1. Introduction
Acre Africa is committed to protecting and respecting the personal data that we hold. This privacy statement describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us, both by individuals themselves and by others. We may use personal data provided to us for the purposes described in this privacy policy or as made clear before collecting personal data.
Personal data is any information relating to an identified or identifiable living person. When collecting and using personal data, our policy is to be transparent about why and how we process personal data. We process personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose are set out in the relevant sections below. The personal data that is provided to us is either provided directly from the individual concerned or from third parties.
Where we receive personal data that relates to an individual from a third party, we request that this third party inform the individual of the necessary information regarding the use of their data. Where necessary, reference may be made to this fair processing statement.
2. Security
We take the security of all the data we hold seriously. Staff are trained in data protection, confidentiality and security. We will ensure we have appropriate physical and technological security measures to protect your information regardless of where it’s held. We have a framework of policies and procedures which ensure we regularly review the appropriateness of the measures we have in place to keep the data we hold secure.
All information you provide to us is stored on our secure servers. Where we have an agreement with a 3rd party to store such information, we will have confirmed that such 3rd party has put in place adequate measures to ensure that your information is secure.
Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
3. Data That We Hold
3.1 Purpose
We provide services to individuals as well as organisations. The exact data held will depend on the services to be provided. Where we engage with individuals, we may collect and process personal data in order to satisfy a contractual or operational obligation. We request that individuals only provide the personal data that is required for us to fulfil our contractual or operational obligation.
3.2 Why do we process data?
Where data is collected for professional services, it is used for a number of purposes, as follows;
- Providing insurance and insurance bundled products to you: Data is processed in accordance with the purpose which we have collected it, and may sometimes be further clarified in written documentation supplied before any data processing may occur. We provide a range of products and services and this includes Agri-Insurance.
- Providing contract monitoring services to insurance contracts or customers via observations of fields using satellite to determine whether a risk has occurred or not.
- Individual needs: When communicating with and assessing the needs of clients, personal data may be processed in order to ensure that their needs are appropriately satisfied. This may include assessing whether the insurance products and services provided to our clients are appropriate.
- Administration: In order to manage and administer our business and services, we may collect and process personal data. This may include (but is not limited to) maintaining internal business records, managing client relationships, hosting events, and maintaining internal operating processes. This also includes to communicate with you including to send you administrative communications about any account you may have with us or about future changes to this privacy statement. We may periodically send promotional SMS, emails, and social media about new products, special offers or other information which we think you may find interesting using the communication data which you have provided.
- Statistical, actuarial or climatic research undertaken by Acre Africa, the financial services industry or our regulators.
- Regulatory: In order for Acre Africa to do what it does, we may from time-to-time be required to collect and process personal data in order to fulfil regulatory, legal or ethical requirements. This may include (but is not limited to) the verification of the identity of individuals.
- Data matching, internal business and administrative purposes; to assist in law enforcement purposes, investigations by police or other government or regulatory authorities and to meet requirements imposed by applicable laws and regulations or other obligations committed to government or regulatory authorities;
- Other purposes as notified at the time of collection.
3.3 What data is processed?
The data that is processed is dependent on the product and/ or service that is being provided and on the recipient of this service.
Personal data may include name, contact details, demographic & geographic information and medical records, ID documents to identify who you are (national ID card, passport, driving license), qualifications and certificates, business and/ or employment information, criminal history, bank details, photographs, videos, Other information relevant to customer surveys and/or offers and any other specifically relevant data.
3.4 How long do we hold data for?
We retain the personal data processed by us for as long as is considered necessary for the purpose(s) for which it was collected; there may also be occasions which will require data to be kept for longer, however, this will typically be for legal purposes.
In addition, personal data may be securely archived with restricted access and other appropriate safeguards where there is a need to continue to retain it. We will periodically review this data, to ensure that it is still relevant and necessary.
Where personal data on business contacts is held, it is used for a number of purposes, as follows;
- Promote and develop our services and products.
- Hosting and facilitating of events.
- Relationship management.
- Administration and management.
3.5 Our people
We collect personal data for our people as part of the administration, management and promotion of our business activities. Our staff handbook explains further how personal data is held for our staff and partners.
Applicants: Where an individual is applying to work for Acre Africa, personal data is collected through the application process. There are a number of purposes for which personal data for applicants are collected.
- Employment: We process an applicant’s personal data in order to assess their potential employment at Acre Africa. This data includes criminal history which is part of the preemployment background check.
- Administration and management: We may also use this personal data in order to make informed management decisions and for administration purposes.
Personal data collected for applicants is held for as long as necessary in order to fulfil the purpose for which it was collected, or for a maximum of 7 years after the relationship is terminated or where those purposes no longer become necessary.
3.6 Suppliers
We collect and process personal data about our suppliers, subcontractors, and individuals associated with them. The data is held to manage our relationship, to contract and receive services from them, and in some cases to facilitate the provision of services to our clients.
3.7 Why do we process data?
- Receiving goods and services: We process personal data in relation to our suppliers and their staff as necessary to receive the services.
- Providing products and services to our clients: Where a supplier is helping us to deliver products and services to our clients, we process personal data about the individuals involved in providing the services in order to administer and manage our relationship with the supplier and the relevant individuals and to provide such products and/ or services to our clients.
- Administering, managing and developing our businesses and services: We process personal data in order to run our business, including:
- Managing our relationship with suppliers;
- Developing our businesses and services (such as identifying client needs and improvements in product and service delivery);
- Hosting or facilitating the hosting of events; and
- Administering and managing our website systems and applications.
- Security, quality and risk management activities: We have security measures in place to protect Acre Africa’s information and our clients’ information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails. We have policies and procedures in place to monitor the quality of our services and manage risks in relation to our suppliers. We collect and hold personal data as part of our supplier contracting procedures. We monitor the services provided for quality purposes, which may involve processing personal data.
- Complying with any requirement of law, regulation or industry body of which we are a member: We are subject to legal, regulatory and professional obligations. We need to keep certain records to show we comply with those obligations and those records may contain personal data.
We will hold suppliers’ names, contact names, and contact details of suppliers.
We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). Data may be held for longer periods where required by law or regulation and in order to establish, exercise or defend our legal rights.
3.8 People Who Use Our Applications
When people use our applications, personal data is collected both through automated tracking and interacting with various forms on the website or apps (collectively referred to as the applications).
Personal data may be collected when individuals fill in forms on our applications or by corresponding with us by phone, SMS, USSD, e-mail or otherwise. This includes information provided when a person registers to use our applications, subscribes to our service, or makes an enquiry.
3.9 Cookies
What is a cookie? Cookies are sets of information that our web server assigns to you when you visit our website. Cookies are used in a few areas of our site for maintaining information between pages. These cookies simply carry forward information that you submitted on one screen to the next screen, eliminating the need for redundant entry. We may use IP addresses to derive certain other information concerning businesses visiting our websites as described in this policy, but we do not analyze this information in a way which would reveal the identity of the individual browsing our websites. When you select one of our products or services, register for a newsletter or e-mail alert, fill out an online form, or complete a survey, we may try to identify your browser and we may combine information from cookies, Web beacons, and other information collected online with other data that we maintain about you. You do have a choice whether or not to accept the cookie, however, if you reject the cookie or if cookies are disabled on your web browser, some parts of the website will not be operable.
4. Sharing Personal Data
We will only share personal data with others when we are legally permitted to do so. When we share data with others, we put contractual arrangements and security mechanisms in place to protect the data and to comply with our data protection, confidentiality and security standards.
Personal data held by us may be transferred to:
- Third-party organisations that provide applications/functionality, data processing or IT services to us.
- We use third parties to support us in providing our services and to help provide, run and manage our internal IT systems. For example, providers of information technology, cloud-based software as a service provider, identity management, website hosting and management, data analysis, data back-up, security and storage services. The servers powering and facilitating that cloud infrastructure are located in secure data centres, and personal data may be stored in any one of them.
- Third-party organisations that otherwise assist us in research, providing goods, services or information.
- Agents who market and sell Our insurance products.
- Law enforcement or regulatory agencies or those required by law or regulations.
Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, and to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.
5. Locations Of Processing
Where possible, personal data resides within Kenya but may be transferred to, and stored at, a destination where our cloud-based services providers’ servers are located.
6. Our Commitment/Privacy Principles
- We will only collect and use your information where we have lawful grounds and legitimate business reasons to do so
- We will be transparent in our dealings with you and will tell you about how We will collect and use your information
- If We have collected your information for a particular purpose, we will not use it for anything else unless you have been informed and, where relevant, your permission obtained
- We will not ask for more information than we need for the purposes for which we are collecting it
- We will update our records when you inform us that your details have changed
- We will continue to review and assess the quality of our information
- We will implement and adhere to information retention policies relating to your information and will ensure that your information is securely disposed of at the end of the appropriate retention period
- We will observe the rights granted to you under applicable privacy and data protection laws and will ensure that queries relating to privacy issues are promptly and transparently dealt with
- We will ensure that when we outsource any processes the supplier has appropriate security measures in place and will contractually require them to comply with these Privacy Principles
- We will ensure that suitable safeguards are in place before personal information is transferred to other countries
7. Individual’s Rights
Individuals have certain rights over their personal data and data controllers are responsible for fulfilling these rights as follows:
- Individuals may request access to their personal data held by us as a data controller.
- Individuals may request Us to rectify personal data submitted to us.
- Individuals may request that We erase their personal data.
- Where We process personal data based on consent, individuals may withdraw their consent at any time by contacting Us or clicking on the unsubscribe link in an email received from us.
- Individuals may have other rights to restrict or object to our processing of personal data and the right to data portability.
- Individuals may request information about, or human intervention into, any automated data processing that we may undertake.
If you wish to exercise any of these rights, please send an email to: acreafricaict@acreafrica.com
7.1 Complaints
If you do want to complain about Our use of personal data, please send an email with the details of your complaint to: acreafricaict@acreafrica.com We will look into and respond to any complaints we receive.
7.2 Changes to our privacy policy
Updates to this privacy policy will appear on the website.