The Blue Penguin Company Limited (hereafter referred to as “BP”) is committed to protecting the rights and freedoms of our data subjects, and safely and securely processing their data in accordance with all of our legal obligations, including compliance with the Ghana’s Data Protection Act.
We process both personal and sensitive data about our employees, merchants, customers, suppliers, and other
individuals for a variety of business purposes.
This policy sets out how we seek to protect personal data and ensure that our employees, joint controllers and
third-party data processors understand the rules governing their use of the personal data to which they have
access during the course of their work on behalf of BP.
This policy applies to all personal data processed by BP and all our partners, vendors and merchants.
All personal and sensitive data will be equally referred to as personal data in this policy, unless specifically stated
This policy relates to data protection, and email and systems use.
- Principles of BP’s General Data Protection Regulation
The following outlines the principles of BP’s General Data Protection Regulation. The Blue Penguin adheres to the
principles set out below.
3.1. Lawfulness, Fairness and Transparency
All data must be processed legally, and in a way that is fair and transparent. The Data Subject will be
clearly informed about how their data is being processed at the time it is being captured and who their data
is shared with. The Data Subject’s data will not be shared with or disclosed to a third party other than to a
party contracted to BP and operating on its behalf.
Data Protection Policy
3.2. Collected for specific, explicit and legitimate purposes
The Blue Penguin will only collect data from data subjects for a specific purpose, and this purpose will
be made clear to the data subject at the time the data is collected.
Once data is collected for a specific purpose, it will not be processed for any other purpose without
the data subject’s prior consent.
3.3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are
The Blue Penguin will ensure that any data obtained from the data subject will be adequate and relevant
to the purpose(s) for which it is being processed. No unnecessary or additional data will be processed if
the original purpose has been satisfied.
3.4. Accurate and, where necessary, kept up-to-date
Every effort will be made to ensure that all data collected from data subjects is accurate. Data held on
the Blue Penguin’s system will be updated periodically to ensure any inaccuracies are rectified. Where
BP is made aware of any inaccurate data by the data subject, we will rectify this immediately. BP will
ensure that any out-of-date data be destroyed or deleted.
3.5. Kept in a form which permits identification of data subjects for no longer than is necessary
Data will be retained for no longer than is necessary in light of the purposes for which that data was
originally collected and processed. Any unsolicited data received by The Blue Penguin employees, via
email or post, will be deleted/destroyed immediately.
3.6. Processed in a manner that ensures appropriate security of personal data
All data will be processed safely and securely, to prevent unlawful or unauthorized processing, accidental
or unlawful destruction, or accidental loss or damage to the data.
The Blue Penguin will conduct a periodic security review of its IT systems to ensure that the appropriate
measures are in place and adhered to.
3.7. Accountability for the implementation of the above principles
The Blue Penguin takes responsibility to adhere to the above principles at all times during the course of
business. The Blue Penguin will keep a record of all the merchant’s personal data collected, held or
processed. The following details will be recorded:
– 3 – firstname.lastname@example.org
Data Protection Policy
Merchant’s telephone number
Merchant’s email address
Merchant’s Account details
Merchant’s Bank Account Details
- Data Protection Officer
As part of the Data Protection Act Data Protection Act, 2012 (Act 843) it is mandatory for The Blue Penguin
to formally appoint Data Protection Officer (“DPO”).
The DPO will be included in any matters involving data protection at the earliest possible stage, including
privacy impact assessments, data processing activities that may affect data subjects, and incidents which
affect the data of subjects.
4.1. Responsibilities of the DPO
The DPO will be responsible for the following:
To inform and advise BP, its employees, and third-party data processors of their obligations
under the Data Protection Act;
To monitor compliance with The Data Protection Commission (DPC) and BP policies in relation
to the protection of personal data, including raising awareness of these policies amongst BP
employees, ensuring relevant and continuous staff training, and auditing and reviewing BP
systems and procedures;
To act as the contact point with the supervisory authority on issues relating to BP’s
To ensure a strict code of confidentiality concerning their role as DPO;
To provide advice to BP, where requested, regarding Data Privacy Impact Assessments and to
monitor their performance.
4.2. Contacting the DPO
The DPO should be notified of data breaches, processor agreements or as per data breach
– 4 – email@example.com
Data Protection Policy
- Data Protection Breach
5.1. What is a personal data breach?
A personal data breach is described as a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored
or otherwise processed.
5.2. Reporting a breach
BP treats data breaches very seriously. The Blue Penguin should be notified immediately of any data
breaches as per the Data Protection Act, 2012 (Act 843) breach management policy.
A record of any data breach that occurs, including a description of the breach, its effects and the remedial
action taken, will be kept in the BP’s Data Breach Log.
Where the personal data breach results in a high risk to the rights and freedoms of a data subject, the
BP are obliged to inform the data subject immediately.
5.3. Data Breach Management Policy
In the event of a data breach occurring, the BP’s `Data Breach Management Policy’ outlines the
procedure to be followed in responding to and managing the breach.
- Training, Auditing & Monitoring
All The Blue Penguin’s employees will receive data protection training specific to their role. This training
will be periodically reviewed and refreshed to ensure continuing professional development in the area of
data protection law and the general data protection regulation.
6.2. Auditing & Monitoring
Methods of collecting, holding and processing personal data will be regularly evaluated and reviewed. All
employees, joint controllers and third-party processors working on behalf of CAO will be made fully aware
of both their individual responsibilities and CAO’s responsibilities under the Regulation and under this
– 5 – firstname.lastname@example.org
Data Protection Policy
Personal Data `Personal data’ means any information relating to an identified or identifiable natural
person (`data subject’); an identifiable natural person is one who can be identified, directly
or indirectly, in particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or social identity of that natural
Data Subject An individual who is the subject of the personal data.
Special Special categories of data include information about an individual’s racial or ethnic origin,
Categories of political opinions, religious or similar beliefs, trade union membership (or non-
Personal Data membership), physical or mental health or condition, criminal offences, or related
proceedings, and genetic and biometric information — any use of special categories of
personal data should be strictly controlled in accordance with this policy.
Data `Data controller’ means the natural or legal person, public authority, agency or other bodyPController which, alone or jointly with others, determines the purposes and means of the processing
of personal data; where the purposes and means of such processing are determined by
Data `Processor’ means a natural or legal person, public authority, agency or other
Processor body which processes personal data on behalf of the controller.
Processing `Processing’ means any operation or set of operations which is performed on personal
data or on sets of personal data, whether or not by automated means, such as collection,
recording, organization, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or destruction.
Supervisory This is the national body responsible for data protection.