PERSONAL DATA PROTECTION POLICY
SECTION I – PURPOSE AND SCOPE
1.1 This Policy sets out the rules relating to the protection of individuals, including Staff
Members, with regard to the processing of their Personal Data by Jamii
Telecommunications Ltd (“JTL”) or on its behalf (hereinafter the “Policy”).
1.2 The implementation of any processing of Personal Data by the JTL is subject to
compliance with this Policy and any other relevant rules of the JTL adopted for its
implementation.
1.3 This Policy protects all Personal Data relating to individuals, whether collected by the JTL
or disclosed to the JTL by a third party.
SECTION II - DEFINITIONS
For the purposes of the present Policy, the following terms are defined as follows:
2.1 Personal Data means any information relating to an identified or identifiable individual.
An identifiable individual is one who can be identified, directly or indirectly, in particular
by reference to an identifier such as a name, identification number, location data, online
identifier or one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that individual. Company registration numbers,
generic email addresses (such as info@company.com) and anonymised data are not
considered Personal Data;
2.2 Processing means any operation or set of operations which is performed upon
Personal Data or sets of Personal Data, by manual or automated means (including the
collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or destruction of Personal Data);
2.3 Data Controller means any Staff Member who has the authority to determine, alone
or jointly with others, the purposes, conditions and means of the processing of Personal
Data on behalf of JTL;
2.4 Data Processor means any Staff Member or other individual, legal entity, public
authority or similar body, including a third party, authorized to process Personal Data on
behalf and under the direct authority of the Data Controller;
2.5 Recipient means the individual, legal entity, public authority or similar body to which
Personal Data are disclosed;
2.6 Personal Data Breach means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal
Data transmitted, stored or otherwise processed;
2.7 Sensitive Data means data related to or revealing the national registration number,
genetic data, judicial data (such as litigations, suspicions, prosecutions, criminal
convictions etc.), data revealing racial or ethnic origin, data concerning health or sex life,
political opinions, trade-union membership, and religious or philosophical beliefs;
2.8 Consent means the freely given, specific, informed and unambiguous permission
expressed by an individual by which he or she agrees with the processing of his/her
Personal Data. This consent is given either by a written statement or by a clear affirmative
action;
2.9 Data Protection Officer means the Staff Member appointed by the company to perform
the duties listed in this Policy or assigned to him/her by decision of the Chief Regulatory
Officer; and
2.10 “Staff Members” means any staff member of the JTL.
SECTION III – PRINCIPLES RELATING TO PROCESSING AND TRANSFER OF
PERSONAL DATA
A. Processing of Personal Data
3.1 JTL shall ensure that Personal Data disclosed to JTL is collected and processed
according to the principles expressed in this Policy.
3.2 Personal Data shall be processed and used lawfully, fairly and in a transparent manner
(‘lawfulness, fairness and transparency’).
3.3 Personal Data shall be collected for specified, explicit and legitimate purposes consistent
with JTL’s official activities (‘purpose limitation’).
3.4 The Processing of Personal Data shall always be adequate, relevant and limited to what
is necessary in relation to the purposes for which they are collected and/or further
processed (‘data minimization’).
3.5 Personal Data stored by JTL shall be accurate and, where necessary, kept up-to-date;
every reasonable step must be taken to ensure that Personal Data that are inaccurate,
having regard to the purposes for which they are processed, are erased or rectified
without delay (‘accuracy’).
3.6 Personal Data shall be kept or stored for no longer than is reasonably necessary for the
purposes for which it is processed (‘storage limitation’).
3.7 Personal Data shall be processed in a manner that ensures appropriate security of the
Personal Data, including protection against unauthorized or unlawful processing and
against accidental loss, destruction or damage, using appropriate technical or
organizational measures (‘integrity and confidentiality’).
3.8 JTL shall not process Sensitive Data, except if:
(i) the Processing is in reference to medical or social protection under the
applicable JTL internal rules, including health insurance coverage and the
payment of family or other social benefits by JTL;
(ii) the Processing is for the copying of passports where a Staff Member uses
JTL’s assistance when requesting either a visa for entering the duty country
or applying for any other visa in connection with official travel for JTL;
(iii) individuals have given Consent to the processing of Sensitive Data or made
the Sensitive Data manifestly public. JTL may be asked to prove that the
individual has explicitly and without reservation consented to the processing
of such Sensitive Data for the purpose at stake.
In case Sensitive Data is processed, JTL shall take all appropriate and necessary
measures to ensure the security and confidentiality of such Sensitive Data.
3.9 Should JTL intend to use Personal Data for the purposes of direct marketing, Consent
shall be received regarding the Processing of data resulting from participation in events
and activities of JTL. Electronic means shall be used to ensure that participants have
consented to the processing of their Personal Data for the purposes of direct marketing.
The opt-in regime shall be seen as the general rule in order to ensure that participants
have provided their Consent.
B. Transfer of Personal Data
3.10 Personal Data may be transferred within JTL on the following conditions:
(i) the Personal Data are necessary for the performance of tasks covered by the
activities of the Recipient;
(ii) only the Personal Data necessary for the performance of these tasks shall
be transferred; and
(iii) the Recipient may process the Personal Data only for the purposes for which
they are transferred.
3.11 JTL may transfer Personal Data to other third parties with which JTL entered into an
agreement, in only one of the following cases:
(i) the JTL Members, international organizations or other third parties observe
this Policy and any other relevant rules which JTL may adopt for its
implementation; or
(ii) sufficient safeguards exist, including effective enforcement mechanisms and
appropriate measures put in place by the third parties, to ensure a continuing
level of security and protection consistent with this Policy and any other
relevant rules which JTL may adopt for its implementation; or
(iii) the concerned individual has explicitly consented to the proposed transfer; or
(iv) the transfer is necessary for the establishment, exercise or defense of legal
claims;
(v) the transfer is necessary for the conclusion or performance of a contract
concluded in the interest of the concerned individual between the Data
Controller and another natural or legal person;
(vi) the transfer is necessary to protect the vital interests of the concerned
individual; or
(vii) to allow JTL to achieve its legitimate aims and to carry out its official activities.
3.12 Where the Data Controller intends to instruct a Data Processor to process
Personal Data on its behalf, the Data Controller shall use only Data Processors
providing sufficient and adequate guarantees of compliance with the level of security
and protection of the Personal Data set forth by this Policy to ensure the
protection of the rights of individuals.
3.13 In the context of events of JTL and the distribution of a list containing participants’
Personal Data, JTL shall ensure that it has received consent from the individuals
before issuing such a list. Such Consent shall also be obtained using the opt-in
regime.
SECTION IV – RIGHTS OF INDIVIDUALS
A. Information to be given to the individuals
4.1 Upon request by the concerned individual, JTL shall provide the individual with the following
information on the Processing of data which is personal to him/her:
(i) the identity and the contact details of the Data Controller;
(ii) the contact details of the Data Protection Officer;
(iii) the purpose of the Processing for which the personal data are intended as
well as the legal basis for the processing;
(iv) the categories of Personal Data concerned;
(v) the Recipients or category of Recipients of the Personal Data;
(vi) where possible, the envisaged period for which the Personal Data will be
stored, or, if not possible, the reason why no such period is fixed;
(vii) where applicable, the fact that JTL intends to transfer Personal Data to a third
party and the reasons for such transfer; and
(viii) the existence of the right to request access, rectification or erasure of
Personal Data and to submit claims.
4.2 The section above shall not apply where the provision of such information proves
impossible or would involve a disproportionate effort. In such instances, JTL shall take
appropriate measures to protect the concerned individuals’ rights and legitimate interests
to the extent reasonably possible.
B. Right to access
4.3 Every individual shall have the right to obtain from the Data Controller at any time, on
request, confirmation as to whether or not Personal Data relating to him/her are being
processed.
C. Right to rectification and erasure
4.4 Individuals have the right to obtain, without undue delay, the rectification or completion
of their inaccurate or incomplete Personal Data.
4.5 Individuals shall have the right to obtain from the Data Controller erasure of their Personal
Data without undue delay, and the Data Controller shall have the obligation to erase
Personal Data without undue delay where one of the following grounds applies:
(i) the Personal Data are no longer necessary in relation to the purposes for
which they were collected or otherwise processed; or
(ii) the Personal Data have been processed in such a way that does not comply
with this Policy.
4.6 Where JTL is not the Data Processor, JTL shall make every reasonable effort to
ensure that the third party Data Processor complies with the request of the
concerned individuals.
4.7 The above section does not apply to the extent that the Processing is necessary
for statistical or archiving purposes, for the delivery of JTL’s services, in so far as
the erasure is likely to render impossible or seriously impair the achievement of
the objectives of that Processing.
D. Right to object
4.8 Every individual shall have at any time the right to submit a request objecting, on grounds
relating to his or her particular situation, to the Processing of Personal Data concerning
him or her. The Data Controller shall no longer process the personal data unless the Data
Controller demonstrates that such Processing is necessary for the performance of the
task carried out in the exercise of JTL’s official activities or in the framework of its
responsibilities.
E. Right to data portability
4.9 Each individual shall have the right to receive the Personal Data concerning him or her,
which he or she has provided to a Data Controller, in a structured, commonly used and
machine-readable format and have the right to transmit those data to another controller
without hindrance from the Data Controller to which the Personal Data have been
provided, where technically feasible and as long as it shall not adversely affect the rights
and freedoms of others.
SECTION V – DATA PROTECTION OFFICER
A. APPOINTMENT
5.1 A Data Protection Officer (hereinafter the “DPO”) shall report directly to the Chief
Regulatory Officer, with dotted-line reporting to the Head of Management Information
Services.
5.2 The DPO shall act independently, in a neutral and impartial manner and shall not accept
instructions conflicting with his/her responsibilities.
B. DUTIES
5.3 The DPO shall monitor the application of this Policy and the Data Protection Act.
5.4 The DPO shall, on request or on his/her initiative, advise individuals on their rights and
Data Controllers on their rights and obligations.
C. COOPERATION OF DATA CONTROLLERS WITH THE DPO
5.5 Data Controllers shall cooperate with the DPO by assisting the DPO and making
available any information necessary for the DPO to carry out his/her tasks. Data
Controllers shall involve the DPO in the process of designing new information systems
and to ensure that measures of data protection are built into those systems from the
beginning.
SECTION VI - SETTLEMENT OF CLAIMS
6.1 Any individual may complain in writing to the DPO (dpo@jtl.co.ke) about any matter
relating to his/her Personal Data, including any Personal Data Breach.
6.2 The DPO must acknowledge receipt in writing and decide on the complaint within sixty
(60) days of receipt. The DPO may extend the time limit by thirty (30) days if it considers
the complaint requires further assessment. In such a case, the DPO shall give notice to the
complainant.
6.3 Any individual may further challenge the decision of the DPO if he/she considers it affects
him/her adversely in accordance with the procedures established below.
6.4 Any Staff Member may challenge the decision of the DPO if he/she considers it affects
him/her adversely. He/she shall proceed in accordance with the dispute settlement
procedures as detailed in the applicable Staff Manual.
SECTION VII - REVIEW, AMENDMENT AND PUBLICITY
7.1 This Policy may be amended at any time upon decision of the DPO.
7.3 The Policy shall be published and accessible on both the JTL’s intranet and public
website.