Privacy Policy
How we protect your data and respect your privacy in Kenya.
Onfon Mobile Privacy Policy - Kenya
01INTRODUCTION
In a changing technical world, majority of jurisdictions values the Privacy and the Protection of Personal Data. All the actors involved in the management of Personal Data are expected to respect the requirements of safeguarding Personal Data. Through the various legislations passed into law the world over is committed to protecting the privacy of individuals.
The aim of this policy is to protect personal data in order to guard against misuse and to eliminate the unwarranted invasion of privacy. The fundamental principles of the policy have been largely informed by global practices and the need to bridge the gaps that exist in contextualizing privacy and data protection in technological environment in Kenya.
02POLICY STATEMENT
Onfon Mobile Limited is committed to complying with all relevant jurisdictions, legislation and applicable global legislations. Onfon Mobile recognises that the protection of individuals through lawful, legitimate, and responsible processing and use of their personal data is a fundamental human right.
03PURPOSE
The policy provides guidance on how Onfon Mobile staff will handle the data it collects. It helps the company comply with the data protection law, protect the rights of the data subjects and protects Onfon Mobile from risks related to breaches of data protection.
Understand Laws
Staff members should be knowledgeable about data privacy laws like GDPR, CCPA, etc.
Data Collection
Only collect data necessary for legitimate business purposes with consent.
Storage & Security
Store data in secure environments with encryption and access controls.
Data Retention
Establish clear policies for data retention and deletion.
Access Control
Limit access on a need-to-know basis with role-based permissions.
Incident Response
Report any breaches or suspicious activities promptly.
04SCOPE
The policy applies to:
- Employees, Trustees, implementing partners, vendors, and contractors.
- All data subjects, whether resident in our jurisdictions or not.
- All formats including printed, digital, text, images, and audio.
05DEFINITIONS
Data Controller
Entity which determines the purpose and means of processing.
Data Processor
Entity which processes personal data on behalf of the controller.
Data Subject
Identified or identifiable natural person who is the subject of data.
Sensitive Data
Reveals race, health, ethnicity, beliefs, genetics, or sexual orientation.
06PRINCIPLES
Onfon Mobile will ensure that data is:
Processed lawfully, fairly and transparently.
Collected for specified, explicit purposes.
Adequate, relevant and limited to necessity.
Accurate and kept up to date.
Stored no longer than necessary.
Processed with security and integrity.
07. LEGAL GROUNDS
Processing is performed under legal mandates or explicit user consent.
08. DUTY TO NOTIFY
Data subjects have the right to:
- Be informed of how data is used.
- Access their data in our custody.
- Object to processing of their data.
- Correct or delete false information.
09. LAWFUL & FAIR PROCESSING
Processing is lawful only where the data subject has given consent or for contract performance, legal obligations, or public interest.
11. ACCURACY OF DATA
We ensure data is accurate, corrected, or deleted without delay. Inaccurate records are destroyed promptly.
12. SAFEGUARDS & SECURITY
Measures are instituded in our Information Security policy to safeguard personal data.
13. CHILDREN'S DATA
No processing of child data without parental/guardian consent and strict protection mechanisms.
14. IMPACT ASSESSMENT
Assessments are carried out for high-risk processing operations by the DPO.
15. SENSITIVE PERSONAL DATA
Processed only for legitimate activities with safeguards or if public/required for legal claims.
16. TRANSFERRING DATA OUT
Data transfer outside Kenya only occurs with appropriate security measures and legal proof.
17. ONWARD REPORTING
Breaches are reported to the DPO within 72 hours and to the subject as soon as practical.
18. TRAINING & AWARENESS
All staff undergo induction and regular training on data privacy policies.
19. GRANTEES & PARTNERS
Partners must report breaches within 48 hours and abide by strict safeguard mechanisms.
20. ROLES & RESPONSIBILITIES
The CEO and COO are responsible for policy awareness. The PIC provides governance oversight.
21. INDEPENDENT ASSURANCE
Effectiveness is subject to regular internal audit reviews and potential external audits.
22. DATA RETENTION
Retention periods are determined by legitimate needs and documented decision making.
23. POLICY REVIEW
Reviewed every two years by the COO and approved by Trustees.