PERSONAL DATA PROTECTION POLICY

SECTION I – PURPOSE AND SCOPE

1. 1.1 This Policy sets out the rules relating to the protection of individuals, including Staff Members, with regards to the processing of their Personal Data by Jamii Telecommunications Ltd ("JTL") or on its behalf (hereinafter the "Policy").
2. 1.2 The implementation of any processing of Personal Data by the JTL is subject to compliance with this Policy and any other relevant rules of the JTL adopted for its implementation.
3. 1.3 This Policy protects all Personal Data relating to individuals, whether collected by the JTL or disclosed to the JTL by a third party.

SECTION II - DEFINITIONS

For the purposes of the present Policy, the following terms are defined as follows:

2.1 Personal Data

means any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Company registration numbers, generic email addresses (such as info@company.com) and anonymised data are not considered Personal Data.

2.2 Processing

means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, by manual or automated means (including the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data).

2.3 Data Controller

means any Staff Member who has the authority to determine, alone or jointly with others, the purposes, conditions and means of the processing of Personal Data on behalf of JTL.

2.4 Data Processor

means any Staff Member or other individual, legal entity, public authority or similar body, including a third party, authorized to process Personal Data on behalf and under the direct authority of the Data Controller.

2.5 Recipient

means the individual, legal entity, public authority or similar body to which Personal Data are disclosed.

2.6 Personal Data Breach

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

2.7 Sensitive Data

means data related to or revealing the national registration number, genetic data, judicial data (such as litigations, suspicions, prosecutions, criminal convictions etc.), data revealing racial or ethnic origin, data concerning health or sex life, political opinions, trade-union membership, and religious or philosophical beliefs.

2.8 Consent

means the freely given, specific, informed and unambiguous permission expressed by an individual by which he or she agrees with the processing of his/her Personal Data. This consent is given either by a written statement or by a clear affirmative action.

2.9 Data Protection Officer

means the Staff Member appointed by the company to perform the duties listed in this Policy or assigned to him/her by decision of the Chief Regulatory Officer.

2.10 Staff Members

means any staff member of the JTL.

SECTION III – PRINCIPLES RELATING TO PROCESSING AND TRANSFER OF PERSONAL DATA

A. Processing of Personal Data

1. 3.1 JTL shall ensure that Personal Data disclosed to JTL is collected and processed according to the principles expressed in this Policy.
2. 3.2 Personal Data shall be processed and used lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency').
3. 3.3 Personal Data shall be collected for specified, explicit and legitimate purposes consistent with JTL's official activities ('purpose limitation').
4. 3.4 The Processing of Personal data shall always be adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected and/or further processed ('data minimization').
5. 3.5 Personal Data stored by JTL shall be accurate and, where necessary, kept up-to-date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy').
6. 3.6 Personal Data shall be kept or stored for no longer than is reasonably necessary for the purposes for which it is processed ('storage limitation').
7. 3.7 Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ('integrity and confidentiality').
8. 3.8 JTL shall not process Sensitive Data, except if:
   1. the Processing is in reference to medical or social protection under the applicable JTL internal rules, including health insurance coverage and the payment of family or other social benefits by JTL;
   2. the Processing is for the copying of passports where a Staff Member uses JTL's assistance when requesting either a visa for entering the duty country or applying for any other visa in connection with official travel for JTL;
   3. individuals have given Consent to the processing of Sensitive Data or made the Sensitive Data manifestly public. JTL may be asked to prove that the individual has explicitly and without reservation consented to the processing of such Sensitive Data for the purpose at stake.

   In case Sensitive Data is processed, JTL shall take all appropriate and necessary measures to ensure the security and confidentiality of such Sensitive Data.

9. 3.9 Should JTL intend to use Personal Data for the purposes of direct marketing, Consent shall be received regarding the Processing of data resulting from participation in events and activities of JTL. Electronic means shall be used to ensure that participants have consented to the processing of their Personal Data for the purposes of direct marketing. The opt-in regime shall be seen as the general rule in order to ensure that participants have provided their Consent.

B. Transfer of Personal Data

10. 3.10 Personal Data may be transferred within JTL on the following conditions:
    1. the Personal Data are necessary for the performance of tasks covered by the activities of the Recipient;
    2. only the Personal Data necessary for the performance of these tasks shall be transferred; and
    3. the Recipient may process the Personal Data only for the purposes for which they are transferred.
11. 3.11 JTL may transfer Personal Data to other third parties with which JTL entered into an agreement, in only one of the following cases:
    1. the JTL Members, international organizations or other third parties observe this Policy and any other relevant rules which JTL may adopt for its implementation; or
    2. sufficient safeguards exist, including effective enforcement mechanisms and appropriate measures put in place by the third parties, to ensure a continuing level of security and protection consistent with this Policy and any other relevant rules which JTL may adopt for its implementation; or
    3. the concerned individual has explicitly consented to the proposed transfer; or
    4. the transfer is necessary for the establishment, exercise or defense of legal claims;
    5. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the concerned individual between the Data Controller and another natural or legal person;
    6. the transfer is necessary to protect the vital interests of the concerned individual; or
    7. to allow JTL to achieve its legitimate aims and to carry out its official activities.
12. 3.12 Where the Data Controller intends to instruct a Data Processor to process Personal Data on its behalf, the Data Controller shall use only Data Processors providing sufficient adequate guarantees of compliance with the level of security and protection of the Personal Data set forth by this Policy to ensure the protection of the rights of individuals.
13. 3.13 In the context of events of JTL and the distribution of a list containing participants' Personal Data, JTL shall ensure that it has received consent from the individuals before issuing such a list. Such Consent shall also be obtained using the opt-in regime.

SECTION IV – RIGHTS OF INDIVIDUALS

A. Information to be given to the individuals

1. 4.1 Upon request by the concerned individual, JTL shall provide the individual with the following information on the Processing of data which is personal to him/her:
   1. the identity and the contact details of the Data Controller;
   2. the contact details of the Data Protection Officer;
   3. the purpose of the Processing for which the personal data are intended as well as the legal basis for the processing;
   4. the categories of Personal Data concerned;
   5. the Recipients or category of Recipients of the Personal Data;
   6. where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the reason why no such period is fixed;
   7. where applicable, the fact that JTL intends to transfer Personal Data to a third party and the reasons for such transfer; and
   8. the existence of the right to request access, rectification or erasure of Personal Data and to submit claims.
2. 4.2 The section above shall not apply where the provision of such information proves impossible or would involve a disproportionate effort. In such instances, JTL shall take appropriate measures to protect the concerned individuals' rights and legitimate interests to the extent reasonably possible.

B. Right to access

3. 4.3 Every individual shall have the right to obtain from the Data Controller at any time, on request, confirmation as to whether or not Personal Data relating to him/her are being processed.

C. Right to rectification and erasure

4. 4.4 Individuals have the right to obtain, without undue delay, the rectification or completion of their inaccurate or incomplete Personal Data.
5. 4.5 Individuals shall have the right to obtain from the Data Controller erasure of their Personal Data without undue delay, and the Data Controller shall have the obligation to erase Personal Data without undue delay where one of the following grounds applies:
   1. the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; or
   2. the Personal Data have been processed in such a way that does not comply with this Policy.
6. 4.6 Where JTL is not the Data Processor, JTL shall make every reasonable effort to ensure that the third party Data Processor complies with the request of the concerned individuals.
7. 4.7 The above section does not apply to the extent that the Processing is necessary for statistical or archiving purposes, for the delivery of JTL's services, in so far as the erasure is likely to render impossible or seriously impair the achievement of the objectives of that Processing.

D. Right to object

8. 4.8 Every individual shall have at any time the right to submit a request objecting, on grounds relating to his or her particular situation, to the Processing of Personal Data concerning him or her. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates that such Processing is necessary for the performance of the task carried out in the exercise of JTL's official activities or in the framework of its responsibilities.

E. Right to data portability

9. 4.9 Each individual shall have the right to receive the Personal Data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data Controller to which the Personal Data have been provided, where technically feasible and as long as it shall not adversely affect the rights and freedoms of others.

SECTION V – DATA PROTECTION OFFICER

A. APPOINTMENT

1. 5.1 A Data Protection Officer (hereinafter the "DPO") shall report directly to the Chief Regulatory Officer and dotted line reporting to the Head of Management Information Services.
2. 5.2 The DPO shall act independently, in a neutral and impartial manner and shall not accept instructions conflicting with his/her responsibilities.

B. DUTIES

3. 5.3 The DPO shall monitor the application of this Policy and the Data Protection Act.
4. 5.4 The DPO shall, on request or on his/her initiative, advice individuals on their rights and Data Controllers on their rights and obligations.

C. COOPERATION OF DATA CONTROLLERS WITH THE DPO

5. 5.5 Data Controllers shall cooperate with the DPO by assisting the DPO and making available any information necessary for the DPO to carry out his/her tasks. Data Controllers shall involve the DPO in the process of designing new information systems and to ensure that measures of data protection are built in those systems from the beginning.

SECTION VI - SETTLEMENT OF CLAIMS

1. 6.1 Any individual may complain in writing to the DPO (dpo@jtl.co.ke) about any matter relating to his/her Personal Data, including any Personal Data Breach.
2. 6.2 The DPO must acknowledge receipt in writing and decide on the complaint within sixty (60) days of receipt. The DPO may extend the time limit with thirty (30) days if it considers the complaint requires further assessment. In such case, the DPO shall give notice to the complainant.
3. 6.3 Any individual may further challenge the decision of the DPO if he/she considers it affects him/her adversely in accordance with the procedures established below.
4. 6.4 Any Staff Member may challenge the decision of the DPO if he/she considers it affects him/her adversely. He/she shall proceed in accordance with the dispute settlement procedures as detailed in the applicable Staff Manual.

SECTION VII - REVIEW, AMENDMENT AND PUBLICITY

1. 7.1 This Policy may be amended at any time upon decision of the DPO.
2. 7.2 The Policy shall be published and accessible on both the JTL's intranet and public website.