Data Protection Policy

Welcome to Palazzo Limited’s Data Protection Policy.
Palazzo is committed to complying with Data Protection Laws, in order to protect the personal privacy of all individuals whose data we hold. We are registered with the Office of the Data Protection Commissioner as Data Controllers and Data Processors.
This Data Protection Policy sets out how Palazzo Limited (“we”, “our”, “us”, “the Company”) handles the Personal Data of our tenants, suppliers, website users, other third parties and any other Data Subject, and tells you about your privacy rights and how the law protects you.
1. Policy Brief & Purpose
1.1. This Policy applies to all Personal Data we Process regardless of the media on which that data is stored or whether it relates to past or present tenants, or suppliers, website users, other third parties or any other Data Subject.
1.2. Data Subject means the individual about whom we hold personal data. Data subjects may be nationals or residents of any country and may have legal rights regarding their personal data.
1.3. Personal Data, or personal information, means any information about an individual from which that person can be identified.
1.4. Processing or Process means any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
1.5. We may collect, use, store and transfer different kinds of personal data about you during our business operations, as follows:

  • Identity Data including first name, last name;
  • Contact Data including email address and telephone numbers;
  • Information contained on a form of identification (such as ID card, passport or driver licence);
  • Motor Vehicle Registration Information;
  • Kenya Revenue Authority Tax PIN number;
  • Employment details;
  • Automated Data such as data captured on Closed Circuit Television (CCTV) surveillance recordings at One Africa Place; or
  • Complaint details.
1.6. We use different methods to collect data from and about you as follows:

  • Direct interactions. You may give us your identity and contact by filling in forms or by corresponding with us by phone, email or otherwise;
  • From your representatives (e.g. legal advisers);
  • From our contractors;
  • When you visit One Africa Place;
  • When you use our website and by other electronic communication channels; and
  • Through automated technologies and your equipment such as the CCTV System at One Africa Place.
1.7. We are required under the Data Protection Act 2019 and the Data Protection Regulations, 2021 (“the Data Protection Laws”) to notify you, the Data Subject, of the information contained in this Policy. With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.
1.8. We make sure our privacy policy is kept up to date and reserve the right to amend or modify this Policy from time to time.
2. Data Protection Principles
2.1. We adhere to the principles relating to Processing of Personal Data set out in the Data Protection Laws which require Personal Data to be:

a. Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
The Data Protection Laws restrict our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent Processing but ensure that we Process Personal Data fairly and without adversely affecting you.
b. collected only for specified, explicit and legitimate purposes (purpose limitation);
We collect Personal Data only for specified, explicit and legitimate purposes and ensure that the data collected is not Processed in any manner incompatible with the specified purposes.
c. adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (data minimisation);
We collect Personal Data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed. When Personal Data is no longer needed for specified purposes, it is disposed of in accordance with our records retention schedules and policies.
d. accurate and where necessary kept up to date (accuracy);
We ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. We check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards and take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
e. not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (storage limitation);

  • We maintain retention policies and procedures to ensure Personal Data is deleted after an appropriate time, unless a law requires that data to be kept for a minimum time in accordance with our retention schedules and policies.
  • We keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal or reporting requirements.
  • We take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require in accordance with all our applicable records retention schedules and policies which includes requiring third parties to delete that data where applicable; and
  • We ensure that Data Subjects are provided with information about the period for which data is stored and how that period is determined in accordance with our retention schedules and policies.
f. Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (security, integrity and confidentiality);

  • We maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:
    • Confidentiality: only people who have a need to know and are authorised to use the Personal Data can access it;
    • Integrity: Personal Data is accurate and suitable for the purpose for which it is processed; and
    • Availability: authorised users are able to access the Personal Data when they need it for authorised purposes.
  • We only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place to ensure the security of Personal Data.
2.2. We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (accountability) including:

  • Appointing a Compliance Manager;
  • implementing Privacy by Design, Privacy by Default and complete data protection risk assessment as part of Data Protection Impact Assessment (DPIA) where processing presents a high risk to rights and freedoms of Data Subjects;
  • taking appropriate technical and organisational security measures to safeguard personal information; and
  • auditing data security and compliance with this policy on a periodic basis.
3. Your rights as a data subject
3.1. A Data Subject has rights when it comes to how we handle their Personal Data. These include:

  • The right to be informed including the right to information as to whether personal data is being processed and receive certain information about the Processing activities;
  • The right to access the Personal Data that we hold. You may request access to your Personal Data by contacting our Compliance Manager using the contact details provided at the end of this Policy. We will respond to your request within seven (7) days from the date of receipt of the request;
  • The right to withdraw consent to Processing at any time, noting that such withdrawal does not affect the lawfulness of any processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the processing of your Personal Data in reliance upon any other available legal bases. To withdraw your consent, please contact us using the contact details provided at the end of this Policy;
  • The right to rectification. If information we have about you is inaccurate, out of date or incomplete you have the right to have it rectified, or updated. We will respond to your request within fourteen (14) days from the date of receipt of the request. Where we decline your request we shall inform you within seven (7) days of receiving your request and give you the reasons for our decision to refuse;
  • The right to erasure. You have the right to ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data. If you wish to exercise your right to erasure, please submit a written request to our Compliance Manager using the contact details provided at the end of this Policy. We will respond to your request within fourteen (14) days from the date of receipt of the request.

    We will review your request and assess its eligibility based on the following criteria:

    • The personal data is no longer necessary for the purposes for which it was collected;
    • Where you withdraw your consent on which the processing is based, and there is no other legal ground for the processing;
    • Where you object to the processing, and there are no overriding legitimate grounds for the processing;
    • Where the processing of data is for direct marketing purposes and you object to such processing;
    • The personal data has been unlawfully processed; and
    • The personal data must be erased to comply with a legal obligation.

    Please note that there may be circumstances where we are not able to fulfill your request for erasure, such as when the processing of your personal data is necessary:

    • To exercise the right of freedom of expression and information;
    • To comply with a legal obligation;
    • For the performance of a task carried out in the public interest or in the exercise of official authority;
    • For archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
    • For the establishment, exercise or defence of a legal claim.

    Once your request is received and confirmed as eligible, we will take reasonable steps to erase your personal data from our systems and notify any third parties who have received your data from us, unless such notification is impossible or requires disproportionate effort. If your request for erasure is denied, we will provide you with the reasons for our decision.

  • The right to restrict Processing of Personal Data in specific circumstances. You have the right to request the restriction of processing when one of the following applies:
    • You contest the accuracy of your personal data, and we are verifying the accuracy;
    • The processing is unlawful, and you oppose the erasure of your personal data and request the restriction instead;
    • You no longer need the personal data for the purposes of processing, but we require it for the establishment, exercise, or defense of legal claims; and
    • You have objected to the processing of your personal data, but we are considering whether our legitimate grounds for processing override yours.

    If you wish to exercise your right to restrict processing, please contact our Compliance Manager using the contact details provided at the end of this Policy. We will respond to your request within fourteen (14) days, confirming the initiation of the restriction of processing or declining to comply with your request and giving you the reasons for our decision to refuse.

    During the period of restriction, we will store your personal data but will not process it for any other purpose. We may, however, continue to process your data if:

    • You have provided your explicit consent to such processing;
    • It is necessary for the establishment, exercise, or defense of legal claims;
    • It is necessary to protect the rights of another individual or legal entity; and
    • It is in the public interest or for reasons of important public health.

    We will inform you before the restriction of processing is lifted. If the grounds for restriction cease to exist, or the restriction period expires, we will inform you before resuming normal processing activities.

  • The Right to object to processing. You can object to us processing your Personal Data based on our legitimate interests unless we are able to demonstrate compelling legitimate grounds for doing so. You can also object to us using your information for profiling or for direct marketing purposes;

    If you wish to exercise this right, please contact our Compliance Manager using the contact details provided in this policy. We will confirm receipt of your objection and set out the time frame we require to investigate your complaint and provide you with a response. We will endeavor to respond as quickly as possible, which will typically be within fourteen (14) days of receiving your objection.

    Please note that there might be cases where we have compelling legitimate grounds to continue processing your data even if you object, but we will communicate this to you if applicable. In cases where the processing is based on consent or is necessary for the performance of a contract, you have a stronger basis to object. However, if the processing is required for legal obligations or vital interests, your objection might not be possible.

  • The Right of data portability: In limited circumstances you have the right to receive or ask for your Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format;
  • The right to lodge a complaint as would be appropriate to One Africa Place, the processor or the regulator being the Office of the Data Protection Commissioner.

    We will confirm receipt of your complaint and set out the time frame we require to investigate your complaint and provide you with a response. We will endeavor to respond as quickly as possible, which will typically be within seven (7) days of receiving your complaint.

    If you are unhappy about the way we have handled your data and we have been unable to resolve your complaint, you have the right to lodge a complaint with the Office of the Data Protection Commissioner.

3.2. In the event that you wish to exercise any of your above rights, please contact our Compliance Manager directly by sending an email to palazzo@dmi.work.
3.3. When you submit your request, we will need to verify your identity and may ask you to provide sufficient information in order to allow us to reasonably verify you are the person about whom we have collected Personal Data.
4. Children
4.1. We recognise the importance of protecting privacy where children are involved and are committed to protecting the privacy of children who visit One Africa Place. A child is anyone below the age of 18.
4.2. Children merit additional protections because they are less likely to be familiar with the risks, consequences and safeguards regarding their personal and public data.
4.3. We do not knowingly collect data from or about children without the permission of their parent or guardian. The parent, guardian or the holder of parental responsibility of any child is required to consent to the collection and use of the child’s information when visiting One Africa Place.
4.4. When consent is granted on behalf of a child, the child whose data is being collected must be informed of their right to withdraw consent at any time. Children are also entitled to be informed as to how their data is being used and what rights they have with respect to their data.
5. Lawful Bases for processing data
5.1. We only collect, Process and share Personal Data fairly and lawfully and for specified purposes some of which are set out below:

  • the Data Subject has given their Consent;
  • the Processing is necessary for the performance of a contract with the Data Subject;
  • to meet our legal compliance obligations;
  • to protect the Data Subject’s vital interests;
  • Where it is necessary to pursue our legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects; and
  • Where the processing is necessary for the performance of a task carried out in the public interest or exercise of official authority and the task or function has a clear basis in law.
5.2. If consent is relied upon as the lawful basis for collecting, holding, and/or processing personal data, the following shall apply:

  • Consent is a clear indication by the data subject that they agree to the processing of their Personal Data. Such a clear indication may take the form of a statement or a positive action. Silence, pre-ticked boxes, or inactivity are unlikely to amount to consent.
  • Where consent is given in a document which includes other matters, the section dealing with consent must be kept clearly separate from such other matters.
  • Data subjects are free to withdraw consent at any time and it must be made easy for them to do so. If a data subject withdraws consent, their request must be honoured in accordance with this Policy.
  • If Personal Data is to be processed for a different purpose that is incompatible with the purpose or purposes for which that personal data was originally collected that was not disclosed to the data subject when they first provided their consent, consent to the new purpose or purposes may need to be obtained from the data subject.
  • If explicit consent is relied upon, the data subject in question must be issued with a suitable privacy policy in order to capture their consent.
  • In all cases where consent is relied upon as the lawful basis for collecting, holding, and/or processing personal data, records must be kept of all consents obtained in order to ensure that the Company can demonstrate its compliance with consent requirements.
5.3. We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

| Processing Operations | Type of data | The Lawful Basis of Processing |
| --- | --- | --- |
| Video recording (CCTV) | (a) Images (b) Motor Vehicle Car Registration Number | Legitimate Interest. The video-surveillance system forms part of the broader security measures and helps prevent, deter, and if necessary, investigate unauthorised physical access to the premises, monitor movement in the building and investigate incidences that occur in the building, as well as account for the people within the building in the event of an emergency. |
| Video recording (CCTV) | (a) Profile (b) Identity | This is necessary for our legitimate interests to provide a safe and secure environment in our building as part of our commitment to security and crime prevention. The video-surveillance system forms part of the broader security measures and helps prevent, deter, and if necessary, investigate unauthorised physical access to the premises. In addition, video-surveillance helps prevent, detect and investigate theft of equipment or assets owned by tenants and visitors and threats to the general safety of tenants and visitors. It complements other physical security systems such as access control systems and physical intrusion control systems. |
| Collecting personal data via website (Form) | (a) Name (b) Email Address (c) Phone Number | Consent. By using our websites https://www.oneafricaplace.com/ and/or providing your personal information to us you consent to us handling your personal Data in accordance with this Privacy Policy. |
| Collecting data via website (Cookies) | (a) Cookies | |
| Processing visitor data in the visitor book at One Africa Place | (a) Name (b) Identity Card/Passport Number (c) Telephone Number (d) Signature | Legitimate Interest. The processing of personal data that occurs at One Africa Place serves as a security measure for identification purposes. |
| Processing tenant data | (a) Name (b) Address (c) Nationality (d) Passport Number (e) Kenya Revenue Authority Tax PIN | Legal Obligation. This is necessary for the performance of a contract. |
6. Who Has Access to The Data?
6.1. Palazzo Limited has retained the exclusive rights of control and use over the Personal Data we collect which will not be made available where disclosure is required or permitted by law or to third-party suppliers, which are organisations that carry out a service on our behalf.
6.2. We share your data with the following entities:

  • Our IT and Security team (outsourced services) have restricted privileges, which means they cannot process the information without our express approval;
  • Our managing agents act on our behalf which means that we may share any information with them that is necessary for the effective management of the building.
6.3. We may be obliged to send your information to local authorities if this is required by law or as part of an inquiry.
6.4. All our suppliers operate under the terms and conditions of a legally enforceable contract and will not use your information for anything other than carrying out a service on behalf of Palazzo Limited.
6.5. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our written instructions.
7. Privacy by Design and Data Protection Impact Assessment (DPIA)
7.1. We have implemented Privacy by Design measures when processing Personal Data by implementing appropriate technical and organizational measures in an effective manner, to ensure compliance with data privacy principles.

  • We only process the Personal Data that we need for our purposes and we only use the data for those purposes;
  • We ensure that Personal Data is automatically protected in our business practice so that individuals should not have to take any specific action to protect their privacy;
  • We provide contact information of those responsible for data protection both within our organization and to individuals; and
  • We only enter into written agreements with data processors that provide sufficient guarantees of their technical and organizational measures for data protection by design.
7.2. When Palazzo Limited undertakes the use of new technologies or will be involved in the processing of data that contains a high risk to the rights and freedoms of data subjects, it will undertake a Data Protection Impact Assessment (DPIA) before commencing the processing.
7.3. The scale and nature of each DPIA will be shaped on a case-by-case basis, with the objective of capturing the following information to inform the decision-making process:

  • Risk Assessment;
  • Data types, collection, scope, storage, use context and deletion methodologies;
  • Legal basis for processing;
  • Information flows, processes and procedures (data map);
  • Consultation; and
  • Evaluation of privacy by design.
8. Data Retention
8.1. The Data Protection Laws require us to keep full and accurate records of all our data Processing activities.
8.2. We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal and regulatory requirements.
8.3. Details of retention periods for different aspects of your personal data are available in our retention policy, which you can request from us by contacting us through palazzo@dmi.work.
9. Reporting Personal Data Breach
9.1. The Data Protection Laws require us to notify any Personal Data Breach to the Office of the Data Protection Commissioner and, in certain instances, the Data Subject.
9.2. We have put in place procedures to deal with any suspected Personal Data Breach and will notify the Data Subject or any applicable regulator where we are legally required to do so.
10. Cookies
10.1. Palazzo Limited uses cookies and other tracking technologies on its website. To find out more about how we use cookies and how to configure them, please consult our Cookie Policy.
11. International Transfers
11.1. Palazzo Limited does not intend to transfer personal information outside Kenya.
11.2. Where this is required, the Data Protection Laws provide that we may only transfer Personal Data outside Kenya if one of the following conditions applies:

  • the Office of the Data Protection Commissioner (ODPC) has issued an adequacy decision confirming that the country to which we transfer the Personal Data has an adequate level of protection for the Data Subject’s rights and freedoms;
  • appropriate safeguards are in place to protect that data including having in place a binding agreement with the recipient of the personal data;
  • the Data Subject has provided explicit consent to the proposed transfer after being informed of any potential risks; or
  • the transfer is necessary for:
    • the performance of a contract between us and the Data Subject;
    • reasons of public interest;
    • to establish, exercise or defend legal claims;
    • to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent; and
    • in some limited cases, for our legitimate interest.
11.3. Where personal data is to be transferred to a country outside Kenya, we shall put in place adequate measures to ensure data security, in jurisdictions with appropriate safeguards including jurisdictions with commensurate data protection laws.
12. Contact Us

We welcome questions, comments and requests regarding this privacy policy which can be sent to: palazzo@dmi.work