1. Introduction

This Data Subject Access Request Policy (Policy) sets out the procedure to be adopted by Airtel Networks Limited (‘Airtel’) in responding to requests by individuals (Data Subjects) regarding their personal data held by Airtel in line with the provisions of the Nigeria Data Protection Regulation 2019 (NDPR). This Policy should be read in conjunction with Airtel Data Privacy and Protection Policy and Airtel Privacy Notice.

The Data Protection Officer (DPO) shall be responsible for overseeing this Policy to ensure compliance with the provisions of the NDPR.

2. Personal Data

This Policy is limited to the Personal Data collected by Airtel from Data Subjects. Under the NDPR, “Personal Data” means any information relating to an identified or identifiable natural person or Data Subject. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, Identification number, location data, online identifier or to factor(s) specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes name, address, photo, email address, bank details, posts on social networking websites, medical information, and other unique identifier as provided under the NDPR.

3. Data Subject Rights

3.1. Airtel collects and processes Personal Data of Data Subjects in furtherance of its business operations.

3.2. In line with the provisions of the NDPR, Data Subjects are entitled to the rights below:

a) Right to request for and access Personal Data collected and stored by Airtel

b) Right to object to processing of Personal Data;

c) Right to be informed of and provide consent prior to the processing of data for purposes other than that for which the Personal Data were collected;

d) Right to object to automated decision making and profiling;

e) Right to withdraw consent at any time;

f) Right to request rectification and modification of your data kept by Airtel;

g) Right to request for deletion of your data collected and stored by Airtel; and

h) Right to request the movement of data from Airtel to a Third Party i.e. the right to the portability of data.

3.3. Any request as it relates to implementation of the above rights shall be carried out by completing and submitting the Subject Access Request Form (SAR Form) in accordance with the terms of this Policy.

4. Subject Access Request Response Procedure

4.1. Where a Data Subject wishes to exercise any of the rights guaranteed under the NDPR, they shall make a formal request by completing the SAR Form (See Appendix 1) and sending the completed form via email to the Data Protection Officer (DPO) at

4.2. Airtel shall contact the Data Subject within 5 working days of the receipt of the SAR Form to confirm receipt of the subject access request and may request additional information to verify and confirm the identity of the individual making the request.

4.3. The DPO, on receiving any request from a Data Subject, shall record the request and carry out verification of the identity of the individual making the request using the details provided in the SAR Form and a valid means of identification such as international passport, driver’s license, national identification card, employee identity card issued by Airtel or any other acceptable means of identification.

4.4. Where the request is from a third party (such as relative or representative of the Data Subject), Airtel Network will verify their authority to act for the Data Subject and may contact the Data Subject to confirm their identity and request the Data Subject’s consent to disclose the information.

4.5. When the identity of the individual making the request is verified, the DPO shall coordinate the gathering of all information collected with respect to the individual in a concise, transparent, intelligible and easily accessible form, using clear and plain language with a view to responding to the specific request. The information may be provided in writing, or by other means, including, where appropriate, by electronic means or orally provided that the identity of the Data Subject is proven by other means.

4.6. Where the information requested relates directly or indirectly to another person, Airtel will seek the consent of that person before processing the request. However, where disclosure would adversely affect the rights and freedoms of others and Airtel is unable to disclose the information, Airtel will inform the requestor promptly, with reasons for that decision.

5. Fees and Timeframe

5.1. Airtel shall ensure that it provides the information required by a Data Subject or respond to the request by the Data Subject within a period of one month from the receipt of the request. However, where Airtel is unable to act on the request of the Data Subject, it shall inform the Data Subject promptly at least within one month of receipt of the request of the reasons for not taking action and notify them of the option of lodging a complaint with the National Information Technology Development Agency (NITDA), in line with the NDPR.

5.2. Any information provided to the Data Subject by Airtel shall be provided free of charge. However, where requests from a Data Subject are manifestly unfounded or excessive in particular because of their repetitive or cumbersome nature, Airtel may:

a. charge a reasonable fee taking into account the administrative costs of providing the information or communication, taking the action required or making a decision to refuse to act on the request; or

b. write a letter to the Data Subject stating refusal to act on the request and copying the National Information Technology Development Agency (NITDA).

6. Exceptions To Data Subjects Access Rights

To the extent permitted by applicable laws, Airtel may refuse to act on a Data Subject’s request, if at least one of the following applies:

a) in compliance with a legal obligation to which Airtel is subject;

b) protecting the vital interests of the Data Subject or of another natural person; and

c) for public interest or in exercise of official public mandate vested in Airtel

7. Related Policies and Procedures

This Policy shall be read in conjunction with the following policies and procedures of Airtel Networks

a) Data Privacy and Protection Policy

b) IT Security Policy

c) Document Retention Policy

d) Personal Data Breach Management Policy

8. Changes to the Policy

Airtel reserves the right to change, amend or alter this Policy at any point in time. If we amend this Policy, we will issue an updated version.

9. Contact for any Queries

Airtel has appointed a DPO responsible for overseeing Airtel data protection strategy and its implementation to ensure compliance with NDPR requirements.

The DPO should be contacted if you have any queries or clarifications regarding the operation of this Policy. The contact details are set out below:

· Data Protection Officer: Moyosore Jide-Taiwo

· Location: Airtel HQ. Plot L2 Foreshore Estate Banana Island Ikoyi Lagos.

· Phone: …09041119000.

· Email: …