Effective Date: 15th January, 2023
In its everyday business operations, Koa makes use of a variety of data about identifiable individuals. In collecting and processing the information Koa is required to comply with the Right to Privacy as stated in Article 31 of the Constitution of Kenya, 2010, the Data Protection Act, 2019 and the National Payment System Act (collectively referred to as the “Data Protection Laws”). The purpose of this policy is to describe the steps that Koa is taking to ensure compliance with the law. This policy applies to all systems, people and processes that constitute Koa’s information systems, including, management, employees, consultants, clients, suppliers and other third parties who have access to Koa’s systems. Any breach of the Data Protection Act 2019 or our Data Protection Policies is a serious matter and could lead to disciplinary action or criminal proceedings in extreme cases. Other agencies and individuals working with us, and who have access to personal information held by us are required to comply with this policy.The following policies and procedures are part of this policy:
(Collectively referred to as our Policies).
Definitions Act means the Data Protection Act, No. 24 of 2019 Laws of Kenya and the relevant Regulations thereunder.
Anonymization means the removal of personal identifiers from personal data so that the data subject is no longer identifiable.
Consent means any voluntary, specific and informed expression of will of a data subject to process personal data.
Data Commissioner means the person appointed under the Data Protection Act, 2019.
Data subject means an identified or identifiable natural person who is the subject of personal data.
Identifiable natural person means a person who can be identified directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or social identity.
Koa means Koasave Africa Limited, a limited liability company duly incorporated in accordance with the laws of Kenya with its registered address at Ten Metropolitan Estate, Riverside Drive and of P.O. Box 41911-00100 Nairobi.
Koa Platform means the digital financial solutions platform that enables Users to access our digital web application that provides them access to banking and financial services.
“Personal data” means any information relating to an identified or identifiable natural person.
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Processing” means any operation or sets of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as:
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, and such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
“Sensitive personal data” means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, sex or the sexual orientation of the data subject, marital status, family information such as the names of their children, spouse or spouses, property information.
“Third party” means natural or legal person, public authority, agency or other body, other than the data subject, data controller, data processor or persons who, under the direct authority of the data controller or data processor, are authorized to process personal data.
Description of types data retained
In its day to day functions Koa retains data about:
The information we retain may include:
Data privacy is critically important to us. When handling personal data, we apply the following fundamental principles:
Sensitive personal data
Koa collects personal data such as data revealing an individual’s biometric data, property details, marital status, family details including names of the person's children, parents, spouse or spouses, sex or the sexual orientation.Where we collect sensitive data, the data shall be processed in accordance with the law and under the legally provided grounds set out below.
Protection of personal data & rights of data subjects
As Koa, we will ensure that we support the rights of persons whose personal data we collect. These rights include the right:
Principles for data protection
The Act provides principles for data protection. It requires Koa to ensure that personal data is:
Koa will ensure that it complies with all of these principles both in the processing it carries out and as part of new methods of processing such as new IT systems.
Exercise of the rights of the Data subject
In order to exercise any of the rights of the data subject Koa has in place procedures to enable you to do the following:
To access the procedure please contact the officer in charge at the following email firstname.lastname@example.org.
How do we use the personal data we collect?
We use information we collect in the following ways:
We may associate one or more categories of information with any other category of information that we see fit to and this combined information will be treated as personal data in accordance with the provisions set out in this policy, for as long as it is combined.
Processing of personal data
Koa will process the personal data we collect based on a lawful basis allowed under Data Protection Laws being:
Disclosure of personal data
Koa will not share personal information with any other individual, or Third Party except in the following cases:where we have obtained the data subject’s consent;for legal reasons where there is a court order or a legal obligation which we have to comply with; orit is necessary for public interest or national security.Where we share personal data in the cases listed above we take all necessary steps to ensure that: the data is processed lawfully, we only disclose what is necessary, and the data is kept secure and all safeguards are put in place to ensure its protection.
Data Retention Policy
We only retain personal data for as long as it is necessary to do so in line with the provisions of Data Protection Laws. Once it is no longer necessary to retain the data we anonymize or pseudonymize the personal data. We ensure that we retain and maintain all relevant records in a manner that is: secure, confidential, accurate and up to date. How we handle data retention is more elaborately explained in our Data Retention Policy.
Exercise of Rights of the Data Subject
Every data subject has the right to:
In order to comply with these requirements, Koa has established the following procedures:
These procedures can be found in the Data Requests Procedures Manual.
Koa is dedicated to keeping personal data secure. We shall endeavor to keep an up to date security procedure which shall include:
At Koa we ensure that we take all possible steps to safeguard all personal data that we store. However, in the event that there is a breach on our system and personal data has been accessed by an unauthorized person and there is real risk of harm to the data subject we shall:
The notification above will contain:
When a breach occurs we record the information, particularly: facts relating to the breach, effects of the breach, and the remedial action to be taken. We shall maintain a record of all security incidents at all times.
Data Protection Impact Assessment
At Koa we will undertake a Data Protection Impact Assessment (DPIA) whenever necessary where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
The DPIA will follow the following phases:
Phase 1 detailed listing of the data processing including: the data to be used, the legal basis or retention periods applied to the data
Phase 2 identify the legal and risk treatment controls which are currently implemented. This phase involves the current and existing set of measures from a legal, technical, physical and business point of view.
Phase 3 list the risk sources to the data processing.
Phase 4 analyze and list potential negative events and threats to the data processing focusing on data subjects’ personal data, and potential impact of the new processing.
Phase 5 write and present a report that summarizes the analysis, the current controls, the risks to the business and the threats to personal data.
Transfer of personal data outside KenyaWe may transfer any identifiable personal data about a data subject outside Kenya. In the event that we are required to transfer any data outside of Kenya, we shall ensure that we seek the necessary consent from you (where necessary). Any transfer of data will be done with adequate safeguard measures put in place to ensure that there is no risk of a data breach.
All complaints from data subjects regarding the way data is handled will be forwarded to email@example.com
A complaint can be made either orally or in writing but where an oral complaint is made the designated officer will as soon as practicable reduce the oral complaint into writing.
We will investigate every complaint that we receive and get back to you within 14 days of receiving the complaint.
If you are not satisfied with the findings you have the right to appeal or to lodge a complaint to the Data Commissioner established under the Act.
Changes to our Policies
We reserve the right to update or change our Policies at any time and you should check our Website periodically. Your continued use of our services after we post any modifications to our Policies on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Policies.
If we make any material changes to our Policies, we will notify you either through the email address you have provided us, or by placing a prominent notice on our website or at our office.