Annex C — Data Protection & Privacy Policy

Last modified: November 7, 2025

Global Baseline + Host‑Law Appendices (PDPA/GDPR/nFADP et al.)
Owner: Data Protection Officer (DPO)
Review cadence: Annual and upon material law change

Purpose. Protect individuals’ privacy while enabling lawful, auditable data use for Nexus programs. This policy sets minimum global controls and adds host‑law appendices for each regional consortium. Where rules conflict, the most restrictive applies. This policy governs conduct and contracts; it does not authorise regulated financial activity.


1) Scope & Layering

  • Applies to: SNC, all regional consortia and NatCos, Program SPVs, contractors, and volunteers handling personal data (PD) or confidential data under Nexus programs.
  • Layering: (1) Global baseline (this Annex); (2) host‑law appendices (country/region); (3) customer‑specific requirements.
  • Systems in scope: Production and non‑prod environments, SDZs (Sovereign Data Zones), collaboration suites, analytics platforms, and physical records.

2) Roles & Responsibilities

  • DPO (Owner): Maintain policy; run DPIA program; manage data‑subject requests (DSRs); lead breach notifications; advise on cross‑border transfers and lawful bases.
  • CISO: Technical and organisational measures (TOMs), incident response, SBOM/SLSA controls, key management, logging.
  • Legal/Compliance: Vendor DPAs, transfer tools (SCCs/IDTA/BCRs/TIAs), records of processing (RoPA), lawful basis mapping.
  • Data Stewards (business owners): Accuracy, minimisation, retention, and access approvals in their domains.
  • All Personnel: Complete privacy training; follow SOPs; report incidents immediately.

3) Privacy Principles (Global)

  1. Lawfulness, fairness, transparency (clear notices, disclosures).
  2. Purpose limitation (documented in RoPA and SOWs).
  3. Data minimisation (collect only what’s needed; prefer derived, statistical, or anonymised data).
  4. Accuracy (stewards maintain correction processes).
  5. Storage limitation (retention schedules; defensible deletion).
  6. Integrity & confidentiality (Zero‑Trust; encryption in transit/at rest; least privilege; logging).
  7. Accountability (evidence packs: DPIAs, TIAs, RoPA, training, vendor audits).

4) Lawful Bases & Special Categories

  • Lawful bases: consent, contract performance, legal obligation, vital interests, public interest, legitimate interests (with LIA documented).
  • Special categories/sensitive PD: health, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, trade‑union membership, sexual life or orientation, and precise geolocation where regulated. Processing requires additional safeguards and explicit consent or an applicable derogation.
  • Children’s data: obtain verified parental consent where required; apply heightened minimisation and profiling bans where law mandates.

5) Sovereign Data Zones (SDZ) & Data Architecture

  • Compute‑to‑data default: Move computation to data; avoid copying/extracting PD.
  • No PII on chain: Content‑address only; store PD off‑chain within SDZ boundaries. An unsalted hash of a low‑entropy value (an ID number, an e‑mail address, a date of birth) is reversible by dictionary search and is therefore still PD; on‑chain pointers must be salted or keyed commitments whose salt/key never leaves the SDZ.
  • Residency: PD remains in host‑country SDZ unless lawfully transferred using approved transfer tools and DPIA/TIA confirms adequacy.
  • Access control: Least privilege; JIT (just‑in‑time) elevation; dual‑control for sensitive categories.
  • Logging/traceability: Immutable access logs; tamper‑evident; retain per schedule.
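The “no PII on chain” rule above is easy to get wrong: a plain hash is a fine content address for a large, high‑entropy blob, but for a record built from an ID number or an e‑mail address an adversary holding only the ledger can hash every candidate and match. The following is an added illustration, not part of this Annex or of any Nexus system: it contrasts an unsalted content address with a keyed commitment whose salt stays in the SDZ store, and shows a dictionary attack succeeding against the first and failing against the second. It also makes concrete the re‑identification risk analysis that section 10 asks for when pseudonymising. The `SdzStore` class, the `PATIENT` record and the candidate list are hypothetical and constructed for the example.

```python
"""Content-addressed pointers to off-chain PD (added example, not the page's code)."""
import hashlib
import hmac
import json
import secrets
from typing import Optional


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so equal records always hash equal."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def naive_content_address(record: dict) -> str:
    """Unsalted SHA-256: reversible whenever the record space is small."""
    return hashlib.sha256(canonical(record)).hexdigest()


def commit(record: dict, salt: bytes) -> str:
    """Keyed commitment; the salt stays off-chain inside the SDZ store."""
    if len(salt) < 32:
        raise ValueError("salt must be at least 32 random bytes")
    return hmac.new(salt, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, salt: bytes, commitment: str) -> bool:
    """Constant-time check that an opened record matches its on-chain pointer."""
    return hmac.compare_digest(commit(record, salt), commitment)


class SdzStore:
    """Hypothetical off-chain store: commitment -> (record, salt); the ledger sees commitments only."""

    def __init__(self) -> None:
        self._rows: dict[str, tuple[dict, bytes]] = {}
        self.chain: list[str] = []

    def put(self, record: dict) -> str:
        salt = secrets.token_bytes(32)
        c = commit(record, salt)
        self._rows[c] = (record, salt)
        self.chain.append(c)  # only the commitment is written to the ledger
        return c

    def open(self, commitment: str) -> dict:
        record, salt = self._rows[commitment]
        if not verify(record, salt, commitment):
            raise ValueError("stored record does not match its commitment")
        return record


def dictionary_attack(target: str, candidates: list[dict]) -> Optional[dict]:
    """What an adversary holding only the on-chain value can try: hash every guess."""
    for cand in candidates:
        if hmac.compare_digest(naive_content_address(cand), target):
            return cand
    return None


# Constructed sample data: an identifier drawn from a small, enumerable space.
PATIENT = {"national_id": "S1234567A", "dob": "1980-01-01"}
CANDIDATES = [{"national_id": f"S12345{n:02d}A", "dob": "1980-01-01"} for n in range(100)]


def chain_leaks_values(chain: list[str], record: dict) -> bool:
    """Crude check: does any field value appear verbatim on the ledger?"""
    return any(str(v) in entry for entry in chain for v in record.values())


def demo() -> dict:
    naive = naive_content_address(PATIENT)
    store = SdzStore()
    pointer = store.put(PATIENT)
    return {
        "naive_recovered": dictionary_attack(naive, CANDIDATES) == PATIENT,
        "commit_recovered": dictionary_attack(pointer, CANDIDATES) is not None,
        "open_ok": store.open(pointer) == PATIENT,
        "chain_leaks": chain_leaks_values(store.chain, PATIENT),
    }


if __name__ == "__main__":
    print(demo())
```

The dictionary here is only 100 guesses; a real attacker enumerates the whole identifier space, which for most national ID or phone‑number formats is feasible on commodity hardware. The salt must be unpredictable per record (a global salt turns the attack back into a one‑time precomputation) and must be governed by the same residency and access rules as the record it protects.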

6) DPIAs (Data Protection Impact Assessments)

  • Triggers (mandatory): New or changed processing with high risk (e.g., large‑scale profiling, sensitive PD, cross‑border transfers, automated decisions with legal effects, observation/telemetry at scale, new tech).
  • Process: (a) Describe processing; (b) assess necessity & proportionality; (c) identify risks to rights/freedoms; (d) define TOMs/mitigations; (e) consult DPO/Legal; (f) if residual high risk remains, consult authority where required.
  • Outputs: DPIA report; residual risk owner; re‑assessment cadence (≥ annually or upon changes).

7) Data‑Subject Rights (DSRs)

  • Rights supported: access, rectification, erasure, restriction, objection, portability, and rights related to automated decision‑making/profiling where applicable.
  • SLA: Respond within 30 days of receipt (one month under GDPR; extendable where the applicable law permits, with notice to the requester).
  • Verification: Reasonable identity verification; log decisions; provide data in common, portable formats.
  • Exemptions: Apply only where lawful (e.g., legal privilege, public interest); document rationale.

8) Vendor Management & DPAs

  • DPA required for every processor/sub‑processor handling PD.
  • Minimum terms: purpose‑bound processing; confidentiality; TOMs; sub‑processor controls; assistance with DSRs; breach notification; deletion/return at end; audits.
  • Security addenda: SBOM/SLSA attestations, vulnerability SLAs, pen‑test cadence, encryption/KMS requirements.
  • Cross‑border: SCCs/IDTA/BCRs + Transfer Impact Assessment (TIA); ensure onward‑transfer controls and government access risk assessments.
  • Registers: Maintain vendor and sub‑processor registers (public‑facing list where required).

9) Cross‑Border Transfers

  • Tools: Adequacy decisions; EU SCCs (with the UK Addendum for UK‑origin transfers), UK IDTA, BCRs, intra‑group agreements; for Switzerland use FDPIC‑recognised clauses.
  • TIA: Required when relying on SCCs/IDTA; document destination laws, access risks, and technical measures (encryption, split knowledge).
  • Government access: Apply risk‑based encryption (end‑to‑end where feasible), key residency, and defined lawful request handling SOP.

10) Security & Privacy by Design (summary – see Annex E/F)

  • TOMs: Encryption (at rest/in transit), network segmentation, strong IAM/MFA, HSM/KMS, secure coding, vulnerability mgmt (critical ≤7d).
  • Anonymisation/pseudonymisation: Prefer privacy‑preserving techniques; documented re‑identification risk analysis. Pseudonymised data remains PD: keep the key or mapping table separate from the data, under its own access control and retention rule.
  • Data classification: Public / Internal / Confidential / Restricted‑PD; map to handling rules.
  • Testing: Privacy reviews in change management; pre‑production data masking.

11) Breach Management & Notification Clocks

  • Immediate actions: Contain → assess → record → notify.
  • Internal clock: Notify DPO/CISO within 12 hours of suspected incident.
  • External clocks (default references; see appendices for local rules):
    GDPR (EU): Notify supervisory authority within 72 hours of awareness if risk to rights; notify individuals without undue delay if high risk.
    PDPA (Singapore): Notify PDPC as soon as practicable and no later than 3 calendar days after the assessment determines the breach is notifiable; notify affected individuals as soon as practicable, at the same time as or after notifying PDPC, unless an exception applies.
    nFADP (Switzerland): Notify FDPIC as soon as possible where high risk; notify individuals where necessary for protection.
    POPIA (South Africa): Notify Information Regulator and affected data subjects as soon as reasonably possible.
    LGPD (Brazil): Notify ANPD and data subjects without undue delay per guidance.
    Kenya DPA: Notify ODPC within 72 hours and affected data subjects without undue delay where risk is high.
    Canada (PIPEDA/Law 25): Report to OPC and notify individuals as soon as feasible if real risk of significant harm; provincial rules may be stricter.
    US State Laws: Notify affected individuals without unreasonable delay; regulator/AG timelines vary by state; consult US appendix.
  • Record‑keeping: Maintain breach register; post‑incident review and corrective actions; dual‑log Class A/B if material.

12) Notices, Consent & Transparency

  • Privacy notices: Clear, layered notices for websites, apps, and program materials.
  • Consent management: CMP for web/app; withdrawal as easy as grant; record consent time, scope, and proof.
  • Direct marketing: Opt‑in/opt‑out per law; maintain suppression lists; honour marketing preferences across systems.

13) Retention & Deletion

  • Schedules: Define retention by data category; default to shortest period consistent with legal/operational needs.
  • Defensible deletion: Automated jobs; verifiable destruction or anonymisation (cryptographic erasure of the per‑record or per‑dataset key is acceptable where the data is encrypted under that key and no plaintext copy exists); deletion logs retained, and written so that they contain no PD themselves.
  • Legal holds: Suspend deletion where litigation or investigation is reasonably anticipated.
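As an added worked example (not code from this Annex or from any Nexus system), the following sketches the mechanics behind “defensible deletion”, “legal holds” and the immutable, tamper‑evident access logs that 5) requires: each record is encrypted under its own data‑encryption key, deletion destroys that key (cryptographic erasure), a legal hold suspends it, and every decision is appended to a hash‑chained log that carries no personal data. The `RetentionEngine` class, the `RETENTION` schedule values and the three sample records are hypothetical; the HMAC‑based XOR keystream stands in for AES‑GCM from a KMS/HSM so the example runs offline.

```python
"""Retention with legal holds and crypto-shredding (added example, not the page's code)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed retention schedule by category (illustrative values, not the page's schedule).
RETENTION = {"support_ticket": timedelta(days=365), "restricted_pd": timedelta(days=90)}

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter keystream XOR: an offline stand-in for AES-GCM via a KMS/HSM.
    The same call encrypts and decrypts (no authentication tag in this sketch)."""
    stream = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Record:
    rid: str
    category: str
    created_at: datetime
    key_id: str
    ciphertext: bytes
    legal_hold: bool = False

class RetentionEngine:
    """Each record is encrypted under its own DEK; destroying the DEK is the deletion."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self.records: dict[str, Record] = {}
        self.log: list[dict] = []
        self._prev = "0" * 64

    def ingest(self, rid: str, category: str, created_at: datetime, plaintext: bytes) -> None:
        if category not in RETENTION:
            raise ValueError(f"no retention schedule defined for {category!r}")
        key, key_id = secrets.token_bytes(32), secrets.token_hex(8)
        self._keys[key_id] = key
        self.records[rid] = Record(rid, category, created_at, key_id, xor_crypt(key, plaintext))

    def readable(self, rid: str) -> bool:
        return self.records[rid].key_id in self._keys

    def read(self, rid: str) -> bytes:
        if not self.readable(rid):
            raise PermissionError("DEK destroyed: record is unrecoverable")
        rec = self.records[rid]
        return xor_crypt(self._keys[rec.key_id], rec.ciphertext)

    def _log(self, event: str, rec: Record, now: datetime) -> None:
        # The log carries no PD: a hash of the record id, the category and timestamps only.
        entry = {"event": event, "rid_hash": hashlib.sha256(rec.rid.encode()).hexdigest(),
                 "category": rec.category, "at": now.isoformat(), "prev": self._prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev = entry["hash"]
        self.log.append(entry)

    def run(self, now: datetime) -> list[str]:
        """Crypto-shred every expired record not under legal hold; return the ids shredded."""
        shredded = []
        for rec in self.records.values():
            expired = now >= rec.created_at + RETENTION[rec.category]
            if rec.key_id not in self._keys or not expired:
                continue  # already destroyed, or still inside its retention period
            if rec.legal_hold:
                self._log("deletion_suspended_legal_hold", rec, now)
                continue
            del self._keys[rec.key_id]
            self._log("crypto_shredded", rec, now)
            shredded.append(rec.rid)
        return shredded

def verify_log(log: list[dict]) -> bool:
    """Recompute the hash chain; any edited, reordered or removed entry breaks it."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def demo() -> dict:
    """Constructed scenario: one expired record, one expired but on hold, one still live."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    eng = RetentionEngine()
    eng.ingest("r1", "restricted_pd", t0, b"clinical note (constructed)")
    eng.ingest("r2", "restricted_pd", t0, b"note under investigation (constructed)")
    eng.ingest("r3", "support_ticket", t0, b"ticket body (constructed)")
    eng.records["r2"].legal_hold = True
    first = eng.run(t0 + timedelta(days=120))
    eng.records["r2"].legal_hold = False
    second = eng.run(t0 + timedelta(days=200))
    return {"engine": eng, "first_run": first, "second_run": second,
            "r1_readable": eng.readable("r1"), "log_valid": verify_log(eng.log)}
```

`demo()` runs the scheduler 120 days after ingestion: the 90‑day record is shredded, the held record is logged as suspended, and the 365‑day ticket is untouched; lifting the hold and running again at day 200 shreds the held record and nothing else. `verify_log` is what an auditor would run over the retained log: because each entry commits to its predecessor, an edit to any entry, or removal of one, fails the check. Backups are the usual gap here: cryptographic erasure only counts as destruction if the DEK was never copied into a backup set that outlives the schedule.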

14) Training & Audits

  • Training: Induction + annual refresher; role‑specific modules for engineers, analysts, and frontline teams.
  • Audits: Annual privacy audit (policy effectiveness, DPAs, DPIAs, DSR handling); remediation tracked to closure; spot checks on SDZ access controls.

15) Enforcement

Policy breaches may lead to disciplinary action up to termination, contract suspension, or regulator notification, alongside contractual/legal remedies.


16) Host‑Law Appendices (Equal Treatment)

Each appendix supplements the baseline; apply the strictest rule where conflicts arise.

  • Appendix SG — Singapore (PDPA 2012, as amended): DPO appointment; data‑breach notification timing; deemed consent for contractual necessity and notification; Do‑Not‑Call (DNC) Registry rules; cross‑border transfer obligations; PDPC guides.
  • Appendix EU/FR — European Union/France (GDPR + French law): Controller/processor roles; Article 30 RoPA; DPO independence; DPIA criteria (WP29); SCCs; ePrivacy/consent for cookies; CNIL specifics.
  • Appendix CH — Switzerland (nFADP): FDPIC notice triggers “as soon as possible”; high‑risk profiling; Swiss‑specific SCC references; records in German/French/Italian as needed.
  • Appendix US — United States (State privacy + sector): CCPA/CPRA, Colorado/Connecticut/Virginia/Utah acts; HIPAA/GLBA sector overlays; data broker registrations where applicable; AG notice content.
  • Appendix CA — Canada (PIPEDA + Quebec Law 25): Privacy management program; breach reporting; cross‑border transparency; Quebec consent/formalities; prospective CPPA notes.
  • Appendix BR — Brazil (LGPD): Legal bases; DPO (Encarregado); ANPD guidance on breach timing; international transfer rules.
  • Appendix KE — Kenya: Data Protection Act 2019; registration of data controllers/processors; 72‑hour breach; Data Commissioner guidance.
  • Appendix ZA — South Africa (POPIA): Conditions for lawful processing; Information Regulator notices; operator agreements.
  • Appendix SN/WA — Senegal/West Africa: Senegal Law No. 2008‑12 (CDP, Commission de protection des Données Personnelles); UEMOA/ECOWAS principles; CNDP/CNIL‑style filings; OHADA records interface.
  • Appendix UAE — United Arab Emirates: Federal Decree‑Law No. 45/2021 (PDPL); DIFC/ADGM data protection regimes; cross‑border clauses; DPO/representative where required.

17) Effective Date & Governance

Adopted by the Board(s) of all regional operators on [●] and incorporated by reference into each Charter/Bylaw and into vendor/customer contracts via DPA terms. Class B to amend; Class A to weaken controls.

Previous: Annex B — Regulatory Perimeter & Licensing Policy
Next: Annex D — Sovereign Data Zone (SDZ) & Cross‑Border Transfers Policy
