Privacy & Data Protection Policy

1. Purpose

This policy defines how Green Sahel Consulting (GSCO) collects, processes, stores, protects, and discloses personal data in compliance with ISO 27001 information security principles, international data protection best practices, applicable Mauritanian regulations, and GDPR-inspired privacy standards.

2. Scope

This policy applies to GSCO website users, clients and prospects, business partners, employees, subcontractors, and any individual whose personal data is processed by GSCO.

3. Definitions

Personal Data refers to any information identifying a natural person. Processing means any operation performed on personal data. Data Subject refers to the person whose data is processed. Controller refers to GSCO. Processor refers to any third party processing data on behalf of GSCO.

4. Governance & Responsibility

Overall accountability rests with the Managing Director. Compliance monitoring is under the responsibility of the CFAO. Technical safeguards are managed by the IT Manager. Employee data is governed by HR. All staff are bound by confidentiality obligations.

5. Data Categories

GSCO may process identification data (name, company, job title), contact data (email, phone, address), technical data (IP address, browser type, website logs), and business data (contracts, invoices, correspondence).

6. Data Collection Methods

Data is collected through website contact forms, emails, phone calls, contracts, cookies, and business meetings.

7. Processing Purposes

GSCO processes personal data strictly for business communication, service delivery, contract management, billing and accounting, legal compliance, security monitoring, and continuous improvement.

8. Lawful Basis

Processing is justified by explicit consent, contractual necessity, legal obligation, and legitimate business interest.

9. Data Minimization

GSCO applies purpose limitation, data minimization, accuracy control, and periodic review. Only strictly necessary data is collected.

10. Data Retention

Client data is retained for the contract duration plus five years. Accounting data is retained for ten years. Website logs are retained for twelve months. HR data is retained for the contract duration plus the legal retention period. Data is securely deleted after expiry.

11. Data Sharing

GSCO shares data only with authorized internal staff, approved subcontractors, banks, auditors, and regulatory authorities when required by law. GSCO does not sell or commercially exploit personal data. All partners are bound by confidentiality agreements.

12. International Transfers

When applicable, GSCO ensures adequate safeguards, contractual protection, and encryption for any international data transfer.

13. Information Security Controls

GSCO applies role-based access control, secure servers, encrypted storage, backup systems, incident response procedures, staff awareness training, and periodic risk assessments in line with ISO 27001.

14. Data Subject Rights

Individuals have the right to access, correct, erase, restrict, object to processing, and request data portability. Requests must be sent to elhadj@greensahel.com

Response time does not exceed 30 days.

15. Cookies Management

GSCO uses cookies to improve website performance, analyze traffic, and enhance user experience. Users may disable cookies through browser settings.

16. Breach Management

In the event of a data breach, GSCO records the incident, assesses risk, applies corrective measures, notifies authorities where required, and informs affected individuals when applicable.

17. Third-Party Websites

GSCO is not responsible for external websites or their privacy practices.

18. Compliance Monitoring

This policy is reviewed annually, audited internally, and updated whenever necessary.

19. Disciplinary Measures

Any violation of this policy may result in internal sanctions, contract termination, or legal action.

20. Contact

El Hadj Mohamed Abdellahi EDHMINE, CEO – GSCO | Email: elhadj@greensahel.com | Phone: +222 42 69 99 99 

Peinda El Hadj BA, CFAO – GSCO | Email: peinda@greensahel.com  | Phone: +222 43 99 98 11 

Address: Lot Nᵒ 335 Module M Tevragh Zeina - Nouakchott, Mauritania

21. Approval

This policy is approved by GSCO Management and formally adopted.

22. References

ISO 27001, ISO 27701, GDPR Articles 5–32, Mauritanian ICT regulations.

Compliance Statement

This policy aligns with ISO 27001, ISO 27701, GDPR principles, and corporate governance best practices.

Document Reference: GSCO-POL-IT-PP-001 | Version: 1.0 | Effective Date: January 1st 2026 | Approved by: CEO | Owner: CFAO