INTRODUCTION

1.1 Echo House Ghana (hereinafter referred to as ‘The Company’) is a company
incorporated under the laws of the republic of Ghana and are the organizers of
various marketing campaigns and Events.
1.2 As part of our business operations, we may collect your SPDI and the
protection and privacy of this data is of primary importance to us.
1.3 We value the trust and confidence of our employees, clients, and stakeholders
which is why this Data Protection and Privacy Policy (hereinafter referred to as
‘The Policy’) outlines our commitment to protecting the personal data of our
employees, clients and stakeholders in accordance with applicable laws and
regulations.
1.4 This Policy applies to all our employees, clients and stakeholders and it is
meant to help them understand the data we may collect, the reason we collect
the data, the means by which we may collect, use or share them, the steps we
take to protect personal data and the choices you are provided, with respect to
the use of this information.
1.5 This Policy also applies to anyone who visits any of the Company’s websites
or events, engages with any of the Company’s social media channels,
purchase a ticket, a hospitality table or any other product and/service,
collectively referred to as ‘Products and Services’.

  1. PURPOSE
    The purpose of this Policy is to:

2.1 Protect the personal data of employees, clients and stakeholders whose
information are taken from time to time from unauthorized access, disclosure,
alteration, or destruction.
2.2 Ensure compliance with applicable laws and regulations related to data
protection.
2.3 Establish procedures for collecting, processing, storing, and disposing of
employee personal data.

  1. SCOPE

This Policy applies to all our employees, including full-time, part-time, and contract
employees, clients and stakeholders, covering all personal data collected, processed, stored,
or transmitted in the course of our business operations.

  1. DEFINITIONS
    Anti-Money Laundering
    Act

Means the Anti-Money Laundering Act, 2008 (Act749)
including its amendments and regulations.

Authorized Personnel Means an individual or entity appointed by the Company
for the purposes of this Policy, authorized to receive all
the SPDI required pursuant to providing services to the
Company.

Client (s) Means the individual or entity who is obtaining or is
desirous of obtaining services from the Company and
whose SPDI is subject matter for protection and security
under this Policy

Cyber Security Act Means the Cyber Security Act, 2020 (Act 1038) including

its amendments and regulations.

Data Protection Act Means the Data Protection Act, 2012 (Act 843) including

its amendments and regulations.

DPO Data Protection Officer
Data Subject An individual whose personal data is being collected,

processed, stored, or transmitted.

Electronic Transaction Act Means the Electronic Transaction Act, 2008 (Act 772),

including its amendments and regulations.

RSPP Reasonable Security Practices and Procedures, where

they become necessary

SPDI Means Sensitive Personal Data or Information as per the

relevant laws.

The Company Echohouse Ghana and its affiliates
The Policy Echohouse Ghana Data Protection and Privacy Policy

  1. PRINCIPLES

The Company adheres to the principles stipulated below in handling collected data from
employees, clients and stakeholders.

5.1 Lawfulness, Fairness, and Transparency:
We collect and process personal data in accordance with applicable laws and
regulations, fairly and transparently.
5.2 Purpose Limitation:
We collect personal data for specified, legitimate purposes and use it only for
those purposes.
5.3 Data Minimization:
We collect only the minimum amount of personal data necessary to achieve
the specified purposes.
5.4 Accuracy
We ensure that personal data is accurate and up-to-date.
5.5 Storage Limitation:
We store personal data for only as long as necessary to achieve the specified
purposes.
5.6 Security:
We implement robust security measures to protect personal data from
unauthorized access, disclosure, alteration, or destruction.
5.7 Accountability:
We are accountable for our actions and decisions regarding personal data.

  1. TYPE OF DATA WE COLLECT
    The categories of Data the Company processes may include the following though not limited
    to the outline below.

6.1 Identity Data – such as your name, email address and telephone number;
gender; date of birth, age and/or age range; account login details etc.
6.2 Audio/Visual Data – Recordings and images collected from surveillance
cameras, social media surveillance of the event.
6.3 Transaction Data-Information about the Services the Company provides to you
and about transactions you make with the Company or other companies for
events and services at the Company’s Events and Venues, and similar
information. 

6.4 Contact Data-Identity Data the Company can use to contact you, such as email
and physical addresses, phone numbers, social media or communications
platform usernames/handles.
6.5 Device / Network Data-Browsing history, search history, and information
regarding your interaction with a website, application, or advertisement (e.g.
session navigation history and similar browsing metadata, and other data
generated through applications and browsers, including cookies and similar
technologies or other device identifiers or persistent identifiers)
6.6 General Location Data- Non-precise location data, e.g. location information
derived from social media tags/posts, or general areas of the Company’s
Events and Venues you visited.
6.7 Sensitive Personal Data-like your national identification card, account log-in
and password, financial account, debit card, or credit card number; precise
location data; racial or ethnic origin, religious or philosophical beliefs.

  1. PROCEDURE
    The data we collect go through the procedure spelt out below:
    7.1 Collecting Data – The data we collect are only for specified, legitimate purposes,
    and we ensure that employees, clients and stakeholders are aware of the purposes and
    scope of data collection.
    7.2 Processing Data – The data is processed in accordance with this Policy and
    applicable laws and regulations.
    7.3 Storage of Data – The data is stored securely, using robust security measures
    to protect against unauthorized access, disclosure, alteration, or destruction.
    7.4 Disclosure of Collected Data – Collected data is only disclosed to authorized
    individuals or organizations, and we ensure that they are bound by confidentiality and data
    protection obligations.
    7.5 Data Breach Response – There are procedures in place to respond to data
    breaches and security incidents, including notification of affected persons and regulatory
    authorities.
  2. THIRD PARTY WEBSITES

Except for processing by the Company’s service providers, this Privacy Policy does not apply
to third party websites, products, or services.

  1. DISCLOSURE/SHARING OF PERSONAL DATA
    The Company may share your data for the following reasons and with the following groups of
    people:

9.1 Subsidiary Companies:
To streamline the Company’s business operations, the Company may share
your data with other companies or subsidiaries under or connected to the
Company.
9.2 Service providers
The Company may share your Personal Data with service providers who
provide certain services or process data on our behalf in connection with our
general business operations.
9.3 Social media platforms, sponsors and advertisers
The Company may share some personal data with social media platforms,
advertisers, ad exchanges, data management platforms, or sponsors for
business, marketing and commercial purposes.
9.4 Venue and event partners:
To the extent that the law permits, or with your consent, we will share your data
with event promoters and producers, venues and hospitality services providers,
artists, or sponsors that perform or operate an Event or our venue.
9.5 Other data processors or aggregators
The Company may share your data with data processors or aggregators in the
performance and enhancement of our business and provision of the Company’s
services.

9.6 Successors
In case of a business transition such as a joint venture, merger, acquisition, sale
of a portion (or all) of the Company’s assets or liquidation, your personal data
may be part of the transferred assets or may be disclosed during, for instance,
the performance of due diligence processes for a potential transaction.
9.7 Legally required/approved recipients

Under certain circumstances, the Company may be legally obligated to grant
access or disclose your data and/or communications sent or received by you
and any other information that we may have gathered from or about you to the
extent of our belief that such disclosure is legally required to prevent or respond
to a crime, to contribute to an investigation of a crime, or of the Company’s
Event Policy. However, in our discretion (without obligation), the Company may
object to such disclosure.

  1. WHY YOUR DATA IS COLLECTED
    The Company is committed to safeguarding the privacy and security of all the data that is
    gathered. The purposes for which The Company collects your data include, but are not limited
    to, the listed below.

10.1 Account Registration
Where any of the Company’s websites require a login or any of the Company’s
events require collection of data, the Company may use your data to create and
maintain your account, to provide the products and services you request and for
other business and commercial purposes like promotions and marketing.
The Company does not sell or “share” payment data or use it for purposes not
permitted under applicable law.
10.2 Purchases and transactions
The Company may use your data when you complete a purchase transaction.
The Company does not permanently store your Payment Data, except at your
request and process your Personal Data as necessary to perform or initiate a
transaction with you, process your order, payment, or refund, carry out
fulfillment and delivery, document transactions, and for the Company’s business
purposes like marketing.
10.3 Marketing communications
We use your data for marketing emails, SMS, push notifications, or similar
communications. You may receive marketing communications if you consent.
10.4 Visiting events and venue
The Company processes data when you visit our Events and other venues. The
Company may collect Audio/Visual Data in relation to the use of security
cameras or any footage taken by the Company or any attendee of our events.

The Company process Data as necessary to operate its Events and provide its
services to you, for the Company’s business, and its other legitimate interests,
including:
 verifying your identity for authentication;
 security purposes;
 to help return lost property;
 to ensure our event attendees and participants/customers are genuine and;
 to prevent fraud;
 managing access to specific areas of our Events venues.

  1. OBLIGATIONS OF THE COMPANY
    The Company for the purposes of this Policy hereby undertakes to stand by the following
    obligations.

11.1 The Company and/or its Authorised Personnel only shall be responsible
for the usage, disclosure and processing of the SPDI for reasonable and
practical purposes being solely purposes as agreed at the time the SPDI was
being taken.
11.2 The Company shall inform its employees, clients, and stakeholders about
any change in the Authorized Personnel within 24 hours from the time of such
change through the means by which SPDI is being collected.
11.3 The Company shall ensure that the Authorized Personnel possesses full
and appropriate knowledge about the content of this Agreement and also the
technicalities and specifications for RSPP, where they become necessary.
11.4 The Company shall have a well-defined and standardized information
and data security system in place for the purposes of this Agreement and shall
conduct a risk-taking analysis in order to check the information and data
security systems and how well they work.
11.5 Any usage, disclosure or process of SPDI on order of any Court or any
other legal purposes shall be done only after informing the employees, clients,
and stakeholders.
11.6 The Company and/or its Authorised Personnel shall not at any time
transfer SPDI under any circumstances beyond its possession without prior
written consent of the employees, clients, and stakeholders.

Provided always that where the transfer is necessitated by the Laws of
Ghana, informing the employees, clients, and stakeholders shall suffice.
11.7 The Company shall provide an undertaking to comply with RSPP as per
the applicable Law after information has been transferred with the consent of or
upon informing the employees, clients, and stakeholders, to keep the SPDI
secure and protected.
Provided always that where such security and protection cannot be
guaranteed, the employees, clients, and stakeholders shall be informed
before the transfer is done.
11.8 The Company shall along with the transferee comply with any other
conditions put in by the employees, clients, and stakeholders on transfer of
SPDI.
11.9 The Company and/or its Authorised Personnel shall take all possible
measures for physical, logical and technical security of SPDI to prevent
copying, leaking, usage, disclosure, modification or destruction or any other act
relaxed thereto likely to result in disclosure or destruction of SPDI.
11.10 The Company and/or its Authorised Personnel shall comply with all
applicable laws for security and protection of the SPDI.
11.11 The Company and/or its Authorised Personnel shall ensure that the
accuracy and originality of SPDI is maintained at all times and shall rectify any
error perceived by the employees, clients, and stakeholders within five (5)
working days on written request of the employees, clients, and stakeholders.
11.12 The Company or its Authorised Personnel shall not under any
circumstances, retain the SPDI in any form further than the term specified for
the collection of the SPDI.
11.13 The Company shall on the written request of the clients and
stakeholders, return or delete and/or instruct the transferee(s) to return or
delete, the SPDI as the case may be and forward a written confirmation of the
said act to the one who made the request.

  1. RIGHTS OF EMPLOYEES, CLIENTS, AND STAKEHOLDERS

The Rights below inure to the benefit of the employees, clients, and stakeholders from
the Company and within the context of this Policy.
12.1 Access
Employees, clients, and stakeholders have the right to request for access to
their personal data.
12.2 Rectification
Employees, clients, and stakeholders have the right to request for correction or
update of their personal data.
12.3 Erasure
Employees, clients, and stakeholders have the right to request deletion of their
personal data
Provided always that Employees only have the said right where they are no
longer in the employ of the Company.
12.4 Restriction
Employees, clients, and stakeholders have the right to request for restriction
of the processing their personal data
Provided always that Employees only have the said right where they are no
longer in the employ of the Company.
12.5 Objection
Employees, clients and stakeholders have the right to object to processing of
their personal data
Provided always that Employees only have the said right where they are no
longer in the employ of the Company.

  1. MINORS
    The Company’s Services are neither directed at nor intended for use by persons under the
    age of 18 in Ghana. The Company generally collects information relating to this age group
    only from parents or with parental consent and the Company only knowingly collect Personal
    Data from such individuals directly in limited circumstances where reasonably necessary to
    provide the Service (such as underage talents that may or may not be part of families or
    dance groups or groups of a creative sort). The Company does not otherwise knowingly

collect information from such individuals. If the Company learns that it has inadvertently done
so, the Company will promptly delete such Personal Data if required by law.

  1. DATA SECURITY
    The Company uses and consistently maintains commercially reasonable security measures to
    secure your Data privacy and prevent it from unauthorized processing. While the Company
    endeavors to protect your data from unauthorized access, modification, use and disclosure,
    the Company cannot absolutely guarantee that any information, during transfer or while being
    stored in the Company’s systems, will be completely safe from intrusion by others.
  2. DATA RETENTION
    The Company retains Personal Data for so long as it is reasonably necessary to achieve the
    relevant processing purposes described in this Privacy Policy, or for as long as is required by
    law.
  3. GOVERNING LAW
    This policy shall be governed by the laws of the Republic of Ghana. 
  4. UPDATE TO THIS POLICY
    17.1 The Company reserves the right to update this policy from time to time to
    reflect changes in its business operations, applicable laws and regulations, or
    industry best practices.
    17.2 The Company shall notify employees, clients and stakeholders of any
    changes via emails and updated copies on Company’s website(s), and the
    “Last Updated” date will be revised accordingly.
    17.3 Any changes to this Policy that may materially affect the Company’s
    practices with regard to the information the Company has previously collected.
  5. DATA PROTECTION OFFICER (DPO)
    The Company shall designate a Data Protection Officer (DPO) to oversee data protection
    activities for the purposes of this Policy, which shall include:
    a. Ensuring compliance with this Policy, applicable laws and regulations.
    b. Providing guidance and training to employees on data protection.

c. Handling data subject requests and complaints.
d. Investigating data breaches and security incidents.

  1. ACKNOWLEDGEMENT
    By acknowledging this Policy, employees, clients, and stakeholders confirm that they
    understand and agree to comply with its terms
    Provided always that the Company shall provide training and support to ensure that
    employees are aware of their responsibilities and obligations under this Policy.
  2. Implementation
    20.1 This Policy is effective as of the date it is sent out via email and/or posted
    on the websites of the Company, which ever first precedes the other, and will
    be reviewed and updated regularly to ensure compliance with applicable laws
    and regulations.
    20.2 By implementing this Policy, the Company demonstrates its commitment
    to protecting the personal data of its employees, clients and stakeholders, and
    maintaining a culture of data protection and security. ‎
  3. CONTACT US

Any questions, concerns and or help on this Policy may be addressed to the DPO through
The email address – [email protected].