Who does this notice apply to?
This notice applies to two primary groups of individuals with whom MTN has, had or may in future have an employment relationship with:
- current employees of MTN (whether they are employed on a permanent, temporary, or fixed term contract including interns, secondees and graduates);
- former / past employees of MTN. (collectively referred to as “MTN Employees” / “you” / “your”).
Where there are differences to the Processing of Personal Data by MTN in respect of current employees compared to former employees, we have made this clear through the use of sub-headings. Where there are no such sub-headings then the Processing applies to both current employees and former employees.
What are the important terms we need to understand when reading this notice?
Applicable Data Privacy Law(s)
Data privacy and data protection legislation and regulations applicable to the Processing of Personal Data carried out by MTN, or for or on behalf of MTN.
Means an identified or identifiable natural person, including current and former MTN Employees. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. It shall also include any additional persons afforded data privacy rights and protection of Personal Data in terms of Applicable Data Privacy Law(s).
Local Regulatory Requirements
Legal, statutory, regulatory, license conditions rules, guidelines, Ministerial/National Security orders or directives, and Directives relating to Public safety (where applicable) and Data Sovereignty*-related requirements with which MTN is required to comply by applicable authorities in the jurisdictions in which MTN operates.
*Data Sovereignty relates to the laws and governance structures that Personal Data is subject to, due to the geographical location of where it is processed.
Means any information relating to a Data Subject from which a data subject can be identified. Examples of “Personal Data” includes, but is not limited to, the following:
Personal Data Breach
Means an event or occurrence (including but not limited to a breach of security) leading to the accidental or unlawful destruction, loss or damage, alteration, disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including collection, receipt, recording, organisation, structuring, collation, storage; adaptation or alteration, updating, retrieval, consultation, use, dissemination, disclosure by means of transmission; or otherwise making available, alignment or combination, merging, restriction, erasure, destruction, and/or degradation.
Sensitive Personal Data
A sub-set of Personal Data which is considered more sensitive than other categories of Personal Data. Sensitive Personal Data includes, but is not limited to, Personal Data revealing a Data Subject’s racial or ethnic origin; political opinions or persuasions; religious or philosophical beliefs; trade union membership; criminal behaviour relating to the alleged commission of a crime or proceedings relating to the alleged commission of a crime; genetic data; biometric data; data concerning health; and/or data concerning a Data Subject’s sex life or sexual orientation.
What Personal Data does MTN collect and use?
To run our business, MTN collects, uses, and stores Personal Data about MTN Employees.
In addition to the information collected about you during the recruitment process, we also collect, use, and store the following additional information in respect of current employees:
- Detailed identification information (e.g., name, position, title, office location, business telephone number, date of birth, picture, identity document number, passport numbers and other national ID numbers as required, employment identification number, private email and/or postal address, residential address, and car registration number);
- Electronic identification data (e.g., login information, access rights, badge number, IP address, online identifiers/cookies, logs, and connection time, sound, or image recording such as CCTV, video, and voice recordings);
- Personal and physical characteristics (e.g., gender assigned at birth, immigration status, and physical characteristics);
- Family information (e.g., marital status, marriage certificate and number of children);
- Education and employment information (e.g., remuneration, bonus, pension entitlements, insurance and other benefits information, employment dates such as dates of hiring/promotion/position change, performance evaluation, position information such as position title and reference number, attendance information including, where relevant, illness or leaves of absence for medical or other reasons, language skills, and training, education, and development information);
- National registry number, tax identifying number; social security number or local equivalent;
- Signatures (both handwritten and electronic);
- Financial information (e.g., bank account details, professional credit card numbers, tax‑related information and, where relevant, information relating to account transactions and dealings);
- Monitoring of company assets and systems (e.g., where relevant information about how you may use IT systems and hardware, records of phone calls and other Personal Data that may be processed as a result of the monitoring of the employees is conducted in accordance with MTN’s relevant and applicable policies); and
- Information relevant to the administration of benefits: (e.g., to the extent that you are entitled to medical aid and/or provident fund / pension fund benefits, we will only collect the Personal Data prescribed by the relevant service provider in order to process your application for these benefits and/or to administer these benefits. The Personal Data required may include, but not limited to, Personal Data of dependents of your medical aid plan and/or beneficiaries of your provident fund / pension fund).
MTN continues to store the above information (related to current employees) in respect of former employees, as far as this information was collected during the former employee’s employment with MTN and subject to MTN’s retention policies and procedures.
What Sensitive Personal Data does MTN process?
In some cases, the Personal Data of MTN Employees that we collect will also include Sensitive Personal Data, such as:
- Diversity related information (including data about citizenship and status of citizenship applications, racial and ethnic origin);
- Religious beliefs and other beliefs of a similar nature;
- Trade union membership;
- Health data (such as medical records, sickness records, vaccination status and disability records);
- Data about alleged or proven criminal offences; and
- Biometric information.
Where does MTN collect my Personal Data from?
During your employment with MTN, most of the Personal Data will be collected directly from you. However, there are also occasions when it is necessary to collect Personal Data from indirect sources for example, we collect Personal Data from:
- other employees / third parties as part of the performance appraisal process;
- other employees / third parties as part of any disciplinary proceedings;
- whistleblowers who include information about you in their reporting to us;
- a customer who may refer to you in their complaint or compliment correspondence; and/or
- Institutional references and Employer references
For what purposes does MTN use my Personal Data?
MTN is committed to only process Personal Data for specified, explicit and legitimate purposes related to its business activities. The general purposes for which MTN may process your Personal Data is explained below.
We process Personal Data of current employees to inter alia:
• administer, plan, and manage our personnel (including task, benefits and absence management, succession planning, staff turnover, transfers, and promotions, conducting checks if you move role within MTN, internal workforce analysis and planning, the collection of trade union membership fees, issuing tax declaration forms and filing the related data, and employee participation programmes);
- assist us in managing external providers (e.g., insurance companies, pension funds, medical insurance);
- implement tasks and plan activities in preparation of or under existing contracts;
- perform internal or external training;
- manage our payroll, bonus and compensation schemes, and further bookkeeping obligations;
- manage our HR records and update the MTN personnel databases and where relevant, manage and make available Personal Data within the MTN group of companies;
- conduct performance reviews, satisfaction surveys and other people surveys;
- monitor our employees’ activities in the workplace, including compliance with internal policies as well as health and safety rules in place;
- manage our IT resources, including infrastructure management and business continuity;
- manage disciplinary processes;
- receive and manage internal or external complaints, grievances or reports made to MTN in respect of the conduct of employees (for example through a compliance hotline);
- reply to an official request from a public or judicial authority with the necessary authorization;
- inform employees of internal events and leisure activities;
- send internal communications relevant to employees of MTN;
- comply with any legal obligations imposed on MTN in relation to its people;
- for the health and safety of employees;
- to monitor and evidence compliance with laws and internal policies (e.g., processing declarations made by the employee regarding conflicts of interest or compliance with MTN policies. We also process your Personal Data to meet MTN’s sanction compliance requirements regarding citizenship status);
- promote and market the MTN brand to the public (e.g., publicizing photographs taken from events on social media platforms, internal communications, and external communications);
- allow qualifying employees the opportunity to participate in pilot programmes for new products or services; and
- to support any merger and acquisition activities (e.g., enable a transfer to a potential buyer, transferee, merger partner or seller and their advisers in connection with an actual or potential transfer or merger of part or all of MTN’s business or assets, or any associated rights or interests, or to acquire a business or enter into a merger with it).
Further to the above, your computer related Personal Data (e.g., username, installed software, IP address, computer name, location etc.) is used for the purposes of tracking and managing computing assets such as software licensing and hardware systems, installation of additional software applications, etc. to the extent necessary for the purposes below:
• intrusion detection, system protection, monitoring and logging;
• providing helpdesk services, including error reports and treatments as well as Processing IT related issues and problems; and
• preventing unauthorized third parties from accessing our sites.
Generally, we do not actively process the Personal Data of former employees but do store former employees Personal Data in accordance with our retention policies and/or to comply with the retention periods prescribed in terms of Local Regulatory Requirements and Applicable Data Privacy Law(s) that apply to MTN.
There may be circumstances which require us to actively process Personal Data of former employees for example:
- to support a third party with verification of employment at MTN (e.g., when requested to confirm whether an employee was employed at MTN and to provide factual information in respect of such employment);
- to manage any outstanding payroll, bonus and compensation schemes, and further bookkeeping obligations;
- to manage any pending and/or on-going disciplinary action or litigation proceedings in any forum;
- to manage internal or external complaints, grievances or reports made to MTN in respect of the conduct of former employees (for example through a compliance hotline);
- to reply to an official request from a public or judicial authority with the necessary authorization; and
- to comply with any legal obligations imposed on MTN in relation to former employees.
MTN will not further process Personal Data for any purpose that is incompatible with the original purpose that the Personal Data was collected for unless:
- such further Processing is authorised in terms of Applicable Data Privacy Laws;
- we have obtained your consent to the further Processing;
- the further Processing is necessary to comply with an obligation imposed by Local Regulatory Requirements or for conducting proceedings in a court or tribunal; or
- it is for scientific or historical research purposes or statistical purposes.
Is MTN allowed to Process my Personal Data and Sensitive Personal Data?
We are allowed to process Personal Data, so long as we have a legal basis to do so. When we process your Personal Data, we will rely on one of the following legal basis as appropriate having regard to the purpose of Processing:
When we process your Sensitive Personal Data, we will rely on one of the following legal basis as appropriate having regard to the purpose of Processing:
You have given explicit consent to the Processing of your Sensitive Personal Data for one or more specified purposes. You may withdraw such consent at any time;
Processing is necessary for the purposes of fulfilling the obligations and exercising your or MTN’s specific rights in the field of employment and social security and social protection law;
Processing is necessary to protect your vital interests or of another natural person and you are physically or legally incapable of giving consent;
Processing relates to Sensitive Personal Data which was intentionally made public by you;
Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, the provision of health or social care or treatment or pursuant to contract with a health professional who is subject to the obligation of professional secrecy in terms of local law or rules established by national competent bodies;
Processing is necessary for scientific or historical research purposes or statistical purposes provided such Processing is proportionate to the aim pursued, MTN respects the essence of the right to data protection and MTN provides for suitable and specific measures to safeguard your fundamental rights and the interests;
Processing of Personal Data related to criminal behaviour is obtained and used in accordance with the Local Regulatory Requirements.
Is it mandatory to provide MTN the Personal Data asked for?
There will be limited circumstances where we seek your consent to collect your Personal Data whilst employed at MTN. In these circumstances, the provision of your Personal Data is completely voluntary. For example, you may voluntarily choose whether or not to participate in MTN competitions, pilot programmes for new services / products, share your dietary preferences for catering purposes or be filmed or photographed as part of MTN’s campaigns or events.
MTN will indicate to you, at the time of collection, whether the provision of the Personal Data is mandatory either in its forms, written or verbal correspondence. When the provision of Personal Data is mandatory you are obliged to provide your Personal Data to us, and we have established a lawful basis to collect that Personal Data from you. If you do not provide your Personal Data to us, we may either not be able to conduct the employment with you or, at least, you may be prejudiced when participating in certain processes such as performance feedback or career development.
It is voluntary for past employees to provide their Personal Data once their employment with MTN has concluded (for example in circumstances that past employees would like to participate in surveys or join the MTN Alumni).
Does MTN Process my Personal Data automatically?
MTN does not perform any automated decision making (including profiling) which results in legal consequences for you and/or which affects you in a similarly significant manner. Should this change in the future, we will notify you and update this privacy notice accordingly.
How long does MTN keep my Personal Data for?
We make reasonable efforts to retain Personal Data only for so long as:
- the Personal Data is necessary to comply with our obligations to you in terms of our employment contract, policies, and procedures; and/or
- is necessary to comply with legal, regulatory or internal policy requirements that may apply.
The retention of MTN Employee records will be in accordance with our retention policies and retention schedule which is available to current employees on the 212 space. These policies or relevant extracts may be requested by former employees by contacting the Data Protection Officer at dataprotectionofficeUG@mtn.com
Does MTN transfer my Personal Data to third parties?
Yes, we may share Personal Data with third parties, as necessary for our legitimate business needs, to conduct your requests, and/or as required or permitted by Local Regulatory Requirements and Applicable Data Privacy Law(s). This may include, but not limited to:
Our service providers: We transfer your Personal Data to our third-party service providers, such as our (IT) systems providers, our hosting providers, our payroll providers, consultants (such as legal advisers, auditors) and other goods and services providers. These providers process your Personal Data on behalf of MTN in terms of a binding agreement with appropriate security safeguards. MTN will only transfer Personal Data to them when they meet our strict standards on the Processing of data and security. We only share Personal Data that allows our service providers to provide their services and they are not allowed to process your Personal Data for any other purpose.
If we are reorganized or sold to another organization: MTN will typically also disclose Personal Data in connection with the sale, assignment, or other transfer of the business to which the data relates.
Courts, tribunals, law enforcement, or regulatory bodies: MTN will disclose Personal Data in order to respond to requests of courts, tribunals, government, or law enforcement agencies or where it is necessary or prudent to comply with Local Regulatory Requirements, court or tribunal orders or rules, or government regulations.
Audits: disclosures of Personal Data will also be needed by our auditors including to perform financial audits, data privacy or security audits and/or to investigate or respond to a complaint or security threat.
Insurers: our business requirements mean that we carry significant insurance cover in respect of business activities. There are several different participants in the insurance market (e.g., brokers, insurers, and reinsurers, as well as their professional advisors and other third parties involved should there be a claim). Some of these insurance market participants will require that we disclose Personal Data about you to them. The information will be used by the insurance market participants in the underwriting and ongoing administration of the insurance products, where there is a claim that you are relevant to and to allow the insurance market participants to comply with their legal and regulatory obligations. Some of these insurance market participants will manage this information on our behalf (like our service providers described above), but others will want to process information about you independent of us.
Does MTN transfer my Personal Data internationally?
Yes, MTN may transfer Personal Data outside of Uganda but only if such transfers are permitted in accordance with Local Regulatory Requirements / Applicable Data Privacy Law(s).
MTN may transfer your Personal Data to other entities within the MTN group of companies. All MTN entities are bound by binding corporate rules which ensures that the MTN entity receiving your Personal Data protects your Personal Data in accordance with those binding corporate rules.
MTN may also transfer certain Personal Data outside of Uganda to third parties collaborating with us or on our behalf for the purposes described in this Employee Privacy Notice. When transferring Personal Data internationally to third parties we will ensure your Personal Data will continue to be protected for example, by entering into binding data transfer agreements or by ensuring there are adequate data privacy laws, which requires the relevant third party to adhere to the data handling and data protection requirements, acceptable to MTN.
How does MTN secure my Personal Data?
MTN secures the integrity and confidentiality of the Personal Data in its possession or under its control by implementing appropriate, reasonable technical, physical, and organisational measures to prevent:
- accidental loss of, damage to, or unauthorised destruction of your Personal Data;
- unlawful or unauthorised access to / dissemination of your Personal Data; and
- unlawful or unauthorised Processing of your Personal Data.
As part of its processes, MTN takes reasonable measures to regularly identify and assess all reasonably foreseeable internal and external risks to Personal Data in its possession or under its control and implements reasonable and appropriate technical, physical, and organisational security measures to protect against the identified risks.
How does MTN manage Personal Data Breaches?
While MTN implements reasonable measures to prevent or reduce the likelihood and impact of Personal Data Breaches, this risk cannot be completely eliminated. If MTN becomes aware of or reasonably suspects a Personal Data Breach has occurred or that the integrity or confidentiality of Personal Data has been compromised, MTN adheres to its Personal Data Breach Incident Management and Notification Guidelines governing the handling and reporting of Personal Data Breaches. This guideline is available to MTN Current Employees on the 212 space.
What are my rights?
If MTN processes Personal Data about you, you have the following rights:
Access and correction: you have the right to access the Personal Data retained by MTN. This is sometimes called a ‘Data Subject Access Request.’ If we agree that we are obliged to provide Personal Data to you, we will provide it to you free of charge. Before providing Personal Data to you, we may ask for proof of identity and sufficient information about your interactions with us that we can locate your Personal Data. If the Personal Data we hold about you is incorrect, you are entitled to ask us to correct any inaccuracies in the Personal Data.
Object to Processing: you have the right to object to us Processing your Personal Data, on grounds relating to your particular situation, under certain circumstances. For example, if we are Processing your Personal Data on the basis that is necessary for purposes of our or a third party’s legitimate interest or in the public interest. You may object to us Processing your personal data for purposes of direct marketing. You may also object if you believe there is no legal basis for us to process your Personal Data anymore.
Withhold consent: you have the right to withhold your consent without any fear of negative repercussions in circumstances that we seek your consent to process your Personal Data. If you experience any intimidation or negative repercussions for withholding your consent, you should report this to your local whistleblower hotline at email@example.com and Telephone number: 0800 212 800.
Withdraw consent: you also have the right to withdraw your consent at any time and we cease Processing your Personal Data unless there is an alternative legal basis to continue Processing your Personal Data. We will advise you if we intend to continue Processing your Personal Data in these circumstances.
Disposal / Restrictions: in addition, you may have rights to have your information deleted / destroyed if we are keeping it too long or have no legal basis to process it. You may also request that the Processing of your Personal Data is restricted in certain circumstances.
Lodge complaints: you have the right to lodge a complaint regarding the way your Personal Data is being processed with MTN or if you believe there has been a breach of MTN privacy policies and/or data privacy laws.
You can make a request or exercise these rights by contacting MTN at dataprotectionofficeUG@mtn.com and we will make all reasonable and practical efforts to comply with your request, so long as it is consistent with Local Regulatory Requirements, Applicable Data Privacy Law(s) and internal policies.
Finally, you always have the right to lodge a complaint with the supervisory authority in charge of protecting Personal Data, the Personal Data Protection Office, Uganda, whose contact details are:
- [Email Address:] firstname.lastname@example.org
- [Telephone number:] 0417801008/9
- [Website:] www.pdpo.go.ug
If you have any questions or concerns regarding this Employee Privacy Notice and would like further information about how we protect your information and/or when you want to contact the Data Protection Officer (DPO), please email us at dataprotectionofficeUG@mtn.com
You may also lodge any perceived non-compliance with privacy policies and/or breach of privacy laws at email@example.com and 0800 212 800.
MTN may modify this Employee Privacy Notice from time to time to reflect our current privacy practices. When we make changes to this notice, we will revise the “effective” date at the top of this notice and any changes affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.