Our VaaKenya Data Protection Policy refers to our commitment to treat information of employees, customers, stakeholders and other interested parties with the utmost care and confidentiality.
This policy refers to all parties (employees, job candidates, customers, suppliers etc.) who provide any amount of information to us.
B. Definition of Key Terms
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of personal data relating to them.
Data Controller: the person or organization that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the Law. VaaKenya is the Data Controller of all personal data relating to it and used in facilitating market systems development, conducting research and all other purposes connected with its business purposes.
Data Processing: any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.
Data Protection Officer (DPO): the person appointed as such under the GDPR and in accordance with its requirements. A DPO is responsible for advising the organization (including its employees) on their obligations under various data protection laws, for monitoring compliance with data protection law, as well as with VaaKenya’s polices, and providing advice.
Data Subject: a living, identified or identifiable individual about whom we hold personal data.
Personal Data: any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Personal Data Breach: any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data, where that breach results in a risk to the data subject. It can be an act or omission.
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of automated processing.
Employees of our Company and its subsidiaries must follow this policy. Contractors, consultants, partners and any other external entity are also covered. Generally, our policy refers to anyone we collaborate with or acts on our behalf and may need occasional access to data.
As part of our operations, we need to obtain and process information. This information includes any offline or online data that makes a person identifiable such as names, addresses, usernames and passwords, digital footprints, photographs, social security numbers, financial data etc.
Our Company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply.
Our data will be:
● Accurate and kept up-to-date
● Collected fairly and for lawful purposes only
● Processed by VaaKenya within its legal and moral boundaries
● Protected against any unauthorized or illegal access by internal or external parties
Our data will not be:
● Stored for more than a specified amount of time
● Transferred to organizations, states or countries that do not have adequate data protection policies
● Distributed to any party other than the ones agreed upon by the data's owner (exempting legitimate requests from law enforcement authorities)
In addition to ways of handling the data the VaaKenya has direct obligations towards people to whom the data belongs. Specifically we must:
● Let people know which of their data is collected
● Inform people about how we'll process their data
● Inform people about who has access to their information
● Have provisions in cases of lost, corrupted or compromised data
● Allow people to request that we modify, erase, reduce or correct data contained in our databases
To exercise data protection we're committed to:
● Restrict and monitor access to sensitive data
● Develop transparent data collection procedures
● Train employees in online privacy and security measures
● Establish clear procedures for reporting privacy breaches or data misuse
● Include contract clauses or communicate statements on how we handle data
● Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization etc.)
Our data protection provisions will appear on our website.
All principles described in this policy must be strictly followed. A breach of data protection guidelines will invoke disciplinary and possibly legal action.
D. Rights of the Data Subject - Every data subject has the following rights. Their assertion is to be handled immediately by the responsible unit and cannot pose any disadvantage to the data subject.
E. How we use personal information
We will only use your personal information for the purpose which it was provided to us for and in ways that you would reasonably expect.
F. Partnership agreements with organizations and individuals
We collect and use personal information from organizations and individuals who:
· Are interested in applying for a partnership opportunity with us
· Apply for a partnership opportunity
· Enter into a partnership agreement with us
· We process this personal information to pursue our legitimate interests (and your interests as an applicant) and fulfil our strategic aims.
· The prime use of the personal information is to conduct research, and to process and manage partnership opportunities between us. We also use it for monitoring, evaluation and reporting purposes so that we can consider important factors such as trends in funding areas, the impact and reach of our funding, and the demographic make-up of funding areas.
· When legally obliged, we may share our partners’ personal information with relevant statutory bodies as required.
· We may need to share it with external reviewers and advisors (e.g. funding partners, program monitors, evaluation specialists) to review, monitor or evaluate these partnership opportunities.
· We may need to share your contact details with suppliers.
G. Raising awareness of our work
We will collect personal information from our existing partners and the public domain to research and identify potential new funders and partners. Our legal basis for using your personal information in this way is legitimate interest.
We will use the contact details of new and existing supporters to inform you about our work. We will send you relevant information by email. Our legal basis for using your personal information in this way is legitimate interest. You can opt out or unsubscribe from receiving these communications at any time.
If you opt in to our mailing list we will use the information that you provide to email you information about our work, events, campaigns and other items of interest. You can opt out or unsubscribe from receiving this information at any time if you wish. Our legal basis for using your personal information in this way is your consent
H. For how long do we keep your personal information?
We will hold your personal information for as long as is necessary. We will not retain your personal information if it is no longer required. In some circumstances, we may legally be required to retain your personal information, for example for finance, employment or audit purposes.
I. Changes to this policy
SEALED by )
VAAKENYA LIMITED )
In the presence of: - )