Privacy Policy
1 Introduction
In carrying out its business operations, Shambani Pro expects to process personal data of persons affiliated with the organization. This may sometimes include the need to share personal data with other affiliates and/or third parties. In handling personal data there are inherent risks such as accidental loss or unauthorized disclosure. These concerns about the security of personal data have compelled governments to enact data protection laws. In 2018, the European Union enforced the General Data Protection Regulation. Given this, the Kenyan government enacted the Data Protection Act of 2019. This data protection policy is based on universally accepted principles of data protection. This policy is devised to comply with Kenyan laws and other applicable international laws and regulations including:
• Constitution of Kenya 2010
• The Kenya Data Protection Act, No. 24 of 2019
• Data Protection Regulations 2021
• Access to Information Act, No. 31 of 2016
• African Union Convention on Cyber Security and Personal Data
• The UN Guidelines for the Regulation of Computerized Personal Data Files
2 Policy Statement
Shambani Pro is committed to protecting the rights of data subjects whose data it processes. This data protection policy outlines the measures that Shambani Pro takes to ensure the protection of personal data and the rights of individuals whose data is processed.
3 Purpose
This policy gives guidelines on how Shambani Pro will handle the data it collects. It also helps Shambani Pro comply with data protection laws, protect the rights of data subjects, and protect Shambani Pro from risks related to data breaches.
4 Scope
a) This policy applies to all Shambani Pro’s representatives (staff, partners and contractors) and any third parties who handle and use Shambani Pro’s information. For this policy, the term "staff" refers to all persons who have signed a contract with Shambani Pro to work in any capacity at any given time (on regular or temporary terms, interns, volunteers, and consultants), including outsourced staff. “Partners” refers to individuals or institutions with whom Shambani Pro has a contractual agreement to deliver all or part of a project.
b) The Policy applies to all personal data that Shambani Pro holds relating to identifiable individuals. The company may obtain, hold, and process the personal data of data subjects to implement and manage all services. Without this, the company might not be able to provide services to these individuals or clients. These data include:
• Personal details such as name, gender, race, family and social circumstances, signatures, contact details, photos and/or videos, passport information or other travel-related information, education and training records, employment and financial records.
• Details of any criminal allegations against a data subject obtained during routine due diligence checks.
• An assessment of a person’s work performance by an employer.
• Any other personal data routinely collected by Shambani Pro in its operations including during recruitment and other HR processes, provision of ICT support, finance and other company-organized activity through which personal data is collected.
c) The Policy applies to data in the company’s possession, collected from individuals within or outside the company as part of the following functional categories:
• Personal data of employees/applicants: The company collects and processes personal and Special Category data of job applicants and employees as described in the Kenya Data Protection Act (DPA), 2019. The company's information is transmitted between and among internal units and divisions for necessary operational purposes.
• Personal data of customers: As part of its core business, and to implement and manage all services and processes relating to agricultural processing, including farmer onboarding, conducting value chain research, and publishing of intervention impact reports, the company will collect and hold the personal data of farmers.
d) This policy applies to data in the company’s possession in all formats, e.g., printed and digital information, text and images, documents and records, data and audio recordings.
5 Definition of Terms
Data controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data.
Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
Data subject means an identified or identifiable natural person who is the subject of personal data.
Personal data means any information relating to an identified or identifiable natural person.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Sensitive personal data means data that reveals the natural person’s race, health status, ethnic, social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex, or the sexual orientation of the data subject.
Processing data means any operation or sets of operations performed on personal data whether or not by automated means, such as (a) collection, recording, organisation, structuring; (b) storage, adaptation or alteration; (c) retrieval, consultation or use; (d) disclosure by transmission, dissemination, or otherwise making available; or (e) alignment or combination, restriction, erasure or destruction.
6 Guiding Principles
Shambani Pro will process personal data in accordance with the following principles:
• Privacy and Confidentiality: Shambani Pro recognizes the right of a data subject to have control over how his or her personal data is collected, used, and/or disclosed. The company will only process data provided by a data subject willingly and/or with a legal basis as required by the law. The company will take reasonable measures to ensure that data in its possession is kept safe and only accessed by authorized individuals.
• Purpose Limitation: The Company will collect personal data for specified, explicit and legitimate purposes and will not further process in a manner that is incompatible with those purposes.
• Data Minimization: The Company will ensure that personal data that is collected and processed is adequate, relevant, and limited to what is necessary concerning the purposes for which it is processed.
• Integrity: The Company will maintain accurate records and where required, take necessary steps to ensure data accuracy and consistency of data in its possession.
• Accuracy: The Company will ensure personal data is accurate and, where necessary, kept up to date.
• Storage limitation: The Company will ensure personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
• Personal data will not be transferred out of Kenya unless there is proof of adequate data safeguards/measures or consent from the data subject.
7 Rights of Data Subjects
Data subjects have a right:
i. To be informed of the use to which their personal data is to be put;
ii. To access their personal data in the custody of the data controller or data processor;
iii. To object to the processing of all or part of their personal data;
iv. To correction of false or misleading data; and
v. To deletion of false or misleading data about them.
8 Policy Implementation
8.1 Data Systems
Shambani Pro will establish systems to guarantee the security of personal data of any form in line with the ICT policy and as outlined in the Data Sharing Guidelines and Procedures.
8.2 Oversight and Compliance
All Shambani Pro representatives have a responsibility to adhere to this policy and exercise utmost care when handling any personal data in their possession.
In accordance with the Kenya Data Protection Act 2019, Shambani Pro has designated the CEO to be the data protection officer. Accordingly, the data protection officer will:
1) Advise Shambani Pro staff on requirements for data protection, including data protection impact assessments.
2) Ensure that Shambani Pro has complied with the legal requirements on data protection.
3) Facilitate capacity building of staff involved in data processing operations.
4) Cooperate with external regulators on matters relating to data protection.
9 Data Handling at Shambani Pro
9.1 Collection and Use of Personal Data
Shambani Pro collects personal data only for specified, explicit and legitimate purposes, such as:
• Making payments
• Conducting research
• Organizing events
• Publishing reports
• Ensuring compliance with legal obligations
9.2 Data Safety and Privacy
The right to access information is provided for by the Access to Information Act, 2016. The Company will take technical and institutional measures against unauthorized or unlawful access, processing, accidental loss, destruction, or damage to secure all its data and data systems. Specifically, Shambani Pro employs a range of security measures as outlined in its ICT Policy to safeguard personal data against unauthorized access and disclosure and will continually evaluate them to ensure they are effective.
9.3 Data Access, Sharing and Transfer
Shambani Pro believes in the principle that data is a public good and should be made available to all authorized users in accordance with the Access to Information Act, 2016. Consequently, any individual or organization using or seeking to access data held by Shambani Pro will be required to abide by the provisions of the company’s Data Sharing Procedures and Guidelines.
9.4 Storage Limitations
Shambani Pro will store personal data in line with the provisions of various laws and regulations guiding the storage of different types of data. Employee data will be stored for as long as necessary in line with the provisions of the Data Protection Act 2019. Generally, the data retention period in Shambani Pro is determined by legitimate needs.
9.5 Marketing and Commercialization of Data
Shambani Pro has no intention of selling personal data or deriving any financial benefit from handling personal data. With unambiguous consent or as otherwise permitted by applicable law, the company may use personal information for purposes relating to the marketing of our products and services.
10 Non-compliance
All representatives of Shambani Pro are mandated to comply with the provisions of this policy. Disciplinary measures will be taken against Shambani Pro staff and partners who knowingly attempt to circumvent the administrative, physical, and technical safeguards that have been put in place to protect personal data of any type. Disciplinary measures will be as outlined in the HR Policies and Procedures manual. Disciplinary action does not preclude formal legal action by the affected or referral by the company to government authorities in accordance with the law.
11 Data Protection Impact Assessments (DPIAs)
Shambani Pro will conduct DPIAs where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. The DPIA will assess the risks associated with the processing and identify measures to mitigate those risks.
12 Training and Awareness
Shambani Pro will provide training and raise awareness among members and stakeholders on their responsibilities concerning the protection of personal data and this policy. Staff who join Shambani Pro will be required to go through an induction process that entails familiarization with this policy.
Shambani Pro will ensure that the requirements of this policy form part of its agreement with its partners, contractors and third parties who process Shambani Pro’s data.
13 Policy Review
This policy is subject to revision whenever legal, pragmatic, or technological developments make revision necessary. In any case, the policy will be reviewed every two years.
©2024 Shambani Pro, a venture built by Enviu