1. INTRODUCTION
Tenax Marine Limited (“the Company”, “we” or “us”) is committed to responsible management of personal data, in line with the Nigeria Data Protection Act 2023 (“NDPA”), the Nigeria Data Protection Regulation (NDPR) 2019, and global best practices.
This Policy establishes the standards for retaining, reviewing, and securely disposing of personal data collected, stored, and processed by the Company. It ensures that data is kept only for as long as necessary for legitimate business, contractual, or legal purposes, and that the rights of data subjects are respected.
In tandem with the Data Protection Legislation(s), “Personal Data” refers to any information pertaining to an identified or identifiable natural person (referred to as a “Data Subject”). An identifiable natural person is someone who can be directly or indirectly identified, typically by means of a name, identification number, location data, online identifier, or other factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
Under the Data Protection Legislation(s), Personal Data must be stored in a manner that allows for the identification of data subjects only for as long as necessary to fulfill the purposes for which it was collected. However, there are exceptions to this rule. Personal Data may be retained for longer periods if it is intended for archiving purposes that serve the public interest, scientific or historical research, or statistical analysis. In such cases, the retention of data must adhere to the appropriate technical and organizational measures outlined in the Data Protection Legislation to ensure the data’s protection and security.
Furthermore, the Data Protection Legislation(s) grant individuals the right to erasure, commonly known as “the right to be forgotten.” This right allows data subjects to request the deletion of their Personal Data and to halt its processing under the following circumstances:
a. When Personal Data is no longer necessary for its original purpose of collection or processing (see above);
b. When the data subject withdraws their consent for processing;
c. When the data subject objects to the processing of their Personal Data and the Company has no overriding legitimate interest;
d. When the Personal Data is processed unlawfully (i.e. in breach of the Data Protection Legislations);
e. When the Personal Data has to be erased to comply with a legal obligation.
This policy outlines the types of Personal Data collected by the Company for its services, along with the duration of retention, criteria for establishing and reviewing retention periods, and procedures for deletion or disposal.
For additional details on data protection and compliance with Data Protection Legislation, please consult the Company’s Privacy Policy.
2. SCOPE
2.1. This Policy applies to all Personal Data processed by the Company in the course of its business operations, whether collected directly or indirectly, and regardless of format (electronic, paper, or otherwise).
2.2. It also applies to all employees, contractors, third-party service providers, and business partners who process Personal Data on behalf of the Company.
2.3. Personal data, as held by the above, is stored in the following ways and in the following locations:
a. The Company’s servers and secure databases;
b. Third-party servers, operated by third-party service providers engaged by the Company;
c. Computers owned laptops, desktops and mobile devices;
d. Laptops, computers and other mobile devices provided by the Company to its employees;
e. Computers and mobile devices owned by employees, agents, and sub-contractors used in accordance with the Company’s Bring Your Own Device (“BYOD”) Policy;
f. Physical records held in secure storage within Company premises.
3. AIMS AND OBJECTIVES
This Policy is designed to:
a. Provide clear guidelines for the retention and management of Personal Data, ensuring the Company’s strict compliance with data protection regulations and respecting the rights of data subjects, including their right to erasure; and guarantee the Company’s full adherence to its data protection obligations, as outlined in the Data Protection Legislation, and protect the privacy and rights of data subjects.
b. Harmonize the Company’s data management practices with its obligations under the Data Protection Legislation, by implementing efficient data retention and disposal procedures that prevent data accumulation, promote data quality, and ensure the timely disposal of unnecessary data, thereby streamlining data management processes and reducing associated risks.
c. Guarantee timely and secure disposal of data no longer required.
d. Promote transparency and respect for data subject rights, including the right to erasure.
e. Protect the Company from regulatory, operational, and reputational risks.
4. DATA SUBJECT RIGHTS AND DATA RETENTION
4.1. All Personal Data held by the Company is held in accordance with the requirements of the Data Protection Legislations and data subjects’ rights thereunder, as set out in the Company’s Data Privacy Policy.
4.2. At the point of collecting the data, data subjects shall be fully informed of their rights, of what Personal Data the Company holds about them, how that Personal Data is used, and how long the Company will hold that Personal Data (or, if no fixed retention period can be determined, the criteria by which the retention of the data will be determined).
4.3. In addition to the above, data subjects are given control over their Personal Data held by the Company, including the right to have incorrect data rectified, the right to request that their Personal Data be deleted or otherwise disposed of (notwithstanding the retention periods otherwise set by this Policy), the right to restrict the Company’s use of their personal data, the right to data portability, and further rights as set out in the Company’s Data Privacy Policy.
4.4. Personal data shall not be retained for longer than necessary to fulfil the purpose for which it was collected, except where a longer retention period is required by:
a. Legal or regulatory obligations.
b. Contractual obligations.
c. The establishment, exercise, or defence of legal claims.
d. Archiving in the public interest, scientific or historical research, or statistical purposes (with safeguards in place).
4.5. Where no precise retention period can be fixed, retention shall be determined by criteria including:
a. The nature of the personal data.
b. The purpose of processing.
c. Risks associated with retaining or deleting the data.
d. Legal and contractual requirements.
4.6. Retention schedules shall be reviewed periodically to ensure ongoing compliance.
5. TECHNICAL AND ORGANISATIONAL SAFEGUARDS
The Company adopts reasonable technical and organizational measures to secure personal data throughout its lifecycle, including:
a. Encryption of electronic data at rest and in transit.
b. Strong access control measures and authentication protocols.
c. Confidential marking of sensitive data.
d. Prohibition of unauthorized transfer of personal data.
e. Regular system backups stored securely in encrypted form.
f. Secure transfer and destruction methods for both physical and electronic records.
g. Employee awareness and training on data retention practices.
The Company is not liable for any unauthorized access, alteration, or loss of personal data that arises from circumstances beyond its reasonable control, including but not limited to cyberattacks, third-party misconduct, or force majeure events.
6. DATA DISPOSAL
Upon the expiration of the data retention periods, or when a data subject validly exercises their right to erasure, the Company will securely dispose of such data as follows:
a. Personal Data stored electronically (including any and all backups thereof) shall be deleted.
b. Personal Data stored in hardcopy form shall be shredded or destroyed using secure disposal processes.
c. Personal Data contained in third-party systems shall be authorized to be deleted, with confirmation of such deletion obtained from the relevant third party or service provider.
7. ROLES AND RESPONSIBILITIES OF THE DATA PROTECTION OFFICER
7.1. The Company’s Data Protection Officer (DPO) is responsible for the following:
a. The DPO shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other Data Protection-related policies (including, but not limited to, its Privacy Policy), and with the Data Protection Legislation.
b. The DPO shall be directly responsible for ensuring compliance with the above data retention periods throughout the Company.
c. Any questions regarding this Policy, the retention of personal data, or any other aspect of Data Protection Legislation compliance should be referred to the DPO.
d. Acting as the primary point of contact for data subject requests and NDPC inquiries.
8. IMPLEMENTATION OF POLICY AND REVIEW
This Policy shall be deemed effective as of XXXX. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date. The Company reserves the right to review this Policy periodically and update it where necessary to reflect changes in business practices, technology, or legal/regulatory requirements.
This Policy has been approved and authorised by:
SCHEDULE I – DATA RETENTION SCHEDULE
| | | Duration of employment and 7 years thereafter |
| | Training and Learning Development Records | Duration of employment and 7 years thereafter |
| | Performance review records/Promotions | |
| | | |
| | Purchase orders, Quotations and Payment Records | |
| | Vendor Management Records | |
| | Payment on Delivery Records | |
| | | |
| Finance and Accounting Records | | |
| | Payroll Records and Summaries | |
| | Tax returns and worksheets and other documents relating to determination of tax liability | |
| | Financial Statements (year-end) | |
| | | |
| | Vessel Logs with personal data | |
| Compliance and Regulatory Filings | | |
| | Filings containing personal data | |
| Litigation and Claims Records | Data collected for legal disputes or insurance claims | Until resolution of claim and 6 years thereafter |
| Marketing and Communications Data | Email addresses, subscription preferences, client communications | Until withdrawal of consent/unsubscribe |
| | Medical fitness to work offshore, incident/accident reports | 5 years (unless extended by law for specific incidents) |
| | Access logs, system usage, CCTV footage | CCTV: 90 days (unless required for investigation); System logs: 24–36 months |