Data Privacy & Protection Policy

How Otic Technologies Limited collects, processes, stores, and protects personal and institutional data — aligned with the Data Privacy and Protection Laws of Uganda.

1.0 Introduction

At Otic Technologies Limited, we are committed to ensuring the lawful, secure, and ethical collection, use, and management of personal and institutional data and to protecting the right to privacy of our data subjects (our customers, employees, and other stakeholders). This data privacy and protection policy outlines the guidelines, principles and procedures that govern how Otic Technologies Limited (hereinafter referred to as "the Company", "we", or "us") collects, processes, stores, shares, and disposes of data in a bid to ensure the protection and privacy of personal data. It is designed to comply with the Data Privacy and Protection Laws of Uganda and the Regulations thereto.

2.0 Definitions

2.1 Data

means information which —

  (a) is processed by means of equipment operating automatically in response to instructions given for that purpose;
  (b) is recorded with the intention that it should be processed by means of such equipment;
  (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; or
  (d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record.

2.2 Personal Data

means information about a person from which the person can be identified, that is recorded in any form and includes data that relates to —

  • the nationality, age or marital status of the person;
  • the educational level, or occupation of the person;
  • an identification number, symbol or other particulars assigned to a person;
  • identity data; or
  • other information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual.

2.3 Data subject

means an individual from whom or in respect of whom personal information has been requested, collected, collated, processed or stored.

2.4 Data collector

means a person who collects personal data.

2.5 Data Controller

means a person who alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed.

2.6 Data Processor

means a person other than an employee of the data controller who processes the data on behalf of the data controller.

2.7 Policy

means the Otic Technologies Limited Privacy and Protection Policy.

3.0 Scope

3.1 This Data Protection and Privacy Policy is critical to the Company because it enables the Company to adhere to the legal requirements that apply to a data collector, controller or processor.

3.2 All the provisions therein apply to, and must be adhered to by, all employees/staff, volunteers, contractors and third-party service providers so that the Company meets the four corners of the law.

3.3 This policy covers data protection, records management, information security and provides links to other policies and procedures on the three areas.

4.0 Policy Statement

4.1 Otic Technologies Limited is committed to protecting the privacy, integrity and authenticity of all personal data that is collected and processed from all data subjects and to addressing all complaints which may arise in case of mishandling of the same.

5.0 Data Protection Principles and Data Subject Rights

5.1 Data Protection Principles

Otic Technologies Limited is committed to upholding the following principles of data protection:

  • the Company shall be accountable to the data subject for data collected, processed, held or used;
  • the Company shall collect and process data fairly and lawfully;
  • the Company shall collect, process, use or hold adequate, relevant and not excessive or unnecessary personal data;
  • the Company shall retain personal data for the period authorised by law or for which the data is required;
  • the Company shall ensure the quality of information collected, processed, used or held;
  • the Company shall ensure transparency and participation of the data subject in the collection, processing, use and holding of the personal data; and
  • the Company shall at all times observe security safeguards in respect of the data.

5.2 Data Subject Rights

  • A data subject has the right to request the correction of his or her personal data.
  • A data subject has the right to know the purpose for which personal data is being collected.
  • A data subject has the right to request the erasure of any personal data the Company holds on him or her.
  • A data subject has the right to withdraw his or her consent at any time in relation to the collecting, controlling and processing of the personal data.
  • A data subject has the right to lodge complaints with the National Data Protection Office.

6.0 Reporting Data Security Breaches

All employees and contractors shall immediately report all security breaches that involve personal data to the Data Protection Officer (DPO) of the Company, and the DPO shall in turn take all reasonable steps to remedy the breach.

6.1 Steps to be taken in case of a security breach

6.1.1 Containment and Initial Response

The employees should take immediate action to stop the breach and prevent further unauthorized access to personal data.

The employees should at all material times isolate the affected systems or devices from the network to prevent further damage and should preserve logs, system data, and other relevant information that may be useful for investigations.

6.1.2 Notification

The employees should notify the following persons in case of any security breach:

Internal stakeholders

  • The Data Protection Officer of the Company, providing him or her with detailed information about the incident or breach.
  • The management of the Company and IT and security team.

External stakeholders

  • The data subjects whose personal data has fallen victim to the breach.
  • The Personal Data Protection Office.
  • The Police.

6.1.3 Notify the affected individuals

The Data Protection Officer shall maintain transparent communication with all data subjects whose data was affected by the breach and provide clear information about what happened, the potential risks and consequences, and the steps they can take to protect themselves, e.g. monitoring their accounts, changing passwords, etc.

6.1.4 Cooperate with investigations

All employees should collaborate with internal and external investigators to determine the cause of the breach and implement measures to prevent further breaches.

7.0 Staff Awareness

7.1 All staff members shall be provided with a copy of this policy by the Company whenever possible and, in the alternative, staff members can access the same on the Company website.

7.2 A summary of the data protection guidelines and procedures of the Company will be pinned on a notice board that will be in a conspicuous place at the Company premises.

8.0 Policy Compliance

8.1 All staff must at all times comply with the policy. In case of non-compliance by any staff member, he or she shall be subjected to any of the following disciplinary actions:

  • A reprimand.
  • Suspension for 1 month without pay.
  • Dismissal from employment.

9.0 Contact Information

9.1 The following are the contacts to call in case of any question relating to data protection and privacy in the Company:

legal@oticgroup.net (Head Legal Department, Otic Technologies Limited)

10.0 Review and Approval

10.1 All policies and procedures are reviewed by the Head Legal Department and then forwarded to the CEO for approval.