Overview

Most recent technological advancements have laid bare the need to
create better protection frameworks where data collection is concerned.
In 2018 the European Union (EU) operationalized the General Data
Protection Regulations (GDPR) that govern how companies handle
personal data. Consequently, in 2019 Kenya enacted its own Data
Protection Act. The regulations seek to protect the privacy of individuals
by enforcing responsible processing of personal data. This includes
embedding principles of lawful processing, minimizing the collection of
data, ensuring the accuracy of data and adopting security safeguards to
protect personal data.

1. 1. Policy Statement
      SAIF GROUP OF COMPANIES (hereinafter referred to as “the
      Company”) is committed to complying with all relevant Kenyan
      legislation and applicable global legislations.
      The Company recognizes that the protection of individuals through
      lawful, legitimate, and responsible processing and use of their personal
      data is a fundamental human right.
      The Company will ensure that it protects the rights of data subjects and
      that the data it collects, and processes is done in line with the required
      legislation.
      The Company’s staff must comply with this policy, breach of which could
      result in disciplinary action.

1. 1. Purpose
      The purpose of this policy is to provide guidelines relating to the processing
      of personal data by SAIF GROUP OF COMPANIES.

1. 1. Scope
      This policy covers data collected, received and stored on the Company’s
      owned physical and electronic databases and resource centres.
      It shall apply to all staff and members of the Company, its foreign branches,
      its sister Companies, its subsidiaries and all its associated parties such as
      implementing partners.
      It shall also apply to all users of the Company’s applications, software,
      databases, websites, social media platforms and all other suchlike
      resources.
      This policy shall cover all data/ information collection tools of the Company
      including but not being limited to assessment tools, client databases,
      financial databases, third-party databases, mobile applications, research
      publications and communication tools such as photos, videos, social and
      main stream media.

1. 1. Definitions
      5.1 Consent means any freely given, unambiguous and informed
      indication by a statement or by a clear positive action, signifies an
      agreement by the user to the processing of his/her personal data.
      5.2 Data controller means a natural or legal person, public authority,
      agency or other body which has authority to oversee the
      management of, and to determine the purposes for the processing
      of personal data.
      5.3 Data processor means a natural or legal person, public authority,
      agency or other body which processes personal data on behalf of
      the data controller.
      5.4 Data processing means converting of data into information. This
      includes collecting, recording, rationalizing, storage, alteration,
      retrieval, use, transmission, dissemination, erasure or destruction
      of data.
      5.5 Data subject means an individual whose personal data is subject
      to processing.
      5.6 Data transfer means all acts that make personal data accessible to
      third parties outside of the Company on paper, via electronic
      means, on internet or through other means.
      5.7 Data Transfer Agreement means an agreement between the
      Company and a third party that states the terms and conditions of
      use of personal data, including which data components are to be
      shared, the mode of transfer, how the data may be used, data
      security measures and other related issues.
      5.8 Personal data means any data related to a user who can be
      identified from that data; from that data and other information; or
      by means reasonably likely to be used related to that data.
      Personal data includes biographical data (bio data) such as name,
      sex, date of birth, country of origin, Identification Number, contact
      addresses, work places, occupation as well as the user’s next of kin
      details.
      5.9 Personal data breach means a breach of data security leading to
      the accidental or unlawful/illegitimate destruction, loss, alteration,
      unauthorized disclosure of, or access to, personal data transferred,
      stored or otherwise processed.
      5.10 Processing of personal data means any operation, or set of
      operations, automated or not, which is performed on personal
      data, including but not limited to the collection, recording,
      organization, structuring, storage, adaption or alteration, retrieval,
      consultation, use, transfer, dissemination or otherwise making
      available, correction, or destruction.
      5.11 Third party means any natural or legal person other than the user.
      Examples of third parties are national governments, international
      governmental or non-governmental organizations, private sector
      entities or individuals.

1. 1. Policy guidelines
      6.1 The Company shall, in dealing with personal information and data,
      ensure that the information/ data is processed:
      a) without infringing the privacy rights of the data subject;
      b) in a lawful manner; and
      c) in a reasonable manner.
      6.2 Data shall be collected only for specified, explicit and legitimate
      purposes and not further processed in a manner incompatible with
      that purpose.
      6.3 Data collected shall be adequate, relevant, and limited to what is
      necessary in relation to the purposes for which it is to be
      processed.
      6.4 Data collected shall be accurate and where necessary kept up to
      date.
      6.5 Data collected shall not be kept in a form which permits
      identification of data subjects for longer than is necessary for the
      purposes for which the data is processed.
      6.6 Data collected shall be processed in a manner that ensures its
      security using appropriate technical and organizational measures
      to protect against unauthorized or unlawful processing and
      accidental loss, destruction, or damage.
      6.7 Data collected shall not be transferred out of the material country
      of origin unless there is proof of adequate data
      safeguards/measures or consent from the data subject.
      6.8 The collection, use, storage and transfer of personal data will only
      be done in a manner guided by the fundamental principles of the
      SAIF GROUP OF COMPANIES.
      6.9 This policy will guide the Company’s ICT Acceptable Use Policy, the
      Record Retention and Destruction Policy and the Accountability
      Framework.

1. 1. Data protection officer
      The Company has designated the Group’s Chief Executive Officer, and
      any other person as may be duly authorised so to do from time to time,
      to be the Data Protection Office (DPO). Accordingly, the DPO will:
      a. Advise the Company staff on requirements for data protection,
      including data protection impact assessments.
      b. Ensure that the Company has complied with the legal
      requirements on data protection.
      c. Facilitate capacity building of staff involved in data processing
      operations; and,
      d. Cooperate with external regulators on matters relating to data
      protection.

1. 1. Accuracy
      8.1 The Company shall store personal data/information as accurately
      as possible and update and systematically review it to ensure it
      fulfills the purpose(s) for which it is processed.
      8.2 The data subject may request the correction of personal data that
      is inaccurate, incomplete, unnecessary or excessive.
      8.3 When personal data is corrected, the Company will notify, as soon
      as is reasonably practicable, all third parties to whom the relevant
      personal data was transferred and to the data subject.

1. 1. Lawful and fair processing
      9.1 Data processing shall be carried out in a lawful and fair manner
      for specified and legitimate purposes without prejudicing the
      fundamental rights and freedoms of data subjects.
      9.2 The processing shall only be justified based on one (or more) of the
      legal rationales including:
      a) data subject giving his or her consent
      b) the processing is necessary for the performance of a contract
      with the data subject
      c) to meet legal compliance obligations
      d) public interest considerations
      e) to protect the data subject’s vital interests or any other person
      who may be indirectly affected
      f) to pursue the Company’s legitimate interests which are not
      overridden because the processing prejudices the interests or
      fundamental rights and freedoms of data subjects

1. 1. Further processing
      10.1 Further processing for research or marketing purposes shall be
      compliant with the conditions outlined in order to be compatible
      with the purposes for which the data is obtained.
      10.2 Personal data which is processed for research or marketing
      purposes may be exempt from provisions of this policy if the
      results of the research and statistical data is not made available in
      a form which identifies the data subject.
      10.3 Further processing of data shall comply with the data protection
      principles set out in this policy, in particular in ensuring the
      security and confidentiality of sensitive personal data.

1. 1. Minimization of collection
      The Company will not process any personal data for a purpose for which it
      did not obtain consent. Should such a need arise, then consent must be
      obtained from the data subject.
      The Company will collect and process data that is adequate, relevant, and
      limited to what is necessary. The Company’s staff must not access data
      which they are not authorised to access nor have a reason to access.
      Data must only be collected for the performance of duties and tasks; staff
      must not ask data subjects to provide personal data unless that is strictly
      necessary for the intended purpose.
      Staff must ensure that they delete, destroy, or anonymize any personal data
      that is no longer needed for the specific purpose for which they were
      collected.

1. 1. Confidentiality
      12.1 The confidentiality of personal data must be respected by the
      Company when processing data at all times with access to the
      same limited on a need-to-know basis.
      12.2 The Company shall maintain the confidentiality of the personal
      data throughout and even after the user is no longer of concern to
      the Company.
      12.3 The data controller may specify other categories of personal data
      that will require additional safeguards and restrictions and may be
      classified as sensitive personal data.
      12.4 In the processing of sensitive personal data, the data controller will
      specify further grounds on which these categories will be processed
      with consideration of:
      a) the increased risk of significant harm that may be caused to the
      data subject by processing this category of personal data.
      b) the degree of confidentiality attached to the category of personal
      data.
      c) the level of protection afforded by provisions applicable to
      personal data.
      12.5 The data controller shall process personal data of children in a
      manner that protects their rights and best interests.
      12.6 The data controller will incorporate a process of obtaining parental
      consent and age verification in order to process personal data of
      children.

1. 1. Security
      13.1 The Company will ensure and implement a high level of data
      security that is appropriate to the risks presented by the nature
      and processing of personal data taking into account the level of
      technology available and existing security conditions as well as the
      costs of implementing additional security measures.
      13.2 In order to ensure and respect confidentiality, personal data will be
      filed and stored in a way that is accessible only to authorized staff
      and transferred only through the use of protected means of
      communication.
      13.3 In order to ensure the confidentiality of the personal data, the
      Company shall take appropriate technical and organizational data
      security measures.
      13.4 The nature of risks will include but not be limited to risk of
      accidental or unlawful/illegitimate destruction, loss, alteration,
      unauthorized disclosure of, or access to, personal data.
      13.5 Access to personal data/content/knowledge shall be restricted to
      authorized personnel using it in the performance of their duties at
      the Company and as determined by appropriate authorization of
      both the staff supervisor and data subjects.
      13.6 Personal data/content/knowledge may not be used by any
      employee or staff for purposes other than the business of the
      Company.
      13.7 Staff allowed access of personal data/content/knowledge of the
      Company shall sign a non-disclosure agreement banning them
      from using the content for business other than the Company’s core
      mandate.
      13.8 Private email accounts shall not be used to transfer Personal Data.
      13.9 Information technology will be used to process, communicate and
      store Company data and information which will be classified as
      Confidential Information (CI).
      13.10 Data security measures will be routinely reviewed and upgraded as
      deemed appropriate to ensure the level of protection is
      commensurate to the degree of sensitivity applied to personal data
      and considering the possible development of new technology in
      enhancing data security.

1. 1. Accountability
      14.1 The Company will be responsible for compliance and will be
      required to demonstrate that appropriate measures have been
      employed within the organization to comply with the data
      protection guidelines.
      14.2 The Company will implement data protection training programs for
      all staff.
      14.3 The Company will bear the burden of proof to establish the data
      subjects’ consent of the processing of their personal data for a
      specific purpose.
      14.4 The Company will ensure that it is as easy to withdraw as it is to
      give consent.

1. 1. Rights of data subjects
      15.1 A data subject has a right to—
      a) be informed of the use to which their personal data is to be put.
      b) withdraw consent at any time.
      c) access their personal data in custody of data controller or data
      processor.
      d) object to the processing of all or part of their personal data.
      e) correction of false, inaccurate or misleading data.
      f) deletion of false or misleading data about them.
      g) request for erasure of their personal data where it irrelevant,
      excessive or was obtained unlawfully.

1. 1. Data collection
      16.1 When collecting personal data from the user, the Company shall
      inform the user of the following in writing/orally and in a manner
      and language that is understandable to the user:
      a) The specific purpose(s) for which the personal data or categories of
      personal data will be processed.
      b) Whether such data will be transferred to third parties and the
      specific third parties.
      c) The data subject’s right to request access to their personal data, or
      correction or deletion of it.
      d) How to lodge a complaint with the data controller.
      e) The mandate and contact details of the data controller.
      16.2 Where data is not collected directly from the data subject either
      orally or in writing, other means will be considered as far as is
      practicable such as radio communication, posters and flyers in an
      accessible location, online postings and any other appropriate
      method of transmission.
      16.3 At the request of the data subject the data controller may restrict
      the processing of personal data where:
      a) The accuracy of the data is contested by the data subject.
      b) The data subject has objected to the processing.

1. 1. Data Protection Impact Assessments
      17.1 Where a type of processing in particular using new technology, and
      taking into account the nature, scope, context and purposes of the
      processing, is likely to result in a high risk to the rights and
      freedoms of natural persons, the controller shall, prior to the
      processing, carry out an assessment of the impact of the envisaged
      processing operations on the protection of personal data.
      17.2 A single assessment may address a set of similar processing
      operations that present similar high risks.
      17.3 A data protection impact assessment shall in particular be
      required in the case of:
      a) a systematic and extensive evaluation of personal aspects relating to
      natural persons which is based on automated processing, including
      profiling, and on which decisions are based that produce legal
      effects concerning the natural person or similarly significantly affect
      the natural person; or
      b) a systematic monitoring of a publicly accessible area on a large
      scale.
      17.4 The assessment shall contain at least:
      a) a systematic description of the envisaged processing operations and
      the purposes of the processing, including, where applicable, the
      legitimate interest pursued by the controller;
      b) an assessment of the necessity and proportionality of the processing
      operations in relation to the purposes;
      c) an assessment of the risks to the rights and freedoms of data
      subjects; and
      d) the measures envisaged to address the risks, including safeguards,
      security measures and mechanisms to ensure the protection of
      personal data and to demonstrate compliance with this Policy taking
      into account the rights and legitimate interests of data subjects and
      other persons concerned.

1. 1. Data retention and disposal
      18.1 Data will not be kept in a form that allows data subjects to be
      identified for longer than needed for the legitimate Company’s
      purposes or other purposes for which the Company collected it.
      18.2 The purposes of data retention shall include satisfying any legal,
      contractual, accounting or reporting requirements.
      18.3 Personal data may be retained for a longer period in the event of a
      complaint there is reasonable belief that there is a prospect of
      litigation in respect to the Company’s relationship with the data
      subject.
      18.4 The Company shall take all reasonable steps to destroy or erase
      from its systems all personal data that are no longer required in
      accordance with the Company’s Record Retention and Destruction
      Policy.

1. 1. Transfer of personal data to third parties
      19.1 The Company may transfer personal data to third parties with the
      data controller.
      19.2 The Company may only transfer personal data/content/knowledge
      to third parties on condition that the third party affords a level of
      data protection the same or comparable to this Policy.
      19.3 In order to mitigate risks associated with transfer of data to third
      parties, the Company will only transfer data to a third party if:
      a) The data is stripped off personal and identifiable information;
      b) The transfer is based on one or more legitimate basis including:
      i. explicit consent by the data subject;
      ii. compliance with national or international law; or
      iii. in exercise, establishment and defense of any contractual or
      legal obligations;
      c) The personal data to be transferred is adequate, relevant,
      necessary and not excessive in relation to the purpose(s) for which
      it is being transferred;
      d) The data subject has been informed either at the time of the
      collection or subsequently, about the potential transfer of his/her
      personal data;
      e) The third party has in the past respected the confidentiality of
      personal data transferred to them by the Company; and
      f) The third party maintains a high level of data security that protect
      personal data against the risk of accidental or
      unlawful/illegitimate destruction, loss, alteration unauthorized
      disclosure of, or access to it.
      19.4 The Company will also ensure that transferring personal data does
      not negatively impact:
      a) The safety and security of the Company staff, volunteers and
      beneficiaries.
      b) The effective functioning of an operation or compromise in the
      Company’s mission, vision or fundamental principles, for
      example due to the loss of trust and confidence between the
      Company and persons of concern.
      19.5 The processing of sensitive personal data out of Kenya shall only
      be effected upon obtaining consent of a data subject and on
      obtaining confirmation of appropriate safeguards.

1. 1. Data transfer records
      20.1 The Company shall keep and maintain full and accurate records
      reflecting all phases of data management cycle, including records
      of data subjects’ consents and procedures for obtaining consent,
      where consent is the legal basis of processing.
      20.2 The data transfer records shall include, at a minimum:
      a) the name and contact details of the individual entity authorizing
      the transfer;
      b) clear descriptions of the personal data types;
      c) data subject types;
      d) processing activities;
      e) processing purposes;
      f) third-party recipients of the personal data;
      g) personal data storage locations;
      h) personal data transfers;
      i) the personal data’s retention period; and
      j) a description of the security measures in place.

1. 1. Data transfer agreements
      21.1 The Company will require all third parties to comply with this
      Policy through an agreement or a non-disclosure agreement as
      part of the signing of any partnership agreements. Such
      agreements will specify the specific purpose(s) and legitimate basis
      for the processing or transfer of personal data.
      21.2 Data transfer agreements shall;
      a) address the purpose(s) for data transfer, specific data elements
      to be transferred as well as data protection and data security
      measures to be put in place;
      b) require the third party to undertake that its data protection and
      data security measures are in compliance with this Policy; and
      c) stimulate consultation, supervision, accountability and review
      mechanisms for the oversight of the transfer for the life of the
      agreement.
      21.3 The Legal Department of the Company shall review and approve all
      data transfer agreements and maintain copies of final agreements.

1. 1. Data breach
      22.1 The Company will maintain a register of all data breaches.
      22.2 The Company’s staff will notify their line managers as soon as
      possible upon becoming aware of a personal data breach.
      22.3 The member of staff will record the breach.
      22.4 If a personal data breach is likely to result in personal injury or
      harm to a data subject, the data controller will communicate the
      personal data breach to the data subject and take mitigating
      measures as appropriate without undue delay. In such cases, the
      data controller shall also notify the Company’s Director(s) of the
      personal data breach.
      22.5 The notification will describe:
      a) The nature of the personal data breach, including the categories
      and number of data subjects and data
      b) records concerned;
      c) The known and foreseeable adverse consequences of personal
      data breach; and
      d) The measures taken or proposed to be taken to mitigate and
      address the possible adverse impacts of the personal data breach.

 

Need help?

 

Contact us at {email} for questions related to refunds and returns.