- Identity Data including first name, last name;
- Contact Data including email address and telephone numbers;
- Information contained on a form of identification (such as ID card, passport or driver licence);
- Motor Vehicle Registration Information;
- Kenya Revenue Authority Tax PIN number;
- Employment details;
- Automated Data such as data captured on Closed Circuit Television (CCTV) surveillance recordings at One Africa Place; or
- Complaint details.
- Direct interactions. You may give us your identity and contact data by filling in forms or by corresponding with us by phone, email or otherwise;
- From your representatives (e.g. legal advisers);
- From our contractors;
- When you visit One Africa Place;
- When you use our website and by other electronic communication channels; and
- Through automated technologies and your equipment such as the CCTV System at One Africa Place.
- We maintain retention policies and procedures to ensure Personal Data is deleted after an appropriate time, unless a law requires that data to be kept for a minimum time in accordance with our retention schedules and policies.
- We keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal or reporting requirements.
- We take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require in accordance with all our applicable records retention schedules and policies which includes requiring third parties to delete that data where applicable; and
- We ensure that Data Subjects are provided with information about the period for which data is stored and how that period is determined in accordance with our retention schedules and policies.
- We maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:
- Confidentiality: only people who have a need to know and are authorised to use the Personal Data can access it;
- Integrity: Personal Data is accurate and suitable for the purpose for which it is processed; and
- Availability: authorised users are able to access the Personal Data when they need it for authorised purposes.
- We only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place to ensure the security of Personal Data.
- appointing a Compliance Manager;
- implementing Privacy by Design and Privacy by Default, and completing a data protection risk assessment as part of a Data Protection Impact Assessment (DPIA) where processing presents a high risk to the rights and freedoms of Data Subjects;
- taking appropriate technical and organisational security measures to safeguard personal information; and
- auditing data security and compliance with this policy on a periodic basis.
- The right to be informed including the right to information as to whether personal data is being processed and receive certain information about the Processing activities;
- The right to access the Personal Data that we hold. You may request access to your Personal Data by contacting our Compliance Manager using the contact details provided at the end of this Policy. We will respond to your request within seven (7) days from the date of receipt of the request;
- The right to withdraw consent to Processing at any time, noting that such withdrawal does not affect the lawfulness of any processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the processing of your Personal Data in reliance upon any other available legal bases. To withdraw your consent, please contact us using the contact details provided at the end of this Policy;
- The right to rectification. If information we have about you is inaccurate, out of date or incomplete, you have the right to have it rectified or updated. We will respond to your request within fourteen (14) days from the date of receipt of the request. Where we decline your request, we shall inform you within seven (7) days of receiving your request and give you the reasons for our decision to refuse;
- The right to erasure. You have the right to ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed, or to rectify inaccurate data or to complete incomplete data. If you wish to exercise your right to erasure, please submit a written request to our Compliance Manager using the contact details provided at the end of this Policy. We will respond to your request within fourteen (14) days from the date of receipt of the request.
We will review your request and assess its eligibility based on the following criteria:
- The personal data is no longer necessary for the purposes for which it was collected;
- Where you withdraw your consent on which the processing is based, and there is no other legal ground for the processing;
- Where you object to the processing, and there are no overriding legitimate grounds for the processing;
- Where the processing of data is for direct marketing purposes and you object to such processing;
- The personal data has been unlawfully processed; and
- The personal data must be erased to comply with a legal obligation.
Please note that there may be circumstances where we are not able to fulfill your request for erasure, such as when the processing of your personal data is necessary:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation;
- For the performance of a task carried out in the public interest or in the exercise of official authority;
- For archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- For the establishment, exercise or defence of a legal claim.
Once your request is received and confirmed as eligible, we will take reasonable steps to erase your personal data from our systems and notify any third parties who have received your data from us, unless such notification is impossible or requires disproportionate effort. If your request for erasure is denied, we will provide you with the reasons for our decision.
- The right to restrict Processing of Personal Data in specific circumstances. You have the right to request the restriction of processing when one of the following applies:
- You contest the accuracy of your personal data, and we are verifying the accuracy;
- The processing is unlawful, and you oppose the erasure of your personal data and request the restriction instead;
- You no longer need the personal data for the purposes of processing, but we require it for the establishment, exercise, or defense of legal claims; and
- You have objected to the processing of your personal data, but we are considering whether our legitimate grounds for processing override yours.
If you wish to exercise your right to restrict processing, please contact our Compliance Manager using the contact details provided at the end of this Policy. We will respond to your request within fourteen (14) days, either confirming the initiation of the restriction of processing or declining to comply with your request and giving you the reasons for our decision to refuse.
During the period of restriction, we will store your personal data but will not process it for any other purpose. We may, however, continue to process your data if:
- You have provided your explicit consent to such processing;
- It is necessary for the establishment, exercise, or defense of legal claims;
- It is necessary to protect the rights of another individual or legal entity; and
- It is in the public interest or for reasons of important public health.
We will inform you before the restriction of processing is lifted. If the grounds for restriction cease to exist, or the restriction period expires, we will inform you before resuming normal processing activities.
- The Right to object to processing. You can object to us processing your Personal Data based on our legitimate interests unless we are able to demonstrate compelling legitimate grounds for doing so. You can also object to us using your information for profiling or for direct marketing purposes;
If you wish to exercise this right, please contact our Compliance Manager using the contact details provided in this policy. We will confirm receipt of your objection and set out the time frame we require to investigate your complaint and provide you with a response. We will endeavor to respond as quickly as possible, which will typically be within fourteen (14) days of receiving your objection.
Please note that there might be cases where we have compelling legitimate grounds to continue processing your data even if you object, but we will communicate this to you if applicable. In cases where the processing is based on consent or is necessary for the performance of a contract, you have a stronger basis to object. However, if the processing is required for legal obligations or vital interests, your objection might not be possible.
- The Right of data portability: In limited circumstances you have the right to receive or ask for your Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format;
- The right to lodge a complaint, as appropriate, with One Africa Place, the processor or the regulator, being the Office of the Data Protection Commissioner.
We will confirm receipt of your complaint and set out the time frame we require to investigate your complaint and provide you with a response. We will endeavor to respond as quickly as possible, which will typically be within seven (7) days of receiving your complaint.
If you are unhappy about the way we have handled your data and we have been unable to resolve your complaint, you have the right to lodge a complaint with the Office of the Data Protection Commissioner.
- the Data Subject has given their Consent;
- the Processing is necessary for the performance of a contract with the Data Subject;
- to meet our legal compliance obligations;
- to protect the Data Subject’s vital interests;
- Where it is necessary to pursue our legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects; and
- Where the processing is necessary for the performance of a task carried out in the public interest or exercise of official authority and the task or function has a clear basis in law.
- Consent is a clear indication by the data subject that they agree to the processing of their Personal Data. Such a clear indication may take the form of a statement or a positive action. Silence, pre-ticked boxes, or inactivity are unlikely to amount to consent.
- Where consent is given in a document which includes other matters, the section dealing with consent must be kept clearly separate from such other matters.
- Data subjects are free to withdraw consent at any time and it must be made easy for them to do so. If a data subject withdraws consent, their request must be honoured in accordance with this Policy.
- If Personal Data is to be processed for a different purpose that is incompatible with the purpose or purposes for which that personal data was originally collected and that was not disclosed to the data subject when they first provided their consent, consent to the new purpose or purposes may need to be obtained from the data subject.
- In all cases where consent is relied upon as the lawful basis for collecting, holding, and/or processing personal data, records must be kept of all consents obtained in order to ensure that the Company can demonstrate its compliance with consent requirements.
| Processing Operations | Type of data | The Lawful Basis of Processing |
|---|---|---|
| Video recording (CCTV) | (a) Images (b) Motor Vehicle Car Registration Number | The video-surveillance system forms part of the broader security measures and helps prevent, deter, and if necessary, investigate unauthorised physical access to the premises, monitor movement in the building and investigate incidences that occur in the building, as well as account for the people within the building in the event of an emergency. |
| Video recording (CCTV) | (a) Profile | This is necessary for our legitimate interests to provide a safe and secure environment in our building as part of our commitment to security and crime prevention. The video-surveillance system forms part of the broader security measures and helps prevent, deter, and if necessary, investigate unauthorised physical access to the premises. In addition, video-surveillance helps prevent, detect and investigate theft of equipment or assets owned by tenants and visitors and threats to the general safety of tenants and visitors. It complements other physical security systems such as access control systems and physical intrusion control systems. |
| Collecting personal data via website (Form) | (a) Name (b) Email Address (c) Phone Number | |
| Collecting data via website (Cookies) | (a) Cookies | |
| Processing visitor data in the visitor book at One Africa Place | (a) Name (b) Identity Card/Passport Number (c) Telephone Number (d) Signature | The processing of personal data that occurs at One Africa Place serves as a security measure for identification purposes. |
| Processing tenant data | (a) Name (b) Address (c) Nationality (d) Passport Number (e) Kenya Revenue Authority Tax PIN | This is necessary for the performance of a contract. |
- Our IT and Security team (outsourced services) have restricted privileges, which means they cannot process the information without our express approval;
- Our managing agents act on our behalf which means that we may share any information with them that is necessary for the effective management of the building.
- We only process the Personal Data that we need for our purposes and we only use the data for those purposes;
- We ensure that Personal Data is automatically protected in our business practice so that individuals should not have to take any specific action to protect their privacy;
- We provide contact information of those responsible for data protection both within our organization and to individuals; and
- We only enter into written agreements with data processors that provide sufficient guarantees of their technical and organizational measures for data protection by design.
- Risk Assessment;
- Data types, collection, scope, storage, use context and deletion methodologies;
- Legal basis for processing;
- Information flows, processes and procedures (data map);
- Consultation; and
- Evaluation of privacy by design.
- the Office of the Data Protection Commissioner (ODPC) has issued an adequacy decision confirming that the country to which we transfer the Personal Data has an adequate level of protection for the Data Subject’s rights and freedoms;
- appropriate safeguards are in place to protect that data including having in place a binding agreement with the recipient of the personal data;
- the Data Subject has provided explicit consent to the proposed transfer after being informed of any potential risks; or
- the transfer is necessary for:
- the performance of a contract between us and the Data Subject;
- reasons of public interest;
- to establish, exercise or defend legal claims;
- to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent; and
- in some limited cases, for our legitimate interest.