EHA Clinics
Privacy Policy

Introduction

This Privacy Policy ("Privacy Policy") describes the data protection practices of EHA Clinics Limited, including when you visit the EHA Clinics website that links to this Privacy Policy (www.eha.ng (our "Website"); use our mobile applications - GetCare and HealthMate (the "Apps"), that link to or contain this Privacy Policy; or otherwise provide data to EHA Clinics. We refer to the website, Apps, and other services provided by EHA Clinics together in this Privacy Policy as the "Services."

PLEASE READ THIS PRIVACY POLICY CAREFULLY TO UNDERSTAND HOW WE HANDLE YOUR INFORMATION. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, PLEASE DO NOT USE THE SERVICES.

This Privacy Policy contains the following sections:

  • Purposes for How We Use Your Information
  • Online Analytics and Advertising
  • How We Share and Disclose Your Information
  • Your Marketing Choices
  • Third-Party Services and Notice About Health Information
  • How We Protect Your Information
  • Privacy Information for California Residents
  • Privacy Information for Nevada Residents
  • Retention of Your Information
  • Revisions to Our Privacy Policy
  • Contacting Us

Purposes for How We Use Your Information

As a premier healthcare provider, EHA Clinics (EHA) operates at the vital intersection of medical excellence and digital innovation. Our mission to bridge the gap between patients and healthcare services through "innovative online and mobile solutions" necessitates a sophisticated data governance framework. We balance our clinical mandate with the stringent transparency requirements of the Nigeria Data Protection Act (NDPA) 2023 and the General Data Protection Regulation (GDPR). Central to this commitment is the rigorous definition of "purpose"—the foundational step in establishing the "Lawful Basis" for every processing activity we undertake.

In accordance with NDPA Section 25 and GAID Article 16, EHA Clinics only processes personal data when a valid legal justification exists. By mapping our operational needs to these justifications, we ensure that every data point collected serves a defined, lawful end.

  EHA Clinics Operational Need                 Lawful Basis (NDPA S. 25 / GAID Art. 16)
  -------------------------------------------  ----------------------------------------
  Patient Care & Mobile Solutions              Consent / Performance of a Contract
  Emergency Medical Intervention               Vital Interest
  Regulatory Reporting & Health Audits         Legal Obligation
  Community Health Research                    Public Interest
  Service Improvement & Vendor Management      Legitimate Interest

By strictly adhering to the principles of "Purpose Limitation" and "Data Minimization" (NDPA Section 24), we foster patient trust through transparency. Limiting collection to the "minimum necessary" data for a specific goal also limits the impact of any data breach, since data we never collected cannot be exposed, and so helps keep our ecosystem resilient. While these purposes define our internal operations, our external digital interactions, particularly analytics, require specialized oversight to maintain this standard.

Online Analytics and Advertising

EHA Clinics utilizes web analytics to improve the user experience of our digital health platforms. However, we recognize the inherent privacy risks associated with persistent tracking and are committed to upholding the data subject's right to "informational self-determination."

To comply with GAID Article 19, EHA Clinics employs "conspicuous" cookie banners on the first visible section of our website. In alignment with NDPA Section 26, these banners do not rely on pre-checked boxes, silence, or inactivity. We distinguish between:

  • Necessary Cookies: Essential for core security, network stability, and basic site functionality.
  • Elective Tracking: Used for analytics and service optimization, requiring a clear, affirmative action (Opt-In).

We explicitly reject the industry practice of placing cookie banners at the bottom of pages; GAID Article 19(l) identifies this as a "lack of transparency." By placing notices prominently, we ensure you remain the primary gatekeeper of your digital footprint. This control extends to how your information is handled when it must move beyond our internal systems.


How We Share and Disclose Your Information

Strategic data sharing is a necessity for modern, integrated clinical operations. EHA Clinics discloses information to service providers, professional advisers, and regulatory agencies only when necessary, upholding the "Integrity and Confidentiality" principle of the NDPA.

Authorized third parties include auditors, financial institutions, and health maintenance organizations (HMOs). To mitigate "liability by association," EHA mandates that every third-party processor execute a Data Processing Agreement (DPA) as defined in GAID Article 34. These agreements require processors to provide "Verifiable Evidence of Conformity" to our standards. Critically, under our DPA terms, every processor must delete or return all copies of personal data promptly, and in any case within 10 business days of the cessation of services. This oversight ensures our partners are as committed to your privacy as we are. Sharing is, in every case, secondary to the marketing choices you actively make.


Your Marketing Choices

Under NDPA Section 36, you possess the "Right to Object" to the processing of your data for marketing purposes. EHA Clinics adheres to the high-threshold requirements for direct marketing established in GAID Article 18.

  • Withdrawal of Consent: You may withdraw consent at any time. Per NDPA Section 26, we ensure that withdrawing consent is "as easy as giving consent."
  • Objecting to Profiling: You have the specific right to object to any profiling related to direct marketing.

This framework represents a strategic shift from "implied consent" to "clear, affirmative action," empowering you to control your digital interactions. These choices are particularly vital given the sensitive nature of the health information we process.


Third-Party Services and Notice About Health Information

Health, genetic, and biometric data are classified as "Sensitive Personal Data" under NDPA Section 30. In a clinical setting, this data is of the highest strategic importance and carries a significant "Duty of Care" to prevent "significant harm."

Because EHA Clinics processes health information at a scale significant to the society and security of Nigeria, we are classified as a Data Controller or Processor of Major Importance (DCPMI) under GAID Article 8. This classification triggers higher regulatory thresholds, placing EHA within the Ultra-High Level (UHL) or Extra-High Level (EHL) tiers. Consequently, we conduct mandatory Data Privacy Impact Assessments (DPIAs) for our health care services in accordance with GAID Article 28. These heightened regulatory requirements necessitate the robust technical safeguards discussed in the following section.


How We Protect Your Information

Security at EHA Clinics is a core governing principle, not merely a technical checkbox. We integrate "Privacy by Design and by Default" (GAID Article 28) into every layer of our infrastructure to ensure "Availability" and "Resilience" as required by NDPA Section 39.

Our technical measures include:

  • Network Defense: Network Access Control (NAC) and Firewall/Intrusion Prevention Systems (IPS) to block unauthorized traffic.
  • Endpoint Security: Anti-malware, Data Loss Prevention (DLP), and encryption on all organization-owned devices.
  • Access Management: Strict adherence to the "Principle of Least Privilege" and Multi-Factor Authentication (MFA).
  • Offsite Protection: Secure remote work via Virtual Private Networks (VPN).

By applying these global best practices, EHA Clinics establishes a "Global Privacy Baseline" that satisfies multi-jurisdictional requirements, including those of California and Nevada.


Privacy Information for California Residents

EHA Clinics is committed to global adequacy. Our standards, anchored by the NDPA and GDPR, meet the high-bar transparency requirements of the California Consumer Privacy Act (CCPA) and CPRA.

California residents may exercise rights that are functionally equivalent to those found in NDPA Part VI:

  • Right to Access/Know: Request categories of data processed (Mapping to NDPA Section 34).
  • Right to Rectification: Correct inaccurate information (Mapping to NDPA Section 34).
  • Right to Erasure: Request deletion when data is no longer necessary.
  • Right to Portability: Receive data in a structured, commonly used format.
  • Right to Opt-Out: Request that your information not be "sold" or "shared."

Our adherence to Global Best Practice on Data Ethics (GAID Article 42) ensures that all data subjects receive a world-class standard of protection.

Privacy Information for Nevada Residents

Nevada law provides residents with a specific "Right to Opt-Out" of the sale of their personal information.

EHA Clinics does not sell personal information as defined by Nevada law. Our role as a Data Controller is grounded in the "Purpose Limitation" principle, prioritizing lawful patient care over data monetization. This commitment extends to the temporal aspect of data: how long we retain it.


Retention of Your Information

The "Storage Limitation" principle (NDPA Section 24) dictates that data must not be kept longer than necessary for its original purpose. EHA Clinics maintains a strict Retention Schedule to ensure compliance and to reduce the volume of data an attacker could reach in a breach.

  • Contractual Data: Per GAID Article 21, if a contract does not materialize, personal data is destroyed within six months.
  • Active Use vs. Archiving: We distinguish between "active use" and "archiving in the public interest" (NDPA Section 24), such as medical records kept for community health research.

Structured deletion ensures we do not hold unnecessary data that could be exposed in a breach.


Revisions to Our Privacy Policy

Transparency is a dynamic obligation. EHA Clinics reviews and updates this policy at least annually (current Version 1.1) to reflect changes in law and technology.

Significant changes require notification to the Nigeria Data Protection Commission (NDPC) under Section 44 of the NDPA. These annual reviews are not merely good practice but a statutory requirement to maintain "Global Adequacy" for cross-border data flows. This continuous review is part of an effective compliance regime overseen by our primary point of contact.


Contacting Us

You have the right to "Lodge a Complaint" with the Commission under NDPA Section 46. Having a designated, certified DPO (GAID Article 14) ensures that your Data Subject Access Requests (DSARs) are handled with professional proficiency, independence, and the highest ethical standards.

If you have any questions about this Privacy Policy or EHA Clinics’ privacy practices, please contact us at:


Address: No 12 Asba & Dantata Street, Off Life Camp Roundabout, Jabi, Abuja

Tel: 0800-342 254 6427

Email: info@eha.ng