Data Protection Policy

Welcome to the Palazzo Limited’s Data Protection Policy.
This Policy sets out all the information you need to know about how we look after your personal data and tells you about your privacy rights and how the law protects you.
1. Policy Brief & Purpose
1.1. Our Company Data Protection Policy refers to our commitment to treat information of employees, customers, stakeholders and other interested parties with the utmost care and confidentiality.
1.2. We are required under the Data Protection Legislation to notify you of the information contained in this Policy. With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.
1.3. Palazzo Limited is a company incorporated in Kenya and is the proprietor of One Africa Place. is a privately owned building so please note that management reserves the right to refuse entry of anyone who does not wish to comply with our building requirements.
1.4. We make sure our privacy policy is kept up to date and reserve the right to amend or modify this Policy from time to time.
2. Collection of Personal Data
2.1. This policy applies to all parties who provide any of their personal information to us. It sets out the requirements for the protection of personal data in manual, electronic or any other form collected by our Palazzo Limited.
2.2. As part of our operations, we need to obtain and process information including any offline or online data that makes a person identifiable. This may include names, digital footprints, photographs, signatures & Identification Cards.
2.3. We recognise the importance of protecting privacy where children below the age of 18 are involved and are committed to protecting the privacy of children who visit One Africa Place. The parent, guardian or the holder of parental responsibility of any child aged below 18 years of age is required to consent to the collection and use of the child’s information when visiting One Africa Place.

2.4. Our company collects and keeps this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply.

Our data will be:

2.4.1. Accurate and kept up-to-date;
2.4.2. Collected fairly, transparently and for lawful purposes only;
2.4.3. Processed by the company within its legal and moral boundaries;
2.4.4. Protected against any unauthorized or illegal access by internal or external parties;
2.4.5. Stored for as long as is necessary for the user’s convenience to enter the building unless the individual requests for it to be deleted.

Our data will NOT be:

2.4.6. Distributed to any party (exempting legitimate requests from law enforcement authorities). We won’t disclose the information given to us to anyone else unless;

2.4.6.1. It is necessary to do so to comply with any of our legal obligations; and
2.4.6.2. Where there is a substantial public interest to do so (including where is necessary for reasons of public health) or another relevant statutory body.

2.5. In addition to the way in which we shall handle the data, the company has a direct obligation towards people to whom the data belongs. Specifically, we shall:

2.5.1. Let people know which of their data is being collected.
2.5.2. Inform people about how we shall process their data.
2.5.3. Inform people about who has access to their information/data.
2.5.4. Have provisions in cases of lost, corrupted or compromised data.
2.5.5. Allow people to request that we modify, erase, reduce or correct data contained in our databases.
2.6. How is your personal data collected?

We use different methods to collect data from and about you as follows:

2.6.1. Direct interactions. You may give us your identity and contact by filling in forms or by corresponding with us by phone, email or otherwise;
2.6.2. When you visit, One Africa Place;
2.6.3. When you use any of our websites;
2.6.4. When you give us feedback or contact us;
2.6.5. Through automated technologies and your equipment such as through the CCTV, Visitor Management System and Parking System at One Africa Place.
2.6. How is your personal data collected?

We use different methods to collect data from and about you as follows:

2.6.1. Direct interactions. You may give us your identity and contact by filling in forms or by corresponding with us by phone, email or otherwise;
2.6.2. When you visit, One Africa Place;
2.6.3. When you use any of our websites;
2.6.4. When you give us feedback or contact us;
2.6.5. Through automated technologies and your equipment such as through the CCTV, Visitor Management System and Parking System at One Africa Place.
2.7. The data we collect about you

2.7.1. Personal data, or personal information, means any information about an individual from which that person can be identified.
2.7.2. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data includes first name, last name
  • Contact Data includes email address and telephone numbers.
  • Automated Data such as data captured on Closed Circuit Television (CCTV) surveillance recordings; Visitor Management System and Parking System at One Africa Place.
2.8. Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Most commonly, we will use your personal data in the following circumstances:

2.8.1. Where we need to perform the contract we are about to enter into or have entered into with you.; and
2.8.2. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Processing Operations Type of data The Lawful Basis of Processing
Video recording (CCTV) (a) Profile
(b) Identity
This is necessary for our legitimate interests to provide a safe and secure environment in our building as part of our commitment to security and crime prevention.
The video-surveillance system forms part of the broader security measures and helps prevent, deter, and if necessary, investigate unauthorised physical access to the premises.
In addition, video-surveillance helps prevent, detect and investigate theft of equipment or assets owned by tenants and visitors and threats to the general safety of tenants and visitors.
It complements other physical security systems such as access control systems and physical intrusion control systems.
Biometric processing including facial recognition and fingerprint processing (a) Identity
(b) Contact
(c) Profile
(d) Biometric data through the Visitor Management System and Parking Management System
This is necessary for our legitimate interests to provide a fast and efficient way for you to access a secure building whenever you want to visit.
The facial recognition biometric processing that occurs at One Africa Place is utilized as a security and access control measure.
The facial recognition software is used on all visitors who consent to use the system and all tenants for purposes of accessing the building.
The fingerprint biometric processing is utilized by tenants to access the parking garage in the building.
Collecting personal data via website (a) Identity
(b) Contact
The processing of personal data that occurs on the One Africa Place website is in furtherance of Palazzo Limited’s legitimate business interests (for marketing and letting purposes). Interested individuals who wish to let the premises fill in their details to be contacted by the Company for letting purposes.
This is necessary for our legitimate interests (to engage with potential tenants to inform them about our building).
Recording National ID/Passport Data (processing visitor data) in the visitor book (a) Identity
(b) Contact
This is necessary for our legitimate interests.
The processing of personal data that occurs at One Africa Place serves as a security measure for identification purposes.
Collecting personal data (processing tenant data) (a) Identity
(b) Contact
This is necessary for the performance of contract. The processing of personal data by Palazzo Limited is done for legitimate business interests when creating lease agreements with its tenants.
This is necessary for our legitimate interests (to provide a fast and efficient way for you to access a secure building, for letting purposes, access control and security).
We collect and retain your personal data (name, telephone number, and vehicle registration details) when you request for a parking space in One Africa Place.
3. What are the legal rights of whoever gives out their personal information?

You have rights under data protection laws in relation to your personal data. These include the following:

3.1. Right to access to personal information;

3.2. Right to information as to whether personal data is being processed;
3.3. The right to rectification if the information held is inaccurate or incomplete or requires to be updated;
3.4. The right to restrict processing of personal data;
3.5. The right to complain (as would be appropriate to One Africa Place, the processor or regulator being the Office of the Data Protection Commissioner);
3.6. The right to erasure; and
3.7. The right to withdraw consent (noting that such withdrawal does not affect the lawfulness of any processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the processing of your Personal Data in reliance upon any other available legal bases).
4. Who has access to the data?
4.1. One Africa Place has retained the exclusive rights of control and use over the information which will not be made available to third parties except our contractor’s which are organisations that carry out a service on our behalf.
4.1.1. Our IT and Security team (outsourced services), have restricted privileges which means they cannot process the information without our express approval.; and
4.1.2. Our managing agents act on our behalf which means that we may share any information with them that is necessary for the effective management of the building. We do this because it is necessary for the performance of a contract or in order to fulfil our legal obligations. Where this does not apply, we do this on the basis of our legitimate interests.
4.2. All our contractors operate under the terms and conditions of a legally enforceable contract and will not use your information for anything other than carrying out a service on behalf of Palazzo Limited.
4.3. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
4.4. We have put in place rigorous security measures which prevent any form of data from being hacked or downloaded without proper authority.
4.5. Our contractors who have access to the data shall be required to;

4.5.1. Inform the data subject about the data processing activities and the rights of data subject under the law
4.5.2. Rely on consent as a condition for processing personal data.
4.5.3. Only collect and use personal data in accordance with lawful conditions.
4.5.4. Develop internal data protection policies and procedures.
4.5.5. Notify the regulator of any data breach.
5. Data retention

How long will you use my personal data for?

5.1. We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for.
5.2. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal and regulatory requirements.
5.3. Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us through palazzo@dmi.work
6. International transfers

We do not transfer your personal data outside Kenya.

7. Contact Us:

We welcome questions, comments and requests regarding this privacy policy which can be sent to: : palazzo@dmi.work