1. About British Chambers of Commerce Kenya.

• We, British Business Association of Kenya registration number 9660 / British Chambers of Commerce Kenya a company registered with registration number CPR/2014/156782 (the Chamber, we, us, our). We are a part of a network of the Chambers of Commerce globally affiliated by the United Kingdom British Chambers of Commerce.
• We are registered with the Office of the Data Protection Commissioner as a Data Controller (Serial No 03488, date 27/11/2023).
• We honour the rights of our members, employees and other users’ including website visitors’ right to privacy and data protection.
• Processing of personal data is governed by the Data Protection Act, 2019(‘the Act’), The Data Protection General Regulations 2021, The Data Protection (Registration of Data Controllers and Data Processors) 2021, The Data Protection (Complaints Handling and Enforcement Procedures) Regulations 2021 and as may be amended from time to time, and any other regulations made thereunder (collectively, “the Data Protection Legislation”).
• This Privacy Notice (“Notice”) describes how we collect, uses, share, and retain Personal Data provided by users of this website. The Policy is effective as of 3^rd May 2024.

 

2. About this Notice

• In order to provide our Services, we may need to process Personal Data from time to time (that is information about someone who can be identified or is identifiable from the data). This is Personal Data may be about you or other people. This Notice explains how we will use the Personal Data we hold.
• The Notice will be continuously assessed against new technologies, business practices, regulatory changes and the evolving needs of the Chamber and the membership’s services provided the Chamber. So please do keep an eye on our notice before giving us any Personal Data.

 

3. Who do we hold Personal Data about.

• We collect and hold a variety of personal data including names, email addresses, phone numbers, payment information, social media profiles, business addresses, demographic information such and details of our services the users may be interested in such as international trade opportunities, events and training courses.
• We collect information directly from individuals or from the parent companies of the individuals. The information could be collected through e-mails, phone calls, online registration forms, event registration forms and face to face meetings.
• We do not process children’s data. In the event we must process the personal data for children we will ensure we have consent from parents or guardians.
• We do not collect personal data about individuals except when there is a lawful basis or a legitimate business requirement.

Details of the Individuals (Data Subjects):

INDIVIDUALS	DESCRIPTION
Client contacts	that is any party which has engaged us to provide services (including key contact data);
Membership	that is any party who or which has signed up to be a member of our organisation (including any individuals in their companies);
Supporters	that is anyone who has contacted us to find out about what we do or otherwise supported us, other than through Membership;
Beneficiaries	that is any individuals who receive our services.

 

4. How we process the Personal Data we hold, purpose for processing and what is our lawful basis.

• We hold and process Personal Data as a Controller, which means we must have a ‘lawful basis’ for doing so. We have set out how we use Personal Data along with our lawful basis in the table below.

Purpose/Activity	Type of data	Lawful basis for processing including basis of legitimate interest
To register you as a new member	(a) Identity  (b) Contact	Performance of a contract with you.
To process and deliver your order or when you are purchasing items from our stores including:  (a) Manage payments, fees and charges.  (c) Deliver services to you (we may need to share your details with a third party providing a service, such as event providers and hotels)	(a) Identity  (b) Contact  (c) Financial  (d) Transaction  (e) Marketing and Communications	(a) Performance of a contract with you.    (b) Necessary for our legitimate interests.
To manage our relationship with you which will include:  (a) Notifying you about changes to our terms or privacy policy.  (b) Sending you legally required information relating to information about our services.	(a) Identity  (b) Contact  (c) Profile	(a) Performance of a contract with you    (b) Necessary to comply with a legal obligation    (c) Necessary for our legitimate interests (to keep our records updated, to study how customers use our services, to provide you with the best service and to understand how we can improve our service based on your experience)
To enable you to take part in our events or complete a survey and to allow us to administer any of our events.	(a) Identity  (b) Contact	(a) Performance of a contract with you.    (b) Explicit Consent for photos and images (which consent you may withdraw at any time).
For commercial marketing, to make suggestions and recommendations to you about services that may be of interest to you	(a) Identity  (b) Contact	Explicit Consent (which consent you may withdraw at any time)

 

• Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a business. We consider such use goes no further than the Data Subject would reasonable expect; is likely to align with the Data Subject’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of the Data Subject.
• We may perform statistical analyses of user behaviour and characteristics to measure interest in and the use of various sections of the website.
• The personal data held by us may also be used on an aggregate basis without any personal identifiers to provide third parties with information, such as the composition of membership, and to help us develop new member services, improve the features and content of the website or other marketing material, and to provide sponsors and others with aggregate information about our members, website users and their usage patterns in relation to services and/or the website.

 

5. Your rights under the Data Protection Legislation.

Under the Data Protection Legislation, you have the following rights, which we will always work to respect and uphold:

 

• The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions.
• The right to access the personal data we hold about you.
• The right to have your personal data corrected if any of your personal data held by us is false, erroneous or misleading.
• The right to ask us to delete or otherwise dispose of any of your personal data that we hold.
• The right to restrict (i.e. prevent) the processing of your personal data.
• The right to object to us to our use of your personal data for a particular purpose or purposes.
• The right to withdraw consent. This means that, if we are relying on your consent as the lawful basis for using your personal data, you are free to withdraw that consent at any time.
• The right to data portability. You have a right to request your personal data, which you have provided to us in a structured and commonly used format for your own use across different services.
• Rights relating to automated decision-making and profiling. We do not use your personal data in this way.

 

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights), such as full name, address, telephone number, email address, member number. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

For more information about our use of your personal data or exercising your rights as outlined above, please contact us by email as set out in Part 9.

It is important that your personal data is kept accurate and up-to-date. If any of the personal data we hold about you changes, please keep us informed as long as we have that data.

If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Office of the Data Protection Commissioner. We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first.

 

Time limit to respond.

We try to respond to all legitimate requests within 7 to 30 days. Occasionally it may take us longer than the stipulated time period if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

 

6. How we share your personal data.

All data sharing will be undertaken in line with the Data Protection Legislation.

Transfer of your personal data outside of the Republic of Kenya.

Subject to one or more appropriate safeguards set out in the Data Protection Legislation, we may from time to time transfer your personal data to the United Kingdom for the purposes described in this Privacy Notice.

When transferring your personal data we will ensure that it is protected in the same way as if it was being processed in the Republic of Kenya. 

We will ensure that the recipient country of your personal data has equivalent data protection laws in place and we will put in place a written contract with the recipient that means they must protect it to the same standards as the Republic of Kenya.

 

7. Security of your Personal Data

• We use reasonable measures to safeguard your personal data.
• We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
• We limit access to your personal data to only those employees, contractors or agents who have a legitimate business need to have access to that data. The employees, contractors or agents will process your personal data in accordance with our instructions. They will be subject to a duty of confidentiality and due care with respect to handling the personal data.
• We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
• Our employees are trained on data security and information protection. Relevant areas of the our website will employ Secure Socket Layer (“SSL”) or Transport Layer Security (“TLS”) encryption technology to enhance data privacy and help prevent loss, misuse, or alteration of the information collected and retained by us.

 

8. How long do we keep your Personal Data.

We are required under the Data Protection Legislation to keep your personal data only for specific period as lawfully required. Some of the considerations we take into account when deciding on the retention of your data is:

1. Where it is stipulated under the law; and
2. the necessary time your data is needed for us to deliver the service to you.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

 

9. How to Contact us

If you wish to contact us in respect of part of this Privacy Notice or have any questions or would like further information regarding our handling of your personal data, please contact us by email:

Designation: The Office Administrator  

Physical Address:  British Council Complex

Email address: privacy@bcckenya.org

 

10. Changes to your personal data

 Please keep us informed of any changes to your personal data by emailing us with full details of the changes at membership@bcckenya.org