ELIMN LIMITED
DATA PROTECTION POLICY
1. INTRODUCTION
This Data Protection Policy outlines the principles and procedures that Elimn Limited and its subsidiaries (Eagle Lights, Fuego, and Shinobi) ("the Company") adhere to when processing personal data in accordance with the Kenya Data Protection Act, 2019 ("the Act"). The Company is committed to protecting the privacy and confidentiality of personal data collected, processed, and stored during the provision of all its services. This policy governs the collection, use, storage, and disclosure of personal data by the Company and applies to all employees, contractors, and third parties acting on behalf of the Company.
2. DEFINITIONS
Personal Data: refers to any information relating to an identified or identifiable individual as defined in the Kenya Data Protection Act, 2019.
Data Subject: means the individual to whom the personal data relates.
Processing: means any operation performed on personal data, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
Data Controller: means the Company, which determines the purposes and means of the processing of personal data.
Data Processor: means any person or entity processing personal data on behalf of the Data Controller.
3. SCOPE
This policy applies to all employees, contractors, third-party service providers, and any other individuals or entities associated with the Company who process personal data on behalf of the Company.
4. PRINCIPLES OF DATA PROTECTION
The Company is committed to adhering to the following principles of data protection:
4.1 Lawfulness, Fairness, and Transparency: The Company will process personal data lawfully, fairly, and in a transparent manner. Individuals will be informed of the purpose and lawful basis for data processing.
4.2 Purpose Limitation: Personal data will be collected for specified, explicit, and legitimate purposes. The data will not be further processed in any manner incompatible with these purposes.
4.3 Data Minimization: The Company will only collect and process personal data that is adequate, relevant, and necessary for the intended purposes.
4.4 Accuracy: Reasonable steps will be taken to ensure that personal data is accurate, and efforts will be made to rectify any inaccuracies promptly.
4.5 Storage Limitation: Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable laws and regulations.
4.6 Integrity and Confidentiality: The Company will implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
4.7 Accountability: The Company will take responsibility for ensuring compliance with data protection laws and regulations and will maintain records of data processing activities.
5. THE RIGHTS OF THE DATA SUBJECT
5.1 Right to Access: Data subjects have the right to obtain confirmation from the Company as to whether or not their personal data is being processed, and if so, to access their personal data and obtain information about the purposes, categories of data, recipients, and retention periods.
5.2 Right to Rectification: Data subjects can request the rectification of inaccurate or incomplete personal data held by the Company. We will make reasonable efforts to update the data accordingly and inform relevant third parties, if applicable.
5.3 Right to Erasure (Right to be Forgotten): Data subjects have the right to request the erasure of their personal data under specific circumstances, such as when the data is no longer necessary for the purposes it was collected or when the data subject withdraws consent.
5.4 Right to Restriction of Processing: Data subjects may request the restriction of processing their personal data in certain situations, such as when the accuracy of the data is contested or when the processing is unlawful.
5.5 Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to have it transferred to another controller when technically feasible.
5.6 Right to Object: Data subjects have the right to object to the processing of their personal data, particularly in cases of direct marketing or processing based on legitimate interests.
5.7 Rights in Automated Decision Making and Profiling: Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning them or significantly affect them.
5.8 Right to Withdraw Consent: If the processing of personal data is based on consent, data subjects have the right to withdraw their consent at any time. This withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
5.9 Right to Lodge a Complaint: Data subjects have the right to lodge a complaint with the relevant data protection authority if they believe that the processing of their personal data infringes the Kenya Data Protection Act.
At the Company, we are committed to upholding these rights and ensuring that data subjects can exercise them in an effective and transparent manner. Our Data Protection Officer (DPO) is available to assist with any inquiries or requests related to data subject rights. We aim to provide a safe and secure environment for personal data processing while respecting the rights and privacy of individuals.
6. DATA COLLECTION AND PURPOSE OF PROCESSING
At the Company, we collect and process personal data in accordance with the relevant data protection laws and regulations, including the Act. We are committed to being transparent about the data we collect, the purposes for which we process it, and ensuring that the processing is lawful and fair.
6.1 Types of Data Collected: We may collect various types of personal data, including but not limited to:
a) Contact Information: Names, addresses, phone numbers, email addresses, etc.
b) Identification Data: National ID, passport details, etc.
c) Employment Information: Resumes, CVs, employment history, etc.
d) Financial Information: Bank account details, payment information, etc.
e) Technical Data: IP addresses, device information, browsing history, etc.
f) Car Details: Car make, car model, and year of manufacture.
6.2 Purpose of Processing: We collect and process personal data for specific and legitimate purposes, which include, but are not limited to:
a) Recruitment and Employment: Processing data for recruitment and employment purposes, such as evaluating job applications and managing employment contracts.
b) Customer Engagement: Contacting and interacting with customers, responding to inquiries, and providing requested information or services.
c) Marketing and Promotions: Sending promotional materials, updates, and offers related to our products and services, subject to individual consent where applicable.
d) Compliance and Legal Obligations: Fulfilling legal and regulatory requirements, including tax, reporting, and record-keeping obligations.
e) Business Operations: Conducting everyday business activities, internal administrative tasks, and communications with stakeholders.
6.3 Lawful Basis for Processing: We ensure that the processing of personal data is based on one or more lawful grounds as defined by the Act, such as:
a) Consent: Data subjects have provided explicit consent for specific processing activities.
b) Contractual Necessity: Processing is necessary for the performance of a contract with the data subject.
c) Legal Obligation: Processing is necessary to comply with applicable laws and regulations.
d) Legitimate Interests: Processing is necessary for legitimate business interests, provided that such interests do not override the rights and freedoms of data subjects.
6.4 Data Minimization and Retention: We only collect and retain personal data that is necessary for the intended purposes. We strive to minimize the amount of data collected and ensure that it is accurate, up-to-date, and relevant. Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
6.5 Special Categories of Data: We do not collect or process special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or biometric data, or data concerning health, unless required by law or with explicit consent.
7. CONSENT FOR DATA PROCESSING
At the Company, we value the privacy and autonomy of our data subjects. We recognize the importance of obtaining clear and informed consent for the processing of personal data. Where applicable, we will seek consent from data subjects before processing their personal data for specific purposes.
7.2 Voluntary Nature of Consent: Consent is a voluntary choice, and data subjects have the right to withhold or withdraw their consent at any time. Providing or withdrawing consent will not result in adverse consequences or discriminatory treatment.
7.3 Obtaining and Recording Consent: We will obtain consent in a clear, unambiguous, and easily understandable manner. Consent may be obtained through written, electronic, or oral means, depending on the circumstances. Data subjects will be informed of the specific purposes for which their data will be processed, and any other relevant information necessary to make an informed decision.
7.4 Revoking Consent: Data subjects have the right to revoke their consent at any time by providing notice to the Data Protection Officer (DPO) or the designated point of contact. Revoking consent will not affect the lawfulness of processing based on consent before its withdrawal.
7.5 Limitations of Consent: Consent is one of the lawful bases for processing personal data, but it is not the only basis. In cases where processing is necessary for the performance of a contract, compliance with legal obligations, protection of vital interests, or legitimate interests pursued by the Company or a third party, consent may not be required.
7.6 Consent for Direct Marketing: Where personal data is processed for direct marketing purposes, explicit consent will be sought from data subjects. Data subjects will have the right to object to such processing, and marketing communications will include clear opt-out mechanisms.
7.7 Consent for Cross-Border Transfers: In cases where personal data is transferred to countries outside the jurisdiction of the Act, explicit consent will be obtained from data subjects unless such transfers are subject to appropriate safeguards as defined by the Act.
7.8 Review and Update of Consent: Consent records will be regularly reviewed and updated to ensure that they accurately reflect data subjects' preferences and any changes in processing activities. Records of consent will be maintained in accordance with applicable legal requirements.
8. DATA ACCURACY AND MINIMIZATION
8.1 Data Accuracy: The Company acknowledges the importance of maintaining accurate and up-to-date personal data. We will take reasonable steps to ensure that the personal data we collect is accurate, relevant, and kept up-to-date. Data subjects are encouraged to inform us of any changes or inaccuracies in their personal data, and we will promptly update our records accordingly.
8.2 Data Minimization: We will only collect personal data that is necessary for the purposes for which it is processed. Data subjects' personal data will be processed in a manner that is proportionate to the intended purposes. We will not collect excessive or irrelevant personal data.
8.3 Retention Period: Personal data will be retained for the minimum duration necessary to fulfill the purposes for which it was collected, or as required by law. Once the data is no longer needed for the specified purposes, we will securely and permanently dispose of or anonymize it in accordance with our data retention policy.
8.4 Review and Update: We will periodically review the personal data we hold to ensure its accuracy and relevance. Data subjects will be given the opportunity to review and update their personal data to ensure it remains accurate and complete.
8.5 Data Quality Control: To maintain data accuracy and minimize errors, we will implement data quality control measures. These measures include regular data cleansing and validation processes to identify and correct inaccuracies.
8.6 Access to Personal Data: Data subjects have the right to access their personal data and request corrections or updates if necessary. Requests for access and rectification should be directed to the Data Protection Officer (DPO) or the designated point of contact.
8.7 Anonymization and Pseudonymization: Where appropriate and feasible, we will use anonymization or pseudonymization techniques to protect the identity of data subjects while still achieving the intended purposes of data processing.
8.8 Data Minimization in Projects and Systems: When developing new projects or implementing systems that involve personal data processing, we will adopt a data minimization approach. Personal data will only be collected and processed to the extent necessary to achieve the project's objectives.
9. DATA SECURITY
9.1 Confidentiality and Access Control: The Company recognizes the critical importance of maintaining the confidentiality and security of personal data. We will implement strict access control measures to ensure that personal data is only accessible to authorized personnel who have a legitimate need to access it for the purposes of their roles.
9.2 Technical and Organizational Measures: We will implement appropriate technical and organizational measures to safeguard personal data from unauthorized access, disclosure, alteration, or destruction. These measures will be regularly reviewed and updated to stay in line with best practices and to address emerging security risks.
9.3 Encryption and Secure Transmission: Sensitive personal data will be encrypted during storage and transmission to prevent unauthorized access or interception. Secure transmission protocols will be utilized to protect data while it is being transferred over networks.
9.4 Data Breach Incident Response: In the event of a data breach or security incident, the Company will promptly respond to contain and mitigate the impact. We have established an incident response plan that outlines the steps to be taken to assess, notify affected parties, and remedy any breaches or incidents that may occur.
9.5 Employee Training and Awareness: Employees who have access to personal data will receive training on data security, privacy best practices, and their responsibilities in protecting personal data. Regular awareness programs will be conducted to keep employees informed about the latest security threats and preventive measures.
9.6 Data Transfer Security: When personal data is transferred to third-party processors or other entities, the Company will ensure that adequate security measures are in place to protect the data during transit and at the recipient's location.
9.7 Physical Security: Physical access to areas where personal data is stored will be restricted to authorized personnel only. We will implement security measures such as access cards, biometric controls, and surveillance to prevent unauthorized physical access.
9.8 Security Audits and Assessments: Regular security audits and assessments will be conducted to identify potential vulnerabilities and gaps in our data security practices. Findings from these assessments will be used to improve our security posture continuously.
9.9 Data Security Incident Reporting: Employees will be required to report any security incidents or potential breaches they encounter promptly. A clear reporting process will be established to ensure that incidents are appropriately addressed.
9.10 Confidentiality Agreements: To reinforce the importance of data security, employees and third-party vendors who have access to personal data will be required to sign confidentiality agreements to protect the data they handle.
10. DATA TRANSFERS
The Company acknowledges that in the course of providing services, it may be necessary to transfer personal data to third-party service providers and business partners. Such transfers will only occur when it is essential for the delivery of the requested services and will be carried out in full compliance with applicable data protection laws and regulations.
10.1 Legitimate Basis for Data Transfers: The Company will ensure that data transfers to third parties are based on a legitimate purpose and necessary for the performance of the services requested by data subjects. We will not transfer personal data for any other purposes without obtaining explicit consent from the data subject, unless permitted or required by law.
10.2 Data Transfer Agreements: Before engaging in data transfers with third-party service providers and business partners, the Company will enter into data transfer agreements that include contractual provisions to safeguard the personal data during transit and at the receiving end. These agreements will require the third parties to comply with the same level of data protection as provided under this policy.
10.3 Adequate Safeguards: The Company will assess the adequacy of data protection measures implemented by third-party service providers and business partners to ensure that personal data remains secure during transfer and processing. The selection of such providers will be guided by their ability to meet stringent data protection standards.
10.4 International Data Transfers: If personal data is to be transferred to countries outside the jurisdiction of the Act, the Company will ensure that the receiving country offers an adequate level of data protection, or will put in place appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the relevant authorities.
10.5 Data Sharing with Business Partners: In cases where the Company engages in joint ventures or partnerships with other organizations, personal data may be shared to facilitate collaboration. The sharing of data with business partners will be governed by specific agreements that define the purpose, scope, and responsibilities regarding the shared data.
10.6 Transparent Data Sharing Practices: Data subjects will be informed of any intended data transfers to third parties, and explicit consent will be sought where required. We will provide clear and transparent information about the nature of the data transfer and the purposes for which it will be used.
11. DATA BREACH NOTIFICATION
The Company recognizes the critical importance of promptly responding to and mitigating data breaches to protect the rights and freedoms of data subjects. In the event of a data breach that is likely to result in a risk to the rights and freedoms of individuals, the Company shall adhere to the requirements set forth by the Act regarding data breach notification.
11.1 Data Breach Assessment: Upon becoming aware of a data breach, the Company will conduct a comprehensive assessment to determine the nature and scope of the breach, as well as the potential risks it may pose to the affected individuals.
11.2 Notification to Relevant Authorities: Where applicable and as required by the Act, the Company will notify the relevant authorities of the data breach. The notification will include all relevant information regarding the breach, the number of affected individuals, the potential consequences, and the measures taken to address the breach.
11.3 Notification to Data Subjects: If a data breach is likely to result in a high risk to the rights and freedoms of individuals, the Company will notify the affected data subjects without undue delay. The notification will be provided in clear and plain language and will include information about the nature of the breach, the data involved, the potential consequences, and the steps individuals can take to protect themselves.
11.4 Communication and Support: Throughout the breach notification process, the Company will maintain open communication with affected individuals, providing ongoing support and guidance as needed. We are committed to being transparent about any security incidents that may affect personal data and will take all necessary steps to minimize the impact on data subjects.
11.5 Remedial Actions and Preventive Measures: Following a data breach, the Company will take immediate remedial actions to contain the breach, prevent further unauthorized access, and enhance data security measures. We will conduct a thorough investigation to identify the root cause of the breach and implement preventive measures to avoid similar incidents in the future.
12. DATA PROTECTION OFFICER
To ensure effective oversight and compliance with data protection regulations, the Company has appointed a dedicated Data Protection Officer (DPO). The DPO is responsible for overseeing all data protection matters and serves as a point of contact for customers, employees, and other stakeholders regarding data privacy concerns.
12.1 Responsibilities of the Data Protection Officer: The Data Protection Officer's key responsibilities include:
a) Monitoring the Company's data protection practices and ensuring compliance with the Act and other relevant data protection laws.
b) Providing guidance and advice to the Company and its employees on data protection best practices.
c) Conducting regular assessments and audits to evaluate the effectiveness of data protection measures.
d) Addressing data subject inquiries and concerns related to their personal data processing.
e) Collaborating with relevant departments to implement data protection policies and procedures.
f) Ensuring that data protection training and awareness programs are conducted for employees.
12.2 Contacting the Data Protection Officer:
a) For any inquiries, requests, or concerns regarding data protection, customers may contact the Data Protection Officer using the following contact details:
Data Protection Officer
elimn@elimn.com
0785173374
b) Customers can trust that their concerns will be handled promptly and professionally by the Data Protection Officer, ensuring transparency and accountability in all data protection matters.
13. TRAINING AND AWARENESS
The Company shall provide data protection training to its employees and ensure awareness of data protection policies and procedures.
14. REVIEW AND UPDATES
This Data Protection Policy shall be reviewed regularly to ensure compliance with the Kenya Data Protection Act, 2019, and other relevant data protection laws. Any updates or changes to this policy shall be communicated to customers and other relevant stakeholders.
By availing of any services provided by the Company, customers acknowledge that they have read and understood this Data Protection Policy and consent to the collection, processing, and storage of their personal data in accordance with the principles outlined herein.