1. POLICY STATEMENTImaliPay’s Data Protection Policy refers to our commitment to treat information of employees, customers, stakeholders and other interested parties with the utmost care and confidentiality. With this policy, ImaliPay ensures that it gathers, stores and handles data fairly, transparently and with respect towards individual rights.
As part of ImaliPay’s operations, we need to obtain and process information. This information includes any offline or online data that makes a person identifiable such as names, addresses, usernames and passwords, digital footprints, photographs, social security numbers, financial data etc.
ImaliPay collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply. A. ImaliPay’s shall ensure that its data will be:
ImaliPay shall ensure that its data will not be:
- Accurate and kept up to date
- Collected fairly and for lawful purposes only
- Processed by the company within its legal and moral boundaries
- Protected against any unauthorized or illegal access by internal or external parties
In addition to ways of handling the data ImaliPay has direct obligations towards people to whom the data belongs. Specifically,
- Communicated informally
- Stored for more than a specified amount of time
- Transferred to organizations, states or countries that do not have adequate data protection policies
- Distributed to any party other than the ones agreed upon by the data's owner (exempting legitimate requests from law enforcement authorities)
ImaliPay must: a) Let people know which of their data is collected b) Inform people about how we'll process their datac) Inform people about who has access to their informationd) Have provisions in cases of lost, corrupted or compromised data e) Allow people to request that we modify, erase, reduce or correct data contained in our databases 1.2 Scope and ApplicabilityThe Policy sets the minimum standards and applies to all ImaliPay employees and its partners.
1.3 Functions and Obligations of Staff 1.3.1 Only those employees who have demonstrated honesty, integrity and discretion should be Authorized Users or have access to premises where Information Systems or media containing Personal Data are located. Staff should be bound by a duty of confidentiality in respect of any access to Personal Data.1.3.2 The necessary measures shall be adopted to train and make staff familiar with these minimum security requirements, any relevant policies and applicable laws concerning the performance of their functions and duties in respect of the Processing of Personal Data and the consequences of any breach of these requirements.1.3.3 The functions and obligations of staff having access to Personal Data and the Information Systems shall be clearly defined and documented.1.3.4 Authorized Users shall be instructed to the effect that electronic equipment should not be left unattended and made accessible during Processing sessions.1.3.5 Physical access to areas where any Personal Data are stored shall be restricted to Authorized Users.1.3.6 The disciplinary measures for a breach of the security plan shall be clearly defined and documented and communicated to staff.
3. DEFINITIONS AND INTERPRETATION
"Affiliate"means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity; "Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" shall be construed accordingly;“Data”means the quantities, characters, or symbols on which operations are performed by a computer, which may be stored and transmitted in the form of electrical signals and recorded on magnetic, optical, or mechanical recording media;"Data Protection Laws"means the General Data Protection Regulation (EU)2016/679 (GDPR), the Kenyan Data Protection Act 2019 and any legislation and/or regulation implementing or made pursuant, or which amends, replaces, re-enacts or consolidates them, including legislation of any relevant jurisdiction, and all other applicable laws relating to processing of Personal Data and privacy that may exist in any relevant jurisdiction, including, where applicable, the binding guidance and codes of practice issued by supervisory authorities.“Data Subject”means a natural person who can be identified directly or indirectly by reference to the Personal Data collected by the Parties; Data Controller (Controller) shall have the definition provided in the Data Protection Act and in this ImaliPay’s Clients. Data Processor (Processor) shall have the definition provided in the Data Protection Act and in this case is ImaliPay. "Personal Data"means any information relating to a Data Subject and containing an identifier such as a name, an identification number, location data, photo, email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to Media Access Control (MAC) address, Internet Protocol (IP) address, International Mobile Equipment Identity (IMEI) number, International Mobile Subscriber Identity (IMSI) number, Subscriber Identification Module (SIM). Personal Data shall include any online identifier or any one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject;“Processing and process"either mean any activity that involves the use of Personal Data or as the Data Protection Laws may otherwise define processing or process. It includes any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organising, structuring, storing, adapting or altering, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, Processing also includes transferring Personal Data to third parties;"Security Incident"means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Personal Data transmitted, stored or otherwise processed;“Security Measures”means processes adopted by each Party to protect its Data. Such measures include but not limited to protecting systems from hackers, cyberattacks, viral attack, data theft, damage by rain, fire or exposure to other natural elements. These measures also include setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling personal data (and other sensitive or confidential data), protection of email systems and continuous capacity building for staff; "Sensitive Data"means (a) passport number, driver's license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the masked (last four digits) of a credit or debit card); (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords; or (f) other information that falls within the definition of "special categories of data" under applicable Data Protection Laws; and "Sub-processor"means any processor engaged by a Processor or its Affiliates to assist in fulfilling its obligations with respect to providing the Service according to the Service Agreement or this DPA. Sub-processors may include third parties or Affiliates of the Processor but shall exclude the Processor’s employees or consultants.
4. GENERAL PROVISIONS OF THE POLICIES
a. This policy must be published and disseminated to all employees and third-party entities (including ImaliPay’s vendors, contractors, and business partners).b. All new ImaliPay’s Staff shall undergo a data protection training as part of their induction program or upon resumption.c. Data protection awareness is propagated using but not limited to the following methods; trainings, emails, posters, newsletters, memos and seminars at regular intervals and at the discretion of the .................... team.d. All ImaliPay’s employees and third-party entities must hold CONFIDENTIAL all customer data ensuring that at no point in time or during a business process is account data used for any purpose beyond business activities; and that all company policies and procedures are actively followed to protect data.e. All employees and third-party entities must inform management or their supervisors if they are aware of or suspect fraudulent use of account data.f. In the case of a data security breach to information, employees must adhere to the incident response actions detailed in the Incident Management Policy.
5. RESPONSIBILITIES OF A DATA CONTROLLER
The Data Controller will not provide (or cause to be provided) any Sensitive Data to Processor for processing without the express consent of the Data Subject.ImaliPay understand that Sensitive Data merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms of the Data Subject.Controller must ensure that:a. it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Personal Data and any processing instructions it issues to Processor; andb. it has obtained and will continue to obtain, all consents and rights necessary under Data Protection Laws for Processor to process Personal Data for the purposes described in the Agreement.c. Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Controller acquired Personal Data.d. Controller will ensure that Processor's processing of the Controller's Data following Controller's instructions will not cause Processor to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws.
6. RESPONSIBILITIES OF A DATA PROCESSOR
a. Processor shall adopt such measures to ensure a level of security appropriate to the sensitivity of the Data transferred to the Processor. These measures include the pseudonymization and encryption of personal data.b. Processor shall notify Controller in writing within 48 (forty-eight) hours, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any data processing instruction from Controller violates any Data Protection Law.c. Processor shall ensure it can restore the availability and access to Personal Data promptly in the event of a Security Incident.d. Processor shall ensure that any person who is authorized by Processor to process Personal Data (including its staff, agents and subcontractors) shall be under a contractual or statutory obligation of confidentiality.e. Processor shall in updating or modifying its Security Measures, ensure that such updates and modifications do not result in the degradation of the Processor’s Security Measures.f. Upon becoming aware of a Security Incident, Processor shalli. notify Controller without undue delay, and where feasible, in any event no later than 48 hours from becoming aware of the Security Incident;ii. provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Controller; andiii. promptly take reasonable steps to contain and investigate any Security Incident.
7.1 Controller agrees that the Processor may engage Sub-processors to process Personal Data on Controller's behalf.7.2 Processor shall notify Controller of any engagement or disengagement of a Sub-processor.7.3 Processor shall:7.3.1 enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Controller’s Data as those in this Agreement; and7.3.2 remain responsible for the Sub-processor’s compliance with the obligations of this Agreement and for the acts or omissions of such Sub-processor that cause Processor to breach any of its obligations under this Agreement.
8. INTERNATIONAL TRANSFERS
ImaliPay may transfer and process Personal Data outside of Kenya where as Processor, its Affiliates or its Sub-processors maintain data processing operations.ImaliPay shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and the Processor shall ensure the Processor transfers data to jurisdictions that have adequate Data Protection Laws.
9. RETURN OR DELETION OF DATA
Upon termination or expiration of an engagement, the Processor shall (at the Controller's election) delete or return to the Controller all Personal Data (including copies) in its possession or control, except that this requirement shall not apply to the extent where the Processor is required by applicable law to retain some or all of the personal data or the personal data is archived on back-up systems, which the Processor shall securely isolate, protect from any further processing and eventually delete in accordance with the Processor's deletion policies, except to the extent required by applicable laws.
10. MINIMUM SECURITY MEASURES
Minimum security measures have to be adopted for the purpose of protecting Personal Data and information, primarily with a view to meeting minimum pre-defined requirements of applicable data protection and Applicable privacy law across ImaliPay’s markets.Compliance with these minimum security measures does not guarantee that an appropriate level of protection has been provided - a holistic and comprehensive assessment of security must be undertaken depending upon the circumstances, type of data and processing to be performed.Information security techniques, and the threats to security, are continually evolving.Security must therefore be continually assessed in the light of the specific circumstances at hand to determine the appropriate level of protection.10.1 Security CategoriesThese minimum security requirements are divided into three categories to reflect the sensitivity of different types of data – Standard, Medium and High. The data types to which these three security categories apply are described below. a StandardThe standard security requirements apply to all Personal Data as identified by ImaliPay, including those categories of Personal Data referred to below in relation to the Medium and High categories.b) MediumThe font-semibold mr-1 security requirements apply to Personal Data as identified by ImaliPay, including those categories of Personal Data referred to below in relation to theHigh category:relating to Judicial Data or investigations, enquiries or disclosures for law enforcement purposes.sufficient to permit an assessment of an individual's personality.bank account, debit, credit or other payment card information.( c) HighThe high security requirements apply to the following data categories as identified by ImaliPay • Sensitive Personal Data. • Judicial Data or data relating to investigations, enquiries or disclosures for law enforcement purposes where such Location Data. data is also Sensitive Personal Data and/ or Traffic Data. Traffic Data. Content. 10.2 Security Plan and Document 10.2.1 The measures adopted to comply with these minimum security requirements shall be the subject of a security plan and set out in a security document, which shall be kept up to date, and revised whenever relevant changes are made to the Information System or to how it is organized. The security document shall record significant changes to the security measures or the Processing activities.10.2.2 The security plan shall address: Security measures relating to the modification and maintenance of the system used to Process Personal Data, including development and maintenance of applications, appropriate vendor support and an inventory of hardware and soft Physical security, including security of the buildings or premises where data Processing occurs, security of data equipment and telecommunication infrastructure and environmental controls.10.3 The security document shall be available to staff who have access to Personal Data and the Information Systems, and must cover the following aspects as a minimum:(a) The scope, with a detailed specification of protected resources;(b) The measures, standards, procedures, code of conduct rules and norms to guarantee security, including for the control, inspection and supervision of the Information Systems;(c) The functions and obligations of staff; d) The structure of files containing Personal Data and a description of the Information Systems on which they are Processed;(e) The purposes for which the Information Systems may be used;(f) The procedures for reporting, managing and responding to incidents;g) The procedures for making back-up copies and recovering data including the person who undertook the process, the data restored and, as appropriate, which data had to be input manually in the recovery process. The security document and any related records and documentation shall be retained for a minimum period of 7 years from the end of the Processing.
11. DATA SECURITY MECHANISMS FOR SECURING THE INTEGRITY AND CONFIDENTIALITY OF THE DATA, CLASSIFICATION OF THE DATA.
Security of computers and telecommunication systems including procedures for managing back-up copies, procedures dealing with computer viruses, procedures for managing signal/codes, security for software implementation, security related to databases, security for connecting systems to the Internet, inspection of circumvention of data system, mechanisms for keeping account of attempts to break system security or gain unauthorized access.The security plan shall include:11.2 Disaster Recovery Plan which shall set out: measures to minimize interruptions to the normal functioning of the system; limit the extent of any damage and disasters; enable a smooth transition of Personal Data from one computer system to another; if necessary, provide for alternative means of operating a computer system; educate, exercise and familiarize personnel with emergency procedures; provide for fast and smooth system recovery, and minimize the economic effects of any disaster event11.3 Contingency Plan which must address the following possible dangers to the system and appropriate criteria to determine when the Plan should be triggered: the critical functions and systems, the strategy for protecting the system and priorities in the event the Plan is activated; an inventory of relevant staff members to be called upon during an emergency, as well as telephone numbers of other relevant parties; a set of procedures for calculating the damage incurred; realistic time management plans to enable the recovery of the system; clearly allocated staff duties; possible use of alarms and special devices (e.g., air filters, noise filters); in the event of a fire, special equipment should be available (e.g., fire extinguisher, water pumps, etc.); devices or methods for determining temperature, humidity and other environmental factors (e.g., air conditioning, thermometers, etc.); special security software to detect breaches of security; special generators for dealing with power cuts; retention of copies of software or materials in other protected buildings to avoid inadvertent loss.
12. ACCESS RECORDA history of Authorized Users’ access to or disclosure of Personal Data shall be recorded on a secure audit trail.
13. PHYSICAL ACCESS RECORDOnly those staff duly authorized in the security document may have physical access to the premises where Information Systems and media storing Personal Data are stored. A record of staff who access such premises shall be maintained, including name, date and time of access
14. RECORD OF INCIDENTS
There shall be a procedure for reporting, responding to and managing security incidents such as data security breaches or attempts at unauthorized access. This shall include as a minimum: a) A procedure for reporting such incidents/ breaches to appropriate management within the processor;b) A clearly designated team for managing and coordinating the response to an incident led by the Security Officerc) A documented and tested process for managing the response to an incident including the requirement to keep appropriate issues and action logs to include the time at which the incident occurred, the person reporting the incident, to whom it was reported and the effects thereof;d) The requirement on the processor to notify the controller immediately if it appears that Personal Data was involved in the incident or breach or may be impacted or affected in some way; ande) The processor security/ incident management team should where appropriate work together with the controller’s security representatives until the incident or breach has been satisfactorily resolved.