Data Security & Privacy Policy

1. Purpose of this Policy

Komaza takes its responsibility regarding the management of our stakeholders’ data very seriously. This policy sets out how the organisation manages those responsibilities.

Komaza obtains, uses, stores and otherwise processes Personal Data relating to its stakeholders, such as potential, current and former staff, current and former workers, contractors, website users, vendors, customers and farmer partners and their families, collectively referred to in this policy as Data Subjects.

As an organisation that was founded, and continues to carry out its obligations, with and through international funding, we draw our data policy guidelines heavily from the General Data Protection Regulation (the GDPR), which came into force in 2018. When processing Personal Data, Komaza is obliged to fulfill individuals’ reasonable expectations of privacy by complying with the GDPR, the Data Protection Act, No. 24 of 2019 of the Laws of Kenya (the DPA), and other relevant data protection legislation.

This policy seeks to ensure that we:

  1. are clear about how Personal Data must be processed and Komaza’s expectations for all those who process Personal Data on its behalf;
  2. comply with existing data protection laws and with good practice;
  3. protect Komaza’s reputation by ensuring the Personal Data entrusted to us is processed in accordance with Data Subjects’ rights; and
  4. protect Komaza from risks of Personal Data Breaches and other breaches of data protection law.

2. Definitions of Key Terms

Consent: agreement which must be freely given, express, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of Personal Data relating to them.

Data Commissioner: the person appointed under Section 6 of the Data Protection Act, No. 24 of 2019 for the time being.

Data Controller: the person or organisation that determines when, why and how to process Personal Data. The Data Controller is responsible for establishing practices and policies in accordance with the GDPR and DPA. Komaza Forestry Limited is the Data Controller of all Personal Data relating to it and used in all purposes connected with its business purposes.

Data Processing: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to Personal Data from its creation to its destruction, including both creation and destruction.

Data Protection Officer (DPO): the person appointed as such under the GDPR and the DPA in accordance with its requirements.

Data Subject: a living, identified or identifiable natural person about whom we hold Personal Data.

Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes sensitive Personal Data and pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal Data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

Personal Data Breach: any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Personal Data, where that breach results in a risk to the Data Subject. It can be an act or omission.

Profiling: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of automated processing.

3. Scope of this Policy

This policy applies to all Personal Data we process regardless of the location where that Personal Data is stored (e.g. on an employee’s own device, Komaza servers, Komaza website, etc.) and regardless of the Data Subject. All staff and others processing Personal Data on Komaza’s behalf must read it. A failure to comply with this policy may result in disciplinary action.

The Komaza IT and BI Departments are responsible for ensuring that all staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance.

Komaza’s Chief Technology Officer is responsible for overseeing this policy. The Komaza IT Manager is the DPO and can be reached at

4. Why do we process personal information?

We may collect and use Personal Data if it is necessary for our legitimate interest and so long as it is used in a fair and balanced manner for legitimate reasons and does not infringe on anyone’s rights. For example, to process an employment application, for use in research, etc.

We may collect and use personal information only upon being granted Consent by the Data Subject. The Data Subject to whom the information relates can withdraw their Consent for this at any time in writing to the DPO.

We may also collect and use personal information as required to fulfil our legal obligations as a registered employer.

Usually, we will only process Personal Data if we have Consent. In extreme situations, we may share Personal Data with emergency services if we believe it is in someone’s vital interests to do so. For example, if someone is taken ill during working hours.

5. How do we collect personal information?

We collect and use personal information about:

  • Funding partners
  • Implementing partners and agencies
  • Individuals from organisations we work with
  • Members of the Board of Directors
  • Employees
  • Job applicants
  • Volunteers
  • Interns
  • Researchers
  • Consultants
  • Suppliers
  • Farmers and their families
  • Service providers
  • Reviewers
  • Advisors
  • Website visitors, among others

We may collect information from different sources, for example:

  • From Data Subjects directly when they:
    • Apply for a consultancy from us
    • Participate in a campaign
    • Complete a survey
    • Apply to work or volunteer with us
    • Register to be a farmer partner
    • Subscribe for updates via our website
  • From other people who think that someone may be interested in collaborating in our work
  • From the public domain when we think that our interests may overlap
  • From someone who applies to work for us, or from third parties such as a previous or current employer so we can verify details about an applicant
  • From external sources such as publications and works, external reviewers or advisors
  • From CVs provided to us in our applications
  • We may also collect limited data from external and public databases, partners, social media platforms, and other outside sources; such information is therefore available to the general public.

6. What personal information do we use?

We only collect personal information that we genuinely need. This may include:

  • Contact details such as name, address, email address and phone numbers
  • Nationality
  • Date of birth
  • Gender
  • Qualifications
  • Interests
  • Bank account details
  • National ID and Passport information
  • National Hospital Insurance Fund Number
  • National Social Security Fund Number
  • Medical information under the supervision of a qualified healthcare professional
  • Benefits received
  • Employment details
  • Photographs and video recordings
  • Tax and residency status for statutory requirements

We only collect personal information that we genuinely need. This may include:

  • GPS locations
  • bank account details, tax and residency status
  • references from previous employers or educational institutions
  • contact details for family members and next of kin
  • information concerning health and medical conditions under the supervision of a qualified healthcare professional
  • information about race, ethnicity
  • details of criminal convictions

7. Personal Data Protection Principles

When we process Personal Data, we should be guided by the following principles, which are set out in the GDPR and the DPA. Komaza is responsible for, and must be able to demonstrate compliance with, the data protection principles listed below:

    1. Fairness and lawfulness:

      When processing Personal Data, the individual rights of the Data Subjects must be protected. Personal Data must be collected and processed in a legal and fair manner.

    2. Restriction to a specific purpose:

      Personal Data can be processed only for the purpose that was defined at the time the Consent of the Data Subject was obtained. Subsequent changes to the purpose are only possible to a limited extent and require substantiation and the Consent of the Data Subject.

    3. Transparency:

      The Data Subject must be informed of how his/her data is being used. In general, Personal Data must be collected directly from the Data Subject concerned. When the data is collected, the Data Subject must either be aware of, or informed of:

      • The identity of the Data Controller
      • The purpose of Data Processing
      • Third parties or categories of third parties to whom the data might be transmitted, if any.

    4. Data retention and data economy:

      Before processing Personal Data, we must determine whether and to what extent the processing of Personal Data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymized or statistical data must be used. Personal Data may not be collected in advance and stored for potential future purposes except for purposes permitted by law. Personal Data must only be retained for purposes permitted by law, as a requirement of the law, subject to the Consent of the Data Subject, and for historical, statistical, journalistic literature and art or research purposes.

    5. Deletion:

      Personal Data that is no longer needed after the expiration of the period and purpose for which they were obtained must be deleted. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been realized, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.

    6. Factual accuracy; up-to-date data:

      Komaza makes best efforts to keep Personal Data on file correct, complete, and up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data is deleted, corrected, supplemented or updated at the request of the Data Subject or upon the realization of an inaccuracy in the entering of such data by the Data Processor.

    7. Confidentiality and data security:

      Personal Data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organisational and technical measures to prevent unauthorised access, illegal processing or distribution, as well as accidental loss, modification or destruction.

8. Rights of the Data Subject

Every Data Subject has the following rights:

  1. The right to be informed of the use to which their Personal Data is to be put;
  2. The right to access their Personal Data in the custody of the Data Controller or Data Processor;
  3. The right to object to the processing of all or part of their Personal Data where such data is incorrect or such processing is unlawful or such data is pending verification;
  4. The right to correction of false or misleading data; and
  5. The right to deletion of false or misleading data about them.

Every request/complaint from a Data Subject must be directed to the DPO who must address the request/complaint at the earliest opportunity without any undue delay.

9. Data Responsibilities

1. Organisational responsibilities

As the Data Controller, Komaza is responsible for:

  1. Establishing policies and procedures in order to comply with the relevant and applicable data protection law(s);
  2. Appointing the DPO;
  3. Collecting and lawfully processing data;
  4. Facilitating the transfer of data from its databases to any other database at the request of the Data Subject at a reasonable cost;
  5. Using such data for lawful purposes and/or purposes for which Consent was granted;
  6. Obtaining the Consent of the Data Subject; and
  7. Protecting the data obtained.

2. Data Protection Officer responsibilities

The DPO is responsible for:

  1. advising Komaza and its staff of its obligations under relevant data protection laws and regulations;
  2. monitoring compliance with this policy and other relevant data protection law, Komaza’s policies with respect to this, and monitoring training and audit activities that relate to data protection compliance;
  3. providing advice where requested on data protection impact assessments;
  4. having due regard to the risk associated with processing operations, considering the nature, scope, context and purposes of processing; and
  5. cooperating with the Data Commissioner and any other authority on matters relating to the protection of data collected and processed by Komaza and its staff and any related complaints filed with the Data Commissioner against Komaza.

3. Staff responsibilities

Staff members who process Personal Data about current and previous staff, applicants, farmers, consultants, customers, interns, or any other Data Subjects must comply with the requirements of this policy. Staff members must ensure that:

  1. all Personal Data is kept securely;
  2. no Personal Data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
  3. Personal Data is kept in accordance with Komaza’s retention schedule;
  4. any queries regarding data protection, including subject access requests and complaints, are promptly directed to the DPO;
  5. any data protection breaches are swiftly brought to the attention of the Talent Services team and the DPO, and that they support the team in resolving breaches; and
  6. where there is uncertainty around a data protection matter, advice is sought from the ESG team and the DPO.

Where members of staff are responsible for supervising external consultants doing work which involves the processing of personal information (for example in research projects), they must ensure that those consultants are aware of the organizational Data Protection principles and abide by them.

Staff who are unsure about who are the authorised third parties to whom they can legitimately disclose Personal Data should seek advice from the Talent Services team or the DPO.

4. Third-Party Data Processors

At Komaza we commit to doing our utmost to ensure that any third parties to whom we grant access to data in our databases in the course of business have corresponding privacy policies and commit to adhering to those corresponding privacy policies and all the data privacy laws prevailing or enacted to give effect to Article 31 of the Constitution of Kenya, 2010.

However, where external companies are used to process Personal Data on behalf of the organisation, responsibility for the security and appropriate use of that data remains with Komaza.

Where a third-party Data Processor is used:

  1. a Data Processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of Personal Data;
  2. reasonable steps must be taken to ensure that such security measures are in place;
  3. a written contract establishing what Personal Data will be processed and for what purpose must be set out; and
  4. a data processing agreement must be signed by both parties.

5. Contractors, Short-Term and Voluntary Staff

Komaza is responsible for the use of Personal Data by anyone working on its behalf. Anyone who employs contractors, short term or voluntary staff must ensure that they are appropriately vetted for the data they will be processing. Generally, where we deem it appropriate to share data with contractors and consultants, short-term employees, and voluntary staff, we will ensure that such data is not used for purposes beyond the legally acceptable basis for which it was provided or requested.

In addition, managers should ensure that:

  1. any Personal Data collected or processed in the course of work undertaken for Komaza is kept securely and confidentially;
  2. all Personal Data is returned to Komaza upon completion of the work or at the termination of the services of such parties, including any copies that may have been made;
  3. Komaza receives prior notification of any disclosure of Personal Data to any other organisation or any person who is not a direct employee of the contractor;
  4. any Personal Data made available by Komaza, or collected in the course of the work, is neither stored nor processed outside Kenya unless written Consent to do so has been received from the organisation;
  5. all practical and reasonable steps are taken to ensure that contractors, short term or voluntary staff do not have access to any Personal Data beyond what is essential for the work to be carried out properly.

10. How we use personal information

Generally, we will only use your personal information for the purpose for which it was provided to us and in ways that you would reasonably expect. The purposes for the collection and processing of your data therefore include but are not limited to:

  1. Identification
  2. Processing of requests from Data Subjects
  3. Provision of services
  4. Profiling as defined
  5. Redressal of complaints from Data Subjects or the Data Commissioner
  6. The correction, deletion, alteration and pseudonymization of data in our databases
  7. General administrative purposes which include but are not limited to management of company records and archives.

11. Partnership agreements with organisations and individuals

We collect and use personal information from organisations and individuals who:

  1. Are interested in applying for a partnership opportunity with us
  2. Apply for a partnership opportunity
  3. Enter into a partnership agreement with us

We process this personal information to pursue our legitimate interests (and the interests of the applicant) and fulfill our strategic aims.

The prime use of the personal information is to conduct research, and to process and manage partnership opportunities between us. We also use it for monitoring, evaluation and reporting purposes so that we can consider important factors such as trends in funding areas, the impact and reach of our funding, and the demographic make-up of funding areas.

When legally obliged, we may share our partners’ personal information with relevant statutory bodies as required.

We may need to share it with external reviewers and advisors (e.g. funding partners, program monitors, evaluation specialists) to review, monitor or evaluate these partnership opportunities. We may need to share your contact details with suppliers.

12. Case Studies

We only use personal information in case studies when you have Consented for us to do so. We will make it clear to you how we might use your information and who we may share it with; again, we will only do so with your Consent. Our legal basis for using your personal information in case studies is your Consent.

13. Photographs and recordings

We use photographs and recordings to promote Komaza and the work that we do. These can be used in the form of reports, news stories on our website, documentation of impact stories, information in our annual reports, on our website, and other such materials that seek to explain or promote our work.

We take photographs and recordings of people who agree to be the subject during our documentation endeavours. We always obtain Consent from the individual or group to take and use their image(s) and explain how we intend to use it. Our legal basis for using personal information for this purpose is Consent.

14. Research and surveys

If someone chooses to take part in one of our research projects or surveys, we will use the personal information that is provided to process the results of the survey and undertake relevant analysis. We will not share the personal information that is provided in a survey with any other organisations, unless Consent is first sought for this. Survey results will be anonymised before being shared or published. Our legal basis for using the personal information that someone chooses to provide to us in a survey is legitimate interest and Consent.

15. Travel Arrangements

We will use the personal information provided, including passport and medical information, when making travel arrangements for employees, board members, consultants, and any other relevant personnel. We may share some of this information with our insurance company and travel agents. Our legal basis for processing this personal information is legitimate interest. We will obtain your Consent when collecting and using information relating to your health.

16. Employee, intern and volunteer recruitment

If someone provides us with information, such as a resume or curriculum vitae in connection with a job or volunteer application or enquiry, we may use this information to process the enquiry. We will not store this information for any purpose other than that relating to the application. Our legal basis for using information in this way is for our legitimate interest.

17. Employee administration and payroll

We will process personal information of our employees to fulfill our contract with them. This includes payroll processing and the provision of training. We are required by law to share some financial information with the Kenya Revenue Authority (KRA), National Social Security Fund (NSSF), National Hospital Insurance Fund (NHIF), National Industrial Training Authority (NITA), and other public and statutory bodies. We may also need to share some personal information with other organisations, for example insurance providers, and pension providers. We process employee personal information to fulfill our contracts with our employees and meet our legal obligations as an employer. This should be done in strict confidentiality at all times.

18. Processing expenses and honoraria

If someone claims expenses from Komaza or if we are required to pay an honorarium, we will use personal information, including bank account details, to process a claim. Our legal basis for using such information for this is legitimate interest.

19. Governance

We process relevant personal information about existing and potential board of directors, committee members and directors for governance purposes.

We may undertake necessary checks to identify any criminal and other activity we need to be aware of. We will do this with Consent.

We will share some personal information with the relevant regulatory authorities to meet our legal obligations, both within and outside the country.

20. Health and safety

We are legally obliged to collect personal information of employees, volunteers, and consultants, for health and safety purposes. We may be required to share some of this information with our insurance provider.

21. Volunteers and Interns

We will process personal information of volunteers and interns if they choose to volunteer or undertake an internship opportunity with us. We will keep a record of contact details, experience and qualifications. Our legal basis for using this information in this way is for our legitimate interest. It may also be necessary to run checks to identify any activities we need to be aware of; we will seek Consent before doing so.

22. Researchers

We will use the personal information of Researchers to commission research. Our legal basis for using such personal information in this way is for the performance of a contract.

23. Consultants

We will use the personal information of consultants to provide various services to Komaza. Our legal basis for using such personal information in this way is for the performance of a contract.

24. Suppliers

We will use the personal information of suppliers’ contacts to pay and communicate with them. Our legal basis for using such personal information in this way is for the performance of a contract.

25. Complaints and general inquiries

If a complaint is raised with us, we will process the personal information that is provided to us to manage and resolve the complaint. Our legal basis for using personal information for this purpose is the resolution of such complaints and the handling of such inquiries.

26. Cookies and aggregate information

We may use cookies and log files on our website to store information about how someone uses our website using Google Analytics. A cookie is a piece of data stored on the user’s computer tied to information about the user. This information may include an IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of service use. This enables us to analyse the use of our website and services. We may also create a profile which details someone’s viewing preferences. We use a profile to tailor someone’s visit to our website, to make navigation easier and direct the visitor to information that best corresponds to interests and country.

The legal basis for this processing is our legitimate interests, monitoring and improving our website and services. Please see our cookie statement for more information.

27. Sharing personal information

We will not exploit your personal information for commercial reasons without your Consent.

We will only share personal information where we are required to fulfill a contract, or legitimate interest, where we have Consent, or we are required to do so by law.

We may share personal information with third party organisations who will process it on our behalf, for example an external software development consultant. Everything an external service provider does is strictly governed by a contract and the terms and conditions of this privacy policy. In addition, before we share any information with those service providers, we will put in place a signed data processing agreement which confirms that the personal information we provide will only be used for the purposes we specify and will be processed in line with data protection legislation.

We may share some personal information in relation to partnership applications with:

  1. Auditors and reviewers
  2. Funding partners
  3. Partners and third parties such as universities and research institutes for the purposes of monitoring, evaluation, research and learning
  4. We may also share personal information with our bank to process a payment; our professional advisers (such as our legal advisers) where it is necessary to obtain their advice; our pension provider; our insurance provider; and our IT support and data storage providers.

Where required, we will process personal information to comply with our legal obligations. In this respect we may use Personal Data to comply with subject access requests; tax legislation; for the prevention and detection of crime; and to assist the police and other competent authorities with investigations including criminal and safeguarding investigations.

28. Confidentiality of Personal Data

Personal Data shall be kept confidential. Any unauthorized collection, processing, or use of such data by employees is prohibited. Any Data Processing undertaken by an employee that he/she has not been authorized to carry out as part of his/her legitimate duties is unauthorized. The “need to know” principle applies. Employees may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.

Employees are forbidden to use Personal Data for private or commercial purposes, to disclose it to unauthorized persons, or to make it available in any other way. Managers must inform their employees at the start of the employment relationship about the obligation to protect data secrecy. This obligation shall remain in force even after employment has ended.

29. Data Processing Security

Personal Data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of Data Processing, particularly new IT systems, technical and organisational measures to protect Personal Data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data (determined by the process for information classification).

In particular, the responsible department or staff can consult with Komaza’s Information Technology Manager. The technical and organisational measures for protecting Personal Data are part of our data security management and must be adjusted continuously to the technical developments and organisational changes.

30. For how long do we keep personal information?

We will hold personal information for as long as is necessary to realize the purpose for which you gave your Consent. We will not retain personal information if it is no longer required or if the purpose for which it was obtained has been realized. In some circumstances, we may legally be required to retain personal information, for example for finance, employment, audit purposes, historical or even legal reasons.

31. Changes to this policy

This Data Protection and Privacy Policy may change from time to time. Komaza will notify affected parties of any such changes.