Riana Group

Riana Infotech Data Protection Policy

Introduction

Riana Infotech Limited (“Riana”, “we”, “us” or “our”) respects the privacy of our users (“user”, “you” or “client organization”). This Data Protection Policy explains how we collect, use, disclose, and safeguard your information when you use our provisioned software solution, surveillance platform and/or visit our websites, including any other media form, media channel, mobile website, or mobile applications and SMS gateway related or connected thereto (collectively, the “software application” and the “Site”).

This policy statement applies to all our provisioned solutions; please read it carefully. If any portion of it is not clear, you may contact us at dataprotection@riana.co for any clarifications or queries. If you do not agree with the terms of this privacy policy, please do not access the service(s).

We are committed to protecting your personal data and ensuring that your privacy is protected. This Data Privacy Policy explains the types of personal data we collect, how we use and protect that data, and your legal rights regarding your personal data.
In addition, all of our employees, contractors, or consultants, independent or otherwise, will be required to act consistently with this Data Protection Policy.

Riana Responsibilities

Riana has a mandate to ensure that any personal data that we process is guided by various principles. We shall ensure that all data is:

  • Processed in accordance with the rights of the data subject
  • Processed lawfully, fairly and in a transparent
  • Collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Adequate, relevant, limited to what is necessary in relation to the purposes for which it is
  • Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified.
  • Not transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.

Data Processing

Personal data is information that identifies you as an individual, such as your name, email address, phone number, address, PIN, and surveillance records. Riana shall only process personal data when the data subject consents to processing for one or more specified purposes, or where such processing is necessary for any of the below to occur:

  • The performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract.
  • For compliance with any legal obligation(s) to which Riana is subject, including those imposed by applicable Regulatory bodies / Government entities;
  • In order to protect the vital interests of the data subject or another natural person;
  • For the performance of a task carried out in the public interest or in the exercise of official authority vested in Riana.
  • The performance of any task carried out by a public
  • For the exercise, by any person in the public interest, of any other functions of a public
  • For the legitimate interests pursued by Riana or by a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data
  • For the purpose of historical, statistical, journalistic, literature and art or scientific
  • The processing relates to personal data which is manifestly made public by the data
  • Where processing is necessary for:
    • The establishment, exercise, or defense of a legal
    • The purpose of carrying out the obligations and exercising specific rights of Riana or of the data subject.

Protecting the vital interests of the Data Subject or another person where the Data Subject is physically or legally incapable of giving consent.

Data Collection

We may collect personal data from you when you visit our Site, when you register on the Site, or when you use our services.

We will only collect and process your personal data in accordance with the Kenya Data Protection Act, 2019. We will collect your personal data only for specific, explicit, and legitimate purposes and will not process your personal data in any way that is incompatible with these purposes.

Riana has several categories of data subjects whose data will be processed and controlled, due to regulatory, operational and / or other needs.

Employees

These are individuals directly or indirectly employed by Riana. Riana may control and process data related to employees to allow for identification, validation as well as processing of regulatory information such as remittances on taxes and other key data required by the Government of Kenya. Such data may also be shared with authorised third parties where necessary for fulfilment of a contractual obligation with the respective Data Subject or based on consent.

The data processed may also include sensitive personal / health data for e.g. biometric access control, and where applicable, for the provision of medical insurance / healthcare to the Employees. Whenever this is the case, consent of the Data Subject will always be sought along with an explanation as to the use to which the said data will be put, save for emergencies or life-threatening instances in which consent is not obtainable.

Clients

This category includes all identifiable clients who procure services and/or products from Riana and/or other third-party partners with whom Riana collaborates to provide services and products. Riana may share personal data with authorised third parties in furtherance of their obligations to the Client, e.g. for sought-after/required services/products to be rendered to or provided to the Client.

Riana may control and process personal data related to our customers and/or clients in furtherance of a contractual obligation, due to legal obligations and/or due to other operational processes.

Riana partners

These are all Riana partners who have a business relationship, collaborative initiative, or existing connection, either directly and/or indirectly, that would necessitate the processing and control of personal data. Such processing and control might be due to regulatory compliance, internal processes and/or other assessed need, and accordingly, such data may be shared with authorised third parties.

Riana Data Subjects

Riana is committed to the promotion and enforcement of the rights of Data Subjects. These include, but are not limited to, the right:

  • To be informed of the use to which their personal data is to be put;
  • To access their personal data in the custody of the data controller or data processor;
  • To object to the processing of all or part of their personal data;
  • To correction of false or misleading data; and
  • To deletion of false or misleading data about

Data Use

We use your personal data to provide our services to you and/or the client organization. Your contact details may be used to communicate with you as part of the service delivery including but not limited to managing the collection and storage of End User data. We may use personal data to improve our services.

We may also use your personal data to send you promotional materials, newsletters, and other communications that we believe may be of interest to you.

You, however, have the right to opt out of these communications at any time.

Data Storage and Transfer

Digital records:

Riana is committed to the secure storage and preservation of all the personally identifiable information captured in its information systems.

We may acquire storage hosting services and thereby transfer your personal data to third-party facilities, including those located in other jurisdictions, only if appropriate safeguards are in place to protect the data, such as the use of standard contractual clauses, binding corporate rules, or compliance with other lawful mechanisms.

Storage of all Riana-controlled personal data shall be under Riana-owned infrastructure and/or infrastructure under contractual Riana ownership.

Physical records:

All physical records containing personally identifiable information shall be kept under lock and key and shall be under the sole control of the People and Culture Executive. Such records shall be bound by the following controls:

  1. There shall be no copying, sharing, and distribution of employee records other than that which is authorised by the Data Subject and/or necessary for other Department(s) to carry out their
  2. The Riana official shall make the sole decision at their discretion on whether to share such information in so far as restricting access does not impede any ongoing legal investigation and/or independent internal review.
  3. All personal information shared amongst internal functions / Departments within Riana shall be for a stated purpose.
  4. The Directors shall be consulted in all instances where the reasons and/or action to take is not immediately clear.

Riana shall ensure that all accessed personal data in third party custody is surrendered after culmination of any sanctioned exercise.

Data Disclosure

We may disclose your personal data to third parties as required by law or as necessary to provide our services to you and to the client organization. We may also disclose your personal data to our service providers and those associated with the client organization, such as our software and website hosting providers, email providers or marketing service providers, who process your data on our behalf.

Data Security

We will retain the collected personal data for as long as necessary to provide our services to you and the client organization, and as long as required by law.

Data Breaches

Where personal data in our custody has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorised access, the Riana Director shall appoint an officer with the relevant skillset to manage, control, and spearhead the breach-related actions outlined in this Policy.

The appointed officer shall initiate the following steps:

  • A preliminary report on the incident shall be prepared by the appointed officer within forty-eight hours of being made aware of the breach and such report shared with the Director.
  • Such report shall detail:
    • The nature of the
    • Exposure / Risks to Data Subject and to Riana
    • Estimated costs associated with the breach including security measures to address the
    • Current status of the
  • The appointed officer shall notify the Data Commissioner within seventy-two hours of becoming aware of such breach. Where the notification to the Data Commissioner is not made within seventy-two hours, the notification shall be accompanied by reasons for the
  • The appointed officer shall communicate to the Data Subject in writing within a reasonably practical period in cases where the identity of the Data Subject can be established.
  • The appointed officer shall then carry out an impact assessment on the breach including measures that have been put in place to mitigate future occurrence and/or exposure.

Third-party Data Breach

Where a third-party data processor becomes aware of a personal data breach, the data processor shall notify Riana without delay and where reasonably practicable, within forty-eight hours of becoming aware of such breach.

Once Riana receives notification of such breach, it shall:

  • Immediately initiate a cessation of processing of all Riana’s Data Subject Data managed by the third party through notice to the data processor.
  • An appointed Riana officer shall request a detailed incident report of the facts of the breach including measures that have been put in place to mitigate further occurrence within twenty-four hours of receipt of notice of breach.
  • A Riana officer shall carry out an impact assessment on the breach including an assessment of the state of exposure of data under third-party control as well as recommendations on further action(s), if any, to shield such exposure within twenty-four hours of receiving an incident report from the external Data Processor.
  • A Riana officer shall further indicate in the impact assessment report whether such breach was due to negligence on the part of the external Data Processor.
  • Where negligence has been established, Riana shall, in consultation with the Office of the Data Protection Commissioner, make a determination on whether to pursue legal All costs arising from such breach shall be borne by the negligent party.
  • A Riana officer shall further make a determination, based on measures in place and the associated risk whether to continue relying on a data processor for services rendered.
  • Where a decision is made to retain the services of the Data processor, it shall be under consideration of all measures in place, culpability for breach, and other considerations as may be determined by Riana.

Riana shall then notify the Data Subject(s) in writing within a reasonably practical period in cases where the identity of the Data Subject can be established. This notification, depending on the circumstances, should include a description of the breach, the measures that Riana intends to take or has taken to address the same, and the contact point from whom more information may be obtained.

Sharing Your Information

We do not sell, trade, or otherwise transfer your personal information to third parties without your consent, except in the following situations:

  • We may share your information with our service providers and partners who we have entered a business partnership with or who help us provide the services you have requested.
  • We may share your information with government authorities, law enforcement officials, or other third parties as required by law, legal process, or to address legal issues. 

Legal Rights

Data subjects can, subject to the applicable laws and regulations, withdraw or revise the terms of use of their personal data held by us. Such revision and/or withdrawal request shall be responded to within 72 hours of receipt of the same by a Riana official.

A revision/correction request can be presented in instances where such data is inaccurate, outdated, incomplete, or misleading.

We shall cease processing of data in the below situations:

  • Where the accuracy of the personal data is contested by the data subject, and in the intervening period until we verify the accuracy of the data, depending on the nature and type of personal data referred to.
  • Where personal data is no longer required for the purpose of the processing, unless where may be required by us for the establishment, exercise, or defense of a legal
  • Where a Data Subject has objected to the processing, pending verification as to whether the legitimate interests of Riana override those of the data subject.

Where the data controller has shared such personal data with a third party for processing purposes, the data controller or data processor shall take all reasonable steps to inform third parties processing such data that the data subject has withdrawn the right to process such data or requested a revision of such data as might be held.

All withdrawal notices received by us in respect of data held by third parties shall initiate a surrender of information held by such third parties. We shall make all reasonable efforts to ensure that such surrender is satisfactory and that all record of such data has satisfactorily been deleted/expunged from third-party systems and/or gadgets or other storage location and/or format that might exist.

If you wish to exercise any of your legal rights regarding your personal data, please contact us using the contact details provided below.

Riana commits to cooperate with any requests as submitted by auditors representing the Office of the Data Commissioner and / or their appointed agents.

Contact Us

If you have any questions or concerns about our data privacy policy or our use of your personal data, please contact us at:

Riana Infotech Limited
P.O. Box 24910 – 00100
6th Floor, Segen Plaza, 96 Riverside Drive, Nairobi.

dataprotection@riana.co

Policy Changes

We reserve the right to change this Data Privacy Policy at any time. If we make any material changes to this Data Privacy Policy, we will notify you by email or by posting a notice on the Site.