Legal
Data Protection
(NDPR & NDPA)
CANWYF's compliance statement under the Nigeria Data Protection Regulation (NDPR) 2019
and the Nigeria Data Protection Act (NDPA) 2023.
Last updated: March 2026
CANWYF (Community Advocacy Network for Women, Youth and Farmers) is committed to
the responsible handling of personal data in compliance with the Nigeria Data
Protection Regulation (NDPR) 2019 issued by the National Information Technology
Development Agency (NITDA) and the Nigeria Data Protection Act (NDPA) 2023,
administered by the Nigeria Data Protection Commission (NDPC).
1. Data Controller Identity
Organisation: Community Advocacy Network for Women, Youth and Farmers (CANWYF)
Type: CAC Incorporated Trustee, Nigeria
Address: Araromi Ekiti, Ijero Local Government Area, Ekiti State, Nigeria
Email: info@canwyf.org
2. Categories of Data Subjects
- Farmers: Smallholder farmers enrolled in iTONA AFRICA
- Coordinators: Field agents conducting farm verification visits
- Donors and supporters: Individuals and organisations contributing to CANWYF programmes
- Website visitors: Persons accessing canwyf.org
- Institutional partners: NGOs, grant agencies, corporate ESG programmes
3. Categories of Personal Data Processed
- Identification data: name, NIN hash (one-way), phone number, email
- Location data: GPS coordinates of farm plots and visit locations
- Biometric-adjacent data: audio recordings (voice), photographs (farm and farmer)
- Agricultural data: crop types, harvest volumes, income data
- Financial data: AgroWallet NGN balance records, forward contract records
- Device data: IP address, user agent (website visitors)
4. Lawful Basis for Processing
CANWYF processes personal data on the following lawful bases under the NDPR/NDPA:
- Consent: Farmers consent to enrollment, data collection, and use of their profile for donor impact cards at the point of enrollment. Consent is obtained verbally (in Ekiti Yoruba) and recorded by Coordinators.
- Contractual necessity: Coordinator and donor data is processed to fulfil the terms of their participation agreements.
- Legitimate interest: Aggregated impact data is processed for programme improvement and grant reporting, where no individual's rights are overridden.
- Legal obligation: Data may be processed where required by Nigerian law.
5. Data Subject Rights Under NDPR/NDPA
All data subjects have the following rights, which CANWYF will honour within 30 days of a valid request:
- Right to access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Request deletion of your data (subject to legal obligations — e.g., we may retain verification records for audit purposes)
- Right to data portability: Request your data in a portable format
- Right to withdraw consent: Withdraw consent at any time (this does not affect processing prior to withdrawal)
- Right to object: Object to processing based on legitimate interest
- Right to complain: Lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpb.gov.ng
6. Data Retention
- Farmer verification records: Retained indefinitely (these form the farmer's permanent agricultural identity credential)
- Proof of visit audio: Retained for 5 years from date of recording
- Donor contact data: Retained for 3 years after last interaction or until unsubscribe request
- Coordinator session data: Retained for 3 years after last active session
- Website server logs: Retained for 90 days
7. International Transfers
CANWYF does not routinely transfer personal data outside Nigeria.
Weather and soil data requests to external APIs (Open-Meteo, SoilGrids, NASA POWER)
include only GPS coordinates — no personal data is shared with these services.
Credential hashes are stored in the iTONA database and are verifiable at canwyf.org/verify.
which operates on distributed infrastructure. Only the credential hash (not personal
No personal identifiers are included in public verification records.
8. Data Protection Impact Assessment
CANWYF has conducted a Data Protection Impact Assessment (DPIA) for the
iTONA AFRICA farmer enrollment process, specifically addressing:
- Audio recording of farmers in their own language (Ekiti Yoruba)
- GPS tracking of Coordinator locations during farm visits
- NIN handling and hashing protocol
- On-chain credential minting in Phase 4
The DPIA is available on request to institutional partners and grant agencies.
9. Third-Party Data Processors
CANWYF uses the following third parties who may process personal data as
sub-processors, each bound by appropriate data protection agreements:
- Web hosting provider: Server infrastructure for canwyf.org and app.canwyf.org
- iTONA Platform: Credential verification infrastructure (canwyf.org/verify)
- Google Fonts: Font delivery (IP addresses may be logged; font data is not personal data)
10. Security Measures
CANWYF implements the following technical and organisational measures:
- HTTPS encryption for all data in transit
- AES-256 encryption for audio recordings at rest
- Role-based access control for iTONA admin dashboard
- One-way hashing for NIN data (SHA-256)
- Regular security training for Coordinators and admin staff
- Incident response procedure with 72-hour NDPC notification for reportable breaches
11. Contact the Data Controller
For any data protection enquiry, rights request, or complaint:
CANWYF · Araromi Ekiti, Ijero LGA, Ekiti State, Nigeria
Email: info@canwyf.org
To escalate to the regulator:
Nigeria Data Protection Commission (NDPC) · ndpb.gov.ng
See also: Privacy Policy · Terms of Use