MFS Africa develops, owns and operates technology that enables organisations and individuals to process various cross-border payment, money and value transfer transactions (the “MFS-Hub”). Inherent in the provision of these services, MFS Africa both has access to and needs to process personal data and information relating to individuals.
This Policy sets out how personal data shall be handled to comply with the legal standards governing data exchange and protection in the jurisdictions in which MFS Africa operates including but not limited to the European Union, the United States of America, Mauritius, and various jurisdictions across Africa and Asia (“laws of the relevant jurisdictions”).
To provide a framework that ensures that MFS Africa along with its employees and external partners that handle personal data for which MFS Africa may be responsible (collectively “data handlers”) as well as its external partners (the “external partners”) that collect, process and store personal data via the MFS-Hub, including the personal data of customers, or Hub-participants:
- Comply with international legal standards and best practice for the collection, storage, retrieval, consultation, use, disclosure by transmission, dissemination or even erasure and destruction (“processing”) of personal data of individuals (“data subjects”);
- Protect the rights of data subjects whose personal data are processed by their employees;
- Transparently disclose how they process, handle and store individuals’ personal data;
- Ensure an adequate level of security in its operations to protect itself from the risks of a data breach.
This Policy is intended to guide data handlers and decision makers inside and outside of MFS in respect of their legal and ethical obligations regarding the exchange of data and data privacy and protection.
This Policy applies to the processing of all personal data, wholly or partly by automated means, by MFS Africa and its data controllers.
The rules and standards set out in this Policy apply regardless of whether personal data –
- Relates to an employee, end-user, Hub Participant or other natural person, or
- Is stored electronically, digitally, on paper, or on other materials, or through other methods.
4. REFERENCE DOCUMENTS
In order that the standards of conduct required by the University are properly understood, attention is drawn to the following legislation and policies:
- The General Data Protection Regulation (GDPR) (EU) 2016/679;
- The Data Protection Act 2018 (United Kingdom);
- The Data Protection Act 2017 (Mauritius);
- MFS Africa Anti-Bribery and Corruption Policy;
- MFS Africa Code of Conduct.
Note: This Policy may supplement but is not intended to replace any existing national laws to which a party may be subject. In the absence of local law on data exchange or protection, this Policy shall apply. National legislation will take precedence over this Policy where a conflict may exist, or where such national law has stricter requirements than this Policy.
Data controller – the natural or legal person(s) which alone or jointly with others determines the purposes and means of processing of personal data subject to this policy.
Data processor – the natural or legal person(s) which alone or jointly with others processes data on behalf of the controller.
Data subject – an identified or identifiable natural person who is the object of personal information.
External partners – partners, suppliers and all their subcontractors and suppliers of MFS.
Hub-participant – partners of MFS Africa that transfer stores of value over the MFS-Hub be they mobile network operators, money transfer organisations, merchants or other.
Personal data – any information relating to a data subject that is protected (or sought to be protected) for the benefit of data subject(s) under laws of the relevant jurisdictions.
MFS Africa, its data processors and external partners must take all reasonable organisational and technical measures to protect themselves and the data subjects from various very real data security risks including:
- Breaches of confidentiality through data breaches or inappropriate disclosure;
- Hacking risks (including reputational damage, breaches of confidentiality, or destruction of valuable intellectual property);
- Failing to offer choice regarding how data is used, and other risks of liability related to personal data processing; and
- Third parties’ data acquired from partners and employees.
Principles applicable to the processing of personal data
At all times personal data should be:
- Collected and processed fairly and lawfully, in accordance with legal standards applicable to such data or data categories;
- Obtained only for specific lawful purposes;
- Adequate, relevant and not excessive for the purpose it was obtained for;
- Accurate, and kept up to date;
- Held for no longer than necessary for the purpose it was obtained for;
- Processed in accordance with the rights of data subjects;
- Protected in appropriate ways, methodologies and procedures and according to suitable methods, both organisationally and technologically;
- Not disclosed or transferred or exported illegally, or in breach of any agreement with any party.
Roles and Responsibilities at MFS Africa
Each person who works for MFS Africa or handles data for or belonging to MFS has some responsibility for ensuring that personal data collected is processed appropriately and in line with this Policy. Persons at MFS Africa with particularly key responsibility as regards data protection include:
1. The board of directors who are ultimately responsible for ensuring that MFS Africa identifies and navigates all material risks to which the company is exposed and simultaneously meets its legal and ethical obligations.
2. The Office of the Chief Legal and Compliance Officer (the “CLCO”) which is responsible for:
- Keeping the board updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Arranging data protection training and advice for those parties who have responsibilities under the Policy.
- Handling data protection questions from employees and anyone else covered by the policy.
- Dealing with requests from individuals to see data that MFS Africa holds about them (also called ‘subject access requests’).
- Ensuring that MFS internal stakeholders such as employees and directors receive the adequate information, including as appropriate, training, so as to allow them to fulfil the requirements of this Policy.
- Checking and approving any contracts or agreements with third parties that may handle MFS Africa’s sensitive or protected data.
3. The Office of the Chief Technical Officer (the “CTO”) which is responsible for:
- Ensuring all systems, services and equipment used for storing data meet internationally acceptable standards of security and data safeguarding.
- Ensuring all systems, services and equipment used for storing data are regularly updated to continue to comply with internationally acceptable standards.
- Issuing appropriate, clear, regular rules and directives, whether for MFS Africa as a whole or a particular part of it, department, person or level of person in relation to any aspect of MFS Africa’s work, including password protocols, data access protocols, levels of persons who enjoy access to certain data, sign-on procedures, password safeguarding protocols, sign-on and sign-off procedures, log-on and log-off procedures; the description of accessories, applications and equipment that will or may be used, and/or that may not be used under any circumstances, and the like.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluating any third-party services MFS Africa is considering using, building or acquiring to store or process data.
4. The marketing manager, and in the absence of this specific role within the organisation, the CEO, who is responsible for:
- Approving any data protection statements attached to communications such as emails and letters.
- Addressing any data protection queries from journalists or media outlets like newspapers.
- Ensuring that all materials published on behalf of or by MFS Africa meet the requirements of this Policy.
- Where necessary, working with other employees to ensure marketing initiatives abide by data protection principles.
7. THE RULES
All personal data shall be deemed confidential information and shall be handled as such.
The only person(s) entitled to access data covered by this Policy will be those who need to access it for the execution of their direct work, services or required outputs.
Under no circumstances will personal data or information be shared outside the scope of required work outputs, or informally. In the event of any doubt, an employee shall be entitled to access confidential information only after obtaining authorisation from their line manager or a senior manager, where any work output requiring access is unusual or out of the ordinary.
Lawful bases for processing personal data:
There must be a lawful basis for all processing of personal data (unless an exemption or derogation applies), including but not limited to:
1. Consent - the data subject has consented to such processing;
2. Contractual necessity - such processing is necessary in order to enter into or perform a contract with the data subject;
3. Compliance with legal obligations - the controller has a legal obligation to perform such processing; or
4. Legitimate interests - where the controller has a legitimate interest in processing those data, provided that such legitimate interest is not overridden by the rights or freedoms of the affected data subjects.
Where consent is the lawful basis for processing, it must be obtained for all personal data that will be processed by MFS Africa, its data processors or external partners. For consent to be valid, it must be freely given, specific, informed and unambiguous, and as easy to withdraw as to give. In addition, the data subject may have the right to erasure of its data (“right to be forgotten”) on application.
It is the responsibility of external partners that process the information of data subjects used over the MFS-Hub to rely on and obtain the proper lawful basis for processing such personal data in accordance with this Policy and the law of relevant jurisdictions.
Data Security Safeguards
Questions about processing and storing data safely can be directed to the Office of the Chief Legal and Compliance Officer.
Data must be safeguarded from unauthorised access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. MFS Africa takes all reasonable precautions to keep personal data secure and requires its partners and other third parties handling data to do the same.
When data is stored on paper (or electronically but printed out for any reason), it will always be kept in a secure place where unauthorized people cannot see it. Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts.
It is the responsibility of MFS Africa, its data processors and external partners to ensure that they have effective procedures and mechanisms focussing on high-risk operations (e.g. involving new technologies) and carry out data impact assessments periodically to evaluate the likelihood and severity of risks involved.
- Data should be protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
- Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
- All servers and computers containing data should be protected by approved security software and a firewall.
Data breach notification
MFS Africa shall report any data breaches to the regulator without undue delay (and in any event within 72 hours) upon becoming aware of any unauthorized or unlawful loss, alteration, disclosure or access to personal data or information (“personal data breach”). MFS Africa shall take such steps as are necessary to provide MFS Africa with sufficient information to allow it to meet any obligations to report the personal data breach under the law of the relevant jurisdiction, including for instance the requirement on data processors to report corresponding breaches within a complementary timeline.
MFS Africa shall ensure that the data processor involved in a breach cooperates with it and takes all reasonable steps as are directed by us to assist in the investigation, mitigation and remediation of each such personal data breach.
In some cases, MFS Africa may also be required to notify the affected data subjects without undue delay. The following details of the incident should be included in the notification to the extent possible: description of the incident, date and time of the incident, date and time incident was detected, the type of data involved and its sensitivity, the number (and if applicable, group) of individuals affected by the breach, whether the data was encrypted, and the details of any information technology systems involved in the incident.
Personal data must be collected for a specific, explicitly defined and lawful purpose related to the activities of MFS Africa. We may use personal data, inter alia, to:
- Enable our external partners to connect to the MFS-Hub;
- Improve our services that we deliver to external partners;
- Perform statistical analysis;
- Request feedback from our external partners;
- Report to external partner emails, submissions, questions, comments or requests; and
- Comply with the laws of relevant jurisdictions (e.g. know-your-client verifications and anti-money laundering checks).
MFS Africa, its employees and data processors shall take reasonable steps to ensure personal data is kept accurate and up-to-date. It is the responsibility of every employee who works with personal data to do so.
The more important it is that personal data is accurate, the greater the effort and measures should be to ensure its accuracy.
- Employees will make use of every opportunity to ensure that a data component is accurate and up-to-date, e.g. by confirming details when handling an outside party call.
- MFS Africa, data processors and as applicable, external partners will make it easy for data subjects to update the personal data it obtains and holds about them.
- Personal data should be updated as inaccuracies are discovered.
- Employees, and the employees of data processors, shall at all times remain knowledgeable and informed about all data updating practices and work protocols used by MFS Africa, such as updating via official, acknowledged websites and platforms used by external partners.
Personal data sharing and transfer
No personal data should be transferred to or collected from third parties without obtaining the correct basis for the legal transfer of such data and, where required by the law of relevant jurisdictions, without informing data subjects in advance.
Where data may be transferred internationally, explicit consent showing that (1) the data subject has been sufficiently informed of the transfer and of related risks may be required, and that (2) a legitimate basis exists for transferring such personal data.
Personal data should:
- Always be held in as few places as necessary to ensure efficient service delivery and risk avoidance. Employees are not permitted to create any unnecessary additional data sets.
- Not be shared informally (email transfers should be avoided, where required these should be properly protected or secured);
- Be encrypted before being transferred electronically. The CTO together with the CLCO will develop and maintain protocols for data transfer to ensure it is sent in protected form to authorised external contacts only, and to avoid it being sent to any unauthorised external or internal parties;
- Never be transferred or sent to any entity not authorised directly to receive it;
- Not be saved to personal computers.
Rights of The Data Subject and Data Subject Access Requests
All data subjects (whether employees of MFS Africa, data processors or external partners) are entitled to:
- Enquire what information is held about them and the purpose for holding it;
- Enquire how to gain access to their own personal data;
- Be informed of any special measures that MFS Africa, data processor or as applicable, external partner uses to keep such data up to date;
- Be informed how MFS Africa, data processor or as applicable, external partner is meeting its data protection obligations.
If a data subject contacts MFS Africa or an external partner requesting this information this is called a subject access request. Subject access requests shall be made by e-mail and addressed to the Office of the Chief Legal and Compliance Officer who shall address these in consultation with management.
The identity of a person making a data subject request will always be verified before handing over any information requested.
Depending on the law of relevant jurisdictions, data subjects may benefit from additional rights such as the rights to:
- Change or correct his/her personal data;
- Delete his/her personal data if it is no longer necessary to provide services and MFS Africa has no legal obligation to keep it;
- Object to, or limit or restrict, use of his/her personal data;
- Take his/her personal data in machine-readable form.
Disclosing Information for other reasons:
In certain circumstances, laws of relevant jurisdictions will allow or require that personal data be disclosed to law enforcement or other agencies without the consent of the data subject.
In such circumstances, MFS Africa, its data processors or external partners may be obliged to disclose the requested personal data but will first ensure that the request is legitimate and will seek assistance beforehand from its legal advisers or other experts.
Only the Office of the Chief Legal and Compliance Officer will be authorised to furnish the requested data to the enquiring party.
Procedures and protocol will be developed by the Office of the Chief Legal and Compliance Officer from time to time.
Enforcement of this policy will be the responsibility of the board of directors, to be exercised through the executive management of MFS Africa and in particular, the Office of the Chief Legal and Compliance Officer. Violation of this policy may incur the extent of penalty required under the law in order to ensure the legal compliance and reputational integrity of the data management, exchange and privacy functions of MFS Africa.