1. Introduction
This Data Subject Access Request Policy (Policy) sets out the procedure to be adopted by Main One Cable Company Limited, its affiliates and subsidiaries, including but not limited to MainOne Cable Company Nigeria and MainData Nigeria Limited (“MainOne” or “the Company”) in responding to requests by individuals (Data Subjects) regarding their personal data held by MainOne in line with the provisions of the Nigerian Data Protection Regulation 2019 (NDPR). This Policy should be read in conjunction with MainOne’s Data Privacy and Protection Policy and MainOne’s Privacy Notices.
The Data Protection Officer (DPO) shall be responsible for overseeing this Policy to ensure compliance with the provisions of the NDPR.
2. Personal Data
This Policy is limited to the Personal Data collected by MainOne from Data Subjects. Under the NDPR, “Personal Data” means any information relating to an identified or identifiable natural person or Data Subject. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, Identification number, location data, online identifier or to factor(s) specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes name, address, photo, email address, bank details, posts on social networking websites, medical information, and other unique identifier as provided under the NDPR.
3. Data Subject Rights
3.1. MainOne collects and processes Personal Data of Data Subjects in furtherance of its business operations.
3.2. In line with the provisions of the NDPR, Data Subjects are entitled to the rights below:
a) Right to request for and access Personal Data collected and stored by MainOne;
b) Right to object to processing of Personal Data;
c) Right to be informed of and provide consent prior to the processing of data for purposes other than that for which the Personal Data were collected;
d) Right to object to automated decision making and profiling;
e) Right to withdraw consent at any time;
f) Right to request rectification and modification of your data kept by MainOne;
g) Right to request for deletion of your data collected and stored by MainOne; and
h) Right to request the movement of data from MainOne to a Third Party i.e. the right to the portability of data.
3.3. Any request as it relates to implementation of the above rights shall be carried out by completing and submitting the Subject Access Request Form (SAR Form) in accordance with the terms of this Policy.
4. Subject Access Request Response Procedure
4.1. Where a Data Subject wishes to exercise any of the rights guaranteed under the NDPR, they shall make a formal request by completing the SAR Form (See Appendix 1) and sending the completed form via email to the Data Protection Officer (DPO) at data.protection.officer@mainone.net
4.2. MainOne shall contact the Data Subject within 5 working days of the receipt of the SAR Form to confirm receipt of the subject access request and may request additional information to verify and confirm the identity of the individual making the request.
4.3. The DPO, on receiving any request from a Data Subject, shall record the request and carry out verification of the identity of the individual making the request using the details provided in the SAR Form and a valid means of identification such as international passport, driver’s license, national identification card, employee identity card issued by MainOne or any other acceptable means of identification.
4.4. Where the request is from a third party (such as relative or representative of the Data Subject), MainOne will verify their authority to act for the Data Subject and may contact the Data Subject to confirm their identity and request the Data Subject’s consent to disclose the information.
4.5. When the identity of the individual making the request is verified, the DPO shall coordinate the gathering of all information collected with respect to the individual in a concise, transparent, intelligible and easily accessible form, using clear and plain language with a view to responding to the specific request. The information may be provided in writing, or by other means, including, where appropriate, by electronic means or orally provided that the identity of the Data Subject is proven by other means.
4.6. Where the information requested relates directly or indirectly to another person, MainOne will seek the consent of that person before processing the request. However, where disclosure would adversely affect the rights and freedoms of others and MainOne is unable to disclose the information, MainOne will inform the requestor promptly, with reasons for that decision.
5. Fees and Timeframe
5.1. MainOne shall ensure that it provides the information required by a Data Subject or respond to the request by the Data Subject within a period of one month from the receipt of the request. However, where MainOne is unable to act on the request of the Data Subject, it shall inform the Data Subject promptly at least within one month of receipt of the request of the reasons for not taking action and notify them of the option of lodging a complaint with the National Information Technology Development Agency (NITDA), in line with the NDPR.
5.2. Any information provided to the Data Subject by MainOne shall be provided free of charge. However, where requests from a Data Subject are manifestly unfounded or excessive in particular because of their repetitive or cumbersome nature, MainOne may:
a. charge a reasonable fee taking into account the administrative costs of providing the information or communication, taking the action required or making a decision to refuse to act on the request; or
b. write a letter to the Data Subject stating refusal to act on the request and copying the National Information Technology Development Agency (NITDA).
6. Exceptions to Data Subjects Access Rights
To the extent permitted by applicable laws, MainOne may refuse to act on a Data Subject’s request, if at least one of the following applies:
a) in compliance with a legal obligation to which MainOne is subject;
b) protecting the vital interests of the Data Subject or of another natural person; and
c) for public interest or in exercise of official public mandate vested in MainOne.
7. Related Policies and Procedures
This Policy shall be read in conjunction with the following policies and procedures of MainOne:
a) Data Privacy and Protection Policy (https://www.mainone.net/)
b) IT Security Policy (https://www.mainone.net/)
c) Document Retention Policy (https://www.mainone.net)
d) Personal Data Breach Management Policy (https://www.mainone.net./)
8. Changes to the Policy
MainOne reserves the right to change, amend or alter this Policy at any point in time. If we amend this Policy, we will issue an updated version.
9. Contact for any Queries
MainOne has appointed a DPO responsible for overseeing MainOne’s data protection strategy and its implementation to ensure compliance with NDPR requirements.
The DPO should be contacted if you have any queries or clarifications regarding the operation of this Policy. The contact details are set out below:
• Data Protection Officer: ………………… ………………………….
• Location: ……………………………………………………..
• Phone: …………………………………..
• Email: data.protection.officer@mainone.net
10. General Information
| Title | Data Subject Access Request Policy |
| Status | Mandatory |
| Issuing Department | |
| Distribution/Target Audience | All employees, including contracted staff and agents of MainOne, customers, vendors/suppliers of MainOne and the general public. |
| Approver | Management of MainOne |
| Effective Date | October 2019 |
| Version | 1.0 |