PRIVACY POLICY
Corona Management Systems (CMS) Website
Effective Date: April 1, 2026
Last Updated: April 1, 2026
TABLE OF CONTENTS
I. INTRODUCTION 1.1 Purpose and Regulatory Context 1.2 Organisational Identity 1.3 Digital Infrastructure 1.4 Scope of Application 1.5 Relationship with Other CMS Policies 1.6 Supplemental Disclosures 1.7 Third-Party Platforms
II. DEFINITIONS 2.1 Interpretation 2.2 Personal Data 2.3 Processing 2.4 Data Controller 2.5 Data Processor 2.6 User 2.7 Website 2.8 Services 2.9 Third-Party Service Providers 2.10 Applicable Data Protection Laws
III. SCOPE OF POLICY 3.1 General Scope 3.2 Website-Limited Application 3.3 Categories of Data Subjects 3.4 Nature of Interaction 3.5 Role of CMS as Data Controller 3.6 Cross-Border Considerations 3.7 Hierarchy of Application 3.8 Express Exclusion of Operational Data Processing
IV. CATEGORIES OF PERSONAL DATA COLLECTED 4.1 General Principle 4.2 Data Provided Directly by Users 4.3 Communication and Correspondence Data 4.4 Technical and Device Information 4.5 Usage and Analytics Data 4.6 Cookies and Similar Technologies 4.7 Data from Third-Party Sources 4.8 Special Categories of Data 4.9 Data Minimisation and Retention Alignment
V. LAWFUL BASIS FOR PROCESSING AND PURPOSE LIMITATION 5.1 General Principle of Lawful Processing 5.2 Purpose Limitation 5.3 Contractual Necessity 5.4 Legitimate Interests 5.5 Consent 5.6 Legal and Regulatory Obligations 5.7 Security and Protection of Vital Interests 5.8 Data Minimisation and Necessity Standard 5.9 Prohibition of Secondary Use Without Basis 5.10 Alignment with Regulatory Principles
VI. USE OF PERSONAL DATA 6.1 General Use Framework 6.2 Communication and Inquiry Management 6.3 Stakeholder and Engagement Management 6.4 Website Operation and Administration 6.5 Security and Integrity of Systems 6.6 Analytics and Website Improvement 6.7 Compliance, Risk Management, and Record-Keeping 6.8 Prevention of Misuse and Unlawful Activity 6.9 No Automated Decision-Making 6.10 Limitation of Use
VII. DISCLOSURE AND SHARING OF PERSONAL DATA 7.1 General Principle of Non-Disclosure 7.2 Permitted Disclosures 7.3 Disclosure to Third-Party Service Providers 7.4 Disclosure Within CMS 7.5 Disclosure for Legal and Regulatory Purposes 7.6 Disclosure in Connection with Organisational Transactions 7.7 Cross-Border Transfers 7.8 No Unauthorised Disclosure 7.9 Third-Party Independence
VIII. DATA RETENTION 8.1 General Retention Principle 8.2 Purpose-Based Retention 8.3 Communication Data Retention 8.4 Technical and Analytics Data Retention 8.5 Legal and Regulatory Retention Requirements 8.6 Data Minimisation and Periodic Review 8.7 Secure Deletion and Disposal 8.8 Suspension of Deletion
IX. DATA SECURITY AND SAFEGUARDS 9.1 General Security Commitment 9.2 Security Governance Framework 9.3 Access Controls and Confidentiality 9.4 Technical Safeguards 9.5 Organisational Measures 9.6 Third-Party Security Controls 9.7 Incident Detection and Response 9.8 Risk Management and Continuous Improvement 9.9 Limitation of Absolute Security
X. DATA SUBJECT RIGHTS 10.1 General Rights Framework 10.2 Right of Access 10.3 Right to Rectification 10.4 Right to Erasure 10.5 Right to Restriction of Processing 10.6 Right to Object 10.7 Right to Withdraw Consent 10.8 Right to Data Portability 10.9 Right to Lodge a Complaint 10.10 Exercise of Rights 10.11 Limitations and Exceptions
XI. COOKIES AND TRACKING TECHNOLOGIES 11.1 Use of Cookies and Similar Technologies 11.2 Categories of Cookies Used 11.3 Purpose of Cookies 11.4 Legal Basis for Cookie Usage 11.5 Consent Mechanisms 11.6 Third-Party Cookies 11.7 User Controls and Browser Settings 11.8 Retention of Cookie Data 11.9 Updates to Cookie Practices
XII. INTERNATIONAL DATA TRANSFERS 12.1 General Principle 12.2 Cross-Border Nature of Digital Infrastructure 12.3 Compliance with Applicable Data Protection Laws 12.4 Transfer Safeguards 12.5 Transfers to Service Providers 12.6 Absence of Adequacy Decisions 12.7 User Acknowledgement
XIII. UPDATES TO THIS PRIVACY POLICY 13.1 Right to Modify 13.2 Effective Date of Changes 13.3 Notification of Material Changes 13.4 User Responsibility to Review 13.5 No Retrospective Impact
XIV. CONTACT INFORMATION AND DATA PROTECTION ENQUIRIES 14.1 General Enquiries 14.2 Data Protection Contact Point 14.3 Submission of Requests 14.4 Response Timeframes 14.5 Regulatory Authorities 14.6 Limitation of Contact Channels
XV. CHILDREN’S PRIVACY 15.1 General Principle 15.2 No Intentional Collection 15.3 Inadvertent Collection 15.4 Parental or Guardian Rights 15.5 Limitation of Responsibility
I. INTRODUCTION
1.1 Purpose and Regulatory Context
This Privacy Policy (the “Policy”) establishes the principles, standards, and governance framework governing the collection, Processing, storage, use, disclosure, and protection of Personal Data in connection with access to and use of the Corona Management Systems website.
1.2 Organisational Identity
Corona Management Systems (“CMS,” “we,” “our,” or “us”) is a social enterprise engaged in the design, implementation, and management of programmes and technology-driven solutions across the health, education, and social development sectors, operating across multiple jurisdictions.
1.3 Digital Infrastructure
This Policy applies to Personal Data Processed through CMS’s official website located at www.coronams.com (the “Website”), including any web-based interfaces, communication channels, or forms made available through the Website.
1.4 Scope of Application
This Policy governs all Personal Data collected or otherwise Processed in connection with: (a) access to or interaction with the Website; (b) submission of information through web forms, contact channels, or digital interfaces; and (c) any other interaction through which Personal Data is provided to or collected by CMS in a digital context.
1.5 Relationship with Other CMS Policies
This Policy shall be read in conjunction with other CMS governance instruments, including but not limited to internal data protection protocols, information security policies, and any applicable contractual or regulatory obligations governing the handling of Personal Data.
1.6 Supplemental Disclosures
Where CMS provides additional privacy notices, disclaimers, or disclosures in connection with specific programmes, platforms, or engagements, such disclosures shall supplement this Policy and, in the event of inconsistency, shall prevail to the extent expressly stated.
1.7 Third-Party Platforms
This Policy does not apply to third-party websites, platforms, or services that may be accessed through links or integrations provided on the Website. CMS does not control and is not responsible for the privacy practices of such third parties.
II. DEFINITIONS
2.1 Interpretation
For the purposes of this Policy, unless the context otherwise requires, the terms set out in this Section shall have the meanings assigned to them below. Words importing the singular shall include the plural and vice versa.
2.2 Personal Data
“Personal Data” means any information relating to an identified or identifiable natural person, including any data by which such person may be identified, directly or indirectly, by reference to identifiers such as a name, identification number, location data, online identifier, or one or more factors specific to that person’s identity.
2.3 Processing
“Processing” means any operation or set of operations performed on Personal Data, whether by automated means or otherwise, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
2.4 Data Controller
“Data Controller” means the natural or legal person, public authority, agency, or other body that determines the purposes and means of Processing Personal Data.
2.5 Data Processor
“Data Processor” means any natural or legal person or entity that Processes Personal Data on behalf of a Data Controller.
2.6 User
“User” means any individual who accesses, browses, or otherwise interacts with the Website.
2.7 Website
“Website” means the official CMS website accessible at www.coronams.com, including all associated web pages, forms, and digital interfaces.
2.8 Services
“Services” means any information, content, or engagement made available through the Website.
2.9 Third-Party Service Providers
“Third-Party Service Providers” means external vendors, contractors, or service providers engaged by CMS to support the operation, maintenance, hosting, analytics, or security of its digital infrastructure.
2.10 Applicable Data Protection Laws
“Applicable Data Protection Laws” means all laws, regulations, and regulatory frameworks governing the Processing of Personal Data in jurisdictions where CMS operates or where such laws are otherwise applicable, including but not limited to the Nigeria Data Protection Act (NDPA), the General Data Protection Regulation (GDPR), and any other relevant national or international data protection frameworks.
III. SCOPE OF POLICY
3.1 General Scope
This Policy governs the collection and Processing of Personal Data arising from access to and use of the Website and any associated digital interfaces through which CMS engages with Users in an online context.
3.2 Website-Limited Application
Without prejudice to CMS’s broader data protection obligations, this Policy applies exclusively to Personal Data collected through: (a) the Website and its associated pages, interfaces, and forms; (b) electronic communications initiated through the Website, including contact forms, inquiry submissions, and general correspondence; and (c) automated technologies deployed on or through the Website for operational, analytical, or security purposes. For the avoidance of doubt, this Policy does not govern Personal Data Processing activities conducted outside the Website environment, including those arising from CMS’s programmatic, field, research, or service delivery operations, which may be subject to separate data protection frameworks, contractual arrangements, or regulatory regimes.
3.3 Categories of Data Subjects
This Policy applies to Personal Data relating to individuals who interact with the Website, including but not limited to: (a) visitors who browse or otherwise access the Website; (b) individuals who submit inquiries, requests, or other communications through the Website; (c) prospective partners, collaborators, donors, or stakeholders engaging with CMS through digital channels; and (d) any other individual who provides Personal Data to CMS via the Website.
3.4 Nature of Interaction
The Processing activities contemplated under this Policy arise from limited and defined interactions, including informational access, voluntary submission of data, and system-generated data collection necessary for the operation and security of the Website. No Personal Data is collected by CMS through the Website beyond what is reasonably necessary for these purposes, unless explicitly provided by the User.
3.5 Role of CMS as Data Controller
In relation to Personal Data collected through the Website, CMS acts as a Data Controller and determines the purposes and means of Processing such Personal Data, subject to Applicable Data Protection Laws. Where CMS engages Third-Party Service Providers in connection with the operation of the Website, such providers shall act as Data Processors or independent controllers, as the case may be, and shall be subject to appropriate contractual and regulatory safeguards.
3.6 Cross-Border Considerations
Given the global accessibility of the Website, Personal Data may be accessed, transmitted, or Processed across jurisdictions. CMS shall ensure that such cross-border Processing is conducted in accordance with Applicable Data Protection Laws and appropriate safeguards are implemented where required.
3.7 Hierarchy of Application
In the event that Personal Data submitted through the Website subsequently becomes subject to a specific programme, engagement, or contractual relationship with CMS, the data protection terms applicable to such engagement shall govern the Processing of such Personal Data to the extent of any inconsistency with this Policy.
3.8 Express Exclusion of Operational Data Processing
For the avoidance of doubt, this Policy does not apply to the Processing of Personal Data undertaken by CMS in connection with its programme implementation, field operations, research activities, or any independent digital platforms or systems operated by or on behalf of CMS, all of which shall be governed by separate data protection frameworks.
IV. CATEGORIES OF PERSONAL DATA COLLECTED
4.1 General Principle
CMS limits the collection of Personal Data through the Website to data that is relevant, adequate, and necessary for defined purposes, in accordance with the principles of data minimisation and proportionality under Applicable Data Protection Laws.
4.2 Data Provided Directly by Users
CMS may collect Personal Data voluntarily provided by Users through the Website, including where Users: (a) submit inquiries, requests, or messages through contact forms or designated communication channels; (b) communicate with CMS via email addresses published on the Website; or (c) otherwise provide information in connection with engagement, partnership, or general correspondence. Such Personal Data may include, without limitation, the User’s name, email address, telephone number, organisational affiliation, and any other information the User elects to provide.
4.3 Communication and Correspondence Data
CMS may Process Personal Data contained in communications between Users and CMS, including the content of messages, attachments, and any related metadata, for the purposes of responding to inquiries, maintaining records of correspondence, and ensuring continuity of engagement.
4.4 Technical and Device Information
CMS may automatically collect certain technical information when Users access the Website, including: (a) Internet Protocol (IP) address; (b) browser type and version; (c) device type and operating system; (d) date and time of access; and (e) system log data reflecting interactions with the Website. Such information is collected for purposes including system administration, security monitoring, performance optimisation, and detection of unauthorised or malicious activity.
4.5 Usage and Analytics Data
CMS may Process information relating to how Users interact with the Website, including navigation patterns, page views, session duration, and interaction metrics, through the use of analytics tools or similar technologies. This data is used in aggregated or de-identified form to improve Website functionality, enhance user experience, and inform organisational decision-making regarding digital engagement.
4.6 Cookies and Similar Technologies
The Website may utilise cookies, web beacons, and similar tracking technologies to facilitate core functionality, enhance user experience, and collect analytical data. Where required under Applicable Data Protection Laws, Users shall be provided with appropriate notice and, where applicable, the opportunity to consent to or manage the use of such technologies.
4.7 Data from Third-Party Sources
CMS does not intentionally collect Personal Data about Users from third-party sources through the Website. However, where Users engage with CMS through integrated platforms or external links, limited data may be received in accordance with the privacy settings and policies governing such third-party services.
4.8 Special Categories of Data
CMS does not intentionally collect sensitive or special categories of Personal Data through the Website. Users are advised not to submit such data through Website forms or communication channels unless specifically requested and subject to appropriate safeguards.
4.9 Data Minimisation and Retention Alignment
CMS shall ensure that Personal Data collected through the Website is limited to what is necessary for its intended purposes and shall not be retained for longer than required, subject to legal, regulatory, or operational obligations.
V. LAWFUL BASIS FOR PROCESSING AND PURPOSE LIMITATION
5.1 General Principle of Lawful Processing
CMS shall Process Personal Data collected through the Website only where a valid and lawful basis for such Processing exists under Applicable Data Protection Laws. All Processing activities shall be conducted in a fair, lawful, and transparent manner, and shall be limited to what is necessary for clearly defined and legitimate purposes.
5.2 Purpose Limitation
Personal Data collected through the Website shall be Processed solely for specific, explicit, and legitimate purposes communicated to Users at the point of collection or otherwise reasonably inferable from the nature of the interaction. CMS shall not Process Personal Data in a manner that is incompatible with such purposes unless required or permitted under Applicable Data Protection Laws.
5.3 Contractual Necessity
CMS may Process Personal Data where such Processing is necessary to take steps at the request of a User prior to entering into a relationship or to respond to inquiries, requests, or communications initiated through the Website. This includes, without limitation, processing necessary to: (a) respond to contact form submissions or direct inquiries; (b) provide information regarding CMS services, programmes, or engagements; and (c) facilitate preliminary engagement with prospective partners, collaborators, or stakeholders.
5.4 Legitimate Interests
CMS may Process Personal Data where such Processing is necessary for the legitimate interests pursued by CMS, provided that such interests are not overridden by the fundamental rights and freedoms of the User. Such legitimate interests may include, without limitation: (a) maintaining, operating, and improving the functionality and performance of the Website; (b) ensuring the security, integrity, and resilience of CMS digital infrastructure; (c) monitoring usage patterns to inform organisational strategy and enhance user experience; (d) preventing fraud, misuse, unauthorised access, or other unlawful activities; and (e) managing internal administrative and operational processes associated with Website engagement. CMS shall undertake appropriate balancing assessments, where required, to ensure that such Processing does not disproportionately impact User rights.
5.5 Consent
Where required under Applicable Data Protection Laws, CMS shall obtain the User’s consent prior to Processing Personal Data for specific purposes. Such consent shall be: (a) freely given, specific, informed, and unambiguous; (b) obtained through clear affirmative action where required; and (c) capable of being withdrawn by the User at any time, without affecting the lawfulness of Processing carried out prior to such withdrawal. Consent may be relied upon in circumstances including, but not limited to: (a) the use of non-essential cookies or tracking technologies; and (b) specific data submissions where consent is expressly requested.
5.6 Legal and Regulatory Obligations
CMS may Process Personal Data where such Processing is necessary to comply with applicable legal or regulatory obligations. This includes, without limitation, Processing required to: (a) comply with applicable laws, regulations, or regulatory directives; (b) respond to lawful requests, court orders, or directives from competent authorities; and (c) establish, exercise, or defend legal rights or claims.
5.7 Security and Protection of Vital Interests
CMS may Process Personal Data where such Processing is necessary to protect the vital interests of a User or another individual, or to ensure the security and integrity of CMS systems and digital infrastructure.
5.8 Data Minimisation and Necessity Standard
CMS shall ensure that Personal Data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is Processed. No Personal Data shall be collected or retained through the Website on a speculative or excessive basis.
5.9 Prohibition of Secondary Use Without Basis
CMS shall not use Personal Data collected through the Website for secondary or unrelated purposes unless: (a) a valid lawful basis exists for such Processing; and (b) Users have been appropriately informed in accordance with Applicable Data Protection Laws.
5.10 Alignment with Regulatory Principles
This Section shall be interpreted in a manner consistent with the principles of lawfulness, fairness, transparency, purpose limitation, and data minimisation as recognised under Applicable Data Protection Laws, including the Nigeria Data Protection Act (NDPA) and, where applicable, the General Data Protection Regulation (GDPR).
VI. USE OF PERSONAL DATA
6.1 General Use Framework
CMS Processes Personal Data collected through the Website solely for purposes that are lawful, defined, and proportionate to the nature of the interaction between the User and the Website, and for the purpose of supporting CMS’s legitimate administrative, operational, and communication-related functions associated with the Website.
6.2 Communication and Inquiry Management
CMS may Process Personal Data to receive, manage, and respond to inquiries, requests, or communications submitted by Users through the Website or associated communication channels. This includes, without limitation, processing necessary to: (a) acknowledge and respond to User inquiries; (b) provide requested information regarding CMS programmes, services, or operations; and (c) maintain internal records of correspondence for continuity, quality assurance, and administrative purposes.
6.3 Stakeholder and Engagement Management
Personal Data may be Processed to facilitate engagement with individuals or entities expressing interest in CMS activities, including prospective partners, collaborators, donors, or other stakeholders. Such Processing may include evaluating inquiries, coordinating follow-up communications, and managing preliminary engagement processes.
6.4 Website Operation and Administration
CMS may Process Personal Data to operate, maintain, and administer the Website and its associated systems. This includes Processing necessary to: (a) ensure the proper functioning and availability of the Website; (b) manage system performance and reliability; and (c) support internal administrative processes associated with digital operations.
6.5 Security and Integrity of Systems
CMS may Process Personal Data to protect the security, integrity, and resilience of its website and digital infrastructure. This includes, without limitation, Processing undertaken to: (a) detect, prevent, and respond to unauthorised access, misuse, or malicious activity; (b) monitor system activity for security and compliance purposes; and (c) safeguard CMS systems against technical vulnerabilities and cyber threats.
6.6 Analytics and Website Improvement
CMS may Process Personal Data, including technical and usage data, to analyse how Users interact with the Website and to improve its functionality, structure, and content. Such Processing shall, where practicable, be conducted on an aggregated or de-identified basis and shall be used solely to enhance user experience, optimise Website performance, and inform CMS’s digital engagement strategy.
6.7 Compliance, Risk Management, and Record-Keeping
Personal Data may be Processed to support CMS’s compliance with applicable legal, regulatory, and internal governance obligations. This includes Processing necessary to: (a) maintain appropriate records of Website interactions and communications; (b) demonstrate compliance with Applicable Data Protection Laws; and (c) support internal audit, risk management, and governance processes.
6.8 Prevention of Misuse and Unlawful Activity
CMS may Process Personal Data to investigate, prevent, or address suspected misuse of the Website, violations of applicable laws, or breaches of CMS policies. Such Processing may include monitoring and analysing interactions where reasonably necessary to protect CMS’s legal and operational interests.
6.9 No Automated Decision-Making
CMS does not engage in automated decision-making, including profiling, that produces legal or similarly significant effects on Users in connection with Personal Data collected through the Website.
6.10 Limitation of Use
CMS shall not use Personal Data collected through the Website for purposes that are excessive, unrelated, or incompatible with those set out in this Section, unless a lawful basis exists and Users have been appropriately informed in accordance with Applicable Data Protection Laws.
VII. DISCLOSURE AND SHARING OF PERSONAL DATA
7.1 General Principle of Non-Disclosure
CMS does not sell, rent, or otherwise commercially exploit Personal Data collected through the Website. Personal Data shall not be disclosed to third parties except where such disclosure is necessary, lawful, and consistent with the purposes set out in this Policy.
7.2 Permitted Disclosures
CMS may disclose Personal Data to third parties only in the circumstances set out in this Section and subject to appropriate safeguards.
7.3 Disclosure to Third-Party Service Providers
CMS may engage Third-Party Service Providers to support the operation, maintenance, hosting, security, or analytics of the Website. Where such providers Process Personal Data on behalf of CMS: (a) they shall act as Data Processors and Process Personal Data solely in accordance with CMS’s documented instructions; (b) they shall be subject to contractual obligations imposing appropriate technical and organisational measures to protect Personal Data; and (c) they shall not retain, use, or disclose Personal Data for their own purposes. Such providers may include, without limitation, website hosting providers, cloud infrastructure providers, analytics service providers, and IT support vendors.
7.4 Disclosure Within CMS
Personal Data may be disclosed internally within CMS on a need-to-know basis to authorised personnel for the purposes set out in this Policy, including communication management, administrative coordination, compliance, and system oversight. All internal access to Personal Data shall be subject to appropriate confidentiality obligations and access controls.
7.5 Disclosure for Legal and Regulatory Purposes
CMS may disclose Personal Data where such disclosure is required or permitted under applicable law or regulatory obligation. This includes, without limitation, disclosure necessary to: (a) comply with applicable laws, regulations, or regulatory directives; (b) respond to lawful requests from courts, law enforcement agencies, or other competent authorities; (c) enforce CMS’s legal rights or defend against claims; or (d) investigate suspected unlawful activity or policy violations.
7.6 Disclosure in Connection with Organisational Transactions
In the event of any merger, restructuring, reorganisation, or similar transaction involving CMS, Personal Data may be disclosed to relevant counterparties or advisors, subject to appropriate confidentiality obligations and safeguards.
7.7 Cross-Border Transfers
Where Personal Data is disclosed to Third-Party Service Providers or otherwise transferred across jurisdictions, CMS shall ensure that such transfers are conducted in accordance with Applicable Data Protection Laws. Where required, CMS shall implement appropriate safeguards, which may include contractual protections, standard data protection clauses, or reliance on legally recognised transfer mechanisms.
7.8 No Unauthorised Disclosure
CMS shall not disclose Personal Data to any third party except as expressly permitted under this Section or otherwise authorised by Applicable Data Protection Laws. Any unauthorised access, disclosure, or breach involving Personal Data shall be addressed in accordance with CMS’s internal incident response procedures and applicable regulatory requirements.
7.9 Third-Party Independence
Where Personal Data is accessed through third-party platforms, integrations, or external links, such third parties shall act as independent controllers of any Personal Data collected through their own systems, and their processing activities shall be governed by their respective privacy policies. CMS shall not be responsible for the data handling practices of such third parties.
VIII. DATA RETENTION
8.1 General Retention Principle
CMS shall retain Personal Data collected through the Website only for as long as is necessary to fulfil the purposes for which such Personal Data was collected, as set out in this Policy, or as required to comply with applicable legal, regulatory, or operational obligations. Personal Data shall not be retained indefinitely or in excess of what is reasonably required for its intended purpose.
8.2 Purpose-Based Retention
The duration for which Personal Data is retained shall be determined by reference to the specific purpose for which it was collected, including, without limitation: (a) the time required to respond to and manage User inquiries or communications; (b) the need to maintain records of correspondence for administrative continuity and quality assurance; (c) the period necessary to support Website operation, analytics, and system monitoring; and (d) any applicable limitation periods for legal claims or regulatory requirements.
8.3 Communication Data Retention
Personal Data contained in communications between Users and CMS may be retained for a reasonable period to ensure continuity of engagement, enable follow-up where necessary, and maintain appropriate administrative records. Such data shall be periodically reviewed and securely deleted or anonymised where it is no longer required.
8.4 Technical and Analytics Data Retention
Technical, usage, and analytics data collected through the Website may be retained for as long as necessary to support system performance monitoring, security analysis, and Website improvement initiatives. Where practicable, such data shall be retained in aggregated or de-identified form.
8.5 Legal and Regulatory Retention Requirements
CMS may retain Personal Data for longer periods where such retention is required to comply with applicable laws, regulations, or regulatory directives, or where necessary to establish, exercise, or defend legal rights. In such circumstances, retention shall be limited to what is required for compliance with such obligations.
8.6 Data Minimisation and Periodic Review
CMS shall implement measures to ensure that Personal Data is subject to periodic review and shall take reasonable steps to delete, anonymise, or otherwise securely dispose of Personal Data that is no longer required for its original purpose.
8.7 Secure Deletion and Disposal
Upon expiration of the applicable retention period, Personal Data shall be securely deleted, anonymised, or irreversibly destroyed in a manner that prevents unauthorised access, recovery, or reconstruction. Such deletion shall be carried out in accordance with CMS’s internal data management and security protocols.
8.8 Suspension of Deletion
CMS may suspend the deletion of Personal Data where such data is required in connection with an ongoing investigation, audit, dispute, or legal proceeding, provided that such retention is limited to the duration necessary for such purpose.
IX. DATA SECURITY AND SAFEGUARDS
9.1 General Security Commitment
CMS implements appropriate technical and organisational measures designed to protect Personal Data collected through the Website against unauthorised access, disclosure, alteration, loss, or destruction. Such measures are proportionate to the nature, scope, context, and purposes of Processing, as well as the risks posed to the rights and freedoms of Users.
9.2 Security Governance Framework
CMS maintains an internal governance framework for information security and data protection, which includes policies, procedures, and controls governing the handling, storage, and protection of Personal Data across its digital systems. This framework is subject to periodic review and enhancement to reflect evolving risks, technological developments, and regulatory expectations.
9.3 Access Controls and Confidentiality
Access to Personal Data is restricted to authorised personnel within CMS who require such access for legitimate business purposes. Such personnel are subject to confidentiality obligations and are required to handle Personal Data in accordance with applicable policies and data protection principles. CMS implements role-based access controls and reasonable authentication measures to prevent unauthorised access.
9.4 Technical Safeguards
CMS employs appropriate technical safeguards to secure Personal Data, which may include, without limitation: (a) secure hosting environments and infrastructure protections; (b) encryption or secure transmission protocols where applicable; (c) system monitoring and logging mechanisms; and (d) protection against unauthorised system intrusion or malicious activity. Such safeguards are implemented in a manner consistent with industry standards and applicable regulatory expectations.
9.5 Organisational Measures
CMS adopts organisational measures to reinforce data protection and security, including: (a) internal policies governing data handling and system usage; (b) defined roles and responsibilities for data protection and IT security; and (c) awareness and compliance expectations applicable to personnel with access to Personal Data.
9.6 Third-Party Security Controls
Where CMS engages Third-Party Service Providers in connection with the Website, CMS shall take reasonable steps to ensure that such providers implement appropriate security measures consistent with applicable data protection standards. Such providers shall be subject to contractual obligations requiring the protection of Personal Data and restricting its use to authorised purposes.
9.7 Incident Detection and Response
CMS maintains procedures for the identification, assessment, and management of data security incidents, including incidents involving Personal Data. Where a Personal Data breach occurs, CMS shall take appropriate steps to contain, investigate, and remediate the incident, and shall comply with any applicable notification obligations under relevant data protection laws.
9.8 Risk Management and Continuous Improvement
CMS adopts a risk-based approach to data security and shall periodically assess potential vulnerabilities in its systems and processes. Security measures shall be reviewed and updated as necessary to address emerging threats, technological changes, and regulatory developments.
9.9 Limitation of Absolute Security
While CMS implements appropriate safeguards, no system of transmission or storage of data can be guaranteed to be completely secure. Accordingly, CMS does not warrant or guarantee absolute security of Personal Data, and Users acknowledge that the transmission of information via the internet is undertaken at their own risk.
X. DATA SUBJECT RIGHTS
10.1 General Rights Framework
CMS recognises and respects the rights of individuals in relation to their Personal Data, in accordance with Applicable Data Protection Laws. Users whose Personal Data is Processed through the Website may exercise certain rights, subject to applicable legal limitations, conditions, and exemptions.
10.2 Right of Access
Users have the right to request confirmation as to whether CMS Processes Personal Data relating to them and, where that is the case, to request access to such Personal Data, including information regarding the nature, purpose, and scope of the Processing.
10.3 Right to Rectification
Users have the right to request the correction or update of Personal Data that is inaccurate, incomplete, or outdated. CMS shall take reasonable steps to ensure that Personal Data is accurate and, where necessary, kept up to date.
10.4 Right to Erasure
Users may request the deletion or removal of their Personal Data where: (a) the Personal Data is no longer necessary for the purposes for which it was collected or Processed; (b) the User withdraws consent where Processing is based on consent and no other lawful basis applies; or (c) the Processing is otherwise unlawful. This right shall be subject to applicable legal and regulatory obligations that may require CMS to retain certain Personal Data.
10.5 Right to Restriction of Processing
Users may request that CMS restrict the Processing of their Personal Data in certain circumstances, including where the accuracy of the data is contested or where Processing is unlawful but the User opposes deletion.
10.6 Right to Object
Users have the right to object to the Processing of their Personal Data where such Processing is based on legitimate interests, unless CMS demonstrates compelling legitimate grounds that override the User’s rights and freedoms.
10.7 Right to Withdraw Consent
Where Processing is based on consent, Users have the right to withdraw such consent at any time. Withdrawal of consent shall not affect the lawfulness of Processing carried out prior to such withdrawal.
10.8 Right to Data Portability
To the extent applicable under relevant data protection laws, Users may have the right to request the transfer of their Personal Data to another controller in a structured, commonly used, and machine-readable format.
10.9 Right to Lodge a Complaint
Users have the right to lodge a complaint with a competent data protection authority if they believe that their Personal Data has been Processed in a manner that violates Applicable Data Protection Laws.
10.10 Exercise of Rights
Requests to exercise any of the rights set out in this Section may be submitted to CMS through the contact details provided in this Policy. CMS may require reasonable verification of identity before processing such requests and shall respond within the timeframes required under Applicable Data Protection Laws.
10.11 Limitations and Exceptions
The rights set out in this Section are not absolute and may be subject to limitations, restrictions, or exemptions under applicable law, including where Processing is necessary for compliance with legal obligations, the establishment or defence of legal claims, or other legitimate purposes recognised under Applicable Data Protection Laws.
XI. COOKIES AND TRACKING TECHNOLOGIES
11.1 Use of Cookies and Similar Technologies
The Website may utilise cookies and similar tracking technologies, including web beacons, pixels, and local storage mechanisms (collectively, “Cookies”), to support its functionality, enhance user experience, and enable analytical and security-related operations. Cookies are small data files placed on a user’s device when accessing the Website and are widely used to ensure the efficient operation of digital platforms.
11.2 Categories of Cookies Used
CMS may deploy different categories of Cookies through the Website, including the following:
11.2.1 Strictly Necessary Cookies
These Cookies are essential for the operation of the Website and enable core functionalities such as page navigation, access to secure areas, and system stability. The Website cannot function properly without these Cookies, and they do not require User consent where permitted under Applicable Data Protection Laws.
11.2.2 Performance and Analytics Cookies
These Cookies collect information about how Users interact with the Website, including pages visited, time spent on the Website, navigation patterns, and system performance. Such information is generally collected in an aggregated or anonymised form and is used to improve Website functionality, optimise performance, and enhance user experience.
11.2.3 Functional Cookies
These Cookies enable the Website to remember User preferences and choices, such as language settings or form inputs, to provide a more personalised experience.
11.2.4 Security Cookies
These Cookies are used to support the security and integrity of the Website, including detecting suspicious activity, preventing fraudulent use, and protecting against unauthorised access.
11.3 Purpose of Cookies
Cookies may be used by CMS for purposes including: (a) ensuring the proper functioning and stability of the Website; (b) improving Website performance and usability; (c) analysing user behaviour to inform Website development and content optimisation; and (d) maintaining the security and integrity of CMS systems.
11.4 Legal Basis for Cookie Usage
The use of Cookies shall be governed by Applicable Data Protection Laws. Where required, CMS shall obtain User consent prior to the placement of non-essential Cookies, including performance, analytics, and functional Cookies. Strictly necessary Cookies may be deployed without consent where permitted by law.
11.5 Consent Mechanisms
Where consent is required, Users shall be presented with a clear and accessible mechanism to: (a) accept or reject non-essential Cookies; (b) manage or customise Cookie preferences; and (c) withdraw or modify consent at any time. CMS shall ensure that consent mechanisms are designed in a manner that is transparent, granular, and compliant with applicable regulatory standards.
11.6 Third-Party Cookies
Certain Cookies may be placed by third-party service providers engaged by CMS, including analytics providers or infrastructure partners. Such third parties may Process information collected through Cookies in accordance with their own privacy policies. CMS shall take reasonable steps to ensure that such providers operate in compliance with applicable data protection requirements.
11.7 User Controls and Browser Settings
Users may manage or disable Cookies through their browser settings. Most browsers allow Users to refuse Cookies or to delete Cookies that have already been placed on their device. However, disabling certain Cookies may affect the functionality, performance, or availability of certain features of the Website.
11.8 Retention of Cookie Data
Cookies may remain on a user’s device for varying periods, depending on their purpose. Session Cookies are typically deleted when the User closes their browser, while persistent Cookies may remain for a longer period unless manually deleted or automatically expired.
11.9 Updates to Cookie Practices
CMS may update its use of Cookies and tracking technologies from time to time to reflect changes in technology, operational requirements, or regulatory expectations. Where such changes materially affect Users, CMS shall provide appropriate notice or update its consent mechanisms accordingly.
XII. INTERNATIONAL DATA TRANSFERS
12.1 General Principle
Personal Data collected through the Website may be transferred to, stored in, or accessed from jurisdictions outside the country in which the User is located, including jurisdictions in which CMS or its Third-Party Service Providers operate. Such transfers may occur in connection with the operation, hosting, maintenance, or security of the Website.
12.2 Cross-Border Nature of Digital Infrastructure
Given the global nature of internet-based services, the processing of Personal Data may involve the use of infrastructure, systems, or service providers located in multiple jurisdictions. Accordingly, Personal Data submitted through the Website may be processed in environments that differ from the User’s jurisdiction of residence.
12.3 Compliance with Applicable Data Protection Laws
CMS shall ensure that any transfer of Personal Data across borders is conducted in accordance with Applicable Data Protection Laws. Where required, CMS shall implement appropriate safeguards to ensure that Personal Data remains protected to a standard consistent with applicable legal and regulatory requirements.
12.4 Transfer Safeguards
Such safeguards may include, without limitation: (a) the use of contractual protections between CMS and Third-Party Service Providers; (b) reliance on recognised data transfer mechanisms or frameworks where applicable; (c) assessment of the data protection standards applicable in the recipient jurisdiction; and (d) implementation of appropriate technical and organisational measures to secure Personal Data.
12.5 Transfers to Service Providers
Where Personal Data is transferred to Third-Party Service Providers located outside the User’s jurisdiction, such providers shall be required to Process Personal Data in accordance with CMS’s instructions and applicable contractual obligations. CMS shall take reasonable steps to ensure that such providers implement adequate data protection and security measures.
12.6 Absence of Adequacy Decisions
In circumstances where Personal Data is transferred to jurisdictions that may not have been formally recognised as providing an adequate level of data protection under applicable law, CMS shall rely on appropriate safeguards and risk-based assessments to ensure the continued protection of Personal Data.
12.7 User Acknowledgement
By using the Website and submitting Personal Data, Users acknowledge that their Personal Data may be transferred across jurisdictions in accordance with this Section.
XIII. UPDATES TO THIS PRIVACY POLICY
13.1 Right to Modify
CMS reserves the right to amend, update, or revise this Privacy Policy from time to time to reflect changes in legal requirements, regulatory guidance, technological developments, or CMS’s operational practices.
13.2 Effective Date of Changes
Any updates to this Policy shall become effective upon publication on the Website, unless otherwise stated. The “Effective Date” indicated at the beginning of this Policy shall reflect the date of the most recent revision.
13.3 Notification of Material Changes
Where CMS makes material changes to this Policy that significantly affect the manner in which Personal Data is collected, used, or disclosed, CMS may take reasonable steps to notify Users. Such notification may be provided through Website notices, updates on relevant pages, or other appropriate communication channels, as determined by CMS.
13.4 User Responsibility to Review
Users are encouraged to review this Policy periodically to remain informed about how CMS Processes Personal Data. Continued use of the Website following the publication of any updates shall constitute acknowledgment of such changes, to the extent permitted under Applicable Data Protection Laws.
13.5 No Retrospective Impact
Updates to this Policy shall not apply retrospectively in a manner that would materially alter the lawful basis on which Personal Data was originally collected or processed, except where required or permitted under Applicable Data Protection Laws.
XIV. CONTACT INFORMATION AND DATA PROTECTION ENQUIRIES
14.1 General Enquiries
Users who have questions, concerns, or requests relating to this Privacy Policy or the Processing of their Personal Data by CMS may contact CMS using the details provided below.
14.2 Data Protection Contact Point
CMS has designated a contact point responsible for handling data protection enquiries, including requests relating to the exercise of data subject rights. All such enquiries, including requests for access, correction, or deletion of Personal Data, may be directed to:
Email: info@coronams.com
CMS may, at its discretion, designate a specific Data Protection Officer or responsible officer for privacy matters, and may update this Policy to reflect such designation where appropriate.
14.3 Submission of Requests
Requests relating to Personal Data should include sufficient information to enable CMS to verify the identity of the requester and to understand the nature and scope of the request. CMS reserves the right to request additional information where necessary to confirm identity or clarify the request.
14.4 Response Timeframes
CMS shall respond to valid data protection requests within the timeframes prescribed under Applicable Data Protection Laws. Where a request is complex or requires additional time, CMS may extend the response period in accordance with applicable legal provisions, provided that the User is appropriately informed.
14.5 Regulatory Authorities
Users who believe that their Personal Data has been Processed in a manner inconsistent with Applicable Data Protection Laws may lodge a complaint with a competent data protection authority. For Users within Nigeria, complaints may be directed to the Nigeria Data Protection Commission (NDPC) or any successor regulatory authority. Users located in other jurisdictions may contact the relevant supervisory authority in their place of residence.
14.6 Limitation of Contact Channels
CMS may determine and update the appropriate channels through which data protection enquiries are received and managed. Users are encouraged to use the contact details provided in this Section to ensure that enquiries are properly received and addressed.
XV. CHILDREN’S PRIVACY
15.1 General Principle
The Website is not directed at, nor intended for use by, individuals under the age of eighteen (18) years (“Children”). CMS does not knowingly collect, solicit, or Process Personal Data from Children through the Website.
15.2 No Intentional Collection
CMS shall not intentionally collect Personal Data from Children without appropriate legal basis and, where required under Applicable Data Protection Laws, verifiable parental or guardian consent. Users are advised not to submit Personal Data relating to Children through the Website unless expressly authorised and in compliance with applicable legal requirements.
15.3 Inadvertent Collection
Where CMS becomes aware that Personal Data relating to a Child has been inadvertently collected through the Website without the requisite legal basis or consent, CMS shall take reasonable steps to: (a) delete such Personal Data; or (b) otherwise Process such data in accordance with Applicable Data Protection Laws, including obtaining the necessary consent where appropriate.
15.4 Parental or Guardian Rights
Parents or legal guardians who believe that Personal Data relating to a Child has been provided to CMS through the Website may contact CMS using the details set out in this Policy to request review, correction, or deletion of such Personal Data. CMS may require reasonable verification of identity and authority before acting on such requests.
15.5 Limitation of Responsibility
CMS relies on Users to ensure that information submitted through the Website complies with applicable legal requirements, including those relating to the provision of Personal Data of Children. CMS shall not be responsible for data submitted in contravention of this Policy or Applicable Data Protection Laws.