1/7

PERSONAL DATA PROTECTION POLICY

SECTION I – PURPOSE AND SCOPE

1.1 This Policy sets out the rules relating to the protection of individuals, including Staff

Members, with regards to the processing of their Personal Data by Jamii

Telecommunications Ltd (“JTL”) or on its behalf (hereinafter the “Policy”).

1.2 The implementation of any processing of Personal Data by the JTL is subject to

compliance with this Policy and any other relevant rules of the JTL adopted for its

implementation.

1.3 This Policy protects all Personal Data relating to individuals, whether collected by the JTL

or disclosed to the JTL by a third party.

SECTION II - DEFINITIONS

For the purposes of the present Policy, the following terms are defined as follows:

2.1 “Personal Data” means any information relating to an identified or identifiable individual.

An identifiable individual is one who can be identified, directly or indirectly, in particular

by reference to an identifier such as a name, identification number, location data, online

identifier or one or more factors specific to the physical, physiological, genetic, mental,

economic, cultural or social identity of that individual. Company registration numbers,

generic email addresses (such as info@company.com) and anonymised data are not

considered Personal Data;

2.2 “Processing” means any operation or set of operations which is performed upon

Personal Data or sets of Personal Data, by manual or automated means (including the

collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval,

consultation, use, disclosure by transmission, dissemination or otherwise making

available, alignment or combination, restriction, erasure or destruction of Personal Data);

2.3 “Data Controller” means any Staff Member who has the authority to determine, alone

or jointly with others, the purposes, conditions and means of the processing of Personal

Data on behalf of JTL;

2.4 “Data Processor” means any Staff Member or other individual, legal entity, public

authority or similar body, including a third party, authorized to process Personal Data on

behalf and under the direct authority of the Data Controller;

2/7

2.5 “Recipient” means the individual, legal entity, public authority or similar body to which

Personal Data are disclosed;

2.6 “Personal Data Breach” means a breach of security leading to the accidental or

unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal

Data transmitted, stored or otherwise processed;

2.7 “Sensitive Data” means data related to or revealing the national registration number,

genetic data, judicial data (such as litigations, suspicions, prosecutions, criminal

convictions etc.), data revealing racial or ethnic origin, data concerning health or sex life,

political opinions, trade-union membership, and religious or philosophical beliefs;

2.8 “Consent” means the freely given, specific, informed and unambiguous permission

expressed by an individual by which he or she agrees with the processing of his/her

Personal Data. This consent is given either by a written statement or by a clear affirmative

action;

2.9 “Data Protection Officer” means the Staff Member appointed by the company to perform

the duties listed in this Policy or assigned to him/her by decision of the Chief Regulatory

Officer; and

2.10 “Staff Members” means any staff member of the JTL.

SECTION III – PRINCIPLES RELATING TO PROCESSING AND TRANSFER OF

PERSONAL DATA

A. Processing of Personal Data

3.1 JTL shall ensure that Personal Data disclosed to JTL is collected and processed

according to the principles expressed in this Policy.

3.2 Personal Data shall be processed and used lawfully, fairly and in a transparent manner

(‘lawfulness, fairness and transparency’).

3.3 Personal Data shall be collected for specified, explicit and legitimate purposes consistent

with JTL’s official activities (‘purpose limitation’).

3.4 The Processing of Personal data shall always be adequate, relevant and limited to what

is necessary in relation to the purposes for which they are collected and/or further

processed (‘data minimization’).

3.5 Personal Data stored by JTL shall be accurate and, where necessary, kept up-todate;

every reasonable step must be taken to ensure that Personal Data that are inaccurate,

having regard to the purposes for which they are processed, are erased or rectified

without delay (‘accuracy’).

3/7

3.6 Personal Data shall be kept or stored for no longer than is reasonably necessary for the

purposes for which it is processed (‘storage limitation’).

3.7 Personal Data shall be processed in a manner that ensures appropriate security of the

Personal Data, including protection against unauthorized or unlawful processing and

against accidental loss, destruction or damage, using appropriate technical or

organizational measures (‘integrity and confidentiality’).

3.8 JTL shall not process Sensitive Data, except if:

(i) the Processing is in reference to medical or social protection under the

applicable JTL internal rules, including health insurance coverage and the

payment of family or other social benefits by JTL;

(ii) the Processing is for the copying of passports where a Staff Member uses

JTL’s assistance when requesting either a visa for entering the duty country

or applying for any other visa in connection with official travel for JTL;

(iii) individuals have given Consent to the processing of Sensitive Data or made

the Sensitive Data manifestly public. JTL may be asked to prove that the

individual has explicitly and without reservation consented to the processing

of such Sensitive Data for the purpose at stake.

In case Sensitive Data is processed, JTL shall take all appropriate and necessary

measures to ensure the security and confidentiality of such Sensitive Data.

3.9 Should JTL intend to use Personal Data for the purposes of direct marketing, Consent

shall be received regarding the Processing of data resulting from participation in events

and activities of JTL. Electronic means shall be used to ensure that participants have

consented to the processing of their Personal Data for the purposes of direct marketing.

The opt-in regime shall be seen as the general rule in order to ensure that participants

have provided their Consent.

B. Transfer of Personal Data

3.10 Personal Data may be transferred within JTL on the following conditions:

(i) the Personal Data are necessary for the performance of tasks covered by the

activities of the Recipient;

(ii) only the Personal Data necessary for the performance of these tasks shall

be transferred; and

(iii) the Recipient may process the Personal Data only for the purposes for which

they are transferred.

3.11 JTL may transfer Personal Data to other third parties with which JTL entered into an

agreement, in only one of the following cases:

4/7

(i) the JTL Members, international organizations or other third parties observe

this Policy and any other relevant rules which JTL may adopt for its

implementation; or

(ii) sufficient safeguards exist, including effective enforcement mechanisms and

appropriate measures put in place by the third parties, to ensure a continuing

level of security and protection consistent with this Policy and any other

relevant rules which JTL may adopt for its implementation; or

(iii) the concerned individual has explicitly consented to the proposed transfer; or

(iv) the transfer is necessary for the establishment, exercise or defense of legal

claims;

(v) the transfer is necessary for the conclusion or performance of a contract

concluded in the interest of the concerned individual between the Data

Controller and another natural or legal person;

(vi) the transfer is necessary to protect the vital interests of the concerned

individual; or

(vii) to allow JTL to achieve its legitimate aims and to carry out its official activities.

3.12 Where the Data Controller intends to instruct a Data Processor to process

Personal Data on its behalf, the Data Controller shall use only Data Processors

providing sufficient adequate guarantees of compliance with the level of security

and protection of the Personal Data set forth by this Policy to ensure the

protection of the rights of individuals.

3.13 In the context of events of JTL and the distribution of a list containing participants’

Personal Data, JTL shall ensure that it has received consent from the individuals

before issuing such a list. Such Consent shall also be obtained using the opt-in

regime.

SECTION IV – RIGHTS OF INDIVIDUALS

A. Information to be given to the individuals

4.1 Upon request by the concerned individual, JTL shall provide the individual with the following

information on the Processing of data which is personal to him/her:

(i) the identity and the contact details of the Data Controller;

(ii) the contact details of the Data Protection Officer;

5/7

(iii) the purpose of the Processing for which the personal data are intended as

well as the legal basis for the processing;

(iv) the categories of Personal Data concerned;

(v) the Recipients or category of Recipients of the Personal Data;

(vi) where possible, the envisaged period for which the Personal Data will be

stored, or, if not possible, the reason why no such period is fixed;

(vii) where applicable, the fact that JTL intends to transfer Personal Data to a third

party and the reasons for such transfer; and

(viii) the existence of the right to request access, rectification or erasure of

Personal Data and to submit claims.

4.2 The section above shall not apply where the provision of such information proves

impossible or would involve a disproportionate effort. In such instances, JTL shall take

appropriate measures to protect the concerned individuals’ rights and legitimate interests

to the extent reasonably possible.

B. Right to access

4.3 Every individual shall have the right to obtain from the Data Controller at any time, on

request, confirmation as to whether or not Personal Data relating to him/her are being

processed.

C. Right to rectification and erasure

4.4 Individuals have the right to obtain, without undue delay, the rectification or completion

of their inaccurate or incomplete Personal Data.

4.5 Individuals shall have the right to obtain from the Data Controller erasure of their Personal

Data without undue delay, and the Data Controller shall have the obligation to erase

Personal Data without undue delay where one of the following grounds applies:

(i) the Personal Data are no longer necessary in relation to the purposes for

which they were collected or otherwise processed; or

(ii) the Personal Data have been processed in such a way that does not comply

with this Policy.

4.6 Where JTL is not the Data Processor, JTL shall make every reasonable effort to

ensure that the third party Data Processor complies with the request of the

concerned individuals.

6/7

4.7 The above section does not apply to the extent that the Processing is necessary

for statistical or archiving purposes, for the delivery of JTL’s services, in so far as

the erasure is likely to render impossible or seriously impair the achievement of

the objectives of that Processing.

D. Right to object

4.8 Every individual shall have at any time the right to submit a request objecting, on grounds

relating to his or her particular situation, to the Processing of Personal Data concerning

him or her. The Data Controller shall no longer process the personal data unless the Data

Controller demonstrates that such Processing is necessary for the performance of the

task carried out in the exercise of JTL’s official activities or in the framework of its

responsibilities.

E. Right to data portability

4.9 Each individual shall have the right to receive the Personal Data concerning him or her,

which he or she has provided to a Data Controller, in a structured, commonly used and

machine-readable format and have the right to transmit those data to another controller

without hindrance from the Data Controller to which the Personal Data have been

provided, where technically feasible and as long as it shall not adversely affect the rights

and freedoms of others.

SECTION V – DATA PROTECTION OFFICER

A. APPOINTMENT

5.1 A Data Protection Officer (hereinafter the “DPO”) shall report directly to the Chief

Regulatory Officer and dotted line reporting to the Head of Management Information

Services.

5.2 The DPO shall act independently, in a neutral and impartial manner and shall not accept

instructions conflicting with his/her responsibilities.

B. DUTIES

5.3 The DPO shall monitor the application of this Policy and the Data Protection Act.

5.4 The DPO shall, on request or on his/her initiative, advice individuals on their rights and

Data Controllers on their rights and obligations.

C. COOPERATION OF DATA CONTROLLERS WITH THE DPO

5.5 Data Controllers shall cooperate with the DPO by assisting the DPO and making

available any information necessary for the DPO to carry out his/her tasks. Data

Controllers shall involve the DPO in the process of designing new information systems

7/7

and to ensure that measures of data protection are built in those systems from the

beginning.

SECTION VI - SETTLEMENT OF CLAIMS

6.1 Any individual may complain in writing to the DPO (dpo@jtl.co.ke) about any matter

relating to his/her Personal Data, including any Personal Data Breach.

6.2 The DPO must acknowledge receipt in writing and decide on the complaint within sixty

(60) days of receipt. The DPO may extend the time limit with thirty (30) days if it considers

the complaint requires further assessment. In such case, the DPO shall give notice to the

complainant.

6.3 Any individual may further challenge the decision of the DPO if he/she considers it affects

him/her adversely in accordance with the procedures established below.

6.4 Any Staff Member may challenge the decision of the DPO if he/she considers it affects

him/her adversely. He/she shall proceed in accordance with the dispute settlement

procedures as detailed in the applicable Staff Manual.

SECTION VII - REVIEW, AMENDMENT AND PUBLICITY

7.1 This Policy may be amended at any time upon decision of the DPO.

7.3 The Policy shall be published and accessible on both the JTL’s intranet and public

website.