Data Protection Policy
Sipranda Capital Limited
1. INTRODUCTION
The Data Protection Act 2019 (DPA) was introduced to make provision for the regulation of the processing of Personal Data; to provide for the rights of Data Subjects and obligations of Data Controllers and Data Processors. Sipranda Capital Limited, as a Data Controller, is responsible for ensuring compliance with the data protection requirements guided by the DPA and as set out in this policy.
2. PURPOSE
The Data Protection Policy (DPP) outlines how Sipranda Capital Limited collects, handles and processes personal data, while ensuring compliance with its legal obligations under data privacy laws and regulations.
3. SCOPE
This policy sets out how Sipranda Capital Limited collects, uses, and discloses the personal data of various data subjects, irrespective of where it is stored. While this policy applies to Sipranda Capital Limited and its affiliates, each affiliate shall have its own Data Protection Policy specific to its local compliance requirements.
4. OBJECTIVES
This Data Protection Policy seeks to ensure that Sipranda Capital Limited:
- Ensures that the collection, storage and usage of personal data from all sources are regulated, in order to protect its interests and those of the Data Subjects from the risk of data breaches.
- Protects its rights and the Data Subject’s rights by ensuring that personal data collected and used is in accordance with local laws and regulations.
5. DEFINITIONS
- Data Controller means Sipranda Capital Limited.
- Data Processor(s) means a natural or legal person, public authority, agency, or other body, which processes Personal Data on behalf of the Data Controller.
- Data Protection Officer means a person appointed by Sipranda Capital Limited who shall advise the management on compliance requirements, ensure that the regulations in law and stipulated in this policy are complied with, provide advice on data protection impact assessment and be the liaison between Sipranda Capital Limited and the Data Commissioner.
- Data Subject means an identified or identifiable natural person who is the subject of personal data and includes, but is not limited to, potential, current and former employees, clients, outsourced or third-party providers and Group agents (collectively referred to as Partner(s)).
- Employee means any person employed by Sipranda Capital Limited (or any of its affiliates) in any capacity and includes any director.
- Partner(s) means a natural or legal person, public authority, agency or other body that may use Sipranda Capital Limited’s Services or provide services to Sipranda Capital Limited to support its activities and operations.
- Personal Data means any information relating to an identified or identifiable natural person.
- Sensitive Data means data that reveals the Data Subject’s race, health status, ethnic or social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details (including names of the person’s children, parents, spouse or spouses), sex, or the sexual orientation of the data subject.
- Services means the provision of all business activities engaged in by Sipranda Capital Limited.
6. REFERENCES
- Data Protection Act 2019 (DPA)
- The Data Protection (General) Regulations 2021
- ODPC Guidance Note on Data Protection Impact Assessment
- Data retention policy
- Data security breach management policy and procedures
7. RESPONSIBILITIES
- The Board of Sipranda Capital Limited has the overall responsibility to ensure that Sipranda Capital Limited’s activities resulting in the collection, storage and use of Personal Data comply with the data protection laws and regulations.
- The Data Protection Officer is responsible for ensuring:
  - Effective implementation of this policy to ensure compliance with Sipranda Capital Limited’s policies and data protection laws and regulations.
  - That any review of, and changes to, this policy are brought to the attention of the Board of Directors.
  - The initial dissemination and understanding of this policy, and of the implications of non-compliance with it, to all data subjects, and the continuous sensitization and training of data subjects as may be required.
  - Cooperation with all relevant supervisory and regulatory authorities responsible for data protection.
  - Acting as the contact point on issues relating to the processing of personal data by Sipranda Capital Limited.
  - Oversight of the implementation of other data protection policies, including but not limited to the data breach management policy and the data retention policy.
- The ICT Manager is ultimately responsible for ensuring:
  - That all systems, services and equipment used currently, or to be used in future, for processing and/or storing Personal Data adhere to internationally accepted standards of security and data safeguarding, and are regularly updated to continue to comply with such standards.
  - That appropriate, clear and regular rules and directives are issued for the use of the various systems, software, hardware and technology, whether for the entire Group or any department thereof, in accordance with the ICT policy.
  - That all employees are aware of their obligations and responsibilities in the use of any ICT resource that would be linked to Personal Data.
- All employees shall continually be responsible for ensuring the safeguarding, protection and avoidance of any unauthorised disclosure or breach of Personal Data in the execution of employment duties and services to Sipranda Capital Limited, or otherwise while rendering services or being associated with Sipranda Capital Limited.
8. DATA PROTECTION POLICY STATEMENT
Sipranda Capital Limited’s management is committed to ensuring the effective and continued implementation of this policy and expects all Employees and Business Partners to adhere to and implement this policy as may be applicable to them. Sipranda Capital Limited, by use of this policy, aims to ensure the implementation of the obligations of a Data Controller, observe the rights of Data Subjects and control the collection, storage, and use of Personal Data in accordance with the provisions of the DPA.
This policy reflects Sipranda Capital Limited’s commitment to conducting its activities in accordance with the relevant data protection laws and regulations in the regions in which it operates, and in accordance with best practice guidelines.
This policy reflects Sipranda Capital Limited’s commitment to upholding the principles of data protection as outlined in section 25 of the Data Protection Act 2019 (DPA), and further expanded on in Part V of the Data Protection Regulations 2021. These principles include:
- Data protection by design or default
- Principle of lawfulness, fairness, and transparency
- Principle of purpose limitation
- Principle of integrity, confidentiality, and availability
- Principle of data minimisation
- Principle of accuracy
- Principle of storage limitation
This policy is subject to review at least once every two years or as required due to changes in business activities or laws and regulations and any changes shall be approved by the Board of Sipranda Capital Limited.
9. PERSONAL DATA AND INFORMATION
Collection of personal data and information
Sipranda Capital Limited collects and uses certain Personal Data in order to operate and/or to provide services to Data Subjects. This includes information that is voluntarily provided; information collected automatically when a Data Subject visits, applies for employment with, is employed by, interacts with or transacts with Sipranda Capital Limited; information contained in any publicly available record; and information collected from another source with the consent of the Data Subject.
This information includes, without limitation:
- names, addresses, telephone numbers, e-mail addresses and other contact
- confidential personal data from data subjects, employees, and job candidates, such as KRA PIN number, NSSF and NHIF numbers, and National ID and passport numbers.
- car details (about those who use our car parking facilities)
- biometric information.
- bank details and other financial information, e.g., of clients who pay Sipranda Capital Limited for materials
- past, present, and prospective employees’, and biometric attendance records (including information about any special needs), and examination scripts and
- where appropriate, information about individuals’ health, and contact details for their next of
- references given or received by Sipranda Capital Limited about employees, and information provided by previous affiliated companies and/or other professionals or organisations working with
- images of employees (and occasionally other individuals) engaging in Group activities, and images captured by Sipranda Capital Limited’s CCTV system (in accordance with Sipranda Capital Limited’s policy on taking, storing, and using images of children)
Generally, Sipranda Capital Limited receives personal data from the individual directly. This may be via a form, or simply in the ordinary course of interaction or communication (such as email).
In some cases, third parties (for example another Group, or other professionals or authorities working with that individual) may supply personal data.
While collecting personal data, the following data protection principles must be observed.
- Data subject’s right to privacy – consent must be obtained unless the personal data is provided under another lawful basis.
- Lawful and transparent processing – Sipranda Capital Limited’s representatives should always ensure that data subjects are informed of the data to be collected and the purpose of collection, and that data is provided through consent or through contractual arrangements.
- Legitimate purpose – Personal data collected must be aligned to a specific purpose. That purpose must be communicated to the data subject at the point of collection.
- Minimization – Information collected should only be that which is necessary to the purpose.
- Accuracy – Validate information against identification documents at the point of collection.
Notification of collection and use of Personal Data
As per Regulation 23 of the Data Protection Regulations 2021, Sipranda Capital Limited shall publish a privacy policy on its website and other digital platforms. This policy will be reviewed at least once every two years (or more often if necessary). As far as it is practicable before collecting personal data, Sipranda Capital Limited will seek to inform the data subject of their rights, the fact that personal data is being collected, and other relevant information as laid out in section 29 of the Data Protection Act 2019 (DPA).
Use of Personal Data
Sipranda Capital Limited shall process Personal Data in accordance with Section 30 of the Data Protection Act 2019 (DPA) and recognises that processing of Personal Data shall be in accordance with the purpose of collection. Where data is not processed on the basis of the consent of the Data Subject, it will be processed in accordance with sub-section 30(1)(b) of the Data Protection Act 2019 (DPA), including where the processing is necessary to fulfil Sipranda Capital Limited’s contractual, statutory or legal obligations, and to pursue its legitimate interests. When personal data is processed in accordance with sub-section 30(1)(b) of the Act, Sipranda Capital Limited shall rely on only one legal basis at a time, which shall be established before the processing begins.
The legitimate interests of Sipranda Capital Limited include but are not limited to:
- for the purposes of client and employee selection (and to confirm the identity of prospective clients and employees)
- maintaining relationships with employees and Sipranda Capital Limited’s community, including direct marketing or fundraising activity
- for the purposes of management planning and forecasting, research, and statistical analysis, including that imposed or provided for by law (such as diversity or gender pay gap analysis and taxation records)
- to enable relevant authorities to monitor Sipranda Capital Limited’s performance and to intervene or assist with incidents as appropriate.
- to give and receive information and references about past, current and prospective employees, including relating to outstanding fees or payment history, to/from any Group that the employee worked for; and to provide references to potential employers of past employees.
- to safeguard employees’ welfare and provide appropriate care.
- to monitor (as appropriate) use of Sipranda Capital Limited’s IT and communications systems in accordance with Sipranda Capital Limited’s Acceptable Use of IT Policy
- to make use of photographic images of employees in Group publications, on Sipranda Capital Limited’s website and (where appropriate) on Sipranda Capital Limited’s social media channels in accordance with the minor model release consent form procedures.
- for security purposes, including CCTV.
- in the event of a health emergency concerning a Data Subject, to share Personal Data with health care providers.
- where otherwise reasonably necessary for Sipranda Capital Limited’s purposes, including to obtain appropriate professional advice and insurance for Sipranda Capital Limited
In addition, Sipranda Capital Limited may need to process special category personal data (concerning health, ethnicity, religion) or criminal records information (such as when carrying out background checks) in accordance with rights or duties imposed on it by law, or from time to time by explicit consent where required. These reasons may include:
- to safeguard employees’ welfare and provide appropriate counselling (and where necessary medical care), and to take appropriate action in the event of an emergency, incident, or accident, including by disclosing details of an individual’s medical condition where it is in the individual’s interests to do so, for example for medical advice, social services, insurance purposes or to organizers of Group trips.
- in connection with employment of its staff, for example background checks, welfare, or pension plans
- to run any of its systems that operate on biometric data, such as for security and other forms of employee identification.
- for legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with its legal obligations and duties of care.
As set out in the Data Protection Regulations 2021 Sub-Regulation 15(1), Sipranda Capital Limited may use Personal Data, other than sensitive personal data, collected from data subjects for the purposes of direct marketing where the data subject has consented and not made an opt-out request.
- Whenever Sipranda Capital Limited communicates with data subjects for direct marketing, Sipranda Capital Limited shall include a visible statement drawing the attention of the data subject to the fact that they may make an opt-out request.
- This opt-out mechanism must be clear, visible and easily understood, take minimal time and effort, free of charge, and easily accessible.
- Sipranda Capital Limited shall use an opt-out mechanism that provides the data subject with the opportunity to indicate their direct marketing communication preferences, including the extent to which they want to opt-out. This shall include the ability to opt out of all future direct marketing communications.
Data protection impact assessment
As per section 49(1) of the Data Protection Guidelines 2021 and section A of the ODPC Guidance Note on Data Protection Impact Assessment, Sipranda Capital Limited recognises that some processing operations could pose a high risk to the rights and freedoms of Data Subjects.
- Sipranda Capital Limited may determine that a processing operation falls within the above criteria but still consider that it is not “likely to result in a high risk”, and thus that a DPIA is not needed.
- Sipranda Capital Limited will review its existing Personal Data collection and processing operations to determine if any fall under the above criteria. Sipranda Capital Limited will then do DPIAs for any operation it deems as potentially high risk.
- Whenever Sipranda Capital Limited plans to introduce new systems and/or business processes that may result in collection and/or processing of Personal Data the relevant heads of departments or line managers must submit this to the Data Protection Officer for consideration to determine whether a DPIA is required.
- If Sipranda Capital Limited deems that a business process, technology, or processing operation is likely to result in a high risk to the rights of a Data Subject, it shall prior to the processing and implementation of such systems carry out a data protection impact assessment. This Data Protection Impact Assessment shall be conducted using the template from the ODPC guidance note on Data Protection Impact Assessments. The report of this assessment will be shared with the Board of Governors for its consideration.
With the guidance of the board of directors, Sipranda Capital Limited shall consult the Data Commissioner prior to the processing if a Data Protection Impact Assessment indicates that the processing of the data would result in a high risk to the rights and freedoms of a data subject. Sipranda Capital Limited must submit the DPIA to the Data Commissioner sixty days prior to the commencement of the processing of personal data.
Sharing and transfer of Personal Data to other parties
Sipranda Capital Limited may access and share Personal Data as follows:
- To satisfy legal and statutory obligations (such as filing returns and forms with local government, tax or law authorities or responding to a request or providing information in accordance with existing laws);
- Data Processors that host, maintain, manage, or provide other services to Sipranda Capital Limited that enable it to provide its services and pursue its legitimate interests (including those Data Processors that may be located outside the local jurisdictions where Sipranda Capital Limited or its affiliates is domiciled).
- For other legal reasons, such as to monitor compliance with and enforce Sipranda Capital Limited’s terms and conditions, protect its rights, privacy, safety, or property, and/or that of its affiliates, protect against criminal activities, and for risk management purposes; and
- Where it is necessary to protect vital interest of the employees such as in cases of sharing medical records with a medical health services provider.
For the most part, personal data collected by Sipranda Capital Limited will remain within Sipranda Capital Limited and will be processed by appropriate individuals only in accordance with access protocols (i.e., on a ‘need to know’ basis). Particularly strict rules of access apply in the context of:
- Medical records – held and accessed only by the Sipranda Capital Limited Nurse and appropriate medical staff under his/her supervision, or otherwise in accordance with express consent; and
- Counselling files – held and accessed only by the Sipranda Capital Limited Counsellor.
Employees are reminded that Sipranda Capital Limited is under duties imposed by law and statutory guidance to record or report incidents and concerns that arise or are reported to it, in some cases regardless of whether they are proven, if they meet a certain threshold of seriousness in their nature or regularity. This may include file notes on personnel or safeguarding files, and in some cases referrals to relevant authorities such as the police.
Whenever Sipranda Capital Limited shares Personal Data with a Data Processor, the parties shall enter into a contract providing that the data processor shall act only on instructions received from the data controller and shall be bound by the obligations of the data controller as specified in the Data Protection Regulations 2021.
Personal Data may be transferred outside the jurisdictions in which Sipranda Capital Limited and its affiliates are domiciled, subject to sections 48, 49, and 50 of the Data Protection Act 2019 (DPA), and sections 39-48 of the Data Protection Regulations 2021.
Further, Sipranda Capital Limited will determine if the transfer is based on one of the following permissible reasons:
- Appropriate data protection safeguards;
- An adequacy decision made by the Data Commissioner (as posted on the Data Commissioner’s website);
- Transfer as a necessity (as per section 48 of the Data Protection Act 2019 (DPA)); or
- Consent of the Data subject
In all cases where data is transferred outside Kenya, Sipranda Capital Limited shall document the transfer and provide this documentation to the Data Commissioner on request.
Storage and protection of Personal Data
Personal Data may be stored electronically or digitally, written or printed on paper, or held on other media.
- Where such data is stored on paper, it will always be kept in a secure place where an unauthorised person cannot access or see it.
- Where such data is stored electronically, it must be protected from unauthorised access, accidental deletion and any risk of exposure to malicious hacking attempts:
  - It shall be protected by strong passwords that are changed regularly and never shared between employees, in accordance with the ICT policy guidelines;
  - Removable media such as USB drives, CDs or DVDs must at all times be locked away securely when not in immediate use;
  - Storage shall be on authorised and designated drives and servers, and data shall only be uploaded to approved cloud computing services.
- All servers containing Personal Data will be in secure locations and access to such rooms and areas will be restricted to authorised persons.
- All servers and computers containing Personal Data will have approved security software, and one or more firewalls installed.
Sipranda Capital Limited shall retain Personal data for only as long as necessary to satisfy the purpose for which it was processed:
- Any data that Sipranda Capital Limited needs to retain to meet its statutory, legal, or contractual obligations will be retained for at least as long as required by those obligations.
- Any data Sipranda Capital Limited collects to pursue its legitimate interests and/or provide services in the interest of the data subject shall be retained as per the data schedule.
- As per section 19(2)(a) of the Data Protection Regulations 2021, Sipranda Capital Limited shall establish a personal data retention schedule that defines these timelines and provides for an audit of the personal data retained every 2 years. This audit shall identify the best course of action where the retention period for personal data lapses, including anonymising or pseudonymising the data or deleting the data.
Processing sensitive personal data
Sipranda Capital Limited will process Sensitive Personal Data in accordance with the Data Protection Act. Sipranda Capital Limited will process sensitive data if:
- The processing is carried out in the usual course of legitimate activities with appropriate safeguards.
- The processing relates solely to the employees who have regular contact with Sipranda Capital Limited and such personal data is not disclosed outside Sipranda Capital Limited without the consent of the data subject.
- The processing relates to personal data that has been made public by the data subject; and
- Processing is necessary for the establishment, exercise or defence of a legal claim; for carrying out the obligations and exercising the specific rights of the controller or of the data subject; or for protecting the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent.
In processing sensitive personal data, Sipranda Capital Limited shall have regard to the risk of significant harm that may be caused to a data subject, confidentiality attached to such personal data, significant harm that may be caused to a discernible class of data and adequacy of protection in place to safeguard such sensitive personal data.
10. NOTIFICATION AND COMMUNICATION OF A PERSONAL DATA BREACH
As per section 43 of the Data Protection Act 2019 (DPA) and section 38 of the Data Protection Guidelines 2021, where personal data has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorised access, a data controller shall:
- Notify the Data Commissioner within 72 hours of becoming aware of the breach.
- Record important information relating to the breach, including the facts relating to the breach, its effects, and the remedial action taken. Sipranda Capital Limited shall communicate the breach to the data subject within a reasonably practicable time unless the identity of the data subject cannot be established.
- Communication of such breaches or unauthorised access to Data Subjects will not be required where Sipranda Capital Limited has appropriate security measures including encryption of Personal Data.
- The Data Controller may delay or restrict the communication to the data subject referred to above as necessary for the purposes of prevention, detection, or investigation of an offence.
Refer to the breach management policy and procedures manual for more details.
11. ENABLING THE RIGHTS OF THE DATA SUBJECT
Sipranda Capital Limited recognises the rights of the Data Subject as laid out in the Data Protection Act 2019 (DPA) and further expanded on in the Data Protection Regulations 2021 Part II. Sipranda Capital Limited seeks to uphold these rights and to act in a transparent manner when obtaining and processing Personal Data.
A data subject may request Sipranda Capital Limited to:
- restrict the processing of their personal data.
- not to process all or part of their personal data, for a specified purpose or in a specified manner
- provide confirmation as to whether personal data concerning them is being processed, and, where that is the case, access to the personal data.
- rectify their personal data, which is untrue, inaccurate, outdated, incomplete or misleading.
- port or copy their personal data from Sipranda Capital Limited to another data controller or processor.
- erase or destroy personal data held by Sipranda Capital Limited
Objection to processing
Whenever a data subject objects to the processing of their data, management must ensure the objection is complied with. All received objections (written or oral) must be recorded in a record maintained by the DPO. In cases where data has been shared with third parties, the DPO must communicate the data subject’s request to them within 7 days of receipt of the request. It will be the DPO’s responsibility to ensure that the third party complies with the request and to communicate back to the data subject within the given time (14 days from receipt of the request).
Personal data access and portability
Sipranda Capital Limited shall provide access to personal data and, where the data subject requires copies of the data, the DPO shall provide that access within 14 days and provide copies (if needed) within 30 days as provided by the law. Should the copies required include other data subjects’ personal data, the DPO must ensure that either the remaining data is masked/deleted or only the required information is extracted. Unless the cost of providing that data is significant, Sipranda Capital Limited shall not charge any fees. The significance of that cost shall be determined by the [designated person] and approved by [designated person]. Where a portability request is declined for whatever reason, the DPO shall communicate the decision and the reasons to the data subject within 7 days from the date of the request. All requests, to be processed, shall be submitted in the format prescribed in the Data Protection (General) Regulations, 2021.
Personal data rectification or erasure
The DPO shall oversee the recording and processing of requests for rectification or erasure of personal data. Such requests must be acted on within 14 days and the outcome communicated back to the data subject. The DPO shall maintain a record of all requests and indicate the actions taken by Sipranda Capital Limited. All requests, to be processed, shall be submitted in the format prescribed in the Data Protection (General) Regulations, 2021. Sipranda Capital Limited shall update its systems and processes to enable it to comply with the above rights of the Data Subject.
12. LINKS TO DIGITAL CHANNELS
The Sipranda Capital Limited website, or any other digital platform through which its information is accessed, may contain links to other websites. Sipranda Capital Limited is not responsible for the privacy or information security practices of other websites. The Data Subject is advised to carefully review the applicable privacy and information security policies and notices of any other websites he/she uses.
13. SECURITY AND PROTECTION
Sipranda Capital Limited uses appropriate technical and organizational measures to safeguard Personal Data within the organization against loss, theft, breach, and unauthorized use, disclosure, or modification. Only the Data Controller or Data Processor shall be entitled to access Personal Data. Employees may be authorised from time to time to access Personal Data if it is deemed necessary in the execution of their work or required outputs.
14. COMPLIANCE
All Employees are expected to comply with the Data Protection Policy both during their employment and, to the extent applicable, after separation from Sipranda Capital Limited. Any breach of this policy may result in disciplinary action in the case of Employees, or in Sipranda Capital Limited pursuing any legal redress available under law or contractual terms in the case of Sipranda Capital Limited’s Partners.