KWAL PRIVACY NOTICE (CUSTOMER AND SUPPLIER INFORMATION)
Purpose of this policy
Kenya Wine Agencies Limited (“KWAL”) is committed to protecting the privacy and security of your personal information. The Data Protection Act 2019 (DPA) is a Kenyan law, effective 25th November 2019, which governs the collection, processing and protection of personal data.
This privacy notice describes how we collect and use personal information about you during and after your business relationship with us, in accordance with the DPA.
This notice is subject to periodic review and may change from time to time. In these instances, you will be provided with an updated copy.
As your business partner, KWAL has the responsibility to collect, keep and process information about you for normal business purposes. The information we hold and process will be used for our management and administrative use only. The information is kept and used to enable us to run the business, to meet various administrative and legal obligations (e.g. tax purposes) and manage our relationship with you effectively, lawfully and appropriately, during the registration process, whilst you have a business relationship with us, at the time when our business relationship ends and after it has ended.
This includes using information to enable us to perform and comply with the business contract, to comply with any legal requirements, pursue the legitimate interests of KWAL and protect our legal position in the event of legal proceedings. If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.
PERSONAL DATA HELD BY US
The personal information we hold is primarily information you provided when applying for your initial position, supplemented by information generated during onboarding and in the course of your employment. This may include the following:
a) Your name and surname;
b) Your photograph;
c) Your contact details (e.g. physical address, contact number, mobile number, email address);
d) Date of birth / Identification number / Passport number;
e) Supporting documentation (copies of ID and/or passport);
f) Banking details (for payments);
g) KRA PIN*;
h) Details and documents of your business size and experience;
i) Your application;
k) Business Contract;
l) Driving license, driving test reports, police clearance certificates of your employees (if required);
m) Immigration compliance (if required);
n) Conflict of Interest declarations;
o) Performance reviews;
p) Accidents at our premises (health and safety obligations);
q) Training provided and obtained for your employees, including assessments and certifications;
r) CCTV footage and other information obtained through electronic means for security and access control such as identification documents, fingerprints for biometric access, access readers for vehicles and swipe card records;
s) Information about your use of KWAL information and communications systems, such as the website.
INFORMATION COLLECTION AND USE
We collect, process and store your personal information for the following purposes:
a) To perform our contractual obligations to you;
b) To comply with the law and maintain correct business records;
c) To conduct necessary reference checks;
d) As required by legislative and regulatory requirements (including audit and record keeping requirements);
e) To provide physical access to the Company premises for all business partners and their employees or agents, and to parts of the premises based on our business relationship;
f) To provide IT access to company IT equipment, systems and data if required based on our business relationship;
g) For communication purposes such as for training offered and/or that you may have offered your employees relevant to our business relationship;
h) For administrative purposes (e.g. in order to process payments to you, statutory payments, check policy compliances);
i) To conduct performance reviews, manage performance and determine performance requirements based on the relationship;
j) To monitor any use of KWAL information and communication systems to ensure compliance with our ICT policies and ICT security.
SHARING AND TRANSFER OF INFORMATION
We may share personal data with the following sources for the purposes stated above or where we are legally required to do so:
a) Board of Directors;
b) Distell Limited South Africa;
c) Referrals, during the application and registration process;
d) Business partners and service providers (e.g. company bankers, industry bodies, insurance brokers and insurers in relation to any insurance claims);
e) Regulators (e.g. KRA, DOSH*);
g) Company consultants providing services (e.g. trainers, coaches, mentors, security services providers);
h) External and internal auditors.
We share your personal data with Distell Limited South Africa, which is the parent company of KWAL. This will involve transferring your data outside Kenya. Whenever we transfer your personal data out of Kenya, we ensure a similar degree of protection is afforded to it and that there are appropriate safeguards with respect to the security and protection of personal data.
Any personal data collected under this policy shall be processed in accordance with KWAL’s Data Protection Policy.
To ensure that your personal information receives an adequate level of protection, we will put in place appropriate safeguards.
RETENTION OF RECORDS
We will keep your personal data only as long as is necessary for the purpose(s) for which it was collected and to protect KWAL's legal position in the event of legal proceedings, and in accordance with KWAL policies. Data will be securely destroyed when no longer required.
a) Under the Data Protection Act 2019 (DPA) you have a number of rights with regard to your personal data. You have the right:
i. to be informed of the use to which your personal data is to be put,
ii. to access your personal data in KWAL custody or custody of a data processor,
iii. to object to the processing of all or part of your personal data,
iv. to correction of false or misleading data,
v. to deletion of false or misleading data about you,
vi. in certain circumstances, the right to data portability.
b) The law permits us to process your personal data for the performance of our business contract and to allow us to comply with legal obligations to which we are subject. However, there may be circumstances where we do ask you for consent for a particular processing activity. In these limited instances only, if you have provided consent for the processing of your data, you have the right to withdraw that consent at any time, which will not affect the lawfulness of the processing before your consent was withdrawn.
c) Personal data shall be collected directly from you except in the following circumstances:
i. the data is contained in a public record;
ii. you have deliberately made the data public;
iii. you have consented to the collection from another source;
iv. you have an incapacity and the guardian appointed has consented to the collection from another source;
v. the collection from another source would not prejudice your interests;
vi. collection of data from another source is necessary:
– for the prevention, detection, investigation, prosecution and punishment of crime;
– for the enforcement of a law which imposes a pecuniary penalty; or
– for the protection of your interests or those of another person.
d) You have the right to lodge a complaint to the Data Commissioner under the DPA if you believe that we have not complied with the requirements of the DPA with regard to your personal data.
DATA PROTECTION CONTACT
If you have any questions about this privacy notice, please contact Doris Thangei, Legal Services Director: email@example.com or the HR Director Rosemaryngayu@kwal.co.ke
*KRA - Kenya Revenue Authority
*DOSH - Directorate of Occupational Safety and Health Services