Data Protection Policy
Effective Date: 1 February 2026 | Document Owner: Chief Information Security Officer (CISO) | Version 1.0
1 Introduction And Purpose
This Data Protection Policy establishes the framework for how Escrow Africa (“the Company”, “we”, “us”, or “our”) manages, protects, and processes personal data across all our operations. As a trusted escrow service provider operating across multiple African jurisdictions, we recognize that data protection is fundamental to maintaining trust with our clients, partners, and stakeholders.
Policy Objectives This policy aims to: ensure compliance with applicable data protection laws and regulations across African jurisdictions; establish clear roles, responsibilities, and accountability for data protection; protect the rights and privacy of data subjects; minimize risks associated with data processing activities; foster a culture of data protection throughout the organization.
Scope This policy applies to all personal data processed by Escrow Africa, including data relating to customers, vendors, partners, employees, contractors, and any other individuals. It covers all forms of data processing, whether automated or manual, and applies to all employees, contractors, consultants, and third parties processing data on behalf of Escrow Africa.
2 Regulatory Framework
Escrow Africa operates in compliance with applicable data protection regulations as stated in Ghana Data Protection Act, 2012.
3 Key Definitions
Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’). This includes names, identification numbers, location data, online identifiers, and factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.
Special Categories of Personal Data: Sensitive data including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation, and criminal records.
Data Processing: Any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
Data Controller: The entity that determines the purposes and means of processing personal data. Escrow Africa acts as a data controller for most processing activities.
Data Processor: An entity that processes personal data on behalf of the data controller. This includes our third-party service providers.
Data Subject: An identified or identifiable natural person whose personal data is being processed.
4 Data Protection Principles
All personal data processing at Escrow Africa must comply with the following fundamental principles:
Lawfulness, Fairness, and Transparency — Personal data must be processed lawfully, fairly, and in a transparent manner. Data subjects must be informed about how their data is being processed. Processing must be based on a valid legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests).
Purpose Limitation — Personal data must be collected for specified, explicit, and legitimate purposes. Data must not be further processed in a manner incompatible with the original purpose. Any new processing purposes require separate legal justification.
Data Minimization — Only collect personal data that is adequate, relevant, and limited to what is necessary. Regularly review data collection practices to ensure minimization.
Accuracy — Personal data must be accurate and kept up to date. Reasonable steps must be taken to ensure inaccurate data is erased or rectified without delay.
Storage Limitation — Personal data must be kept only for as long as necessary for the purposes for which it was collected. Establish and enforce data retention schedules.
Integrity and Confidentiality — Implement appropriate technical and organizational measures to ensure data security. Protect against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Accountability — Escrow Africa is responsible for and must be able to demonstrate compliance with all data protection principles. Maintain comprehensive documentation of all data processing activities.
5 Roles And Responsibilities
Board of Directors: Strategic oversight and governance for data protection; approve data protection policies and significant changes.
Chief Executive Officer (CEO): Ultimate accountability for data protection compliance; champion data protection culture throughout the organization.
Data Protection Officer (DPO): Monitoring compliance with this policy and applicable data protection laws; advising on data protection impact assessments; acting as the point of contact for data subjects and regulatory authorities; conducting data protection training; investigating data breaches and coordinating incident response; maintaining the record of processing activities.
Chief Information Security Officer (CISO): Implement and maintain technical security measures; manage information security risks; coordinate with the DPO on security-related data protection matters.
Department Heads and All Employees: Ensure compliance within their areas; report data protection concerns and incidents to the DPO; complete mandatory data protection training.
6 Legal Basis For Processing
Escrow Africa processes personal data only when we have a valid legal basis:
Consent — Freely given, specific, informed, and unambiguous; used primarily for marketing and non-essential processing.
Contractual Necessity — Processing necessary for the performance of a contract (e.g. escrow services and transaction management).
Legal Obligation — AML, KYC, tax reporting, and other regulatory requirements.
Legitimate Interests — Fraud prevention, system security, business analytics, and service improvement (subject to balancing test).
Vital Interests — Processing necessary to protect the vital interests of the data subject or another person (used rarely).
7 Data Subject Rights
We have established procedures to respond to requests within the timeframes required by applicable law (typically 30 days, extendable by a further 30 days in complex cases).
Right to Information — Data subjects have the right to be informed about the collection and use of their personal data through privacy notices.
Right of Access — Data subjects can request confirmation of whether we process their personal data and obtain a copy of that data.
Right to Rectification — Data subjects can request correction of inaccurate or incomplete personal data.
Right to Erasure (Right to be Forgotten) — Data subjects can request deletion when data is no longer necessary, consent is withdrawn, they object to processing, or data has been unlawfully processed (subject to legal retention obligations).
Right to Restriction of Processing — Data subjects can request that we restrict processing in certain circumstances.
Right to Data Portability — Where processing is based on consent or contract and carried out by automated means, data subjects can receive their data in a structured, machine-readable format.
Right to Object — Data subjects can object to processing based on legitimate interests or for direct marketing. Marketing objections are always honored immediately.
Rights Related to Automated Decision-Making — Data subjects have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, unless necessary for a contract, authorized by law, or based on explicit consent.
8 Data Security Measures
Technical: Encryption in transit (TLS 1.3 or higher) and at rest (AES-256 or equivalent); role-based access control (RBAC); multi-factor authentication (MFA); firewalls, intrusion detection/prevention; comprehensive audit trails and monitoring; vulnerability management and penetration testing; encrypted backups and disaster recovery; endpoint security and device encryption.
Organizational: Security policies and procedures; staff training and phishing simulations; background checks for positions with access to sensitive data; confidentiality agreements; physical security and secure disposal; incident response procedures; vendor management and security requirements in contracts.
Data Classification: High Risk (special categories, financial information, ID documents); Medium Risk (standard identifiers, contact information, transaction data); Low Risk (publicly available, anonymized data).
9 Data Retention And Disposal
Personal data is retained only for as long as necessary. Standard retention periods include: Transaction records — 7 years from transaction completion; KYC/AML documents — 5 years after relationship ends; Employee records — 7 years after employment ends; Marketing consents — until withdrawn or 2 years of inactivity; CCTV — 30–90 days unless incident recorded; System logs — 12 months (security), 6 months (access).
Secure disposal: Digital data — cryptographic erasure, secure wiping (DoD 5220.22-M or equivalent), or physical destruction; Physical documents — cross-cut shredding or secure incineration; all disposal activities documented.
10 Third-party Data Sharing And Processing
When engaging third-party data processors, Escrow Africa ensures: written contracts specifying subject matter, duration, nature, and purpose of processing; processors provide sufficient guarantees of appropriate technical and organizational measures; processors process data only on documented instructions; confidentiality, assistance with data subject requests and breach notifications; deletion or return of data at end of contract; audits and inspections. Due diligence includes review of security certifications (ISO 27001, SOC 2, etc.), data protection policies, breach history, and sub-processor arrangements. International transfers use appropriate safeguards: adequacy decisions, standard contractual clauses, binding corporate rules, or explicit consent where permitted.
11 Data Breach Management
A personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
Phase 1 (0–2 hours): Report to DPO and CISO; activate incident response team; document incident details; implement containment.
Phase 2 (2–24 hours): Detailed investigation; assess scope, root cause, and impact; determine notification requirements; preserve evidence.
Phase 3 (within 72 hours): Notify relevant data protection authorities where the breach poses a risk to rights and freedoms; notify affected individuals without undue delay if high risk; provide clear information about the breach and remedial measures.
Phase 4: Corrective actions; enhance security controls; support affected individuals; document lessons learned. All breaches documented in a breach register maintained by the DPO.
12 Data Protection Impact Assessments (dpia)
A DPIA is required before implementing processing likely to result in high risk: systematic and extensive profiling; large-scale processing of special categories; systematic monitoring of publicly accessible areas; new technologies with privacy risks; automated decision-making with legal or similarly significant effects. Process: identify need, describe processing, assess necessity, identify risks, identify mitigation, consult stakeholders, DPO review, implementation, periodic review. If high residual risk cannot be mitigated, consult the relevant data protection authority before proceeding.
13 Training And Awareness
All personnel complete comprehensive data protection training within 30 days of joining and annually thereafter. Role-specific training for personnel with access to sensitive data. Topics: data protection principles and legal requirements; data subject rights; security best practices and incident reporting; phishing and social engineering; secure handling of documents and data; third-party requirements; consequences of non-compliance. Ongoing awareness via communications, Data Protection Week, and simulated exercises.
14 Monitoring And Compliance
Regular audits of data processing activities, security controls, and policy adherence; continuous monitoring of access logs; periodic assessments of third-party processors; review of data subject requests and response times. Escrow Africa maintains a comprehensive record of processing activities. Quarterly reports to senior management; annual report to the Board; prompt notification of significant issues to authorities.
15 Policy Enforcement
Non-compliance may result in disciplinary action up to and including termination. Violations may also result in regulatory sanctions, fines, civil liability, or criminal prosecution. Investigation process: report to DPO or manager; prompt investigation; right to respond; determination of disciplinary action; corrective measures. Whistleblower protection for good faith reports; anonymous reporting available.
16 Policy Review And Updates
This policy is reviewed annually by the DPO. Ad hoc review when: new legislation is enacted; regulatory guidance or enforcement requires changes; significant changes to operations or technology; major breaches or incidents; audit findings. Updates require CEO and Board approval; communication through multiple channels; acknowledgment documented.
17 Contact Information
Data Protection Officer — For data protection inquiries, data subject requests, or to report a suspected breach: Email: dpo@escrowafrica.com. Data subjects have the right to lodge complaints with relevant data protection authorities.
18 Appendices
Related policies: Privacy Policy (customer-facing), Information Security Policy, Acceptable Use Policy, Incident Response Plan, Data Retention Schedule, Vendor Management Policy, Business Continuity and Disaster Recovery Plan. Version 1.0 — February 1, 2026 — Initial policy creation — Approved by Board of Directors.