DHANUR ENTERPRISES T/A RAPID RIDE – DATA PROTECTION POLICY


Background

This Data Privacy Policy details the data sharing and processing activities undertaken by Dhanur Enterprises, trading as Rapid Ride (also referred to as ‘Rapid Ride’). It will govern the processing of personal data, protect the privacy of Data Subjects, allow them to exercise their rights, and ensure compliance with the relevant laws.

In addition, all of our employees, contractors, or consultants, independent or otherwise, will be required to act consistently with this Data Privacy Policy.

Rapid Ride is committed to upholding the privacy of Data Subjects and all personal data processed by us, and we reiterate our commitment to safeguarding this personal data from unauthorised access, transfer, or processing.

This policy shall govern personal data that is processed by Rapid Ride or by a Rapid Ride appointed controller or processor, be it in physical or digital form.

Registration

Through the appointed officer and / or external consultant, Rapid Ride shall register with the Office of the Data Protection Commissioner (‘ODPC’) as a Data Controller. The application for registration shall be filled out in the form prescribed by law and duly submitted to the ODPC via their online portal.

Renewal:

Rapid Ride’s registration shall be renewed within 14 days before the date that the existing registration certificate is set to lapse.

Responsibilities of Rapid Ride as a Data Processor and Controller

Rapid Ride has a mandate to ensure that any personal data that they process is guided by various principles. They shall ensure that all data is:

  • Processed in accordance with the rights of the data subject
  • Processed lawfully, fairly and in a transparent manner.
  • Collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed.
  • Accurate and, where necessary, kept up to date.
  • Not transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.

Data protection impact assessment

Rapid Ride, through its officials, shall carry out a data protection impact assessment where it is adjudged that an intended processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes.

Where such assessment relates to access by a third party to Rapid Ride’s Data Subject information, the third party shall be actively involved in response to safeguards and measures they have in place to promote compliance with this policy as well as those that promote compliance with the law.

Outcomes of all impact assessments shall be communicated to the Directors within three (3) days of finalization.

All data impact assessments carried out by Rapid Ride shall be submitted to the Office of the Data Protection Commissioner sixty days prior to the processing of data as facilitated by Rapid Ride’s chosen staff member for overseeing this task.

A Data Impact Assessment shall also be carried out after any major incidents of breach and before resumption of data processing operations.

Data Privacy and Protection Risk Management

Rapid Ride personnel shall have management over identified risks relating to personal data collected, controlled and processed by Rapid Ride. Rapid Ride personnel shall ensure that where necessary, they carry out a mapping on all exposures facing Rapid Ride pertaining to Data privacy.

Rapid Ride Data Subjects

Rapid Ride has several categories of data subjects whose data will be processed and controlled, due to regulatory, operational and / or other needs.

Employees
These are individuals directly or indirectly employed by Rapid Ride. Rapid Ride may control and process data related to employees to allow for identification, validation as well as processing of regulatory information such as remittances on taxes and other key data required by the Government of Kenya. Such data may also be shared with authorised third parties where necessary for fulfilment of a contractual obligation with the respective Data Subject or based on consent.

The data processed may also include sensitive personal / health data, e.g. for biometric access control, or where applicable, for the provision of medical insurance / healthcare to the Employees. Whenever this is the case, consent of the Data Subject will always be sought along with an explanation as to the use to which the said data will be put, save for emergencies or life-threatening instances in which consent is not obtainable.

Clients
This category includes all identifiable clients who procure services and / or products from Rapid Ride and / or other third-party partners with whom Rapid Ride collaborates to provide services and products.

Rapid Ride may share personal data with authorised third parties in furtherance of their obligations to the Client, e.g. for service / product delivery of ordered products or where certain services are sought.

Rapid Ride may control and process data related to Clients including their photograph to allow for identification, validation as well as processing of regulatory information, and such data may also be shared with authorised third parties where necessary for fulfilment of a contractual obligation with the Client or based on consent.

The data processed may also include live location data for efficient provision of the services sought by the Client, as well as for safety and security purposes.

Rapid Ride partners

These are all Rapid Ride partners who have a business relationship, collaborative initiative, and existing connection either directly and / or indirectly that would necessitate the processing and control of personal data. Such processing and control might be due to regulatory compliance, internal processes and / or other assessed need in line with Rapid Ride policy, and accordingly, may be shared with authorised third parties or Clients.

Rapid Ride may also control and process data related to partners including their photograph to allow for identification, validation as well as processing of regulatory information such as remittances on taxes and other key data required by the Government of Kenya. Such data may also be shared with authorised third parties where necessary for fulfilment of a contractual obligation or based on consent.

The data processed may also include live location data for efficient provision of the services sought, to link the partner with any nearby Clients as well as for safety and security purposes.

RIGHTS OF RAPID RIDE DATA SUBJECTS

Rapid Ride is committed to the promotion and enforcement of the rights of Data Subjects. These include, but are not limited to, the right:

  • To be informed of the use to which their personal data is to be put;
  • To access their personal data in the custody of the data controller or data processor;
  • To object to the processing of all or part of their personal data;
  • To correction of false or misleading data; and
  • To deletion of false or misleading data about them.

Data subject consent

Rapid Ride shall ensure that before collection of data, the data subject is aware that Rapid Ride shall collect, store, and use their personal data. Rapid Ride shall further strive to ensure that the data subject, where applicable, approves such collection, preservation, and use.

Consent on data on minors

Rapid Ride considers all data subjects under the age of 18 as minors. In the rare instances that such data is processed, Rapid Ride shall ensure that there are appropriate mechanisms for age verification and consent to allow for the processing of personal data of a minor.

In the unlikely event that any personal data of minors is processed, Rapid Ride shall acquire consent from a guardian / parental authority to process said data. Irrespective of whether such consent has been received, Rapid Ride shall not process data relating to a minor unless the processing is done in a manner that protects and advances the rights and best interests of the child.

Withdrawal & revision of consent

Data subjects can, subject to the applicable laws and regulations, request the withdrawal or revision of their personal data held by Rapid Ride. Such revision and / or withdrawal request shall be responded to within 72 hours of receipt of the same by a Rapid Ride official.

Where the data controller has shared such personal data with a third party for processing purposes, the data controller or data processor shall take all reasonable steps to inform third parties processing such data that the data subject has withdrawn the right to process such data or requested a revision of such data as might be held.

All withdrawal notices received by Rapid Ride on data held by third parties shall initiate a surrender of information held by such third parties. Rapid Ride shall make all reasonable effort to ensure that such surrender is completed and that all record of such data has satisfactorily been deleted / expunged from third party systems and / or gadgets or other storage location and / or format that might exist.

Data Collection

Rapid Ride shall employ various options in the collection of personal information. Rapid Ride shall further ensure that such collection, storage and use of personal data shall be lawful, specific, and explicitly defined.

Information can be voluntarily and directly collected such as during the onboarding of a client / employee / supplier / partner or indirectly where, inter alia:

  • The data is contained in a public record or the data subject has made the data public.
  • Where collection of data from another source is necessary for:
    • The prevention, detection, investigation, prosecution, and punishment of crime.
    • The enforcement of a law which imposes a penalty, or
    • The protection of the interests of the data subject or another person

Access & Transfer of Personal Data

Rapid Ride data subjects have a right of access and transfer of all personal data that is held by Rapid Ride. Requests for such access should be made to Rapid Ride in writing, to the attention of (insert address here).  

Within 36 hours of receipt of the request, a Rapid Ride officer shall communicate in writing or through other official medium of Rapid Ride’s intention to comply (or whichever decision is taken) with the request and if the former, the expected timeline within which such data shall be available for collection, viewing and transmission.

Where a request is received to transfer such data to an external data controller or data processor, Rapid Ride shall, upon appropriate deliberation of the same, take all necessary steps and make reasonable effort to facilitate such transfer. Where a direct transfer of such data is requested, Rapid Ride shall assess the impact and implication of such direct transfer and only proceed in instances where associated risk has been assessed to be minimum. By default, Rapid Ride in those instances shall submit the data to the Data Subject for onward submission to the external party.

Data deletion

Unless a legal mandate precludes Rapid Ride from executing an erasure, Rapid Ride’s Data Subjects have a right to request Rapid Ride to erase or anonymise personal data that Rapid Ride is no longer authorised to retain, or personal data that is irrelevant or excessive.

Where the data controller has shared such personal data with a third party for processing purposes, the data controller or data processor shall, depending on the circumstances, take reasonable steps to inform third parties processing such data that the data subject has requested such erasure.

In all instances where legal mandates preclude such deletion, Rapid Ride shall ensure that all Data processing (other than that legally mandated) ceases on such data immediately and that the Data Subject is informed within a reasonable time that such deletion cannot occur but that all processing has ceased.

DATA STORAGE AND ASSOCIATED TREATMENT

Storage of all Rapid Ride-controlled personal data shall be under Rapid Ride owned infrastructure and / or infrastructure under contractual Rapid Ride ownership.

EMPLOYEE RECORDS

Rapid Ride is committed to the secure storage and preservation of all data that pertains to our employees. Such personal data refers to both digital and physical records kept.

Physical records
All physical personal employee records shall be kept under lock and key and shall be under the sole control of the Human Resources Department and / or their appointee. Such records shall be bound by the following controls:

  • There shall be no copying, sharing and distribution of employee records other than that which is authorised by the Data Subject and / or necessary for the Accounts or other Department(s) to carry out their function.
  • The Head of Human Resources shall make the sole decision at their discretion on whether to share such information in so far as restricting access does not impede any ongoing legal investigation and / or independent internal review as shall be assigned by the Directors.

Digital Records

The Head of Human Resources is the chief custodian of all personal employee digital records. Determination of what constitutes personal records shall be guided by the principle of sensitivity of such personal data.

Digital employee personal data shall be stored in a secure gadget and / or server as the need may be with access restricted to the Head of Human Resources and / or their appointee.

Access to these gadgets, locations and / or apps (including E-mail) shall be monitored with the assistance of the Rapid Ride IT Team to ensure that safeguards in place are sufficient and working.

For operational purposes, the Head of Human Resources may share digital employee personal data with various other Rapid Ride functions such as those relating to payroll processing.

CLIENT DATA

For purposes of this policy, client personal data refers to all retained information that identifies a client by name, number and / or other unique identification. Such client personal data can be associated with digital information as captured for sales, and it can also refer to physical records kept.

Rapid Ride shall ensure that the below functions are undertaken, where applicable, to mitigate risks associated with such records:

  • They shall take all necessary measures to ensure that client personal data is stored in a secured location.
  • Such location shall be under Rapid Ride ownership and / or contractual ownership with the right to retention, deletion and purging of all data held by the third-party installation.
  • Rapid Ride staff shall consult the Directors in all instances where the reasons and / or action to take is not immediately clear.

Any Rapid Ride personnel who come into contact with any Data Subject’s personal data and who directly cause breach of such personal data as a result of negligence and / or unreasonable action including unsanctioned access shall bear personal responsibility for such breach.

In addition, Rapid Ride shall exercise their option to institute disciplinary procedures against these personnel as a result of and in line with Rapid Ride policy.

DATA PROCESSING

Rapid Ride shall only process data when the data subject consents to processing for one or more specified purposes or where such processing is necessary for any of the below to occur:

  • The performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract.
  • For compliance with any legal obligation(s) to which Rapid Ride is subject, including those imposed by applicable Regulatory bodies / Government entities;
  • In order to protect the vital interests of the data subject or another natural person;
  • For the performance of a task carried out in the public interest or in the exercise of official authority vested in Rapid Ride.
  • The performance of any task carried out by a public authority.
  • Where processing is carried out in the course of legitimate activities with appropriate safeguards by a foundation, association, or any other not-for-profit body.
  • For the exercise, by any person in the public interest, of any other functions of a public nature.
  • For the legitimate interests pursued by Rapid Ride or by a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject.
  • For the purpose of historical, statistical, journalistic, literature and art or scientific research.
  • The processing relates to personal data which is manifestly made public by the data subject.
  • Where processing is necessary for:
    • The establishment, exercise, or defense of a legal claim.
    • The purpose of carrying out the obligations and exercising specific rights of Rapid Ride or of the data subject.
    • Protecting the vital interests of the Data Subject or another person where the Data Subject is physically or legally incapable of giving consent.

Processing personal health data

Rapid Ride shall, in the course of employment operations, come into knowledge of personal health data belonging to some Data Subjects. Rapid Ride shall process such personal data when:

  • Determining when employment should be offered to applying candidates, as well as our subsequent responsibilities as an employer, including for biometric fingerprint access to restricted areas, as well as the provision of health / medical insurance, where applicable.

Commercial use of processed Data

Rapid Ride may from time to time rely on collected data to make commercial decisions. Where such need is deemed necessary, and there is personal data involved, Rapid Ride shall, where practicable, anonymise the data in such a manner as to ensure that the data subject is no longer identifiable.

Personal data will only be used for commercial marketing of products where the data subject has consented to the same, or in the case of personal data already held for existing subjects, a clear opt-out or ‘unsubscribe’ mechanism will be provided. 

Rapid Ride Subject Data processed and controlled by a Rapid Ride partner / authorised Third Party

Rapid Ride shall ensure that all personal data in their control is not accessed by a third party unless where necessary for the performance of their contractual obligations or where the subject has been informed of the same.

Where a third-party Data Processor, their employee and / or other person with access to their systems, whether authorised or not, processes personal data other than as instructed by Rapid Ride, the data processor shall be deemed to be a data controller in respect of that processing and shall bear all risks and associated costs as a result of such contravention including reparation / compensation to the Data Subject should they successfully complain / pursue legal action for such use of their personal data.

Conditions for Rapid Ride Data Transfer to another jurisdiction

Rapid Ride may, for given business purposes, financial / banking reporting reasons, and / or business operations need to transfer data to another jurisdiction. Such transfer shall only be under any of the below conditions:

  • Where the legitimate reason has been shared with the Subject and their consent has accordingly been given;
  • For the conclusion or performance of a contract concluded in the interest of the data subject between Rapid Ride and another entity;
  • For any matter of public interest that necessitates such transfer;
  • For the establishment, exercise or defense of a legal claim under advice of Rapid Ride’s legal counsel in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; and

Deletion of Personal Data from Rapid Ride records

Rapid Ride shall set limits on the storage of all personal Data collected depending on the need / use for such collection, noting that the same should not exceed the limit imposed by the respective statutes and applicable legislation. At the expiration of such limit, Rapid Ride shall erase, anonymize or pseudonymise personal data not necessary to be retained.

Unless legal mandates preclude Rapid Ride from taking such action, Rapid Ride shall make all reasonable effort to ensure that the Data is deleted / erased / expunged from all known Rapid Ride storage locations.

BREACH OF PERSONAL DATA

Where personal data controlled and processed by Rapid Ride has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorised access, Rapid Ride Directors shall appoint an officer with the relevant skillset to manage, control, and spearhead the breach-related actions outlined in this Policy.

The appointed officer shall initiate the below steps:

  • A preliminary report on the incident shall be prepared by the appointed officer within forty-eight hours of being made aware of the breach and such report shared with the Directors.
  • Such report shall detail:
    • The nature of breach.
    • Exposure / Risks to Data Subject and to Rapid Ride
    • Estimated costs associated with the breach including security measures to address the same.
    • Current status of the exposure.
  • The appointed officer shall notify the Data Commissioner within seventy-two hours of becoming aware of such breach. Where the notification to the Data Commissioner is not made within seventy-two hours, the notification shall be accompanied by reasons for the delay.
  • The appointed officer shall communicate to the Data Subject in writing within a reasonably practical period in cases where the identity of the Data Subject can be established.
  • The appointed officer shall then carry out an exhaustive impact assessment on the breach including measures that have been put in place to mitigate future occurrence and / or exposure.

Breach of Personal Data held by a third-party Data Processor

Where a third-party data processor becomes aware of a personal data breach, the data processor shall notify Rapid Ride without delay and where reasonably practicable, within forty-eight hours of becoming aware of such breach.

Once Rapid Ride receives notification of such breach, it shall:

  • Immediately initiate a cessation of processing of all Rapid Ride’s Data Subject Data managed by the third party through notice to the data processor.
  • The appointed officer shall request a detailed incident report of the facts of the breach including measures that have been put in place to mitigate further occurrence within twenty-four hours of receipt of notice of breach.
  • A Rapid Ride officer shall carry out an impact assessment on the breach including an assessment of the state of exposure of data under third party control as well as recommendations on further action(s), if any, to shield such exposure within twenty-four hours of receiving an incident report from the external Data Processor.
  • A Rapid Ride officer shall further indicate in the impact assessment report whether such breach was due to negligence on the part of the external Data Processor.
  • Where negligence has been established, Rapid Ride shall, in consultation with the Office of the Data Protection Commissioner, make a determination on whether to pursue legal action. All costs arising from such breach shall be borne by the negligent party.
  • Rapid Ride shall notify the Data Subject(s) in writing within a reasonably practical period in cases where the identity of the Data Subject can be established. This notification, depending on the circumstances, should include a description of the breach, the measures that Rapid Ride intends to take or has taken to address the same, and the contact point from whom more information may be obtained.

Other provisions – Data Breach

For purpose of this policy and as provided for under the applicable laws, Rapid Ride may delay or restrict communication with the Data Subject as is necessary and proportionate for purposes of prevention, detection or investigation of an offence by the concerned relevant body.

The communication of a breach to the data subject may not be required where Rapid Ride and / or Rapid Ride’s agent has implemented appropriate security safeguards which may include encryption of affected personal data and where breach has been assessed as not posing risk(s) to the Data Subject.

All instances of Breach of Personal Data that are the subject of hacking, fraud and / or unauthorised external access shall be reported by Rapid Ride to the relevant authorities for onward investigation and as required by the law.

EXEMPTIONS UNDER LAW

There are various exemptions under law where Rapid Ride is exempt from certain provisions of the Data Protection Act, 2019 as regards processing of personal data. These may include:

  • If it is necessary for national security or public interest.
  • Where disclosure is required by or under any written law or by an order of the Court.
  • Where processing is undertaken by a person for the publication of a literary or artistic material on condition that it can be demonstrated that the processing is in compliance with any self-regulatory or issued code of ethics in practice and relevant to the publication in question. Such publication shall further be on condition that published material does not identify the Data Subject.
  • Where Rapid Ride reasonably believes that, in all the circumstances, compliance with the provision is incompatible with any special purposes that might arise.

None of the provisions above shall exempt Rapid Ride from complying with data protection principles relating to lawful processing, minimisation of collection, data quality, and adopting security safeguards to protect personal data.

Data Commissioner Audits

Rapid Ride commits to cooperate with any requests as submitted by auditors representing the Office of the Data Commissioner and / or their appointed agents.

Complaints forwarded by Data Subjects to the Data Commissioner

In the event that a Data Subject forwards a complaint pertaining to Rapid Ride and / or a Rapid Ride’s appointed Data processor’s conduct to the Office of the Data Protection Commissioner, the below shall apply:

  1. Having received summons / notice and / or instructions regarding the complaint, a Director-appointed Rapid Ride officer shall take charge of the matter and proceed accordingly.
  2. Such complaint notice shall then be forwarded by said officer to Rapid Ride’s legal counsel within twenty-four to forty-eight hours of receipt.
  3. The officer shall write to the Office of the Data Protection Commissioner within forty-eight hours of receipt of the said notice in consultation with Rapid Ride’s legal counsel responding to the complaint and / or other claim as presented. Such communication shall commit to cooperation with the Data Protection Commissioner in honoring all requests / summons and information submissions in consultation with Rapid Ride’s legal counsel.
  4. Rapid Ride officer shall conduct an impact assessment of the complaint showing the merits of the complaint including existing exposure and measures that have been put in place / need to be put in place to mitigate such exposure.
  5. Where information has been requested by the Data Protection Commissioner and / or their agent, Rapid Ride shall to the best of our ability provide this information in the manner requested. Such information should be limited to the Data Subject and should be as basic as necessary to limit exposure on competitive business data processing and / or other information not necessary to the request.
  6. Where a judgement is issued against Rapid Ride as a result of a complaint as submitted by a Data Subject to the Office of the Data Protection Commissioner, they may, depending on the circumstances of the same, appeal to the High Court of Kenya under the advice of Rapid Ride’s Legal Counsel.

Rapid Ride Policy Conflicts

Where the provisions of this policy conflict with any provisions of the Kenyan law, the provisions of the Kenyan law shall take precedence.

Where the provisions of this policy conflict with other internal policies as relates to the control and processing of data, the provisions of this policy shall take precedence.