1. Introduction


The Blue Penguin Company Limited (hereafter referred to as “BP”) is committed to protecting the rights and freedoms of our data subjects, and safely and securely processing their data in accordance with all of our legal obligations, including compliance with Ghana’s Data Protection Act.


We process both personal and sensitive data about our employees, merchants, customers, suppliers, and other individuals for a variety of business purposes.


This policy sets out how we seek to protect personal data and ensure that our employees, joint controllers and third-party data processors understand the rules governing their use of the personal data to which they have access during the course of their work on behalf of BP.



2. Scope


This policy applies to all personal data processed by BP and all our partners, vendors and merchants.


All personal and sensitive data will be equally referred to as personal data in this policy, unless specifically stated



This policy relates to data protection, and email and systems use.


3. Principles of BP’s General Data Protection Regulation


The following outlines the principles of BP’s General Data Protection Regulation. The Blue Penguin adheres to the principles set out below.


3.1. Lawfulness, Fairness and Transparency


All data must be processed legally, and in a way that is fair and transparent. The Data Subject will be clearly informed about how their data is being processed at the time it is being captured and who their data is shared with. The Data Subject’s data will not be shared with or disclosed to a third party other than to a party contracted to BP and operating on its behalf.








Data Protection Policy




3.2. Collected for specific, explicit and legitimate purposes


The Blue Penguin will only collect data from data subjects for a specific purpose, and this purpose will be made clear to the data subject at the time the data is collected.


Once data is collected for a specific purpose, it will not be processed for any other purpose without the data subject’s prior consent.



3.3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are



The Blue Penguin will ensure that any data obtained from the data subject will be adequate and relevant to the purpose(s) for which it is being processed. No unnecessary or additional data will be processed if the original purpose has been satisfied.



3.4. Accurate and, where necessary, kept up-to-date



Every effort will be made to ensure that all data collected from data subjects is accurate. Data held on the Blue Penguin’s system will be updated periodically to ensure any inaccuracies are rectified. Where BP is made aware of any inaccurate data by the data subject, we will rectify this immediately. BP will ensure that any out-of-date data is destroyed or deleted.



3.5. Kept in a form which permits identification of data subjects for no longer than is necessary


Data will be retained for no longer than is necessary in light of the purposes for which that data was originally collected and processed. Any unsolicited data received by The Blue Penguin employees, via email or post, will be deleted/destroyed immediately.



3.6. Processed in a manner that ensures appropriate security of personal data


All data will be processed safely and securely, to prevent unlawful or unauthorized processing, accidental or unlawful destruction, or accidental loss or damage to the data.


The Blue Penguin will conduct a periodic security review of its IT systems to ensure that the appropriate measures are in place and adhered to.



3.7. Accountability for the implementation of the above principles


The Blue Penguin takes responsibility to adhere to the above principles at all times during the course of business. The Blue Penguin will keep a record of all the merchant’s personal data collected, held or processed. The following details will be recorded:









– 3 –        info@theblupenguin.com








Merchant’s name

Merchant’s telephone number

Merchant’s email address

Merchant’s Account details

Merchant’s Bank Account Details



4. Data Protection Officer


As part of the Data Protection Act, 2012 (Act 843), it is mandatory for The Blue Penguin to formally appoint a Data Protection Officer (“DPO”).


The DPO will be included in any matters involving data protection at the earliest possible stage, including privacy impact assessments, data processing activities that may affect data subjects, and incidents which affect the data of subjects.



4.1. Responsibilities of the DPO


The DPO will be responsible for the following:

To inform and advise BP, its employees, and third-party data processors of their obligations under the Data Protection Act;

To monitor compliance with The Data Protection Commission (DPC) and BP policies in relation to the protection of personal data, including raising awareness of these policies amongst BP employees, ensuring relevant and continuous staff training, and auditing and reviewing BP systems and procedures;

To act as the contact point with the supervisory authority on issues relating to BP’s processing activities;

To ensure a strict code of confidentiality concerning their role as DPO;

To provide advice to BP, where requested, regarding Data Privacy Impact Assessments and to monitor their performance.



4.2. Contacting the DPO


The DPO should be notified of data breaches, processor agreements or as per data breach management policy.























5. Data Protection Breach


5.1. What is a personal data breach?

A personal data breach is described as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.


5.2. Reporting a breach

BP treats data breaches very seriously. The Blue Penguin should be notified immediately of any data breaches as per the Data Protection Act, 2012 (Act 843) breach management policy.


A record of any data breach that occurs, including a description of the breach, its effects and the remedial action taken, will be kept in BP’s Data Breach Log.


Where the personal data breach results in a high risk to the rights and freedoms of a data subject, BP is obliged to inform the data subject immediately.


5.3. Data Breach Management Policy

In the event of a data breach occurring, BP’s ‘Data Breach Management Policy’ outlines the procedure to be followed in responding to and managing the breach.



6. Training, Auditing & Monitoring


6.1. Training

All of The Blue Penguin’s employees will receive data protection training specific to their role. This training will be periodically reviewed and refreshed to ensure continuing professional development in the area of data protection law and the general data protection regulation.


6.2. Auditing & Monitoring

Methods of collecting, holding and processing personal data will be regularly evaluated and reviewed. All employees, joint controllers and third-party processors working on behalf of CAO will be made fully aware of both their individual responsibilities and CAO’s responsibilities under the Regulation and under this

























7. Glossary


Personal Data      ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural


Data Subject        An individual who is the subject of the personal data.


Special Categories of Personal Data      Special categories of data include information about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings, and genetic and biometric information — any use of special categories of personal data should be strictly controlled in accordance with this policy.

Data Controller      ‘Data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by



Data Processor      ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.


Processing      ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.



Supervisory         This is the national body responsible for data protection.