In its everyday business operations, Koa makes use of a variety of data about identifiable individuals. In collecting and processing this information, Koa is required to comply with the Right to Privacy as stated in Article 31 of the Constitution of Kenya, 2010, the Data Protection Act, 2019 and the National Payment System Act (collectively referred to as the “Data Protection Laws”). The purpose of this policy is to describe the steps that Koa is taking to ensure compliance with the law. This policy applies to all systems, people and processes that constitute Koa’s information systems, including management, employees, consultants, clients, suppliers and other third parties who have access to Koa’s systems. Any breach of the Data Protection Act 2019 or our Data Protection Policies is a serious matter and could lead to disciplinary action or, in extreme cases, criminal proceedings. Other agencies and individuals working with us who have access to personal information held by us are required to comply with this policy. The following policies and procedures are part of this policy:
(Collectively referred to as our Policies).
Definitions
Act means the Data Protection Act, No. 24 of 2019 Laws of Kenya and the relevant Regulations thereunder.
Anonymization means the removal of personal identifiers from personal data so that the data subject is no longer identifiable.
Consent means any voluntary, specific and informed expression of will of a data subject to process personal data.
Data Commissioner means the person appointed under the Data Protection Act, 2019.
Data subject means an identified or identifiable natural person who is the subject of personal data.
Identifiable natural person means a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Koa means Koasave Africa Limited, a limited liability company duly incorporated in accordance with the laws of Kenya with its registered address at Ten Metropolitan Estate, Riverside Drive and of P.O. Box 41911-00100 Nairobi.
Koap Cooperative means a registered savings and credit co-operative duly licensed and regulated by the Commissioner of Co-operative Societies under registration number CS/2636 and duly authorized to accept deposits from Members and provide our Services through the Koa App.
Koa Platform means the digital savings and investment platform that enables Members to access our digital mobile application and website providing customers access to savings and investment products.
“Personal data” means any information relating to an identified or identifiable natural person.
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, and such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
“Sensitive personal data” means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, sex or the sexual orientation of the data subject, marital status, family information such as the names of their children, spouse or spouses, property information.
“Third party” means natural or legal person, public authority, agency or other body, other than the data subject, data controller, data processor or persons who, under the direct authority of the data controller or data processor, are authorized to process personal data.
Description of types of data retained
In its day to day functions Koa retains data about:
The information we retain may include:
Data privacy is critically important to us. When handling personal data, we apply the following fundamental principles:
Sensitive personal data
Koa collects personal data such as data revealing an individual’s biometric data, property details, marital status, family details including the names of the person’s children, parents, spouse or spouses, sex or sexual orientation. Where we collect sensitive data, the data shall be processed in accordance with the law and under the legally provided grounds set out below.
Protection of personal data & rights of data subjects
As Koa, we will ensure that we support the rights of persons whose personal data we collect. These rights include the right:
Principles for data protection
The Act provides principles for data protection. It requires Koa to ensure that personal data is:
Koa will ensure that it complies with all of these principles both in the processing it carries out and as part of new methods of processing such as new IT systems.
Exercise of the rights of the Data subject
In order to exercise any of the rights of the data subject Koa has in place procedures to enable you to do the following:
To access the procedure please contact the officer in charge at the following email email@example.com.
How do we use the personal data we collect?
We use information we collect in the following ways:
We may associate one or more categories of information with any other category of information that we see fit to and this combined information will be treated as personal data in accordance with the provisions set out in this policy, for as long as it is combined.
Processing of personal data
Koa will process the personal data we collect based on a lawful basis allowed under Data Protection Laws being:
Disclosure of personal data
Koa will not share personal information with any other individual, or Third Party except in the following cases:
Where we share personal data in the cases listed above we take all necessary steps to ensure that: the data is processed lawfully, we only disclose what is necessary, and the data is kept secure and all safeguards are put in place to ensure its protection.
Data Retention Policy
We only retain personal data for as long as it is necessary to do so in line with the provisions of Data Protection Laws. Once it is no longer necessary to retain the data we anonymize or pseudonymize the personal data. We ensure that we retain and maintain all relevant records in a manner that is: secure, confidential, accurate and up to date. How we handle data retention is more elaborately explained in our Data Retention Policy.
Exercise of Rights of the Data Subject
Every data subject has the right to:
In order to comply with these requirements, Koa has established the following procedures:
These procedures can be found in the Data Requests Procedures Manual.
Koa is dedicated to keeping personal data secure. We shall endeavor to keep an up to date security procedure which shall include:
At Koa we ensure that we take all possible steps to safeguard all personal data that we store. However, in the event that there is a breach on our system and personal data has been accessed by an unauthorized person and there is real risk of harm to the data subject we shall:
The notification above will contain:
When a breach occurs we record the information, particularly: facts relating to the breach, effects of the breach, and the remedial action to be taken. We shall maintain a record of all security incidents at all times.
Data Protection Impact Assessment
At Koa we will undertake a Data Protection Impact Assessment (DPIA) whenever necessary where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
The DPIA will follow the following phases:
Phase 1 detailed listing of the data processing including: the data to be used, the legal basis or retention periods applied to the data
Phase 2 identify the legal and risk treatment controls which are currently implemented. This phase involves the current and existing set of measures from a legal, technical, physical and business point of view.
Phase 3 list the risk sources to the data processing.
Phase 4 analyze and list potential negative events and threats to the data processing focusing on data subjects’ personal data, and potential impact of the new processing.
Phase 5 write and present a report that summarizes the analysis, the current controls, the risks to the business and the threats to personal data.
Transfer of personal data outside Kenya
We may transfer identifiable personal data about a data subject outside Kenya. In the event that we are required to transfer any data outside of Kenya, we shall seek the necessary consent from you (where necessary). Any transfer of data will be done with adequate safeguard measures put in place to ensure that there is no risk of a data breach.
All complaints from data subjects regarding the way data is handled will be forwarded to firstname.lastname@example.org.
A complaint can be made either orally or in writing but where an oral complaint is made the designated officer will as soon as practicable reduce the oral complaint into writing.
We will investigate every complaint that we receive and get back to you within 14 days of receiving the complaint.
If you are not satisfied with the findings you have the right to appeal or to lodge a complaint to the Data Commissioner established under the Act.
Changes to our Policies
We reserve the right to update or change our Policies at any time and you should check our Website periodically. Your continued use of our services after we post any modifications to our Policies on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Policies.
If we make any material changes to our Policies, we will notify you either through the email address you have provided us, or by placing a prominent notice on our website or at our office.
The purpose of this Policy is to ensure that necessary records and documents are adequately protected and maintained, and to ensure that records that are no longer needed by Koa or are of no value are discarded at the proper time in accordance with Koa’s policies and prevailing laws and regulations. This Policy is also intended to aid employees and consultants of Koa in understanding their obligations in retaining all personal information, whether in written paper form or in electronic documents, including e-mail, Web files, text files, sound and movie files, PDF documents, and all Microsoft Office or other formatted files. All employees and consultants of Koa, contractors and external parties with access to Koa’s information systems are bound by this Policy.
Description of types of data retained
In its day to day functions Koa retains data about:
The information we retain may include:
Guidelines and Procedures
It is our intention to ensure that all records and the information contained therein are:
Documents are always retained in a secure location, with authorized personnel being the only ones to have access. Once the retention period has elapsed, the documents are either deleted, erased, anonymized or pseudonymized depending on their purpose, classification and action type.
All records retained during their specified periods are traceable and retrievable. Any file movement, use or access is tracked and logged, including inter-departmental changes. All information is retained, stored and destroyed in line with legislative and regulatory guidelines. For all data and records obtained, used and stored by Koa, we:
Where it is not possible to define a statutory or legal retention period, as per the law Koa will identify the criteria by which the period can be determined and provide this to the data subject on request.
Destruction and Disposal of Records and Data
All information of a confidential or sensitive nature on paper or electronic media must be securely destroyed when it is no longer required after a period of seven (7) years. This ensures compliance with the Data Protection Laws and the duty of confidentiality we owe to our employees, clients and customers. We are committed to the secure and safe disposal of any confidential waste and information assets in accordance with our contractual and legal obligations, and to doing so in an ethical and compliant manner.
Suspension of record disposal in event of litigation or claims
In the event Koa is served with any request for documents or any employee/consultant becomes aware of a governmental investigation or audit concerning Koa or the commencement of any litigation against or concerning Koa, such employee/consultant shall inform Koa’s Management and any further disposal of documents shall be suspended until such time as Koa’s Management, with the advice of counsel, determines otherwise. Koa’s Management shall take such steps as is necessary to promptly inform all staff of any suspension in the further disposal of documents.
Right to erasure and rectification
We recognize that data subjects have the right to request us to:
The procedure for making a request for erasure or rectification can be found in the Data Requests Procedure manual.
Retrieval of data
All requests for data shall be made by filling in a data request form, which shall be lodged with the relevant department and the designated data protection officer (where applicable). Every customer has the right to access their information held by Koa and shall be guided to do so as set out in our Policies.
Retrieval of online records shall not exceed 30 days unless there are prevailing circumstances preventing compliance, in which case the requesting customer shall be informed of the delay immediately.
Where any information requested is required for purposes of protecting the life or liberty of a person, the information shall be retrieved within 48 hours from the time of request. Koa may, where such retrieval requires an extensive search through a large amount of information and meeting the stipulated time would unreasonably interfere with its activities, or where consultations are necessary before the information is released, extend the period to not more than fourteen (14) days or as the law may provide from time to time.
Appropriate information handling is critical to the protection of customer data, employees’ information and third party information, and to the security of Koa’s operations. Any employee who does not comply with this policy shall be subject to disciplinary action. Any third party who has access to Koa’s and its customers’ information and who does not comply with this policy shall be in breach of their contractual terms and obligations. All employees and consultants shall be responsible for the implementation and maintenance of the requirements of the law and this policy. Koa shall be accountable for ensuring that appropriate security controls are identified and their compliance measured, and shall audit the security controls from time to time.
Where systems, procedures or processes are not able to meet these requirements they should be reviewed by Koa’s Management. Where an appropriate business justification exists, exceptions may be sought.