HoneyTreatGroup

RC no: 8293216

Honeytreat Group Privacy Policy

In compliance with the Nigeria Data Protection Act 2023 (NDPA)

HTG-DPC-PP-001 | Rev. 1.0

Document Number: HTG-DPC-PP-001
Version: 1.0
Effective Date: 01 May 2025
Review Date: 01 May 2026

Document Control

Prepared By: Queen Ajah
Reviewed By: -
Approved By: Bldr. Samson Soyebi

Revision History

Rev. | Date | Author | Description of Change | Approved By
1.0 | 01 May 2025 | Compliance officer | Initial issue NDPA 2023 compliant privacy policy | Group MD / CEO

Distribution List

Copy Holder | Department / Role | Distribution Method
All Trainees & Students | Honeytreat Trade Academy | Website / Induction Pack
All Employees | All Departments | HR Induction / Intranet
Job Applicants | Recruitment | Application Portal / Email
Data Protection Officer | Compliance / Legal | Master Copy (Controlled)

Note: Printed copies of this document are UNCONTROLLED. The controlled master is held by the Data Protection Officer. Verify currency before use.

1. Purpose

This Privacy Policy defines the framework by which Honeytreat Group ('the Group', 'HTG', 'we', 'us') collects, processes, stores, shares, and destroys personal data relating to trainees, students, employees, job applicants, contractors, business partners, and website visitors.

This document has been prepared in full compliance with the Nigeria Data Protection Act 2023 (NDPA) and the NDPC General Application and Implementation Directive (GAID) 2025.

2. Scope

This Policy applies to all personal data processing activities conducted by or on behalf of the Honeytreat Group, including:

  • Honeytreat Limited - building and engineering services
  • Honeytreat Trade Academy Limited - skills training in construction, digital skills, agriculture, and entertainment
  • Honeytreat Global Services Ltd - Equipment Leasing
  • All subsidiary operations, project sites, and training centres in Lagos, Abuja, and other locations
  • All digital platforms, websites, and mobile applications operated by the Group

This Policy binds all employees, interns, contractors, and third-party processors acting on behalf of the Group.

3. Definitions and Abbreviations

Term | Definition
Personal Data | Any information that identifies or can identify an individual, directly or indirectly.
Sensitive Personal Data | Data revealing health, biometric, ethnic origin, religious, political or sexual orientation information.
Data Subject | The individual to whom personal data relates.
Data Controller | An entity determining the purpose and means of processing personal data. HTG is a Data Controller.
Data Processor | An entity processing personal data on behalf of a Data Controller.
Processing | Any operation on personal data including collection, storage, use, disclosure, or deletion.
NDPA | Nigeria Data Protection Act 2023.
NDPC | Nigeria Data Protection Commission - the regulatory authority.

Abbreviation | Definition
GAID | General Application and Implementation Directive 2025 (issued by NDPC).
DPO | Data Protection Officer.
DPIA | Data Protection Impact Assessment.
DPA | Data Processing Agreement.

4. Normative References

  • Nigeria Data Protection Act 2023 (NDPA)
  • NDPC General Application and Implementation Directive (GAID) 2025
  • Constitution of the Federal Republic of Nigeria 1999 (as amended), Section 37
  • Companies and Allied Matters Act (CAMA) 2020
  • Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (as amended 2024)
  • Freedom of Information Act 2011
  • Central Bank of Nigeria Consumer Protection Framework 2016
  • ISO 9001:2015 - Quality Management Systems (document control principles)

5. Identity of the Data Controller

Field | Details
Organisation | Honeytreat Group (Honeytreat Limited / Honeytreat Trade Academy Limited / Honeytreat Global Services Ltd)
Registered Office | 9a Bankole Street, Magodo Phase 1, Ikeja, Lagos State, Nigeria
RC Number (HTG) | 8293216
Group MD / CEO | Bldr. Samson Soyebi
Data Protection Officer | To be designated - legal@honeytreatgrp.com
Privacy Enquiries | legal@honeytreatgrp.com
Telephone | 08051866667 / 08079378912
Website | www.honeytreatgrp.com

6. Personal Data Collected

6.1 Data Collected Directly from Data Subjects

  • Identity Data: full name, date of birth, gender, NIN, valid government-issued ID
  • Contact Data: home address, email, phone number, WhatsApp
  • Educational & Professional Data: qualifications (HND/B.Eng), certifications, NYSC status, employment history
  • Financial Data: bank account details for stipend/salary payment, payment records
  • Photographic Data: passport photographs, identity verification images
  • Health Data (where relevant): occupational health assessments for site safety compliance

6.2 Data Collected Automatically

  • IP addresses, browser type, and device identifiers from website visits
  • Usage data, cookies, and analytics (subject to cookie consent)
  • Log data from online application portals

6.3 Data Received from Third Parties

  • Referral data from recruitment platforms (e.g., Jobnow Nigeria)
  • Background check and verification reports from authorised agencies
  • Programme data from partner organisations (TechPro Institute, ISHK, LSETF, NBC)

7. Lawful Basis for Processing (NDPA 2023, Section 25)

We process personal data only where a valid lawful basis exists. The applicable basis for each processing activity is documented in our Record of Processing Activities (ROPA - HTG-DPC-ROPA-001).

NDPA 2023 Basis | When Applied | Example - Honeytreat Context
Consent s.25(1)(a) | Freely given, specific, informed | Marketing emails; newsletter subscriptions; cookie analytics
Contract s.25(1)(b) | Necessary for contract performance | Enrolment processing; stipend payment; employment contract
Legal Obligation s.25(1)(c) | Compliance with Nigerian law | FIRS tax reporting; NSITF / pension deductions; ITF levy
Vital Interests s.25(1)(d) | Protect life / safety | Medical emergency on project site or training centre
Legitimate Interests s.25(1)(f) | Proportionate, balancing test passed | IT security monitoring; fraud prevention; service improvement

8. Purposes of Processing

  • Enrolment and administration of skills training, vocational, and academic programmes
  • Processing of job applications, recruitment, and management of employment relationships
  • Payment of stipends, salaries, and statutory deductions (PAYE, pension, NHF)
  • Communication with trainees, students, employees, contractors, and business partners
  • Marketing and promotion of Group programmes and services (with prior consent)
  • Health, safety, and welfare management on project sites and training centres
  • Compliance with legal, regulatory, and statutory obligations under Nigerian law
  • Audit, monitoring, and continuous improvement of Group operations and quality management
  • Statistical analysis and reporting to funders, partners, and regulatory authorities

9. Rights of Data Subjects (NDPA 2023, Sections 34-40)

Data subjects may exercise the following rights by submitting a written request to the DPO (see Section 13). We will respond within 30 days of receipt. Identity verification may be required.

Right (NDPA Reference) | Description | How to Exercise
Right of Access (s.34) | Obtain confirmation and a copy of personal data held about you. | Email: legal@honeytreatgrp.com
Right to Rectification (s.35) | Request correction of inaccurate or incomplete data. | Written request to DPO
Right to Erasure (s.36) | Request deletion where data is no longer necessary or consent is withdrawn. | Written request to DPO
Right to Restrict Processing (s.37) | Request limitation of processing in specified circumstances. | Written request to DPO
Right to Object (s.39) | Object to processing based on legitimate interests or for direct marketing. | Written request to DPO
Right to Withdraw Consent | Withdraw consent at any time; does not affect prior lawful processing. | Email or cookie preference settings
Right to Lodge Complaint | Complain to the NDPC if rights are infringed. | ndpc.gov.ng / info@ndpc.gov.ng

10. Special Categories of Personal Data (NDPA 2023, Section 30)

Sensitive personal data (including health data and biometric information) is processed only where:

  • The data subject has given explicit written consent; or
  • Processing is necessary for occupational health or safety obligations; or
  • Processing is required to comply with obligations under Nigerian employment law; or
  • Processing is necessary to protect the vital interests of the data subject.

Additional safeguards apply, including restricted access, enhanced encryption, and mandatory staff training.

11. Children's Personal Data (NDPA 2023, Section 31 & GAID 2025)

  • The Group does not knowingly collect personal data from persons under the age of 13 without verifiable parental or guardian consent.
  • For persons aged 13 to 17, parental or guardian consent is obtained prior to processing, in line with the NDPA digital age of consent provisions.
  • Where data from a child has been inadvertently collected without proper consent, it will be promptly deleted and the NDPC notified if required.

12. Disclosure and Sharing of Personal Data

We do not sell, rent, or trade personal data. Data may be shared only as follows:

  • Service Providers / Data Processors: engaged under binding DPAs (NDPA s.43) for payroll, IT, background checks, and related services.
  • Regulatory Authorities: NDPC, FIRS, NSITF, NIS, CAC, or law enforcement where required by Nigerian law.
  • Partner Organisations: TechPro Institute, ISHK, and certification bodies, solely for programme delivery.
  • Professional Advisers: solicitors, auditors, and insurers under obligations of confidentiality.
  • Successor Entities: in the event of a merger, acquisition, or restructuring, subject to appropriate notice to data subjects.

13. Cross-Border Transfers (NDPA 2023, Sections 42-43)

Personal data will only be transferred outside Nigeria where:

  • The destination country has been designated by the NDPC as providing adequate protection; or
  • Appropriate safeguards are in place, including NDPC-approved Standard Contractual Clauses; or
  • The data subject has given explicit, informed consent after being made aware of the risks.

14. Data Retention Schedule

Personal data is retained only for as long as necessary for its stated purpose or as required by applicable Nigerian law. Our full retention schedule is maintained in HTG-DPC-RS-001.

Data Category | Retention Period | Legal Basis | Disposal Method
Training & student records | 7 years | NDPA s.26; ITF Act | Secure deletion / shredding
Employee & HR records | 7 years post-employment | CAMA 2020; PITA | Secure deletion / shredding
Unsuccessful job applications | 12 months | Legitimate interests | Secure deletion
Financial & accounting records | 7 years | Finance Act; CAMA 2020 | Secure deletion / shredding
Marketing consent records | Until consent withdrawn | NDPA s.25(1)(a) | Deletion on withdrawal
Website cookies / analytics | Up to 13 months | GAID 2025, Art. 19 | Automatic expiry / deletion
CCTV / security footage | 30 days | Legitimate interests | Automatic overwrite

15. Security of Personal Data (NDPA 2023, Section 39)

The Group implements appropriate technical and organisational measures proportionate to the risk. These include:

  • Encryption of personal data in transit and at rest
  • Role-based access controls and multi-factor authentication
  • Regular security audits and vulnerability assessments
  • Physical security controls at all training centres and project sites
  • Mandatory data protection training for all staff with access to personal data
  • Incident response and business continuity procedures

16. Personal Data Breach Management (NDPA 2023, Section 40)

In the event of a personal data breach:

  • The DPO must be notified immediately upon discovery.
  • A breach risk assessment will be completed within 24 hours.
  • Where the breach is likely to result in risk to data subjects' rights, the NDPC will be notified within 72 hours of discovery, in accordance with NDPA Section 40.
  • Where high risk to data subjects is identified, affected individuals will be notified without undue delay.
  • All breaches - notifiable or otherwise - must be recorded in the Breach Register (HTG-DPC-BR-001).

17. Data Protection Officer (NDPA 2023, Section 32)

Honeytreat Group will designate a Data Protection Officer (DPO) responsible for monitoring compliance with this Policy and the NDPA, serving as the primary point of contact for the NDPC and for data subjects.

DPO Title | Data Protection Officer, Honeytreat Group
Email |
Postal Address | 9a Bankole Street, Magodo Phase 1, Lagos State, Nigeria
Telephone |
NDPC Registration | [To be inserted upon registration]

18. Cookies and Online Tracking (GAID 2025, Article 19)

Our website (www.honeytreatgrp.com) uses cookies in accordance with GAID 2025, Article 19:

  • Strictly necessary cookies are enabled without consent (security, session management, core functionality).
  • Analytical, marketing, and preference cookies require explicit opt-in consent via our cookie consent banner.
  • Cookie consent may be withdrawn at any time through the cookie preference centre on our website.

19. Data Protection Impact Assessments (NDPA 2023, Section 41)

A DPIA must be conducted before commencing any new processing activity likely to result in a high risk to the rights and freedoms of data subjects, including large-scale processing of sensitive data or systematic monitoring. Where residual high risk remains after mitigation measures, the NDPC must be consulted prior to processing. DPIA records are maintained in HTG-DPC-DPIA-001.

20. Policy Review and Update

This Policy will be reviewed:

  • Annually, or following any material change to the Group's data processing activities;
  • Following any amendment to the NDPA, GAID, or other applicable Nigerian law;
  • Following any significant data breach or regulatory enforcement action;
  • At the direction of the NDPC.

All revisions will be recorded in the Revision History table on the document control page. Previous versions will be archived and clearly marked as superseded. Users must ensure they are consulting the current controlled version.

21. Contact and Regulatory Complaints

21.1 Contact the Group

  • Email: legal@honeytreatgrp.com
  • DPO Email: [to be inserted]
  • Phone: 08079378912 / 08051866667

21.2 Contact the NDPC

  • Website: ndpc.gov.ng
  • Email: info@ndpc.gov.ng
  • Lagos Office: No. 5 Idowu Taylor Street, Victoria Island, Lagos
  • Abuja Office: Plot 2A, Aguiyi-Ironsi Street, Maitama, FCT Abuja

CONTROLLED DOCUMENT — DO NOT COPY WITHOUT AUTHORISATION

Effective: 01 May 2025 | ISO 9001:2015 Compliant