THE DONUT FACTORY DATA PROTECTION POLICY

1. Policy Statement

The Donut Factory Limited (hereinafter “the Company”) recognises and respects the fundamental right to privacy protected under Article 31 of the Constitution of Kenya and the Data Protection Act, No. 24 of 2019 (“the Act”). The Company is dedicated to safeguarding personal data collected, processed, stored, or transmitted during its operations. This Policy sets out the principles and standards governing the processing of personal data within the Company, ensuring compliance with the Act and the Data Protection (General) Regulations, 2021.

2. Scope

This Policy applies to:
- All personal data processed by the Company in any form, whether electronic, paper, or verbal.
- All business operations of the Company, including its restaurant outlets, online ordering platforms, loyalty applications, CCTV monitoring, and data analytics.
- All employees, directors, interns, contractors, and third-party service providers who process personal data on behalf of the Company.

3. Legal Framework

This Policy is developed in accordance with:
- The Data Protection Act, No. 24 of 2019;
- The Data Protection (General) Regulations, 2021;
- The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021; and
- Any other applicable Kenyan laws governing privacy and information security.

4. Registration with the ODPC

The Company shall register as a Data Controller and Data Processor with the Office of the Data Protection Commissioner (ODPC) in accordance with Section 18 of the Act and keep registration details up to date.

5. Data Protection Principles

The Company shall process personal data in accordance with the following principles:
- Lawfulness, fairness, and transparency – Data shall be processed lawfully and in a manner that is fair and transparent to the data subject.
- Purpose limitation – Data shall be collected for explicit, legitimate, and specified purposes only.
- Data minimisation – Only the minimum data necessary for each purpose shall be collected.
- Accuracy – Data shall be accurate and kept up to date.
- Storage limitation – Data shall not be retained for longer than necessary.
- Integrity and confidentiality – Data shall be processed securely to prevent unauthorised access, alteration, disclosure, or destruction.
- Accountability – The Company shall be responsible for demonstrating compliance with these principles.

6. Lawful Basis for Processing

The Company shall only process personal data where a lawful basis exists under Section 30 of the Act, including:
- Consent from the data subject;
- Performance of a contract;
- Compliance with a legal obligation;
- Protection of the vital interests of the data subject or another person;
- Performance of a public duty or task in the public interest; or
- Pursuit of legitimate interests not overridden by the rights of the data subject.

7. Processing of Sensitive Personal Data

Sensitive personal data shall only be processed when:
- The data subject has given explicit consent;
- The data has been made public by the data subject;
- Processing is necessary for legal claims, vital interests, or employment obligations; or
- The processing is authorised by law.

All staff managing sensitive information must strictly follow this Policy and relevant legislation. Unauthorised handling may lead to disciplinary, civil, or criminal penalties.

8. Data Collection and Privacy Notices

The Company shall collect personal data directly from the data subject whenever possible. When data is collected indirectly, the Company shall ensure that a lawful basis exists and that the data subject is properly notified. A Privacy Notice shall accompany all data collection activities, providing clear information on:
- The purpose of collection;
- Data categories and recipients;
- Retention periods;
- Data subject rights; and
- Contact details of the Data Protection Officer (DPO) and the ODPC.

(See Annex 2 – Privacy Notice Template)

9. Data Subject Rights

Data subjects have the following rights under the Act:
- The right to be informed of how their data is used;
- The right to access personal data (Form DPG2);
- The right to rectification (Form DPG3);
- The right to erasure (Form DPG5);
- The right to restriction of, and objection to, processing;
- The right to data portability (Form DPG4); and
- The right to object to automated decision-making and profiling.

Requests shall be responded to within 21 days, as specified in Regulation 8 of the General Regulations.

10. Data Protection Officer (DPO)

The Company shall appoint a Data Protection Officer responsible for:
- Advising management on compliance with applicable laws;
- Liaising with the ODPC on registration, audits, and investigations;
- Conducting Data Protection Impact Assessments (DPIAs) under Section 31 of the Act;
- Coordinating staff capacity building and awareness; and
- Monitoring compliance and reporting data breaches.

11. Data Protection Impact Assessments (DPIAs)

Before initiating any new technology or data processing activity that could pose a significant risk to individuals (e.g., CCTV systems, biometric systems, online ordering platforms), the Company shall perform a DPIA in accordance with Section 31 of the Act.

12. Data Retention and Disposal

The Company shall retain personal data only for as long as necessary for the purpose collected, or as required by law. Once expired, data shall be securely deleted, anonymised, or destroyed.

(See Annex 1 – Data Retention Schedule)

13. Data Sharing and Third-Party Processors

Personal data may only be shared when:
- It is necessary for business operations or legal compliance;
- The data subject has been informed in advance; and
- A written Data Processing Agreement (DPA) compliant with Regulation 22 is in place.

Third-party processors (e.g., payroll, marketing, delivery, or IT service providers) must:
- Process data only in accordance with documented instructions from the Company;
- Implement appropriate security measures;
- Maintain confidentiality; and
- Allow audits to verify compliance.

14. Cross-Border Data Transfers

Personal data shall not be transferred outside Kenya unless:
- The ODPC has issued an adequacy decision for the destination country;
- Appropriate safeguards are in place; or
- The data subject has given explicit consent.

15. Security Measures

The Company shall implement suitable technical and organisational measures, including:
- Access control and authentication systems;
- Encryption of sensitive data;
- Secure storage and disposal practices;
- Regular security audits; and
- Employee training on privacy and data handling.

16. Data Breach Management

Any actual or suspected personal data breach must be reported immediately to the DPO. In accordance with Section 43 of the Act, the Company shall:
- Notify the ODPC within 72 hours of becoming aware of a breach; and
- Notify affected data subjects in writing where the breach presents a real risk of harm to them.

17. CCTV and Employee Data Processing

The Company employs CCTV surveillance and employee monitoring systems for security, loss prevention, and operational safety. Suitable signage will be displayed, and such data shall only be accessed by authorised personnel.
18. Complaints Handling

Data subjects can file complaints with the Company’s DPO. The Company will investigate and resolve complaints within 30 working days. If unsatisfied, the complainant may escalate the matter to the ODPC under Section 56 of the Act.

19. Training and Awareness

All employees must undergo regular training on data protection obligations and the secure handling of personal data. Attendance at training sessions shall be recorded.

20. Policy Review and Updates

This Policy shall be reviewed annually or sooner if required by legal or regulatory changes. All updates shall be approved by the Board of Directors.