Introduction

  1. Purpose

The purpose of this policy is to provide guidelines relating to the processing of personal data by Melin Software Solutions Limited (hereinafter referred to as “Melin Software Solutions”).

  1. Scope

This policy covers data collected, received and stored on Melin Software Solutions-owned physical and electronic databases. It shall apply to all staff and third-party service providers. It shall also apply to all users of Melin Software Solutions’ applications, software, databases, websites, social media platforms and all other suchlike resources.

This policy shall cover all of Melin Software Solutions’ resources, including but not limited to web portal and application and communication tools such as photos, videos, social and mainstream media.

  1. Definitions
    1. Consent means any freely given, unambiguous and informed indication which, by a statement or by a clear positive action, signifies an agreement by the user to the processing of his/her personal data.
    2. Data controller means a natural or legal person, public authority, agency or other body which has authority to oversee the management of, and to determine the purposes for the processing of personal data.
    3. Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
    4. Data processing means converting of data into information. This includes collecting, recording, analysis, storage, alteration, retrieval, use, transmission, dissemination, erasure or destruction of data.
    5. Data subject means an individual or business whose personal data is subject to processing.
    6. Data transfer means all acts that make personal data accessible to third parties outside of Melin Software Solutions on paper, via electronic means, on the internet or through other means.
    7. Data Transfer Agreement means an agreement between Melin Software Solutions and a third party that states the terms and conditions of use of personal data, including which data components are to be shared, the mode of transfer, how the data may be used, data security measures and other related issues.
    8. Personal data means any data related to a user who can be identified from that data; from that data and other information; or by means reasonably likely to be used related to that data. Personal data includes biographical data (bio data) such as name / business name, sex, date of birth, country of origin or Identification Number.
    9. Personal data breach means a breach of data security leading to the accidental or unlawful/illegitimate destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transferred, stored or otherwise processed.
    10. Person of concern means a person whose protection and assistance needs are of interest to Melin Software Solutions.
    11. Processing of personal data means any operation, or set of operations, automated or not, which is performed on personal data, including but not limited to the collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, transfer, dissemination or otherwise making available, correction, or destruction.
    12. Third party means any natural or legal person other than the user. Examples of third parties are national governments, international governmental or non-governmental organizations, private sector entities or individuals.
  2. Policy guidelines


 

  1. Melin Software Solutions shall, in dealing with personal information and data, ensure that the information/data is processed:
    1. without infringing the privacy rights of the data subject;
    2. in a lawful manner; and
    3. in a reasonable manner.
  2. The collection, use, storage and transfer of personal data will only be done in a manner guided by the policies of Melin Software Solutions.
  3. This policy will guide Melin Software Solutions’ Acceptable Use Policy, the Record Retention and Destruction Policy and the Accountability Framework.
  1. Accuracy
    1. Melin Software Solutions shall store personal data/information as accurately as possible and update and systematically review it to ensure it fulfills the purpose(s) for which it is processed.
    2. The data subject may request the correction of personal data that is inaccurate, incomplete, outdated, unnecessary or excessive.
    3. When personal data is corrected, Melin Software Solutions will notify, as soon as is reasonably practicable, all third parties to whom the relevant personal data was transferred and the data subject.
  2. Lawful and fair processing
    1. Data processing shall be carried out in a lawful and fair manner for specified and legitimate purposes without prejudicing the fundamental rights and freedoms of data subjects.
    2. The processing shall only be justified based on one (or more) of the legal bases, including:
      1. data subject giving his or her consent
      2. the processing is necessary for the performance of a contract with the data subject
      3. to meet legal compliance obligations
      4. to protect the data subject’s vital interests or any other person who may be indirectly affected
      5. public interest
      6. to pursue Melin Software Solutions’ legitimate interests which are not overridden because the processing prejudices the interests or fundamental rights and freedoms of data subjects
  3. Further processing
    1. Further processing for research purposes shall be compliant with the conditions outlined in order to be compatible with the purposes for which the data is obtained.
    2. Personal data which is processed for research purposes may be exempt from provisions of this policy if the results of the research and statistical data are not made available in a form which identifies the data subject.
    3. Further processing of data shall comply with the data protection principles set out in this policy, in particular in ensuring the security and confidentiality of sensitive personal data.
  4. Confidentiality
    1. The confidentiality of personal data must be respected by Melin Software Solutions when processing data at all times with access to the same limited on a need-to-know basis.
    2. Melin Software Solutions shall maintain the confidentiality of the personal data throughout and even after the user is no longer of concern to Melin Software Solutions.
    3. The data controller may specify other categories of personal data that will require additional safeguards and restrictions and may be classified as sensitive personal data.
    4. In the processing of sensitive personal data the data controller will specify further grounds on which these categories will be processed with consideration of:
      1. the increased risk of significant harm that may be caused to the data subject by processing this category of personal data.
      2. the degree of confidentiality attached to the category of personal data.
      3. the level of protection afforded by provisions applicable to personal data.


 

  1. Security
    1. Melin Software Solutions will ensure and implement a high level of data security that is appropriate to the risks presented by the nature and processing of personal data taking into account the level of technology available and existing security conditions as well as the costs of implementing additional security measures.
    2. In order to ensure and respect confidentiality, personal data will be filed and stored in a way that is accessible only to authorized staff and transferred only through the use of protected means of communication.
    3. In order to ensure the confidentiality of the personal data, Melin Software Solutions shall take appropriate technical and organizational data security measures.
    4. The nature of risks will include but not be limited to risk of accidental or unlawful/illegitimate destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
    5. Access to personal data/content/knowledge shall be restricted to authorized personnel using it in the performance of their duties at Melin Software Solutions and as determined by appropriate authorization of both the staff and data subjects.
    6. Personal data/content/knowledge may not be used by any employee or staff for purposes other than the business of Melin Software Solutions.
    7. Staff allowed access to personal data/content/knowledge of Melin Software Solutions shall sign a non-disclosure agreement banning them from using the content for business other than Melin Software Solutions’ core mandate.
    8. Private email accounts shall not be used to transfer Personal Data.
    9. Information technology will be used to process, communicate and store data and information which will be classified as Confidential Information (CI).
    10. Data security measures will be routinely reviewed and upgraded as deemed appropriate to ensure the level of protection is commensurate to the degree of sensitivity applied to personal data and considering the possible development of new technology in enhancing data security.
  2. Accountability
    1. Melin Software Solutions will be responsible for compliance and will be required to demonstrate that appropriate measures have been employed within the organization to comply with the data protection guidelines.
    2. Melin Software Solutions will implement data protection training programs for all staff.
    3. Melin Software Solutions will bear the burden of proof to establish the data subjects’ consent to the processing of their personal data for a specific purpose.
    4. Melin Software Solutions will ensure that it is as easy to withdraw as it is to give consent.
  3. Rights of data subjects
    1. A data subject has a right to—
      1. be informed of the use to which their personal data is to be put.
      2. withdraw consent at any time.
      3. access their personal data in the custody of the data controller or data processor.
      4. object to the processing of all or part of their personal data.
      5. correction of false, inaccurate, outdated or misleading data.
      6. deletion of false or misleading data about them.
      7. request erasure of their personal data where it is irrelevant, excessive or was obtained unlawfully.
  4. Data collection
    1. When collecting personal data from the user, Melin Software Solutions shall inform the user of the following in writing/orally and in a manner and language that is understandable to the user:
      1. The specific purpose(s) for which the personal data or categories of personal data will be processed.
      2. Whether such data will be transferred to third parties and the specific third parties.
      3. The data subject’s right to request access to their personal data, or correction or deletion of it.


 

  1. How to lodge a complaint with the data controller.
  2. The mandate and contact details of the data controller.
  1. At the request of the data subject the data controller may restrict the processing of personal data where:
    1. The accuracy of the data is contested by the data subject.
    2. The data subject has objected to the processing.
  1. Data Protection Impact Assessments
    1. Where a type of processing in particular using new technology, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
    2. A single assessment may address a set of similar processing operations that present similar high risks.
    3. A data protection impact assessment shall in particular be required in the case of:
      1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or
      2. a systematic monitoring of a publicly accessible area on a large scale.
    4. The assessment shall contain at least:
      1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
      2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
      3. an assessment of the risks to the rights and freedoms of data subjects; and
      4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Policy taking into account the rights and legitimate interests of data subjects and other persons concerned.
  2. Data retention and disposal
    1. Data will not be kept in a form that allows data subjects to be identified for longer than needed for the legitimate purposes or other purposes for which Melin Software Solutions collected it.
    2. The purposes of data retention shall include satisfying any legal, contractual, accounting or reporting requirements.
    3. Personal data may be retained for a longer period in the event of a complaint there is reasonable belief that there is a prospect of litigation in respect to Melin Software Solutions’ relationship with the data subject.
    4. Melin Software Solutions shall take all reasonable steps to destroy or erase from its systems all personal data that are no longer required in accordance with Melin Software Solutions’ Record Retention and Destruction Policy.
  3. Transfer of personal data to third parties
    1. Melin Software Solutions may transfer personal data to third parties through the data controller.
    2. Melin Software Solutions may only transfer personal data/content/knowledge to third parties on condition that the third party affords a level of data protection the same or comparable to this Policy.
    3. In order to mitigate risks associated with transfer of data to third parties, Melin Software Solutions will only transfer data to a third party if:
      1. The data is stripped of personal and identifiable information;
      2. The transfer is based on one or more legitimate bases including:
        1. explicit consent by the data subject;
        2. compliance with national or international law; or
        3. in exercise, establishment and defense of any contractual or legal obligations;
      3. The personal data to be transferred is adequate, relevant, necessary and not excessive in relation to the purpose(s) for which it is being transferred;


 

  1. The data subject has been informed either at the time of the collection or subsequently, about the potential transfer of his/her personal data;
  2. The third party has in the past respected the confidentiality of personal data transferred to them by Melin Software Solutions; and
  3. The third party maintains a high level of data security that protects personal data against the risk of accidental or unlawful/illegitimate destruction, loss, alteration, unauthorized disclosure of, or access to it.
  1. Melin Software Solutions will also ensure that transferring personal data does not negatively impact:
    1. The safety and security of Melin Software Solutions staff and beneficiaries.
    2. The effective functioning of an operation or compromise in Melin Software Solutions’ mission, vision or fundamental principles, for example due to the loss of trust and confidence between Melin Software Solutions and persons of concern.
  2. The processing of sensitive personal data out of Kenya shall only be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards.
  1. Data transfer records
    1. Melin Software Solutions shall keep and maintain full and accurate records reflecting all phases of data management cycle, including records of data subjects’ consents and procedures for obtaining consent, where consent is the legal basis of processing.
    2. The data transfer records shall include, at a minimum:
      1. the name and contact details of the individual entity authorizing the transfer;
      2. clear descriptions of the personal data types;
      3. data subject types;
      4. processing activities;
      5. processing purposes;
      6. third-party recipients of the personal data;
      7. personal data storage locations;
      8. personal data transfers;
      9. the personal data’s retention period; and
      10. a description of the security measures in place.
  2. Data transfer agreements
    1. Melin Software Solutions will require all third parties to comply with this Policy through an agreement or an MOU as part of the signing of partnership agreements. Such agreements will specify the specific purpose(s) and legitimate basis for the processing or transfer of personal data.
    2. Data transfer agreements shall:
      1. address the purpose(s) for data transfer, specific data elements to be transferred as well as data protection and data security measures to be put in place;
      2. require the third party to undertake that its data protection and data security measures are in compliance with this Policy; and
      3. stimulate consultation, supervision, accountability and review mechanisms for the oversight of the transfer for the life of the agreement.
    3. The Legal Department of Melin Software Solutions shall review and approve all data transfer agreements and maintain copies of final agreements.
  3. Data breach
    1. Melin Software Solutions will maintain a register of all data breaches.
    2. Melin Software Solutions’ staff will notify their line managers as soon as possible upon becoming aware of a personal data breach.
    3. The member of staff will record the breach.
    4. If a personal data breach is likely to result in personal injury or harm to a data subject, the data controller will communicate the personal data breach to the data subject and take mitigating measures as appropriate without undue delay. In such cases, the data controller shall also notify the Chief Executive Officer of the personal data breach.


 

  1. The notification will describe:
    1. The nature of the personal data breach, including the categories and number of data subjects and data records concerned;
    2. The known and foreseeable adverse consequences of personal data breach; and
    3. The measures taken or proposed to be taken to mitigate and address the possible adverse impacts of the personal data breach.
  1. External use and legal provisions
    1. Title to all data belonging to Melin Software Solutions resulting from data processing shall reside in Melin Software Solutions and shall be protected by data protection laws of the Country.
    2. Third parties may not process data belonging to Melin Software Solutions without consultation with Melin Software Solutions.
    3. Any data processed jointly shall be jointly owned by Melin Software Solutions and the third party with whom the joint processing was done.
    4. Nothing in this policy will prevent legal action from being undertaken against a person who violates the provisions of this policy or of any Kenyan laws and regulations.
    5. All matters arising out of or relating to this policy shall be governed by and are to be construed in accordance with the Laws of Kenya, excluding any conflict of law provisions, with Kenyan courts having exclusive jurisdiction in all disputes arising therein.
  2. Periodic review of the knowledge management policy
    1. This policy will be reviewed every three years or when need arises, whichever comes first.
