1.1 Policy Statement
This protection and privacy statement set out the basis which GenAfrica may collect, use, disclose or otherwise process personal data during or after your relationship with us, in accordance with the Data Protection Act, 2019 (DPA), its attendant regulations, and with all other relevant legislation in all the jurisdictions that we operate in and applicable global legislations.
1.2 Definitions of terms
a) “GenAfrica”, “we”, “us”, “our” or the “Company”) refers to GenAfrica Asset Managers Limited a company incorporated in the Republic of Kenya and all its subsidiaries and branches whether established within Kenya or in a foreign country.
b) “Data subject”, “you” refers to our clients including any person that you authorise to give us instructions, employees, service providers, agents, visitors, anyone who accesses our website, portals and applications and other stakeholders.
c) The DPA defines personal information as “information relating to a natural person who is or can be identified, directly or indirectly.
1.3 Who we are?
We are a leading fund manager providing investment management services to both institutional and retail investors. We also offer investment advisory for wealth and treasury management.
1.4 Principles and obligations of personal data protection
We commit to apply the principles of data protection in processing personal data and in compliance with the DPA, its attendant regulations, and with all other relevant legislation in all the jurisdictions that we operate in and applicable global legislation. We shall ensure that your personal data is:
(a) Processed in accordance with your right to privacy.
(b) Processed lawfully, fairly and in a transparent manner.
(c) Collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes.
(d) Adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed.
(e) Collected only where a valid explanation is provided whenever information relating to family or private affairs is required.
(f) Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay.
(g) Kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected.
(h) Not transferred outside Kenya or any other jurisdiction that we operate in unless there is proof of adequate data protection safeguards or consent from you.
1.5 Personal data that GenAfrica collects and process about you?
We may collect, process, store, and transfer different kinds of personal data about you. Below is a table that outlines the type of personal data including sensitive (special) data that we collect and process about you
1.6 How we collect personal data
We collect personal data about you or and any other person whose details you provide to us in accordance with the relevant laws, either:
a) Directly when you:
i. Fill out application form for any of our products or services in hard copy, through our website, our mobile apps, from our agents etc.
ii. Apply for employment.
iii. Attend a sponsored event by GenAfrica or register for the event through our website.
iv. Subscribed and/or visited any of our online services, newsletter, Short Message Service (SMS), email or social media platforms.
v. Ask for more information about our products or services.
b) Indirectly when you visit our website, mobile app, office, agent, you have been identified as a next of kin and or beneficiary by our client or employee.
c) From third parties such as other GenAfrica entities, public databases, credit bureaus and fraud prevention agencies.
Additionally, if you start filling out information on our website or other online forms and abandon, we will still collect the information you started with. We may use this information to contact you to remind you to complete any outstanding information and if requested by you will delete this information or limit its use to sharing new products and offerings with you.
In offering our products and services, our customers are obliged to provide us with personal data as per the relevant legal and regulatory requirements and obligations. Your failure to provide us with the required information may result in us not being able to provide you with our products or services or undertaking a contractual obligation with you.
1.7 How we use personal data collected
Personal data collected by us will be used, but not limited, for the following purposes:
a) Performing customer due diligence as per the regulations and guidelines issued by the Capital Markets Authority in relation to our conduct as a market intermediary and supported by our internal policies and procedures.
b) Complying with applicable regulatory requirements and obligations on Know Your Customer (KYC).
c) Providing you with our products and services and establish a relationship with you.
d) Login and authorization into our interactive features when you opt to do so.
e) Staff onboarding and human resource management.
f) To execute a transaction in accordance with your instructions.
g) To fulfil our contractual obligations with you or take the actions required to establish a relationship with you.
h) To provide customer service and support.
i) Providing marketing information.
j) Anti-money laundering/counter terrorism financing and sanctions monitoring.
k) To provide you with investment advice.
l) Planning, conducting, and monitoring our business including research and statistical analysis with the aim of improving our interactive systems, products, and services.
m) We reserve the right to monitor all internet communications including web and email traffic into and out of our domains, to safeguard the security of our digital channels and systems, protect our staff, record transactions and for the detection and prevention of unlawful activity and fraud.
1.8 To whom personal data may be disclosed
We will only disclose or share with third parties your personal data, subject to your request or consent and if there is a legitimate reason to do so. Examples of third parties that we may disclose or share your personal data with:
a) Group companies such as GenAfrica (UG) Asset Managers Limited and other entities within GenAfrica.
b) Service providers such as administrators, custodians, agents, securities brokers or external auditors and other third-party businesses who we have contracted to conduct some aspects of our business.
c) Governmental agencies, self-regulatory organizations, industry associations and similar bodies in order to fulfil legal and regulatory requirements.
However, please note that we are also legally obligated to disclose or share your personal data without your consent, to comply with any relevant legislation, to comply with legal process and if required by any regulatory authority.
1.9 International transfer of personal data
We will only transfer personal data outside Kenya or any other jurisdiction that we operate in only when:
a) We have proof of appropriate measures for security and protection of the personal data. Our measures also include ensuring data is transferred to jurisdictions with commensurate data protection laws. For example, when we store your personal data in cloud applications, we will ensure that the service provider is based in a jurisdiction that is compliant with the international General Data Protection Regulations (GDPR).
b) The Office of the Data Protection Commissioner (ODPC) will publish a list of countries with appropriate data protection measures from time to time. We will ensure that we only transfer data to these countries.
c) We have your consent to the processing and storing of personal data outside the country of jurisdiction.
d) The transfer is necessary for the performance of a contract, implementation of pre-contractual measures such as:
i. For the conclusion or performance of a contract to which you are part of.
ii. For matters of public interest.
iii. For the establishment, exercise, or defence of a legal claim.
iv. To protect your vital interests or of other persons vital interest, where you are physically or legally incapable of giving consent.
v. For compelling legitimate interests pursued by GenAfrica, which are not overridden by your interests, rights, and freedom.
Information passing over the internet may be transmitted internationally (even when sender and recipient are located in the same country) via countries with weaker privacy and data protection laws than in your country of residence. In this regard, we cannot be held responsible or liable for the confidentiality, security, or integrity of your information in connection with its transmission over the internet.
1.10 How we secure personal data collected, processed, and retained and the retention period
a) We will retain personal data for as long as it is necessary in order for us to fulfil the purpose for which we collected it for, including satisfying any legal, regulatory, tax, accounting or reporting requirements. In this regard, data will be stored in a secure, accurate and complete form as we have implemented appropriate physical, technical and organisational information security measures.
b) We will continually endeavour to update our information systems, physical and organisational security measures to secure your personal data from vulnerability of the Information Communication Technology (ICT) Systems from unforeseen and emerging risks and threats. However, please note there is no method of transmission over the internet or method of electronic storage that is completely secure hence we do not guarantee absolute security. It is your responsibility to maintain the secrecy of any user ID and login password you hold.
c) Generally, the law requires us to retain personal data for a period of 7 years upon which the personal data will be deleted or erased from our systems or physical storage space in accordance with our record retention and destruction policy.
d) Your personal data may be retained for a longer period in the event of a complaint and there is reasonable belief that there is a prospect of litigation in respect to our relationship with you.
e) In the event that we have contracted third parties to process your information, we will ensure that a service level agreement is in place obligating them to apply the appropriate security practices on retained data.
1.11 Accessing your personal data and other rights that you have
Subject to legal and contractual exceptions, you have a right to;
a) Be informed that we are collecting personal data from you.
b) Be informed of the purpose for which we are collecting your personal data.
c) Withdraw consent at any time. To exercise this right, you will fill in the statutory form ‘Request for access of personal data’.
d) Access personal data in our custody. To exercise this right, you will fill the statutory form ‘Request to confirm possession of personal data’.
e) Object to the processing of all or part of your personal data. To exercise this right, you will fill the statutory form ‘Request for restriction or objection to the processing of personal data’.
f) Restrict processing of personal data. To exercise this right, you will fill the statutory form ‘Request for restriction or objection to the processing of personal data’.
g) Correction of false, inaccurate, or misleading data. To exercise this right, you will fill the statutory form ‘Request for rectification’.
h) Deletion of false or misleading data about you.
i) Request for erasure also referred to as “the right to be forgotten” of your personal data where it is irrelevant, excessive, or was obtained unlawfully.
j) Data portability in a universally machine-readable format or for that data to be ported to another service. To exercise this right, you will fill the statutory form ‘Request for data portability’.
k) Compensation for the damage – material or non-material suffered if your rights have been found to be violated.
l) Right to an effective judicial remedy where you consider that your personal data was not processed in compliance with the law.
m) Right not to be subjected to a decision based solely on our automated processing, including profiling, which legally and significantly affects you.
n) Right to complain to the ODPC or the data protection authority/office in the jurisdiction that we have offices in.
If you wish to exercise any of the rights set out above, please fill in the statutory forms and contact us on compliance@genafrica.com. The statutory forms are available in our websites, the ODPC website or on the website of the data protection authority/office in the jurisdiction that we have offices in.
GenAfrica will try to respond to all legitimate requests in a timely manner. However, if your request is particularly complex or if you have made several requests, it may take us a little longer to respond to you. In this case, we will notify you and keep you informed.
Where you withdrawal consent to any part of the processing, we shall restrict the part of the processing in respect of which consent is withdrawn. We will inform you of the implications of withdrawing consent.
However, please note that there are instances when we may process data without your consent if the processing is necessary for any reason set out in the DPA Act, its attendant regulations, and with all other relevant legislation in all the jurisdictions that we operate in and applicable global legislations.
1.12 Complaints
If you feel that your right to privacy has been violated or not complied to, with regards to personal data, you have a right to complain. You can exercise this right by filing the complaint form available in our website and send to our Data Protection Officer on compliance@genafrica.com or you can visit our offices and fill the complaint form. We endeavour to handle and resolve all complaints received in a fair, prompt, and effective manner. You also have a right to lodge the complaint with the ODPC in Kenya or the data protection authority/office in the jurisdiction that we operate in.
1.13 Cookies
Cookies are small text file downloaded and stored on your computer or smartphone when you visit some websites and will alert the website when you return. Cookies also store some information about your preferences or past actions. We use cookies for:
a) Performance and design of our website.
b) To remember your preferences, interests, and personalised settings to enable you have a personalized interactive session.
c) For security purposes.
If you do not want to receive cookies from the website, you can configure your browser to alert you before a cookie is sent so that you can choose whether to accept it or not. However, please be aware that if you disable “cookies’’ in your browser you will not be able to fully experience some of the features of the website such as automatic log-on and other personalisation features.
1.14 Links to other website
Our website may contain links to other websites that we do not have control over and hence this privacy statement does not apply to those website that the links direct you to. We strongly advise that you read the privacy statements on those websites.
1.15 Clickstream data and use of google analytics
We may on several occasions use clickstream data and google analytics to track and report traffic in our website and provide better customer experience with our website. Example of information that we may collect are; your IP address, search terms used, pages accessed, links that you have clicked on our website, date and time you visited our website, referring website, type of browser that you use etc.
The data collected is aggregate and does not identify you. Our website analysis will also respect any installed ‘do not track’ setting on your browser.
1.16 Marketing
We may occasionally send you marketing information of our financial products and services through the personal information that you have provided but always subject to your right to opt out of receiving such marketing information. You can opt out of receiving such marketing communication when you are providing your data or in subsequent marketing communications. This can be done by clicking “unsubscribe” in the email or text message you receive from us or through our other contact channels.
1.17 Processing Data Relating to a Child
We will not knowingly process data relating to a child unless consent is given by the child’s guardian or parent and the processing is in such a manner that protects and advances the rights and best interests of the child.
GenAfrica will institute adequate mechanisms, such as request for birth certificate, to verify the age and obtain parental or guardian consent before processing personal data of children.
1.18 Changes to this data protection statement
This data protection and privacy statement was last updated in November 2022. Please note that we may update this statement from time to time and especially if there are significant changes in regulatory landscape on data protection in any jurisdiction that we operate in. Updated version will be posted on our website. We shall notify you on any material changes via email or through our website. However, we advise that you regularly check our website to ensure that you are aware of the updated protection and privacy statement.
1.19 Contact us /Further Information
If you have any enquiries, request or feedback on your personal data or queries or feedback about our personal data protection policies, and procedures, please contact our DPO on compliance@genafrica.com. You may also visit our offices.