The Privacy Policy
The Job Applicant Privacy Policy
The CCTV Policy
The Privacy Policy
WEBSITE PRIVACY NOTICE
CONTENTS
1. POLICY STATEMENT 3
2. ABOUT US 3
3. WHO DOES THIS POLICY APPLY TO? 3
4. WHAT IS PERSONAL DATA? 3
6. HOW DO WE COLLECT YOUR PERSONAL DATA? 6
7. DATA SHARING 7
8. DATA SECURITY 8
9. INTERNATIONAL DATA TRANSFERS 8
10. PERSONAL DATA RETENTION 9
11. COOKIES 10
12. WHAT RIGHTS DO YOU HAVE OVER YOUR DATA? 10
13. YOUR RESPONSIBILITIES 11
14. CHANGES TO THIS POLICY 12
1.POLICY STATEMENT
1.1.At Custody and Registrars Services Limited (“C&R” We”, “Us”, “Our”, “Company”) the privacy of your personal information is our utmost concern. We are committed to processing your personal data in a lawful, fair and transparent manner and in accordance with data protection laws applicable in Kenya.
1.2.This Privacy Notice outlines how we collect, use, disclose, and protect personal information in connection with our services, including offering Share Registry Services.
1.3.Please take time to read this Privacy Notice to understand how and why we collect and use your information in connection with our services.
2.ABOUT US
2.1.Custody and Registrars Services Limited is a leading Share Registry Service provider with operations in Kenya and Uganda. We seek to develop long-term client relationships based on trust, delivery and service excellence.
2.2.Our Head Office in Nairobi is located at 5th Ngong Avenue, IKM Place, Tower B, 1st floor. In Uganda, our Head office is located at along Kampala Road, DTB Centre 1st Floor.
3.WHO DOES THIS POLICY APPLY TO?
3.1.This Privacy Notice applies to all shareholders, suppliers, office visitors, website users and any other individual whose personal data may be collected in the course of our business operations.
3.2.By accessing our website or using our services, you acknowledge that you have read and understood this Privacy Policy.
4.WHAT IS PERSONAL DATA?
4.1.In this Privacy Notice, Personal Data refers to any information relating to an identified or identifiable individual. This includes identification details such as name, ID/Passport, contact details, share transfer and immobilization details, information collected to process unclaimed dividends, your queries, complaints and special requests and any other data that can be used to directly or indirectly identify an individual.
4.2.Personal data may also include sensitive information, such as family details including children’s information, biometric data, property records and financial information.
5.TYPES OF INFORMATION COLLECTED PURPOSE AND LAWFUL OBLIGATION
5.1.We collect Personal Data directly from you as well as from other available sources to the extent permitted by law. We endeavour to only collect Personal Data that is necessary for the purpose(s) for which it is collected and to retain such data for no longer than necessary for such purpose(s). Subject to applicable law and practice, the categories of Personal Data that are typically collected and processed are:
Data subject Type of personal data collected Lawful Basis
Shareholders ▪Identification details: name, ID/Passport, nationality, KRA PIN, CDSC number, birth certificates, marriage certificates, death certificates, signature
▪Contact details: phone number, email address and postal address.
▪Information collected to verify, and process share immobilization certificates: share certificates, information contained in sworn affidavits and dividend notices
▪Statements of accounts: bank account details, CDSC or broker statements, bank statements.
▪Information collected to process unclaimed dividends: lost cheque details; dividend notice, information contained in sworn affidavit
▪Information collected to process lost/misplaced share certificates: police abstract for lost certificate and receipt, information contained in affidavits, dividend notice/share certificate, electricity utility bill, letter from the area chief.
▪Information relating to payment preference modes (EFT or Swift): bank account name, account number, swift code.
▪Information relating to payment preference modes (M-Pesa): M-Pesa number, share account number, dividend notice or share certificates.
▪Information contained in IPO/PPO Offer /Cash Offer/Bonds Issue/Rights Issue forms: number of shares applied for, preferred payment mode, acceptance instructions, value of notes applied for.
▪Information received from brokers, NSE and beneficiaries: share certificates, unpaid dividend cheques, grant of letters of administration/probate, certificate of confirmation of the grant, letters of administration, letter from public and summary indemnity letter, personal information contained in sales transfer form
▪Information received from Share Registrars and CDSC: number of shares held, and personal information contained in monthly reports, such as the Top 40 Shareholders Report.
▪Information collected to process unclaimed assets: duly filled claim forms,
▪Correspondence: queries, complaints, special requests and any other form of correspondence.
▪Customer surveys: customers’ opinion, statements and views.
▪Online identifiers such as cookies and related tags, IP addresses, Google Analytic reports
▪CCTV footage when you visit our offices Legal Obligation
Contract
Legitimate interests
Suppliers ▪Identification details: name, ID/Passport, KRA PIN
▪Contact details: name, phone number, email address.
▪Contract details
▪Payment details: credit terms supplier statements, bank account details
▪Online identifiers such as cookies and related tags, IP addresses, Google Analytic reports
▪CCTV footage when you visit our offices.
▪Complaints/requests Contract
Legal Obligation
Legitimate interests
Office Visitors ▪Contact details: phone number, email address.
▪Identification details: name, ID/passport
▪ Car registration number
▪CCTV footage when you visit our company premises.
▪Online identifiers such as cookies and related tags, IP addresses, Google Analytic reports
▪Complaints/requests Legitimate interests
Website Visitors ▪Identification details: name
▪Contact details: phone number, email address.
▪Unit preferences
▪Online identifiers such as cookies and related tags, IP addresses Consent
5.2.Please note that the lawful basis for collecting personal data may vary depending on applicable data protection laws and the specific circumstances of data processing.
5.3.If you fail to provide the required information or provide inaccurate or incomplete information, it may hinder our ability to provide to provide you with requested services or information. The specific consequences of not providing personal data will depend on the context and the purpose for which the data is requested.
6.PURPOSES FOR COLLECTING YOUR INFORMATION
6.1.We may collect and use your personal information for the following reasons: –
Shareholders: –
to process unclaimed dividends
to dematerialise share certificates to the central depository system
to process payment of dividends
to verify shareholders KYC
to processes bonds issue, rights issue, cash offers and bonus issue applications
to facilitate transmission of shares, to entitled beneficiaries
to process shareholders special requests
to send you promotional marketing materials
to safeguard company premises
to improve our services when you
to receive and respond to customer questions Suppliers: –
to fulfil our contractual obligations
to facilitate correspondence
Office Visitors: –
to safeguard company premises and assets
Website Users: –
to facilitate communication & follow up
Customer user preferences and experiences.
7.HOW DO WE COLLECT YOUR PERSONAL DATA?
We may collect your personal information from various sources including: –
7.1.Directly from you when you fill in our data collection forms, call or email u, visit our company premises
7.2.Indirectly: –
from institutions such as Unclaimed Financial Asset Authority (UFAA)(CDSC), the Central depository and Settlement Corporation, Nairobi Securities Exchange (NSE), the Capital Markets Authority (CMA) or from Central Depository Agents (CDAs)
when you interact with our website or other social media platforms such as Facebook, Instagram, LinkedIn, Twitter and YouTube (in this case we collect cookies and online identifiers
when you access our premises which are under CCTV surveillance
8.DATA SHARING
8.1.We may share your personal data within the Company to facilitate our internal operations and provide you with efficient services.
8.2.We may share your personal data with third parties in the following circumstances:
oService Providers: We may engage third-party service providers to perform various services on our behalf, such as IT data processors, bulk email service providers and legal services providers. These service providers will have access to your personal data as necessary to perform their functions but are strictly prohibited from using your personal data for any other purposes.
oBusiness Partners: We may share your personal data with trusted business partners who collaborate with us to provide products or services to you. These partners may use your personal data only for the purposes specified in our agreement with them.
oLegal Obligations: We may disclose your personal data if required to do so by law or in response to a valid legal request, such as a court order or government inquiry. For example, we may share your personal information with the Unclaimed Financial Asset Authority, the Central depository and Settlement Corporation, Nairobi Securities Exchange and the Capital Markets Authority.
oCorporate Transactions: In the event of a merger, acquisition, or any form of corporate restructuring, we may transfer your personal data to the involved parties, if they agree to treat your personal data in accordance with this privacy policy.
oConsent: We may share your personal data with third parties if you have given us explicit consent to do so. You have the right to withdraw your consent at any time.
8.3.When sharing your personal data with third parties, we prioritise the security and confidentiality of your information. We take stringent measures to ensure that these parties comply with strict data protection standards and handle your personal data in accordance with our instructions.
8.4.We carefully select and evaluate third-party service providers, business partners, and other recipients of your personal data. We enter into contractual agreements with these parties, imposing obligations to protect your personal data and restricting their use of the information solely for the specified purposes outlined in our agreement. Furthermore, we require these third parties to implement appropriate technical and organisational measures to prevent unauthorised access, disclosure, alteration, or destruction of your personal data.
9.DATA SECURITY
9.1.We understand the importance of keeping your personal data secure and take appropriate measures to protect it against unauthorized access, loss, misuse, or alteration. We have implemented robust technical and organisational measures to ensure the confidentiality, integrity, and availability of your information, including: –
oTechnical Safeguards: To protect your information during transmission, we utilize industry-standard encryption protocols, ensuring the confidentiality of your data. Our secure network infrastructure incorporates firewalls, intrusion detection systems, and other security measures to prevent unauthorised access and mitigate external threats. Additionally, access controls are in place, restricting data access to authorised individuals through unique user credentials, strong passwords, and role-based privileges. Regular data backups and recovery processes are performed to maintain data integrity and availability.
oOrganisational Safeguards: Our commitment to data security extends to our employees and third-party service providers. Strict confidentiality agreements bind them, emphasizing the importance of maintaining the security and confidentiality of your personal data. Regular training programs are conducted to educate employees on data protection best practices, security protocols, and their responsibilities. Access controls and authorization mechanisms ensure that only authorised personnel can access your data. We have established comprehensive data protection policies and procedures to guide the proper handling, storage, retention, and disposal of personal data. In the event of any security incidents, our incident response plan enables swift identification, mitigation, and notification, as well as measures to prevent future occurrences.
9.2.While we continually enhance our security measures, it is important to note that no security measure can provide absolute protection. However, we are dedicated to maintaining the highest possible standards of data security and will continue to invest in measures to safeguard your information.
9.3.If you suspect any misuse or loss of or unauthorised access to your personal data, please let us know immediately by sending us an email on dataprivacy@candrgroup.co.ke
10.INTERNATIONAL DATA TRANSFERS
10.1.To fulfill the purposes outlined in clause 5 of this Privacy Policy, we may transfer your personal data outside Kenya when we process your personal information over our cloud systems.
10.2.We will only transfer your personal data outside Kenya where such transfer is compliant with the provisions of the Data Protection Act 2019 and the Data Protection (General) Regulations,2021.
10.3.To ensure that your personal data receives adequate levels of protection, we carefully select third party services providers who can provide sufficient guarantees regarding adequate security measures to safeguard your personal information.
11.PERSONAL DATA RETENTION
11.1.We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, or as required by applicable laws and regulations.
11.2.Once the retention periods expire, we shall securely delete or anonymise your personal data in accordance with our Data Retention and Disposal Policy.
11.3.The retention periods for each category of data subjects and their respective personal data may vary based on the specific circumstances and legal requirements. Here are some general guidelines regarding data retention:
11.4.The retention periods for each category of data subjects and their respective personal data may vary based on the specific circumstances and legal requirements. Here are some general guidelines regarding data retention:
Shareholders: For shareholders, we typically retain personal data relating to immobilization of shares, transmission of shares, information required to process unclaimed dividends, immobilization of shares, information relating to processing IPO/PPOs, Bonus Issue, Cash Offers, Bonds issue and Rights Issue, indefinitely. This is necessary to maintain a historical record of ownership and ensure compliance with legal and regulatory obligations over the long term. We will retain any other information other than information relating to processing and transfer/transmission of shares, for the duration of your time with us and seven (7) years thereafter. However, such retention may be subject to any legal or regulatory requirements, further processing historical, statistical, journalistic, literature, art or research purposes or any you give consent for longer retention periods. Where we collect information based on consent, we retain your information until you withdraw your consent.
Suppliers: We will retain your personal information outlined in clause 5 of this Privacy Notice for the duration of the business relationship and for six [6] years thereafter. This allows us to maintain effective communication, fulfill contractual obligations, and comply with legal requirements.
Website User and Visitors to the Company premises: If you are a Website/ User or a visitor to the company premises, we will retain your personal data for as long as necessary which duration, we have determined to be one (1) year to achieve the purpose stipulated in clause 5 of this Privacy Policy. If this time has come or you have expressly indicated that you are not interested in our website, we will delete it from our systems unless we believe in good faith that the law or other regulation requires us to preserve it.
12.COOKIES
12.1.We use cookies and similar technologies on our website to enhance your browsing experience, personalize content, analyze website traffic, and track user interactions. A cookie is a small text file that is stored on your device when you visit our website.
12.2.We use different types of cookies on our website:
oEssential Cookies: These cookies are necessary for the functioning of our website and enable you to navigate through the site and use its features. They are essential for providing services that you have requested, such as accessing secure areas of the site or making use of online forms.
oAnalytical and Performance Cookies: These cookies collect information about how visitors use our website, such as which pages are visited most frequently or if any error messages occur. We use this information to analyse and improve the performance and functionality of our website.
oMarketing and Advertising Cookies: These cookies are used to deliver targeted advertisements and promotions that may be of interest to you. They are placed by third-party advertising networks with our permission. These cookies may track your browsing activities across different websites.
12.3.Cookie Consent: By using our website, you consent to the placement of cookies on your device as described in our Cookie Policy. You can manage or disable cookies through your browser settings. Please note that disabling certain cookies may impact the functionality and performance of our website.
12.4.Third-Party Cookies: We may allow certain third-party service providers to place cookies on our website for advertising, analytics, or other purposes. These third parties have their own privacy policies and may collect information about your browsing activities on our website and other websites.
12.5.Data Collected by Cookies: The information collected by cookies may include your IP address, browser type, device information, and browsing behaviour. We take appropriate measures to protect the security and confidentiality of cookie data. We ensure that any third parties that have access to cookies comply with strict data protection standards and process the information in accordance with our instructions.
13.WHAT RIGHTS DO YOU HAVE OVER YOUR DATA?
13.1.Under the Data Protection Act, 2019, you have serval rights regarding your personal data.
oright to information: you have a right to be informed of how the Company will use your personal data.
oright of access: you are entitled to access your personal data that is in our possession or custody.
oright to object: you can object to the processing of all part of your personal data, except when we can demonstrate a compelling legitimate interest for the processing which overrides your interests or for the establishment, exercise or defence of a legal claim.
oright to rectification: you have the right to request the correction of inaccurate, outdated, incomplete or misleading personal data in our possession or under our control, without undue delay.
oright to erasure: you have the right to request deletion or destruction, without undue delay, of personal data that we are no longer authorised to retain, or that is irrelevant, excessive, or obtained unlawfully.
oright to data portability: you have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format and to transmit the data to another data controller without hindrance. Where technically feasible, you may also request direct transmission of your personal data from us to another data controller or data processor.
oautomated decision making you have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects affects you. If we make automated decisions based on your personal data, you will be notified in writing. You can also request us to reconsider any decisions made solely through automated processing or to make a new decision that is not solely automated.
oright of restriction: You can request the restriction of processing your personal data in certain circumstances, such as when you contest the accuracy of the data, it is no longer needed for processing, it was processed unlawfully, or you have objected to the processing pending verification of our legitimate interests.
13.2.If you wish to exercise your rights, please write an email to the Data Protection Officer (DPO) on dataprivacy@candrgroup.co.ke. We will make every effort to address your inquiries and requests via email within the timelines specified by applicable data protection laws and regulations.
13.3.To ensure the security and accuracy of the personal data we provide, we may request additional information and verification of your identity. This is necessary to confirm that we are releasing the data to the rightful owner.
14.YOUR RESPONSIBILITIES
14.1.As a data subject, it is important that you understand and fulfil certain responsibilities to ensure the protection and privacy of your personal data. By providing your personal data to Custody and Registrars Services Limited you agree to adhere to the following responsibilities:
oAccuracy and Updates: You are responsible for providing accurate and up-to-date information to the Company. Please inform us promptly of any changes or updates to your information.
oThird-Party Data: If you give us personal data of third parties, such as entitled beneficiaries it is your responsibility to ensure that you have obtained the necessary consent or authority to share their information. Inform these individuals about the processing activities and possible international transfers of their data.
oReporting Concerns: If you have any concerns or complaints regarding the processing or transfer of your personal data, please contact our designated Data Protection Officer (DPO) at dataprivacy@candrgroup.co.ke We appreciate your feedback and will promptly address any issues raised.
15.CHANGES TO THIS POLICY
15.1.We may periodically review and update this Privacy Notice to ensure its compliance with applicable laws, regulations, and industry practices. We reserve the right to modify or amend this policy at any time. If we make any material changes to the policy, we will notify you through appropriate channels.
The Job Applicant Privacy Policy
1. INTRODUCTION
- Custody and Registrars Servicrs Limited (“C&R”, “Company” “We” “Us” “Our”), is committed to protecting the privacy and personal information of our job applicants.
- This Job Applicant Privacy Policy outlines the types of information we collect, how we use and protect it, and the rights of job applicants in relation to their personal data.
2. WHO IS CUSTODY AND REGISTRAS SERVICES LIMITED?
- C&R is a leading Share Registry Service provider with operations in Kenya and Uganda. We seek to develop long-term client relationships based on trust, delivery and service excellence. We believe in listening to our clients in order to attain an appreciation of their specific business and transactional needs so as to provide them with the most appropriate skills and services.
- Our Head Office is located at 5thNgong Avenue, IKM Place, Tower B, 1st
3. WHO DOES THIS POLICY APPLY TO?
- This Job Applicant Privacy Policy applies to all personal information collected, processed, and stored by the Company during the job application and recruitment process. It encompasses all stages of recruitment, including the submission of applications, interviews, assessments, and background checks.
- This policy applies to all job applicants, whether they apply through our website, email, or any other method.
- This policy does not cover the privacy practices of third-party websites or services that may be linked to or accessible through our website. We encourage you to review the privacy policies of those third parties before providing any personal information.
- By submitting your application and personal information, you acknowledge that you have read and understood this Job Applicant Privacy Policy.
4. WHAT DO WE MEAN BY “PROCESSING”?
- In the context of this Job Applicant Privacy Policy, “processing” refers to any operation or set of operations performed on personal data, whether automated or manual.
- Processing includes, but is not limited to, the collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction of personal data.
- Processing of personal data occurs throughout the entire job application and recruitment process, starting from the initial submission of the application until the final decision regarding the job applicant’s suitability for the position.
5. TYPES OF DATA COLLECTED, PURPOSES AND LAWFUL REASONS FOR COLLECTION
- As part of our recruitment process, we collect and process personal data relating to Job Applicants: –
Type of Information collected | Purpose for Collection | Lawful Reason |
Identification details: name, date of birth, ID no/passport number
|
to identify and verify job applicants.
|
Lawful obligations
|
Contact details: telephone number, personal email address, postal address. | · To communicate with job applicants regarding the application process | Legitimate interests |
Education & Work History: Information contained in CVs and Cover Letters, Academic and professional certificates | · To assess the qualifications, skills, and experience of job applicants. | Legitimate Interests
|
Interviews: interview dates, responses given during job interview, interview notes | · To assess the job applicant’s responses, qualifications, and suitability for the role | Legitimate Interests
|
Background search results including police clearance certificates and references from former employers, psychometric test results, information from referees | · To verify information provided by the job applicant | § Legitimate Interest
§ Legal Obligation
|
CCTV footage when you visit our offices | · To secure company premises and assets. | Legitimate interests |
Car Registration Details (if you visit our Company with a car) | · To manage parking facilities and ensure security on company premises | Legitimate interests
|
Correspondence: Any correspondence with job applicants through emails or phone calls | · To communicate with job applicants regarding the application process | Legitimate Interests
|
Online identifiers i.e., IP addresses, cookies, usernames etc.
|
To monitor and improve website functionality and user experience
|
§ Consent (where applicable)
§ Legitimate Interests
|
- Please note that the lawful basis for collection may vary depending on applicable data protection laws and the specific circumstances of data processing.
- The Company does not usually request information regarding your race, ethnicity, political opinions, religion and religious beliefs, trade union membership, details of your spouse or children, sexual orientation, or political affiliation as part of your application. Unless specifically responding to a question, please do not include this type of personal data. If we require this information in connection with your application, we will inform you of the reasons and lawful basis for the collection.
- If you fail to provide the required information or provide inaccurate or incomplete information, it may hinder our ability to properly evaluate your application. This could result in the rejection of your application or the inability to proceed with the recruitment process.
6. HOW IS YOUR PERSONAL DATA COLLECTED?
We collect information about you from various sources, including: –
- Directly from you during the interview process,which may take place in person or through video conferencing platforms and after the interview process for successful candidates.
- Indirectly: –
- from our recruitment and background check services providers.
- from your employment references.
- when you access our premises through CCTV Cameras.
- when you interact with our website or other social media platforms such as Facebook, Instagram, LinkedIn, Twitter and YouTube (in this case we collect cookies and online identifiers
7. RETENTION PERIOD
- We retain the personal information of unsuccessful job candidates for a period of three years from the date of the decision or completion of the recruitment process. This retention period allows us to defend ourselves in case of any legal claims or disputes that may arise.
- For successful job candidates who are hired, we retain their personal information for the duration of their employment with our company and for a period of five years after the termination of their employment. This extended retention period ensures compliance with legal, contractual, and regulatory requirements, as well as for potential reference purposes.
- During the retention period, appropriate measures will be taken to protect the personal information from unauthorised access, use, disclosure, alteration, or destruction.
- After the expiration of the respective retention periods, we will securely dispose of or anonymise the personal information in a manner that complies with applicable data protection laws and regulations.
8. INTERNATIONAL TRANSFERS
- To fulfill the purposes outlined in clause 6 of this Privacy Policy, your data may be transferred via our IT cloud systems.
- We will only transfer your personal data outside Kenya where such transfer is compliant with the provisions of the Data Protection Act 2019 and the Data Protection (General) Regulations,2021.
- To ensure that your personal data receives adequate levels of protection, we carefully select third party services providers who can provide sufficient guarantees regarding adequate security measures to safeguard your personal information.
9. WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
- We take great care to ensure that your personal information is only accessed by authorised individuals.
- We may share your Personal Data in the following ways:
- With third party service providers:We may make certain Personal Data available to third parties who provide services to us, such as background checks services providers. When we share your personal information with these third parties, we do so on a need-to-know basis and under clear contractual terms and instructions for the processing of Personal Data.
- With other third parties:We may also share your information with other types of third parties when required, such as law enforcement or legal authorities.
- Whenever we authorise third parties to access your Personal Data, we take steps to ensure they have appropriate security measures in place and that they only use the Personal Data confidentially and in a manner that is consistent with this Privacy Policy.
10. HOW DO WE PROTECT YOUR PERSONAL DATA?
- We have implemented comprehensive technical, administrative, physical, and procedural security measures, consistent with local and international information practices and regulations, to protect the personal data from misuse, unauthorised access or disclosure, loss, alteration, or destruction. These measures include:
- Physical safeguards such as secure lockable cabinets, controlled access to our facilities, and secure destruction of media containing personal data.
- Technical Safeguards such as use of anti- virus and endpoint protection software, passwords, encryption, and regular security audits to out IT infrastructure to ensure compliance with our security policies.
- Organisational safeguards, including conducting regular training on data protection and cyber security for all our employees and persons that process personal data on our behalf. These measures ensure that they understand the importance of safeguarding personal data. We also enforce IT and data protection policies that govern how we collect, use and safeguard your personal data.
- Ifyou suspect any misuse, loss, or unauthorised access to your personal data, please let us know immediately by sending us an email on DP@candrgroup.co.ke.
11. WHAT RIGHTS DO YOU HAVE OVER YOUR DATA?
- The Data Protection Act accords you with several rights over your data:
- right to information: you have a right to be informed how the Company uses and protects your personal data.
- right of access: you are entitled to access your personal data that is held by us.
- right to object: you can object to the processing of all part of your personal data, except in cases where we can demonstrate a compelling legitimate interest for the processing which overrides your interests or for legal claims.
- right to rectification: You have the right to request the correction of inaccurate, outdated, incomplete, or misleading personal data held by us.
- right to erasure: You can request the deletion or destruction of personal data that we are no longer authorised to retain, or if it is irrelevant, excessive, or obtained unlawfully.
- right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller or processor, where technically feasible.
- Rights related to automated decision: You have the right not to be subject to decisions based solely on automated processing, including profiling. You can also request a reconsideration of such decisions or request a new decision based on non-automated processing.
- right of restriction: You have the right to request the restriction of processing your personal data under certain circumstances, such as when you contest its accuracy, when it is no longer necessary, when the processing is unlawful, or when you have objected to the processing pending verification of legitimate interests.
12. HOW TO EXERCISE YOUR RIGHTS
- If you wish to exercise any of the rights stated in clause 14, please write an email to the Data Protection Officer (DPO) on DP@candrgroup.co.ke
- We will endeavor to respond to all inquiries via email within the timelines stipulated in law.
- When your information is processed by third-party services providers, we will promptly request third parties to your personal data.
- In order to ensure that we release information to the correct individual, we may request identification verification.
- In some cases, we will not be able to comply with your request. If this happens, you will be duly notified.
13. YOUR RESPONSIBILITIES
- Providing accurate information: It is your responsibility to provide accurate and up-to-date personal information during the job application process. This includes details such as your contact information, employment history, educational background, and any other relevant information requested by the employer.
- Security measures: While we take appropriate measures to protect your personal information, it is important for job applicants to also take precautions to safeguard their own information. This includes using secure internet connections when submitting online applications, keeping login credentials confidential, and being cautiouswhen sharing personal information through email or other communication channels.
- Reference information confidentiality: As a job applicant, it is your responsibility to respect the confidentiality of information related to your references. When providing references, you should seek their consent and inform them that their contact information and any relevant details will be shared with the employer for the purpose of evaluating your application. You should also advise them to refrain from disclosing any confidential or sensitive information about themselves or others during the reference process. By ensuring the confidentiality of reference information, you help maintain trust and protect the privacy of all individuals involved in the job application process.
14. CHANGES TO THIS POLICY
- We reserve the right to update or modify this Job Applicant Privacy Policy from time to time. Any changes will be effective immediately upon posting the revised policy on our website or notifying you through other appropriate means. It is your responsibility to review this policy periodically to stay informed about any updates or modifications.
- By continuing to use our services or submitting job applications after any changes to this policy, you acknowledge and agree to the revised terms. If you disagree with any changes to this policy, you should refrain from using our services or submitting job applications.
- We encourage you to regularly check this page for the most up-to-date version of our Job Applicant Privacy Policy.
15. TO WHOM SHOULD YOU DIRECT A QUESTION OR COMPLAINT?
- If you have any questions, concerns, or inquiries regarding the processing of your personal data or this Job Applicant Privacy Policy, please feel free to reach out to our designated Data Protection Officer (DPO) atDP@candrgroup.co.ke. The DPO is responsible for overseeing data protection matters and will be able to assist you with any privacy-related queries.
- Additionally, if you have specific concerns or requests related to your personal data, you may also contact us through the contact details provided in clause 16 of this policy. We will strive to address your inquiries and provide the necessary assistance in a timely manner.
16. CHANGES TO THIS POLICY
- C&R reserves the right to make changes to this Privacy Policy to reflect any changes in data protection legislation. Please visit our website you want to stay up to date, as we will post any changes here.
The CCTV Policy
1. POLICY STATEMENT
- Custody and Registrars Services Limited (“We”, “Our” “Company”) is committed to maintaining the highest standards of data protection and physical security. To ensure the security of company premises and confidentiality and integrity of sensitive information, we have implemented this CCTV Policy.
- This Policy is intended to regulate the management, operation, and use of CCTV within company premises. By adhering to this policy, we aim to minimize the risk of unauthorized access, data breaches, and information leakage.
2. DATA PROTECTION
- This Policy is directly tied to data protection and helps prevent unauthorized access to company premises and information.
- Unauthorized access to the company premises including employee offices, stores or restricted areas such as the company archives and strong room can expose confidential data, leading to potential data breaches or information leakage.
- Compliance with this policy is essential for meeting legal and regulatory requirements related to data protection.
3. PURPOSE OF THE CCTV SYSTEM
- This policy outlines the purpose, use and management of our CCTV monitoring system.
- C&R has installed the CCTV system to:
- provide verification data for shareholders assist in the prevention and detection of crime
- assist with potential investigation and identification of offenders
- protect company assets
- as a means of assistance to employees in case of emergency situations.
- CCTV systems are owned and operated by C&R.
- C&R understands that all systems, information, documents and recordings obtained and used as data is protected by the Data Protection Laws.
- The viewing and copying of the images will be strictly controlled. Provision of images to externalagencies will only be provided in line with clause 7
4. ROLES AND RESPONSIBILITIES
- The Executive Senior Management team has the ultimate responsibility for ensuring that C&R complies with this policy.
- The Data Protection Officer is responsible for: –
- the overall management and operation of the CCTV system, including activities relating to installations, recording, reviewing, monitoring, and ensuring compliance with this policy.
- the privacy and data protection aspects of this policy. Any questions you may have about this policy should be referred to the DPO.
- This policy shall be reviewed annually by the Data Protection Officer.
5. CCTV SYSTEM OVERVIEW
- MANAGEMENT AND CONTROL OF THE CCTV SYSTEM
- The CCTV system is owned and managed by C&R. The Data Protection Officer is in charge of the day-to-day running of the system.
- For purposes of images collected and processed through our CCTV cameras, C&R is a Data Controller.This means that the Company is responsible for determining the purposes for collecting and using CCTV images.
- The CCTV system operates to meet the requirements of the Data Protection Laws and the relevant CCTV regulatory standards in Kenya and internationally.
- DESCRIPTION OF SYSTEM
- C&R’s CCTV cameras are located in various locations within the Company.
- The CCTV system is operational and is capable of being monitored for 24 hours a day, every day of the year.
- CCTV signs are placed at conspicuous places within C&R to inform visitors to the company premises and members of the public that the Company is under CCTV surveillance. The signage indicates that the system is managed by C&R.
- Any proposed new CCTV installation is subject to a Data Protection Impact Assessment.
-
POSITIONING OF CAMERAS
- Cameras are sited to ensure that they secure C&R’s premises as far as is possible by monitoring vulnerable public facing areas.
- Cameras are positioned for clear pictures of shareholders undergoing verification processing
- Cameras are sighted in prominent positions where they are clearly visible.
- Cameras are not sited to focus on areas not intended to be monitored.
- C&R will make all reasonable efforts to ensure that areas outside of our premises are not recorded.
- Cameras will not be cited in areas where individuals have heightened expectation of privacy such as washrooms.
6. GUIDING PRINCIPLES
- In its administration of the CCTV system, C&R complies with the Data Protection Laws. Specifically, we: –
- respect the privacy of an individual when processing personal data.
- process personal information lawfully, fairly and transparently.
- collect data for specify the explicit and legitimate purposes and restricts processing to those purposes.
- retain your images/likeness for no longer than necessary for the purpose to which the information is collected.
- shall not transfer your images outside the country. Where we do so, we have put in place appropriate technical and organizational measures to safeguard your personal information.
- process personal data in a manner that ensures appropriate security and confidentiality of that information. We employ appropriate technical or organizational measures to protect your data against unauthorized access accidental loss destruction or damage.
7. DATA SUBJECT RIGHTS
- Any individual whose data is collected or otherwise processed through the CCTV System has rights to that personal data. In particular, a person has the following rights:
- Right to information
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right to automated decision making
- Data Subject request will be handled according to our Policy Procedures for Handling Data Subject Rights and Requests.
- Where C&R is unable to comply with a Data Subject request without disclosing the personal data of another individual who is identified from that information, we are not obliged to comply with the request.
8. DISCLOSURE OF CCTV IMAGES
- In limited circumstances it may be appropriate to disclose images collected on our CCTV system to third parties.
- We may disclose personal information to third parties when it is required by law, in relation to the prevention or detection of a crime, or to comply with a written law or court order.
- Such disclosures will be made at the discretion of the Data Protection Officer in collaboration the CEO and the Legal department.
- Where a suspicion of misconduct arises, CCTV images may be disclosed to be used in employee disciplinary cases.
9. RETENTION OF IMAGES
- Images on our CCTV system are automatically overwritten after 60 days from the date of recording.
- Where it is necessary to hold an image for longer than the period indicated above, for example for evidentiary purposes, the investigation of an offence or as required by law, this request will be in writing and directed to the Data Protection Officer.
- The images held beyond their retention period will be reviewed and any not required for evidentiary purposes will be deleted.
10. INQUIRIES AND COMPLAINTS
- The DPO shall receive all inquiries and complaints related to the privacy of a Data Subject and, where necessary, institute investigations. All complaints shall be sent to
- Data Subjects may inquire or request for any information regarding any matter relating to the processing of their personal data under the custody of C&R, including data privacy and security policies implemented to ensure the protection of their personal data. They may write to the DPO and briefly discuss the inquiry, together with their contact details for reference.
- The DPOshall maintain a log of all inquiries and complaints.
11. MONITORING AND ENFORCEMENT
- Compliance with the CCTV Policy will be periodically monitored by the Data Protection Officer (DPO).
- Non-compliance may result in disciplinary action, up to and including termination of employment.
12. POLICY REVIEW
- C&R reserves the right to modify this manual from time to time to accurately reflect the regulatory environment and data protection laws.
- This policy will be reviewed annually by the Data Protection Officer to reflect current legislation and trends in the CCTV monitoring field.
- Where any material changes are made to this manual, C&R shall without undue delay notify people through publication on the website.