1. Introduction
Kweli Capital is committed to protecting the privacy and security of personal data. This policy outlines how we collect, use, store, and protect personal data in compliance with the Kenyan Data Protection Act, No. 24 of 2019, and any other applicable data protection laws and regulations.
2. Scope
This policy applies to all employees, contractors, and third-party service providers who handle personal data on behalf of Kweli Capital. It covers all personal data processed by the company, including but not limited to client data, employee data, and supplier data.
3. Definitions
3.1. Personal Data - Any information relating to an identified or identifiable natural person.
3.2. Data Subject - An individual whose personal data is being processed.
3.3. Data Controller - The entity that determines the purposes and means of processing personal data.
3.4. Data Processor - The entity that processes personal data on behalf of the Data Controller.
3.5. Processing - Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
4. Principles of Data Protection
4.1. Lawfulness, Fairness, and Transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject. Kweli Capital ensures that data subjects are informed about the processing of their personal data, including the purpose of processing, data retention periods, and any third parties with whom data is shared.
4.2. Purpose Limitation: Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Kweli Capital only collects personal data for legitimate business purposes and ensures that data is not used for purposes outside the scope of the original intent without obtaining additional consent from the data subject.
4.3. Data Minimization: Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Kweli Capital ensures that only the necessary amount of personal data is collected and processed, avoiding excessive or irrelevant data collection.
4.4. Accuracy: Personal data shall be accurate and, where necessary, kept up to date. Inaccurate personal data shall be erased or rectified without delay. Kweli Capital maintains mechanisms for data subjects to update their personal data and ensures regular reviews of data accuracy.
4.5. Storage Limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Kweli Capital implements data retention policies to ensure personal data is deleted or anonymized when it is no longer needed.
4.6. Integrity and Confidentiality: Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using appropriate technical or organizational measures. Kweli Capital employs strong security measures, including encryption, access controls, and regular security audits, to protect personal data.
4.7. Accountability: The data controller shall be responsible for, and able to demonstrate, compliance with these principles. Kweli Capital maintains records of its data processing activities and conducts regular audits to ensure compliance with data protection laws.
5. Rights of Data Subjects
5.1. Right to be Informed: Data subjects shall be informed of the use to which their personal data is to be put. Kweli Capital provides clear and accessible information about data processing activities in its privacy notices and consent forms.
5.2. Right of Access: Data subjects have the right to access their personal data held by the data controller. Kweli Capital has procedures in place for data subjects to request access to their personal data and receive responses within statutory timeframes.
5.3. Right to Object: Data subjects have the right to object to the processing of all or part of their personal data. Kweli Capital respects the right of data subjects to object and provides mechanisms for them to do so, unless there are compelling legitimate grounds for the processing.
5.4. Right to Correction: Data subjects have the right to correct false or misleading data. Kweli Capital ensures that data subjects can update their personal data and correct inaccuracies.
5.5. Right to Deletion: Data subjects have the right to request the deletion of false or misleading data about them. Kweli Capital honors requests for data deletion, provided there are no overriding legitimate grounds for retaining the data.
5.6. Right to Restriction of Processing: Data subjects have the right to request the restriction of processing of their personal data under certain conditions. Kweli Capital allows data subjects to restrict the processing of their data in specific circumstances, such as when the accuracy of the data is contested.
5.7. Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. Kweli Capital facilitates data portability requests where applicable.
6. Lawful Processing of Personal Data
6.1. Consent: The data subject has given consent to the processing of their personal data for one or more specific purposes. Kweli Capital obtains explicit consent from data subjects for specific processing activities and ensures that consent is freely given, informed, and revocable.
6.2. Contract: Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
6.3. Legal Obligation: Processing is necessary for compliance with a legal obligation to which the data controller is subject.
6.4. Vital Interests: Processing is necessary to protect the vital interests of the data subject or another natural person.
6.5. Public Interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
6.6. Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
7. Data Protection Impact Assessment (DPIA)
Before undertaking processing that is likely to result in a high risk to the rights and freedoms of data subjects, Kweli Capital conducts a DPIA that contains:
7.1. Description of Processing Operations: A systematic description of the envisaged processing operations and the purposes of the processing.
7.2. Necessity and Proportionality Assessment: An assessment of the necessity and proportionality of the processing operations in relation to the purposes.
7.3. Risk Assessment: An assessment of the risks to the rights and freedoms of data subjects.
7.4. Risk Mitigation Measures: The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data.
8. Data Breach Notification
8.1. Notification to Data Commissioner: Kweli Capital shall notify the Data Commissioner without delay, and in any case within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected data subjects. The notification shall include the nature of the personal data breach, the categories and approximate number of data subjects affected, the categories and approximate number of personal data records affected, the contact details of the DPO, the likely consequences of the breach, and the measures taken or proposed to address the breach.
8.2. Communication to Data Subjects: Kweli Capital shall communicate the data breach to the affected data subjects in writing and without undue delay when the breach is likely to result in a high risk to their rights and freedoms, providing clear and specific information about the breach and advice on how to mitigate its potential adverse effects.
9. Data Protection Officer (DPO)
9.1. Monitoring Compliance: The DPO is responsible for overseeing the implementation of this policy and ensuring compliance with the Kenyan Data Protection Act and other applicable data protection laws.
9.2. Point of Contact: The DPO serves as the point of contact with the Data Commissioner and data subjects for any issues related to data protection.
9.3. Training and Awareness: The DPO conducts regular training and awareness programs for employees on data protection principles and practices.
9.4. Advising on DPIAs: The DPO advises on the necessity and execution of Data Protection Impact Assessments.
10. Data Security
10.1. Pseudonymization and Encryption: Kweli Capital implements pseudonymization and encryption of personal data to protect against unauthorized access.
10.2. Access Controls: Kweli Capital ensures that only authorized personnel have access to personal data, based on the principle of least privilege.
10.3. Data Backup: Kweli Capital regularly backs up personal data and maintains secure backup storage to ensure data can be restored in case of data loss incidents.
10.4. Security Measures: Kweli Capital ensures the ongoing confidentiality, integrity, availability, and resilience of processing systems and services through regular security assessments and the implementation of robust security protocols.
10.5. Incident Response Plan: Kweli Capital develops and maintains an incident response plan to address data breaches and security incidents promptly and effectively.
10.6. Regular Testing: Kweli Capital regularly tests, assesses, and evaluates the effectiveness of its technical and organizational measures for ensuring the security of processing, including penetration testing and security audits.
11. Data Retention and Disposal
11.1. Retention Schedule: Kweli Capital establishes and adheres to a data retention schedule that specifies retention periods for different types of personal data.
11.2. Secure Disposal: Kweli Capital implements procedures for the secure disposal of personal data that is no longer needed, ensuring that the data is rendered irretrievable.
11.3. Regular Review: Kweli Capital conducts regular reviews of retained personal data to ensure compliance with retention policies and legal requirements.
12. Third-Party Processing
12.1. Due Diligence: Kweli Capital conducts due diligence on third-party service providers to assess their data protection practices.
12.2. Data Processing Agreements: Kweli Capital enters into data processing agreements with third-party service providers, outlining their data protection obligations, including data security, confidentiality, and data breach notification requirements.
12.3. Monitoring and Audits: Kweli Capital regularly monitors and audits third-party service providers to ensure ongoing compliance with data protection requirements.
13. Data Protection Training
13.1. Induction Training: Kweli Capital provides data protection training to new employees as part of their induction process.
13.2. Ongoing Training: Kweli Capital conducts regular refresher training sessions for all employees to keep them updated on data protection practices and legal requirements.
13.3. Specialized Training: Kweli Capital offers specialized training for employees handling sensitive personal data or involved in high-risk processing activities.
14. Review and Update of the Policy
14.1. Annual Review: This policy is reviewed annually and updated as necessary to ensure continued compliance with the Kenyan Data Protection Act and other relevant laws and regulations.
14.2. Communication of Changes: Changes to the policy are communicated to all employees, contractors, and third-party service providers.
15. Compliance and Enforcement
15.1. Preventive Measures: Kweli Capital implements robust data protection practices and procedures to prevent data breaches and ensure compliance.
15.2. Detective Measures: Kweli Capital conducts regular audits and monitoring to detect potential compliance issues and data breaches.
15.3. Corrective Measures: Kweli Capital takes prompt corrective action in response to identified compliance issues or data breaches, including disciplinary action against employees who violate this policy.
For any questions or concerns regarding this policy or data protection practices at Kweli Capital, please contact us.
This Data Protection Policy is hereby approved and adopted by Kweli Capital. This document reaffirms our commitment to maintaining the highest standards of regulatory compliance and ethical conduct.