Soko Makueni data subject rights procedure 2023
SOKO MAKUENI DATA SUBJECT RIGHTS PROCEDURE
Author: Soko Makueni
Approved by: County Attorney
Review due date: 2026
Current Version: 1.0
Version history: First Version of Document
Data Subject Rights Procedure
1. Introduction
2. Scope of procedure
3. Responsibilities
4. Personal Data Owners
5. Data subject rights
6. Self-service procedure
7. Formal data subject rights procedure
8. Timescales
9. Unreasonable requests
10. Complaints
1. Introduction
1.1 This procedure has been developed to ensure that Soko Makueni complies with its legal obligations in respect of data subject rights under the relevant data protection legislation. The procedure is governed by the Data Protection Act, 2019. In the event of a conflict between this procedure and the Data Protection Act, 2019, the Data Protection Act, 2019 will take precedence.
2. Scope of procedure
2.1 This procedure applies to all personal data for which Soko Makueni acts as data controller or joint data controller. Where Soko Makueni is acting as a data processor, it will comply with any agreement in place with the relevant data controller.
3. Responsibilities
3.1 Data Protection Officer
The Data Protection Officer is responsible for overseeing and implementing this procedure.
3.2 Personal Data Owners
Personal Data Owners are responsible for ensuring that the Data Protection Officer’s instructions are followed within their area of responsibility, which will include the allocation of sufficient resources. A list of Personal Data Owners is provided in section 4 below.
3.3 Other members of the Government of Makueni County
All members of the County Government, including staff, must comply with any instructions given by the Data Protection Officer or Personal Data Owners under this procedure.
3.4 Data processors
All data processors acting on behalf of Soko Makueni must comply with any instructions given by Soko Makueni under this procedure, subject to any alternative arrangements or variations in the relevant agreement.
4. Personal Data Owners
5. Data subject rights
5.1 Data subjects have a number of specific rights under the Constitution of Kenya, which includes the Data Protection Act, 2019. In certain circumstances these rights will not apply to personal data for which Soko Makueni acts as data controller. If a request to exercise a data subject right is made, and Soko Makueni feels that it does not apply to the processing in question, the reasons for this decision will be clearly stated within one month of receipt of the request. In line with section 8 of this procedure, data subjects will also be provided with information about how to complain to the Office of the Data Protection Commissioner. The data subject rights, and the relevant variations and exemptions, are as follows:
5.2 Right of access
Where Soko Makueni is acting as a controller, individuals have the right to obtain from it confirmation of whether or not their personal data are being processed, and if so, access to the personal data and the following information:
a. The purpose of the processing
b. The categories of personal data concerned
c. The recipients to whom the personal data have been or will be disclosed
d. The period for which the personal data will be stored
e. Where the data are not collected directly from the data subject, any available information about their source
f. Whether the data are used for automated decision-making, including profiling, and if so, details about such processing
5.3 This right does not apply to personal data processed for scientific or historical research purposes or statistical purposes.
5.4 Right to data portability
A data subject may request to receive personal data in a commonly used format that allows them to transmit the data to another controller. This right does not apply in the following circumstances:
a. Where the personal data are being processed for scientific or historical research purposes or statistical purposes.
b. Where the processing is in the public interest or is necessary for the County Government to exercise its official authority.
5.5 Right to rectification
Data subjects have the right to ask for any inaccurate personal data held by Soko Makueni to be corrected, and any incomplete data to be completed. In the case of incomplete data, Soko Makueni may request a supplementary statement from the data subject. This right does not apply to personal data processed for scientific or historical research purposes or statistical purposes.
5.6 Right to be forgotten
A data subject has the right to request that Soko Makueni erases any of their personal data in the following circumstances:
a. The data are no longer required to fulfil the purpose for which they were collected
b. Where the processing is based on consent and this is withdrawn, and where there are no other legal grounds for processing
c. Where the subject objects to the processing
d. Where the data are being unlawfully processed
e. Where the data have to be erased to comply with the County Government’s legal obligations
5.7 Soko Makueni may decline to erase the data where it considers that the processing is necessary for the following reasons:
a. To exercise the right of Soko Makueni or the County Government or any of its members to freedom of expression and information
b. To comply with Soko Makueni’s or the County Government’s legal obligations, or where the processing is in the public interest or is necessary for the County Government to exercise its official authority
c. For public interest reasons relating to public health
d. For archiving purposes in the public interest, for scientific or historical research, or for statistical purposes
e. To establish, exercise or defend legal claims
5.8 Right to request a restriction of processing
A data subject has the right to request that Soko Makueni restricts processing of their personal data in the following circumstances:
a. The accuracy of the data is contested by the subject, in which case the restriction applies for a period sufficient to enable Soko Makueni to verify the accuracy of the data
b. The processing is unlawful and the data subject prefers a restriction of processing over erasure
c. Soko Makueni no longer needs the data for processing, but the data subject needs it to establish, exercise or defend legal claims
d. The data subject has objected to the processing pending verification as to whether the legitimate grounds of Soko Makueni override their rights
5.9 Where a legitimate request to restrict processing is made, Soko Makueni may nevertheless continue the processing activity in the following circumstances:
a. To establish, exercise or defend legal claims
b. To protect the rights of individuals
c. For public interest reasons
d. Where the data are processed for scientific or historical research purposes or statistical purposes.
5.10 Right to object to processing
A data subject may object to a processing activity if the processing is based on the following:
a. The public interest
b. The exercise of official authority or the legitimate interests of Soko Makueni or the County Government
5.11 Soko Makueni will stop the processing unless there are compelling and legitimate reasons to continue it, or the processing is needed to establish, exercise or defend legal claims. Where data are used for direct marketing purposes, a data subject may object to the processing at any time, in which case Soko Makueni will cease using the data for this purpose. This right does not apply to personal data processed for scientific or historical research purposes or statistical purposes.
5.12 Right not to be subject to automated decision making
A data subject has the right not to be subject to a decision based on purely automated processing which has a significant or legal effect on them. This right does not apply if the decision:
a. Is necessary to enter into a contract between Soko Makueni and the data subject
b. Is authorised by law
6. Self-service procedure
6.1 Soko Makueni aims to allow data subjects to exercise their rights in a quick and efficient manner. To this end, data subjects may find that the most straightforward means of exercising one or more of their rights is to contact the relevant department directly. A list of common data subject rights requests and solutions is available on the Soko Makueni website. This list is non-exhaustive, but data subjects are generally encouraged to contact the relevant department directly in the first instance to establish whether local assistance can be provided.
6.2 The following factors may make a request unsuitable for the self-service procedure (this list is non-exhaustive):
a. A unique or bespoke request
b. A substantial request, which may involve co-ordination across a number of requirements
c. A request relating to a complaint or legal claim
d. Any uncertainty as to the data subject’s rights under this procedure and other Soko Makueni documents relating to data protection
6.3 If a member of staff of the County Government is unsure about whether or not to respond to a request by a data subject, or feels that a request should be refused, they should contact the Data Protection Officer for advice.
7. Formal data subject rights procedure
7.1 Data subjects should submit a request to exercise a data subject right using the Data Subject Rights Application Form.
7.2 This form will be assessed by Soko Makueni’s Data Protection Officer, who may refer a data subject to the self-service information.
7.3 If a request is received by an external processor from a data subject for which Soko Makueni acts as a data controller or joint controller, the external processor should contact Soko Makueni’s Data Protection Officer immediately.
7.4 If a request to exercise a data subject right is received by any Soko Makueni staff member other than the Data Protection Officer, they should first consider whether the request can be met using the self-service procedure set out in section 6. If the request cannot be met using the self-service procedure, the staff member should contact the Data Protection Officer immediately.
7.5 Where the right to be exercised relates to personal data processed by a separate controller, the data subject will usually be referred to that controller and no further action will be taken.
7.6 Where the right to be exercised relates to personal data controlled by Soko Makueni, or by the platform as a joint controller, the Data Protection Officer will first seek to verify the data subject’s identity. The following forms of identification are acceptable:
a. National Identification card
b. Driving License (copy acceptable)
c. Passport (copy acceptable)
d. Employee card (if current staff member)
e. Student card (if current student)
7.7 Where an original document is provided, Soko Makueni will return this via standard postage.
7.8 If the data subject cannot produce satisfactory identification, the request will be rejected.
7.9 Once a data subject’s identity has been verified, the Data Protection Officer will consult Soko Makueni’s Processing Activities Record to establish the scope of any processing and the relevant external processors.
7.10 If no personal data are processed within the parameters of the request, this will be confirmed to the data subject and the request will be closed.
7.11 If personal data are processed within the parameters of the request by Soko Makueni or one of its external processors, the Data Protection Officer will consider the legal basis on which the processing occurs and will determine whether any exemptions or variations apply.
7.12 If an exemption or variation applies which overrides the data subject’s right, the request will normally be rejected, with the reasons for the rejection communicated to the data subject.
7.13 If no exemption or variation applies, the Data Protection Officer will instruct the County Government officer or external processor to take the necessary action to comply with the request.
7.14 The department or external processor will be required to comply with this instruction within the time specified by the Data Protection Officer. If more time is needed, the County Government or external processor should contact the Data Protection Officer immediately.
7.15 Where extra time is requested, the Data Protection Officer will determine whether or not the County Government or external processor is entitled to additional time to comply with the request. The Personal Data Owner or external processor is responsible for ensuring that sufficient resources are allocated to comply with the request within the specified timescales.
7.16 Once the County Government or processor has taken the necessary action to comply with the request, this should be confirmed to the Data Protection Officer.
7.17 The Data Protection Officer, with support from the County Government or external processor, and the Office of the County Attorney where appropriate, will consider whether any additional action needs to be taken, including the redaction of any material to be provided to the data subject.
7.18 The Data Protection Officer will then confirm to the data subject that their request has been fulfilled, and will provide a copy of any relevant information, where required, using a secure method of transfer.
7.19 If the data subject is dissatisfied with the response, they can request that the Data Protection Officer takes additional steps to fulfil their request. The Data Protection Officer will consider whether any additional steps are required.
7.20 Where additional steps are required, the Data Protection Officer will instruct the County Government and external processors on the necessary actions, and confirm the outcome of these to the data subject in line with paragraph 7.18 of this procedure.
7.21 Where the Data Protection Officer considers that no additional action is required, they will confirm this to the data subject and inform them of their right to make a complaint to the Office of the Data Protection Commissioner under section 10 of this procedure.
8. Timescales
8.1 Soko Makueni will normally respond to requests made under this procedure within one calendar month.
8.2 The date on which the request is taken as being received will be the date on which acceptable proof of a data subject’s identity is received.
8.3 Soko Makueni may determine that this timescale should be extended to two months where multiple or complex requests are made by a data subject. If Soko Makueni determines that it will require two months to respond to a request (or requests), this will be confirmed to the data subject within one month of receiving the request. Only the Data Protection Officer can authorise extending the timescale to two months.
8.4 Where a request under this procedure is rejected, Soko Makueni will write to the data subject to give written reasons for the decision within one month of the request being received.
9. Unreasonable requests
9.1 Where a data subject makes a request to exercise a data subject right under this procedure that is manifestly unfounded or excessive, which may be because it is part of a string of repetitive requests, Soko Makueni may take one of the following actions:
a. Refuse to act on the request
b. Charge a reasonable fee to act on the request, which will normally take into account the administrative costs of doing so
9.2 Where a request is refused in this way, the data subject will be given written reasons for the decision. Only the Data Protection Officer is authorised to refuse a request under this procedure.
10. Complaints
10.1 If a request is made to exercise a data subject right under the self-service procedure outlined in section 5 and the data subject is dissatisfied with the response, they can contact Soko Makueni’s Data Protection Officer under the formal procedure outlined in section 6. The Data Protection Officer will follow this procedure to determine whether an additional response can be provided.
10.2 If a data subject has any concerns about Soko Makueni’s handling of their personal data, they can make a complaint to the Office of the Data Protection Commissioner at email@example.com