Data Protection and Privacy Notice
This Data Protection and Privacy Notice informs you about how and for which purposes Watu Credit Limited, its subsidiaries and related entities in various countries (also referred to here as “Watu” “we” or “us”) will process your personal data and explain your rights under The Data Protection and Privacy Laws, and all other applicable Regulations across the different jurisdictions that it operates in. We remain dedicated to handling your personal data responsibly, diligently and in compliance with all legal requirements to ensure the integrity and security of your personal data.
For the purposes of this Data Protection and Privacy Notice, “personal data” means any information relating to an identified or identifiable individual.
1.1. Watu Credit Limited operates in a highly data-oriented environment which requires the processing and use of personal data to fulfill its core mandate of processing asset financing agreements to the public.
1.2. At Watu, we respect the privacy of individuals and recognize the importance of the personal data entrusted to us by our customers, our employees and other parties. It is our responsibility to -in a relevant and proper manner- process and protect all personal data compliant with the applicable data protection legislation and the regulations thereto.
1.3. This Data Protection and Privacy Notice explains the personal data we collect, how we process it and for what purpose and to whom your personal data may be disclosed by us in the context of our relation. It also describes how Watu handles your data that is in its possession and the controls that Watu has established to safeguard your data. Further, this Notice includes information regarding your rights with respect to the processing of your personal data.
1.4. We may, from time to time, amend this Data Protection and Privacy Notice, in keeping with amended legislation or business practices. We will effect all changes on our website, Applications, Agreements and Policies. The latest published version of our Notice will replace all earlier versions of it, unless otherwise stated and shall be available to notify all. We will inform you of important changes to this Notice via a notification on our website or via any other effective mode of communication.
1.5. The Data Protection and Privacy Notice applies to our visitors who either physically visit our premises or our website, customers, suppliers, agents, employees and all our stakeholders.
2. Definition of terms
2.1. We/our/ours/us/ means Watu Credit Limited (The Company and its subsidiaries and related entities).
2.2. Data Protection Officer is a person designated or appointed by The Company to monitor compliance with the Data Protection and Privacy Laws and the Regulations made under the various statutes.
2.3. Data Collection means gathering of information that relates to you.
2.4. Personal data means information about you that identifies you directly or indirectly as a unique individual such as name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person. The personal data that we collect will depend on the context of our relationship with you. We may collect, use, store and transfer different kinds of personal data about you or people connected to you.
2.5. Processing means any operation or sets of operations which is performed on your personal data whether by automated means, such as: collection, recording, organization or structuring; Storage, adaptation or alteration; Retrieval, consultation or use; Disclosure by transmission, dissemination, or otherwise making available; Alignment or combination, restriction, erasure or destruction.
2.6. Sensitive personal data is data revealing your racial or ethnic origin, political opinions, professional membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s gender.
2.7. Third Party – means a natural or legal person, public or private authority, agency or body other than you and Watu, who under the direct authority of Watu are authorized to process your personal data.
2.8. You/ Your (s) means:
2.8.1. Any person who has downloaded and uses any of our mobile applications.
2.8.2. Any person who has signed an Agreement with Watu.
2.8.3. Any staff who has been employed by Watu.
2.8.4. Any agent, dealer and/or merchants who has signed an agreement with Watu and is recognized as a merchant or agent in accordance with any applicable laws or Regulations.
2.8.5. Any visitor that is a person (including contractors/subcontractors or any third parties) who gains access to any Watu premises.
2.8.6. Any supplier/ service provider who has been contracted by Watu.
2.8.7. Any external lawyer who has signed a service level agreement with Watu.
2.8.8. Any other service provider or financial entity who has signed an agreement with Watu.
2.9. “Processing” collectively means handling, collecting, using, altering, merging, linking, organizing, disseminating, storing, protecting, retrieving, disclosing, erasing, archiving, destroying, or disposing of your personal data.
3. The general principles for protecting personal data within Watu are:
3.1. We are transparent on how we comply with applicable data protection legislation.
3.2. We limit the collection and processing of personal data as required by law. The information we collect about you will be for specified and legitimate purposes and will not be further processed in a manner incompatible with those purposes.
3.3. We process sensitive personal data only if the processing has a clear and explained legal ground.
3.4. We register details about individuals limited to achieving the purpose of the processing.
3.5. We inform individuals which personal data we collect and how this data will be stored and used.
3.6. We treat personal data as strictly confidential and take appropriate technical and organizational security measures to protect personal data against loss or unlawful access and processing.
3.7. We keep personal data only for as long as necessary to fulfill the purposes for which it was collected, or local law may require.
3.8. If our processing of personal data is likely to pose a high risk to individuals’ rights and freedoms, we will perform a data protection impact assessment and, if necessary, take appropriate security measures as guided by the Office of the Data Protection Commissioner in Kenya and in any other Country where we have operations in.
3.9. Our systems and processes support personal data protection. We maintain documentation showing that our systems and processes work as intended.
3.10. Where we outsource the processing of personal data, we impose contractual obligations to protect this data.
4. Why do we collect your personal data?
We collect your personal data for the following purposes:
4.1. Where we need to fulfill the contract that we are about to enter into or have entered with you.
4.2. To assess whether you are eligible for our products and services.
4.3. Where you consent to our use of your personal data.
4.4. Where we need to comply with or fulfill legal or regulatory obligations and protect ourselves and our customers against fraud.
4.5. Where we need to protect your vital interests and the vital interests of third parties (for example when contacting your listed beneficiaries/guarantor under an Agreement.
4.6. Where it is necessary for our legitimate interests (or those of a third party) such as maintaining our records, developing, assessing, and improving our services, risk evaluation, improving our customer administration and engagement as well as complying with our Know Your Customers (KYC) requirements.
4.7. To establish, exercise or defend our legal rights such as when we are faced with any legal claim or where we want to pursue any legal claims.
4.8. To communicate new products and services (please note that if you do not want to receive our marketing information you may opt out anytime by contacting us at any time).
4.9. To send you important notices such as changes to our terms, conditions and policies, any promotions, discounts, loan balances, or unusual activity with respect to your Agreement with us.
4.10. If you apply for an employment position at Watu or we note that you are a potential candidate for employment, we may use your personal data in evaluating your candidacy and to contact you about the employment opportunity.
4.11. When we receive your personal data from third parties, we may use it to validate the information you have provided to us or for fraud prevention purposes.
4.12. To enable us to register you for our services and verify your identity and authority to use our services.
4.13. To address fraud or safety concerns, or to investigate complaints or suspected fraud or illegality.
4.14. To monitor and analyze our platforms for system administration, operation, testing and support purposes.
4.15. To cooperate with, respond to requests from, and to report transactions and/or other activity to government, tax or regulatory bodies, or other intermediaries or counterparties, courts or other third parties.
5. Whose personal data do we collect?
We collect your personal data because you are our customer or other valued relation.
6. How do we collect your personal data?
We collect your personal information with your knowledge and consent. We may collect your personal data through any of the following ways: (please note that this list is not exhaustive):
6.1. Directly from you, such as when entering a contract with us as customer or contractor,
6.2. Visiting our premises or website,
6.3. Downloading our applications and registering,
6.4. Subscribing to our communications,
6.5. Registering for an event, applying for a job,
6.6. From other sources, such as business partners,
6.7. By interacting with our website. We collect this personal data by using cookies and similar technologies. You can find out more about this in our cookies and website policy,
6.8. From publicly available sources including:
6.9. Identity and contact data from the Government of Kenya’s e-citizen and Integrated Population Registration Services platforms as applicable in any other country where your data was collected.
6.10. Identity and contact data from publicly available sources such as the Companies Registry and the Business Registration Service.
6.11. Contact, financial and transaction data from land registries, industry databases such as credit reference agencies, fraud prevention agencies and providers of technical, payment and delivery services.
6.12. Medical professionals and hospitals.
6.13. Social media- If you are a potential candidate for employment with Watu, we may have received your personal data from third parties such as recruiters or external websites.
6.14. Directly from an individual.
6.15. Directly from a person who is making a claim or application, and they include information about you which is related to their claim or application.
6.16. From your family members when they make enquiries about obtaining an asset or including you as their next of kin.
6.17. Closed Circuit Television (CCTV) surveillance recordings. CCTV Devices are installed at strategic locations within Watu’s premises to provide a safe and secure environment.
By choosing to interact with us in any way specified under clause 6.0 above, you will be doing so with full knowledge and consent that we will collect and process your personal data. By consenting, you allow Us to collect, process, store, disclose and transfer your data as provided for under the Data Protection Act and the regulations thereto.
7. What personal data do we collect?
Personal data that we process may include:
7.1. Identification information such as name, date and place of birth, national identity card number, passport number, Revenue Authority personal identification number (PIN), photo, marital status, title, nationality, gender, and specimen signature.
7.2. Contact information such as email address, postal address, physical address, residential address, and telephone number.
7.3. Financial information such as bank account details, payment card details, mobile money statements, income, credit history, credit worthiness, bank statements, details about payments to or from you and other details of products and services you have obtained through us.
7.4. Information on your involvement in the matter giving rise to a claim.
7.5. Information about the nature of your business and commercial assets.
7.6. Employment information such as the name of the employer, position in the organization and office address.
7.7. Children’s personal data such as the name, date of birth and gender.
7.8. Sensitive personal information such as marital status, property details, health status and family details (such as next of kin and beneficiaries).
7.9. Marketing and communications information including your preferences in receiving marketing information from us and communication from us.
7.10. Online data whenever you access our website and mobile applications such as cookies, login data, IP address (your computer’s internet address), browser type and version, ISP or operating system, domain name, access time, page views and location data.
7.11. Geolocation Information- We may request access or permission to track location-based information from your mobile device, either continuously or while you are using our mobile application(s), to provide certain location-based services. If you wish to change our access or permissions, you may do so in your device’s settings.
7.12. Mobile Device Access- We may request access or permission to certain features from your mobile device, including your mobile device’s SMS messages, and other features. If you wish to change our access or permissions, you may do so in your device’s settings.
7.13. Mobile Device Data – We automatically collect device information (such as your mobile device ID, model, and manufacturer), operating system, version information and system configuration information, device and application identification numbers, browser type and version, hardware model Internet service provider and/or mobile carrier, and Internet Protocol (IP) address (or proxy server). If you are using our application(s), we may also collect information about the phone network associated with your mobile device, your mobile device’s operating system or platform, the type of mobile device you use, your mobile device’s unique device ID, and information about the features of our application(s) you accessed.
7.14. Push Notifications-We may request you to allow us to send you push notifications regarding your client account or certain features of the application(s). If you wish to opt out from receiving these types of communications, you may turn them off in your device’s settings.
If there is a justifiable need for information about other people connected to you, we may request you to provide the information in relation to those people. If you are providing information about another person, we expect you to ensure that they know that you are doing so and are content with their information being provided to us. It might be helpful to show them this data protection Statement and if they have any concerns, please contact us on the same.
8. With whom do we share your personal data?
8.1. We may share your personal data with other companies and subsidiaries within the Watu Group for processing your personal data in accordance with the purposes. Personal data may also be shared with Watu’s trusted partners, such as dealers, manufacturers and the specified third parties listed below, to achieve the purposes. We will ensure that appropriate contractual safeguards are implemented to ensure protection of your personal data when disclosing it to a third party.
8.2. Subject to your rights and the applicable laws, we may share your personal data with the third parties set out below:
8.2.1. Public authorities or governments when required by law, public interest, national security, regulation, legal process or enforceable governmental request.
8.2.2. Persons or entities that you explicitly request us to transfer your personal data to them.
8.2.3. Your relatives, guardians or persons acting on your behalf where you are incapacitated or for the purposes of settling your beneficiaries.
8.2 4. Insurers, reinsurers, and brokers for insurance services.
8.2.5. Our professional advisers such as auditors, tax advisers, insurers, reinsurers, medical agencies, legal advisers who act on our or your behalf, or who represent another third party.
8.2.6. Medical institutions and professionals where we may require access to your health records and assessments for specific purposes.
8.2.7. Debt collection agencies, credit reference agencies, fraud detection agencies and other agencies that we will contract to provide services to us.
In case personal data is being transferred outside the country of data collection and processing, appropriate measures will be taken to ensure protection of your personal data.
9. How do we store your personal data?
Watu maintains appropriate technical and organizational safeguards against unauthorized processing of personal data and against accidental loss, destruction, or damage.
10. How long do we store your personal data?
10.1. We will only retain your personal data for as long as may be reasonably necessary to fulfill the purpose we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting information.
10.2. We may retain your personal data for a longer period if the retention is:
10.2.1. required or authorized by law.
10.2.2. reasonably necessary for a lawful purpose.
10.2.3. authorized or consented by you.
10.2.4. is necessary for the purpose of responding to a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
10.2.5. for historical, statistical, journalistic, literature and art or research purposes.
11. How do we protect your personal data?
11.1. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.
11.2. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
12. What are your rights as a Data Subject and how can you exercise them?
You have the right to:
12.1. information about and access to your personal data;
12.2. rectify your personal data;
12.3. erasure of your personal data (‘right to be forgotten’);
12.4. restriction of processing of your personal data;
12.5. object to the processing of your personal data;
12.6. receive your personal data in a structured, commonly used and machine-readable format and, where technically feasible, to have your personal data transmitted to another organization;
12.7. lodge a complaint with the Office of Data Protection Commissioner in Kenya and with the Regulator in any other country where a breach or incident has occurred regarding the handling of your data by us.
To exercise your rights, please send an email to: [email protected]
There may be circumstances that restrict your rights, particularly if processing your personal data is required to meet our legal or regulatory obligations.
13. Our Security Practices
13.1. We are committed and obliged to implement all reasonable controls to safeguard access to your personal information.
13.2. Where third parties are required to process your personal information in relation to the purposes set out in this Statement and for other legal requirements, we ensure that they are contractually bound to apply the appropriate security practices.
13.3. All use of our website is protected through secure encryption in line with best practice international standards.
14. Do we collect personal data from minors?
14.1. We do not knowingly collect data from or carry out marketing activities to persons under 18 years of age, also referred to as minors/ children.
14.2. We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor/ dependent’s use of our Services. If we learn that personal information from users less than 18 years of age has been collected, we shall deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data, that we may have collected from children under age 18, please contact us at [email protected]
15. Personal use of emails and statement about checking on emails
15.1. Our communication and information systems are for business use. However, we realize that our employees occasionally use our systems for personal use.
15.2. Personal use includes sending or receiving personal emails within or outside Watu. Whilst our employees are bound by strict usage policies and security safeguards, we do not accept responsibility for the contents of personal emails sent by our employees using our systems.
15.3. Please note that we may intercept, check on and delete any communications created, stored, sent, or received using our systems, according to any Law that applies.
We have appointed a data protection officer who is responsible for overseeing questions in relation to this data Protection Statement. If you have any concerns about the use of your personal data, questions about this data protection Statement including any requests to exercise your legal rights under the law, please contact us using the details set out below:
Email address: [email protected]
Postal address: P.O. Box 15138-00100.
Physical address: Hill Park, Building- Upper Hill, Nairobi.
Telephone number: +254 701563623
Notice Effective Date: October 1st, 2023.
This Data Protection And Privacy Notice was last updated on (October 1st, 2023)