Data Protection Policy

1. POLICY STATEMENT

The purpose of the IXAfrica Data Centre Limited (“IXAfrica” or the “Company”) Data Privacy Policy (the “Policy”)is to provide a framework for the data sharing and processing activities undertaken by the Company. . The Policy will govern the processing of personal data, protect the privacy of Data Subjects, allow these Data Subjects to exercise their rights, and ensure compliance with the relevant laws.

2. SCOPE

The Policy applies to all Company employees, Directors, contractors, or consultants, independent or otherwise, and all parties will be required to act consistently with this Policy.

IXAfrica is committed to upholding the privacy of Data Subjects and all personal data processed by us, and to reiterate our commitment to safeguarding this personal data from unauthorised access, transfer, or processing.

This Policy shall govern personal data that is processed by IXAfrica or by an IXAfrica appointed controller or processor, be it in physical or digital form.

3. REGISTRATION

Through their appointed officer and / or external consultant, IXAfrica shall register with the Office of the Data Protection Commissioner (“ODPC”) as a Data Controller. The application for registration shall be filled out in the form prescribed by law and duly submitted to the ODPC via their online portal.

Renewal:

IXAfrica’s Certificate of Registration shall be renewed within 14 days before the date that the existing registration certificate is set to lapse.

Responsibilities of IXAfrica as a Data Processor and Controller

IXAfrica has a mandate to ensure that any personal data that they process is guided by various principles. They shall ensure that all data is:

Processed in accordance with the rights of the data subject
Processed lawfully, fairly and in a transparent
Collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those

Adequate, relevant, limited to what is necessary in relation to the purposes for which it is
Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified.
Not transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data

Data protection impact assessment

IXAfrica, through its officials, shall carry out a data protection impact assessment where it is adjudged that an intended processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes.

The assessment shall encompass

A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by
An assessment of the necessity and proportionality of the processing operations in relation to the purposes (the need for such processing to achieve claimed purpose).
An assessment of the risks to the rights and freedoms of data subjects as captured under this
The measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the law and this policy taking into account the rights, and legitimate interests of data subjects and other persons

Where such assessment relates to access by a third party to IXAfrica’s Data Subject information, the third party shall be actively involved in response to safeguards and measures they have in place to promote compliance with this policy as well as those that promote compliance with the law.

Outcomes of all impact assessments shall be communicated to the Directors within three (3) days of finalisation.

All data impact assessments carried out by IXAfrica shall be submitted to the Office of the Data Protection Commissioner sixty days prior to the processing of data as facilitated by IXAfrica’s chosen staff member for overseeing this task.

A Data Impact Assessment shall also be carried out after any major incidences of breach and before resumption of data processing operations.

Data Privacy and Protection Risk Management

IXAfrica officers shall have management over identified risks relating to personal data collected, controlled and processed by IXAfrica. IXAfrica personnel shall ensure that they carry out a risk review on all exposures facing IXAfrica pertaining to data privacy.

4. IXAFRICA DATA SUBJECTS

IXAfrica has several categories of data subjects whose data will be processed and controlled, due to regulatory, operational and / or other needs.

Employees

These are individuals directly or indirectly employed by the Company. IXAfrica may control and process data related to employees to allow for identification, validation, as well as processing of regulatory information such as remittances on taxes and other key data required by the Government of Kenya. Such data may also be shared with authorised third parties where necessary for fulfilment of a contractual obligation with the respective Data Subject or based on consent.

The data processed may also include sensitive personal / health data for e.g. biometric access control, and where applicable, for the provision of medical insurance / healthcare to the Employees. Whenever this is the case, consent of the Data Subject will always be sought along with an explanation as to the use to which the said data will be put, save for emergencies or life threatening instances in which consent is not obtainable.

Clients

This category includes all identifiable clients who procure services and / or products from IXAfrica and / or other third-party partners with whom IXAfrica collaborates with to provide services and products. IXAfrica may share personal data with authorised third parties in furtherance of their obligations to the Client, e.g. for service delivery or where certain advice is sought.

IXAfrica may control and process data related to our customers and / or clients in furtherance of a contractual obligation, due to legal obligations and / or due to other operational processes.

IXAFRICA partners

These are all IXAfrica partners’ who have a business relationship, collaborative initiative, and existing connection either directly and or indirectly that would necessitate the processing and control of personal data. Such processing and control might be due to regulatory compliance, internal processes and / or other assessed need in line with this Policy, and accordingly, may be shared with authorised third parties.

RIGHTS OF IXAFRICA DATA SUBJECTS

IXAfrica is committed to the promotion and enforcement of the rights of Data Subjects. These include, but are not limited to, the right:

To be informed of the use to which their personal data is to be put;
To access their personal data in the custody of data controller or data processor;
To object to the processing of all or part of their personal data;

To correction of false or misleading data; and
To deletion of false or misleading data about

5. DATA SUBJECT CONSENT

IXAfrica shall ensure that before collection of data, the data subject is aware that IXAfrica shall collect, store, and use personal data. IXAfrica shall further ensure that the data subject approves such collection, preservation, and use, where applicable.

While acquiring consent, IXAfrica shall strive to ensure that the Data Subject is aware of their rights and shall further provide the means for the exercise of such rights, where applicable.

Consent on data on minors

IXAfrica considers all data subjects under the age of 18 as minors. In the unlikely instance that such data is processed, IXAfrica shall ensure that there are appropriate mechanisms for age verification and consent to allow for the processing of personal data of a minor.

In the unlikely event that any personal data of minors is processed, IXAfrica shall acquire from a guardian/parental authority to process said data. Irrespective of whether such consent has been received, IXAfrica shall not process data relating to a minor unless the processing is done in a manner that protects and advances the rights and best interests of the child.

Withdrawal & revision of consent

Data Subjects can, subject to the applicable laws and regulations, withdraw or revise the terms of use of their personal data held by IXAfrica. Such revision and / or withdrawal request shall be responded to within 72 hours of receipt of the same by an IXAfrica official.

A revision/correction request can be presented in instances where such data is inaccurate, outdated, incomplete or misleading.

IXAfrica shall cease processing of data in the below situations:

Where the accuracy of the personal data is contested by the data subject, and in the intervening period until IXAfrica verifies the accuracy of the
Where personal data is no longer required for the purpose of the processing, unless where required by IXAfrica for record keeping, subject to the relevant laws, and / or the establishment, exercise or defense of a legal
Where a Data Subject has objected to the processing, pending verification as to whether the legitimate interests of IXAfrica overrides those of the data subject.

Where the data controller has shared such personal data with a third party for processing purposes, the data controller or data processor shall take all reasonable steps to inform third parties processing such data, that the data subject has withdrawn right to process such data or requested for a revision of such data as might be held.

All withdrawal notices received by IXAfrica on data held by third parties shall initiate a surrender of information held by such third parties. IXAfrica shall make all reasonable effort to ensure that such surrender is satisfactory and that all record of such data has satisfactorily been deleted / expunged from third party systems and / or gadgets or other storage locations or formats that might exist.

6. DATA COLLECTION

IXAfrica shall employ various options in the collection of personal information. Tje Company shall further ensure that such collection, storage and use of personal data shall be lawful, specific, and explicitly defined.

Information can be voluntarily and directly collected such as during the onboarding of a client

/ employee or indirectly where:

The data is contained in a public record or the data subject has made the data public.
The data subject has consented to the collection from another source.
The collection from another source would not prejudice the interests of the data
Where collection of data from another source is necessary for:
- The prevention, detection, investigation, prosecution, and punishment of
- The enforcement of a law which imposes a pecuniary penalty, or
- The protection of the interests of the data subject or another person

Before collection of personal information and data, IXAfrica shall as far as is practicable ensure that the data subject is reasonably informed of:

The use to which their personal data shall be put, their right to access their data, the right to object to processing of all or part of their data and the right to correction and deletion of false or misleading
The fact that personal data is being
The purpose for which the personal data is being

Access & Transfer of Personal Data

IXAfrica Data Subjects have a right of access and transfer of all personal data that is held by the Company. Requests for such access should be made to the Company in writing, to the attention of the Admin office.

Within 24 hours of receipt of the request, an IXAfrica officer shall communicate in writing or through other official medium of IXAfrica’s intention to comply (or whichever decision is taken) with the request and if the former, the expected timeline within which such data shall be available for collection, viewing and transmission.

IXAfrica shall ensure that the Data Subject receives personal data concerning them in a structured, commonly used format.

Where a request is received to transfer such data to an external data controller or data processor, IXAfrica shall take all necessary steps and make reasonable effort to facilitate such transfer. Where a direct transfer of such data is requested, IXfrica shall assess the impact and implication of such direct transfer and only proceed in instances where associated risk has been assessed to be minimum. By default, IXAfrica shall submit the data to the Data Subject for onward submission to the external party.

Data deletion

Unless where legal mandate precludes IXAfrica from executing an erasure, IData Subjects have a right to request the Company to erase or anonymise personal data that IXAfrica is no longer authorised to retain, or personal data that is irrelevant or excessive.

In all instances where legal mandates preclude such deletion, IXAfrica shall ensure that all Data processing (other than that legally mandated) ceases on such data immediately and that the Data Subject is informed within a reasonable time that such deletion cannot occur but that all processing has ceased.

7. DATA STORAGE AND ASSOCIATED TREATMENT

Storage of all IXAfrica-controlled personal data shall be under IXAfrica owned infrastructure and / or infrastructure under contractual IXAfrica ownership.

EMPLOYEE RECORDS

IXAfrica is committed to the secure storage and preservation of all data that pertains to our employees. Such personal data refers to both digital and physical records kept.

Physical records

All physical personal employee records shall be kept under lock and key and shall be under the sole control of the Human Resources Office and / or their appointee. Such records shall be bound by the following controls:

There shall be no copying, sharing and distribution of employee records other than that which is authorised by the Data Subject and or necessary for the Human Resources Department to carry out their function.
The Human Resource officer shall make the sole decision at their discretion on whether to share such information in so far as restricting access does not impede any ongoing legal investigation and or independent internal review as shall be assigned by the
All personal information shared by the Human Resources office to other functions or Departments within IXAfrica shall be for a stated purpose.

The Human Resource office shall consult the Directors in all instances where the reasons and / or action to take is not immediately
The Human Resource office shall ensure that all accessed personal data in third party custody is surrendered after culmination of any sanctioned exercise.
The Human Resource office shall further communicate the need to delete / purge and / or destroy any data held that is not necessary for the stated purpose of

Digital Records

The Human Resource Office is the chief custodian of all personal employee digital records. Determination of what constitutes personal records shall be guided by the principle of sensitivity of such personal data.

Digital employee personal data shall be stored in a secure gadget and / or server as the need may be with access restricted to the Human Resource officer and / or their appointee.

Emails to and from personnel of a personal nature to the Human Resources office qualify as personal data and fall under this category and all necessary restrictions to access of the mailbox as well as account shall be taken. Such restrictions can include passwords, among others.

Access to these gadgets, locations and / or apps (including E-mail) shall be monitored with the assistance of the IXAfrica IT Team to ensure that safeguards in place are sufficient and working.

For operational purposes, the Human Resource office may share digital employee personal data with various other IXAfrica functions such as those relating to payroll processing. All sharing of information whether as requested and / or for operational purposes shall be documented.

CLIENT DATA

For purposes of this Policy, client personal data refers to all retained information that identifies a client by name, number and or other unique identification. Such client personal data can be associated with digital information as captured for sales, and it can also refer to physical records kept.

IXAfrica shall ensure that the below functions are undertaken, where applicable, to mitigate risks associated with such records:

They shall take all necessary measures to ensure that client personal data is stored in a secured
Such location shall be under IXAfria ownership and / or contractual ownership with the right to retention, deletion and purging of all data held by the third-party installation.
All personal data & client information data shared to other functions within IXAfrica shall be for a stated
IXAfrica staff shall consult the Directors in all instances where the reasons and / or action to take is not immediately clear.

IXAfrica personnel who come into contact with any Data Subject’s personal data and who directly cause breach of such personal data as a result of negligence and / or unreasonable action including unsanctioned access shall bear personal responsibility for such breach.

In addition, IXAfrica shall exercise their option to institute disciplinary procedures against these personnel as a result of and in line with this Policy.

8. DATA PROCESSING

IXAfrica shall only process data when the data subject consents to processing for one or more specified purposes or where such processing is necessary for the below to occur:

The performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract.
For compliance with any legal obligation to which the Company is subject, including those imposed by applicable Regulatory bodies / Government entities;
In order to protect the vital interests of the data subject or another natural person;
For the performance of a task carried out in the public interest or in the exercise of official authority vested in
The performance of any task carried out by a public authority.
Where processing is carried out in the course of legitimate activities with appropriate safeguards by a foundation, association, or any other not-for profit body with a political, philosophical, religious or trade union aim and on condition that:
- The processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes, and
- The personal data is not disclosed outside that body without the consent of the Data
For the exercise, by any person in the public interest, of any other functions of a public
For the legitimate interests pursued by IXAfrica or by a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data
For the purpose of historical, statistical, journalistic, literature and art or scientific
The processing relates to personal data which is manifestly made public by the data
Where processing is necessary for:
- The establishment, exercise, or defense of a legal
- The purpose of carrying out the obligations and exercising specific rights of IXAfrica or of the data subject.
- Protecting the vital interests of the Data Subject or another person where the Data Subject is physically or legally incapable of giving

Processing personal health data

IXAfrica shall, in the course of employment operations, come into knowledge of a Data

Subject’s personal health data. IXAfrica shall process such personal data when:

Determining when employment should be offered to applying candidates, our subsequent responsibilities as an employer, including for biometric fingerprint access to certain employees as well as the provision of health insurance, where applicable.

Commercial use of processed Data

IXAfrica may from time to time rely on collected personal data to make commercial decisions. Where such need is deemed necessary, IXAfrica shall where practicable, anonymise the data in such a manner as to ensure that the data subject is no longer identifiable.

Personal data will only be used for commercial marketing of products where the data subject has consented to the same, or in the case of personal data already held for existing subjects, a clear opt-out or ‘unsubscribe’ mechanism will be provided.

Subject Data processed and controlled by an IXAfrica partner / authorised Third Party

IXAfrica shall ensure that all personal data in their control is not accessed by a third party unless where necessary for the performance of their contractual obligations or where the subject has been informed of the same.

Where a third-party Data Processor, their employee and / or other person with access to their systems whether authorised or not processes personal data other than as instructed by IXAfrica, the data processor shall be deemed to be a data controller in respect of that processing and shall bear all risks and associated costs as a result of such contravention including reparation / compensation to the Data Subject should they successfully complain / pursue legal action for such use of their personal data.

Conditions for IXAfrica Data Transfer to another jurisdiction

IXAfrica may for given business purposes, financial / banking reporting reasons, and / or business operations need to transfer data to another jurisdiction. Such transfer shall only be under one of the below conditions:

Where the legitimate reason has been shared with the Subject and their consent has accordingly been given;
For the conclusion or performance of a contract concluded in the interest of the data subject between IXAfrica and another entity;
For any matter of public interest that necessitates such transfer;

For the establishment, exercise or defense of a legal claim under advice of IXAfrica’s legal counsel in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; and
For the purpose of compelling legitimate interests pursued by IXAfrica which are not overridden by the interests, rights, and freedoms of the data subjects.

Deletion of Personal Data from IXAfrica records

IXAfrica shall set limits on the storage of all personal data collected depending on the need / use for such collection, noting that the same should not exceed the limit imposed by the respective statutes and applicable legislation. At the expiration of such limit, IXAfrica shall erase, anonymize or pseudonymise personal data not necessary to be retained.

Unless where legal mandates preclude IXAfrica from taking such action, IXAfrica shall make all reasonable effort to ensure that the Data is deleted / erased / expunged from all known IXAfrica storage locations; external, internal and portable including but not limited to physical records as well as all related data held by third party partners.

Such purge is limited to the below unique situations where preservation is:

Required or authorised by
Reasonably necessary for a lawful
Authorised or consented to by the data subject, for
for historical, statistical, journalistic literature and art or research

9. BREACH OF PERSONAL DATA

Where personal data controlled and processed by IXAfrica has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorised access, IXAfrica Directors shall appoint an officer with the relevant skillset to manage, control, and spearhead the breach-related actions outlined in this Policy.

The appointed officer shall initiate the below steps:

A preliminary report on the incident shall be prepared by the appointed officer within fourty-eighty hours of being made aware of the breach and such report shared with the
Such report shall detail:
- The nature of
- Exposure/Risks to Data Subject and to IXAfrica
- Estimated costs associated with the breach including security measures to address the

Current status of the

The appointed officer shall notify the Data Commissioner within seventy-two hours of becoming aware of such breach. Where the notification to the Data Commissioner is not made within seventy-two hours, the notification shall be accompanied by reasons for the
The appointed officer shall communicate to the Data Subject in writing within a reasonably practical period in cases where the identity of the Data Subject can be
The appointed officer shall then carry out an exhaustive impact assessment on the breach including measures that have been put in place to mitigate future occurrence and or

Breach of Personal Data held by a third-party Data Processor

Where a third-party data processor becomes aware of a personal data breach, the data processor shall notify IXAfrica without delay and where reasonably practicable, within forty- eight hours of becoming aware of such breach.

Once IXAfrica receives notification of such breach, it shall:

Immediately initiate a cessation of processing of all IXAfrica‘s Data Subject Data managed by the third party through notice to the data processor.
The appointed officer shall request for a detailed incident report of the facts of the breach including measures that have been put in place to mitigate further occurrence within twenty-four hours of receipt of notice of breach.
An IXAfrica officer shall carry out an impact assessment on the breach including an assessment of the state of exposure of data under third party control as well as recommendations on further action(s), if any, to shield such exposure within twenty-four hours of receiving an incident report from the external Data
An IXAfrica officer shall further indicate in the impact assessment report whether such breach was due to negligence on the part of the external Data
Where negligence has been established, IXAfrica shall, in consultation with the Office of the Data Protection Commissioner, make a determination on whether to pursue legal action. All costs arising from such breach shall be borne by the negligent
An IXAfrica Officer shall further make a determination, based on measures in place and the associated risk whether to continue relying on the data processor for services rendered.
Where a decision is made to retain the services of the data processor, it shall be under consideration of all measures in place, culpability for breach and other considerations as may be determined by IXAfrica.
IXAfrica shall then notify the Data Subject(s) in writing within a reasonably practical period in cases where the identity of the Data Subject can be This notification, depending on the circumstances, should include a description of the breach, the measures

that IXAfrica intends to take or has taken to address the same, and the contact point from whom more information may be obtained.

Other provisions – Data Breach

For purpose of this Policy and as provided for under the applicable laws, IXAfrica may delay or restrict communication with the Data Subject as is necessary and proportionate for purposes of prevention, detection or investigation of an offence by the concerned relevant body.

The communication of a breach to the data subject shall not be required where IXAfrica and / or IXAfrica’s agent has implemented appropriate security safeguards which may include encryption of affected personal data and where breach has been assessed as not posing risk(s) to the Data Subject.

All instances of Breach of Personal Data that are the subject of hacking, fraud and / or unauthorised external access shall be reported by IXAfrica to the relevant authorities for onward investigation and as required by the law.

Exemptions Under Law

There are various exemptions under law where IXAfrica is exempt from certain provisions of the Data Protection Act, 2019 as regards processing of personal data. These are:

If it is necessary for national security or public
Where disclosure is required by or under any written law or by an order of the
Where processing is undertaken by a person for the publication of a literary or artistic material on condition that it can be demonstrated that the processing is in compliance with any self-regulatory or issued code of ethics in practice and relevant to the publication in Such publication shall further be on condition that published material does not identify the Data Subject.
Where IXAfrica reasonably believes that publication would be in the public
Where IXAfrica reasonably believes that, in all the circumstances, compliance with the provision is incompatible with any special purposes that might

None of the provisions above shall exempt IXfricaC from complying with data protection principles relating to lawful processing, minimisation of collection, data quality, and adopting security safeguards to protect personal data.

10. COMPLAINTS FORWARDED BY DATA SUBJECTS TO THE DATA COMMISSIONER

In the event that a Data Subject forwards a complaint pertaining to IXAfrica and / or a IXAfrica appointed Data processor’s conduct to the Office of the Data Protection Commissioner, the below shall apply:

Having received summons or notice and / or instructions regarding to the complaint, a Director-appointed IXAfrica officer shall take charge of the matter and proceed
Such complaint notice shall then be forwarded by said officer to IXAfrica’s legal counsel within twenty-four to fourty-eight hours of receipt.

The officer shall write to the Office of the Data Protection Commissioner within forty- eight hours of receipt of the said notice in consultation with IXAfrica’s legal counsel responding to the complaint and / or other claim as Such communication shall commit to cooperation with the Data Protection Commissioner in honoring all requests / summons and information submissions in consultation with IXAfrica’s legal counsel.

IXAfrica officer shall conduct an impact assessment of the complaint showing the merits of the complaint including existing exposure and measures that have been put in place / need to be put in place to mitigate such
Where information has been requested by the Data Protection Commissioner and / or their agent, IXAfrica shall to the best of its ability provide this information in the manner Such information should be limited to the Data Subject and should be as basic as necessary to limit exposure on competitive business data processing and / or other information not necessary to the request.
Where a judgement is issued against IXAfrica as a result of a complaint as submitted by a Data Subject to the Office of the Data Protection Commissioner, they may, depending on the circumstances of the same, appeal to the High Court of Kenya under the advice of IXAfrica’s Legal

IXAfrica Policy Conflicts

Where the provisions of this Policy conflict with any provisions of the Kenyan law, the provisions of the Kenyan law shall take precedence.

Where the provisions of this Policy conflict with other internal policies as relates to the control and processing of data, the provisions of this policy shall take precedence.