.8.1. the Data Subject has given explicit Consent to the Processing of those categories of Sensitive Personal Data for the purposes specified by MTN Zambia by automated means; or
8.10.8.2. it is necessary to meet applicable Local Regulatory Requirements; or
8.10.8.3. the use of Sensitive Personal Data for the Automated Decision Making Process has been approved by the Local Data Privacy Officer and Group Data Privacy Officer following a comprehensive risk assessment.
Cloud adoption
8.10.9. When MTN Zambia is consuming cloud services and/or providing cloud-based services that involve Processing of Personal Data, it must adhere to the privacy controls as detailed in this Policy as well as the MTN Zambia Cloud Usage Policy.
9. Document Control
9.1. This Policy, including all its supporting and/or related MTN Zambia Privacy and Data Protection Procedures and Standards should be reviewed annually in terms of the MTN Zambia Master Policy by the Policy Owner to determine any gaps and to assess, amongst others the Policy’s alignment with:
9.1.1. MTN Zambia’s strategy and business objectives;
9.1.2. MTN Zambia’s data privacy and protection strategy and international best practices;
9.1.3. Related Policies, Processes, MTN Privacy and Data Protection Procedures and Standards (to the extent required); and
9.1.4. gaps in coverage resulting from organisational changes.
9.2. If this Policy, including all its supporting and/or related Processes, MTN Zambia Privacy and Data Protection Procedures and Standards, is not reviewed within the required time frame, then the latest approved Policy including all its supporting and/or related Processes, MTN Zambia Privacy and Data Protection Procedures and Standards, will continue to operate until the review and approval occurs.
10. Policy Compliance
10.1. Any disciplinary action arising from Non-Compliance with this Policy by an Employee will be dealt with in accordance with the Disciplinary Code and Disciplinary Procedure of MTN Zambia.
10.2. Where an Employee is suspected of breaching the Policy, an internal investigation will be undertaken and, depending on the outcome, disciplinary action, civil and/or criminal legal action may be taken against the offending Employee.
10.3. If MTN Zambia is unable to comply with the provisions set out in this Policy or in any other Group Policy, the Dispensation template set out in the Master Policy should be completed and submitted for approval to the Group Policy Owner.
10.4. Any Non-Compliance or breach of this Policy by a Contractor, Third Party or Processor will be dealt with in terms of any contractual or common law rights MTN Zambia has against the Contractor, Third Party or Processor.
11. Referenced Documents/Related Policies
Document Name | Publication Date | Published By |
---|---|---|
MTN Zambia Master Policy | ||
MTN Zambia Privacy Procedures | ||
MTN Zambia Risk Acceptance and Escalation Policy | ||
MTN Zambia Treating Customers Fairly Policy | ||
MTN Zambia Digital Human Rights Policy | ||
MTN Zambia Information Security Policy | ||
MTN Zambia Incident Management Policy | ||
MTN Zambia Enterprise Risk Management Policy | ||
MTN Zambia Enterprise Risk Management Framework | ||
MTN Zambia Stakeholder Management Policy | ||
MTN Zambia Cloud Usage Policy | ||
MTN Zambia Marketing Policy | ||
MTN Zambia Legal Contract Policy | ||
MTN Zambia Direct Marketing Policy | ||
Annexure A – Lawful Basis for Processing Personal Data
1. Personal Data
a. The Data Subject has given Consent to the Processing of his/her/their Personal Data for one or more specific purposes;
b. Processing of Personal Data is necessary in order to comply with legal obligations, such as Local Regulatory Requirements, to which MTN Zambia is subject;
c. Processing of Personal Data is necessary for the performance of a contract which the Data Subject is a party to or in order to carry out actions necessary for the conclusion of a contract to which the Data Subject is a party;
d. Processing of Personal Data is necessary in order to protect the vital interests of the Data Subject or another natural person;
e. Processing is necessary for the performance of a task carried out in the public interest; or
f. Processing is necessary for pursuing the legitimate business interests of MTN Zambia or of a Third Party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a Child.
2. Sensitive Personal Data
a. The Data Subject has given explicit Consent to the Processing of his/her/their Sensitive Personal Data for one or more specified purposes;
b. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of MTN Zambia or of the Data Subject in the field of employment and social security and social protection law;
c. Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent;
d. Processing relates to Sensitive Personal Data which was intentionally made public by the Data Subject;
e. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
f. Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the Employee, medical diagnosis, the provision of health or social care or treatment or pursuant to contract with a health professional who is subject to the obligation of professional secrecy in terms of local law or rules established by national competent bodies;
g. Processing is necessary for scientific or historical research purposes or statistical purposes provided such Processing is proportionate to the aim pursued, MTN Zambia respects the essence of the right to data protection and MTN Zambia provides for suitable and specific measures to safeguard the fundamental rights and the interests of the Data Subject; or
h. Processing of Personal Data related to criminal behaviour is obtained and used in accordance with Local Regulatory Requirements.
3. Children’s Personal Data
a. The Child’s Legal Guardian has given explicit Consent to the Processing of the Child’s Personal Data for one or more specified purposes;
b. Processing is necessary to protect the vital interests of the Child;
c. Processing relates to Personal Data which was intentionally made public by the Child with the Consent of his/her/their Legal Guardian;
d. Processing is necessary for the establishment, exercise or defence of legal claims;
e. Processing is necessary for reasons of substantial public interest, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the Child; or
f. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes provided such Processing is proportionate to the aim pursued, MTN Zambia respects the essence of the right to data protection and MTN Zambia provides for suitable and specific measures to safeguard the fundamental rights and the interests of the Child.