AT MONEZA LIMITED

Scope

This policy applies to Moneza personnel (“you”, “your”) and all information resources. You must read, understand and comply with this Data Protection policy when processing Personal Data on our behalf.

All individual business areas, units, departments, and line managers are responsible for ensuring all company personnel comply with this Data Protection Policy and need to implement appropriate practices, processes, controls, and training to ensure compliance.
 
The DPO is responsible for overseeing this Data Privacy and Protection Policy and, as applicable, developing related policies and privacy guidelines. That post is held by APL Privacy and Legal LLP, and they can be reached at apl@outlook.com.

Please contact the DPO with any questions about the operation of this Data Protection Policy or the applicable data protection legislation, or if you have any concerns that this Data Protection Policy is not being or has not been followed. 

Purpose

This Data Protection Policy establishes Moneza’s (“we”, “our”, “us”, “the Company”) commitment to implement data protection principles and to provide for organizational, physical, and technical security measures in its data processing operations. It sets out how we handle the Personal Data of our customers, suppliers, employees, workers, and other third parties. 

Definitions

Anonymization – This means the removal of personal identifiers from personal data such that the data subject is no longer identifiable and cannot be re-identified. 

Applicable Data Protection Regulation – Means any law, statute, rule, or regulation issued by a governmental authority in relation to data protection and applicable to Moneza by virtue of its operations and activities, including but not limited to the Kenyan Data Protection Act, 2019; and the respective implementing regulations.

Applicable Data Protection Regulator – Means the primary government office or authority mandated to enforce the Applicable Data Protection Regulation, including but not limited to the Office of the Data Protection Commissioner.

Automated Decision-Making (ADM) – Means when a decision is made that is based solely on automated processing (including profiling) which produces legal effects or significantly affects an individual. The DPA prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.

Automated Processing – Means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Profiling is an example of Automated Processing.

Consent – Means agreement which must be freely given, specific, informed, and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.

Data Controller – Means an entity that controls the processing of personal data and that, alone or jointly with others, determines the purpose and means of processing personal data, or that instructs another to process personal data on its behalf.

Data Processor – Means an entity to whom the processing of personal data has been delegated or outsourced by the data controller.

Data Subject – Means an identified or identifiable natural person whose personal data is being processed.

KDPA – Means the Kenya Data Protection Act, 2019.

DPO – Means the Data Protection Officer.

Explicit Consent – Means consent which requires a very clear and specific statement (that is, not just action).

Personal Data – Means any information that directly or indirectly relates to a data subject, which shall include personally identifiable information (PII) and sensitive personal information (SPI). Personal Data specifically includes, but is not limited to, names, ID number, date of birth, telephone number, postal address, location data, IP address, cookie ID, advertising identifier, family member’s data, health data, account number, photos, biometrics, and financial details.

Personal Data Breach – Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Personally Identifiable Information (PII) – Means data that, on its own or in combination with other data, can identify an individual, or from which the identity of an individual is apparent or can be reasonably and directly ascertained.

Privacy Impact Assessment (PIA) or Data Protection Impact Assessment (DPIA) – Means the documented review and consultation process undertaken to identify, evaluate, and manage the privacy risks arising from a particular project, program, process, or measure.

Privacy by Design – Means implementing appropriate technical and organizational measures in an effective manner to ensure compliance with the KDPA.

Processing or Data Processing – Means any operation or set of operations performed on personal data, including, but not limited to, the collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, destruction, or other use of such personal data.

Pseudonymization – Means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, and such additional information is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Related Policies – Means the Company’s policies, operating procedures, or processes issued from time to time related to this Data Protection Policy and designed to protect the Company’s information resources.

Security Incident – Means an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It includes incidents that would result in a personal data breach, if not for safeguards that have been put in place.

Sensitive Personal Information (SPI) – Means personal data entitled to special protections under the Applicable Data Protection Regulation, including but not limited to personal data:
 about an individual’s race, ethnic origin, conscience, belief, genetic data, biometric data, property details, marital status, age, color, and religious, philosophical or political affiliations or beliefs;
 about an individual’s health, education, sex and sexual orientation or preference, family details including names of the data subject’s first-degree relatives, or criminal record or history;
 issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and
 specifically required to be kept classified by the Applicable Data Protection Regulation.

Principles for Data Processing 

Transparency 

Data subjects shall be informed of the nature, purpose, and extent of the processing of their personal data, including the risks and safeguards involved, and how their data subject rights can be exercised. 

Policies, communication, and other information relating to the processing of personal data shall be made accessible to data subjects and shall be expressed in clear and plain language. 

Whenever we collect Personal Data directly from Data Subjects, including for human resources or employment purposes, we must provide the Data Subject with all the information required by the KDPA through a Privacy Policy which must be presented when the Data Subject first provides the Personal Data.

When Personal Data is collected indirectly (for example, from a third party or publicly available source), we must provide the Data Subject with all the information required by the KDPA as soon as possible after collecting or receiving the data. We must also check that the Personal Data was collected by the third party in accordance with the KDPA and on a basis which contemplates our proposed Processing of that Personal Data.

If you are collecting Personal Data from Data Subjects, directly or indirectly, then you must provide Data Subjects with a Privacy Policy in accordance with our Related Policies and Privacy Guidelines.

Lawfulness or Legitimate Purpose 

The processing of personal data shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.

Processing shall be ceased, except for storage, when the lawful basis or declared purpose no longer applies and there is no new purpose compatible with the initial purpose.

The DPA allows Processing for specific lawful purposes, some of which are set out below:
 the Data Subject has given his or her Consent;
 the Processing is necessary for the performance of a contract with the Data Subject;
 to meet our legal compliance obligations; 
 to protect the Data Subject’s vital interests; or
 to pursue our legitimate interests, where those interests are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects. The purposes for which we Process Personal Data on the basis of legitimate interests must be set out in the applicable Privacy Notices.

You must identify and document the legal ground being relied on for each Processing activity in accordance with the Company’s guidelines on Lawful Basis for Processing Personal Data.

Consent  

Moneza will only process Personal Data on the basis of one or more of the lawful bases set out in the DPA, which include Consent.

A Data Subject consents to Processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the Processing. Consent requires affirmative action, so silence, pre-ticked boxes, or inactivity are unlikely to be sufficient. If Consent is given in a document which deals with other matters, then the Consent must be kept separate from those other matters.
 
Data Subjects must be easily able to withdraw Consent to Processing at any time, and withdrawals must be promptly honored. Consent may need to be refreshed if you intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first consented. 

When processing Sensitive Personal Information, we will usually rely on a legal basis for processing other than Explicit Consent or Consent if possible. Where Explicit Consent is relied on, you must issue a Privacy Notice to the Data Subject to capture Explicit Consent.  

You will need to evidence Consent captured and keep records of all Consents in accordance with Related Policies so that the Company can demonstrate compliance with Consent requirements.

Proportionality, Purpose Limitation, and Data Minimization 

Processing of personal data shall be relevant, necessary, and not excessive in relation to a declared and specified purpose. 

Personal data shall be processed for reasons compatible with the purpose of the collection. 

Personal Data shall not be Processed for new, different, or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes and they have Consented where necessary.

Data flows should be made efficient to avoid the creation of more copies or entry points for data collection than necessary.

You may only collect Personal Data that you require for your job duties: do not collect excessive data.

Moneza should regularly review whether the processing is necessary for the purpose for which the data was collected and test the design against purpose limitation.

Data no longer necessary for the purpose shall be anonymized or deleted according to Moneza’s data retention guidelines.

Confidentiality, Integrity, and Availability  

Moneza shall manage its policies and procedures for information security in accordance with its Information Security Management System.

SPI should be kept separate from the rest of personal data where possible.

Moneza shall implement procedures to detect, handle, report, and learn from data breaches.

You must maintain data security by protecting the confidentiality, integrity, and availability of the Personal Data, defined as follows:
 Confidentiality means that only people who have a need to know and are authorized to use the Personal Data can access it.
 Integrity means that Personal Data is accurate and suitable for the purpose for which it is processed; and
 Availability means that authorized users are able to access Personal Data when they need it for authorized purposes. 

Accuracy and Data Quality 

The correctness of personal data should be verified with the data subject before and at different stages of processing.

You will ensure that the Personal Data we use and hold is accurate, complete, and kept up to date.

Inaccurate data shall be rectified or erased. You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.

You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. 

Storage limitation  

Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.

The Company will maintain retention policies and procedures to ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires that data to be kept for a minimum time. 


Fairness 

Data subjects should be given autonomy and control with respect to their personal data.

Moneza shall minimize biases that automated decision-making processes may create.

Moneza’s models should be regularly tested to ensure fairness and accuracy.


Privacy by Design 

Moneza shall ensure that relevant data protection mechanisms are embedded in the processing of Personal Data and shall design technical and organizational measures to safeguard and implement the principles of data protection as set out under this clause. 

We will develop, implement, and maintain safeguards appropriate to our size, scope, and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others, and the identified risks (including the use of encryption and Pseudonymization where applicable) to ensure compliance with data privacy principles.

We will regularly evaluate and test the effectiveness of those safeguards to ensure the security of our Processing of Personal Data.

You must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. 

You may only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.

Moneza shall integrate data protection measures at the earliest stages of the development and implementation of projects, programs, and processes by taking into account the following:
 the state of the art;
 the cost of implementation;
 the nature, scope, context, and purposes of Processing; and
 the risks of varying likelihood and severity for the rights and freedoms of Data Subjects posed by the Processing.

Data Life Cycle 

Collection 

Personal data should only be collected directly from the data subject, unless the data subject consents to the collection of personal data from another source (in which case the data subject must be informed of the indirect data collection within 14 days).

Data subjects shall be furnished with information on the nature, purpose, and extent of the processing of their personal data before the collection of their personal data or at the next practical opportunity, in accordance with their right to be informed.

Where consent is the basis for the collection of data, such consent must be obtained through an affirmative act indicating voluntary, specific, informed, and unambiguous agreement. 

Cross-Border Transfer 

Cross-border transfers of data shall only be done when one of the following applies:
 there is Explicit Consent from the data subject after being informed of any potential risks;
 there is a legal instrument containing appropriate safeguards for the protection of personal data binding the intended recipient, such as binding corporate rules (BCR), standard contractual clauses approved for use in Kenya, an approved code of conduct, or a certification mechanism, a copy of which can be obtained from the DPO; 
 appropriate safeguards exist to protect personal data, such as encryption of data;
 the transfer is necessary for one of the other reasons set out in the DPA including the performance of a contract between us and the Data Subject, reasons of public interest, to establish, exercise, or defend legal claims, or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent and, in some limited cases, for our legitimate interest;
 an adequacy decision has been made by the Data Commissioner, for example where the Data Commissioner has determined that the intended recipient has in place an adequate level of personal data protection mechanisms; or
 commensurate data protection laws exist, for example where the intended recipient has ratified the African Union Convention on Cyber Security and Personal Data Protection or has in place a reciprocal data protection agreement with Kenya.

Moneza shall keep a record of:
 the date and time of transfer, 
 the name of the recipient, 
 the justification for the transfer, and 
 the description of the personal data transferred.

Data shall not be further transferred by the recipient without authorization from Moneza.

If there are any Cross-border transfers among Moneza affiliates, they shall be governed by binding corporate rules.

All transfers of personal data shall be done in accordance with any requirements in the Data Processing Agreement where applicable. 

Usage and Access 

PII may be processed for the following purposes:
 the purposes specified in the Privacy Policy, for which the data subject has given consent;
 purposes compatible with the fulfilment of a contractual agreement between Moneza and the data subject, such as a credit or service agreement; 
 compliance with a legal requirement, such as know-your-customer and other anti-money laundering obligations; 
 pursuit of legitimate interests of the Company.

SPI shall not be processed except for the following purposes:
 the purposes specified in the Privacy Policy, for which the data subject has given consent;
 compliance with a legal requirement, such as know-your-customer and other anti-money laundering obligations.

Access to personal data shall be limited in accordance with the Principle of Least Privilege under the Access Control Policy, which is incorporated by reference herein.

Processing of personal data for purposes of debt collection shall be done in accordance with the terms and conditions, which are incorporated by reference herein.

Moneza shall maintain a record of processing activities describing (a) the data processing systems, data flows, and data life cycle within the organization; (b) the responsibilities of individuals who will have access to personal data; and (c) other security measures in place.

Data Sharing, Outsourcing, and Disclosure 

Personal data shall not be shared with another data controller unless the data subject has given separate consent, or the sharing is specified in the Privacy Policy, for which the data subject has given consent.

Data sharing arrangements shall be covered by appropriate agreements containing the prescribed contractual clauses. 

Moneza should only outsource the processing of personal data to a data processor that observes data protection principles and that implements appropriate security measures to safeguard the personal data. Data processors shall be subject to a risk assessment. 

Personal data processing or outsourcing arrangements shall be covered by appropriate agreements containing the prescribed contractual clauses, substantially in the form provided in the data processing agreements. 

You may only share the Personal Data we hold with third parties, such as our service providers, if:
 they have a need to know the information for the purposes of providing the contracted services; 
 sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained;
 the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
 the transfer complies with any applicable cross-border transfer restrictions; and 
 a fully executed written contract that contains DPA-approved third party clauses has been obtained.

Personal data may be disclosed to government entities (such as regulatory bodies, credit bureaus, anti-money laundering and/or law enforcement authorities, licensing bodies, taxation authorities, and labor and social welfare agencies) in compliance with regulatory requirements.

All disclosures and sharing of personal data shall be done in accordance with the data processing agreement or any other policy. 

Storage, Retention, and Recordkeeping 

Moneza shall implement the data retention schedule.

Moneza should conduct a review of records containing personal data at least on an annual basis. 

Personal data that is no longer needed for the specified purpose or that is beyond the retention period shall be deleted or anonymized. This includes requiring third parties to delete that data where applicable.

You will ensure Data Subjects are informed, in any applicable Privacy Policy, of the retention periods for which their data is stored.

Deletion  

Personal data shall be disposed of in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other entity.

Organizational, Physical, and Technical Security Measures 

Security Measures 

The organizational, physical, and technical security measures and requirements of the Company shall be as set forth in the Company’s information security and human resource policies. You must comply with all applicable aspects of the above-mentioned Company Policies and others that may be formulated from time to time, and must not attempt to circumvent the administrative, physical, and technical safeguards we implement and maintain in accordance with the KDPA and relevant standards to protect Personal Data.

Appointment of a DPO 

Moneza shall appoint a DPO to oversee the Company’s compliance with the Applicable Data Protection Regulation.

The DPO should have sufficient understanding of the Applicable Data Protection Regulation and the processing operations being carried out by the Company, including its information systems, data security, and data protection needs.

The DPO may perform other functions as an employee, provided that such functions do not give rise to a conflict of interest against the functions of a DPO.

The DPO should be given sufficient autonomy, time, and resources necessary to carry out their tasks effectively and efficiently.

The DPO should be included in all relevant working groups that deal with personal data processing activities and shall be involved at the earliest stage possible.

The DPO may be reached by email for any concern relating to data protection. 

Please contact the DPO with any questions about the operation of this Data Protection Policy or the KDPA or if you have any concerns that this Data Protection Policy is not being or has not been followed. In particular, you must always contact the DPO in the following circumstances: 
 if you are unsure of the lawful basis which you are relying on to process Personal Data (including the legitimate interests used by the Company); 
 if you need to rely on Consent and/or need to capture Explicit Consent;
 if you need to draft Privacy Notices; 
 if you are unsure about the retention period for the Personal Data being Processed;
 if you are unsure about what security or other measures you need to implement to protect Personal Data;
 if there has been a Personal Data Breach;
 if you are unsure on what basis to transfer Personal Data outside Kenya;
 if you need any assistance dealing with any rights invoked by a Data Subject; 
 whenever you are engaging in a significant new Processing activity, or a change to an existing one, which is likely to require a DPIA, or plan to use Personal Data for purposes other than those for which it was collected; 
 if you plan to undertake any activities involving Automated Processing, including profiling or Automated Decision-Making;
 if you need help complying with applicable law when carrying out direct marketing activities; or
 if you need help with any contracts or other areas in relation to sharing Personal Data with third parties (including our vendors).

Conduct of a DPIA 

A DPIA should be conducted prior to any new processing operation or a change in any aspect of processing that may result in a higher risk to data subjects including:
 use of new technologies (programs, systems or processes) or changing technologies (programs, systems or processes);
 automated processing, including profiling; 
 large-scale Processing of Sensitive Personal Information; and 
 large-scale, systematic monitoring of a publicly accessible area.

A DPIA should likewise be conducted to evaluate the impact of regulatory or policy changes on existing systems.

The DPIA should be made in the form provided by the DPO. 

Training, Awareness and Audit 

Employees should participate in capacity building, orientation, or training programs in relation to data protection and security policies and practices, at least on an annual basis.

Moneza should implement data protection awareness programs for all employees involved in the processing of personal data.

Records of training and awareness efforts shall be kept on file.

Incident Response and Management 

Investigation and Documentation 

If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the person or team designated as the key point of contact for Personal Data Breaches (the DPO) who will liaise with the Incident Response Team.

In accordance with the internal incident management procedures, the Incident Response Team shall immediately:
 conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof; and 
 execute measures to mitigate the adverse effects of the incident or breach.

Security incidents and personal data breaches shall be documented through written reports, which shall be kept on file.

Notification 

In the event of a personal data breach that may result in a real risk of harm to a data subject, Moneza shall make the appropriate notification in writing to the Regulator and to the affected data subject within 72 hours from discovery of such personal data breach. Real risk of harm shall be taken to be present if the personal data breach relates to:
 the data subject’s full name and identification number;
 the data subject’s Moneza account number, Person ID, or other Moneza identifier;
 the data subject’s password, PIN, security code, access code, security question response, biometric data, or other data that is used to allow access to or use of the individual’s account;
 wages, salary, fee, commission, bonus, gratuity, allowance, or other remuneration paid or payable to the data subject;
 the income of the data subject from a sale of goods or property;
 the number of any credit card, charge card, or debit card in the name of the data subject;
 the account number of the data subject with any bank or financial institution;
 any private key of or relating to the data subject that may be used:
    o to create a secure electronic record or secure electronic signature; 
    o to verify the integrity of a secure electronic record; or
    o to verify the authenticity or integrity of a secure electronic signature;
 the net worth or creditworthiness of a data subject;
 the deposit or withdrawal of funds by a data subject with any entity or payment system;
 the payment of funds or transfer of property by any person to the data subject, including the amount of funds paid or the value of the property transferred;
 the grant by a person of advances, loans, and other facilities by which the data subject, being a customer, has access to funds or financial guarantees;
 the existence of any debt and its amount due or outstanding, whether:
    o owed by the data subject to an entity, or 
    o owed by an entity to the data subject;
 the incurring of any liability on behalf of the data subject;
 any term and condition, premium or benefits payable, or any detail relating to the condition of health, from an accident, health, or life policy of which the data subject is the policy owner or beneficiary;
 the assessment, diagnosis, treatment, prevention, or alleviation by a health professional of any medical condition or procedure;
 any history of abuse involving or alleged to involve the data subject;
 any other category of personal data that is subject to specific protection requirements under the Applicable Data Protection Regulation.

DIRECT MARKETING 

We are subject to certain rules and privacy laws when marketing to our customers.

For example, a Data Subject’s prior consent is required for electronic direct marketing (for example, by email, text, or automated calls). The limited exception for existing customers known as “soft opt-in” allows organizations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar products or services, and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.

The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information.

A Data Subject’s objection to direct marketing must be promptly honored. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

AUTOMATED PROCESSING & AUTOMATED DECISION MAKING 

Generally, ADM is prohibited when a decision has a legal or similar significant effect on an individual, unless: 
(a) the Data Subject has Explicitly Consented; 
(b) the Processing is authorized by law; or 
(c) the Processing is necessary for the performance of or entering into a contract. 

If certain types of Sensitive Personal Information are being Processed, then grounds (b) and (c) are not available; such Sensitive Personal Information may still be Processed where it is necessary (unless less intrusive means can be used) for a substantial public interest, such as fraud prevention.

If a decision is to be based solely on Automated Processing (including profiling), then Data Subjects must be informed when you first communicate with them of their right to object. This right must be explicitly brought to their attention and presented clearly and separately from other information. Further, suitable measures must be put in place to safeguard the Data Subject’s rights and freedoms, and legitimate interests. 

We must also inform the Data Subject of the logic involved in the decision making or profiling, the significance and envisaged consequences, and give the Data Subject the right to request human intervention, express their point of view, or challenge the decision. 

A DPIA must be carried out before any Automated Processing (including profiling) or ADM activities are undertaken.

Data Subject Rights and Requests 

Requests and Complaints from Data Subjects 

Data subjects may exercise their data subject rights by submitting the relevant request substantially in the form recommended under the Applicable Data Protection Regulation.

Data subject rights shall be respected, and requests shall be implemented with no undue delay. 

Data subjects may authorize representatives to exercise the rights on their behalf in the following circumstances:
where the data subject is a minor, by a person who has parental authority, or by a guardian;
where the data subject has a mental or other disability, by a person duly authorized to act as their guardian or administrator; or
in any other case, by a person duly authorized by the data subject.

For this purpose, the Company shall implement a process for the appointment of duly authorized representatives. Where there is uncertainty as to the authority of the representative, the Company may withhold action on the request until sufficient proof of authorization is provided.

Complaints involving an alleged violation of data subject rights should be brought to the attention of the DPO.

Right to Be Informed 

Data subjects shall be furnished with the following information before the processing of their personal data or at the next practical opportunity:
The identity of Moneza and/or its affiliates as the data controller;
The purpose for each processing operation;
The types or categories of personal data collected and used;
The basis for processing, when processing is not based on consent;
The use of automated decision-making, including meaningful information about the logic involved;
The third parties with whom personal data shall be shared or to whom the processing will be outsourced;
The existence of data subject rights, including the right to withdraw consent, and the implications of withdrawing such consent;
A description of the technical and organizational security measures taken to ensure the confidentiality and integrity of data;
Information about the cross-border transfer of data and the possible risks of such transfers;
The period for which the information shall be stored;
Any request for personal data sharing, specifying the applicable purpose, duration, and safeguards;
Contact information for the DPO.

Information provided to data subjects should be sufficiently clear and simple that an average member of the target audience will understand the information communicated.

Right to Restrict or Object  

When the basis for data processing is consent or legitimate interest, the data subject has the right to restrict or object to such processing. 

A data subject may also request Moneza to restrict the processing of their personal data on grounds that: 
the data subject contests the accuracy of their personal data; 
the personal data has been unlawfully processed, and the data subject opposes the erasure and requests restriction instead; 
the data subject no longer needs their personal data but the data controller or data processor requires the personal data to be kept in order to establish, exercise or defend a legal claim; or 
a data subject has objected to the processing of their personal data and the data controller or data processor is still assessing whether its legitimate grounds override those of the data subject.

Data Subjects also have the right to object to the processing of personal data for direct marketing, profiling, or automated processing where the personal data will be the sole basis for any decision that will affect them. For this purpose, Data Subjects must be informed of the effect of the exercise of the right to object vis-à-vis the provision of services by the Company.

If the Data Subject exercises the right to object, the Company must cease further processing, except for the purpose of storage.

Moneza may decline to comply with a request for restriction of processing if the request is manifestly unfounded or excessive, or if another lawful basis exists for the processing.

The Company must inform the Data Subject of the lawful basis or compelling reason to continue the processing.

Right to Access 

The data subject shall have the right to obtain confirmation of whether their personal data is being processed, and the right to access information on the following:
Contents of their personal information in the Company’s records and the categories of data that were processed;
Sources from which the personal information was obtained, if the data was not collected from the data subject;
Purposes of processing;
The categories of personal data concerned;
Manner in which such data were processed;
Information on automated processes where the processed data will be, or is likely to be, the sole basis for any decision that significantly affects or will affect the data subject;
Names and addresses of recipients of the personal data, and the reasons for the disclosure of the personal data to those recipients;
Date when the data subject’s personal data was last accessed or modified;
Period for which particular categories of information will be stored; and
The designation, name or identity, and address of the DPO.

The data subject should have the ability to proactively access or examine their personal data.

The data subject should have the ability to retain a copy of their personal data.

The right to access shall not apply to analyses made by the Company with respect to a data subject’s personal data, such as inferred, derived, modelled, or business-generated data.

Right to Rectification 

The data subject shall have the right to dispute the inaccuracy or error in their personal data and request its correction.

The Company should ensure that both the new and the retracted information are accessible, and that the intended recipients receive the new and the retracted information at the same time.

Upon reasonable request of the data subject, the Company should also inform prior recipients of the data of the fact of inaccuracy and the rectification of the data.

Where a request for rectification is declined, Moneza shall, in writing, notify the data subject of that refusal within seven days and shall provide reasons for refusal.

Right to Erasure or Blocking 

The data subject has the right to request the suspension, withdrawal, blocking, removal, or destruction of their personal data from the Company’s records, in both live and backup systems, when there is substantial proof that the personal data:
is processed on the basis of consent, and such consent has been withdrawn;
is no longer necessary for the purpose for which it was collected;
is incomplete, outdated, false, or unlawfully obtained;
is used for an unauthorized or unlawful purpose;
must be deleted to comply with a legal obligation;
contains information that is prejudicial to the data subject, unless otherwise authorized;
is the subject of an objection by the data subject to its processing, and there is no overriding legitimate interest to continue the processing;
is processed for direct marketing purposes and the individual objects to that processing; or
must be erased to comply with a legal obligation.

The request for erasure or blocking may be denied when the personal data is necessary for:
fulfilment of the purpose for which the data was obtained;
compliance with a legal obligation; or
establishment, exercise, or defense of any legal claim.

Right to Data Portability 

Where the processing:
is based on consent or contract; and
is carried out by electronic means in a structured, commonly used format,
the data subject shall have the right to obtain a copy of the personal data and/or to have it transmitted from Moneza to another data controller.

Where you decline a portability request, you shall, within seven days, notify the data subject in writing of the decline and the reasons for it.

The right to data portability is limited to:
data actively and knowingly provided by the data subject (e.g., name, address, age); and
observed data provided by the data subject by virtue of the use of the service or device (e.g. access logs, transaction history, location data, etc.).

Right to Damages 

The data subject shall have the right to be indemnified for any damage sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of their personal data.

Right to File a Complaint

The data subject shall have the right to file a complaint in accordance with the complaints procedure in the KDPA.

Accountability 

Moneza will implement appropriate technical and organizational measures in an effective manner to ensure compliance with data protection principles. Moneza is responsible for, and must be able to demonstrate, compliance with the data protection principles. 

You must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction.

The Company must have adequate resources and controls in place to ensure, and to document, compliance with the DPA, including:
appointing a suitably qualified DPO (where necessary) and an executive accountable for data privacy;
implementing Privacy by Design when Processing Personal Data and completing DPIAs where Processing presents a high risk to the rights and freedoms of Data Subjects; 
integrating data protection into internal documents including this Data Protection Policy, Related Policies, Privacy Guidelines or Privacy Notices;
regularly training Employees on the DPA, this Data Protection Policy, Related Policies and Privacy Guidelines and data protection matters including, for example, Data Subject’s rights, Consent, legal basis, DPIA and Personal Data Breaches. The Company must maintain a record of training attendance by Employees; and 
regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using the results of testing to demonstrate compliance improvement efforts.

Employees must regularly review all the systems and processes under their control to ensure they comply with this Data Protection Policy, and check that adequate governance controls and resources are in place to ensure the proper use and protection of Personal Data.

Enforcement 

Board Oversight 

This Data Protection Policy shall be approved by the Board of Directors.

The Board of Directors, where applicable, and the Senior Management shall be ultimately responsible for ensuring compliance with the Applicable Data Protection Regulation. Inputs on such compliance should be periodically requested from the DPO and other relevant stakeholders.

Penalties for Violations 

This Data Protection Policy sets out what we expect from you for the Company to comply with applicable law. Your compliance with this Data Protection Policy is mandatory. Potential violations are subject to notification of non-compliance and may result in disciplinary actions as described in the applicable human resource policy. 

Amendments 

Moneza reserves the right to amend, update, or vary this policy. Notice will be given via our intranet, website, and office memos and will be effective immediately or as at the date referred to in such notifications.

This Data Protection Policy does not override any applicable national data privacy laws.