1. Introduction

As part of its social responsibility, TIFA Research is committed to local and international compliance with data protection laws, regulation, and rules. This privacy & data protection policy (“Policy” or “Data Protection Policy”) applies worldwide to the TIFA Research ecosystem and is based on Kenya accepted basic principles on data protection. This Policy adopts the fundamental principles of the Kenya Data Protection Act 2019 (“DPA”) as the minimum standard to which TIFA Research, its employees and suppliers must adhere to.

TIFA Research depends on the collection and analysis of information about identifiable living individuals (“Data Subjects”) to carry out its market research and associated business. Maintaining respondents’ and the public’s confidence requires that respondents do not suffer direct adverse consequences, risk or harm as a result of providing TIFA Research with their information or their Personal Data (for a definition and explanation of this term and other capitalized terms, please see the Glossary at the end of this document) being processed for TIFA Research’s business purposes. The information may be obtained from any kind of individual or organization.

To conduct its business, TIFA Research also needs to collect and process certain types of information, including Personal Data, about people with whom TIFA Research deals. These include current, past and prospective employees, suppliers, clients and others with whom it might communicate. In addition, TIFA Research may occasionally be required by law to process certain types of Personal Data to comply with certain legal requirements.

This Policy describes the minimum standards of how Personal Data must be processed, collected, handled and stored to meet TIFA Research’s data protection standards.

Data processors are obliged to comply with this Policy when processing Personal Data on TIFA Research’s behalf. Any breach of this Policy may result in disciplinary action, up to and including dismissal from TIFA Research.

2. Scope

This Policy will form the minimum standard to which all TIFA Research employees and suppliers must adhere, regardless of whether DPA directly applies to any specific activity or territory.

Everyone who works for TIFA Research has some responsibility for ensuring Personal Data is collected, stored and handled appropriately.

It is everyone’s responsibility that Personal Data is handled and processed in line with this Policy and its data protection principles.

TIFA Research also expects that its suppliers/vendors comply with the principles as set out herein.

3. Application of National Laws and Codes of Conduct

This Data Protection Policy adopts the internationally accepted privacy principles as enhanced by the DPA. It is subsidiary to and supplements any applicable national legislation. The relevant national laws will take precedence if there is a conflict with this Policy or if it has stricter requirements than this Policy. Any registration, notification or reporting requirement for data processing under national laws must be observed. The contents of this Policy must also be observed in the absence of corresponding national legislation or where national legislation has a lower standard.

In the event of conflict between national legislation and the Data Protection Policy, TIFA Research will work with the relevant company to find a practical solution that meets the requirements and satisfy the purposes of this Policy as well as applicable legislation.

In addition to this Policy, for its market research business, TIFA Research adheres to the Professional Codes of Conduct of MSRA, and ESOMAR. We hold a research license from Kenya National Commission for Science, Technology and Innovation (NACOSTI).

4. Principles for Processing Personal Data

All Personal Data must be dealt with properly, irrespective of how they are collected, recorded and processed - whether on paper, in a computer file, database, or recorded on other material. There are generally accepted principles to safeguard this, as set out in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as relevant safeguards in various statutes across the world, including the DPA.

TIFA Research regards the lawful and correct treatment of Personal Data and maintaining the confidence of those with whom it deals in TIFA Research’s appropriate dealing with Personal Data as a vital component of its business operations and is committed to act ethically and responsibly in respect of these Personal Data and always to provide a high degree of confidentiality and security.

To demonstrate these commitments, TIFA Research adheres to the principles relating to the processing of Personal Data found in the DPA which are themselves an embodiment of the OECD principles. TIFA Research respects the following principles, which are explained in more detail, concerning Personal Data. Personal Data will be:

• Processed fairly and lawfully.
• Processed for limited purposes and in an appropriate way.
• Adequate, relevant and not excessive for the purpose.
• Accurate.
• Not kept longer than necessary for the purpose.
• Processed in line with Data Subjects' rights.
• Secure.
• Not transferred to people or organizations situated in other countries without adequate protection and consent.

4.1. Lawfulness, Fairness and Transparency

Personal Data must be processed and collected lawfully, fairly and in a transparent manner in relation to the Data Subject. Furthermore, Data Subjects must be informed of how his/her data is being handled, usually in the form of a privacy policy or terms and conditions. In general, Personal Data must be collected directly from the individual concerned. Where this is not the case, the legal basis on which the processing is nevertheless justified must be documented. The DPO must be consulted on whether a Data Protection Impact Assessment (DPIA) must be conducted.

4.2. Purpose Limitation

Personal Data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Subsequent changes to the purpose are only allowed to a limited extent and require substantiation and validation. The DPO must be consulted on whether a DPIA must be conducted.

4.3. Data Minimization

Personal Data must be adequate, relevant, and limited to what is necessary in relation to the purpose for which they are processed. It must be determined whether and to what extent the collection and processing of Personal Data is necessary to achieve the purpose for which the processing is undertaken. Where the purpose allows and where the expense involved is in proportion to the risks to Data Subjects, anonymized data must be used instead of Personal Data.

4.4. Accuracy

Personal Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard for the purpose for which they are processed, are erased, or rectified without delay.

4.5. Storage Limitation

Personal Data must not be retained in a form which permits identification of Data Subjects for longer than is necessary for the purpose for which the Personal Data are processed. TIFA Research will not keep Personal Data longer than is necessary for the purpose or purposes for which they were collected. TIFA Research will take all reasonable steps to destroy, or erase from its systems, all Personal Data which is no longer required. This does not apply to anonymized data.

Whilst TIFA Research has contractual agreements with data controllers about the maximum retention periods for Personal Data, it is also TIFA Research’s policy to reduce such retention periods whenever possible, either by deleting or anonymizing the relevant Personal Data.

4.6. Integrity and Confidentiality

Personal Data must be processed in a manner that ensures appropriate security of the Personal Data from being revealed, disseminated, accessed, or manipulated. Therefore, where methodologically possible and the expense is not disproportionate to the Data Subject’s risks, Personal Data must be pseudonymized as soon as possible and be used for no other further processing – REMINDER: pseudonymized data remains and is Personal Data!

Once the purpose of the processing has been achieved; usually once quality control has been completed, the Personal Data must be anonymized.

4.7. Restriction on Transfers

Personal Data must not be transferred to other countries that do not offer an adequate level of protection. TIFA Research has introduced various measures to adduce such adequate level of protection on a general basis (see also paragraph 6 for more detail), however, various countries may have stricter, further and/or different requirements that must be adhered to.

4.8. General Measures and Considerations

Additionally, in respect of its market research business, TIFA Research complies with the ICC/ESOMAR International Code on Market, Opinion, and Social Research and Data Analytics and Esomar’s Data Protection Checklist.

5. Legal Grounds for Data Processing

TIFA Research will be collecting, processing, and using Personal Data only under the following legal bases, always provided that such legal basis exists under applicable national law. One of these legal bases is also required if the purpose of collecting, processing, and using the Personal Data is to be changed from the original purpose, unless there is clear compatibility between the original purpose and the new purpose. See also paragraph 4.2 and any potential additional compliance requirements.

5.1. Respondent Data

Respondents are the most common Data Subjects in TIFA Research’s business. Consequently, the correct treatment of their Personal Data is at the heart of TIFA Research’s business.

5.2. Consent to Data Processing

Personal Data can be processed following consent by the Data Subject. Before giving consent, the Data Subject must be informed in accordance with the transparency principle as set out under paragraph 4.1. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone surveys, consent can be given verbally. In all cases, the granting of consent must be documented.

Any consent will only be valid if it constitutes a freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which it gives a statement, by a clear affirmative action signifying agreement to the processing of the Personal Data relating to him/her.

5.3. Data Processing for a Contractual Relationship

Apart from consent, Personal Data may be processed where this is necessary in the context of a contract with such Data Subjects to fulfil the contracts relevant obligations and rights. This applies also where such processing is necessary in order to establish or terminate a contract. This applies in particular to respondents (including mystery shoppers) in the sign up to the TIFA Research panels.

Entering a contract is a form of consent.

5.4. Data Processing Pursuant to Legal Authorization

The processing of Personal Data is also permitted if legislation requests, requires, or allows this. The type and extent of data processing must be necessary for the legally authorized data processing activity and must comply with the relevant legal provisions.

5.5. Data Processing Pursuant to Legitimate Interest

Personal Data may also be processed, if it is necessary for the legitimate interests of TIFA Research and where national legislation provides for this basis (e.g. GDPR Article 6(1)(f)). The legal basis of legitimate interest for processing is not recognized in every country, and relevant national legislation will take precedence. Generally, Personal Data of children may not be processed based on legitimate interest and it does not apply to special categories of Personal Data.

In any event, Personal Data may not be processed on the basis of a legitimate interest if, in the individual case, there is evidence that the interests of the Data Subject merit protection and that this protection takes precedence. Before Personal Data is processed on the legitimate interest basis, it is necessary to undertake a legitimate interest assessment (in the form of a DPIA with a particular focus on the legitimate interest).

5.6. Processing of Special Categories of Personal Data

Special categories of Personal Data can be processed only if the law requires this or the Data Subject has given his/her explicit consent. Special categories of Personal Data can also be processed if this is mandatory for asserting, exercising, or defending legal claims. Within Kenya, special categories of Personal Data may also be processed for scientific and historical research and for statistical purposes, subject to appropriate additional measures. Before relying on these provisions, a DPIA must be conducted.

5.7. User Data and Internet

If Personal Data is collected, processed, and used on websites or in apps, the Data Subject must be informed of this in a privacy statement including, if applicable, information about cookies or similar technical measures. The privacy statement and any cookie information must be integrated so that it is easily identified, directly accessible, easily understandable, and consistently available by and for the Data Subject.

If user profiles (tracking) are created to evaluate the use of websites and apps, the Data Subjects must always be informed accordingly in the privacy statement. Tracking of Data Subjects online may only be affected, if it is permitted under national law or upon consent of the Data Subjects. Even if tracking uses a pseudonym for the Data Subject, is conducted using cookies, beacons, tags, pixels or any other tracking technique, as a minimum the Data Subject should be given the chance to opt out in the privacy statement; in respect of online audience measurement without prior opt-in.

If websites or apps can access Personal Data in an area restricted to registered users/respondents, the identification and authentication of the Data Subject must offer sufficient protection during access.

As part of TIFA Research’s commitment to adhere to the Esomar Code, the rules and requirements set out in Esomar’s other guidelines like Online Research Guideline and Guideline on Research and Data Analytics with Children, Young People, and Other Vulnerable Individuals also apply to TIFA Research as part of this Policy. Also to be considered is the additional guidance published by Esomar as part of its web-based complaints process at www.trustinresearch.org.

5.8. Personal Data Provided by Clients

Transmission of Personal Data to TIFA Research by its clients is a common occurrence. It usually happens to provide us with samples or to enhance existing samples. In respect of any Personal Data so received, TIFA Research will be the Processor and may only Process these Personal Data in accordance with the instructions agreed with or received from the client. These instructions may include restrictions on transfers to other parties (including other TIFA Research companies or suppliers) or transfers to other countries as well as specific security requirements. Any such restrictions must be complied with. It is imperative that such instructions are documented in writing and agreed before any relevant contractual arrangements are accepted by TIFA Research, to ensure that TIFA Research is actually able to comply with any such client-specific restrictions or requirements.

Irrespective of any client requirements, any Personal Data provided by a client may only be:

1. Processed for the purpose they were provided for;
2. Not be kept for longer than is required for the purpose; and
3. Subject to the same security requirements applicable to TIFA Research’s own Personal Data.

5.9. Employee Data

5.9.1. Data Processing for the Employment Relationship

In employment relationships, Personal Data can be processed if needed to initiate, carry out and terminate the employment agreement. When initiating or considering an employment relationship, the applicant’s Personal Data can be processed. If the candidate is rejected his/her data must be deleted in observance with the required retention period unless the applicant has agreed (such agreement to be documented) to remain on file for a future selection process. Consent is also needed to use the data for further application processes before sharing the application with other third parties.

In an existing employment relationship, data processing must always relate to the purpose of the employment agreement if none of the following circumstances for authorized data-processing apply.

If it should be necessary during the application procedure to collect information on an applicant from a third party, the requirements of the corresponding national laws must be observed. In cases of doubt, consent must be obtained from the Data Subjects.

There must be legal authorization to process Personal Data that is related to the employment relationship but was not originally part of performance of the employment agreement. This can include legal requirements, collective regulations with employee representatives, consent of the employee or the legitimate interest of the company.

5.9.2. Data Processing Pursuant to Legal Authorization

Please see above at paragraph 5.4 for the further requirements. This typically relates to tax reporting or other statutory reporting requirements.

5.9.3. Collective Agreements on Data Processing

If a data processing activity exceeds the purposes for fulfilling a contract, it may be permissible if authorized through a collective agreement between the employer and employee representatives, within the scope allowed under the relevant employment law.

The agreements must cover the specific purpose of the intended further data-processing activity and must be drawn up within the parameters of national data protection and employment legislation.

5.9.4. Consent to Data Processing

Employee data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. Within Kenya, consent generally does not constitute a valid legal basis for the processing in the employment context as there is a legal presumption that such consent was not submitted voluntarily, and any processing will have to rely on one of the other legal bases available. Involuntary consent is void to the extent that consent is a valid basis for processing. In any event consent can normally be withdrawn, thereby preventing any further processing, making another legal basis preferable in any event.

5.9.5. Data Processing Pursuant to Legitimate Interest

Personal Data may also be processed if it is necessary to enforce a legitimate interest of TIFA Research, provided the applicable law allows for the processing of Personal Data based on a legitimate interest. Within the employment context, legitimate interests are generally of a legal or financial nature.

Monitoring, control or supervisory measures that require processing of employee data may only be taken if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measures must also be assessed before such measures are applied. The justified interests of the company in applying the control measure (e.g. compliance with internal company rules or security interests) must be weighed against any privacy interest that the employees affected by the measure may have meriting protection and the measure cannot be performed unless found to be appropriate. The legitimate interests of the company and any interests of the employee meriting protection must be identified and documented before any measures are taken by undertaking a legitimate interest assessment (in the form of a DPIA with a particular focus on the legitimate interest). Moreover, any additional requirements under national law (e.g. works councils, rights of co-determination for the employee representatives and information rights of the Data Subjects) must be taken into account.

5.9.6. Processing of Special Categories of Personal Data

Special categories of Personal Data can be processed only if the law requires this or the Data Subjects has given his/her explicit consent. These data can also be processed if it is mandatory for asserting, exercising or defending legal claims.

5.9.7. Automated Decisions

If Personal Data is processed automatically as part of the employment relationship and specific personal details are evaluated for decision making (e.g. as part of personnel selection process or the evaluation of scores), this automatic processing cannot be the sole basis for decisions that would have negative consequences or have significant implications for the affected employee. To avoid erroneous decisions, the automated process must ensure that a natural person evaluate the content of the situation, and that this evaluation is the basis for the decision. The Data Subjects must also be informed of the facts and results of automated decisions and given the possibility to respond.

5.9.8. Telecommunications and Internet

Telephone equipment, email addresses, intranet and Internet along with internal social networks are provided by TIFA Research primarily for work-related assignments. They are a tool and a company resource. They can be used within the applicable legal regulations and internal company policies, in particular the Information Security Policy. In the event of authorized use for private purposes, the law on secrecy of telecommunications in the relevant national telecommunication laws must be observed, if applicable.

TIFA Research is utilizing web-filtering technology and other defensive technologies for ensuring compliance with its Acceptable Use Policy, internet traffic measurement and analysis, other legal compliance obligations and to defend against attacks on the IT infrastructure or individual users.

Protective measures can be implemented for the connections to the TIFA Research network that block technically harmful content and for analyzing the attack patterns. For security reasons, the use of telephone equipment, email addresses, the intranet/Internet and internal social networks can be locked permanently or on a temporary basis for individual addresses/locations or connection types. Evaluations of this data from a specific person can be made only in a concrete, justified case of suspected violations of law or policies of the TIFA Research or an immediate threat to the IT infrastructure and has to be authorized by any of the persons who may authorize a “legal hold”. The relevant national laws must be observed in the same manner as the group regulations.

5.10. Marketing Contacts

Generally, marketing contacts are no different than respondents in respect of the privacy protections accorded to them. Their contact details constitute Personal Data, even if they are business related. Only if the contact details are truly generic like “contact@acme.com”, will they not fall under this Policy.

Marketing communications are often subject to specific legal requirements, particularly if they are sent electronically or made by phone.

It has to be assumed, that marketing contacts have not requested the marketing materials. In other words, the recipients have not requested to receive marketing communications from TIFA Research. To proceed legally, the conditions concerning legal basis, in particular, consent requirements set out in paragraph 1 apply here as well.

Exceptionally a 'soft opt-in' can be applied, if the below conditions are met:

• where the Data Subject’s details were obtained in the course of a sale or negotiations for a sale of TIFA Research services;
• where the messages are only marketing similar services;
• where the person is given a simple opportunity to refuse marketing when their details are collected; and at the time of the first marketing communication the right to object is brought to the explicit attention, presented clearly and separate from other information, and they are given a simple way to do so in all future messages.

6. Transmission of Personal Data

Transmission of Personal Data to recipients outside or inside TIFA Research is subject to the authorization requirements for processing Personal Data under paragraph 4.7 Restriction on Transfers. The data recipient (be this another TIFA Research company or any supplier) must be required to use the data only for the defined purposes. For external transfers to suppliers, the requirements of this paragraph and those of paragraph 7 Outsourced/Third Party Data Processing apply cumulative.

If Personal Data is transmitted to a recipient outside the TIFA Research, this recipient must agree in writing to maintain a data protection level equivalent to this Data Protection Policy or as required under applicable law. For example, the DPA stipulates various requirements that must be complied with, before any transfer may occur. This does not apply if transmission is based on a legal obligation. A legal obligation of this kind can be based on the laws of the domiciliary country of the company transmitting the data. In the alternative, the laws of the domiciliary country of the company may acknowledge the purpose of data transmission based on the legal obligations of a third country.

Where Personal Data is transmitted by a third party (like a sample supplier) to TIFA Research, it must be ensured that the Personal Data can be used for the intended purpose.

If Personal Data is transferred from a TIFA Research company with its registered office in one country to a TIFA Research company with its registered office in another country, the company importing the data is obligated to cooperate with the enquiries made by the relevant supervisory authority in the country in which the party exporting the data has its registered office and to comply with any observations made by the supervisory authority with regard to the processing of the transmitted data.

If a Data Subject claims that this Data Protection Policy has been breached by a TIFA Research company located in another country that is importing the data, the TIFA Research company that is exporting the Personal Data undertakes to support the Data Subject concerned, in establishing the facts of the matter and also asserting his/her rights in accordance with this Data Protection Policy against the TIFA Research company importing the data. In addition, the Data Subject is also entitled to assert his or her rights against the TIFA Research company exporting the data. In the event of claims of a violation, it is the exporting company’s obligation to demonstrate to the Data Subjects that the company importing the Personal Data did not violate this Data Protection Policy

Each TIFA Research company transmitting Personal Data to a TIFA Research company located in another country, shall remain liable for any violations of this Data Protection Policy committed by the TIFA Research company that received the Personal Data, as if the violation had been committed by the TIFA Research company transmitting the Personal Data.

7. Outsourced/Third Party Data Processing

In many cases TIFA Research is using external suppliers/providers to process Personal Data. In these cases, an agreement on data processing on behalf of TIFA Research must be concluded with such provider/supplier. This can be done either by way of including appropriate provisions in the agreement governing the overall relationship with the provider/supplier or in a separate and specific document. In respect of processing on behalf of TIFA Research, the provider/supplier may only process the Personal Data as per the written instructions from TIFA Research. When instructing a provider/supplier, the following requirements must be complied with:

• Where the Personal Data in question fall under paragraph 5.8 (client data), any relevant client requirements need to be passed down to the provider/supplier.
• The provider/supplier must be chosen based on its ability to cover the required technical and organizational protective measures and in line with TIFA Research supplier approval process.
• The provider/supplier must not subcontract the processing further without TIFA Research’s prior written consent.
• The instructions must be in writing by way of an appropriate contract. The instructions on data processing and the responsibilities of TIFA Research and provider/supplier must be documented.
• Before the data processing begins, TIFA Research must be confident that the provider/supplier will comply with its duties. A provider/supplier can document its compliance with data security requirements in particular by presenting suitable certification(s). Depending on the risks of the data processing, the reviews must be repeated on a regular basis during the term of the contract. TIFA Research should retain the right to audit the provider’s/supplier’s compliance.

In the event of cross-border contract data processing, the relevant national requirements for transferring Personal Data abroad must be met. In particular, the Personal Data from the Kenya can be processed in a third country only if the provider/supplier can prove that it has a data protection standard equivalent to the DPA and this Data Protection Policy. Suitable tools can be:

• an agreement based on EU standard contract clauses for contract data processing in third countries with the provider. Similar agreements will be required for any subcontractor of the provider/supplier.
• Participation of the provider/supplier in a certification system accredited by the EU for the provision of a sufficient data protection level.

8. Rights of the Data Subject

Every Data Subject has the rights set out in this Section, whether they are provided for under applicable legislation or not. This obviously does not affect any further or extensive rights Data Subject might enjoy under national legislation, including DPA. Their request pursuant to these rights is to be handled immediately by the relevant TIFA Research company and may not result in any disadvantage to the Data Subject. Where the relevant Personal Data is being processed by TIFA Research under paragraph 5.2 Personal Data Provided by Clients, the relevant client contract must be consulted in respect of any process to be followed and the client has to be informed about such request immediately.

Right of access:

• The Data Subjects may request information on which Personal Data relating to him/her has been stored, how the data was collected and for what purpose.
• If Personal Data is transmitted to third parties, information must be given about the identity of the recipient or the categories of recipients, including other TIFA Research companies.

Right to rectification:

If Personal Data is incorrect or incomplete, the Data Subject can demand that it is corrected or supplemented.

Right to withdraw consent:

Where the Personal Data is processed on the basis of consent, the Data Subject can object to the processing at any time. These Personal Data must be blocked from the processing that it has been objected to.

Right to erasure:

The Data Subject may request his or her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.

Right to object:

The Data Subject generally has a right to object to his/her data being processed and this must be taken into account if the protection of his/her interest takes precedence over the interests of the data controller owing to the particular personal situation. This does not apply, if a legal provision requires that the Personal Data is to be processed.

The Data Subject has the right to request that the Personal Data held by TIFA Research is provided to him/her and be made available to such Data Subject in an easily readable format, like a Word or Excel document.