15.1.We may periodically review and update this Privacy Notice to ensure its compliance with applicable laws, regulations, and industry practices. We reserve the right to modify or amend this policy at any time. If we make any material changes to the policy, we will notify you through appropriate channels.

• C&R is a leading Share Registry Service provider with operations in Kenya and Uganda. We seek to develop long-term client relationships based on trust, delivery and service excellence. We believe in listening to our clients in order to attain an appreciation of their specific business and transactional needs so as to provide them with the most appropriate skills and services.
• Our Head Office is located at 5^thNgong Avenue, IKM Place, Tower B, 1^st

• This Job Applicant Privacy Policy applies to all personal information collected, processed, and stored by the Company during the job application and recruitment process. It encompasses all stages of recruitment, including the submission of applications, interviews, assessments, and background checks.
• This policy applies to all job applicants, whether they apply through our website, email, or any other method.
• This policy does not cover the privacy practices of third-party websites or services that may be linked to or accessible through our website. We encourage you to review the privacy policies of those third parties before providing any personal information.
• By submitting your application and personal information, you acknowledge that you have read and understood this Job Applicant Privacy Policy.

• In the context of this Job Applicant Privacy Policy, “processing” refers to any operation or set of operations performed on personal data, whether automated or manual.
• Processing includes, but is not limited to, the collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction of personal data.
• Processing of personal data occurs throughout the entire job application and recruitment process, starting from the initial submission of the application until the final decision regarding the job applicant’s suitability for the position.

• As part of our recruitment process, we collect and process personal data relating to Job Applicants: –

• Please note that the lawful basis for collection may vary depending on applicable data protection laws and the specific circumstances of data processing.
• The Company does not usually request information regarding your race, ethnicity, political opinions, religion and religious beliefs, trade union membership, details of your spouse or children, sexual orientation, or political affiliation as part of your application. Unless specifically responding to a question, please do not include this type of personal data. If we require this information in connection with your application, we will inform you of the reasons and lawful basis for the collection.
• If you fail to provide the required information or provide inaccurate or incomplete information, it may hinder our ability to properly evaluate your application. This could result in the rejection of your application or the inability to proceed with the recruitment process.

We collect information about you from various sources, including: –

• Directly from you during the interview process,which may take place in person or through video conferencing platforms and after the interview process for successful candidates.
• Indirectly: –

• from our recruitment and background check services providers.
• from your employment references.
• when you access our premises through CCTV Cameras.
• when you interact with our website or other social media platforms such as Facebook, Instagram, LinkedIn, Twitter and YouTube (in this case we collect cookies and online identifiers

• We retain the personal information of unsuccessful job candidates for a period of three years from the date of the decision or completion of the recruitment process. This retention period allows us to defend ourselves in case of any legal claims or disputes that may arise.
• For successful job candidates who are hired, we retain their personal information for the duration of their employment with our company and for a period of five years after the termination of their employment. This extended retention period ensures compliance with legal, contractual, and regulatory requirements, as well as for potential reference purposes.
• During the retention period, appropriate measures will be taken to protect the personal information from unauthorised access, use, disclosure, alteration, or destruction.
• After the expiration of the respective retention periods, we will securely dispose of or anonymise the personal information in a manner that complies with applicable data protection laws and regulations.

• To fulfill the purposes outlined in clause 6 of this Privacy Policy, your data may be transferred via our IT cloud systems.
• We will only transfer your personal data outside Kenya where such transfer is compliant with the provisions of the Data Protection Act 2019 and the Data Protection (General) Regulations,2021.
• To ensure that your personal data receives adequate levels of protection, we carefully select third party services providers who can provide sufficient guarantees regarding adequate security measures to safeguard your personal information.

• We take great care to ensure that your personal information is only accessed by authorised individuals.
• We may share your Personal Data in the following ways:
• With third party service providers:We may make certain Personal Data available to third parties who provide services to us, such as background checks services providers. When we share your personal information with these third parties, we do so on a need-to-know basis and under clear contractual terms and instructions for the processing of Personal Data.
• With other third parties:We may also share your information with other types of third parties when required, such as law enforcement or legal authorities.
• Whenever we authorise third parties to access your Personal Data, we take steps to ensure they have appropriate security measures in place and that they only use the Personal Data confidentially and in a manner that is consistent with this Privacy Policy.

• We have implemented comprehensive technical, administrative, physical, and procedural security measures, consistent with local and international information practices and regulations, to protect the personal data from misuse, unauthorised access or disclosure, loss, alteration, or destruction. These measures include:
• Physical safeguards such as secure lockable cabinets, controlled access to our facilities, and secure destruction of media containing personal data.
• Technical Safeguards such as use of anti- virus and endpoint protection software, passwords, encryption, and regular security audits to out IT infrastructure to ensure compliance with our security policies.
• Organisational safeguards, including conducting regular training on data protection and cyber security for all our employees and persons that process personal data on our behalf. These measures ensure that they understand the importance of safeguarding personal data. We also enforce IT and data protection policies that govern how we collect, use and safeguard your personal data.
• Ifyou suspect any misuse, loss, or unauthorised access to your personal data, please let us know immediately by sending us an email on DP@candrgroup.co.ke.

• The Data Protection Act accords you with several rights over your data:
• right to information: you have a right to be informed how the Company uses and protects your personal data.
• right of access: you are entitled to access your personal data that is held by us.
• right to object:  you can object to the processing of all part of your personal data, except in cases where we can demonstrate a compelling legitimate interest for the processing which overrides your interests or for legal claims.
• right to rectification: You have the right to request the correction of inaccurate, outdated, incomplete, or misleading personal data held by us.
• right to erasure: You can request the deletion or destruction of personal data that we are no longer authorised to retain, or if it is irrelevant, excessive, or obtained unlawfully.
• right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller or processor, where technically feasible.
• Rights related to automated decision: You have the right not to be subject to decisions based solely on automated processing, including profiling. You can also request a reconsideration of such decisions or request a new decision based on non-automated processing.
• right of restriction: You have the right to request the restriction of processing your personal data under certain circumstances, such as when you contest its accuracy, when it is no longer necessary, when the processing is unlawful, or when you have objected to the processing pending verification of legitimate interests.

• If you wish to exercise any of the rights stated in clause 14, please write an email to the Data Protection Officer (DPO) on DP@candrgroup.co.ke
• We will endeavor to respond to all inquiries via email within the timelines stipulated in law.
• When your information is processed by third-party services providers, we will promptly request third parties to your personal data.
• In order to ensure that we release information to the correct individual, we may request identification verification.
• In some cases, we will not be able to comply with your request. If this happens, you will be duly notified.

• Providing accurate information: It is your responsibility to provide accurate and up-to-date personal information during the job application process. This includes details such as your contact information, employment history, educational background, and any other relevant information requested by the employer.
• Security measures: While we take appropriate measures to protect your personal information, it is important for job applicants to also take precautions to safeguard their own information. This includes using secure internet connections when submitting online applications, keeping login credentials confidential, and being cautiouswhen sharing personal information through email or other communication channels.
• Reference information confidentiality: As a job applicant, it is your responsibility to respect the confidentiality of information related to your references. When providing references, you should seek their consent and inform them that their contact information and any relevant details will be shared with the employer for the purpose of evaluating your application. You should also advise them to refrain from disclosing any confidential or sensitive information about themselves or others during the reference process. By ensuring the confidentiality of reference information, you help maintain trust and protect the privacy of all individuals involved in the job application process.

• We reserve the right to update or modify this Job Applicant Privacy Policy from time to time. Any changes will be effective immediately upon posting the revised policy on our website or notifying you through other appropriate means. It is your responsibility to review this policy periodically to stay informed about any updates or modifications.
• By continuing to use our services or submitting job applications after any changes to this policy, you acknowledge and agree to the revised terms. If you disagree with any changes to this policy, you should refrain from using our services or submitting job applications.
• We encourage you to regularly check this page for the most up-to-date version of our Job Applicant Privacy Policy.

• If you have any questions, concerns, or inquiries regarding the processing of your personal data or this Job Applicant Privacy Policy, please feel free to reach out to our designated Data Protection Officer (DPO) atDP@candrgroup.co.ke. The DPO is responsible for overseeing data protection matters and will be able to assist you with any privacy-related queries.
• Additionally, if you have specific concerns or requests related to your personal data, you may also contact us through the contact details provided in clause 16 of this policy. We will strive to address your inquiries and provide the necessary assistance in a timely manner.

• C&R reserves the right to make changes to this Privacy Policy to reflect any changes in data protection legislation. Please visit our website you want to stay up to date, as we will post any changes here.

• This Policy is directly tied to data protection and helps prevent unauthorized access to company premises and information.
• Unauthorized access to the company premises including employee offices, stores or restricted areas such as the company archives and strong room can expose confidential data, leading to potential data breaches or information leakage.
• Compliance with this policy is essential for meeting legal and regulatory requirements related to data protection.

• This policy outlines the purpose, use and management of our CCTV monitoring system.
• C&R has installed the CCTV system to:
• provide verification data for shareholders assist in the prevention and detection of crime
• assist with potential investigation and identification of offenders
• protect company assets
• as a means of assistance to employees in case of emergency situations.
• CCTV systems are owned and operated by C&R.
• C&R understands that all systems, information, documents and recordings obtained and used as data is protected by the Data Protection Laws.
• The viewing and copying of the images will be strictly controlled. Provision of images to externalagencies will only be provided in line with clause 7

• The Executive Senior Management team has the ultimate responsibility for ensuring that C&R complies with this policy.
• The Data Protection Officer is responsible for: –
• the overall management and operation of the CCTV system, including activities relating to installations, recording, reviewing, monitoring, and ensuring compliance with this policy.
• the privacy and data protection aspects of this policy. Any questions you may have about this policy should be referred to the DPO.
• This policy shall be reviewed annually by the Data Protection Officer.

• MANAGEMENT AND CONTROL OF THE CCTV SYSTEM
• The CCTV system is owned and managed by C&R. The Data Protection Officer is in charge of the day-to-day running of the system.
• For purposes of images collected and processed through our CCTV cameras, C&R is a Data Controller.This means that the Company is responsible for determining the purposes for collecting and using CCTV images.
• The CCTV system operates to meet the requirements of the Data Protection Laws and the relevant CCTV regulatory standards in Kenya and internationally.

• DESCRIPTION OF SYSTEM
• C&R’s CCTV cameras are located in various locations within the Company.
• The CCTV system is operational and is capable of being monitored for 24 hours a day, every day of the year.
• CCTV signs are placed at conspicuous places within C&R to inform visitors to the company premises and members of the public that the Company is under CCTV surveillance. The signage indicates that the system is managed by C&R.
• Any proposed new CCTV installation is subject to a Data Protection Impact Assessment.

• POSITIONING OF CAMERAS

• Cameras are sited to ensure that they secure C&R’s premises as far as is possible by monitoring vulnerable public facing areas.

• Cameras are positioned for clear pictures of shareholders undergoing verification processing
• Cameras are sighted in prominent positions where they are clearly visible.

• Cameras are not sited to focus on areas not intended to be monitored.
• C&R will make all reasonable efforts to ensure that areas outside of our premises are not recorded.
• Cameras will not be cited in areas where individuals have heightened expectation of privacy such as washrooms.

• In its administration of the CCTV system, C&R complies with the Data Protection Laws. Specifically, we: –
• respect the privacy of an individual when processing personal data.
• process personal information lawfully, fairly and transparently.
• collect data for specify the explicit and legitimate purposes and restricts processing to those purposes.
• retain your images/likeness for no longer than necessary for the purpose to which the information is collected.
• shall not transfer your images outside the country. Where we do so, we have put in place appropriate technical and organizational measures to safeguard your personal information.
• process personal data in a manner that ensures appropriate security and confidentiality of that information. We employ appropriate technical or organizational measures to protect your data against unauthorized access accidental loss destruction or damage.

• Any individual whose data is collected or otherwise processed through the CCTV System has rights to that personal data. In particular, a person has the following rights:

• Right to information
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Right to automated decision making
  • Data Subject request will be handled according to our Policy Procedures for Handling Data Subject Rights and Requests.
  • Where C&R is unable to comply with a Data Subject request without disclosing the personal data of another individual who is identified from that information, we are not obliged to comply with the request.

• In limited circumstances it may be appropriate to disclose images collected on our CCTV system to third parties.
• We may disclose personal information to third parties when it is required by law, in relation to the prevention or detection of a crime, or to comply with a written law or court order.

• Such disclosures will be made at the discretion of the Data Protection Officer in collaboration the CEO and the Legal department.
• Where a suspicion of misconduct arises, CCTV images may be disclosed to be used in employee disciplinary cases.

• Images on our CCTV system are automatically overwritten after 60 days from the date of recording.
• Where it is necessary to hold an image for longer than the period indicated above, for example for evidentiary purposes, the investigation of an offence or as required by law, this request will be in writing and directed to the Data Protection Officer.
• The images held beyond their retention period will be reviewed and any not required for evidentiary purposes will be deleted.

• The DPO shall receive all inquiries and complaints related to the privacy of a Data Subject and, where necessary, institute investigations. All complaints shall be sent to

• Data Subjects may inquire or request for any information regarding any matter relating to the processing of their personal data under the custody of C&R, including data privacy and security policies implemented to ensure the protection of their personal data. They may write to the DPO and briefly discuss the inquiry, together with their contact details for reference.
• The DPOshall maintain a log of all inquiries and complaints.

• Compliance with the CCTV Policy will be periodically monitored by the Data Protection Officer (DPO).
• Non-compliance may result in disciplinary action, up to and including termination of employment.

• C&R reserves the right to modify this manual from time to time to accurately reflect the regulatory environment and data protection laws.

• This policy will be reviewed annually by the Data Protection Officer to reflect current legislation and trends in the CCTV monitoring field.
• Where any material changes are made to this manual, C&R shall without undue delay notify people through publication on the website.