PRIVACY STATEMENT
Tai Sacco Society Ltd is committed to keeping your personal data private and shall process any personal data collected from you in accordance with Data Protection Legislation and with provisions of our Data Privacy Policy.
Abbreviations and Acronyms
ABC – Alternative Business Channels
BOD – Board of Directors
CCTV – Closed Circuit Television
CEO – Chief Executive Officer
CRB – Credit Reference Bureau
DPIA – Data Protection Impact Assessment
DPO – Data Protection Officer
KYC – Know Your Customer
ODPC – Office of Data Protection Commissioner
EACC – Ethics and Anti – Corruption Commission
ICT – Information and Communication Technology
ID – Identification
NHIF – National Hospital Insurance Fund
NSSF – National Social Security Fund
SASRA – Sacco Societies Regulatory Authority
SLA – Service Level Agreement
Definition of Terms
Anonymization The removal of personal identifiers from personal data so that the data subject is no longer identifiable.
Biometric data Personal data resulting from specific technical processing based on physical, physiological or behavioural characterization including blood typing, fingerprinting, earlobe geometry, retinal scanning, face recognition and voice recognition.
Consent Agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of personal data relating to them.
Data Information which is processed by means of equipment operating automatically in response to instructions given for that purpose or recorded with intention that it should be processed by means of such equipment or recorded as part of a relevant filing system.
Data Controller The person or organisation that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the Data Protection Act. Tai Sacco is the Data Controller of all personal data relating to it and used in facilitating its business operations.
Data Processing Any activity that involves the use of personal data and includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.
Data Protection Impact Assessment
This is a tool or procedure of identifying and reducing risks involved in any Processing activity that will involve personal data.
Data Protection Officer
The person appointed as such under the Data Protection Act and in accordance with its requirements. A data protection officer is responsible for advising the Sacco (including employees) on their obligations under various data protection laws, for monitoring compliance with data protection law, as well as with Tai Sacco polices.
Data Subject A living, identified or identifiable individual about whom the Sacco hold personal data.
Personal Data Any information identifying a data subject or information relating to a data subject that the Sacco can identify (directly or indirectly) from that data alone or in combination with other identifiers the Sacco possess or can reasonably access. Personal data includes sensitive personal data and pseudonymized personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour
Personal Data Breach
Any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data, where that breach results in a risk to the data subject.
Profiling Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of automated processing.
Third Party Any natural or legal person other than the data subject, Tai Sacco, or any implementing partner.
Collection of Personal Data
Tai Sacco will only collect your personal data to achieve the purposes set out in this privacy statement. We collect your personal information with your knowledge and consent and with exception to cases where prior consent cannot be obtained for real reasons or where the processing of the data is permitted by law.
Tai Sacco will collect your personal information when you do any of the following:
- Make an application and open an account with us for the purpose of patronizing any of our product and/or service or from third parties on our electronic and digital platforms.
- Use any of our product and/or service on a mobile or other device or in any of our branches or with any of our agents.
- Call Tai Sacco offices to ask more information about a product or service or contact Tai Sacco with a query or a complaint;
- When you visit or access any of Tai Sacco buildings/ premises;
- When you have been identified as a next of kin, contact person or nominee by our member or employee;
- Where you have applied for an employment at Tai Sacco;
- When you attend an event sponsored by Tai Sacco;
- Make an application to Tai Sacco or interact with us as a supplier, business partner, agent or dealer;
- Visit and access our websites
- When you respond to or participate in a survey, marketing promotion, prize competition or special offer;
Tai Sacco may also collect your information from other organizations including credit-reference bureaus, fraud prevention agencies, government agencies and business directories;
- When you engage our other service delivery organs eg. Aquila Insurance Agency or as a result of your relationship with one or more of our staff and members;
- When you engage our other sister organizations eg. Tai Housing Co-operative Society in patronizing our products / services and you enter into contract with us.
- When we require personal information from you in order to fulfil a statutory or contractual requirement, or where such information is necessary to enter into a contract or is otherwise an obligation, we will inform you and indicate the consequences of failing to do so;
- When you make an application or engage with our foundations eg. The Tai Foundation as a beneficiary.
This list is non-exhaustive. It is reflective of the varied nature of the personal information we may collect.
- Information we collect about Data Subjects
From individuals who are our Members and prospective Members, or are representatives of Members and prospective Members, we may collect personal information that includes but is not limited to the following:
- Personal Identification information that include; your title, name, photograph, marital Status, nationality, occupation, residence, address, location, phone number, identity document type and number, date of birth, age, gender and email address.
- Name of your employer, terms of employment and if on contract, expiry of the contract.
- Your estimated monthly proceeds/ income levels.
- Your biometric and signature specimen.
- Information about your Sacco account numbers and or other banking information.
- Your transaction information when you use our Alternative Business Channels, Branches, our Agents.
- Name, family details, age, profiling information such as level of education, Sacco account status, income brackets, etc. collected as part of surveys conducted by Tai Sacco or on behalf of Tai Sacco.
- Your contact with us, such as when you: calls us or interact with us through social media, email or visit our branches.
- Relevant information as required by regulatory authorities, Know Your Member and/or Anti Money Laundering regulations and as part of our member on boarding procedures. This may possibly include evidence of source of funds, at the outset of and possibly from time to time throughout our relationship with members, which we may request and/or obtain from third party sources. The sources for such verification may include documentation, which we request from you or through the use of online or public sources or both.
- We use Closed Circuit Television (CCTV) surveillance recordings. CCTV Devices are installed at strategic locations to provide a safe and secure environment in all our branches and Head Office premises as a part of our commitment to security and crime prevention.
- We maintain a register of visitors in which we collect and keep your personal data such as names, company/institution details, telephone number and National ID number. This information is collected for health, safety and security purposes.
- Information you provide to us for the purposes of attending meetings and events.
- We may use your medical information to manage our services and products to you.
- Where you use our fingerprint gadgets to collect and process your biometrics.
- We may collect details of a minor which include name, date of birth, birth certificate number, relationship with the applicant and any other information relevant for the provision of our products and services. We will only process such data where parental or legal guardian consent has been given. We will also ensure that the processing of such data will be done in a manner that protects and advances the rights and best interests of the child.
- Related Legal Entities
Corporate entities form part of our member base. These legal entities are not data subjects (i.e., natural persons to whom personal information relates). However, as part of our engagement with these members, we may receive personal information about individuals which may include but is not limited to:
- Full names.
- National identity card number or passport number;
- KRA Personal Identification Number (PIN).
- Date of birth
- Postal and business address.
- Residential address, telephone number and email address.
- Occupation or profession.
- Nature of ownership or control of the company.
- Number of Shares in the company.
These examples are non-exhaustive, which is reflective of the varied nature of the personal information.
- Use of Personal Data
This privacy statement aims to give you complete and transparent information on how Tai Sacco processes your personal data. We are committed to ensure that your personal information is processed in a way that is compatible with the specified, explicit, and legitimate purpose of collection.
Where personal data relates to a child, we will process the personal data only where parental or legal guardian consent has been given. The processing of such data will be done in a manner that protects and advances the rights and best interests of the child.
We may use personal data provided to us for any of the following purposes but are not limited to:
- Verifying your identity information through publicly available and/or restricted government databases to comply with applicable Know Your Customer (KYC) requirements.
- Assessing the purpose and nature of your business or principal activity, your financial status and the capacity in which you are entering into the business relationship with us.
- Creating a record of you on our system to verify your identity, provide you with the products and/or services you have applied for from us or from third parties on our ABC platforms.
- Communicate with and keep you informed about the products and/or services you have applied for.
- Verification of age and consent where the personal data relates to a child.
- Identifying you and verifying your physical address.
- Identifying your source of income and similar information.
- Authentication of your transactions with us.
- Assessing your personal financial circumstances and needs before providing advice to you.
- Responding to any of your queries or concerns, we may record or monitor telephone calls between us so that we can check instructions and make sure that we are meeting our service standards.
- Carrying out credit checks and credit scoring.
- To perform our obligations under a contractual arrangement with you.
- Fraud prevention, detection and investigation
- Any purpose related to the prevention of financial crime, including sanctions screening, monitoring of anti-money laundering and any financing of terrorist activities.
- Further processing for historical, statistical or research, survey and other scientific or business purposes where the outcomes will not be published in an identifiable format.
- Provide aggregated data (which do not contain any information which may identify you as an individual) to third parties for research and scientific purpose.
- In business practices including to quality control, training and ensuring effective systems operations.
- To understand how you use our products and services for purposes of developing or improving products and services.
- Administer any of our online platforms/websites.
- To comply with any legal, governmental, or regulatory requirement or for use by our lawyers in connection with any legal proceedings.
- For purposes relating to the assignment, sale, or transfer of any of our businesses, legal entities or assets, in whole or in part, as part of corporate transactions.
- Keeping you informed generally about new products and services and contacting you with offers or promotions based on how you use our or third-party products and services unless you opt out of receiving such marketing messages (you may contact Tai Sacco at any time to opt out of receiving marketing messages).
- Where you have applied for employment at Tai Sacco, we perform applicant screening and background checks.
- Where you are a Tai Sacco employee (including contractors), we create an employment record of you on our system to facilitate continuous monitoring during your employment with us.
- Where you are a Tai Sacco director, we create a record of you as a director on our system.
- Where you are a Tai Sacco supplier, we process your personal information for due diligence, risk assessment, administrative and payment purposes.
- For security purposes when accessing any of Tai Sacco buildings/premises; and
- Where you attend an event sponsored by Tai Sacco, we will be taking photos or videos of the event. These images or videos will be used by us to share news about the event, and may be used in press releases, printed publicly, and published on our website.
- Sensitive Personal Data
We may collect Special Categories of Personal Data about you (this includes details about your race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including details of your children, parents, spouse or spouses, sex or sexual orientation).
- Transfer of Personal Data
Tai Sacco may transfer your personal information for the purpose of effecting/implementing, administering, and securing any product or service that you have applied for or for other purpose set out in this privacy statement. We also share data with Tai Sacco-controlled affiliates and subsidiaries; with vendors working on our behalf; when required by law or to respond to legal process; to protect our Members; to protect lives; to maintain the security of our products; to comply with regulatory requirements and to protect the rights and property of Tai Sacco and its Members.
We may transfer or disclose the personal data we collect to regulatory, fiscal or supervisory authority, correspondent Saccos on transaction enquiries, third party contractors, subcontractors, and/or their subsidiaries and affiliates who provides support to Tai Sacco in providing its services. The third-party providers may use their own third-party subcontractors that have access to personal data (sub-processors). It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by Tai Sacco, and to flow those same obligations down to their sub-processors.
- Cross-Border Transfers
Tai Sacco membership is beyond Kenya’s boundaries. We serve diaspora members that we may need to transfer personal information outside the country to where a member is located. This includes countries that do not have laws that provide specific protection to your personal data.
Where we send your information outside the country, we will make sure that there is proof of adequate data protection safeguards in the recipient country or consent from you on transfer of your personal information.
- Other Disclosures
We may also disclose your personal information where required by law, to enforce other agreements, or to protect the rights, property, or safety of our business, our members, employees, or others.
Tai Sacco may disclose, respond, advise, exchange and communicate personal data and/or information in the Sacco’s possession relating to you outside Tai Sacco whether such personal data and/or information is obtained after you cease to be the Sacco’s Member or during the continuance of the Sacco-Member relationship or before such relationship was in contemplation, provided that such personal information is treated in confidence by the recipient:
- For fraud prevention, detection and investigation purposes.
- To licensed credit reference agencies or any other creditor if you are in breach of your obligations To the Sacco and for assessment of credit applications and for debt tracing or for determining your payment history.
- To the Sacco’s external lawyers, auditors, valuers, survey agencies, and sub-contractors, software developers or other persons acting as agents of Tai Sacco.
- To any person who may assume the Sacco’s rights within the confines of the law.
- To debt collection agencies.
- Providing income tax-related information to tax authorities.
- To any regulatory, fiscal or supervisory authority, any local or international law enforcement agencies, governmental agencies so as to assist in the prevention, detection, investigation or prosecution of criminal activities, courts or arbitration tribunal where demand for any personal data and/or information is within the law.
- To the Sacco’s subsidiaries, affiliates and their branches and offices (together and individually).
- Where the Sacco has a right or duty to disclose or is permitted or compelled to do so by law.
- For purposes of exercising any power, remedy, right, authority or discretion relevant to an existing contract with the Sacco and following the occurrence of an Event of Default, to any other person or third party as well.
- Legal Basis for The Processing of Personal Data
Tai Sacco will process your personal information as permitted by the applicable Data Protection Law and its internal policies:
- For the performance of a product/service contract which you are party to;
- Where processing is necessary for the purposes of legitimate business interests pursued by Tai Sacco or by a third party within the confines of the law;
- For the establishment, exercise or defense of a legal claim;
- Compliance with a mandatory legal obligation to which it is subject to;
- With your consent;
- Public interest;
- To protect your vital interest or the vital interests of any person.
- Direct Marketing
From time to time, Tai Sacco may also use your personal information to contact you for market research or to provide you with information about other services we think would be of interest to you. You may be required to opt-in or give any other form of explicit consent before receiving marketing messages from us. We respect your right to control your personal data depending on which of our products you use. Therefore, at a minimum, we will always give you the opportunity to opt-out of receiving such direct marketing or market research communications. You may exercise this right to opt-out at any time.
- Retention of Personal Data
Tai Sacco will retain your personal data only for as long as is necessary to achieve the purpose for which they were collected. We may retain your personal data and/or information for a period of up to seven (7) years or as may be required by law and maintains specific records management and retention policies and procedures, so that personal data are deleted after a reasonable time according to the following retention criteria:
- Where we have an ongoing relationship with you.
- To comply with a legal obligation to which it is subject.
- Where retention is advisable to safeguard or improve the Sacco’s legal position.
- Data Subject Rights
You have the right (in the circumstances and under the conditions, and subject to the exceptions, set out in applicable law to:
- Be informed that we are collecting personal data about you;
- Request access to your personal information that we have on record. This right entitles you to know whether Tai Sacco holds personal data of you and, if so, obtain information on and a copy of those personal data.
- Request Tai Sacco to rectify any of your personal data that is incorrect or incomplete.
- Object to and withdraw your consent to processing of your personal data. This right entitles you to request that Tai Sacco no longer processes your personal data. The withdrawal of your consent shall not affect the lawfulness of processing based on prior consent before its withdrawal. We may also continue to process your personal information if we have a legitimate or legal reason to do so.
- Request the erasure of your personal data. This right entitles you to request the erasure of your personal data, including where such personal data would no longer be necessary to achieve the purposes.
- Request the restriction of the processing of your personal data: This right entitles you to request that Tai Sacco only processes your personal data in limited circumstances, including with your consent.
- Request portability of your personal data. This right entitles you to receive a copy (in a structured, commonly used, and machine-readable format) of personal data that you have provided to Tai Sacco, or request Tai Sacco to transmit such personal data to another data controller in an electronic format.
Contact Us
Please contact our Data Protection Officer if you have any questions or concerns about how Tai Sacco process your personal data or you want to exercise any of your rights in relation to your personal data, on 0202010334 or by writing to us on email: dpo@taisacco.coop
Amendments to this Statement
Tai Sacco reserves the right to amend or modify this privacy statement from time to time. Patronizing our products and services will constitutes your agreement to be bound by the terms of any such amendment or variation. This privacy notice should be read together with the Terms and Conditions. Where in conflict, the privacy notice shall prevail.