Data Protection Policy
Background
Modesty Credit Limited operates as a financial services provider, offering loan facilities in Kenya
to small and medium sized enterprises. MCL is committed to safeguarding the privacy of personal
data and to full compliance with the laws and applicable regulations.
Concerns about the security of personal data stored in institutions have led to Governments
enacting data protection regulations. In 2018 the European Union (EU) operationalized the General
Data Protection Regulations (GDPR) that govern how companies handle personal data.
Consequently, in 2019 Kenya enacted its own Data Protection Act. The regulations seek to protect
the privacy of individuals by enforcing responsible processing of personal data. This includes
embedding principles of lawful processing, minimizing the collection of data, ensuring the
accuracy of data and adopting security safeguards to protect personal data.
MCL is committed to ensuring that every employee complies with the Data Protection Act to
safeguard the confidentiality of any personal data held by MCL in whatever medium. This policy
provides guidance on how MCL will handle the data it collects. It helps MCL comply with the
data protection law, protect the rights of the data subjects and protect MCL from risks related to
breaches of data protection. Two key concepts to be considered when collecting and using personal
data are those of purpose and transparency. MCL and all its employees, Agents or others who
process or use personal data must ensure that they follow these concepts at all times.
In order to ensure that this happens, MCL shall devise specific data protection, retention and
security policies and procedures as required and will ensure that the same comply with these
concepts. Additionally, MCL shall implement appropriate security, technical and organizational
measures to ensure and be able to demonstrate that the processing of personal data is performed
in accordance with the Data Protection Act and Data Protection Regulations.
General Purpose
Modesty Credit Limited (hereinafter referred to as “the Company”) acknowledges privacy is the
fundamental right of an individual and shall be protected by the Company in our best endeavors.
The Company is dedicated to treating the information of our employees, customers, clients, and
all relevant parties with the utmost care and confidentiality. The Company is committed to
creating a safe and confidential environment for all parties to freely share their information by
ensuring that we gather, store, and utilize all collected information fairly and transparently.
The purpose of this policy is:
To set out policies and procedures implemented by the Company for protecting the privacy
of our employees, customers, and clients; and
To provide guidance for our employees to ensure all information to which they have access
in the course of their work is collected, handled and stored safely.
This policy applies to all levels of employees who are currently under a fixed-term contract,
permanent contract, part-time contract, interns, and casual workers, subject to the eligibility as
stated below. This policy is endorsed and fully supported by the Company and its senior
management. The Company reserves all rights to amend the content of the policy at any time.
Interpretation of terms
Unless the context otherwise requires:
Data Controller means all and any persons who decide the purpose and means of a certain kind
of processing of personal information.
Data Processor means all and any persons who process Personal Information.
Data Subjects means the people to whom the Personal Information relates.
Personal Data means any information relating to an identifiable individual. Such information
includes, but is not limited to:
(i) Name, date of birth, identity document number, and photography;
(ii) Contact information such as an address, email address, IP address and phone number;
(iii) Gender and marital status information;
(iv) Financial account information;
(v) Health or medical information;
(vi) Information collected during the application and hiring process;
(vii) Information related to employee benefits, including all personal information of data subjects’
dependents, beneficiaries, and insurance policy information; and
(viii) Process means any actions performed on the Personal Data. Such actions include but are not
limited to: collecting, recording, organizing, modifying, gathering, handling, transferring,
retaining, and deleting.
The Company’s Procedures
General Principles
The Company will only process Personal Data for the purpose, or a reasonably related purpose,
for which the data was collected. The Company will not process such Personal Data in a manner
that is incompatible with such purposes unless the relevant Data Subject has provided consent
upon such action. In addition, the Company will perform at its best endeavor to ensure Personal
Data being processed is accurate and up-to-date. Purposes for processing Personal Data must be
legal and reasonable, which include and are not limited to:
Performance of legitimate business interests of the Company;
Performance of legitimate operational interests of the Company; and
Compliance with legal obligations.
The Company will document records of processing and such documentation will be stored with
full security in the Company’s database. They will be reviewed and accessed on a need-to-know
basis.
The Company will not retain Personal Data for a period longer than necessary for the purpose for
which they were collected unless they are necessary to be retained to comply with statutory
The Company will not sell, transfer, or disclose any Personal Data to other third parties without
Data Subjects’ consent. However, the Company may share the Personal Data with its corporate
affiliates provided that all procedures are complied with.
The Company will organize regular trainings to ensure all employees have sufficient knowledge
about this policy and the correct procedure for processing Personal Data. The Company’s
management and/or Human Resource Department are responsible for designing and conducting
appropriate training sessions.
What data is collected?
The information the Company collects and stores about the Customer includes but is not limited
to the following:
Their identity and registration information, including their name, photograph, address,
location, phone number, identity document type and number, date of birth, email address,
age, gender and mobile number portability records.
Transactions when they use the Company’s services.
Their preferences for particular products and services, based on information provided by
them or from their use of the Company’s products and services.
Name, family details, age, profiling information such as level of education, bank account
status, income brackets, etc. collected as part of surveys conducted by the Company or our
agents on behalf of the Company.
Customer contacts, such as when they call the Company or interact with the Company
through social media, ‘snail mail’, email (the Company may record the conversations,
social media or other interactions with the Company), register the Customer’s biometric
information such as fingerprints etc.
The Customer’s account information, such as handset type/model, deposits, subscriptions,
billing statements, withdrawals and mobile money transactions.
The Company will collect the Customer’s personal information when the Customer visits
the Company for the purposes of accident and incident reporting.
Lawful and fair processing of data
The Company will only process data where they have a lawful basis to do so. Processing personal
data will only be lawful where the data subject has given their consent for one or more specific
purposes or where the processing is deemed necessary:
For the performance of a contract to which the data subject is a party (for instance a contract
of employment).
To comply with the Company’s legal obligations.
To perform tasks carried out in the public interest or the exercise of official authority.
To protect the vital interests of the customers or another person.
To pursue MCL’s legitimate interests where those interests are not outweighed by the
interests and rights of data subjects.
For historical, statistical, journalistic, literature and art or scientific research.
Updating personal data
The Company will at all times ensure that the personal data it collects and processes is accurate,
kept up to date, corrected or deleted (where necessary) without delay.
All relevant records must be updated should staff be notified of inaccuracies. Inaccurate or out of
date records must be deleted or destroyed.
Obtaining Data Subjects’ Consent
The Company must obtain consent from Data Subjects in an appropriate manner before any
processing is performed by any employee of the Company, as we acknowledge Data
Subjects have the right to receive information about the processing performed on their Personal
Information. Such information includes:
(i) Identity of Data Controller;
(ii) Purpose and methods of processing Personal Data;
(iii) Scope of Personal Information processed; and
(iv) Any third parties involved to which the Personal Data might be transferred or disclosed
to.
In order to reduce potential disputes, Data Subjects’ consent must be provided orally, in writing,
or electronically. The Company will not take any actions of Data Subject as implied consent. For
Data Subjects who are not capable of providing their consent, such as children, elderly, and
patients with mental disorders, the Company will obtain consent from their legal guardian(s).
However, the Company need not obtain Data Subject’s consent under the following special
circumstances:
When the Personal Data can be publicly accessed and collected;
When the processing is necessary for the Company’s legitimate business interest; and
When the processing is necessary for the public interest.
The Company hereby acknowledges privacy as a fundamental right and respects decisions made
by Data Subjects to withdraw their consent by giving legal and reasonable notice to the Company.
However, Data Subjects might not receive benefits and services prior to their withdrawal of
consent after the Company accepts their withdrawal.
Data Subjects’ Rights
Data Subjects have the following rights and these rights can be exercised by giving legal and
reasonable notice to the Company:
(i) Right to Access: The Company will grant permission for Data Subjects to check on details of
their Personal Data being processed upon request. The Company will provide legitimate
reasons if we wish to reject such requests.
(ii) Right to Correct: Data Subjects have the right to make requests for the correction of any
incorrect or misleading Personal Data about themselves. Evidence should be supplemented
with such requests.
(iii) Right of Erasure: Data Subjects have the right to request their Personal Data to be erased from
the Company’s database.
Confidentiality and Security
The Company will perform at its best endeavor to protect the confidentiality and security of
Personal Data and such a duty extends to all interactions with third parties such as employees and
clients. All terms and conditions stated in the Confidentiality Agreement signed by employees
upon their employment apply.
The Company takes all breaches of this policy very seriously and hereby promises all allegations
of breach will be thoroughly investigated by the Human Resource Department confidentially and
fairly.
Complaints Handling Mechanism
This is well captured in our Customer Redress Mechanism Policy.
Processing data relating to a child
The Company will not process data relating to a child unless consent is given by the child’s
guardian or parent and the processing is in such a manner that protects and advances the rights and
best interests of the child in line with the relevant laws.
The Company will institute adequate mechanisms to verify the age and obtain consent before
processing the data.
Processing sensitive personal data
The Company will process sensitive personal data only when:
The processing is carried out in the course of legitimate activities with appropriate
safeguards and that the processing relates solely to the staff or to persons who have regular
contact with the Company, and the personal data is not disclosed outside the Company
without the consent of the data subject.
The processing relates to personal data that has been made public by the data subject.
Processing is necessary for:
The establishment, exercise or defense of a legal claim.
The purpose of carrying out the obligations and exercising specific rights of the controller
or of the data subject.
Protecting the vital interests of the data subject or another person where the data subject is
physically or legally incapable of giving consent.
Transferring personal data out of Kenya
The Company will transfer personal data out of Kenya only when they have:
Proof of appropriate measures for security and protection of the personal data, and the
proof provided to the Data Protection Commissioner in accordance with Kenya’s Data
Protection Act, 2019, such measures include that data is transferred to jurisdictions with
commensurate data protection laws.
The transfer is necessary for the performance of a contract, implementation of
pre-contractual measures such as:
For the conclusion or performance of a contract to which the data subject is a party.
For matters of public interest.
For legal claims.
To protect the vital interests of data subjects.
For compelling legitimate interests pursued by the data controller or data processor which
are not overridden by the interests, rights and freedoms of the data subjects.
The Company will process sensitive personal data out of Kenya only after obtaining the consent
of a data subject and on receiving confirmation of appropriate safeguards.
Information Sharing
We keep all your personal data confidential. However, in order to be able to service your needs to
the best of our ability, we may share any information you provide to us with support service or
data providers, wherever located. If you have provided information to our partners, those entities
may also share that information with us. We will ensure that if we share such information with
third parties, any such disclosure is at all times in compliance with Data Protection Legislation.
To help us provide services, your data will be processed internally and externally by other third
parties. We use third parties for [administrative, servicing, monitoring and storage of your data].
We will outsource some services to third parties whom we consider capable of performing the
required processing activities so that there is no reduction in the service standard provided to you
by us.
The recipients or categories of recipients, of your information may be:
Any revenue service or tax authority including to the Kenya Revenue Authority, Regulators
like the Central Bank of Kenya, if obliged to do so under applicable regulations.
Anyone to whom we may transfer our rights and/or obligations;
Any other person or organization after a restructure, sale or acquisition, as long as that
person uses your information for the same purposes as it was originally given to us or used
by us (or both).
Credit reference, identity and address verification organizations who may record and use
your information and disclose it to other lenders, financial services organizations and
insurers. Your information may be used by those third parties to make assessments in
relation to your creditworthiness for debt tracing.
Fraud prevention agencies and law enforcement agencies who will use it to prevent fraud
and money-laundering and to verify your identity if false or inaccurate information is
provided by you and fraud is identified. We, fraud prevention agencies and law
enforcement agencies may access and use your information for example, when:
Checking details on applications for credit and credit related or other facilities;
Recovering debt.
Checking details on proposals and claims for all types of insurance.
Fraud prevention agencies can hold your personal data for different periods of time. If they’re
concerned about a possible fraud or money laundering risk, your data can be held by them for up
to six years or as required by law.
Policy Violations
This Privacy Policy applies to all employees and their compliance is mandatory. All employees
are required to carefully read and understand the Policy upon their employment. The Company
takes all breaches of this policy very seriously and hereby promises all allegations of breach will
be thoroughly investigated by the Human Resource Department confidentially and fairly.
Employees should contact the Human Resource Department as soon as possible should they wish
to raise an allegation of a breach under the policy. Any allegations made in good faith will be
fully supported by the Company with all appropriate measures and investigation being taken out,
regardless of the conclusion of the allegation and the subjective view of any senior management.
There will never be any reprisals against employees who raise allegations of a breach under the
policy. Nevertheless, allegations or attempts to make allegations in bad faith, for whatever
reasons, will be classified as misconduct and may lead to disciplinary measures by the Company.
Anyone who breaches this policy will be subject to disciplinary measures depending on the
severity of the breach.
Reporting A Personal Data Breach
The Data Protection Act requires MCL Limited to notify any Personal Data Breach to the Office
of the Data Protection Commissioner (ODPC) and, in certain circumstances, the Data Subjects
impacted by the breach.
Incidents must be communicated to the Data Protection Officer (DPO) immediately as MCL
Limited is required to notify the ODPC within seventy-two (72) hours.
If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the
matter yourself. Immediately contact the DPO. You should preserve all evidence relating to the
potential Personal Data Breach.
Training And Awareness
The Company will train staff on the contents and implementation of this policy. Staff who join the
Company will be required to go through an induction process that entails familiarization with this
policy. The Company will ensure that the requirements of this policy form part of its agreement
with its grantees, contractors and third parties who process the Company’s data.
Revision Date
This policy was approved as fit to support the business of Modesty Credit Limited in June 2024
by the Board of Directors.
