Privacy Policy
Last modified: July 2024
1. Introduction
Your privacy is important to us. This privacy statement explains the personal data Sky World Limited (“Sky World Limited”) collects, how Sky World Limited processes it, and for what purposes.
This statement should be read together with the Terms and Conditions of Use for other Sky World Limited products and services. Where there is a conflict, this statement will prevail.
2. Definitions
The “Act” means The (Kenya) Data Protection Act No. 24 of 2019.
“GDPR” means the General Data Protection Regulation.
“Data Subject” means an identified or identifiable natural person.
“Personal Data” means any information relating to an identified or identifiable natural person.
A “Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
“Sensitive Personal Data” means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex, or the sexual orientation of the data subject.
“Responsible Person” means the Data Protection Officer for Sky World Limited.
3. The Regulations
- The Data Protection (General) Regulations, 2021 – Legal Notice No. 263;
- The Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 – Legal Notice No. 264;
- The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 – Legal Notice No. 265.
4. Purpose of this policy
The policy provides guidance on how Sky World Limited will handle the data it collects. It helps Sky World Limited to abide by the data protection law and protect the rights of data subjects.
5. Application/Scope of the Policy
This policy applies to all personal data we process regardless of the location where that personal data is stored (e.g., on an employee’s own device, Sky World Limited’s servers, Sky World Limited’s website, physical records, etc.) and regardless of the data subject. All Sky World Limited staff and others processing personal data on Sky World Limited’s behalf must read it. Failure to comply strictly with this policy shall result in severe disciplinary action. Sky World Limited Heads of Departments are responsible for ensuring that all staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls, and training to ensure compliance.
6. Ownership
Sky World Limited has appointed Easy Fiber Limited, Data Protection Consultant, which is responsible for overseeing the implementation of this policy. If you have any questions about this policy, including any requests to exercise your legal rights, please contact Easy Fiber Limited using the email below.
Email Address: info@easyfibre.co.ke
7. Changes to this Policy
This policy shall be reviewed on an annual basis or whenever there are changes to the data protection regulations and/or changes in our internal processes. Please visit this web page periodically to keep up to date with the changes in this policy.
Email Address: info@easyfibre.co.ke
8. Lawful Basis for processing your information
We will process your personal information based on any of the lawful bases provided for under the Data Protection Law:
- The performance of a Product/Service Agreement with you;
- Sky World Limited’s legitimate business interests;
- Compliance with a mandatory legal obligation;
- Consent you provide;
- Public interest;
- Your vital interest.
9. Exercise of Rights of Data Subjects
Sky World Limited commits to its stakeholders, partners and general data subjects to always collect, process, store, and transfer personal data with the utmost professionalism and in accordance with its responsibilities as stipulated under the Act, the Regulations, the GDPR, and other relevant legislation. Sky World Limited shall ensure that personal data is —
- Processed in accordance with the right to privacy of the data subject;
- Processed lawfully, fairly, and in a transparent manner in relation to any data subject;
- To ensure its processing of data is lawful, fair, and transparent, Sky World Limited shall maintain a Register of Systems. The Register of Systems shall be reviewed at least annually.
- Sky World Limited’s clients and partners have the right to access their data and any such requests made to Sky World Limited shall be dealt with in a timely manner.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
- All data processed by Sky World Limited must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent shall be clearly available and systems should be in place to ensure such revocation is reflected accurately in Sky World Limited’s systems.
- Collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes;
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
- Sky World Limited shall ensure that personal data is adequate, relevant, and strictly limited to what is necessary in relation to the purposes for which they are processed.
- Collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
- Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
- Kept in a form that identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
10. Data protection principles
Sky World Limited commits to its stakeholders, partners and general data subjects to always collect, process, store, and transfer personal data with the utmost professionalism and in accordance with its responsibilities as stipulated under the Act, the Regulations, the GDPR, and other relevant legislation. Sky World Limited shall ensure that personal data is —
- Processed in accordance with the right to privacy of the data subject;
- Processed lawfully, fairly, and in a transparent manner in relation to any data subject;
- To ensure its processing of data is lawful, fair, and transparent, Sky World Limited shall maintain a Register of Systems. The Register of Systems shall be reviewed at least annually.
- Sky World Limited’s clients and partners have the right to access their data and any such requests made to Sky World Limited shall be dealt with in a timely manner.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
- All data processed by Sky World Limited must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent shall be clearly available and systems should be in place to ensure such revocation is reflected accurately in Sky World Limited’s systems.
- Collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes;
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
- Sky World Limited shall ensure that personal data is adequate, relevant, and strictly limited to what is necessary in relation to the purposes for which they are processed.
- Collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
- Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
- Kept in a form that identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
11. Collection of Personal Data
Sky World Limited shall collect data directly from the data subject through a secure channel. Sky World Limited shall collect personal data indirectly where:
- The data is contained in a public record.
- The data subject has deliberately made the data public.
- The data subject has consented to the collection from another source.
- The data subject has an incapacity and the guardian appointed has consented to the collection from another source.
- The collection from another source would not prejudice the interests of the data subject.
- Collection of data from another source is necessary:
  - For the prevention, detection, investigation, prosecution, and punishment of crime.
  - For the enforcement of a law that imposes a pecuniary penalty.
  - For the protection of the interest of the data subject or another person.
12. Data Retention
Sky World Limited shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed, unless the retention is required or authorized by law, reasonably necessary for a lawful purpose, authorized or consented to by the data subject, or for historical, statistical, journalistic, literature and art, or research purposes.
Where retention is not required under the above-mentioned grounds, then the data processor or controller shall delete, erase, anonymize or pseudonymize personal data not necessary to be retained under sub-section (1) of the Data Act in a manner as may be specified at the expiry of the retention period.
13. Security
Sky World Limited shall conduct periodic data protection impact assessments (DPIA) to ensure the integrity, availability, and reliability of data are not compromised and that personal data is processed, controlled, transferred, and stored securely using modern software that is kept up to date.
Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorized sharing of information.
When personal data is deleted, this shall be done safely such that the data is irrecoverable.
Appropriate backup and disaster recovery solutions shall be in place. Sky World Limited has put in place technical and operational measures to ensure the integrity and confidentiality of your data via controls around information classification, access control, cryptography, physical and environmental security, and monitoring and compliance.
14. Breach
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data, Sky World Limited shall promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the Data Commissioner in line with the guidelines set out in the Regulations and the provisions of the Act. Sky World Limited shall notify the Data Commissioner of a data breach within seventy-two hours of becoming aware of the breach. In case the notification is not made within the specified time, Sky World Limited shall submit a written document stating the reason for the delay.
14.1 Breach Notification as a data processor
Whenever there is a personal data breach, Sky World Limited shall notify the relevant data controller within forty-eight hours of becoming aware of the breach.
14.2 Breach Notification as a data controller
Sky World Limited may restrict communication of a breach for the purpose of prevention, detection, or investigation of the incident. Sky World Limited may choose not to communicate the personal data breach to data subjects where the appropriate security safeguard has been implemented.
15. Disclosure of Information
Any disclosure of your information shall be in accordance with applicable law and regulations. Sky World Limited shall assess and review each application for information and may decline to grant such information to the requesting party.
We may disclose your information to:
- Law-enforcement agencies, regulatory authorities, courts or other statutory authorities in response to a demand issued with the appropriate lawful mandate and where the form and scope of the demand is compliant with the law.
- Our subsidiaries, associates, partners, software developers or agents who are involved in delivering Sky World Limited products and services you order or use.
- Fraud prevention and anti-money-laundering agencies, and credit reference agencies.
- Publicly available and/or restricted government databases to verify your identity information in order to comply with regulatory requirements.
- Survey agencies that conduct surveys on behalf of Sky World Limited.
- Emergency service providers when you make an emergency call (or where such disclosure to emergency service providers is necessary for your rescue, health and safety) including your approximate location.
- Any other person that we deem legitimately necessary to share the data with.
We shall not release any information to any individual or entity that is acting beyond its legal mandate.
We will get your express consent before we share your personal data with any third party for direct marketing purposes.
16. Contact Us
Please contact our Data Protection Officer if you (i) have any questions or concerns about how Sky World Limited processes your personal data or (ii) want to exercise any of your rights in relation to your personal data, on +254 726 713 580 or by writing to us on email: dpo@skyworld.co.ke
17. Amendments to this Statement
Sky World Limited reserves the right to amend or modify this privacy statement from time to time and your continued use of our products and services constitutes your agreement to be bound by the terms of any such amendment or variation. You can access the most current version of the privacy statement from www.skyworld.co.ke. Any amendment or modification to this statement will take effect from the date of notification on the Sky World Limited website.