Privacy Policy

1. Introduction

The government of Kenya, concerned about the security of the personal data that companies store, has enacted the Data Protection Regulations. Enacted in 2019, Kenya's Data Protection Act is a data privacy law closely modeled after the GDPR of the EU. It protects individuals and lays down rules on how companies use individuals' data. It seeks to protect the privacy rights of data subjects in Kenya by ensuring that organizations and companies do not abuse their users' data.

2. Policy Statement

Epicapp Limited is committed to complying with the relevant legislation in Kenya and any other applicable international legislation. Epicapp Limited acknowledges that an individual's protection through legitimate, lawful, and responsible processing and utilization of personal data is an essential human right. Epicapp Limited will ensure that it protects data subjects' rights, and that it collects and processes data according to the required legislation. Epicapp Limited employees must comply with this policy, and an employee who breaches it will face disciplinary action.

3. Purpose

This policy offers guidance on how Epicapp Limited will protect personal data. It sets out principles, guidelines, and rules that inform how Epicapp Limited will ensure ongoing compliance with the data protection laws.

5. Definitions

According to the Data Protection Act,

Data subject means an identified or identifiable natural person who is the subject of personal data.

Personal data means any information relating to an identified or identifiable natural person.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Sensitive personal data means data that reveals the natural person's race, health status, ethnic or social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details (including the names of the person's children, parents, spouse or spouses), sex, or the sexual orientation of the data subject.

Processing data means any operation or sets of operations performed on personal data whether or not by automated means, such as (a) collection, recording, organization, structuring; (b) storage, adaptation, or alteration; (c) retrieval, consultation, or use; (d) disclosure by transmission, dissemination, or otherwise making available; or (e) alignment or combination, restriction, erasure or destruction.

6. Principles

Epicapp Limited will ensure that:

  1. During data processing, confidentiality, integrity, due diligence, and due care must be practiced.
  2. Data is collected only for legitimate, specific, and explicit purposes and processed in a manner compatible with that purpose.
  3. Data on file is complete, accurate, and kept up to date.
  4. Data is processed in a manner that ensures its security using appropriate organizational and technical measures to protect against unlawful and unauthorized processing and destruction, accidental loss, or damage.
  5. Data is not transferred outside Kenya unless there is proof of consent from the data subject and adequate data safeguard.
  6. Personal data is adequate, relevant, and limited to what is necessary concerning the purpose of processing the data.
  7. Personal data is not kept for more extended periods than is necessary to achieve the purpose for which the data was collected and processed.
  8. All data controllers and processors are responsible for protecting personal data and must demonstrate compliance with Data Protection principles.

7. Roles and Responsibility

  i. Data Protection Officer

Epicapp Limited has designated the Chief Operating Officer to be the Data Protection Officer (DPO) who will:

  1. Advise Epicapp Limited employees on the requirements for data protection.
  2. Ensure that Epicapp Limited processes personal data in compliance with the applicable data protection rules.
  3. Cooperate with external regulators on matters relating to data protection.
  ii. All Staff must:

  1. Read, understand, and comply with the contents of this policy.
  2. Report suspicions of breaches promptly.

  iii. The Chief Executive Officer (CEO) is responsible for ensuring employees, vendors, and partner organizations are aware of the policy and are supported to implement and work by it, as well as creating a management culture that encourages a focus on data protection.

  iv. Partners of Epicapp Limited must report breaches of Epicapp Limited's data in their custody within 48 hours using the emails provided above. Partners must also abide by this policy and institute adequate mechanisms to safeguard the privacy of individuals' data.

8. Rights of Data Subjects

Epicapp Limited must notify data subjects of their rights. Therefore, it will inform data subjects of their rights:

  1. To be informed of the use to which their data is to be put.
  2. To access their data in Epicapp Limited custody.
  3. To object to the processing of all or part of their data.
  4. To the correction of false or misleading data.
  5. To deletion of false or misleading data about them.

9. Lawful Purpose for Processing Personal Data

Epicapp Limited will only process data where it has a lawful basis to do so. Personal data processing will only be lawful where the data subject's consent is obtained for one or more specific purposes.

Epicapp Limited will not process any personal data for which it did not obtain consent, and should such a need arise, consent must be obtained from the data subject.

Epicapp Limited will collect and process only data that is adequate, relevant, and limited to what is necessary. Epicapp Limited employees must not access data they are not authorized to access.

Data must only be collected for the performance of duties and tasks, and employees must not ask data subjects to provide personal data unless it is strictly necessary for the intended purpose.

Employees must ensure that they delete, destroy, or anonymize any personal data that is no longer needed for the specific purpose for which it was collected.

10. Security and Record-Keeping

Epicapp Limited instituted data security measures laid out in the Information Security Policy and Procedure. These measures serve to safeguard personal data and must be complied with accordingly.

Where necessary, Epicapp Limited will maintain adequate records to demonstrate that consent was obtained before processing personal data. Data will not be processed after a data subject withdraws consent.

11. Data Breach Notification Procedures

The data protection officer must establish and document a formal process for identifying a possible breach, assessing the breach, determining the nature and possible impact, and notifying the data process controller of the breach within 72 hours of becoming aware of the breach.

The data protection officer of Epicapp Limited must minimize the impact of the breach as quickly as possible and document the steps taken when dealing with the incident. Epicapp Limited will also communicate the data breach to the data subject as soon as is practical unless the data subject's identity cannot be established.

12. Data Protection Impact Assessment

Epicapp Limited will undertake a data protection impact assessment whenever it identifies that a processing operation is likely to result in a high risk to the rights and freedoms of any data subject. The data protection impact assessment will be done before processing the data. It is the responsibility of the DPO to carry out the impact assessment.

13. Processing Sensitive Personal Data

Epicapp Limited will only process sensitive personal data when:

  1. The processing is carried out in legitimate activities with appropriate safeguards. The personal data is not disclosed outside Epicapp Limited without the data subject's consent.
  2. The processing relates to personal data made public by the data subject.
  3. The processing is necessary for:
    • (a) The establishment, exercise, or defense of a legal claim.
    • (b) The purpose of carrying out the obligations and exercising specific rights of the controller or the data subject.
    • (c) Protecting the vital interest of the data subject or another person where the data subject is legally or physically incapable of giving consent.

14. Transferring Personal Data Outside Kenya

Epicapp Limited will transfer personal data out of Kenya only when it has:

  1. Proof of appropriate measures for the security and protection of the personal data, provided to the Data Protection Commissioner in accordance with Kenya's Data Protection Act, 2019; such measures include transferring data only to jurisdictions with commensurate data protection laws.
  2. Confirmation that the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures, such as:
    • For the conclusion or performance of a contract the data subject is part of.
    • For matters of public interest.
    • For legal claims.
    • To protect the vital interests of data subjects.
    • For compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights, and freedoms of the data subjects.

Epicapp Limited will process sensitive personal data out of Kenya only after obtaining the consent of a data subject and receiving confirmation of appropriate safeguards.

15. Training and Awareness

Epicapp Limited will train employees on the contents and implementation of this policy. Employees who join Epicapp Limited will be required to go through an induction process that entails familiarization with this policy.

Epicapp Limited will ensure that the requirements of this policy form part of its agreement with its contractors and any third parties who process the Epicapp Limited data.

16. Audit

The adequacy and effectiveness of Epicapp Limited's data protection procedures are subject to regular internal audit reviews. Where necessary, Epicapp Limited may call for an external review to assure their integrity.

17. Data Retention

The data retention period at Epicapp Limited is determined by legitimate needs. Adequate records of decision-making will be maintained to show cause.

18. Policy Review

The policy will be reviewed annually by the management of Epicapp Limited.

19. Related Policies

The policy should be read together with the company's code of conduct, misconduct, disciplinary and grievance policy, and information security policy.