NDPR Compliance
How MedLync meets and exceeds Nigeria's National Data Protection Regulation requirements for health data.
Last updated: 11 May 2026
NITDA Registered: Registered data controller under NDPR
DPO Appointed: Dedicated Data Protection Officer in post
72-hour: Breach notification commitment to NITDA
Annual Audit: Independent DPCO compliance assessment yearly
1. Overview
Nigeria's National Data Protection Regulation (NDPR), issued by the National Information Technology Development Agency (NITDA) in January 2019 and strengthened by the Nigeria Data Protection Act 2023 (NDPA), establishes the legal framework for the protection of personal data in Nigeria.
As a healthcare infrastructure platform processing sensitive personal and health data for Nigerian residents, MedLync treats NDPR and NDPA compliance as a core obligation — not an afterthought. This page explains how we achieve and maintain that compliance in practice.
2. Our Role as Data Controller and Processor
Under the NDPR/NDPA, MedLync operates in two distinct capacities:
Data Controller: When we determine the purposes and means of processing personal data — for example, when we manage patient identity verification, maintain the MedLync platform, or operate security and audit systems — we act as a data controller.
Data Processor: When healthcare providers (hospitals, clinics, pharmacies, laboratories) use MedLync to store and exchange patient records, and they determine the purpose of that processing, MedLync acts as a data processor on their behalf.
In both capacities, we are bound by the obligations set out in the NDPR and NDPA, and we ensure that appropriate data processing agreements (DPAs) are in place with all healthcare provider clients.
3. Lawful Basis for Processing Health Data
Health data is classified as sensitive personal data under the NDPR, attracting a higher level of protection. MedLync processes health data only where a lawful basis exists:
Explicit Consent: Our primary basis for processing patient health records. Consent is collected in plain language, separately from terms of service, and is specific to each purpose. Patients can withdraw consent at any time through the Platform.
Vital Interests: In genuine medical emergencies, where the processing is necessary to protect the life of a patient who cannot consent, we permit emergency access by authorised providers — with full audit logging.
Legal Obligation: Where processing is required by Nigerian law, such as mandatory disease notification to the Nigeria Centre for Disease Control (NCDC) or reporting to the National Health Insurance Authority (NHIA).
Legitimate Interests: For Platform security, fraud prevention, and service improvement — assessed through a balancing test to ensure these interests do not override patient rights.
We maintain a record of processing activities (ROPA) documenting the lawful basis for each processing activity on the Platform.
4. Consent Management
MedLync's consent engine is the technical implementation of NDPR consent requirements at the patient level:
Granular Consent: Patients grant consent by provider, by data category, and by time period. A patient can allow a hospital to view their lab results without granting access to mental health records.
Revocable at Any Time: Consent can be withdrawn instantly through the Patient app or web portal. On withdrawal, the relevant provider loses access within seconds.
Audit Trail: Every consent grant, modification, and withdrawal is recorded with a timestamp and the patient's authenticated identity — providing a full, tamper-evident audit trail.
Emergency Override: In documented emergencies, providers may request temporary access without prior consent. Such accesses are flagged, reviewed within 24 hours, and reported to the patient as soon as it is clinically safe to do so.
We do not use pre-ticked boxes, bundled consent, or consent as a condition of service unrelated to data processing.
5. Data Minimisation & Purpose Limitation
We collect and process only the personal and health data that is strictly necessary for the defined purpose. Specifically:
• Providers accessing patient records through MedLync see only the data categories for which they have been granted consent.
• Analytics outputs are always aggregated and anonymised — individual patients are never identifiable in analytical reports.
• De-identified datasets used for public health purposes are processed using internationally recognised anonymisation techniques (k-anonymity, differential privacy) to reduce the risk of re-identification.
• We do not process health data for advertising, profiling for non-health purposes, or sale to third parties — under any circumstances.
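To make the k-anonymity point above concrete, the following added example (written for this page, not MedLync's code) checks whether a small constructed dataset of fictional patients meets a k-anonymity threshold over the quasi-identifiers age, postcode and sex, generalises and suppresses records until it does, and then measures l-diversity of the diagnosis column. The last check is the caveat a practitioner wants: an equivalence class can satisfy k while every member shares the same diagnosis, which still discloses the sensitive attribute. Differential privacy is not shown here. The field names, the sample rows and the generalisation rules (decade age bands, three-digit postcode prefixes) are all assumptions.

```python
"""k-anonymity / l-diversity check with generalisation and suppression.
Added example; dataset and field names are constructed, not real records."""
from collections import Counter, defaultdict

QUASI_IDS = ("age", "postcode", "sex")
SENSITIVE = "diagnosis"

# Constructed sample: eight fictional patients, no real data.
RECORDS = [
    {"age": 34, "postcode": "100271", "sex": "F", "diagnosis": "malaria"},
    {"age": 37, "postcode": "100283", "sex": "F", "diagnosis": "hypertension"},
    {"age": 31, "postcode": "100214", "sex": "F", "diagnosis": "malaria"},
    {"age": 52, "postcode": "101245", "sex": "M", "diagnosis": "diabetes"},
    {"age": 58, "postcode": "101233", "sex": "M", "diagnosis": "hypertension"},
    {"age": 55, "postcode": "101212", "sex": "M", "diagnosis": "diabetes"},
    {"age": 29, "postcode": "100222", "sex": "F", "diagnosis": "hiv"},
    {"age": 36, "postcode": "100290", "sex": "F", "diagnosis": "diabetes"},
]


def equivalence_key(record: dict, quasi_ids=QUASI_IDS) -> tuple:
    return tuple(record[q] for q in quasi_ids)


def k_anonymity(records: list, quasi_ids=QUASI_IDS) -> int:
    """Smallest equivalence class over the quasi-identifiers (0 if empty)."""
    groups = Counter(equivalence_key(r, quasi_ids) for r in records)
    return min(groups.values()) if groups else 0


def l_diversity(records: list, quasi_ids=QUASI_IDS, sensitive=SENSITIVE) -> int:
    """Fewest distinct sensitive values in any equivalence class."""
    groups = defaultdict(set)
    for r in records:
        groups[equivalence_key(r, quasi_ids)].add(r[sensitive])
    return min(len(v) for v in groups.values()) if groups else 0


def generalise(record: dict) -> dict:
    """Decade age band and 3-digit postcode prefix (assumed hierarchy)."""
    decade = record["age"] // 10 * 10
    return {**record, "age": f"{decade}-{decade + 9}",
            "postcode": record["postcode"][:3] + "***"}


def anonymise(records: list, k: int, quasi_ids=QUASI_IDS) -> list:
    """Generalise, then suppress every row whose class is still smaller than k."""
    generalised = [generalise(r) for r in records]
    sizes = Counter(equivalence_key(r, quasi_ids) for r in generalised)
    return [r for r in generalised if sizes[equivalence_key(r, quasi_ids)] >= k]


def report(records: list = RECORDS, k: int = 3) -> dict:
    released = anonymise(records, k)
    return {
        "raw_k": k_anonymity(records),          # every row unique -> 1
        "released_rows": len(released),         # singleton class suppressed
        "released_k": k_anonymity(released),
        "released_l": l_diversity(released),    # 2: one class has only 2 diagnoses
    }
```

Run `report()` on the constructed rows: the raw table is 1-anonymous (every postcode is unique), generalisation brings seven of the eight rows into classes of size at least 3, the lone 20-29 record is suppressed, and the released table is 3-anonymous but only 2-diverse on diagnosis. A release pipeline would set thresholds for both, and would treat suppression counts as something to review rather than silently discard.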
6. Data Subject Rights
MedLync provides mechanisms for patients to exercise all rights guaranteed under the NDPR and NDPA:
Right of Access: Request a copy of all personal data we hold about you.
Right to Rectification: Correct inaccurate or incomplete records.
Right to Erasure: Request deletion of your data — subject to medical records retention obligations under Nigerian law (minimum 5 years for adult records).
Right to Restrict Processing: Limit processing in specific circumstances.
Right to Data Portability: Receive your health records in a structured, FHIR-compliant format that can be imported by any compatible system.
Right to Object: Object to processing based on legitimate interests.
Right to Withdraw Consent: At any time, without penalty.
Requests are processed within 30 days. To submit a request: privacy@medlync.io
7. Data Security Measures
The NDPR requires organisations to implement appropriate technical and organisational security measures. MedLync exceeds the minimum requirements:
Technical Measures:
• AES-256 encryption at rest for all personal and health data.
• TLS 1.3 for all data in transit.
• Zero-trust network architecture with multi-factor authentication.
• Hardware security modules (HSMs) for cryptographic key management.
• Immutable audit logs with tamper-evident storage.
Organisational Measures:
• Data protection training for all staff with access to personal data.
• Role-based access controls — staff see only the data necessary for their function.
• Documented incident response plan with sub-hour response SLAs.
• Quarterly third-party penetration testing and vulnerability disclosure programme.
• Data processing agreements with all sub-processors and technology partners.
8. Data Residency
In line with NDPR requirements for data localisation, all personal and health data for Nigerian patients is stored in data centres located within Nigeria.
Cross-border data transfers are only made where:
• The destination country has been assessed to provide adequate data protection.
• Appropriate safeguards — such as standard contractual clauses — are in place.
• The transfer is strictly necessary for the provision of the service (e.g. international patient referrals).
We do not transfer Nigerian patient health data to third countries without a lawful basis and adequate safeguards.
9. Breach Notification
In the event of a personal data breach that is likely to result in risk to the rights and freedoms of individuals, MedLync will:
• Notify NITDA within 72 hours of becoming aware of the breach, as required by the NDPR.
• Notify affected data subjects without undue delay where the breach is likely to result in high risk to their rights.
• Document all breaches — including those not meeting the notification threshold — in our breach register.
Our security operations centre monitors the Platform 24/7. Any anomalous activity triggering a potential breach investigation is escalated immediately.
10. Data Protection Officer
MedLync has appointed a Data Protection Officer (DPO) responsible for overseeing NDPR compliance across the organisation. The DPO:
• Advises on data protection obligations and monitors compliance.
• Acts as the primary point of contact for NITDA and data subjects.
• Conducts and maintains Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
• Reviews and updates our data protection policies and procedures.
Contact our DPO: dpo@medlync.io
11. Third-Party Processors & Sub-Processors
Where we engage third-party service providers to process personal data on our behalf (e.g. cloud infrastructure providers, SMS gateway providers), we:
• Enter into formal data processing agreements that impose equivalent data protection obligations.
• Conduct due diligence on the security and compliance posture of all sub-processors.
• Maintain a register of sub-processors, available on request.
• Remain fully liable to data subjects for any processing carried out by sub-processors on our behalf.
12. NITDA Registration
In accordance with the NDPR Implementation Framework, MedLync is registered with NITDA as a data controller. Our registration is maintained and renewed in line with NITDA's published requirements.
13. Compliance Audits
MedLync undergoes regular internal and external compliance audits covering NDPR obligations. Audit findings are reviewed by the DPO and senior leadership, with remediation tracked to closure.
We engage NITDA-licensed Data Protection Compliance Organisations (DPCOs) to conduct independent assessments of our compliance posture on an annual basis.
14. Contact & Complaints
For NDPR-related enquiries or to exercise your data subject rights:
Email: dpo@medlync.io
MedLync Technologies Ltd, Nigeria
If you are not satisfied with our response, you have the right to lodge a complaint with NITDA, the supervisory authority for the NDPR, at www.nitda.gov.ng.