This policy applies to all personal data we process regardless of the location where that personal data is stored (e.g. on an employee’s own device, Sava servers, Sava website, etc.) and regardless of the data subject. All staff and others processing personal data on Sava’s behalf must read it. A failure to comply with this policy may result in disciplinary action.
The Sava IT Department is responsible for ensuring that all staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance.
We may collect and use your personal data if it is necessary for our legitimate interest and so long as its use is fair, balanced and does not unduly impact your rights. For example, to process an employment application, for use in research, etc.
We may collect and use your personal information with your consent. For example, to send you marketing emails, to take and use your photograph, to collect relevant medical information. You can withdraw consent for this at any time.
We may also collect and use personal information as required to fulfill our legal obligations as a registered charity and employer. Usually, we will only process sensitive personal data if we have your explicit consent. In extreme situations, we may share your personal details with the emergency services if we believe it is in your ‘vital interests’ to do so. For example, if someone is taken ill during one of our events.
We only collect personal information that we genuinely need. This may include:
When you process personal data, you should be guided by the following principles, which are set out in the GDPR and Kenya’s Data Protection Bill 2018. Sava is responsible for, and must be able to demonstrate compliance with, the data protection principles listed below:
When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal and fair manner.
Personal data can be processed only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.
The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be aware of, or informed of:
Personal data that is no longer needed after the expiration of legal or business process-related periods must be deleted. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.
Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.
Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.
Every data subject has the following rights. Their assertion is to be handled immediately by the responsible unit and cannot pose any disadvantage to the data subject.
The data subject may request information on which personal data relating to him/her has been stored, how the data was collected, and for what purpose. If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected.
If personal data is transmitted to third parties, information must be given about the identity of the recipient or the categories of recipients. If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
The data subject can object to the processing of his or her data for purposes of advertising or market/opinion research. The data must be blocked from these types of use.
The data subject may request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
The data subject generally has a right to object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.
Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.
We will only use your personal information for the purpose which it was provided to us for and in ways that you would reasonably expect.
When legally obliged, we may share our partners’ personal information with relevant statutory bodies as required.
We may need to share it with external reviewers and advisors (e.g. funding partners, program monitors, evaluation specialists) to review, monitor or evaluate these partnership opportunities.
We may need to share your contact details with suppliers.
We will collect personal information from our existing partners and the public domain to research and identify potential new funders and partners. Our legal basis for using your personal information in this way is legitimate interest.
We will use the contact details of new and existing supporters to inform you about our work. We will send you relevant information by email. Our legal basis for using your personal information in this way is legitimate interest. You can opt out or unsubscribe from receiving these communications at any time
If you opt in to our mailing list we will use the information that you provide to email you information about our work, events, campaigns and other items of interest. You can opt out or unsubscribe from receiving this information at any time if you wish. Our legal basis for using your personal information in this way is your consent.
We only use your personal information in case studies when you have consented for us to do so. We will make it clear to you how we might use your information and who we may share it with; again, we will only do so with your permission. Our legal basis for using your personal information in case studies is your consent.
If you choose to take part in one of our research projects or surveys, we will use the personal information that you provide to process the results of the survey and undertake relevant analysis. We will not share the personal information that you provide in a survey with any other organizations, unless consent is first sought for this. Survey results will be anonymized before being shared or published. Our legal basis for using the personal information that you choose to provide to us in a survey is legitimate interest and consent.
We will use the personal information you provide, including passport and medical information, when making travel arrangements for employees, board members, consultants, civil servants and any other relevant personnel. We may share some of this information with our insurance company and travel agents. Our legal basis for processing this personal information is legitimate interest. We will obtain your consent when collecting and using information relating to your health.
If you provide us with information about yourself, such as a resume or curriculum vitae, in connection with a job or volunteer application or enquiry, we may use this information to process your enquiry. We will not store this information for any purpose other than that relating to your application. Our legal basis for using your information in this way is for our legitimate interest.
We will process personal information of our employees to fulfill our contract with them. This includes payroll processing and the provision of training. We are required by law to share some financial information with the Kenya Revenue Authority (KRA), National Social Security Fund (NSSF), National Hospital Insurance Fund (NHIF), National Industrial Training Authority (NITA), and other public and statutory bodies. We may also need to share some personal information with other organizations, for example insurance providers, and pension providers. We process employee personal information to fulfill our contracts with our employees and meet our legal obligations as an employer. This should be done in strict confidentiality at all times.
We process relevant personal information about existing and potential board of directors, committee members and directors for governance purposes.
We may undertake necessary checks to identify any criminal and other activity we need to be aware of. We will do this with your consent.
We will share some personal information with the relevant regulatory authorities to meet our legal obligations, both within and outside the country.
We are legally obliged to collect personal information of employees, volunteers, and interns, for health and safety purposes. We may be required to share some of this information with our insurance provider.
We will process your personal information if you choose to volunteer or undertake an internship opportunity with us. We will keep a record of your contact details, experience and qualifications. Our legal basis for using your information in this way is for our legitimate interest. It may also be necessary to run necessary checks to identify any activities we need to be aware of; we will seek your consent before doing so.
We will use the personal information of Researchers to commission research. Our legal basis for using your personal information in this way is for the performance of a contract.
We will use the personal information of consultants to provide various services to Sava. Our legal basis for using your personal information in this way is for the performance of a contract.
We will use the personal information of suppliers’ contacts to pay and communicate with them. Our legal basis for using your personal information in this way is for the performance of a contract.
If a complaint is raised with us, we will process the personal information that is provided to us to manage and resolve the complaint. Our legal basis for using personal information for this purpose is legitimate interest.
We may use cookies and log files on our website to store information about how you use our website using Google Analytics. A cookie is a piece of data stored on the user’s computer tied to information about the user. This information may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. This enables us to analyse the use of our website and services. We may also create a profile which details your viewing preferences. We use your profile to tailor your visit to our website, to make navigation easier and direct you to information that best corresponds to your interests and country. The legal basis for this processing is our legitimate interests, monitoring and improving our website and services. Please see our cookie statement for more information.
We will only share your personal information where we are required to fulfill our contract with you, or legitimate interest, where we have your consent, or we are required to do so by law.
We may share your personal information with third party organizations who will process it on our behalf, for example a mailing house, our website administrator or printers. Everything an external service provider does is strictly governed by a contract. In addition, before we share any information with those service providers, we will put in place a signed data processing agreement which confirms that the personal information we provide will only be used for the purposes we specify and will be processed in line with data protection legislation.
We may share some personal information in relation to partnership applications with:
Personal data is subject to data secrecy. Any unauthorized collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by an employee that he/she has not been authorized to carry out as part of his/her legitimate duties is unauthorized. The “need to know” principle applies. Employees may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.
Employees are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or to make it available in any other way. Supervisors must inform their employees at the start of the employment relationship about the obligation to protect data secrecy. This obligation shall remain in force even after employment has ended.
Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organisational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data (determined by the process for information classification).
In particular, the responsible department or staff can consult with Sava’s Information Technology Officer and data protection coordinator. The technical and organisational measures for protecting personal data are part of our data security management and must be adjusted continuously to the technical developments and organisational changes.
We will hold your personal information for as long as is necessary. We will not retain your personal information if it is no longer required. In some circumstances, we may legally be required to retain your personal information, for example for finance, employment or audit purposes.
This Data Protection and Privacy Policy may change from time to time. Please visit this web page periodically to keep up- to-date with the changes in this policy.