ADROIT CREDIT LIMITED PRIVACY POLICY

 

1.0 PURPOSE OF THE POLICY

 

This Policy is intended to provide minimum standards with respect to the protection of personal data that is collected, received, processed and stored on Adroit Credit Limited owned physical and electronic databases and will cover the use of personal data about all individuals, including employees, customers and other third parties, that deal with Adroit Credit Limited. It shall apply to all users of Adroit Credit Limited applications, software, databases, websites, social media platforms and all other suchlike resources.

 

2.0 DEFINITIONS

 

2.1 The main terms used in this Policy are defined in Appendix A of this Policy.

 

3.0 POLICY GUIDELINES

 

3.1. The Company shall, in dealing with personal information and data, ensure that the information/data is processed without infringing the privacy rights of the data subject;

  1. in a lawful manner; and
  2. in a reasonable manner

3.2.      The collection, use, storage and transfer of personal data will only be done in a manner guided by the fundamental principles of Adroit Credit Limited.

3.3. The data shall be collected for purposes of decision making and to provide an idea of the financial integrity and creditworthiness of the client(s).

 

 

4.0 ACCURACY

 

4.1. The Company shall store personal data/information as accurately as possible and update and systematically review it to ensure it fulfills the purpose(s) for which it is processed.

4.2. The data subject may request the correction of personal data that is inaccurate, incomplete, unnecessary, or excessive.

4.3. When personal data is corrected, the Company will notify the data subject as soon as is reasonably practicable.

 

5.0 TYPE OF INFORMATION COLLECTED

 

Adroit Credit Limited will collect and hold personal client information either electronically or written in a language they can understand for its operational purposes. This may include:

 

  1. Contact details such as name, address, email address and phone numbers.
  2. Nationality
  3. National ID and Passport information
  4. Date of birth
  5. Gender
  6. Information about race and ethnicity
  7. Bank account details
  8. Employment details
  9. Tax and residency status for statutory requirements
  10. References from employers
  11. Contact details for family members and next of kin.
  12. Details of criminal convictions (where necessary)

 

Adroit Credit Limited will ensure that the client is notified of collection of personal data before being prompted to provide the said data.

 

6.0 REASONS FOR DATA COLLECTION

 

Personal data can be processed only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.

 

7.0 PERSONAL DATA PROTECTION PRINCIPLES

In processing personal data, Adroit Credit Limited shall be guided by the principles of data protection as captured in the Data Protection Act, to ensure that personal data is:

  1. Processed in accordance with the right to privacy of the data subject;
  2. Processed lawfully, fairly and in a transparent manner in relation to any data subject.
  3. Collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  4. Adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed.
  5. Collected only where a valid explanation is provided whenever information relating to family or private affairs is required.
  6. Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay.
  7. Kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected.

 

In complying with the stated data protection principles, Adroit Credit Limited will observe the following:

 

8.0 LAWFUL AND FAIR PROCESSING

 

8.1. Data processing shall be carried out in a lawful and fair manner for specified and legitimate purposes without prejudicing the fundamental rights and freedoms of data subjects.

 

8.2. The processing shall only be justified based on one (or more) of the legal bases, including:

 

  1. data subject giving his or her consent
  2. the processing is necessary for the performance of a contract with the data subject
  3. to meet legal compliance obligations
  4. to protect the data subject’s vital interests or any other person who may be indirectly affected
  5. public interest
  6. to pursue the Company’s legitimate interests which are not overridden because the processing prejudices the interests or fundamental rights and freedoms of data subjects

 

 

9.0 TRANSPARENCY

 

The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be aware of, or informed of:

  1. The identity of the Data Controller
  2. The purpose of data processing
  3. Third parties or categories of third parties to whom the data might be transmitted, if any.

 

10.0 FACTUAL ACCURACY; UP-TO-DATE DATA

 

Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented, or updated within 7 days.

 

11.0 FURTHER PROCESSING

 

11.1. Further processing for research purposes shall be compliant with the conditions outlined to be compatible with the purposes for which the data is obtained.

11.2. Personal data which is processed for research purposes may be exempt from provisions of this policy if the results of the research and statistical data are not made available in a form which identifies the data subject.

11.3. Further processing of data shall comply with the data protection principles set out in this policy, in particular in ensuring the security and confidentiality of sensitive personal data.

 

12.0 CONFIDENTIALITY

12.1. The confidentiality of personal data must always be respected by the Company when processing data, with access to the same limited on a need-to-know basis.

12.2. ACL shall maintain the confidentiality of the personal data throughout and even after the user is no longer of concern to the Company.

12.3. The data controller may specify other categories of personal data that will require additional safeguards and restrictions and may be classified as sensitive personal data.

12.4. In the processing of sensitive personal data, the data controller will specify further grounds on which these categories will be processed with consideration of:

  1. the increased risk of significant harm that may be caused to the data subject by processing this category of personal data.
  2. the degree of confidentiality attached to the category of personal data.
  3. the level of protection afforded by provisions applicable to personal data

 

13.0 DATA SECURITY

 

13.1. ACL will ensure and implement a high level of data security that is appropriate to the risks presented by the nature and processing of personal data taking into account the level of technology available and existing security conditions as well as the costs of implementing additional security measures.

 

13.2. In order to ensure and respect confidentiality, personal data will be filed and stored in a way that is accessible only to authorized staff and transferred only through the use of protected means of communication.

13.3. In order to ensure the confidentiality of the personal data, the Company shall take appropriate technical and organizational data security measures.

13.4. The nature of risks will include but not be limited to risk of accidental or unlawful/illegitimate destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

13.5. Access to personal data/content/knowledge shall be restricted to authorized personnel using it in the performance of their duties and as determined by appropriate authorization of both the employees, supervisor and data subjects.

13.6. Personal data/content/knowledge may not be used by any employee for purposes other than Adroit Credit Limited’s business.

13.7. Staff and volunteers allowed access to personal data/content/knowledge of the Company shall sign a non-disclosure agreement banning them from using the content for business other than Adroit Credit Limited’s core mandate.

13.8.  Private email accounts shall not be used to transfer Personal Data.

13.9. Information technology will be used to process, communicate and store company data and information which will be classified as Confidential Information (CI).

13.10. Data security measures will be routinely reviewed and upgraded as deemed appropriate to ensure the level of protection is commensurate to the degree of sensitivity applied to personal data and considering the possible development of new technology in enhancing data security.

 

14.0 DATA SUBJECT RIGHTS

 

Individuals have certain rights with respect to their personal data, including the right to access, rectify, erase, restrict processing, object to processing, and data portability. Adroit Credit Limited will respond to requests from individuals regarding their rights in accordance with applicable data protection laws and regulations.

 

15.0 COMPLAINTS HANDLING MECHANISMS

Any person/s may lodge a complaint in their own name or on behalf of another person against the company or staff in respect of a service rendered by the company or staff of the company.

The complaint may be lodged by an individual complainant, by a group or institution acting on behalf of a complainant, or anonymously.

All complaints shall be received and processed free of charge by the company.

 

16.0 ACCOUNTABILITY

 

16.1. Adroit Credit Limited will be responsible for compliance and will be required to demonstrate that appropriate measures have been employed within the organization to comply with the data protection guidelines.

16.2. ACL will implement data protection training programs for all employees.

16.3. ACL will bear the burden of proof to establish the data subjects’ consent to the processing of their personal data for a specific purpose.

16.4. ACL will ensure that it is as easy to withdraw as it is to give consent.

 

17.0 RIGHTS OF DATA SUBJECTS

 

17.1. A data subject has a right to—

 

  1. be informed of the use to which their personal data is to be put.
  2. withdraw consent at any time.
  3. access their personal data in custody of data controller or data processor.
  4. object to the processing of all or part of their personal data.
  5. correction of false, inaccurate or misleading data.
  6. deletion of false or misleading data about them.
  7. request for erasure of their personal data where it is irrelevant, excessive or was obtained unlawfully.

18.0 DATA COLLECTION

 

18.1. When collecting personal data from the user, Adroit Credit Limited shall inform the user of the following in writing/orally and in a manner and language that is understandable to the user:

 

  1. The specific purpose(s) for which the personal data or categories of personal data will be processed.
  2. Whether such data will be transferred to third parties and the specific third parties.
  3. The data subject’s right to request access to their personal data, or correction or deletion of it.
  4. How to lodge a complaint with the data controller.
  5. The mandate and contact details of the data controller.

 

18.2. Where data is not collected directly from the data subject either electronically, orally or in writing, other means will be considered as far as is practicable such as online postings and any other appropriate method of transmission.

18.3. At the request of the data subject the data controller may restrict the processing of personal data where:

  1. The accuracy of the data is contested by the data subject.
  2. The data subject has objected to the processing.

19.0 DATA PROTECTION IMPACT ASSESSMENTS

 

19.1. Where a type of processing using new technology, and considering the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

19.2. A single assessment may address a set of similar processing operations that present similar high risks.

19.3. A data protection impact assessment shall in particular be required in the case of:

  1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or
  2. a systematic monitoring of a publicly accessible area on a large scale.

19.4. The assessment shall contain at least:

  1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. an assessment of the risks to the rights and freedoms of data subjects; and
  4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Policy taking into account the rights and legitimate interests of data subjects and other persons concerned.

 

20.0 DATA RETENTION AND DISPOSAL

 

20.1. Data will not be kept in a form that allows data subjects to be identified for longer than needed for the legitimate Company’s purposes or other purposes for which the Company collected it.

20.2. The purposes of data retention shall include satisfying any legal, contractual, accounting or reporting requirements.

20.3. Personal data may be retained for a longer period in the event of a complaint there is reasonable belief that there is a prospect of litigation in respect to the Company’s relationship with the data subject.

20.4. Adroit Credit Limited shall take all reasonable steps to destroy or erase from its systems all personal data that are no longer required.

 

21.0 TRANSFER OF PERSONAL DATA TO THIRD PARTIES

 

21.1. In order to mitigate risks associated with transfer of data to third parties, the Company will only transfer data to a third party if:

 

  1. The data is stripped of personal and identifiable information;
  2. The transfer is based on one or more legitimate bases including:
     a) explicit consent by the data subject;
     b) compliance with national or international law; or
     c) in exercise, establishment and defense of any contractual or legal obligations;
  3. The personal data to be transferred is adequate, relevant, necessary and not excessive in relation to the purpose(s) for which it is being transferred;
  4. The data subject has been informed either at the time of the collection or subsequently, about the potential transfer of his/her personal data.
  5. The third party maintains a high level of data security that protects personal data against the risk of accidental or unlawful/illegitimate destruction, loss, alteration, unauthorized disclosure of, or access to it.

21.2. The Company will also ensure that transferring personal data does not negatively impact:

  1. The safety and security of Adroit Credit Limited’s employees and beneficiaries.
  2. The effective functioning of an operation or compromise in the Company’s mission, vision or fundamental principles, for example due to the loss of trust and confidence between Adroit Credit Limited and persons of concern.

21.3. The processing of sensitive personal data out of Kenya shall only be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards.

 

22.0 DATA TRANSFER RECORDS

 

22.1. The Company shall keep and maintain full and accurate records reflecting all phases of data management cycle, including records of data subjects’ consents and procedures for obtaining consent, where consent is the legal basis of processing.

22.2. The data transfer records shall include, at a minimum:

  1. the name and contact details of the individual entity authorizing the transfer;
  2. clear descriptions of the personal data types;
  3. data subject types;
  4. processing activities;
  5. processing purposes;
  6. third-party recipients of the personal data;
  7. personal data storage locations;
  8. personal data transfers;
  9. the personal data’s retention period; and
  10. a description of the security measures in place.

23.0 DATA TRANSFER AGREEMENTS

 

23.1. Adroit Credit Limited will require all third parties to comply with this Policy through an agreement or an MOU as part of the signing of partnership agreements. Such agreements will specify the specific purpose(s) and legitimate basis for the processing or transfer of personal data.

 

23.2. Data transfer agreements shall:

  1. address the purpose(s) for data transfer, specific data elements to be transferred as well as data protection and data security measures to be put in place;
  2. require the third party to undertake that its data protection and data security measures are in compliance with this Policy; and
  3. stipulate consultation, supervision, accountability and review mechanisms for the oversight of the transfer for the life of the agreement.

23.3. Adroit Credit Limited Legal Representatives shall review and approve all data transfer agreements and maintain copies of final agreements.

 

24.0 DATA BREACH

 

24.1. Adroit Credit Limited will maintain a register of all data breaches.

24.2. Adroit Credit Limited employees will notify their supervisors as soon as possible upon becoming aware of a personal data breach.

24.3. The member of staff will record the breach.

24.4. If a personal data breach is likely to result in personal injury or harm to a data subject, the data controller will communicate the personal data breach to the data subject and take mitigating measures as appropriate without undue delay. In such cases, the data controller shall also notify the Secretary General of the personal data breach.

24.5. The notification will describe:

  1. The nature of the personal data breach, including the categories and number of data subjects and data records concerned.
  2. The known and foreseeable adverse consequences of personal data breach; and
  3. The measures taken or proposed to be taken to mitigate and address the possible adverse impacts of the personal data breach.

 

25.0 EXTERNAL USE AND LEGAL PROVISIONS

 

25.1. Title to all data belonging to Adroit Credit Limited resulting from data processing shall reside in the company and shall be protected by data protection laws of the Country.

25.2. Third parties may not process data belonging to Adroit Credit Limited without consultation with the company.

25.3. Any data processed jointly shall be jointly owned by Adroit Credit Limited and third party with whom the joint processing was done.

25.4. Nothing in this policy will prevent legal action from being undertaken against a person who violates the provisions of this policy or of any Kenyan laws and regulations.

25.5. All matters arising out of or relating to this policy shall be governed by and are to be construed in accordance with the Laws of Kenya, excluding any conflict of law provisions, with Kenyan courts having exclusive jurisdiction in all disputes arising therein.

25.6. This policy shall be reviewed every three years or when the need arises, whichever comes first.

 

26.0 COLLECTION OF PERSONAL DATA ABOUT VULNERABLE SEGMENTS OF THE COMMUNITY, INCLUDING CHILDREN, AND THE CRITERIA APPLIED

 

Adroit Credit Limited collects only the data strictly necessary for assessing credit risk and does not engage in the collection of vulnerable or sensitive personal data. This includes data related to race, ethnicity, tribe, sexual orientation, political affiliations, religious beliefs, genetic data, biometric data, or any other categories considered sensitive by international standards. In cases involving vulnerable segments of the community, including children, we adhere to the highest standards of data protection and apply stringent criteria to ensure the data collected is relevant only to credit risk evaluation. Where it is deemed extremely necessary to collect vulnerable data—although we do not currently do so—strict legal and ethical standards would be enforced. This includes obtaining explicit consent from parents or guardians for children, ensuring compliance with international privacy laws, and implementing robust security measures to protect such information. Adroit Credit Limited’s commitment to data minimization ensures that no unnecessary or irrelevant personal data is collected, and only data directly related to credit risk assessment is processed.

 

27.0 APPENDIX A: DEFINITIONS OF KEY TERMS

 

This part of the policy defines key terms

 

Anonymization: Irreversible removal of personal identifiers from information so that the data subject is no longer identifiable.

 

Collection: The act of gathering, acquiring, or obtaining Personal Data from any source, including third parties and whether directly or indirectly by any means.

 

Consent: Any freely given specific and informed indication of the wishes of the data subject by which they signify their agreement to personal data relating to them being processed.

 

Control: An agency, natural or legal person, public authority, organization or any other body which alone or jointly with others has the power to determine the purposes and means of the processing of data, and the manner in which the data is processed.

 

Critical system: Any system whose ‘failure’ could threaten human life, the system’s environment or the existence of the organization which operates the system. Such systems include but are not limited to electric grids, manufacturing systems, transportation systems, financial institutions, water treatment facilities and water supply systems.

 

Data: All data including personal data in electronic or manual form.

Data controller: A person who either alone or jointly with other persons or in common with other persons or as a legal duty determines the purpose for and the manner in which data is processed or is to be processed.

 

Data Processor: In relation to personal data, any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

 

Data Subject: A Natural person whose personal data is held by the data controller.

 

Disclosure: Making data available to others outside the Agencies

 

Encryption: The process of converting information or data into code, to prevent unauthorized access

 

Investigation — means an investigation relating to:

  1. A breach of this policy;
  2. A contravention of any written law or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or
  3. A circumstance or conduct that may result in a remedy or relief being available under any law.

National Interest — includes national security, defense, public security, the conduct of international affairs and the financial and economic interest of Kenya.

 

 

Notification: Notifying the Data Protection Regulator/Data Subject about the data breach.

 

Office of the Data Protection Regulator / Supervisory authority: An independent public authority established by state to regulate compliance with data protection law by Data Controllers and Processors and take enforcement action in the case of non-compliance.

 

Personal data: Any information relating to an identified or identifiable natural person (Data Subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number, passport number, birth certificate or to one or more specific factors like physical or physiological.

 

Processing: Any operation performed on personal data, such as collecting, creating, recording, structuring, organizing, storing, retrieving, accessing, using, seeing, sharing, communicating, disclosing, altering, adapting, updating, combining, erasing, destroying or deleting personal data, or restricting access or changes to personal data or preventing destruction of the data.

Restriction of processing: The marking of stored personal data with the aim of limiting their processing in the future.

 

Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable person. Pseudonymized data is therefore re-identifiable and falls within the definition of personal data

 

Sensitive personal data means personal data as to:

 

  1. The racial, ethnic or social origin,
  2. The political opinions or the religious or conscience belief, culture, dress, language or birth of the data subject.
  3. Gender
  4. Whether the data subject is a member of a trade-union.
  5. disability
  6. Sexual life or orientation
  7. Pregnancy
  8. Color
  9. Age
  10. Marital status
  11. Health Status
  12. the commission or alleged commission of any offence by the data subject, or
  13. Any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.
  14. Biometrics (where needed for identification)

 

Third Party: Third party, in relation to personal data, means any person/entity other than the data subject, the data controller, or data processor or other person authorized to process data for the data controller or processor.

  • Location

    Centenary House, 4th Floor, Westlands, Nairobi, Kenya

  • Phone

    0735 509 000

  • E-mail

    request@adroitcredit.co.ke
