Data Privacy Policy

As a business, The Pacesetters Leadership Center takes its responsibility regarding the management of our people data very seriously. This policy sets out how the business manages those responsibilities.

The Pacesetters Leadership Center obtains, uses, stores and otherwise processes personal data relating to its people such as potential and current team members, former team members, current and former workers, contractors, website users and contacts, collectively referred to in this policy as data subjects.

As a business, when processing personal data, The Pacesetters Leadership Center is obliged to fulfil individuals’ reasonable expectations of privacy by complying with the GDPR, Kenyan Data Protection laws and other relevant data protection legislation.

This policy therefore seeks to ensure that we:
  1. are clear about how personal data must be processed and The Pacesetters Leadership Center’s expectations for all those who process personal data on its behalf;
  2. comply with existing data protection laws and good practice;
  3. protect The Pacesetters Leadership Center’s reputation by ensuring the personal data entrusted to us is processed in accordance with data subjects’ rights;
  4. protect The Pacesetters Leadership Center from risks of personal data breaches and other breaches of data protection law.

Definition of Key Terms
Consent: agreement which must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data relating to them.

Data Controller: the person or organisation that determines when, why and how to process personal data. The Data Controller is responsible for establishing practices and policies in accordance with the GDPR. The Chief Executive of The Pacesetters Leadership Center is the Data Controller of all personal data relating to it and used in facilitating market systems development, conducting research and all other purposes connected with its business purposes.

Data Processing: any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.

Data Protection Officer (DPO): the person appointed as such under the GDPR and in accordance with its requirements. A DPO is responsible for advising the business (including its team members) on their obligations under various data protection laws, for monitoring compliance with data protection law, as well as The Pacesetters Leadership Center’s policies, and providing advice.

Data Subject: a living, identified or identifiable individual about whom we hold personal data.

Personal Data: any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

Personal Data Breach: any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data, where that breach results in a risk to the data subject. It can be an act or omission.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of automated processing.

Scope of this Policy
This policy applies to all personal data we process regardless of the location where that personal data is stored (e.g. on a team member’s own device, The Pacesetters Leadership Center servers, The Pacesetters Leadership Center website, etc.) and regardless of the data subject. All team members and others processing personal data on The Pacesetters Leadership Center’s behalf must read it. A failure to comply with this policy may result in disciplinary action.

The Pacesetters Leadership Center team, in consultation with the Telecoms, Media & Technology provider, is responsible for ensuring that all team members within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance.

The Pacesetters Leadership Center’s Chief Executive Officer is responsible for overseeing this policy.

Why do we process personal information?
We may collect and use your personal data if it is necessary for our legitimate interest and so long as its use is fair, balanced and does not unduly impact your rights. For example, to process a team member’s application, for research purposes, for registration into our products, etc.

We may collect and use your personal information with your consent. For example, to send you marketing emails, to take and use your photograph, to collect relevant medical information. You can withdraw consent for this at any time.

We may also collect and use personal information as required to fulfil our legal obligations as a registered business and employer.

Usually we will only process sensitive personal data if we have your explicit consent. In extreme situations, we may share your personal details with the emergency services if we believe it is in your ‘vital interests’ to do so. For example, if someone is taken ill while on duty or during one of our events.

How do we collect personal information?
We collect and use personal information about:
  • Strategic partners
  • Market actors
  • Clients
  • Individuals from organisations we work with
  • Team members
  • Job applicants
  • Volunteers
  • Interns
  • Researchers
  • Consultants
  • Suppliers
  • Service providers
  • Tenants
  • Participants
  • Website visitors, among others

We may collect information about you from different sources, for example:
From you directly when you:
  • Apply to work with us
  • Receive support from us
  • Register for or at one of our events and products
  • Complete a survey
  • Apply to work or volunteer with us
  • Subscribe for updates via our website
  • From other people who think that you may be interested in collaborating in our work
  • From the public domain when we think that our interests may overlap
  • From you when you make an application to work for us, or from third parties such as your previous or current employers so we can verify details about you
  • From external sources such as publications and works, patents and clinical trials, external reviewers or advisors
  • From CVs provided to us in our applications

What personal information do we use?
We only collect personal information that we genuinely need. This may include:
  • Contact details such as name, address, email address and phone numbers
  • Nationality
  • Date of birth
  • Gender
  • Qualifications
  • Interests
  • Dietary requirements (where this may be required for catering purposes)
  • Payment/Bank account details
  • National ID and Passport information
  • Photographs and video recordings
  • Tax and residency status for statutory requirements

Personal Data Protection Principles
When we process personal data, we are guided by the following principles which are set out in the GDPR and Kenya’s Data Protection Bill 2018. The Pacesetters Leadership Center is responsible for, and must be able to demonstrate compliance with, the data protection principles listed below:
  • Fairness and lawfulness: When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal and fair manner.
  • Restriction to a specific purpose: Personal data can be processed only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.
  • Transparency: The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be aware of, or informed of:
  1. The identity of the Data Controller
  2. The purpose of data processing
  3. Third parties or categories of third parties to whom the data might be transmitted, if any

  • Data reduction and data economy: Before processing personal data, we will determine whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymised or statistical data must be used. Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by national law.
  • Deletion: Personal data that is no longer needed after the expiration of legal or business process-related periods must be deleted. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.
  • Factual accuracy; up-to-date data: Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.
  • Confidentiality and data security: Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organisational and technical measures to prevent unauthorised access, illegal processing or distribution, as well as accidental loss, modification or destruction.

Rights of the Data Subject
Every data subject has the following rights. Their assertion is to be handled immediately by the responsible person and cannot pose any disadvantage to the data subject.
  1. The data subject may request information on which personal data relating to him/her has been stored, how the data was collected, and for what purpose. If there are further rights to view the team member’s documents for the contractual relationship under the relevant employment laws, these will remain unaffected.
  2. If personal data is transmitted to third parties, information must be given about the identity of the recipient or the categories of recipients.
  3. If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
  4. The data subject can object to the processing of his or her data for purposes of advertising or market/opinion research. The data must be blocked from these types of use.
  5. The data subject may request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
  6. The data subject generally has a right to object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.

Data Responsibilities
  • Organisational responsibilities: As the Data Controller, The Pacesetters Leadership Center is responsible for establishing policies and procedures in order to comply with the relevant and applicable data protection law(s).
  • Data Protection Officer responsibilities: The DPO is responsible for:
  1. advising The Pacesetters Leadership Center and its team of its obligations under relevant data protection laws and regulations
  2. monitoring compliance with this policy and other relevant data protection law, The Pacesetters Leadership Center’s policies with respect to this, and monitoring training and audit activities that relate to data protection compliance
  3. providing advice where requested on data protection impact assessments
  4. having due regard, in the performance of his or her tasks, to the risk associated with processing operations, considering the nature, scope, context and purposes of processing
  • Team responsibilities: Team members who process personal data about current and previous team members, applicants, interns, volunteers, or any other individual must comply with the requirements of this policy. Team members must ensure that:
  1. all personal data is kept securely;
  2. no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
  3. personal data is kept in accordance with The Pacesetters Leadership Center’s data retention schedule;
  4. any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Protection Officer;
  5. any data protection breaches are swiftly brought to the attention of the Chief Executive Officer, and that they support the team in resolving breaches;
  6. where there is uncertainty around a data protection matter advice is sought from the Telecoms, Media & Technology Compliance team and the Data Protection Officer.

Where team members are responsible for supervising external consultants doing work which involves the processing of personal information (for example in mentoring, research projects), they must ensure that they are aware of the organisational Data Protection principles.

Team members who are unsure about who are the authorised third parties to whom they can legitimately disclose personal data should seek advice from the Chief Executive Officer or the Data Protection Officer.

  • Third-Party Data Processors: Where external companies are used to process personal data on behalf of the organisation, responsibility for the security and appropriate use of that data remains with The Pacesetters Leadership Center.

Where a third-party data processor is used:

  1. a data processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data;
  2. reasonable steps must be taken to ensure that such security measures are in place;
  3. a written contract establishing what personal data will be processed and for what purpose must be set out;
  4. a data processing agreement must be signed by both parties.
For further guidance about the use of third-party data processors please contact the Chief Executive Officer.

  • Contractors, Short-Term and Voluntary Staff: The Pacesetters Leadership Center is responsible for the use made of personal data by anyone working on its behalf. Anyone who engages contractors, short-term or voluntary team members must ensure that they are appropriately vetted for the data they will be processing. In addition, team leaders should ensure that:
  1. any personal data collected or processed in the course of work undertaken for The Pacesetters Leadership Center is kept securely and confidentially;
  2. all personal data is returned to The Pacesetters Leadership Center upon completion of the work, including any copies that may have been made. Alternatively, that the data is securely destroyed and The Pacesetters Leadership Center receives written notification in this regard from the contractor or short-term/voluntary team member;
  3. all practical and reasonable steps are taken to ensure that any personal data made available by The Pacesetters Leadership Center, or collected in the course of the work, is stored and processed safely;
  4. all practical and reasonable steps are taken to ensure that contractors, short-term or voluntary team members do not have access to any personal data beyond what is essential for the work to be carried out properly;
  5. The Pacesetters Leadership Center receives prior notification of any disclosure of personal data to any other organisation or any person who is not a direct employee of the contractor.

How we use personal information
We will only use your personal information for the purpose for which it was provided to us and in ways that you would reasonably expect.

Partnership agreements with organisations and individuals
We collect and use personal information from organisations and individuals who:
  • Are interested in applying to work with us
  • Enter into a strategic partnership with us.

We process this personal information to pursue our legitimate interests (and your interests as an applicant) and fulfil our strategic aims. The prime use of the personal information is to maintain compliance in the course of our relationship.

When legally obliged, we may share our strategic partners’ personal information with relevant statutory bodies as required.
We may need to share your contact details with suppliers.

Raising awareness of our work
If you opt in to our mailing list we will use the information that you provide to email you information about our work, products and services, events, campaigns and other items of interest. You can opt out or unsubscribe from receiving this information at any time if you wish. Our legal basis for using your personal information in this way is your consent.

Photographs and recordings
We use photographs and recordings to promote The Pacesetters Leadership Center and the work that we do. These can be used in the form of reports, news, stories, documentation of impact stories, information in our annual reports on our website, and other such materials that seek to explain or promote our work.
We take photographs and recordings of people who agree to be the subject during our documentation endeavours in accordance with our Terms and Conditions of Use. Our legal basis for using personal information for this purpose is consent.

Research and Surveys
If you choose to take part in one of our research projects or surveys, we will use the personal information that you provide to process the results of the survey and undertake relevant analysis. We will not share the personal information that you provide in a survey with any other organisations, unless consent is first sought for this. Survey results will be anonymised before being shared or published. Our legal basis for using the personal information that you choose to provide to us in a survey is legitimate interest and consent.

Travel arrangements
We will use the personal information you provide, including passport information, when making travel arrangements for team members, consultants, strategic partners and any other relevant person. We may share some of this information with our insurance company and travel agents. Our legal basis for processing this personal information is legitimate interest. We will obtain your consent when collecting and using information relating to your health.

Team member, intern and volunteer recruitment
If you provide us with information about yourself, such as a resume or curriculum vitae, in connection with a job or volunteer application or enquiry, we may use this information to process your enquiry. We will not store this information for any purpose other than that relating to your application. Our legal basis for using your information in this way is for our legitimate interest.

Payment Processing
We will process personal information of our team to fulfil our contract with them. This includes providing payment processing details and the provision of training as and when required by public and statutory bodies. We process personal information to fulfil our contracts and meet our legal obligations as a contractor. This should be done in strict confidentiality at all times.

Processing expenses and honoraria
If you claim expenses from The Pacesetters Leadership Center or if we are required to pay you an honorarium, we will use your personal information, including your bank account details, to process your claim. Our legal basis for using your information for this is legitimate interest.

Governance
We process relevant personal information about existing and potential Advisors and committee members for governance purposes.
We may undertake necessary checks to identify any criminal and other activity we need to be aware of. We will do this with your consent.
We will share some personal information with the relevant regulatory authorities to meet our legal obligations, both within and outside the country.

Health and safety
We are legally obliged to collect personal information of team members, volunteers, and interns, for health and safety purposes. We may be required to share some of this information with contractors such as insurance providers.

Volunteers and Interns
We will process your personal information if you choose to volunteer or undertake an internship opportunity with us. We will keep a record of your contact details, experience and qualifications. Our legal basis for using your information in this way is for our legitimate interest. It may also be necessary to run checks to identify any activities we need to be aware of; we will seek your consent before doing so.

Service Providers and Suppliers
We will use the personal information of service providers and suppliers’ contacts to pay and communicate with them. Our legal basis for using your personal information in this way is for the performance of a contract.

Complaints and general inquiries
If a complaint is raised with us, we will process the personal information that is provided to us to manage and resolve the complaint. Our legal basis for using personal information for this purpose is legitimate interest.

Cookies and aggregate information
We may use cookies and log files on our website to store information about how you use our website using Google Analytics. A cookie is a piece of data stored on the user’s computer tied to information about the user. This information may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. This enables us to analyse the use of our website and services. 

We may also create a profile which details your viewing preferences. We use your profile to tailor your visit to our website, to make navigation easier and direct you to information that best corresponds to your interests and country.
The legal basis for this processing is our legitimate interests, monitoring and improving our website and services. Please see our cookie statement for more information.

Sharing personal information
We will not sell or exchange your personal information.
We will only share your personal information where this is required to fulfil our contract with you or is in our legitimate interest, where we have your consent, or where we are required to do so by law.

We may share your personal information with third party organisations who will process it on our behalf, for example a mailing house, our website administrator or printers. Everything an external service provider does is strictly governed by a contract. In addition, before we share any information with those service providers, we will put in place a signed data processing agreement which confirms that the personal information we provide will only be used for the purposes we specify and will be processed in line with data protection legislation.

We may also share your information with our bank to process a payment; our professional advisers (such as our legal advisers, accountant, auditor) where it is necessary to obtain their advice; our operations oversight; our pension provider; our insurance provider; and our telecoms, media & technology provider and data storage providers.
Where required, we will process personal information to comply with our legal obligations. In this respect we may use your personal data to comply with subject access requests; tax legislation; for the prevention and detection of crime; and to assist the police and other competent authorities with investigations including criminal and safeguarding investigations.

Confidentiality of Data Processing
Personal data is subject to data secrecy. Any unauthorised collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by a team member that he/she has not been authorised to carry out as part of his/her legitimate duties is unauthorised. The “need to know” principle applies. Team members may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.

Team members are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorised persons, or to make it available in any other way. Team leaders must inform team members at the start of the contractual relationship about the obligation to protect data secrecy. This obligation shall remain in force even after employment has ended.

Data Processing Security
Personal data must be safeguarded from unauthorised access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organisational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data (determined by the process for information classification).

In particular, the responsible department or team members can consult with The Pacesetters Leadership Center’s Chief Executive Officer. The technical and organisational measures for protecting personal data are part of our data security management and must be adjusted continuously to the technical developments and organisational changes.

For how long do we keep your personal information?
We will hold your personal information for as long as is necessary. We will not retain your personal information if it is no longer required. In some circumstances, we may legally be required to retain your personal information, for example for finance, employment or audit purposes.

Changes to this policy
This Data Protection and Privacy Policy may change from time to time.