Data Protection Policy

Introduction

Article 31 of the Constitution of Kenya ensures the right to privacy for every individual. This right is reinforced by the Data Protection Act 2019, enacted in November 2019, which regulates the collection and processing of personal data. The Act emphasizes the importance of managing personal data in a responsible, purposeful, secure, transparent, and time-bound manner to protect individual rights.

At Bunifu Technologies Limited we are committed to upholding these standards and ensuring that personal data is handled in compliance with legal requirements.

Purpose and scope of this policy

This Policy establishes minimum standards for safeguarding personal data collected, processed, and stored by Bunifu Technologies Limited and applies to all forms of personal data regarding individuals such as consumers, employees, customers, and other third parties engaging with Bunifu and its affiliated entities. Key objectives of the Policy at Bunifu include:

• Adherence to both local and relevant international data protection laws and regulations.
• Protection of the rights of employees, consumers, customers, and business partners.
• Promotion of transparency in the collection, processing, and storage of personal data.
• Prevention of data breaches and mitigation of associated risks.The specific terms used in this Policy are elaborated in Appendix 1.

Every member of Bunifu is obligated to uphold the confidentiality and trust of data subjects who provide their personal data. Adherence to this Policy is compulsory, and any violation may lead to disciplinary measures.

The Data Protection Officer at Bunifu is tasked with supervising the implementation and periodic review of this Policy. They can be reached at [email protected] any inquiries or concerns.

Data protection principles

Right to Privacy

Bunifu Technologies Limited is committed to safeguarding the privacy of data subjects. Where feasible, data will be anonymized in alignment with the processing purpose, ensuring the data subject’s identity remains concealed.

Lawfulness and Fairness

Bunifu Technologies Limited collects personal data for lawful reasons, clearly explaining the specific purpose to the data subject. Prior to data processing, the lawful basis will be documented. Data processing at Bunifu is considered lawful if it meets at least one of the following criteria:

• Consent from the data subject for one or more specific purposes.
• Necessity for contract performance involving the data subject.
• Compliance with legal obligations.
• Processing required for public interest.
• Necessary for Bunifu’s legitimate interests, without infringing on data subject’s rights and dignity.

Legitimate Purpose

Bunifu ensures data collection serves legitimate purposes, striving to minimize privacy impact on the data subject.

Purpose Limitation

Data processing and control at Bunifu are restricted to the original collection purpose. Data collection is specific, explicit, and legitimate, and limited to what is necessary for processing. Use of data for new, incompatible purposes requires fresh consent from the data subject.

Data Minimization

Bunifu members and agents collect only the personal data essential for the intended legitimate purpose.

Storage Limitation

Efforts are made to store personal data without identifying the data subject. Data is not kept longer than necessary, except for legal, audit, or tax obligations. Regular data reviews are conducted to determine if destruction is required. Compliance with Records Management Policy and retention periods is mandatory.

Data Security

Bunifu implements reasonable safeguards to protect personal data against loss, unauthorized access, destruction, use, modification, or disclosure.

Data Migration

As part of a group, Bunifu may share data with affiliates, including those outside Kenya. Data transfer ensures the recipient entity and country have adequate protection measures against data loss or breach.

Rights of the data subject

Bunifu Technologies Limited acknowledges and respects the rights of the data subject under the Act, which include:

• Right to be Informed: Individuals have the right to know why their personal data is being collected, including the purposes and methods of processing.
• Right of Access: Data subjects can obtain a copy of the personal data held by Bunifu and an explanation of how it has been processed.
• Right to Withdraw Consent: If the data collection is based on consent, data subjects have the right to withdraw their consent at any time, without needing to provide a reason. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
• Right to Rectification: The right to have any inaccurate personal data corrected.
• Right to Erasure (Right to be Forgotten): The right to request Bunifu to delete or destroy personal data in situations such as withdrawal of consent, when the data is no longer needed for its original purpose, or when retaining the data is not in the best interest of the data subject.
• Right to Restrict Processing: The right to limit data processing if there are concerns about the accuracy of the data, if processing was unlawful, or if the data subject’s interests outweigh Bunfiu’s legitimate reasons for processing.
• Right to Data Transfer: Where applicable, the right to receive, or request that Bunfiu transfers, their personal data in a structured, commonly used, machine-readable format to a third party.
• Right to Object to Direct Marketing: Data subjects have the right to request that their personal data not be used for direct marketing purposes.
• Right to be Notified of a Personal Data Breach: The right to be informed about a personal data breach likely to result in a high risk to their rights, freedoms, or dignity.
• Right to Complain: The right to lodge a complaint with the Data Commissioner regarding the handling of their personal data by Bunifu.

Compliance and audit

The Board at Bunifu Technologies Limited may conduct periodic audits to verify adherence to this Policy. All employees are required to cooperate with these audits and any resulting outcomes, including the implementation of remediation plans.

Interpretation

Should there be any discrepancies between the terms of this Policy and any newly enacted laws, regulations, or standards applicable to Bunifu, the latter will take precedence. This Policy will be amended accordingly to align with the new legal requirements.

Review

The Audit Committee is tasked with reviewing this policy biennially. Any recommended changes will be presented to the Board for approval.

Policy approval

This Policy was officially approved by the management of Bunifu Technologies Limited on 16th January 2024.

Appendix

Definition of Terms

Consent – Refers to a clear, express, unequivocal, specific, and informed indication of the data subject’s wishes, either through a statement or a clear affirmative action, signifying agreement to the processing of personal data related to them.

Data Subject – An identified or identifiable natural person who is the subject of personal data.

Data Controller – A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.

Data Processor – A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.

Sensitive Data or Sensitive Personal Data – Data revealing a natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details (including names of children, parents, spouse or spouses), sex, or sexual orientation.

Personal Data – Any information relating to an identified or identifiable natural person.

Processing – Operations or sets of operations performed on personal data or sets of personal data, whether or not by automated means. This includes:

a) Collection, recording, organization, structuring;
b) Storage, adaptation, or alteration;
c) Retrieval, consultation, or use;
d) Disclosure by transmission, dissemination, or otherwise making available;
e) Alignment or combination, restriction, erasure, or destruction.