Bitwise Digital Solutions Limited Data Protection Policy Page 1 of 7

DATA PROTECTION POLICY

1. PURPOSE

The purpose of this policy is to provide guidelines relating to the processing of personal data by Bitwise

Digital Solutions Limited (hereinafter referred to as “Bitwise”).

2. SCOPE

This policy covers data collected, received and stored on Bitwise owned physical and electronic databases and

resource centre. It shall apply to all staff and clients of Bitwise. It shall also apply to all users of the Bitwise’s

applications, software, databases, websites, social media platforms and all other suchlike resources.

This policy shall cover all data/ information collection tools of Bitwise including but not being limited to

websites, social media platforms, mobile applications, research publications and communication tools such as

photos, videos, social and main stream media.

3. DEFINITIONS

3.1. Consent means any freely given, unambiguous and informed indication by a statement or by a

clear positive action, signifies an agreement by the user to the processing of his/her personal data.

3.2. Data controller means a natural or legal person, public authority, agency or other body which

has authority to oversee the management of, and to determine the purposes for the processing of

personal data.

3.3. Data processor means a natural or legal person, public authority, agency or other body which

processes personal data on behalf of the data controller.

3.4. Data processing means converting of data into information. This includes collecting, recording,

rationalizing, storage, alteration, retrieval, use, transmission, dissemination, erasure or

destruction of data.

3.5. Data subject means an individual whose personal data is subject to processing

3.6. Data transfer means all acts that make personal data accessible to third parties outside Bitwise

on paper, via electronic means, on internet or through other means.

3.7. Data Transfer Agreement means an agreement between Bitwise and a third party that states

the terms and conditions of use of personal data, including which data components are to be

shared, the mode of transfer, how the data may be used, data security measures and other related

issues.

3.8. Personal data means any data related to a user who can be identified from that data; from that

data and other information; or by means reasonably likely to be used related to that data. Personal

data includes biographical data (bio data) such as name, sex, date of birth, country of origin,

Identification Number as well as blood type.

3.9. Personal data breach means a breach of data security leading to the accidental or

unlawful/illegitimate destruction, loss, alteration, unauthorized disclosure of, or access to,

personal data transferred, stored or otherwise processed.

3.10. Person of concern means a person whose protection and assistance needs are of interest to

Bitwise.

3.11. Processing of personal data means any operation, or set of operations, automated or not,

which is performed on personal data, including but not limited to the collection, recording,

organization, structuring, storage, adaption or alteration, retrieval, consultation, use, transfer,

dissemination or otherwise making available, correction, or destruction.

3.12. Third party means any natural or legal person other than the user. Examples of third parties are

national governments, international governmental or non-governmental organizations, private

sector entities or individuals.

Bitwise Digital Solutions Limited Data Protection Policy Page 2 of 7

4. POLICY GUIDELINES

4.1. The Bitwise shall in dealing with personal information and data ensure that the information/ data

is processed.

a) without infringing the privacy rights of the data subject;

b) in a lawful manner; and

c) in a reasonable manner.

4.2. The collection, use, storage and transfer of personal data will be subject to the provisions of the

Data Protection Act, 2019.

4.3. This policy will guide on ICT Acceptable Use Policy, the Record Retention and Destruction Policy

and the Accountability Framework.

5. ACCURACY

5.1. Bitwise shall store personal data/information as accurately as possible and update and

systematically review it to ensure it fulfils the purpose(s) for which it is processed.

5.2. The data subject may request the correction of personal data that is inaccurate, incomplete,

unnecessary or excessive.

5.3. When personal data is corrected, Bitwise will notify, as soon as is reasonably practicable, all third

parties to whom the relevant personal data was transferred and to the data subject.

6. LAWFUL AND FAIR PROCESSING

6.1. Data processing shall be carried out in a lawful and fair manner for specified and legitimate

purposes without prejudicing the fundamental rights and freedoms of data subjects.

6.2. The processing shall only be justified based on one (or more) of the legal basis including:

a) data subject giving his or her consent

b) the processing is necessary for the performance of a contract with the data subject

c) to meet legal compliance obligations

d) to protect the data subject’s vital interests or any other person who may be indirectly affected

e) public interest

f) to pursue Bitwise’s legitimate interests which are not overridden because the processing

prejudices the interests or fundamental rights and freedoms of data subjects.

7. FURTHER PROCESSING

7.1. Further processing for research purposes shall be compliant with the conditions outlined in order

to be compatible with the purposes for which the data is obtained.

7.2. Personal data which is processed for research purposes may be exempt from provisions of this

policy if the results of the research and statistical data is not made available in a form which

identifies the data subject.

7.3. Further processing of data shall comply with the data protection principles set out in this policy,

in particular in ensuring the security and confidentiality of sensitive personal data.

8. CONFIDENTIALITY

8.1. The confidentiality of personal data must be respected by Bitwise when processing data at all times

with access to the same limited on a need to know basis.

8.2. Bitwise shall maintain the confidentiality of the personal data throughout and even after the user

is no longer of concern to Bitwise.

Bitwise Digital Solutions Limited Data Protection Policy Page 3 of 7

8.3. The data controller may specify other categories of personal data that will require additional

safeguards and restrictions and may be classified as sensitive personal data.

8.4. In the processing of sensitive personal data the data controller will specify further grounds on

which these categories will be processed with consideration of:

a) the increased risk of significant harm that may be caused to the data subject by processing

this

category of personal data.

b) the degree of confidentiality attached to the category of personal data.

c) the level of protection afforded by provisions applicable to personal data.

9. SECURITY

9.1. Bitwise will ensure and implement a high level of data security that is appropriate to the risks

presented by the nature and processing of personal data taking into account the level of technology

available and existing security conditions as well as the costs of implementing additional security

measures.

9.2. In order to ensure and respect confidentiality, personal data will be filed and stored in a way that

is accessible only to authorized staff and transferred only through the use of protected means of

communication.

9.3. In order to ensure the confidentiality of the personal data, Bitwise shall take appropriate technical

and organizational data security measures.

9.4. The nature of risks will include but not be limited to risk of accidental or unlawful/illegitimate

destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

9.5. Access to personal data/content/knowledge shall be restricted to authorized personnel using it in

the performance of their duties at Bitwise and as determined by appropriate authorization of both

the staff or supervisor and data subjects.

9.6. Personal data/content/knowledge may not be used by any employee or staff for purposes other

than the business of Bitwise.

9.7. Staff and volunteers allowed access of personal data/content/knowledge of Bitwise shall sign a

non-disclosure agreement banning them from using the content for business other than Bitwise’s

core mandate.

9.8. Private email accounts shall not be used to transfer Personal Data.

9.9. Information technology will be used to process, communicate and store Bitwise’s data and

information which will be classified as Confidential Information (CI).

9.10. Data security measures will be routinely reviewed and upgraded as deemed appropriate to ensure

the level of protection is commensurate to the degree of sensitivity applied to personal data and

considering the possible development of new technology in enhancing data security.

10. ACCOUNTABILITY

10.1. Bitwise will be responsible for compliance and will be required to demonstrate that appropriate

measures have been employed within the company to comply with the data protection guidelines.

10.2. Bitwise will implement data protection training programs for all staff.

10.3. Bitwise will bear the burden of proof to establish the data subjects’ consent of the processing of

their personal data for a specific purpose.

10.4. Bitwise will ensure that it is as easy to withdraw as it is to give consent.

Bitwise Digital Solutions Limited Data Protection Policy Page 4 of 7

11. RIGHTS OF DATA SUBJECTS

A data subject has a right to: -

a) be informed of the use to which their personal data is to be put.

b) withdraw consent at any time.

c) access their personal data in custody of data controller or data processor.

d) object to the processing of all or part of their personal data.

e) correction of false, inaccurate or misleading data.

f) deletion of false or misleading data about them.

g) request for erasure of their personal data where it irrelevant, excessive or was obtained unlawfully.

12. DATA COLLECTION

12.1. When collecting personal data from the user, Bitwise shall inform the user of the following in

writing/orally and in a manner and language that is understandable to the user:

a) The specific purpose(s) for which the personal data or categories of personal data will be

processed.

b) Whether such data will be transferred to third parties and the specific third parties.

c) The data subject’s right to request access to their personal data, or correction or deletion of it.

d) How to lodge a complaint with the data controller.

e) The mandate and contact details of the data controller.

12.2. Where data is not collected directly from the data subject either orally or in writing, other means

will be considered as far as is practicable such as radio communication, posters and flyers in an

accessible location, online postings and any other appropriate method of transmission.

12.3. At the request of the data subject the data controller may restrict the processing of personal data

where:

a) The accuracy of the data is contested by the data subject.

b) The data subject has objected to the processing.

13. DATA COLLECTION AND IMPACT ASSESSMENTS

13.1. Where a type of processing in particular using new technology, and taking into account the nature,

scope, context and purposes of the processing, is likely to result in a high risk to the rights and

freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment

of the impact of the envisaged processing operations on the protection of personal data.

13.2. A single assessment may address a set of similar processing operations that present similar high

risks.

13.3. A data protection impact assessment shall in particular be required in the case of:

a) a systematic and extensive evaluation of personal aspects relating to natural persons which is

based on automated processing, including profiling, and on which decisions are based that

produce legal effects concerning the natural person or similarly significantly affect the natural

person; or

b) a systematic monitoring of a publicly accessible area on a large scale.

13.4. The assessment shall contain at least:

a) a systematic description of the envisaged processing operations and the purposes of the

processing, including, where applicable, the legitimate interest pursued by the controller;

b) an assessment of the necessity and proportionality of the processing operations in relation to

the purposes;

c) an assessment of the risks to the rights and freedoms of data subjects; and

Bitwise Digital Solutions Limited Data Protection Policy Page 5 of 7

d) the measures envisaged to address the risks, including safeguards, security measures and

mechanisms to ensure the protection of personal data and to demonstrate compliance with

this Policy taking into account the rights and legitimate interests of data subjects and other

persons concerned.

14. DATA RETENTION AND DISPOSAL

14.1. Data will not be kept in a form that allows data subjects to be identified for longer than needed for

the legitimate purposes or other purposes for which the Bitwise collected it.

14.2. The purposes of data retention shall include satisfying any legal, contractual, accounting or

reporting requirements.

14.3. Personal data may be retained for a longer period in the event of a complaint there is reasonable

belief that there is a prospect of litigation in respect to the Bitwise’s relationship with the data

subject.

14.4. The Bitwise shall take all reasonable steps to destroy or erase from its systems all personal data

that are no longer required in accordance with Bitwise’s Record Retention and Destruction Policy.

15. TRANSFER OF PERSONAL DATA TO THIRD PARTIES

15.1. Bitwise may transfer personal data to third parties with the data controller.

15.2. Bitwise may only transfer personal data/content/knowledge to third parties on condition that the

third party affords a level of data protection the same or comparable to this Policy.

15.3. In order to mitigate risks associated with transfer of data to third parties, Bitwise will only transfer

data to a third party if:

a) The data is stripped off personal and identifiable information;

b) The transfer is based on one or more legitimate basis including:

(i) explicit consent by the data subject;

(ii) compliance with national or international law; or

(iii) in exercise, establishment and defense of any contractual or legal obligations;

c) The personal data to be transferred is adequate, relevant, necessary and not excessive in

relation to the purpose(s) for which it is being transferred;

d) The data subject has been informed either at the time of the collection or subsequently, about

the potential transfer of his/her personal data;

e) The third party has in the past respected the confidentiality of personal data transferred to

them by Bitwise; and

f) The third party maintains a high level of data security that protect personal data against the

risk of accidental or unlawful/illegitimate destruction, loss, alteration unauthorized disclosure

of, or access to it.

15.4. Bitwise will also ensure that transferring personal data does not negatively impact:

a) The safety and security of Bitwise staff.

b) The effective functioning of an operation or compromise in Bitwise’s mission, vision or

fundamental principles, for example due to the loss of trust and confidence between the

Bitwise and persons of concern.

15.5. The processing of sensitive personal data out of Kenya shall only be effected upon obtaining

consent of a data subject and on obtaining confirmation of appropriate safeguards.

Bitwise Digital Solutions Limited Data Protection Policy Page 6 of 7

16. DATA TRANSFER RECORDS

16.1. Bitwise shall keep and maintain full and accurate records reflecting all phases of data management

cycle, including records of data subjects’ consents and procedures for obtaining consent, where

consent is the legal basis of processing.

16.2. The data transfer records shall include, at a minimum:

a) the name and contact details of the individual entity authorizing the transfer;

b) clear descriptions of the personal data types;

c) data subject types;

d) processing activities;

e) processing purposes;

f) third-party recipients of the personal data;

g) personal data storage locations;

h) personal data transfers;

i) the personal data’s retention period; and

j) a description of the security measures in place.

17. DATA TRANSFER AGREEMENTS

17.1. Bitwise will require all third parties to comply with this Policy through an agreement or an MOU

as part of the signing of partnership agreements. Such agreements will specify the specific

purpose(s) and legitimate basis for the processing or transfer of personal data.

17.2. Data transfer agreements shall;

a) address the purpose(s) for data transfer, specific data elements to be transferred as well as

data protection and data security measures to be put in place;

b) require the third party to undertake that its data protection and data security measures are in

compliance with this Policy; and

c) stimulate consultation, supervision, accountability and review mechanisms for the oversight

of the transfer for the life of the agreement.

17.3. Bitwise’s Legal Department shall review and approve all data transfer agreements and maintain

copies of final agreements.

18. DATA BREACH

18.1. Bitwise will maintain a register of all data breaches.

18.2. Bitwise’s staff will notify their line managers as soon as possible upon becoming aware of a

personal data breach.

18.3. The member of staff or volunteer will record the breach.

18.4. If a personal data breach is likely to result in personal injury or harm to a data subject, the data

controller will communicate the personal data breach to the data subject and take mitigating

measures as appropriate without undue delay. In such cases, the data controller shall also notify

the Secretary General of the personal data breach.

18.5. The notification will describe:

a) The nature of the personal data breach, including the categories and number of data subjects

and data records concerned;

b) The known and foreseeable adverse consequences of personal data breach; and

c) The measures taken or proposed to be taken to mitigate and address the possible adverse

impacts of the personal data breach.

Bitwise Digital Solutions Limited Data Protection Policy Page 7 of 7

19. EXTERNAL USE AND LEGAL PROVISIONS

19.1. Title to all data belonging to Bitwise resulting from data processing shall reside at Bitwise and shall

be subject to the provisions of the Data Protection Act, 2019.

19.2. Third parties may not process data belonging to Bitwise without consultation with Bitwise.

19.3. Any data processed jointly shall be jointly owned by Bitwise and third party with whom the joint

processing was done.

19.4. Nothing in this policy will prevent legal action from being undertaken against a person who

violates the provisions of this policy or of any Kenyan laws and regulations particularly relating to

the Data Protection Act, 2019.

19.5. All matters arising out of or relating to this policy shall be governed by and are to be construed in

accordance with the Laws of Kenya, excluding any conflict of law provisions, with Kenyan courts

having exclusive jurisdiction in all disputes arising therein.

20. PERIODIC REVIEW OF THE KNOWLEDGE MANAGEMENT POLICY

This policy will be reviewed every three years or when need arises, whichever comes first.

DOCUMENT MANAGEMENT FRAMEWORK

Author Department

Date Approved

Name of Approver

Proposed Revision Date

Date of Revision

Proposed Revision Date