Corporate Policy

This company operates and adheres to all the requirements and obligations regulating the protection of data of employees, clients and relevant third parties as set out in the Data Protection Act, 2012 ( Act 843) of Ghana.

1. PURPOSE AND SCOPE

This policy establishes the framework for the collection, usage, storage, and disposal of personal data by Trustbridge Services (hereinafter called the "Company"). It applies to all employees, contractors, site workers, architectural consultants, and third-party subcontractors. The objective of this policy is to protect the privacy rights of individuals in accordance with Act 843.

2. DATA PROTECTION PRINCIPLES

The Company shall adhere to the eight core principles of Act 843:

• Accountability: The Company is responsible for all data in its possession.
• Lawfulness of Processing: The Company shall ensure that data will be processed reasonably and without infringing privacy.
• Specification of Purpose: Data collected by the company shall be for specific construction and administrative goals.
• Compatibility of Further Processing: Data collected for payroll shall not be used for unrelated marketing without consent.
• Quality of Information: The company shall ensure that data collected is accurate and kept up to date.
• Openness: The Company shall, to the extent of the interest of the company, be transparent about its data practices.
• Data Security Safeguards: The Company shall at all material times ensure the use of technical and organizational security measures.
• Data Subject Participation: The Company safeguards the rights of individuals to access their data.

3. COLLECTION AND PROCESSING OF DATA

4. DATA STORAGE AND RETENTION

• Personal data shall be retained only for as long as necessary to fulfill the purpose of collection or as required under Ghanaian law.
• Employee or Site Worker Records shall be kept for a maximum of 6 years post-employment for GRA or SSNIT audit purposes.
• Architectural or Project Records shall be kept for a maximum of 10 years in accordance with the limitation period for structural liability.
• CCTV Footage shall be kept for a maximum of 10 days, unless a security incident requires a longer hold.
• In the disposal of data, electronic data will be permanently deleted, and physical files shall bd shredded after the expiration of the retention except in special circumstances where the Company deems it fit to retain certain data.
• Where the Company retains data after the expiration of the retention period, the company shall provide relevant reasoning for the retention.

5. THIRD-PARTY DATA FLOWS & SUBCONTRACTORS

Where it involves Data Processor Contracts, all subcontractors including outsourced payroll, security firms, or cloud software providers shall be mandated to sign a Data Processing Agreement. The subcontractor shall provide "appropriate safeguards" for the data and notify the Company of any breaches immediately. Data transferred to international consultants or cloud servers shall comply with Section 18(2) of Act 843, ensuring the recipient country has adequate data protection standards.

6. DATA SUBJECT RIGHTS

Every individual here being worker, client, or consultant has the right to:

• Request Access and consequently obtain a copy of their personal data held by the Company.
• Request Rectification and correct inaccurate or incomplete records.
• Object to Processing of data for purposes other than legal or contractual obligations.
• Lodge a complaint with the Company’s Data Protection Supervisor or the Data Protection Commission (DPC).

7. DATA BREACH RESPONSE PROTOCOL

In the event of a data breach, that is but not limited to theft of a site laptop, unauthorized access to payroll, The Company shall notify the Data Protection Commission immediately. If the breach is likely to result in high risk to the individual (e.g., identity theft), the Company will notify the affected persons directly. Where an individual is of the opinion that there has been a breach of his or her privacy, the individual shall lodge a formal complaint regarding the breach of data protection to the Data Protection Supervisor after which a formal enquiry and investigation shall be conducted into the matter. Where there is any breach, the complainant shall be entitled to appropriate remedy which includes monetary compensation.

8. STATUTORY REGISTRATION

The Company shall:

• Maintain an active registration as a Data Controller with the Data Protection Commission.
• Renew the registration every two years as required by Section 50 of Act 843.
• Appoint a certified Data Protection Supervisor to oversee this policy.

9. PENALTIES FOR NON-COMPLIANCE

Failure by staff to adhere to this policy may result in disciplinary action. Under Act 843, the Company and its officers may also face criminal prosecution, fines, or imprisonment for serious contraventions.