Privacy policy

SOKO MAKUENI PRIVACY POLICY

Table of Contents

LIST OF ABBREVIATIONS

1. About this Policy

1.1. Purpose

1.2. Scope

1.3. Application

2. What is personal data?

3. How to manage personal data: the key principles of personal data protection

3.1. Lawfulness and fairness

3.2. Transparency

3.3. Purpose limitation and data minimisation

3.4. Accuracy

3.5. Data Subject’s rights and requests

3.6. Storage limitation

3.7. Security, integrity and confidentiality

3.8. Transfer limitation

4. Privacy Impact Assessments: what are they and when do you need one?

5. Record keeping

6. How does Soko Makueni manage data privacy breaches?

7. What are the consequences of violation of this Policy?

8. APPENDIX

LIST OF ABBREVIATIONS

CCTV - Closed Circuit Television

IP - Internet Protocol

ID - Identity Card

DPA - Data Protection Act 2019

1. About this Policy

1.1. Purpose

In the course of our business, Soko Makueni collects, handles and stores personal data of our customers, employees, sellers, suppliers, contractors and other individuals (“Data Subjects”). This information is a valuable and sensitive asset that must be managed respectfully and in accordance with all applicable local and international laws.

This privacy policy complies with national and international laws on the protection of personal data and information to the highest standards possible.

This Policy explains how any personal information which we process (or others process on our behalf) must be used in accordance with the law, and for Soko Makueni’s legitimate business purposes only.

1.2. Scope

This Policy covers:

  • all personal data held by or on behalf of Soko Makueni, regardless of the media on which that data is stored, or of which individuals own that personal data; and
  • all processing of such personal data, including all collection, recording, organisation, storage, use, disclosure, transfer, deletion and any other handling of personal data.

1.3. Application

This Policy applies to all of Soko Makueni’s employees and agents, and to Soko Makueni’s sellers, suppliers, contractors and other third parties responsible for processing personal data for or on behalf of Soko Makueni, referred to in this Policy as our “Partners”.

We expect all Partners to maintain our standards of data privacy, as set out in this Policy.

2. What is personal data?

Personal data is any information relating to an identified or identifiable person, including: name; address; date or place of birth; photographs or videos (including CCTV footage); contact details (e.g. telephone number, email, address); national identifiers (e.g. ID numbers); professional status (e.g. job title, employer); location; online identifiers (e.g. IP addresses); and personal preferences (e.g. shopping and browsing habits), among numerous other types of personal data. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, mental, economic, cultural or social identity.

Sensitive personal data or special category personal data contains information relating to a person's race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health and sexual life or orientation.

3. How to manage personal data: the key principles of personal data protection

Soko Makueni adheres to the highest personal data protection standards which require personal data to be processed in accordance with the principles set out below.

3.1. Lawfulness and fairness

Personal data must be processed fairly and lawfully.

Soko Makueni shall only process personal data if so required to comply with applicable laws (e.g. for the purpose of employee tax deductions) or if it has received affirmative consent, i.e. the Data Subject must make a positive statement or tick a box by way of consent.

Processing of personal data in reliance on any other legal basis, and without consent of the Data Subject, requires express written approval from the Makueni County Attorney, and is otherwise strictly prohibited.

Processing of sensitive data requires express written approval from the Makueni County Attorney, and is otherwise strictly prohibited.

3.2. Transparency

Personal data must be processed in a responsible and transparent manner.

Soko Makueni ensures that Data Subjects are duly informed before they disclose their personal data, by a clear and comprehensive privacy notice.

3.3. Purpose limitation and data minimisation

Personal data must be collected only for specified, explicit and legitimate purposes. Data collected must be adequate, relevant and limited to what is necessary for the identified purpose.

Collecting personal data that the business does not require for a specified purpose exposes Soko Makueni to unnecessary legal risks.

3.4. Accuracy

Personal data must be accurate and kept up to date where necessary. Soko Makueni endeavors to maintain the accuracy of our records through:

  • self-service systems, e.g. our vendor centre enables sellers to update their details periodically;
  • regular verification exercises; and
  • providing information to individuals so they know whom to contact if their details change.

3.5. Data Subject’s rights and requests

Data Subjects are entitled to exercise various rights with respect to their own personal data, including but not limited to the following:

  • withdrawing consent to processing of their personal data;
  • requesting access to their personal data; and
  • requesting erasure of their personal data in certain circumstances.

Soko Makueni’s Data Subject Rights Handling Guidance sets out processes for managing and responding to Data Subject requests, including mechanisms for communicating with Partners who may hold the relevant personal data in order to execute such responses.

3.6. Storage limitation

Personal data must not be kept for any longer than is necessary. Soko Makueni requires personal data to be anonymised or destroyed once the purpose for retaining that data, or the relevant time in the Document Retention Policy, has expired.

3.7. Security, integrity and confidentiality

Personal data must be processed in a manner which ensures its security using appropriate technical and organisational measures to protect against accidental loss, destruction or damage.

Security measures should be proportionate to the level of confidentiality and sensitivity of the personal data.

It is Soko Makueni’s goal to ensure security of personal data by:

  • anonymising or pseudonymising personal data wherever this is possible without compromising the purpose;
  • putting in place appropriate contractual arrangements to ensure an appropriate level of protection for personal data when it is shared with a third party; and
  • carrying out due diligence, as part of the supplier onboarding process, to verify that any third-party suppliers who hold or have access to personal data on our behalf meet our data protection standards.

3.8. Transfer limitation

Personal data must not be transferred across borders without the appropriate safeguards and consents being in place.

Soko Makueni maintains a record of all personal data transfers and requires you to inform and obtain approval from the Makueni County Attorney in respect of any personal data that is transferred across borders.

4. Privacy Impact Assessments: what are they and when do you need one?

Privacy Impact Assessments are tools which allow you to identify, assess and mitigate privacy risks. They can also help you to design more efficient and effective processes for handling personal data.

Soko Makueni requires a Privacy Impact Assessment to be completed where the activity falls outside Soko Makueni’s existing data map, e.g. transferring data to a new supplier or collecting a new category of data.

5. Record keeping

Soko Makueni maintains a full and accurate data map of all personal data processing activities and data flows, including records of Data Subjects’ consents and the procedures for obtaining consents.

We expect our Partners to maintain detailed data maps in respect of all personal data that they process on behalf of Soko Makueni, and to make this information available to Soko Makueni.

6. How does Soko Makueni manage data privacy breaches?

Soko Makueni has in place procedures to deal with any suspected personal data breach and will notify affected individuals and applicable regulators where legally required to do so.

If you know or suspect that a personal data breach has occurred, immediately contact sokocompliance@makueni.go.ke

7. What are the consequences of violation of this Policy?

Failure to comply with this Policy is a serious compliance breach.

Non-compliance is a disciplinary matter for employees. If you are a contractor, seller or supplier, it may constitute a breach of your contract with Soko Makueni and we may review, and/or terminate, your assignment with us.

8. APPENDIX

The following documents contain further helpful information on how Soko Makueni manages personal data:

APPENDIX 1: Soko Makueni Privacy Impact Assessments Template and Guidance 

APPENDIX 2: Soko Makueni Online Privacy & Cookie Notice 

APPENDIX 3: Soko Makueni Document Retention Policy 

APPENDIX 4: Soko Makueni Data Subject Rights Handling Guidance

If you are an employee of Soko Makueni and you have any questions about this Policy, or require approval, please contact the Office of the County Attorney Makueni.

If you are a Partner of Soko Makueni and you have any questions about this Policy or you require any approvals, please contact sokocompliance@makueni.go.ke