Data Protection Compliance

Last updated:

1. Introduction

TajaCore is committed to compliance with the Data Protection Act, 2019 of Kenya. This page outlines how we comply with the Act's requirements and your rights as a data subject under Kenyan law.

2. Your Rights Under the Data Protection Act

As a data subject, you have the following rights under the Data Protection Act, 2019:

  • Right to be Informed: You have the right to be informed about the collection and use of your personal data
  • Right of Access: You have the right to obtain confirmation as to whether personal data concerning you is being processed and access to that data
  • Right to Rectification: You have the right to have inaccurate or incomplete personal data corrected
  • Right to Erasure: You have the right to request deletion of your personal data in certain circumstances
  • Right to Restrict Processing: You have the right to restrict the processing of your personal data
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used format
  • Right to Object: You have the right to object to processing of your personal data for direct marketing or legitimate interests
  • Rights Related to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that significantly affects you

3. How to Exercise Your Rights

To exercise any of your rights under the Data Protection Act, you can:

  • Contact us through our contact page
  • Email us at your registered email address
  • Use the privacy settings in your account dashboard

We will respond to your request within 30 days as required by the Data Protection Act. If your request is complex, we may extend this period by an additional 30 days, and we will inform you of this extension.

4. Lawful Basis for Processing

We process your personal data based on the following lawful bases under the Data Protection Act:

  • Consent: Processing based on your explicit consent, which you can withdraw at any time
  • Contract: Processing necessary for the performance of a contract with you
  • Legal Obligation: Processing necessary to comply with legal obligations under Kenyan law
  • Vital Interests: Processing necessary to protect your vital interests or those of another person
  • Public Interest: Processing necessary for the performance of a task carried out in the public interest
  • Legitimate Interests: Processing necessary for our legitimate business interests, provided your interests and fundamental rights do not override those interests

5. Data Protection Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and audits
  • Access controls and authentication mechanisms
  • Staff training on data protection
  • Incident response procedures
  • Regular backups and disaster recovery plans
  • Compliance with industry security standards

6. Data Transfers

Your personal data may be transferred to and processed in countries outside Kenya. When we transfer data outside Kenya, we ensure appropriate safeguards are in place, including:

  • Adequate data protection laws in the destination country
  • Standard contractual clauses approved by the Office of the Data Protection Commissioner
  • Binding corporate rules where applicable
  • Your explicit consent where required

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

  • For the duration of your account with us
  • As required by applicable Kenyan laws and regulations
  • To resolve disputes and enforce our agreements
  • For legitimate business purposes such as fraud prevention

When personal data is no longer needed, we securely delete or anonymize it in accordance with the Data Protection Act.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:

  • Notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of the breach
  • Notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms
  • Provide clear information about the nature of the breach and the measures we are taking to address it

9. Data Protection Officer

If you have any questions or concerns about our data processing activities or wish to exercise your rights, please contact our Data Protection Officer through our contact page.

10. Office of the Data Protection Commissioner

You have the right to lodge a complaint with the Office of the Data Protection Commissioner if you believe that our processing of your personal data violates the Data Protection Act, 2019.

The Office of the Data Protection Commissioner can be contacted at:

11. Updates to This Policy

We may update this Data Protection Compliance page from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date.

12. Contact Us

For any questions regarding data protection compliance or to exercise your rights, please contact us at our contact page.