REGISTRATION FOR DATA CONTROLLERS AND DATA PROCESSORS:
ADBUD TECH LTD DATA PROTECTION POLICY
Preamble
In 2019 Kenya enacted the Data Protection Act (DPA). The DPA and its Regulations seek to protect the privacy of individuals by enforcing responsible processing of personal data. This includes embedding principles of lawful processing, minimising the collection of data, ensuring the accuracy of data and adopting appropriate security safeguards to ensure the protection of personal data. This Data Protection Policy provides guidance on how Adbud Tech Ltd will handle the Personal Data it collects, in compliance with the DPA.
Definitions and Interpretations
“Automated Decision-Making (ADM)” refers to when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual
“Automated Processing” refers to any form of automated processing, i.e. processing without any human involvement, of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual
“Company Personnel” refers to all employees, workers, contractors, agency workers, consultants, directors, members and others
“Consent” means an agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement, or by a clear positive action, signify agreement to the Processing of Personal Data relating to them
“Data Controller” means a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purpose and means of the processing of Personal Data
“Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller
“Data Subject” means an identified or identifiable natural person who is the subject of Personal Data
“Data Privacy Impact Assessment” refers to tools and assessments used to identify and reduce risks of a data processing activity in accordance with section 31 of the DPA. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the Processing of Personal Data
“Data Protection Officer” means the appointed data protection officer of the Data Controller, being Professor Nicholas N Kimani, PhD Advocate
“DPA” means the Data Protection Act, 2019
“Personal Data” refers to any information relating to an identified or identifiable natural person
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
“Policy” means this Data Protection Policy
“Privacy by Design” means implementing the data protection principles and appropriate technical and organisational measures in an effective manner to ensure compliance with the DPA
“Privacy Guidelines” means the Company’s privacy and DPA-related guidelines provided to assist in interpreting and implementing this Data Protection Policy and Related Policies, available on the Intranet, from the Line Manager, or from the DPO
“Privacy Notices” refer to separate notices setting out information that may be provided to Data Subjects when the Company collects information about them. These notices may take the form of:
- general privacy statements applicable to a specific group of individuals (for example employee privacy notices, or the website privacy notice);
- stand-alone, one-time privacy statements covering Processing related to a specific notice
“Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as:
- collection, recording, organisation, structuring;
- storage, adaptation or alteration;
- retrieval, consultation or use;
- disclosure by transmission, dissemination or otherwise making available; or
- alignment or combination, restriction, erasure or destruction
“Pseudonymisation or Pseudonymised” means the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific data subject without the use of additional information, and such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person
“Related Policies” refer to the Company’s policies, operating procedures or processes related to the Data Protection Policy and designed to protect Personal Data, available on the Website or Intranet, from Line Managers, or from the DPO
“Sensitive Personal Data” means the natural person’s race, health status, ethnic, social origin, conscience, belief, genetic data, biometric data, property details, marital status, family detail including names of the person’s children, parent, spouse or spouses, sex or the sexual orientation of the data subject
3 Introduction
3.1 This Data Protection Policy sets out how We, Adbud Tech Ltd, handle the Personal Data of our customers, prospective customers, suppliers, employees, workers, business contacts and other Third Parties
3.2 This Data Protection Policy applies to all Personal Data we process regardless of the media on which that data is stored or whether it relates to past or present employees, workers, clients, supplier contacts, shareholders, website users, or any other Data Subject
3.3 This Data Protection Policy applies to all Company Personnel (‘you’, ‘your’). You must read, understand, and comply with this Data Protection Policy when Processing Personal Data on our behalf and attend training on its requirements. Data Protection is the responsibility of everyone within the Company and this Data Protection Policy sets out what we expect from you when handling Personal Data to enable the Company to comply with applicable law. Your compliance with this Data Protection Policy is mandatory. Related Policies and Privacy Guidelines are available to help you interpret and act in accordance with this Data Protection Policy. You must also comply with all those Related Policies and Privacy Guidelines. Any breach of this Data Protection Policy may result in disciplinary action.
3.4 When you have a specific responsibility in connection with Processing, such as capturing consent, reporting a Personal Data Breach or conducting a DPIA as referenced in this Data Protection Policy or otherwise, then you must comply with the Related Policies and Privacy Guidelines.
3.5 This Data Protection Policy (together with related policies and privacy guidelines) is an internal document and cannot be shared with third parties, clients or regulators without prior authorisation from the DPO
4 Scope of Policy
4.1 We recognise that the correct and lawful treatment of Personal Data will maintain trust and confidence in the organisation and will provide for successful business operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. The Company is exposed to potential fines for failure to comply with the DPA and its Regulations
4.2 All line managers, departments, individual business areas and other responsible parties are responsible for ensuring all Company Personnel comply with this Data Protection Policy, and need to implement appropriate practices, processes, controls, and training to ensure that compliance
4.3 The DPO is responsible for overseeing this Data Protection Policy and, as applicable, developing Related Policies and Privacy Guidelines. That post is held by Professor Nicholas Kimani, PhD Advocate, legal@adbud.tech; +254700161401
4.4 Please contact the DPO with any questions about the operation of this Data Protection Policy or the DPA, or if you have any concerns that this Data Protection Policy is not being or has not been followed. In particular, you must always contact the DPO in the following circumstances:
- a) if you are unsure of the lawful basis on which you are relying to process Personal Data (including the legitimate interests of the Company);
- b) if you need to rely on Consent or need to capture Explicit Consent;
- c) if you need to draft Privacy Notices;
- d) if you are unsure about the retention period for the Personal Data being Processed;
- e) if you are unsure what security or other measures you need to implement to protect Personal Data;
- f) if there has been a Personal Data Breach;
- g) if you are unsure on what basis to transfer Personal Data outside Kenya;
- h) if you need any assistance dealing with any rights invoked by a Data Subject;
- i) whenever you are engaging in a significant new, or change in, Processing activity which is likely to require a DPIA or plan to use Personal Data for purposes other than for which it was collected;
- j) if you plan to undertake any activities involving Automated Processing including profiling or Automated Decision-making;
- k) if you need help complying with applicable law when carrying out direct marketing activities; or
- l) if you need help with any contracts or other areas in relation to sharing Personal Data with third parties (including our vendors)
5 Personal data protection principles
5.1 We adhere to the principles relating to the Processing of Personal Data set out in the DPA which require Personal Data to be:
- a) processed in accordance with the right to privacy of the Data Subject (right to privacy);
- b) processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
- c) collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (purpose limitation);
- d) adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (data minimisation);
- e) collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
- f) accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay (accuracy);
- g) kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the data is Processed (storage limitation);
- h) processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (security, integrity and confidentiality);
- i) not transferred outside Kenya unless there is proof of adequate data protection safeguards in place or consent from the Data Subject (transfer limitation); and
- j) made available to Data Subjects, allowing Data Subjects to exercise certain rights in relation to their Personal Data (data subject’s rights and requests).
5.2 We are responsible for and must be able to demonstrate compliance with the data protection principles listed above
6 Lawfulness, fairness and transparency in processing of Data
6.1 Personal data must be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject
6.2 You may only collect, Process and share Personal Data fairly and lawfully and for specified purposes. The DPA restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent Processing but ensure that we Process Personal Data lawfully and fairly and without adversely affecting the Data subject
6.3 The DPA allows Processing for specific purposes, some of which are set out below:
- a) the Data Subject has given their Consent;
- b) the Processing is necessary for the performance of a contract with the Data Subject;
- c) for us to be able to comply with our legal compliance obligations and exercise specific rights of the Company or of the Data Subject;
- d) to protect the Data Subject’s vital interests;
- e) to pursue our legitimate interests (or those of a third party) for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects. The purposes for which we process Personal Data for legitimate interests need to be set out in applicable Privacy Notices; or
- f) to establish, exercise or defend a legal claim
6.4 You must identify and document the legal ground being relied on for each Processing activity in accordance with the Company’s guidelines on the Lawful Basis for Processing Personal Data.
7 Consent
7.1 A Data Controller or Data Processor must only process Personal Data on one or more of the lawful bases set out in the DPA, which include Consent.
7.2 A Data Subject consents to Processing of their Personal Data if they clearly indicate agreement to the Processing. Consent requires affirmative action, so silence or inactivity will not be sufficient to indicate consent. If Consent is given in a document which deals with other matters, then the Consent must be kept separate from those other matters.
7.3 A Data Subject must be easily able to withdraw Consent to Processing at any time and withdrawal must be promptly honoured. Consent may need to be refreshed if you intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first consented.
7.4 When processing Sensitive Personal Data we will usually rely on a legal basis for processing other than Consent, or on explicit Consent where possible.
7.5 You will need to evidence Consent captured and keep a record of all Consents in accordance with Related Policies and Privacy Guidelines, so that the Company can demonstrate compliance with Consent requirements.
8 Transparency (notifying Data Subjects)
8.1 The DPA requires a Data Controller to provide detailed, specific information to a Data Subject depending on whether the information was collected directly from the Data Subject or from elsewhere. The information must be provided through an appropriate Privacy Notice which must be concise, transparent, intelligible, easily accessible and in clear and plain language so that a Data Subject can easily understand it.
8.2 Whenever we collect Personal Data directly from a Data Subject, including for HR or employment purposes, we must provide the Data Subject with all the information required by the DPA, including the identity of the Controller and DPO, and how and why we will use, Process, disclose, protect and retain that Personal Data, through a Privacy Notice which must be presented when the Data Subject first provides the Personal Data.
8.3 When Personal Data is collected indirectly (for example, from a third party or publicly available source), we must provide the Data Subject with all the information required by the DPA as soon as possible after collecting or receiving the data. We must also check that the Personal Data was collected by the third party in accordance with the DPA and on a basis which contemplates our proposed Processing of that Personal Data.
8.4 If you are collecting Personal Data from a Data Subject, directly or indirectly, then you must provide the Data Subject with a Privacy Notice in accordance with our Related Policies and Privacy Guidelines.
9 Purpose Limitation
9.1 Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.
9.2 You cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes and they have Consented where necessary.
9.3 If you want to use Personal Data for new or different purposes from that for which it was obtained, you must first contact the DPO for advice on how to do this in compliance with both the law and this Data Protection Policy.
10 Data minimisation
10.1 Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
10.2 You may only Process Personal Data when performing your job duties requires it. You cannot Process Personal Data for any reason unrelated to your job duties.
10.3 You may only collect Personal Data that you require for your job duties; do not collect excessive data. You must ensure that any Personal Data collected is adequate and relevant for the intended purposes.
10.4 You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Company’s data retention guidelines.
11 Accuracy
11.1 Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
11.2 You must ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
12 Storage Limitation
12.1 Personal Data must not be kept in an identifiable form for longer than is necessary for the purpose for which the data is processed.
12.2 The Company will maintain retention policies and procedures to ensure Personal Data is deleted after an appropriate time, unless a law requires that data to be kept for a minimum time. You must comply with the Company’s Data Retention Policy and/or relevant provisions of the DPA.
12.3 You must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it, including for the purpose of satisfying any legal, accounting or reporting requirements.
12.4 You will take all reasonable steps to destroy, or erase from our systems, all Personal Data that we no longer require in accordance with the Company’s applicable records retention schedules and policies. This includes requiring third parties to delete that data where applicable.
12.5 You will ensure Data Subjects are provided with information about the period for which data is stored, and how that period is determined, in any applicable Privacy Notice.
13 Security Integrity and Confidentiality
13.1 Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.
13.2 We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others, and identified risks (including use of encryption and Pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure the security of our Processing of Personal Data. You are responsible for protecting the Personal Data we hold. You must implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data. You must exercise particular care in protecting Sensitive Personal Data from loss and unauthorised access, use or disclosure.
13.3 You must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. You may only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.
13.4 You must maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:
- a) Confidentiality: only people who have a need to know and are authorised to use the Personal Data can access it;
- b) Integrity: Personal Data is accurate and suitable for the purpose for which it is processed; and
- c) Availability: authorised users are able to access the Personal Data when they need it for authorised purposes.
13.5 You must comply with, and not attempt to circumvent, the administrative, physical and technical safeguards that we implement and maintain in accordance with the DPA and relevant standards to protect Personal Data.
14 Reporting a Personal Data Breach
14.1 The DPA requires Controllers to notify any Personal Data Breach to the Office of the Data Protection Commissioner (ODPC) and, in certain circumstances, the Data Subject. The DPA requires us to report any data breach to the ODPC within 72 hours of becoming aware of the breach, and to communicate to the Data Subject in writing within a reasonably practical period unless the identity of the Data Subject cannot be established.
14.2 If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the DPO. You should preserve all evidence relating to the potential Personal Data Breach.
15 Transfer of Personal Data out of Kenya
15.1 The DPA restricts data transfers out of Kenya unless such transfer meets the criteria set out within the statute, to ensure that the level of data protection afforded to individuals by the DPA is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country.
15.2 You must comply with the Company’s guidelines on cross-border data transfers.
15.3 You may only transfer Personal Data outside Kenya if one of the following conditions applies:
- a) Kenya has issued regulations confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subject’s rights and freedoms;
- b) there is proof of adequate safeguards for the security and protection of the Personal Data, and that proof has been provided to the ODPC in accordance with the DPA. Such measures include that data is transferred to jurisdictions with commensurate data protection laws;
- c) the Data Subject has provided Consent to the proposed transfer after being informed of any potential risks; or
- d) the transfer is necessary for one of the other reasons set out in the DPA, including:
  - i) the conclusion or performance of a contract between the Company and the Data Subject, or implementation of pre-contractual measures taken at the Data Subject’s request;
  - ii) the conclusion or performance of a contract concluded in the interest of the Data Subject between the Company and another person;
  - iii) reasons of public interest;
  - iv) to establish, exercise or defend legal claims;
  - v) to protect the vital interests of the Data Subject or of other persons where the Data Subject is physically or legally incapable of giving Consent;
  - vi) for compelling legitimate interests pursued by the Company which are not overridden by the interests, rights and freedoms of the Data Subjects.
16 Data Subject’s rights and requests
16.1 A Data Subject has rights when it comes to how we handle their Personal Data. These include rights to:
- a) be informed of the use to which their personal data is to be put;
- b) access their personal data in the custody of the Data Controller or Data Processor;
- c) object to the processing of all or part of their personal data;
- d) correction of false or misleading data;
- e) deletion of false or misleading data about them;
- f) withdraw Consent to Processing at any time;
- g) receive certain information about our Processing activities;
- h) prevent our use of their Personal Data for direct marketing purposes;
- i) restrict Processing in specific circumstances;
- j) request a copy of an agreement under which Personal Data is transferred outside of Kenya;
- k) object to decisions made solely on Automated Processing, including profiling;
- l) be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
- m) make a complaint to the ODPC;
- n) in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.
16.2 You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Data without proper authorisation).
16.3 You must immediately forward any Data Subject’s request you receive to the DPO and comply with the Company’s response procedures for data subject requests.
17 Accountability
17.1 The Company will implement appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles. The Company is responsible for, and must be able to demonstrate, compliance with data protection principles.
17.2 The Company must have adequate resources and controls in place to ensure and to document compliance with the DPA, including:
- a) appointing a suitably qualified DPO (where necessary) and an executive accountable for data privacy;
- b) implementing Privacy by Design when Processing Personal Data and completing DPIAs where Processing presents a high risk to the rights and freedoms of Data Subjects;
- c) integrating data protection into internal documents including this Data Protection Policy, Related Policies, Privacy Guidelines or Privacy Notices;
- d) regularly training Company Personnel on the DPA, this Data Protection Policy, Related Policies and Privacy Guidelines and data protection matters including, for example, a Data Subject’s rights, Consent, legal basis, DPIAs and Personal Data Breaches. The Company will maintain a record of training attendance by Company Personnel;
- e) regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using the results of testing to demonstrate compliance improvement efforts.
18 Record Keeping
18.1 The DPA requires us to keep full and accurate records of all our Data Processing activities.
18.2 You must keep and maintain accurate corporate records reflecting our Processing, including records of Data Subjects’ Consents and procedures for obtaining Consents.
18.3 These records should include, at a minimum:
- a) the name and contact details of the Controller Company and the DPO; and
- b) clear descriptions of:
  - the Personal Data types;
  - the Data Subject types;
  - the Processing activities;
  - the Processing purposes;
  - the third-party recipients of the Personal Data;
  - the Personal Data storage locations;
  - the Personal Data transfers;
  - the Personal Data’s retention period;
  - the security measures in place.
18.4 To create the records, data maps should be created which include the details set out above together with the appropriate data flows.
19 Training and Audit
19.1 We are required to ensure all Company Personnel have undergone adequate training to enable them to comply with data privacy laws. We must also regularly test our systems and processes to assess compliance.
19.2 You must undergo all mandatory data privacy-related training and ensure your team undergoes similar mandatory training in accordance with the Company’s mandatory training guidelines.
19.3 You must regularly review all the systems and processes under your control to ensure they comply with this Data Protection Policy, and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.
20 Privacy by Design and Data Protection Impact Assessment
20.1 We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures (like Pseudonymisation and encryption) in an effective manner, to ensure compliance with data privacy principles.
20.2 You must assess what Privacy by Design measures can be implemented on all programmes, systems or processing that Process Personal Data by taking into account the following:
- a) the state of the art;
- b) the cost of implementation;
- c) the nature, scope, context and purposes of Processing;
- d) the risks of varying likelihood and severity for the rights and freedoms of the Data Subject posed by the Processing.
20.3 The Company must also conduct a Data Protection Impact Assessment (DPIA) in respect of high-risk Processing.
20.4 You should conduct a DPIA (and discuss your findings with the DPO) when implementing major system or business change programmes involving the Processing of Personal Data, including:
- Use of new technologies (programs, systems, or processing, including the use of AI), or changing technologies (programs, systems or processes);
- Automated Processing, including profiling and ADM;
- Large-scale Processing of Sensitive Personal Data;
- Large-scale systematic monitoring of a publicly accessible area.
20.5 A DPIA must include:
- A systematic description of the envisaged Processing operations, its purposes and the Company’s legitimate interests, if appropriate;
- An assessment of the necessity and proportionality of the Processing in relation to its purpose;
- An assessment of the risks to the rights and freedoms of the Data Subjects;
- The risk mitigation and security measures in place and demonstration of compliance with the DPA.
21 Automated Processing (including profiling) and Automated Decision-Making
21.1 Generally, ADM is prohibited where a decision produces a legal or similarly significant effect on an individual, unless:
- a) the Data Subject has consented;
- b) the Processing is authorised by law to which the Company is subject and which lays down suitable measures to safeguard the Data Subject’s rights, freedoms and legitimate interests; or
- c) the Processing is necessary for the performance of, or entering into, a contract.
21.2 If a decision is to be based solely on Automated Processing (including profiling), then the Data Subject must be informed, when you first communicate with them, of their right to object. This right must be explicitly brought to their attention and presented clearly and separately from other information. Further, suitable measures must be put in place to safeguard the Data Subject’s rights and freedoms and legitimate interests.
21.3 The Company must also inform the Data Subject of the logic involved in the decision-making or profiling, the significance and the envisaged consequences, and give the Data Subject the right to request human intervention, express their point of view or challenge the decision.
21.4 A DPIA must be carried out before any Automated Processing (including profiling) or ADM activities are undertaken.
22 Direct Marketing
22.1 We are subject to certain rules and privacy laws when engaging in direct marketing to our customers and prospective customers (for example when sending marketing emails or making telephone sales calls).
22.2 For example, in a business-to-consumer context, a Data Subject’s prior consent is generally required for electronic direct marketing (for example by email, text or automated calls). The limited exception allows an organisation to send marketing texts or emails without consent if:
- has collected the personal data from the data subject;
- a data subject is notified that direct marketing is one of the purposes for which Personal Data is collected;
- the data subject has consented to the use or disclosure of the personal data for the purpose of direct marketing;
- a simplified opt-out mechanism is provided to the Data Subject to request not to receive direct marketing communications; or
- the data subject has not made a opt-out request;
22.3 The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so
that it is clearly distinguishable from other information;
22.4 A Data Subject’s objection to direct marketing must always be promptly honoured. If a customer opts out of
marketing at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future;
22.5 You must comply with the Company’s guidelines on direct marketing to customers and you should consult the
DPO if you are unsure regarding how to comply with either the Company’s guidelines or the law.
23 Sharing Personal Data
23.1 Generally, we are not allowed to share Personal Data with third parties unless certain safeguards and
contractual arrangements have been put in place;
23.2 You may only share the Personal Data we hold with another employee, agent or representative of our group
(which includes our subsidiaries and our ultimate holding company along with its subsidiaries) if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions;
23.3 You may only share the Personal Data we hold with third parties, such as our service providers, if:
- they have a need to know the information for the purposes of providing the contracted services;
- sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained;
- the third party has agreed to comply with the required data security standards, policies and procedures, and put adequate security measures in place;
- the transfer complies with any applicable cross-border transfer restrictions, and;
- a fully executed written contract that contains DPA-approved third party clauses has been obtained.
24 Review of this Data Protection Policy
24.1 We keep this Data Protection Policy under regular review. The Data Protection Officer is responsible for
ensuring that this Data Protection Policy is reviewed regularly.
24.2 This Data Protection Policy does not override any applicable national data privacy laws and regulations in
countries where the Company operates.
ADBUD TECH LTD:
PRIVACY NOTICE
Introduction
Welcome to Adbud Tech Ltd’s privacy notice. We are committed to protecting your personal data and respecting your privacy. This notice explains how we collect, use, and protect your personal information.
Information We Collect
We may collect and process the following data about you:
- Personal identification information (e.g., name, email address, phone number)
- Technical data (e.g., IP address, browser type, operating system)
- Usage data (e.g., information about how you use our website)
How We Use Your Information
We use your personal data to:
- Provide and improve our services
- Respond to your inquiries and requests
- Send you marketing communications (if you have opted in)
- Analyze website usage and improve our website
Data Sharing
We may share your personal data with:
- Service providers who assist us in operating our website and providing our services
- Legal authorities if required by law
Data Security
We implement appropriate security measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction.
Your Rights
You have the right to:
- Access your personal data
- Request correction of inaccurate data
- Request deletion of your data (under certain conditions)
- Object to the processing of your data
Cookies
Our website uses cookies to enhance your browsing experience. You can manage your cookie preferences through your browser settings.
Contact Us
If you have any questions or concerns about this privacy notice or your personal data, please contact us at info@adbud.tech, Stanley@adbud.tech, +254-723-950-092
ADBUD TECH LTD
DPO Profile
Our Data Protection Officer (DPO)
Professor Nicholas Kimani, LLB, LLM, Grad Dip (LPC), Grad Dip (KSL), PhD
He is a Business Lawyer, based in Nairobi and Pretoria, providing legal services for start-ups, local and foreign investors and non-profit entities. He has over 27 years of experience providing legal advice, as well as documentation for contracts and business legal matters. Below are some of the Data Protection Compliance Services he offers:
- Gap Analysis: identifying extent of compliance with the Data Protection Act, 2019. This exercise entails assessment of personal data-flows and data inventory management; identifying the laws and regulations applicable for the data flows; advisory and assessment of any gaps identified as necessary for compliance purposes; assessment of whether a Data Protection Impact Assessment is required;
- Remediation Measures: such as review of contractual documentation with vendors, controllers and processors, review of existing company policies and procedures, and assessment of marketing practices;
- DPO Services: including regular reviews of data compliance; strategic advisory on data protection issues; liaison with the Office of the Data Protection Commissioner;
- Data Protection Training: including training staff on compliance and best practices, including on data protection and marketing of bespoke services.
Data Subject Access Request (DSAR):
From:
[Your Name]
[Email Address]
[Phone Number]
[Date]
To:
Data Protection Officer
Adbud Tech Ltd
Legal@adbud.tech
Subject: Data Subject Access Request
Dear Sir
I am writing to formally request access to my personal data that your organization holds, in accordance with the Data Protection Act 2019.
Details of Request:
Personal Information:
Full Name: [Your Full Name]
Date of Birth: [Your Date of Birth]
Address: [Your Address]
Email Address: [Your Email Address]
Phone Number: [Your Phone Number]
Specific Information Requested:
[Specify the personal data you are requesting, e.g., employment records, medical records, etc.]
Additional Information:
[Include any additional details that may help locate your data, such as account numbers, dates, or specific interactions.]
Preferred Format:
I would prefer to receive the information in [electronic format/paper format].
Please confirm receipt of this request and provide the requested information within the statutory period of one month. If you need any further information to process this request, please let me know as soon as possible.
Thank you for your assistance.
Yours sincerely,
[Your Name]
Section 2: PERSONAL DATA
Columns: Category of Data Subjects; Description of Personal Data to be Processed; Purpose of Processing
- Category: Employees
Personal data: Name, contact details (address, phone number, email), national identification number, bank account details, emergency contact information, employment history, performance reviews.
Purpose: Payroll processing, internal communications, performance management, benefits administration.
- Category: Brand Custodian
Personal data: Company name, contact details, industry, marketing goals, budget information, website browsing behavior, social media engagement (if applicable).
Purpose: Know Your Customer (KYC) compliance, personalized marketing campaigns, product recommendations, customer interactions; client relationship management, project delivery, campaign performance reporting, survey data.
- Category: Suppliers
Personal data: Company name, contact details, financial information, product/service details.
Purpose: Contract management, order fulfilment, payment processing, vendor performance evaluation.
- Category: Data Subjects
Personal data: Website cookies, demographics (age, gender, location, if required), purchase history, product preferences, website browsing behavior, social media data (if applicable), survey data, attention, footfall, vehicle, mood (if required), start time, presence, attention.
Purpose: Personalized marketing campaigns, product recommendations, customer interactions; campaign performance reporting, survey data.
Section 3: DATA PROTECTION IMPACT ASSESSMENT: (Key Information Details)
Name of Project/System: [KCB] OOH Monitoring
Date Published: 20/12/2023
Version:
Document Type: Data Protection Impact Assessment
Document Status: (Draft/Final)
Author: Adbud Tech Limited
Owner: Adbud Tech Limited
Contact: Stanley@adbud.tech, Cyrus@adbud.tech, info@adbud.tech
Description of processing activities
- Project outline: what and why: Explain broadly what the project aims to achieve, what type of processing it involves and what will be done to the personal data?
Adbud Tech Limited has an exclusive relationship with Quividi, as their sub-data processor. Quividi is a European company based in Paris, France. Quividi’s product line includes software solutions used to detect and qualify the presence of people in front of an object of interest and, in particular, in front of screens in a Digital Signage installation. Quividi’s solution is used in public places for audience measurement, content adaptation and interactivity purposes. The solution is deployed in a variety of venues, including shopping centers, shops, agencies, services, and transportation networks. It is important to note that the audience measurement data generated by Quividi’s software solutions adhere to consumer data privacy best practices, and the software holds a GDPR certificate. Quividi’s VidiReports has been audited by German privacy specialist ePrivacy GmbH, who granted their EU ePrivacySeal to the software. This seal guarantees the compliance of Quividi’s solution with ePrivacy’s criteria catalogue, which includes the requirements imposed by the General Data Protection Regulation (GDPR).
Our software solution, Quividi’s VidiReports software, uses images from a camera sensor (usually a webcam) and a suite of proprietary real-time image processing algorithms to:
- detect the presence of human faces in the digital images provided by the camera sensor;
- estimate the time spent by a detected person in the camera sensor’s field of vision and the time spent looking at the screen;
- optionally assign a set of anonymous qualifying tags to each detected person, such as gender or age information.
Quividi’s VidiReports converts video images into a set of abstract numeric descriptors, while fully respecting privacy since:
- VidiReports does not perform face recognition but only face detection;
- image processing takes place in real time and at no point in the processing chain is the visual information stored on non-volatile memory or relayed elsewhere;
- the abstract numeric descriptors constitute aggregate anonymous data;
- multiple VidiReports installations are totally independent and do not communicate locally, thereby preventing long-range tracking of people moving about a public space.
Quividi’s solution is used in public places for audience measurement, content adaptation and interactivity purposes. The solution is deployed in a variety of venues, including shopping centers, shops, agencies, services, and transportation networks.
Audience Measurement – To assist the brand custodian in understanding the impact of their Billboard audiences in layers of granularity. e.g., Age, gender, attention, footfall, vehicle and mood. The Data that we collect is anonymized and only for reporting purposes. Our tool makes it easier for marketers to understand the performances of their communication and enhance the quality and the relevance of their billboards. It also gives the ability to support a more relevant and more contextual communication, by playing content in tune with the people in front of the screen. The solution processes images with people’s faces in it, which could be considered personal data.
The video image is cached in RAM of the player attached to screen for the time necessary for analysis and processing. This time depends on the player’s computing power, but is usually between 60 and 200 milliseconds. The images are deleted immediately after being processed. The volatile memory on which images are cached is overwritten each time a new image is received. The only data that is kept is the metadata (which is fully anonymous) produced from the image processing, which provides insights about the audience of a screen or of specific content running on that screen. The information that our software generates from processing these images is a set of metadata in the following form for each detected person:
[counter, machine ID, start time, presence, attention, distance, gender, age, mood], where:
- Counter is a consecutive number for the (qualifying) data set
- Machine ID is the identification number of the machine processing the data
- Start time is the date and time of the identification start
- Presence is the sum of the time a person spends in the camera sensor’s field of vision
- Attention is the sum of the time the viewer spends on the screen
- Distance is the person’s average distance from the object of interest (i.e. the camera sensor)
- Gender (optional) is the gender of the individual
- Age (optional) is the age of the person or the estimated age
- Mood (optional) is the person’s estimated mood from very sad to very happy
Demographic and mood information can be turned off, by the end-customer, if desired.
- What is the class of data subjects? e.g., employee data, customer data, contractor data, third party/vendor data etc.
Passers-by in front of a screen equipped with the Quividi solution
- Are there any vulnerable groups/children that form part of the data subjects?
Yes, faces of any age are classified. It is possible, if desired, to exclude metadata of minors from audience reports. This is because we observe all data protection protocols & we work on parameters set by the Brand Custodian based on the Key Performance Indicators.
Note that demographic and feature-based information can be turned off if desired and that VidiReports can be shipped without the necessary components to perform demographic analysis. Furthermore, no form of facial biometric data is ever computed by the software so that it is impossible for VidiReports to re-identify a person once the person has left the field of view of the camera. In other words, the system permanently “forgets” detected people as soon as they are no longer visible.
- What are the types of personal data to be collected (i.e., Names, IDs, Contacts etc.,)
Images with people’s faces in it
- Describe the information flow within the project. Describe the collection, use and deletion of personal data here. It may be in a flow diagram or another format explaining data flows.
[Flow diagram: Camera (local network) -> Reports (local automated processing) -> VidiCloud (cloud service, Internet connection) -> CMS back office (3rd party). Outputs: Real Time Adbud API, online private dashboard, local export (CSV). API calls collect the encrypted video stream for display of audience data in a 3rd-party app.]
- a) What is the source of the personal data and how is personal data collected?
A digital video image captured by a camera sensor, installed on a screen, is sent as a sequence of binary values to the player where our software solution is installed and operating. The physical layer between the camera sensor and the player is usually a USB connection, but can also be an Ethernet connection. The video image is cached in the player’s RAM only for the time necessary for analysis and processing. This time depends on the player’s computing power, but is usually between 60 and 200 milliseconds. No image is sent to a server for processing. All processing is done locally, at the player level. The volatile memory on which images are cached is overwritten each time a new image is received. No image and no uniquely identifiable data is stored in a database. As a consequence, our software solution cannot recognize a particular person and cannot recognize that a person was at a sequence of different locations, or visited the same location twice. Also, our software solution, as most image processing systems, employs longer-term processing for computer vision tasks such as background extraction and motion estimation. These algorithms rely on long-term averages of video information which, by definition, are entirely static and do not contain any information which could be used to identify people or activities visually.
- b) Where will the data be stored?
The personal data isn’t stored anywhere. It transits through the RAM memory of the local player before being immediately deleted. With regard to the anonymous metadata: we rent physical servers that are hosted at 2 different datacenters in France and Germany (Scaleway and Hetzner).
- For how long will the data be stored?
- How long are you planning to retain the personal data? On expiry of the retention period, how will personal data be securely destroyed or, alternatively, anonymized so that it is no longer personal data? The video image is cached in RAM for the time necessary for analysis and processing. This time depends on the player’s computing power, but is usually between 60 and 200 milliseconds. The images are deleted immediately after being processed. The volatile memory on which images are cached is overwritten each time a new image is received.
- To what extent will the data be processed?
The video image is cached in RAM for the time necessary for analysis and processing. Whilst this time will ultimately depend on the player’s computing power, we believe the time taken will range between 60 and 200 milliseconds. Thereafter the images are deleted immediately after being processed. Furthermore, please note that the volatile memory on which images are cached is overwritten each time a new image is received.
- e) Where shall the data be transferred to?
- Provide a complete list of the countries where the personal data will be stored and transferred to. There is no transfer of personal data. With regards to anonymous metadata: We rent physical servers that are hosted at 2 different datacenters in France and Germany (Scaleway and Hetzner)
- Describe how the data processing flow complies with the below seven data protection principles
- Lawfulness, fairness, and transparency.
Have you notified the individuals of the uses and disclosures made of their personal data and of the purposes of this data processing? Explain.
The Article 29 Working Party considers that the interests of the data subject would prevail if the data subject has no reasonable expectations of the process. We will ensure that the process is transparent and that data subjects have knowledge of the processing and can reasonably expect the process. To this end, we will provide our clients with the text for GDPR-compliant information notices to be put on the screens and/or at the entrance of the commercial area concerned.
We can work closely with KCB & Agency to have an addendum that notifies the Audience that the Out of home site is being monitored.
- Purpose limitation
This means we should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose. The images are processed only to provide audience insights. The solution isn’t used for any other purpose (e.g. security).
- Data minimization
This means we should limit the collection of personal information to what is directly relevant, necessary and adequate to accomplish a specified purpose. Images are immediately deleted after being processed, within a few milliseconds.
The information that we generate from processing these images is a set of metadata in the following form for each detected person: [counter, machine ID, start time, presence, attention, distance, gender, age, mood], where:
- Counter is a consecutive number for the (qualifying) data set
- Machine_ID is the identification number of the machine processing the data
- Start_time is the date and time of the identification start
- Presence is the sum of the time a person spends in the camera sensor’s field of vision
- Attention is the sum of the time the viewer spends on the screen
- Distance is the person’s average distance from the object of interest (i.e. the camera sensor)
- Gender (optional) is the gender of the individual
- Age (optional) is the age of the person or the estimated age
- Mood (optional) is the person’s estimated mood from very sad to very happy
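As an added example, not Adbud’s or Quividi’s own code, the following Python builds the per-person metadata tuple listed above (and in the project outline) from a constructed stream of per-frame face detections, keeps only the transient tracking number inside the function so that no per-person identifier survives into the record, and applies the two options the DPIA mentions: switching the demographic fields off and excluding minors from reports. The shape of the sensor events, the mood scale, the age threshold for minors and the machine id are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import fmean, median, mode
from typing import Optional


@dataclass(frozen=True)
class FrameDetection:
    """One face detection in one processed frame (assumed shape of the detector output).

    track_id is a transient number valid only while the face is in view; it is
    used to group frames and is never written to the output record.
    """
    track_id: int
    timestamp: datetime
    looking_at_screen: bool
    distance_m: float
    gender: Optional[str] = None   # estimated, absent when demographics are not computed
    age: Optional[int] = None      # estimated
    mood: Optional[int] = None     # assumed scale: -2 (very sad) .. +2 (very happy)


@dataclass(frozen=True)
class PrivacyConfig:
    demographics_enabled: bool = True  # gender/age/mood can be switched off by the end-customer
    exclude_minors: bool = False       # optionally drop records whose estimated age is below threshold
    minor_age_threshold: int = 18      # assumed threshold; the DPIA does not state one


@dataclass(frozen=True)
class AudienceRecord:
    """The anonymous metadata tuple described in the DPIA: no image, no track id."""
    counter: int
    machine_id: str
    start_time: datetime
    presence_s: float
    attention_s: float
    distance_m: float
    gender: Optional[str] = None
    age: Optional[int] = None
    mood: Optional[int] = None


def build_records(machine_id, frames, cfg, frame_interval_s=0.1):
    """Aggregate per-frame detections into one AudienceRecord per detected person.

    frame_interval_s is the assumed time each processed frame represents; the
    DPIA quotes 60-200 ms per frame, so 0.1 s is used as a constructed value.
    """
    tracks = {}  # transient track id -> detections, in order of first appearance
    for det in sorted(frames, key=lambda d: d.timestamp):
        tracks.setdefault(det.track_id, []).append(det)

    records = []
    for dets in tracks.values():
        ages = [d.age for d in dets if d.age is not None]
        est_age = int(round(median(ages))) if ages else None
        # Assumption: the minor filter is applied to the estimate before the
        # demographic fields are stripped, so it still works when they are off.
        if cfg.exclude_minors and est_age is not None and est_age < cfg.minor_age_threshold:
            continue
        genders = [d.gender for d in dets if d.gender is not None]
        moods = [d.mood for d in dets if d.mood is not None]
        demo = cfg.demographics_enabled
        records.append(AudienceRecord(
            counter=len(records) + 1,                       # consecutive number in the data set
            machine_id=machine_id,
            start_time=dets[0].timestamp,                   # identification start
            presence_s=round(len(dets) * frame_interval_s, 3),
            attention_s=round(sum(d.looking_at_screen for d in dets) * frame_interval_s, 3),
            distance_m=round(fmean([d.distance_m for d in dets]), 2),
            gender=mode(genders) if demo and genders else None,
            age=est_age if demo else None,
            mood=int(round(fmean(moods))) if demo and moods else None,
        ))
    return records


T0 = datetime(2023, 12, 20, 10, 0, 0)  # constructed start time


def sample_frames():
    """Constructed detections: an adult in view for 5 frames (looking at the
    screen in 3 of them) and an estimated minor in view for 3 frames."""
    frames = []
    adult = [(True, 2.0), (True, 2.2), (False, 2.4), (True, 2.6), (False, 2.8)]
    for i, (looking, dist) in enumerate(adult):
        frames.append(FrameDetection(1, T0 + timedelta(milliseconds=100 * i), looking, dist, "F", 34, 1))
    for i in range(3):
        frames.append(FrameDetection(2, T0 + timedelta(milliseconds=100 * i), True, 1.0, "M", 15, 0))
    return frames


if __name__ == "__main__":
    for cfg in (PrivacyConfig(), PrivacyConfig(exclude_minors=True),
                PrivacyConfig(demographics_enabled=False)):
        print(cfg)
        for rec in build_records("PLAYER-01", sample_frames(), cfg):  # machine id is constructed
            print("  ", rec)
```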
- Accuracy
How do you verify and keep up to date the accuracy of the data collected?
The accuracy of our model, evaluated on the public IMDB-WIKI dataset, gives the following results:
Vehicles
- Detection distance: up to 200m
- Vehicle detection accuracy: 98% daytime, 92% nighttime
- Vehicle type classification accuracy: 90%
Bodies
- Detection distance: up to 40m
- Body detection accuracy: 98%
- Presence time estimation accuracy: +/-1 sec
Faces
- Detection distance: up to 15m
- Face detection accuracy: 98%
- Gender accuracy: 95%
- Age accuracy: +/-10 years of real age in 85% of cases
- Attention time estimation accuracy: +/-0.2 sec
- Storage limitation
What procedures do you have in place to delete the data when it is no longer necessary?
The images are deleted immediately after being processed. The volatile memory on which images are cached is overwritten each time a new image is received.
- Integrity and confidentiality
How have you ensured that you process the data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures? Images are processed locally, on the volatile memory (RAM) of the player. No image with personal data is ever sent online to be processed. The images are deleted immediately after being processed.
- Accountability
This involves demonstrating a clear and ongoing commitment to following privacy principles and ensuring that the necessary measures are in place to protect individuals’ data rights. We have designed a response plan:
- To identify the source of the incident and assess whether it amounts to a data breach;
- To communicate in due time with the Data Controller and the Supervisory authorities concerned. We exchange further with the Data Controller within 48 hours after the occurrence of the data breach;
Supervisory authorities can thus be informed by the Data Controller within 72 hours in accordance with Art. 55 GDPR.
- To resolve the breach. During the time of the resolution, all licenses concerned by the breach are deactivated.
Part 2: An Assessment of the necessity and proportionality of the processing operations in relation to the purpose
- What is your lawful basis for processing the personal data? Select the legal basis from the list below:
- Legitimate interests: the processing is necessary for KCB’s or a third party’s legitimate interests, which are not overridden by the rights or interests of individuals. You should be as specific as possible about what these interests are;
- Explicit Consent: the individual has given their freely given, specific, informed and unambiguous consent to the processing;
- Contractual Performance: the processing is necessary to enter into or perform a contract with the individual (note it cannot be a contract with a third party);
- Legal Compliance: the processing is necessary for compliance with a legal obligation imposed on KCB, other than under a contract;
- Compliance with employment law: the processing of special categories of personal data or sensitive personal data is necessary in the context of employment law or laws relating to social security and social protection;
- Legal Defense: the processing is necessary in defense of a legal claim.
Legitimate Interest
The legitimate interest is a valid legal basis for the controller using our reports in consideration of the guarantees which are taken in compliance with the GDPR, Kenya’s Data Protection Act 2019 and guidance from the European Data Protection Board (Article 29 Working Party). According to Article 6 of the GDPR, the legitimate interest can be used as a legal basis, except where the interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. GDPR recital 47 gives examples of processing that would constitute a legitimate interest of a data controller, and recital 47 explicitly refers to the fact that marketing purposes can be a legitimate interest. Therefore, processing for economic purposes can be considered as based on the legitimate interests of the individuals as a valid legal basis. We have also taken several guarantees to protect the interests and rights of individuals, in accordance with the Article 29 Working Party’s guidance. Indeed, the Working Party’s guidance provides five elements to consider in assessing the balance of interests:
The Article 29 Working Party considers that depending on the nature and sensitivity of the data, the interests of the data subject could prevail, thus:
- In our case, there is no sensitive data involved which would fall within the scope of Article 9 of the GDPR, and no location data. Only images of anonymous individuals are collected and kept for a fraction of a second before being automatically destroyed. Our report generates only anonymous metadata.
- If the data subject may experience negative consequences. In our case, as our reports are not able to identify the data subjects, this cannot possibly trigger any interaction with the data subjects. Moreover, images of anonymous individuals are collected for a very short fraction of time and destroyed. The software only keeps metadata in an anonymous form; individuals are not recognizable. Therefore, there is no way the processing can be intrusive. Thus, there are no consequences for the data subject and furthermore no negative consequences.
- If the data subject has no reasonable expectations of the process. We ensure that the process is transparent and that data subjects have knowledge of the processing and can reasonably expect the process. To this end, we provide customers with the text for GDPR-compliant information notices to be put on the screens and/or at the entrance of the commercial area concerned.
- If there are significant imbalances in power between the data controller and the data subject. In our case, there is no imbalance of power, since we and our customers cannot exercise any power against individuals, who are not known to us or to our customers.
- How is the consent obtained, if at all?
We don’t collect the consent of data subjects, since we merely detect the presence of individuals in front of digital signage screens without identifying them, for marketing and communication purposes, in order to understand the performance of the communication and enhance the quality and relevance of the content that is played on the screens. We do not rely on facial recognition of individuals, which would require our solution to collect more information concerning the individual than it is designed to do.
- Does the processing actually achieve your purpose? What steps will you take to ensure that the personal data are not further used for any purpose other than the objectives stated above?
Yes the processing achieves our purpose, while addressing people’s privacy by processing images locally and deleting them in real time.
- Is there another way to achieve the same outcome?
At the moment none
- How will you achieve data quality and minimization?
- What steps are you taking to ensure you only process minimum personal data for the purposes set out in this document?
Our solution relies on face detection not on face recognition. While processing images, our solution only looks at broad facial characteristics to estimate the gender, age and mood of individuals. VidiReports doesn’t analyze the general actions or activities of people passing in the camera sensor’s field of vision. It doesn’t process any biometric data.
Explanation and justification of data quality
This isn’t relevant as no personal data is retained after the image processing.
- How do you ensure that the personal data processed is accurate and up to date?
Our solution relies on face detection not on face recognition. While processing images, our solution only looks at broad facial characteristics to estimate the gender, age and mood of individuals. VidiReports doesn’t analyze the general actions or activities of people passing in the camera sensor’s field of vision. It doesn’t process any biometric data.
- What information will you give individuals?
How are you going to notify the individuals of the uses and disclosures made of their personal data and of the purposes of this data processing? Are you using a privacy policy or other data protection statement?
A public notice, explaining the data processing in play, should be added to the OOH content (billboard copy) and/or at the entrance of the activation venue.
PUBLIC NOTICE
This media unit runs anonymous software, used to generate statistics about audience counts, gender, mood, footfall, presence, distance. To ensure your privacy, no images and no data unique to an individual person are recorded by the camera on this unit. Images are processed in a few milliseconds before being immediately and permanently deleted. For more information on the anonymous software and our Privacy Policy, please visit www.adbud.tech or scan this QR Code [linking to DATA CONTROLLER PRIVACY PAGE].
ADBUD TECH PRIVACY POLICY
Adbud Tech Ltd uses a camera sensor and anonymous software, so as to generate statistics about audience counts, gender, mood, footfall, presence, distance. To ensure your privacy, no images and no data unique to an individual person is recorded by the camera on this unit. Images are processed in a few milliseconds before being immediately and permanently deleted.
We use this anonymous metadata to build aggregated audience reports or to play more relevant content. The metadata is produced for marketing and communication purposes, such as counting the audience of a screen or of a message that is played back on the screen, or transacting media inventory against this audience data.
We have chosen to use this software as it fully respects people’s privacy: no image on which individuals can be identified and no data unique to an individual are ever recorded. Images with personal data are processed in a few milliseconds before being immediately and permanently deleted.
How does this technology work? Our software processes the images of a camera sensor to count and analyse, in real time, the audience passing in front of an equipped screen. Images with personal data are processed locally in milliseconds before being immediately and permanently deleted. Only the data produced from the processing of the images, i.e., the age, gender, mood, and some facial characteristics of the audience, is kept and aggregated. This data is fully anonymous, as there is no way to link it back to you.
The software relies on face detection, not on face recognition. These are two different technologies. Face detection only looks for the presence of a face whereas facial recognition looks for and identifies a particular person. The software cannot recognize a particular person and cannot recognize that a person was at a sequence of different locations, or visited the same location twice. It forgets about that person as soon as she/he has walked out of the field of view of the camera sensor. So if a person leaves the field of view of the camera sensor and comes back, the Quividi software will think that this is a new person as it has no memory of the face it saw previously.
What is our legal basis to perform this measurement process? Our legal basis is Adbud Tech Ltd’s legitimate interest to measure the audience of its screens and to improve the relevance of the content.
For more information about the software solution and your rights, please click here
(https://quividi.com/privacy) or send a request to the Office of the Data Protection Commissioner, www.odpc@go.ke. For any other information, please contact Adbud Tech Ltd’s Data Protection Officer:
- How will you help to support data subject rights? Will you be able to support data subjects’ requests; amend, erase and provide information to the individual in an easy-to-read format, on request? Can we comply with a demand to cease using or processing personal data on request? Are you relying solely on automated means or algorithms to process personal data and support business decisions without any human intervention? If applicable, will project systems allow the individual to object to any processing? Please describe this in detail.
Determination and description of controls for the rights of access and to data portability, as well as the rights to rectification and erasure: the rights of access, data portability, rectification and erasure are not applicable. All images are deleted immediately after being processed, and no stored record relates to an identifiable person, so there is nothing that could be accessed, ported, rectified or erased.
Determination and description of controls for the rights to restriction of processing and to object: as VidiReports 7 cannot recognise any individual, the right to object is not applicable. The only way to provide a consistent opt-out would be to use a facial recognition solution, which is radically different from the solution that we provide.
- What measures do you take to ensure compliance by the controller and processor? Have you signed data sharing agreements or data processing agreements?
Through data processing agreements: one between Adbud and its sub-data processor (Quividi), and one between Adbud and the data controller (KCB).
Processor's name: Adbud
Purpose: Audience Analytics for OOH
Scope: OOH monitoring of billboards
Contract reference: tbd
Compliance: A Data Processing Agreement must be signed between Adbud (Data Processor) and KCB (Data Controller).
Transfer: There is no transfer. No image is sent to a server for processing; all processing is done locally, at the player level.
- What parties are involved in the processing and what are their specific roles?
- Are these parties registered with their respective data protection commission?
- Describe what each party will be doing with personal data.
TBD
KCB: data controller
Adbud: data processor
Quividi: sub-data processor (provider of the software solution)
- How do you safeguard the processing of the personal data?
This comes down to the privacy-by-design nature of our platform and how images are processed:
– we rely on body and face detection algorithms, not on face recognition;
– images are processed locally, in the volatile memory (RAM) of the player; no image containing personal data is ever sent online to be processed;
– our software is not a video surveillance system: it does not record or relay any video image, it does not compute biometric descriptors, and no video feed is provided to an external operator or device during use. The one exception is the time-limited live view in the configuration interface, which is addressed as a risk in Part 4.
- How do you safeguard any international data transfers?
No international transfer takes place. Images are deleted immediately after processing, within a few milliseconds, and are never sent off the player.
Part 3: An assessment of the risks to the rights and freedoms of data subjects.
Explain what practical steps you will take to ensure that you identify and address privacy risks.
Yes (please give explanations)
No (please give explanations)
- Will the project involve the collection of new identifiable or potentially identifiable data about data subjects?
Yes, by capturing images of individuals through the use of camera sensors. Adbud secures the network on which the cameras and players operate.
- Will the project compel data subjects to provide information about themselves, i.e., where they will have little awareness or choice?
No, the project will not compel data subjects to provide data about themselves without awareness or choice, since disclosure stickers will be displayed at the entrance of the venue and/or on the screens.
- Will identifiable information about the data subjects be shared with other organizations or people who have not previously had routine access to the information?
No; no data will be shared with any other party.
- Are you using information about data subjects for a purpose it is not currently used for, or in a new way, e.g., using data collected to provide care for an evaluation of service development?
No, we are not using information about the data subjects in any new way.
- Where information about data subjects is being used, would this be likely to raise privacy concerns or expectations, i.e., will it include health records, criminal records, or other information that people may consider sensitive and private and that may cause them concern or distress?
No. The data we report is derived from face detection and is anonymised, so it does not raise such privacy concerns or expectations.
- Will the project require you to contact data subjects in ways which they may find intrusive, such as telephoning or emailing them without their prior consent?
No, the project does not require us to contact data subjects in any way.
- Will the project result in you making decisions in ways which can have a significant impact on data subjects, i.e., will it affect the services a person receives?
No, the project does not involve making decisions which have a significant impact on data subjects.
- Does the project involve you using new technology which might be perceived as being privacy intrusive, i.e., using biometrics, facial recognition or automated decision making?
Our tool involves face detection. It processes images from the camera sensor to determine whether individuals are passing or looking toward the billboard while they are in the field of vision of the sensor. The algorithms involved require that the two eyes, the nose and the mouth of a person be visible before an on-looker is registered. The estimation of total footfall (OTS) is a mathematical formula involving only a comparison of the total movement of pixels with the movement of pixels for an average person. The tool analyses the images in real time to produce anonymous metadata describing the size and characteristics of the audience. Only this metadata is kept, aggregated and accessible online. No image and no uniquely identifiable data is ever stored.
The tool relies on face detection technology, not on face recognition. These are two different technologies. Face detection only looks for the presence of a face, whereas facial recognition looks for biometric descriptors that can be used to identify a particular person. The tool cannot recognise a particular person, and cannot recognise that a person was at a sequence of different locations or visited the same location twice. It forgets about that person as soon as she/he has walked out of the field of vision of the camera sensor.
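The two paragraphs above describe three properties that are easy to assert in code: frames exist only transiently in RAM, footfall (OTS) is a pixel-motion ratio rather than anything person-specific, and the only state that survives is aggregated counts with no identity, so a person who leaves and returns is simply counted again. The following is an added example written for this page, not Quividi or Adbud code; the frame format, the 4x4 constructed frames, the "8 moved pixels per average person" calibration and the scripted stand-in detector are all assumptions for illustration (a real deployment would inject its own face detector).

```python
"""Added example (not Quividi/Adbud code): the shape of a privacy-by-design
audience-measurement pipeline with the properties described on this page.

  * frames are processed inside one call and only a single previous frame is
    kept, in RAM, for motion differencing;
  * footfall (OTS) is a ratio of moved pixels to the movement of an average
    person, so it never identifies anyone;
  * the only persistent state is aggregated counts per category; there is no
    identity, so a returning person is counted again as a new person.

The face detector is injected; the one used here is a constructed stand-in
that returns scripted results, not a real detector.
"""
from collections import Counter
from typing import Callable, Dict, List, Optional, Sequence

Frame = Sequence[Sequence[int]]            # greyscale rows, values 0..255 (constructed format)
Detection = Dict[str, str]                 # category labels only, e.g. {"gender": "F", "age": "25-34"}
Detector = Callable[[Frame], List[Detection]]


def moved_pixels(prev: Frame, cur: Frame, threshold: int = 25) -> int:
    """Frame differencing: count pixels whose intensity changed by more than `threshold`."""
    if len(prev) != len(cur) or any(len(a) != len(b) for a, b in zip(prev, cur)):
        raise ValueError("frames must have identical dimensions")
    return sum(1 for pr, cr in zip(prev, cur) for a, b in zip(pr, cr) if abs(a - b) > threshold)


def estimate_ots(moved: int, pixels_per_person: int) -> int:
    """Opportunity-to-see: total pixel movement relative to one average person's movement."""
    if pixels_per_person <= 0:
        raise ValueError("pixels_per_person must be positive")
    return round(moved / pixels_per_person)


class AudienceAggregator:
    """Keeps counts only. No frames, no per-person records and no identifiers survive an interval."""

    def __init__(self, detector: Detector, pixels_per_person: int) -> None:
        self._detector = detector
        self._ppp = pixels_per_person
        self._prev: Optional[Frame] = None   # one-frame lookback for differencing, overwritten each call
        self._ots = 0
        self._watchers: Counter = Counter()  # (gender, age) -> count

    def process_frame(self, frame: Frame) -> None:
        if self._prev is not None:
            self._ots += estimate_ots(moved_pixels(self._prev, frame), self._ppp)
        for d in self._detector(frame):
            # Only category labels are counted; the detection itself is dropped with the frame.
            self._watchers[(d["gender"], d["age"])] += 1
        self._prev = frame   # releases the older frame; only this one is held, for the next diff

    def end_interval(self) -> Dict[str, object]:
        """Emit the aggregated record and wipe all volatile state, including the lookback frame."""
        report = {
            "ots": self._ots,
            "watchers": {f"{g}/{a}": n for (g, a), n in sorted(self._watchers.items())},
        }
        self._prev, self._ots, self._watchers = None, 0, Counter()
        return report


def scripted_detector(results: List[List[Detection]]) -> Detector:
    """Constructed stand-in: returns the scripted detections for the n-th frame it sees."""
    calls = iter(results)
    return lambda _frame: next(calls, [])


def run_demo() -> Dict[str, object]:
    # Constructed 4x4 greyscale frames: a bright 2x4 block appears in frame 1 and vanishes in frame 2.
    blank = [[0] * 4 for _ in range(4)]
    lit = [[255] * 4, [255] * 4, [0] * 4, [0] * 4]
    frames = [blank, lit, blank]
    # The same category labels appear in frames 1 and 2; with no identity they are counted twice,
    # which is the "comes back, counted as a new person" behaviour the page describes.
    detector = scripted_detector([[], [{"gender": "F", "age": "25-34"}], [{"gender": "F", "age": "25-34"}]])
    agg = AudienceAggregator(detector, pixels_per_person=8)   # assumed calibration: 8 moved pixels ~ one person
    for f in frames:
        agg.process_frame(f)
    return agg.end_interval()


if __name__ == "__main__":
    print(run_demo())   # {'ots': 2, 'watchers': {'F/25-34': 2}}
```

The report contains integers and category strings only, which is the check a reviewer of the "no image and no uniquely identifiable data is ever stored" claim would want to be able to run against the persisted output rather than take on trust.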
- Is the service being transferred to a new supplier (re-contracted) at the end of an existing contract?
No, the service is not to be transferred to any new supplier.
- Is processing of identifiable/potentially identifiable data being moved to a new organisation (but with the same staff and process)?
No data is moved to any new organisation.
Part 4: The measures envisaged addressing the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Data Protection Act
Risk: Illegitimate Access to Data
Source: An ill-disposed employee of ours, of the end customer or of their technical partners
Main Threat: Remotely accessing the live video feed of the camera sensor via the Reports Configuration Interface
Main Potential Impact: Sharing the live video feed online
Main controls reducing the severity and likelihood: The live video feed of the camera sensor is automatically disabled after 2 minutes
Severity: Limited
Likelihood: Limited
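The control in this risk entry, a live view that switches itself off after two minutes, is worth implementing so that it fails closed rather than relying on the operator to close the feed. Below is an added example of such a gate, written for this page and not Quividi's or Adbud's code; the window length is taken from the entry above, while the audit-line format, the operator names and the frame source are assumptions for illustration.

```python
"""Added example (not Quividi/Adbud code): a time-boxed gate in front of the
camera's live view, modelled on the control "live video feed disabled after
2 minutes". The audit format, operator names and frame source are assumptions.
"""
import time
from typing import Callable, List, Optional

FEED_WINDOW_SECONDS = 120.0   # two minutes, as stated in the risk register


class LiveFeedGate:
    """Live view is off by default, opened explicitly by a named operator, and
    closes itself when the window elapses even if nobody closes it.

    A monotonic clock is injected so the expiry cannot be extended by moving
    the wall clock back, and so the behaviour can be tested deterministically.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 window: float = FEED_WINDOW_SECONDS) -> None:
        self._clock = clock
        self._window = window
        self._opened_at: Optional[float] = None
        self._opened_by: Optional[str] = None
        self.audit: List[str] = []   # who opened the feed and why it closed

    def open(self, operator: str) -> None:
        """Start (or restart) the window for `operator`; every opening is logged."""
        self._opened_at = self._clock()
        self._opened_by = operator
        self.audit.append(f"feed opened by {operator}")

    def close(self, reason: str) -> None:
        if self._opened_at is not None:
            self.audit.append(f"feed closed ({reason}) for {self._opened_by}")
        self._opened_at = None
        self._opened_by = None

    def is_live(self) -> bool:
        """Fail closed: anything other than 'opened and still inside the window' means no feed."""
        if self._opened_at is None:
            return False
        if self._clock() - self._opened_at >= self._window:
            self.close("auto-expiry")
            return False
        return True

    def next_frame(self, frame_source: Callable[[], bytes]) -> Optional[bytes]:
        """Relay one frame while the window is open; None once it has lapsed.
        The frame is pulled only after the check, so the sensor is not read otherwise."""
        return frame_source() if self.is_live() else None


if __name__ == "__main__":
    gate = LiveFeedGate()
    gate.open("operator-1")
    print(gate.next_frame(lambda: b"<frame bytes>"))   # relayed while inside the window
```

The expiry check lives in the read path rather than in a background timer, so a forgotten feed is cut on the next read regardless of whether the timer thread survived, and the audit list records both who opened the view and that it was the expiry, not the operator, that closed it.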
Risk: Unauthorized Access
Source: Hackers or malicious insiders might try to access personal data for various reasons.
Main Threat: Privacy Breaches
Main potential impact: accidental or intentional data leaks expose personal information.
Main controls reducing the severity and likelihood: Implement access controls such as multi-factor authentication and role-based data access limited to authorised personnel; regularly review and update access privileges; develop a comprehensive data security policy outlining data handling procedures, encryption of sensitive information and secure disposal methods for outdated data; regularly train employees on data security best practices.
Severity: Limited
Likelihood: Limited
Risk: Human Error
Source: Employee negligence
Main Threat: Data breaches, such as sending emails with sensitive information to the wrong recipient
Main Potential Impact: sensitive information being sent to the wrong recipient
Main controls reducing the severity and likelihood: Implement a culture of data security awareness through regular training programs on data handling best practices, phishing scams, and password security.
Severity: Limited
Likelihood: Limited
Risk: Physical Security Threats
Source: Theft of physical devices like laptops or hard drives containing personal data can occur.
Main potential impact: loss of personal data
Main controls reducing the severity and likelihood: Enforce strong physical security measures, including restricting access to our offices and requiring strong passwords and encryption for laptops and portable devices; maintain a visitor logbook to track access to company premises, especially areas with sensitive data storage; develop a clear privacy policy that outlines the type of data collected, its purpose, and user rights regarding their data.
Severity: Limited
Likelihood: Limited
Risk: Third-Party Data Sharing
Source: Sharing personal data with vendors or partners
Main Threat: Failure to secure personal data belonging to employees, suppliers, clients or data subjects
Main Potential Impact: loss of personal data
Main controls reducing the severity and likelihood: Conduct thorough due diligence on third-party vendors before sharing data. Ensure they have robust security measures in place, and sign data processing agreements and non-disclosure agreements (NDAs) to protect data confidentiality.
Severity: Limited
Likelihood: Limited
Part 5: Sign Off and Record Outcomes
Item | Name/position | Sign | Date
Documented by:
Reviewed by (Line manager/Head):
Data Protection Officer (DPO) review and approval: