PRIVACY AND DATA PROTECTION POLICY - 2025

 

1. INTRODUCTION

Okavya recognizes the importance of collecting and utilizing personal information in order to fulfill its mandate and carry out its day-to-day operational activities. We collect personal data from various sources, including users, service providers, partners and affiliates. This data encompasses information such as names, email addresses, phone numbers and identification numbers. It is Okavya’s steadfast commitment to process all personal information in compliance with the Data Protection Laws. The purpose of this policy is to establish a framework that enables Okavya to meet its legal and statutory obligations under data protection laws. This policy sets forth clear principles and procedures for the collection, use, storage, disclosure, transfer, and disposal of personal data. By adhering to these guidelines, Okavya aims to ensure the protection, privacy, and security of personal data in its possession. This policy serves as a commitment to responsible data management practices, as well as the promotion of transparency, accountability, and compliance within Okavya.

 

2. APPLICABILITY AND SCOPE

This Privacy and Data Protection Policy applies to all individuals and entities who directly or indirectly interact with Okavya, including but not limited to its employees (whether permanent, fixed term, or temporary, working onsite or remotely), service providers, and users, among others. It encompasses all operations, processes, and systems involving the collection, use, storage, transfer, disclosure and disposal of personal and sensitive personal data collected and processed by Okavya, regardless of the format or medium in which it is stored. To ensure ongoing compliance, this policy is subject to regular review and updates to align with changes in applicable laws, regulations, and best practices in the field of privacy and data protection. Compliance with this policy is mandatory. All personnel, individuals and entities acting on behalf of Okavya falling within the scope of this policy are expected to comply with its provisions.

 

3. POLICY STATEMENT

Okavya is committed to upholding privacy and protecting the personal data of its users, employees, service providers, partners, and all individuals with whom it interacts.  This Privacy and Data Protection Policy Statement serves as a testament to Okavya’s unwavering commitment to maintaining the highest standards of privacy and data protection. It underscores Okavya’s determination to comply with applicable laws and regulations while fostering an environment of trust and transparency in our data practices.

Okavya is committed to ensuring that:

  i. It adheres to the principles of privacy and data protection and respects the rights of data subjects.

  ii. Data subjects are provided with clear and transparent information regarding the purpose of collecting and processing their personal data.

  iii. Every practice, function, and process carried out by Okavya is monitored to ensure compliance with data protection laws and principles.

  iv. Personal data is processed only when it has been verified and meets the requirements for lawful processing.

  v. All staff, individuals, and entities acting on behalf of Okavya are aware of their obligations regarding privacy and data protection and receive training on relevant laws, principles, regulations, and guidelines.

  vi. Robust controls and procedures are in place for managing and handling data breaches and complaints related to data protection, including identification, investigation, review, and reporting.

  vii. Auditing and monitoring programs are established to regularly assess the acquisition, usage, storage, transfer, sharing, and disposal of personal data processed by Okavya.

  viii. Employees are informed of their own privacy and data protection rights.

  ix. A record of processing activities is maintained to ensure transparency and accountability.

  x. Appropriate technical and organizational measures and controls are developed, documented, and implemented to ensure the security of personal data, supported by a robust information security program.

 

4. DEFINITIONS

“Act” means the Data Protection Act (Act No. 24 of 2019).

“Consent” means any manifestation of express, unequivocal, free, specific and informed indication of the data subject's wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.

“Data breach” is a security breach leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. This definition extends to breaches that result from malicious conduct, lack of appropriate security controls, system or human failure, or error.

“Data controller” is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.

“Data processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

“Data protection laws” means the Constitution of Kenya, the Data Protection Act and any other statutory provision relating to privacy and data protection having force in Kenya from time to time.

“Data subject” is an identified or identifiable natural person who is the subject of personal data.

“Encryption” is the process of converting the content of any readable data using technical means into coded form.

“Personal data” is any information relating to an identified or identifiable natural person.

“Processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:

(a) collection, recording, organization, structuring;

(b) storage, adaptation or alteration;

(c) retrieval, consultation or use;

(d) disclosure by transmission, dissemination, or otherwise making available; or

(e) alignment or combination, restriction, erasure or destruction.

“Sensitive personal data” means data revealing the natural person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person's children, parents, spouse or spouses, sex, or the sexual orientation of the data subject.

“Service provider” is…………….

“Third Party” means a natural or legal person, public authority, agency or other body, other than the data subject, data controller, data processor or persons who, under the direct authority of the data controller or data processor, are authorized to process personal data.



5.    DATA PROTECTION PRINCIPLES

5.1 Lawfulness, Fairness, and Transparency: Okavya will process personal data in a lawful, fair, and transparent manner. Personal data will only be collected for specified, explicit, and legitimate purposes, and individuals will be informed of the purposes and legal basis for processing their data.

5.2  Purpose Limitation: Personal data collected by Okavya will be used only for the purposes for which it was collected unless further processing is required for a lawful purpose compatible with the original purpose.

 

5.3 Data Minimization: Okavya will collect and process only personal data that is adequate, relevant, and necessary for the specified purposes. Personal data will not be retained for longer than is necessary to fulfill those purposes.

 

5.4 Accuracy: Okavya will take reasonable steps to ensure that personal data is accurate, complete, and up-to-date. Individuals will have the right to rectify or update their personal data held by Okavya.

 

5.5 Security: Okavya will implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration. Okavya will regularly assess and evaluate the effectiveness of these measures to ensure the ongoing security of personal data.

 

5.6 Accountability: Okavya is responsible for ensuring compliance with this policy and applicable data protection laws. Okavya will maintain records of its data processing activities and conduct regular audits to assess compliance.

 

6. DUTY TO NOTIFY


Okavya acknowledges its duty to provide data subjects with essential information prior to collecting their data. This includes the following:

6.1 The rights granted to data subjects as specified under Section 26 of the Act;

6.2 The acknowledgment that personal data is being collected by Okavya;

6.3 The purpose for which the personal data is being collected;

6.4 The identity of any third parties to whom the personal data has been or will be transferred, along with details of the safeguards implemented to protect the data;

6.5 The contact information of Okavya and any other relevant entities that may receive the collected personal data;

6.6 A description of the technical and organizational security measures implemented by Okavya to ensure the integrity and confidentiality of the data;

6.7 The legal basis for collecting the data, including any statutory requirements, and whether the collection is voluntary or mandatory; and

6.8 The potential consequences if a data subject fails to provide all or any part of the requested data.


7.    DATA SUBJECTS’ RIGHTS

Okavya acknowledges and upholds the rights of data subjects as an integral aspect of this policy. Data subjects may exercise their rights by submitting written requests to Okavya via the official email address hello@okavya.com. Okavya shall, in as far as practically possible, respond to these requests promptly and efficiently within the time limit specified. Save for a data portability request, all other requests shall be processed free of charge.

 

These rights include:

7.1 Right to Access: Data subjects have the right to access their personal data held by Okavya and obtain information about its processing. Upon request, Okavya will provide individuals with a copy of their personal data and any additional information about how their data is being processed within seven days from the date of request.

7.2 Right to Rectification: Data subjects have the right to request the correction or updating of inaccurate, untrue, outdated or incomplete personal data. Okavya will address such requests within fourteen days and ensure that the corrected data is accurately reflected in its records. Where such a request is declined, Okavya will communicate its decision in writing to the data subject within seven days of the refusal, providing clear and specific reasons for the refusal.

7.3 Right to Erasure: Data subjects have the right to request the deletion or removal of their personal data held by Okavya. The right to erasure may be exercised where the personal data is no longer necessary for the purpose for which it was collected; the data subject withdraws their consent that was the lawful basis for retaining the personal data; the data subject objects to the processing of their data and there is no overriding legitimate interest to continue processing; the processing of personal data is for direct marketing purposes and the individual objects to that processing; the processing of personal data is unlawful, including in breach of the lawfulness requirement; or the erasure is necessary to comply with a legal obligation. Okavya shall comply with such request within fourteen days of the request.

7.4 Right to Restrict Processing: Data subjects have the right to request the restriction of processing of their personal data in certain circumstances. Upon receiving an application for restriction, Okavya will promptly review and evaluate the request within fourteen days from the date of application. The right to restriction is not absolute, and Okavya may decline a request if it is deemed manifestly unfounded or excessive. In such cases, Okavya will communicate its decision in writing to the data subject within fourteen days of the refusal, providing clear and specific reasons for the denial.

7.5 Right to Object: Data subjects have the right to object to the processing of their personal data, including for direct marketing purposes or when processing is based on legitimate interests. The right is absolute where it involves direct marketing. Upon receiving a request from the data subject, Okavya will review the request within fourteen days. Where the right is not absolute, Okavya may decline a request if it can demonstrate a compelling legitimate interest in the processing of such data. In such a case, Okavya will communicate its decision in writing to the data subject within fourteen days of the refusal, providing clear and specific reasons for the refusal.

7.6 Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller. Okavya will facilitate such requests where applicable and technically feasible, within thirty days of the request subject to such charges as it may deem reasonable for purposes of processing the request. Okavya may decline to comply with such request and in such case, a written communication of such refusal shall be made to the data subject within seven days providing clear and specific reasons for the refusal.


8.    PROCESSING OF SENSITIVE PERSONAL DATA

Okavya shall process sensitive personal data under the following circumstances:

8.1 Legitimate Activities with Appropriate Safeguards: Sensitive personal data may be processed by Okavya in the course of its legitimate activities, provided that appropriate safeguards are in place. This includes processing that is related solely to the members of Okavya or individuals who have regular contact with Okavya in connection with its purposes. Personal data of this nature shall not be disclosed outside of Okavya without the explicit consent of the data subject.

8.2 Manifestly Public Personal Data: Okavya may process sensitive personal data that has been manifestly made public by the data subject themselves. Such processing shall be in compliance with applicable data protection laws and regulations.

8.3 Legal Basis: This shall include:

  Establishment, Exercise, or Defense of Legal Claims.

  Fulfillment of Obligations and Exercise of Rights.

  Protection of Vital Interests.

 

9.    DATA BREACH MANAGEMENT

9.1 Data Breach

A data breach refers to an unauthorized or accidental incident where sensitive, protected, or confidential information is accessed, disclosed, altered, or destroyed by unauthorized individuals or entities. It involves the compromise of data security, potentially leading to the loss, theft, or exposure of personal, financial, or sensitive information. The consequences of a data breach may include identity theft, financial loss, reputational damage, and violation of privacy rights. Okavya has a legal and ethical responsibility to protect the data it holds and to take appropriate measures to prevent and address data breaches.


9.2 Incidences When a Data Breach Can Occur

Data breaches can occur in various circumstances, including but not limited to the following:

a)   Unauthorized Access: When unauthorized individuals gain access to personal data, whether through external hacking, internal breaches, or physical theft;

b)  Human Error: Accidental loss, misplacement, or improper disclosure of personal data by employees, or other authorized individuals;

c) System Vulnerabilities: Exploitation of vulnerabilities in Okavya's information systems, software, or network infrastructure, leading to unauthorized access or data compromise;

d)    Insider Threats: Intentional misuse or unauthorized access to personal data by individuals within Okavya who have legitimate access privileges;

e)  Third-Party Incidents: Data breaches that occur at external service providers, partners, or vendors with access to Okavya's data or systems;

f)    Loss or theft of equipment containing personal information (e.g., memory sticks, disks, laptops);

g)    E-mails sent to the wrong address or person or incorrect file attached to an e-mail;

h)    Inappropriate postings on social media.

9.3 Addressing Data Breaches

Okavya is committed to responding promptly and effectively in the event of a data breach. The following steps outline the general approach to addressing data breaches:

a)  Incident Identification and Assessment: Okavya will implement measures to promptly identify and verify potential data breaches.  This includes monitoring systems, conducting regular security assessments, and fostering a culture of incident reporting.

b)    Incident Response Team: Okavya will establish an incident response team comprising key personnel, including the Data Protection Officer (DPO), IT professionals, legal advisors, and relevant stakeholders. The team will be responsible for coordinating the breach response and implementing the necessary actions.

c)  Containment and Mitigation: Upon identification of a data breach, Okavya will take immediate steps to contain the incident, prevent further unauthorized access, and mitigate potential harm. This may involve inter alia isolating affected systems, changing access credentials, or temporarily suspending affected services.

d)    Assessment and Notification: Okavya will conduct a thorough assessment of the data breach to determine the nature and scope of the incident, including the types of data compromised, the potential risks to affected individuals, and any legal obligations for notification. If required by applicable laws and regulations, Okavya will notify the relevant supervisory authorities and affected individuals without undue delay.

e)   Communication and Support: Okavya recognizes the importance of transparent communication during a data breach. Regular updates will be provided to affected individuals, informing them of the incident, the potential risks involved, and the actions being taken to address the breach. Okavya will also provide guidance and support to affected individuals, including recommended measures to protect themselves from potential harm.

f)    Remediation and Preventive Measures: Following a data breach, Okavya will take appropriate measures to remediate the breach, restore the integrity of its systems, and prevent future incidents. This includes conducting a comprehensive investigation, implementing necessary security enhancements, and reviewing existing policies and procedures to strengthen data protection practices.

g)   Documentation and Reporting: Okavya will maintain proper documentation of all data breaches, including incident details, response actions, and outcomes. This documentation will be used for internal review, regulatory compliance, and as a reference for future incident management and prevention efforts.

h)  Continuous Improvement: Okavya is committed to continuous improvement in data breach management. Lessons learned from each incident will be analyzed, and necessary updates to policies, procedures, and training programs will be implemented to enhance the organization's overall data protection capabilities.

 

10. TRANSFER OF PERSONAL DATA OUT OF KENYA AND ACCESS TO PERSONAL DATA BY THIRD PARTIES.

Okavya recognizes that there may be instances where it is necessary to transfer personal data to a third party located outside of Kenya or to share or grant access to such data to third parties. In so doing, Okavya shall be guided by the following practices:

10.1 Consent and Legal Basis

Okavya will only transfer personal data to third parties with the explicit consent of the data subject or when it is legally permissible to do so. Okavya will ensure that the data subject’s consent is freely given, specific, informed, and unambiguous, and will inform the data subject of the purposes of the data transfer.

10.2 Legitimate Interests

In some cases, Okavya may transfer personal data to third parties based on our legitimate interests. These legitimate interests will be balanced with the data subject’s rights and freedoms. Okavya shall ensure that this data is protected throughout the transfer process.

10.3 Data Protection Safeguards

Before transferring personal data to a third party, Okavya will ensure that appropriate safeguards are in place to protect the data. This may include implementing contractual agreements, conducting due diligence on the third party's data protection practices, and verifying that they have adequate security measures in place.

 

10.4 Transfers within Kenya

Okavya may transfer or grant third parties within Kenya access to personal data in its control if it is necessary for the performance of a contract or if the third party has adequate data protection measures in place. Okavya will ensure that such data is handled in accordance with Kenyan law and that the data subjects’ rights are protected.

 

10.5 International Transfers

Okavya shall put in place appropriate safeguards to protect the data to be transferred. In so doing, Okavya may utilize legal instruments that are necessary and binding on the recipient to ensure the protection of personal data.  Additionally, the transfer of personal data will be based on an adequacy decision made by the Commissioner and/or the consent of the data subject, where appropriate. When the transfer involves sensitive personal data, explicit consent from the data subject will be obtained.

 

Okavya will also consider other relevant factors, such as relying on standard contractual clauses that have been approved by the relevant authorities, to ensure the lawful and secure transfer of personal data.

 

Okavya will maintain comprehensive documentation pertaining to international transfers. This documentation will include the date and time of the transfer, the name of the recipient, the justification for the transfer, and a detailed description of the data being transferred.

 

10.6 Exceptions and Legal Obligations

Okavya may be required to transfer personal data to third parties without the data subject’s consent if it is necessary to comply with a legal obligation, protect vital interests, or defend legal claims. In such cases, Okavya will ensure that the transfer is carried out in accordance with applicable laws and regulations.

10.7 Data Subject’s Rights and Recourse

Where concerns or queries are raised by a data subject regarding the transfer of their personal data to third parties, the data subject shall have the right to seek clarification, access their data, rectify inaccuracies, request erasure, and restrict or object to the processing of their data.

 

 

11. DATA RETENTION AND DISPOSAL

11.1 Legal and Operational Requirements

Okavya will retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable laws and regulations. The specific retention periods may vary depending on the nature of the data and the legal or operational requirements that apply. Okavya will ensure that the retention periods for different categories of data are clearly documented and communicated to all relevant stakeholders.

11.2 Retention Periods

Okavya will establish and maintain a comprehensive data retention schedule that specifies the retention periods for different categories of data. The schedule will take into account factors such as legal obligations, business needs, historical significance, and potential litigation or disputes. The retention periods will be reviewed periodically to ensure compliance with changing legal and operational requirements.


11.3 Data Minimization

To minimize the amount of personal data retained, Okavya will implement procedures to regularly review and update the data held. Where possible and practical, Okavya will anonymize or pseudonymize personal data to remove identifying information, while still allowing for the necessary analysis and processing.

11.4 Data Disposal

Once the retention period for personal data has expired or when it is no longer necessary for the purposes it was collected, the data will be disposed of securely. Disposal methods will be designed to prevent unauthorized access, loss, or disclosure of the data. Okavya will establish and follow appropriate procedures for the destruction of data, including electronic files, and any other media containing personal data. The methods used for disposal will be appropriate to the nature of the data and will take into account factors such as sensitivity and the potential for re-identification.

11.5 Documentation and Audit Trail

Okavya will maintain records of data disposal activities, including the date, method, and reason for disposal. These records will be retained in accordance with applicable legal and operational requirements. Okavya will periodically review and audit the data disposal processes to ensure compliance with this policy.

11.6 Training and Awareness

Okavya will provide appropriate training and awareness programs to all employees and stakeholders involved in the handling of personal data. These programs will include guidance on data retention and disposal practices, emphasizing the importance of securely managing data throughout its lifecycle.

12.0 RESPONSIBILITIES

Okavya Management: Okavya management shall be responsible for ensuring that this policy is implemented, maintained, and reviewed regularly. They will provide appropriate training to staff to ensure compliance with data protection obligations.

Data Protection Officer (DPO): Okavya will appoint a Data Protection Officer who will be responsible for overseeing data protection activities, providing advice and guidance on data protection matters, and acting as a point of contact for data subjects and regulatory authorities.

Staff: All staff members of Okavya must comply with this policy and handle personal data in accordance with its principles. They must ensure the confidentiality, integrity, and security of personal data and report any data breaches or potential risks to the DPO.

13.0 DATA PROTECTION AUDITS

To ensure ongoing compliance with data protection laws, Okavya will conduct annual data protection audits. These audits will be carried out by an independent and impartial auditing body designated for this purpose.

The responsibilities of the auditing body will encompass the following:

a)     Systematically verifying compliance with the requirements of data protection laws.

b)    Investigating any significant breaches of data protection.

c)    Assessing the effectiveness of data processing practices.

Okavya will provide the auditing body with all relevant data assessment reports and complaints that require investigation before the scheduled audit date. The scope and intensity of the data protection audits will be determined based on factors such as the nature of the personal data being processed, the technology employed to ensure data security, the potential consequences of improper data processing practices, and the associated costs of conducting the audits.

By conducting regular data protection audits, Okavya aims to proactively identify areas of improvement, address any non-compliance issues, and enhance its data processing practices to ensure the highest standards of privacy and data protection for individuals. The audit findings will serve as a valuable resource for refining policies, procedures, and security measures, ultimately strengthening Okavya's commitment to safeguarding personal data.

14.0 INQUIRIES AND COMPLAINTS

 Okavya recognizes the importance of open communication with data subjects. Okavya acknowledges the right of data subjects to file complaints regarding the processing of their personal information.

14.1 Inquiries 

To facilitate inquiries regarding the processing of personal information held by Okavya, the following channels of communication are available:

a)  Email: Data subjects may write an email to the office of the DPO to request information or clarification on matters related to the processing of their personal information by Okavya. The email address of the DPO will be provided for this purpose.

b)    Physical Inquiries: Data subjects also have the option to visit the office of the DPO in person. They can submit a printed copy of their inquiry letter, including their contact details for reference, to the designated office of the DPO.

14.2 Complaints

To initiate a complaint process, the following procedures should be followed:

a)   Submission: Complaints should be filed by submitting three (3) printed copies of the complaint to the Office of the DPO. Alternatively, complaints may be sent electronically to the official email address of the DPO. The contact details and email address of the DPO will be made available to data subjects.

b) Confirmation: The Office of the DPO will acknowledge the receipt of the complaint to the complainant, confirming that the complaint has been received and is being processed.

c)     Internal Investigation: Upon validation of the complaint, the DPO will initiate an official internal investigation. This investigation will aim to thoroughly examine the complaint, gather relevant information, and assess the compliance of Okavya with applicable data protection laws and regulations.

Okavya is dedicated to addressing complaints in a fair and impartial manner, ensuring that appropriate actions are taken to resolve any concerns raised by data subjects.

15.0 SEPARABILITY CLAUSE

 If for any reason, any portion or provision of this Policy is declared unconstitutional, other parts or provisions thereof which are not affected thereby shall continue to be in full force and effect.

16.0 REVIEW OF THIS POLICY

 This policy will undergo a comprehensive review every two years, or as necessary based on emerging needs and changes in regulations, whichever comes first. The review process will include an evaluation of its effectiveness and relevance to ensure its continued alignment with best practices and legal requirements.

17.0 EFFECTIVE DATE

The provisions of this Policy shall become effective upon internal approval by Okavya management.  

CONTACT

If you have any questions regarding this Privacy and Data Protection Policy, please contact our Data Protection Officer:

Email: hello@okavya.com

Website: www.okavya.com


LEGAL BASIS FOR DATA PROCESSING


PROCESSOR TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Okavya shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which is necessary for each specific purpose is processed, taking into consideration (a) the amount of personal data collected; (b) the extent of its processing; (c) the period of its storage; (d) its accessibility; and (e) the cost of processing data and the technologies and tools used.


ORGANISATIONAL MEASURES


TECHNICAL MEASURES