Your privacy is important to us. This privacy statement explains the personal data PS Kenya collects, how we process it, and for what purposes.
This statement should be read together with the Terms and Conditions of Use for other PS Kenya products and services. Where there is a conflict, this statement will prevail.
This statement applies to all customers, suppliers, agents, merchants, dealers and all visitors frequenting any of PS Kenya's premises.
References to "You" mean:
The PS Kenya data protection policy is a document with regulations and procedures that shall be adopted to protect and secure all data consumed, managed, and stored by the organization. The policy covers all personal data that PSKENYA holds for past, current or prospective persons in either electronic or paper format, from when it is created to when it is either destroyed or permanently preserved. It provides the rules of personal data protection, including the related obligations of staff, stakeholders, research participants, suppliers and other third parties in ensuring responsible processing of personal data.
This policy demonstrates the organization's commitment to ensure an adequate level of protection and privacy of personal data as prescribed in the Data Protection Act, No. 24 of 2019.
The purpose of this policy is to provide guidelines on how the organization shall process the personal data of its staff, stakeholders, research participants, suppliers and other third parties in compliance with data protection law and to protect the data subject’s rights. The policy shall apply to all personal data the organization processes regardless of the format or media on which the data is stored or to whom it relates.
PSKENYA as an organization recognizes that protecting individuals through the legitimate and responsible processing and use of their personal data is an imperative human right. The organization is committed to complying with the legal requirements contained in the Data Protection Act and other required legislation. All PS KENYA stakeholders must comply with this policy; failure to do so could result in disciplinary and/or legal action.
This policy shall apply to all members of the organization, including staff, interns, stakeholders, vendors, contractors, partners, regulatory bodies and other parties that interact with the organization.
A minor: A person who has not attained the age of majority as per Kenyan law.
Consent: Agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by clear positive action, signifies agreement to the processing of personal data relating to them.
Data Subject: A living identified or identifiable natural person who is the subject of personal data.
Data Protection Impact Assessment (DPIA): Tools and assessments used to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major systems or business change programs involving the processing of personal data.
Data Protection Officer (DPO): A DPO is responsible for advising the Organization (including its employees) on their obligations under the Data Protection Act and for monitoring compliance with the data protection policy.
“DPP” means Data Protection Policy
Health data: Data related to the state of physical or mental health of the data subject.
Profiling: Any form of processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in order to analyze or predict aspects concerning that individual's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Sensitive personal data: Data revealing the natural person's race, health status, ethnic or social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person's children, parents, spouse or spouses, sex or the sexual orientation of the data subject.
Third party: A natural or legal person, public authority, agency or other body, other than the data subject, the organization or persons who, under the direct authority of the organization are authorized to process personal data.
Personal Data: Any information identifying a data subject, or information relating to a data subject who can be identified (directly or indirectly) from that data alone or in combination with other identifiers the Organization possesses or can reasonably access. Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.
Personal Data Breach: Any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data, where that breach results in a risk to the data subject. It can be an act or omission.
Privacy by Design and Default: implementing appropriate technical and organizational measures effectively to ensure compliance with the Data Protection Policy.
Privacy Notices: Separate notices setting out information that may be provided to data subjects when the Organization collects information about them. These notices may be general privacy statements applicable to a specific group of individuals (for example, employee, student and donor privacy notices or the website privacy policy), or they may be stand-alone, one-time privacy statements covering processes related to a specific purpose.
Processing or Process: Any activity that involves the use of personal data. It includes obtaining, recording or holding the data or carrying out any operation or set of operations on the data, including organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.
Pseudonymisation or Pseudonymised: Replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms, so that the person to whom the data relates cannot be identified without the use of additional information, which is meant to be kept separately and secure.
PS KENYA collects and works with certain types of Personal Data about the people with whom it deals, such as current, past and prospective vendors, stakeholders, employees, and those with whom it communicates. This information is collected for administrative purposes and to fulfil legal obligations to regulatory bodies. The Data Protection Act No 24 of 2019 requires that this Personal Data (PD) be processed lawfully, stored safely and not disclosed to any other person or body unless it is necessary to fulfil a contract or meet a legal obligation.
Protecting individuals via the lawful, legitimate and responsible processing and use of their data is a fundamental human right. Individuals may have a varying degree of understanding or concern for protecting their personal data. However, the organization must respect their right to have control over their personal data and ensure it always acts in full compliance with legislative and regulatory requirements. The Data Protection Policy (DPP) is the main document governing how the organization collects and processes personal data. PS KENYA is committed to protecting the rights and privacy of individuals in accordance with the requirements of the law.
Principles of data protection
PS KENYA shall ensure that personal data is:
Rights of a Data Subject
A data subject shall have the right to:
Exercise of Rights of Data Subjects
A right conferred on a data subject shall be exercised—
Collection of Personal Data
Duty to notify
The Organization shall, before collecting personal data, in so far as practicable, inform the data subject of—
Lawful processing of Personal Data
PS KENYA shall not process personal data unless:
a) PS KENYA shall not process personal data relating to a minor unless:
I. The minor’s parent or guardian gives consent.
II. The processing is in such a manner that protects and advances the rights and best interests of the minor.
b) PS KENYA shall incorporate appropriate mechanisms for age verification and consent to process a minor’s personal data.
c) Mechanisms contemplated under sub-section (b) shall be determined based on:
d) If the organization provides services to a minor, he/she may not be required to obtain parental consent as set out under sub-section (a) (I).
The Organization shall:
a) Implement appropriate technical and organizational measures effectively to ensure compliance with data protection principles.
b) Be responsible for and be able to demonstrate compliance with the data protection principles.
c) Apply adequate resources and controls to ensure and document DPP compliance, including:
i. Appointing a suitably qualified DPO.
ii. Implementing Privacy by Design when processing personal data and completing a Data Protection Impact Assessment (DPIA) where processing presents a high risk to the privacy of data subjects.
iii. Integrating data protection into the organization's policies and procedures, in the way personal data is handled and by producing required documentation such as Privacy Notices, Records of Processing and records of Personal Data Breaches.
iv. Training staff on compliance with Data Protection Law (DPL) and keeping records accordingly.
v. Regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using testing results to demonstrate compliance improvement efforts.
Organization Responsibilities
PS KENYA shall establish and implement policies and procedures to comply with data protection laws.
Data Protection Officer
There is established the office of a Data Protection Officer (DPO) who shall be responsible for:
The DPO shall, in the performance of his or her tasks, have due regard to the risk associated with processing operations, considering the nature, scope, context and purposes of the processing.
Staff Responsibilities
Staff members who process personal data about staff, applicants, interns, vendors or any other individual shall comply with the requirements of this policy.
Staff members shall ensure that:
Third-Party Data Processors
Where external companies are used to process personal data on behalf of the Organization, the responsibility for the security and appropriate use of that data shall remain with the Organization. Where a third-party data processor is used:
The external companies shall be made aware of the DPP and shall guarantee to the organization that they understand and acknowledge that any disclosure and/or appropriation of any confidential information, including by their managers, employees, consultants and/or collaborators, as well as any violation of the legal requirements regarding the protection and processing of personal data, is of a nature to cause serious and irreparable damage to the organization. Such violation shall attract the penalties stipulated in the present contract and in the Kenyan laws on data protection.
Contractors
All Contractors shall provide the organization with the data in accordance with the terms of this policy. Where personal data is provided by a contractor to the organization, and/or processed by the organization, both the contractor and the organization qualify as independent controllers for such Processing.
The terms of engagement between the organization and contractor shall stipulate the responsibilities of the organization and that of the contractor. The contract shall warrant and give an undertaking that the personal data shall be collected, processed and transferred in accordance with the DPP and any other applicable data protection laws. For purposes of this section, Contractor means a person engaged by the Organization through a service level agreement or equivalent which provisions require processing of personal data.
Short-Term and Voluntary Staff
The Organization shall be responsible for the use of personal data by anyone working on its behalf. Short-term or voluntary staff shall be appropriately vetted for the data they shall be processing. The Organization shall ensure that:
Staff Responsibilities
Staff shall be responsible for:
A data subject shall have a right to object to processing their personal data unless the organization demonstrates compelling legitimate interest for the processing, which overrides the data subject’s interests, or for the establishment, exercise or defense of a legal claim.
i) A data subject shall have the right to receive personal data concerning them in a structured, commonly used and machine-readable format.
ii) A data subject shall have the right to transmit the data obtained under sub-section (i) to a third party without any hindrance.
iii) Where technically possible, the data subject shall have the right to have the personal data transmitted directly from the organization to the third party.
iv) The right under this section shall not apply in circumstances where—
v) The Organization shall comply with data portability requests within reasonable timelines; where costs are incurred, the data subject shall bear the cost.
Retention of Personal Data
vi) The organization shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed, unless the retention is:
a) Required or authorized by law.
b) Reasonably necessary for a lawful purpose.
c) Authorized or consented by the data subject.
d) For historical, statistical, journalistic, literary, artistic or research purposes.
vii) The organization shall delete, erase, anonymize or pseudonymize personal data not necessary to be retained under subsection (i), in such manner as may be specified, at the expiry of the retention period.
Right of Rectification and Erasure
viii) A data subject may request the organization:
a) To rectify without undue delay personal data in its possession or under its control that is inaccurate, outdated, incomplete or misleading.
b) To erase or destroy without undue delay personal data that the organization is no longer authorized to retain, or that is irrelevant, excessive or obtained unlawfully.
ix) Where the organization has shared the personal data with a third party for processing purposes, the Organization shall take all reasonable steps to inform the third parties processing such data that the data subject has requested:
a) The rectification of such personal data in their possession or under their control that is inaccurate, outdated, incomplete or misleading.
b) The erasure or destruction of such personal data that the organization is no longer authorized to retain, or that is irrelevant, excessive or obtained unlawfully.
x) Where the organization is required to rectify or erase personal data under sub-section (i), but the personal data is required for the purposes of evidence, the organization shall, instead of erasing or rectifying it, restrict its processing and inform the data subject within a reasonable time.
Data Protection by Design or by Default
xi) The organization shall implement appropriate technical and organizational measures which are designed to:
a) Effectively implement the data protection principles; and
b) Integrate necessary safeguards for that purpose into the processing.
xii) The duty under subsection (i) applies both at the time of determining the means of processing the data and at the time of the processing.
xiii) The organization shall implement appropriate technical and organizational measures to ensure that, by default, only personal data which is necessary for each specific purpose is processed, taking into consideration:
a) the amount of personal data collected.
b) the extent of its processing.
c) the period of its storage.
d) its accessibility.
e) the cost of processing data and the technologies and tools used.
xiv) The organization shall consider measures such as:
(a) Identify reasonably foreseeable internal and external risks to personal data under the person’s possession or control.
(b) Establish and maintain appropriate safeguards against the identified risks.
(c) The pseudonymization and encryption of personal data.
(d) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
(e) Verify that the safeguards are effectively implemented.
(f) Ensure that the safeguards are continually updated in response to new risks or deficiencies.
i) In determining the appropriate measures, where the processing involves the transmission of data over an information and communication network, the organization shall have regard to the:
a) State of technological development available.
b) Cost of implementing any of the security measures.
c) Special risks that exist in the processing of the data.
d) Nature of the data being processed.
ii) Where the organization is using the services of a third party:
a) The organization shall opt for a third party who provides sufficient guarantees in respect of technical and organizational measures.
b) The organization shall enter into a written contract which shall provide that the third party shall act only on instructions received from the organization and shall be bound by obligations of the organization.
iii) The organization shall take all reasonable steps to ensure that any person employed by or acting under the authority of the organization complies with the relevant security measures.
i) Where personal data has been accessed or acquired by an unauthorized person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorized access, the organization shall:
a) Notify the Data Protection Officer without delay, within forty-eight (48) hours of becoming aware of such breach.
b) Communicate to the data subject in writing within a reasonably practical period, unless the data subject's identity cannot be established.
ii) Where the notification to the Data Protection Officer is not made within forty-eight (48) hours, the notification shall be accompanied by reasons for the delay.
iii) The organization may delay or restrict the communication referred to under subsection (i)(b) as necessary and proportionate for purposes of the prevention, detection or investigation of an offence by the concerned relevant body.
iv) The notification and communication referred to under subsection (i) shall provide sufficient information to allow the data subject to take protective measures against the potential consequences of the data breach, including:
a) Description of the nature of the data breach.
b) Description of the measures that the organization intends to take or has taken to address the data breach.
c) Recommendation on the measures to be taken by the data subject to mitigate the adverse effects of the security compromise.
d) Where applicable, the identity of the unauthorized person who may have accessed or acquired the personal data shall be availed to the Data Protection Officer.
v) The communication of a breach to the data subject shall not be required where the Organization has implemented appropriate security safeguards, including encryption of the affected personal data.
vi) Where and to the extent that it is not possible to provide all the information mentioned in subsection (v) at the same time, the information may be provided in phases without undue delay.
vii) The Organization shall record the following information in relation to a personal data breach:
i. No category of sensitive personal data shall be processed unless data protection principles apply to that processing.
ii. Sensitive data shall comprise the following, but is not limited to: the natural person's race, health status, ethnicity, social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details (including names of the person's children, parents, spouse or spouses), sex or sexual orientation of the data subject, and organization records, which include minutes, financial records, staff remuneration, templates, establishment, and strategic and master plans.
(1) Personal data relating to the health of a data subject shall only be processed:
(a) by or under the responsibility of a health care provider; or
(b) by a person subject to the obligation of professional secrecy under any law.
(2) The condition under subsection (1) shall be met if the processing:
(a) is necessary for reasons of public interest in public health; or
(b) is carried out by another person who, in the circumstances, owes a duty of confidentiality under any law.
The organization recognizes the need to protect data generated from ideas, creative activities, innovation and projects from staff and vendors. Therefore, this section shall be read in concurrence with the Organization’s Intellectual Property Policy.
Further categories of sensitive personal data
(1) The organization may prescribe further categories of personal data, which may be classified as sensitive personal data.
(2) Where categories of personal data have been specified as sensitive personal data under subsection (1), the organization shall specify any further grounds on which such specified categories may be processed, having regard to:
(a) the risk of significant harm that may be caused to a data subject by the processing of such category of personal data.
(b) the expectation of confidentiality attached to such category of personal data.
(c) whether a significantly discernible class of data subjects may suffer significant harm from the processing of such category of personal data; and
(3) The Organization shall specify other categories of personal data, which may require additional safeguards or restrictions.
Automated individual decision making
(1) Every data subject shall have a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affects the data subject.
(2) Sub-section (1) shall not apply where the decision is:
(a) Necessary for entering into, or performing, a contract between the data subject and the organization.
(b) Authorized by a law to which the organization is subject and which lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests.
(c) Based on the data subject’s consent.
(3) Where the organization takes a decision which produces legal effects or significantly affects the data subject based solely on automated processing:
(a) the organization shall, as soon as reasonably practicable, notify the data subject in writing that a decision has been taken based solely on automated processing; and
(b) After a reasonable period of receipt of the notification, the data subject may request the organization to reconsider the decision; or take a new decision that is not based solely on automated processing.
(4) The organization, upon receipt of a request under subsection (3), shall within a reasonable period:
(a) Consider the request, including any information provided by the data subject that is relevant to it.
(b) Comply with the request.
(c) by notice in writing, inform the data subject of— (i) the steps taken to comply with the request; and (ii) the outcome of complying with the request.
(5) The Organization shall, by this policy, make further provisions to provide suitable measures to safeguard a data subject’s rights, freedoms and legitimate interests in connection with making decisions based solely on automated processing.
(1) Nothing in this part shall exempt the organization from complying with data protection principles relating to lawful processing, minimization of collection, data quality, and adopting security safeguards to protect personal data.
(2) The processing of personal data shall be exempted from the provisions of this policy if:
(a) It relates to the processing of personal data by an individual during a purely personal or household activity.
(b) if it is necessary for national security or public interest; or
(c) Disclosure is required by or under any written law or by order of the court.
Journalism, Literature and Art
i. The principles of processing personal data shall not apply where—
a) processing is undertaken by a person for the publication of literary or artistic material.
b) the organization reasonably believes that publication would be in the public interest.
c) the organization reasonably believes that, in all the circumstances, compliance with the provision is incompatible with the special purposes.
ii. Subsection (1)(b) shall only apply where it can be demonstrated that the processing is compliant with any self-regulatory or issued code of ethics in practice and relevant to the publication in question.
Research, History and Statistics
(3) The further processing of personal data shall be compatible with the purpose of collection if the data is used for historical, statistical or research purposes. The organization shall ensure that further processing is carried out solely for such purposes and will not be published in an identifiable form.
(4) The organization shall take measures to establish appropriate safeguards against the records being used for any other purposes.
(5) Personal data which is processed only for research purposes is exempt from the provisions of this policy if:
(a) data is processed in compliance with the relevant conditions; and
(b) results of the research or resulting statistics are not made available in a form which identifies the data subject or any of them.
(6) The organization shall prepare a code of practice containing practical guidance for processing personal data for purposes of Research, History and Statistics.
Right to Lodge Complaint
You have the right to lodge a complaint with the relevant supervisory authority that is tasked with personal data protection within the Republic of Kenya.
Non-Compliance with this Statement
PSKENYA shall have the right to terminate any agreement with you for failure to comply with the provisions of this statement and reject any application for information contrary to this statement.
Amendments to this Statement
PSKENYA reserves the right to amend or modify this statement at any time.
If we amend this statement, you can access the most current version of the privacy statement by visiting the PS Kenya website so that you will always know how your personal information is being used or shared. Any amendment or modification to this statement will take effect from the date of notification on the PSKENYA website.
REFERENCE
Constitution of Kenya
Data Protection Act, No. 24 of 2019