GENERAL DATA PROTECTION POLICY

ABSTRACT

This policy outlines the Company’s processes and procedures to ensure the privacy of personal data held and compliance with the Data Protection Act 2017.

Published Date: 18/10/2024

Version: 1.0



1. Introduction

1.1 The European Union General Data Protection Regulation 2016 (‘GDPR’) and the Mauritius Data Protection Act 2017 (‘DPA’) have been enacted to further protect the rights and freedoms of natural persons (i.e., living individuals) and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.

1.2 In this General Privacy Policy, ‘KGL’ refers to KASA GROUP LTD, and all the words and expressions used in this Privacy Notice shall be interpreted and construed in line with the definitions used in KGL’s General Data Protection Policy.

1.3 KGL has its registered office situated at 42, Edith Cavell Street, Port-Louis, Republic of Mauritius, and its administrative headquarters situated at the same address. KGL’s other contact details are as follows:
Telephone Number: +230 2027500

1.4 Although established, based, and domiciled in Mauritius, KGL has expanded its business activities beyond the jurisdiction of Mauritius, including but not limited to parts of the European Union.

1.5 Definitions

Personal data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Sensitive and/or Special categories of personal data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

Data Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor: The natural or legal person, public authority, agency, or other body who processes personal data for and on behalf of the Data Controller.

Data Subject: The person whose personal data is processed by the Data Controller.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Profiling: Any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour. This definition is linked to the right of the Data Subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling, and the envisaged effects of profiling on the individual.

Third party: A natural or legal person, public authority, agency, or body other than the Data Subject, the Data Controller, the Data Processor, and persons who, under the direct authority of the Data Controller or the Data Processor, are authorised to process personal data.

Supervisory Authority: The independent public authority responsible for the enforcement of the GDPR and the DPA and the regulation and supervision of data processing. In Mauritius, a Data Protection Office, headed by the Data Protection Commissioner, has been established under the DPA.

1.6 The GDPR and the DPA apply to the processing of personal data wholly or partly by automated means (i.e., by computer) and to the processing other than by automated means of personal data (i.e., paper records) that form part of a filing system or are intended to form part of a filing system.

1.7 The DPA will apply to all Data Controllers and Data Processors that are established in the Republic of Mauritius who process the personal data of Data Subjects.

1.8 The GDPR will apply to all Data Controllers and Data Processors that are established in the European Union who process the personal data of Data Subjects, in the context of that establishment. It will also apply to Data Controllers and Data Processors outside of the European Union that process personal data in order to offer goods and services, or monitor the behavior of Data Subjects who are resident in the European Union.

1.9 In light of the definitions of ‘Data Controller’ and ‘Data Processor’ set out in paragraph 1.5 above and in view of the matters set out in paragraph 1.4 above, KGL is a Data Controller and a Data Processor under both the GDPR and the DPA.

2. Policy Statement

2.1 The Board of Directors and management of KGL are committed to compliance with all relevant laws in respect of personal data including the GDPR and the DPA for the protection of the rights and freedoms of individuals whose information KGL collects and processes in the course of its activities.

2.2 KGL’s compliance with the GDPR and the DPA is described by this General Data Protection Policy as supplemented by the following other documents, namely:

2.3 The GDPR, the DPA, this General Data Protection Policy and the documents referred to in paragraph 2.2 above shall apply to all of KGL’s personal data processing functions, including those performed on customers’, potential customers’, clients’, potential clients’, employees’, suppliers’, distributors’, contractors’ and other stakeholders’ and/or partners’ personal data, and any other personal data KGL processes from any source.

2.4 Any breach of the GDPR, the DPA, this General Data Protection Policy and/or any of the documents referred to in paragraph 2.2 above by an employee or préposé of KGL will be dealt with under KGL’s disciplinary policy. Should such a breach appear to give rise to a criminal offence, the matter will be reported as soon as possible to the appropriate authorities. Furthermore, KGL will report any breach to the relevant data protection supervisory authority and also inform the Data Subject whose data has been breached.

2.5 Partners and any third parties working with or for KGL, and who have or may have access to personal data, will be expected to have read, understood and undertaken to comply with this General Data Protection Policy. No third party may access personal data held by KGL without having first entered into a data confidentiality or privacy agreement with KGL, which imposes on the third party obligations no less onerous than those to which KGL is committed. In that respect, KGL has implemented third-party agreements in the form of Supplier Privacy Agreements and Distributor Privacy Agreements.

2.6 In order to foster a data protection and privacy culture amongst its stakeholders, KGL will provide ongoing and appropriate training so as to further protect the rights and freedoms of data subjects. In that respect, KGL has elaborated and implemented a Training Policy.

3. Responsibilities and Roles

3.1 KGL is both a Data Controller and a Data Processor under both the GDPR and the DPA.

3.2 Top Management and all those in managerial or supervisory roles throughout KGL are responsible for developing and encouraging good information handling practices within KGL.

3.3 Furthermore, the Board of Directors of KGL has appointed a Data Protection Officer whose identity and contact details are as follows:

3.4 KGL’s Data Protection Officer is accountable to the Board of Directors of KGL for the management of personal data within KGL and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes:

3.5 KGL’s Data Protection Officer, who the Board of Directors of KGL considers to be suitably qualified and possessing all the relevant expertise, has been appointed to also take responsibility for KGL’s compliance with this General Data Protection Policy on a day-to-day basis and, in particular, has direct responsibility for ensuring that KGL complies with the GDPR and the DPA.

3.6 KGL’s Data Protection Officer has specific responsibilities in respect of procedures such as the Data Subject request procedure and is the first port of call for Data Subjects seeking clarification on any aspect of data protection compliance.

3.7 Notwithstanding the role and responsibilities of KGL’s Data Protection Officer, compliance with data protection legislation is the responsibility of all employees and préposés of KGL who process personal data for and on behalf of KGL.

3.8 Employees and préposés of KGL are responsible for ensuring that any personal data about them and supplied by them to KGL is accurate and up-to-date. The rights and freedoms of employees and prospective employees of KGL under both the GDPR and DPA are more specifically dealt with in KGL’s Employment (Privacy) Notice and Recruitment (Privacy) Notice respectively.

4. Data protection principles

All processing of personal data will be conducted by KGL in accordance with the data protection principles as set out in the GDPR and the DPA. KGL therefore undertakes to comply with the following principles:

4.1 Lawfulness, fairness and transparency

4.1.1 KGL will at all times:

4.1.2 The information that KGL will provide to the Data Subjects includes:

4.1.3 All such information will be readily available in KGL’s General Privacy Policy.

4.2 Purpose limitation

4.2.1 KGL shall at all times ensure that where personal data is obtained for a specified purpose, the said data will not be used for another purpose that differs from the purpose initially notified to the Data Subject in KGL’s General Privacy Policy.

4.2.2 KGL shall, in its General Privacy Policy, define upfront what the personal data will be used for and limit the processing to only what is necessary to meet that purpose.

4.3 Data minimization

4.3.1 KGL shall at all times ensure that the personal data it processes is adequate, relevant and limited to what is necessary for the processing.

4.3.2 KGL will not collect from the Data Subject information that is not strictly necessary for the purpose for which it is obtained as explained in KGL’s General Privacy Policy.

4.3.3 All data collection forms (electronic or paper-based), including data collection requirements in new information systems, will include a fair processing statement via a link to KGL’s General Privacy Policy.

4.3.4 Through Data Protection Impact Assessments (‘DPIAs’), KGL will every year ensure that all data collection methods are reviewed by either an internal audit or external expert to ensure that collected data continues to be adequate, relevant and not excessive.

4.4 Accuracy

4.4.1 Data that is stored by KGL will be reviewed and updated as necessary. No data will be kept unless it is reasonable to assume that it is accurate.

4.4.2 All KGL staff are trained in the importance of collecting accurate data and maintaining it.

4.4.3 It is also the responsibility of the Data Subject to ensure that data held by KGL is accurate and up to date. Data Subjects will from time to time be requested by KGL to fill in forms and checklists which will include a statement that the data contained therein is accurate.

4.4.4 Employees of KGL are required to notify KGL promptly of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of KGL to ensure that any notification regarding change of circumstances is recorded and acted upon.

4.4.5 KGL is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, considering the volume of data collected, the speed with which it might change and any other relevant factors.

4.4.6 On at least an annual basis, KGL will review the retention dates of all the personal data processed by it, by reference to its Data Inventory, and will identify any data that is no longer required. This data will be securely deleted/destroyed.

4.4.7 KGL’s Data Protection Officer is responsible for responding to requests for rectification from Data Subjects within one month. This can be extended to a further two months for complex requests. If KGL decides and is justified in law not to comply with the request, KGL’s Data Protection Officer will respond to the Data Subjects to explain KGL’s reasoning and justification and inform them of their rights to complain to the supervisory authorities.

4.4.8 KGL’s Data Protection Officer is responsible for making appropriate arrangements, where third-party organizations may have been passed inaccurate or out-of-date personal data, to inform them that the information is inaccurate and/or out of date and is not to be used; and for passing any correction to the personal data to the third party where this is required.

4.5 Storage limitation

4.5.1 Personal data will always be kept by KGL in a form such that the Data Subject can be identified only as long as is necessary for processing.

4.5.2 Where personal data is retained beyond the processing date, it will be encrypted and/or pseudonymized in order to protect the identity of the Data Subject.

4.5.3 Personal data will be retained in line with KGL’s Retention of Records Procedure. Once its retention date is passed, it will be securely destroyed as set out in the Retention of Records Procedure save and except if the further storage and retention of the data is necessary for KGL’s legitimate interests (such as defending itself in possible legal proceedings) and/or for KGL to comply with a legal obligation.

4.6 Integrity and confidentiality

4.6.1 KGL will at all times process personal data in a manner that ensures appropriate security of the said data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

4.6.2 In that respect, KGL’s Data Protection Officer will carry out a risk assessment considering all the circumstances of KGL’s controlling or processing operations.

4.6.3 In determining appropriateness, KGL’s Data Protection Officer will also consider the extent of possible damage or loss that might be caused to individuals (e.g. staff or customers) if a security breach occurs, the effect of any security breach on KGL itself, and any likely reputational damage including the possible loss of customer trust.

4.6.4 When assessing appropriate technical measures, KGL’s Data Protection Officer will consider the following:

4.6.5 When assessing appropriate organisational measures, KGL’s Data Protection Officer will consider the following:

4.7 Accountability and compliance

4.7.1 KGL will be responsible for demonstrating compliance with the above principles, including by providing the necessary evidence to demonstrate compliance as set out in the previous sections of this Article.

4.7.2 KGL’s Data Protection Officer will be responsible for ensuring that the privacy rights of Data Subjects are respected and acted upon within the statutory time limits set out in the GDPR and the DPA.

4.7.3 KGL will at all times ensure that the necessary training and awareness programs are provided to its staff to ensure that they are fully aware of the requirements of this Policy.

5. Data subjects’ rights

5.1 KGL wishes to most unequivocally inform Data Subjects at large that they have the following rights regarding data processing, and the data that is recorded by KGL about them:

5.2 KGL will further ensure that Data Subjects may exercise the aforesaid rights as follows:

6. Consent

6.1 KGL understands ‘consent’ to mean that it has been explicitly and freely given, and is a specific, informed and unambiguous indication of the Data Subject’s wishes that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The Data Subjects can withdraw their consent at any time.

6.2 As and when required as per either the GDPR or the DPA, consent requests will be separate from other terms and conditions and will not be a precondition of signing up to a service unless it is necessary for that service.

6.3 When requesting Data Subjects to give their consent to a particular processing operation, KGL will not use pre-ticked opt-in boxes. Only unticked opt-in boxes or similar active opt-in methods will be used.

6.4 Furthermore, KGL will at all times give Data Subjects granular options to consent separately to different types of processing wherever appropriate.

6.5 Also, KGL will always keep records of consents given by Data Subjects in order to show what they have consented to, including what they were told, and when and how they consented.

6.6 KGL also understands ‘consent’ to mean that the Data Subject has been fully informed of the intended processing and has signified his or her agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing.

6.7 At no point in time will KGL imply that consent has been given. Consent will not be inferred from non-response to a communication.

6.8 For the processing of Sensitive Personal Data or Special Categories Personal Data, KGL will invariably request and obtain explicit written consents of Data Subjects prior to processing the same unless an alternative legitimate basis for processing exists under either the GDPR or the DPA.

7. Security of data

7.1 All the employees of KGL are responsible for ensuring that any personal data that KGL holds and for which they are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorised by KGL to receive that information. In that respect, KGL has entered into confidentiality agreements such as Non-Disclosure Agreements with its employees.

7.2 All personal data will be accessible only to those employees of KGL who need to use it. All personal data will be treated by KGL with the highest security and will be kept:

7.3 Utmost care will be taken to ensure that PC screens and terminals at KGL are not visible except to authorised employees of KGL.

7.4 Manual records will not be left where they can be accessed by unauthorised personnel and will not be removed from business premises without explicit authorisation. As soon as manual records are no longer required for day-to-day client support, they will be removed from secure archiving.

7.5 Personal data will only be deleted or disposed of in line with KGL’s Retention of Records Procedure. Manual records that have reached their retention date will be shredded and disposed of. Hard drives of redundant PCs will be removed and immediately destroyed before disposal.

7.6 As the processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft or damage to personal data, KGL staff must be specifically authorised to process data off-site, and such authorisation will be given only in exceptional circumstances and only for the legitimate interests of KGL’s business.

8. Disclosure of data

8.1 KGL will ensure that personal data is not disclosed to unauthorised third parties without the consent of the Data Subject concerned save and except if the information is required for one or more of the following purposes:

8.2 All requests to provide data for one of the reasons set out in paragraph 8.1 above must be supported by appropriate written evidence and/or paperwork and all such disclosures must be specifically authorised by KGL.

9. Retention and disposal of data

9.1 KGL will not keep personal data in a form that permits identification of Data Subjects for a longer period than is necessary in relation to the purpose(s) for which the data was originally collected.

9.2 KGL may store data for longer periods if the personal data will be processed solely for:

9.3 subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the Data Subjects concerned.

9.4 Where personal data needs to be disposed of, KGL will do so securely in accordance with the principle set out in paragraph 4.6 above, thereby protecting the rights and freedoms of Data Subjects.

10. Data transfers

10.1 As a rule, personal data lawfully collected by KGL from a particular jurisdiction (‘the Original Jurisdiction’) shall not be transferred to a jurisdiction other than the Original Jurisdiction (‘Other Jurisdiction’) unless KGL is satisfied that there is an appropriate level of protection for the fundamental rights and freedoms of the Data Subjects in the Other Jurisdiction similar to the level of protection afforded in the Original Jurisdiction (hereinafter referred to as the ‘Adequacy Test’).

10.2 In carrying out the Adequacy Test, KGL will consider the following factors:

10.3 Should KGL not be satisfied by the level of data protection afforded in the Other Jurisdiction after carrying out the Adequacy Test, KGL will not transfer the data to the Other Jurisdiction unless:

11. Information asset register/data inventory

11.1 KGL shall establish a data inventory and data flow process as part of its approach to address risks and opportunities throughout its GDPR and DPA compliance project.

11.2 KGL’s data inventory and data flow relate to:

11.3 KGL is aware of risks associated with the processing of particular types of personal data and the level of risks to individuals associated with the processing of their personal data.

11.4 Consequently, DPIAs will be carried out every year in relation to the processing of personal data by KGL, and in relation to processing undertaken by other organisations on behalf of KGL.

11.5 KGL shall manage the risks identified by the DPIAs in order to reduce the likelihood of a non-conformance with this General Data Protection Policy.

11.6 Where a type of processing, in particular using new technologies and considering the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, KGL shall, prior to the processing, carry out a DPIA of the impact of the envisaged processing operations on the protection of personal data. A single DPIA may address a set of similar processing operations that present similar high risks.

11.7 Where, as a result of a DPIA, it is clear that KGL is about to commence processing of personal data that could cause damage and/or distress to Data Subjects, the decision as to whether or not KGL may proceed must be escalated for review to its Data Protection Officer and/or its Board of Directors as the case may be. The latter shall, if there are significant concerns, either as to the potential damage or distress, or the quantity of data concerned, escalate the matter to the supervisory authority.

Document Owner and Authorisation

KASA GROUP LTD is the owner of this document.

This document and all other related documents referred to herein may, from time to time, be reviewed in line with any changes in the law.

This General Data Protection Privacy Policy as well as all the other documents referred to herein have been duly approved by the Board of Directors of KGL on 18 October 2024.

By order of the Board of Directors of KGL.

Made in good faith on 18 October 2024 at 42, Edith Cavell Street, Port-Louis, Republic of Mauritius.
