Skip links

Data Policy

Data Protection Policy

1. Purpose and Scope
1.1. Purpose

United Winners Sacco values customer information privacy and we aim to ensure that we are
up-to date with the recent developments in Data Protection, the Data Protection Act which
came into force in 2019.

1.2. Scope
This policy is meant to guide United Winners Sacco, it’s employees and where applicable
partners in how to ensure compliance with the Data Protection laws and other laws relating to the privacy of personal data.

2. Definitions
2.1. Personal data: Any information relating to an individual who can be directly or
indirectly identified. This might be by reference to an identifier, such as a name, an
identification number, location data, and an online identifier, or to one or more
factors specific to the identity of that individual.

2.2. Sensitive personal data: Personal data which reveals any of the following
“sensitive categories” about a data subject’s:

  • Race
  • Ethnic social origin
  • Health status
  • Conscience
  • Belief
  • Genetic or biometric data
  • Property details
  • Marital status
  • Family details
  • Spouse or spouses
  • Sex or the sexual orientation

2.3. Data subject: This means an identified or identifiable natural person who is the subject of personal data.

2.4. Processing: Any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, alteration, retrieval, dissemination, restriction, erasure or destruction.

2.5. Anonymized data: Data that was once personal but has been converted into a form in which it no longer identifies individuals, and where the likelihood of reidentification of individuals (by TransUnion or anybody else) is reasonably impossible.

2.6. Pseudonymized data: Personal data that has been modified so the information in it cannot be attributed to individuals without the use of additional information that is kept separately and is subject to appropriate technical and organizational measures
to ensure it’s not used to re-identify the relevant data subjects.

2.7. Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.

2.8. Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

2.9. Data Protection Act, 2019 and implementing regulations, 2021: The Data Protection Act, 2019 is a Kenyan law on data protection and privacy. 

2.10. Data Protection Commissioner: The national data protection authority for the Kenya; a local regulator for data protection law.

3. Data protection principles United Winners Sacco is committed to processing data in accordance with its responsibilities under the Data Protection Act including the principles. The Data Protection Act has laid out principles that guide the processing of personal data and

a. Right to Privacy: processing of personal data shall be in accordance with the right to privacy of the data subject.
b. Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals;
c. Legal basis: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
d. Data Minimisation: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
e. Accuracy: personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
f. Storage Limitation: personal data shall be kept in a form which kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected; and 

g. Cross border data transfer: not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

1.1. Lawful, fair and transparent processing

a. To ensure processing of data is lawful,fair and transparent, the Organization shall maintain an inventory of processing activities.
b. The Register of Systems and processing activities shall be reviewed at least annually or upon the introduction of any new product/ solution or when the business procures new data from a data subject or a new data provider.
c. Individuals have the right to access their personal data and any such requests made to the Organization shall be dealt with in a timely manner.

1.2. Lawful purposes
a. All data processed by the Organization must be done on one of the following lawful bases:
i. Consent: the data subject should have consented to processing for one or more specified purposes.
ii. Necessity
a) Contract:for the performance of a contract in which the data subject is a party or where the data subject requires the same prior to entering into a contract.
b) Legal obligation: if the processing is in compliance with a legal obligation in which the Data Controller is subject.
c) Vital interests: in order to protect the vital interests of the data subjects or other natural person.
d) Public interest: for the exercise, by any person in the public interest, of any other functions of a public nature.
e) Legitimate interests: for the legitimate interests pursued by the data controller by a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests
of the data subject
b. The Organisation shall note the appropriate lawful basis in the inventory of processing activities.
c. Where consent is relied upon as a lawful basis for processing data, evidence of opt- in consent shall be kept with the personal data.
d. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the
Organisation’s systems.

1.3. Data minimisation
a. The Organisation shall ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

1.4. Accuracy
a. The Organisation shall take reasonable steps to ensure personal data is accurate.
b. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.

1.5. Archiving / removal
a. To ensure that personal data is kept for no longer than necessary, the Organisation shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
b. The organisation shall also maintain a data retention schedule which shall detail the periods for which data is retained in the organisation’s systems.
c. The archiving policy shall consider what data should/must be retained, for how long, and why.

4. Security
a. The Organisation shall ensure that personal data is stored securely using modern software that is kept-up-to-date.
b. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information. The business shall maintain a record for who and what access is given to each employee. The organisation shall also consider having a timeline lapse for such access given.
c. When personal data is deleted, this should be done safely such that the data is irrecoverable. However, there should be an audit trail for who, why, when and how the deletion happened.
d. Appropriate back-up and disaster recovery solutions shall be in place.

5. Breach
This policy is meant to ensure that personal data is not exposed to risk however, it is impossible to be immune to breach. Therefore, In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Organisation shall promptly assess the risk to data subject’s rights and freedoms and report this breach to the Office of the Data Protection Commissioner pursuant to the Data Protection Act.

6. Data Subject Rights
7.1. Information
A data subject has a right to be informed of the use for which their personal data is put.

7.2. Access
A data subject as a right to request for information held regarding them by a data controller or data processor. They are also entitled to information as to:
a) The purposes for the processing of their data;
b) Categories of personal data concerned;
c) Recipients of the information whether in the past, present or the future. These should also include recipients abroad.;
d) The retention period for the personal data. If this cannot be provided then a criterion that will be used to determine the period; and
e) Where information is not collected from the data subject, the source of the information should be provided.

7.3. Portability
A data subject has a right to port or copy their data or have their right transferred from one Data Controller or Processor to another.

7.4. Withdrawal of consent
A data subject shall have a right to withdraw their consent to the processing of their personal data at any time.

7.5. Rectification
A data subject may request the rectification of information which is: misleading, untrue, incomplete, inaccurate, outdated or incomplete. This request shall not be subject to any charges.

7.6. Restriction
A data subject has a right to request for the restriction of the processing of all or part of their personal data under the following grounds:
a) Where they contest the accuracy of their personal data;
b) Where personal data has been processed unlawfully and the data subject does not want the information deleted but requests for restriction instead;
c) Where we need the information for the establishment, exercise or defence of a legal claim;
d) Where a data subject has objected to the processing of their data but we are considering legitimate grounds for such processing.

7.7. Objection
A data subject is entitled to object to the processing of all or part of their data. Where processing is for direct marketing purposes, this serves as an absolute right.

7.8. Deletion
Also referred to as the right of erasure, a data subject has a right to request a data
controller or processor to delete or erase personal information they hold where:
a) The personal data is no longer necessary for the purpose for which it was collected;
b) The data subject withdraws the consent which was the legal basis for which the data was processed;
c) The data subject objects to the processing of the data and no overriding interest is present for the processing of the data;
d) The data subject objects to the processing of personal data for direct marketing activities;
e) The processing is unlawful;
f) Erasure is necessary to comply with a legal obligation.

7.9. Automated Decision Making
Data subjects have a right not to be subjected to automated decision making including profiling.

7. General provisions
a. This policy applies to all personal data processed by the Organisation.
b. The Responsible Person shall take responsibility for the Organisations’ ongoing compliance with this policy.
c. This policy shall be reviewed at least annually.
d. The Organization shall register with the Office of the Data Protection Commissioner as an organization that processes personal data.

🍪 This website uses cookies to improve your web experience.
Contact Us