Data Protection Policy
Document Version: 1.0
Effective Date: 10th January 2025
Last Reviewed: 2nd July 2025
1. Introduction and Purpose
This Data Protection Policy (the "Policy") outlines the commitment of Tenders Afrique EA Gateway Limited ("the Platform", "we", "us", or "our") to protecting the personal data of its users, employees, partners, and all other individuals whose data we process. This Policy is developed in accordance with the Data Protection Act, 2019 of Kenya (the "Act") and the guidance issued by the Office of the Data Protection Commissioner (ODPC).
The purpose of this Policy is to:
Ensure the Platform complies with its legal and ethical obligations regarding data protection.
Provide a clear framework for the lawful, fair, and transparent processing of personal data.
Protect individuals' rights concerning their personal data.
Establish clear responsibilities for all personnel involved in data processing activities.
Mitigate risks associated with data processing, including data breaches.
This Policy applies to all personal data processed by the Platform, regardless of how it is collected, stored, or used, and covers all employees, contractors, consultants, and any third parties acting on behalf of the Platform.
2. Definitions
For the purpose of this Policy, the following terms shall have the meanings ascribed to them:
Data Controller: A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purpose and means of processing personal data.
Data Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller.
Data Subject: An identified or identifiable natural person to whom personal data relates.
Personal Data: Any information relating to an identified or identifiable natural person. This includes, but is not limited to, names, identification numbers, location data, and online identifiers.
Processing: Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Consent: Any unambiguous indication of the data subject’s wishes, given by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
ODPC: Office of the Data Protection Commissioner, the regulatory body in Kenya responsible for enforcing the Data Protection Act, 2019.
3. Data Protection Principles
The Platform adheres to the following principles when processing personal data, as stipulated by the Data Protection Act, 2019:
Lawfulness, Fairness, and Transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
Purpose Limitation: Personal data shall be collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Minimization: Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Storage Limitation: Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and Confidentiality (Security): Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
Accountability: Tenders Afrique EA Gateway Limited shall be responsible for, and be able to demonstrate compliance with, the principles.
4. Types of Data Collected and Processed
The Platform collects and processes various types of personal data necessary for the provision of its e-procurement services. This may include, but is not limited to:
Identity Data: Names, usernames, company registration details.
Contact Data: Email addresses, phone numbers, physical addresses.
Financial Data: Bank account details, shareholding status, payment information (for transactions related to tenders/contracts).
Professional Data: Job titles, company names, tender application details, bid submissions, contract information, qualifications, certifications.
Technical Data: IP addresses, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and other technology on the devices used to access the Platform.
Usage Data: Information about how users interact with the Platform, products, and services.
Marketing and Communications Data: Preferences in receiving marketing from us and our third parties, and communication preferences.
5. Lawful Basis for Processing Personal Data
The Platform will only process personal data when there is a lawful basis to do so, as defined by the Data Protection Act, 2019. The common lawful bases we rely on include:
Consent: The data subject has given clear consent for us to process their personal data for a specific purpose.
Contract: The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract (e.g., for tender participation).
Legal Obligation: The processing is necessary for compliance with a legal obligation to which the Platform is subject.
Vital Interests: The processing is necessary to protect the vital interests of the data subject or another natural person.
Legitimate Interests: The processing is necessary for the purposes of the legitimate interests pursued by the Platform or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
When relying on legitimate interests, the Platform will conduct a legitimate interest assessment to ensure that the processing is proportionate and that the data subject's rights and interests are adequately protected.
6. Data Subject Rights
The Platform respects the rights of data subjects concerning their personal data. Data subjects have the following rights under the Data Protection Act, 2019:
Right to be Informed: To be informed of the use to which their personal data is to be put.
Right of Access: To access their personal data held by the Platform.
Right to Object: To object to the processing of all or part of their personal data.
Right to Rectification: To demand the rectification of false or misleading data.
Right to Erasure (Right to be Forgotten): To demand the erasure of false or misleading data about them.
Right to Restriction of Processing: To request the restriction of processing of their personal data.
Right to Lodge a Complaint: To lodge a complaint with the ODPC.
Procedure for Exercising Rights: Data subjects wishing to exercise any of these rights should submit a written request to the Data Protection Officer (DPO). Tenders Afrique EA Gateway Ltd will respond to legitimate requests within one (1) month of receipt. In complex cases or where there are numerous requests, this period may be extended by a further two (2) months, with the data subject being informed of the extension and the reasons for it.
7. Data Security Measures
Tenders Afrique EA Gateway Ltd implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:
Confidentiality, Integrity, and Availability: Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
Restoration of Availability: The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
Regular Testing: A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Access Controls: Strict access controls and authentication mechanisms to prevent unauthorized access to personal data.
Staff Training: Regular training for all staff on data protection and security best practices.
Physical Security: Measures to ensure the physical security of data storage locations.
Vendor Management: Due diligence and contractual agreements with third-party vendors and service providers that process personal data on our behalf, to ensure they meet our data protection standards.
Firewalls and Antivirus: Robust network security measures, including firewalls and up-to-date antivirus software.
8. Data Breaches
In the event of a personal data breach, Tenders Afrique EA Gateway Ltd has established procedures for detection, assessment, and response.
Notification to ODPC: Where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to the affected data subjects, the Platform will notify the ODPC without delay, and in any case within seventy-two (72) hours of becoming aware of the breach.
Notification to Data Subjects: Where the breach presents a real risk of harm to the data subject, Tenders Afrique EA Gateway Ltd will communicate the breach to the data subject in writing without undue delay, unless the identity of the data subject cannot be established.
Investigation and Remediation: The Platform will immediately investigate the breach, take all necessary steps to mitigate its effects, and implement measures to prevent future occurrences.
Record Keeping: All data breaches, their effects, and the remedial action taken will be documented.
9. Data Retention
Personal data will be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. The retention periods will be determined based on:
The purpose for which the data was collected.
Any legal or regulatory obligations.
Contractual requirements.
The necessity for dispute resolution or legal proceedings.
Once the retention period expires, personal data will be securely deleted or anonymized.
10. Roles and Responsibilities
Data Controller (Tenders Afrique EA Gateway Ltd): Responsible for ensuring overall compliance with the Data Protection Act, 2019, and this Policy. This includes implementing appropriate technical and organizational measures, maintaining records of processing activities, and responding to data subject requests.
Data Protection Officer (DPO): Tenders Afrique EA Gateway Ltd’s Data Protection Officer will be responsible for:
Advising the Platform and its employees on their obligations under the Act.
Monitoring compliance with the Act and this Policy.
Cooperating with and acting as the contact point for the ODPC.
Serving as the point of contact for data subjects; questions pertaining to this Policy may be directed to the DPO via our Contact page.
All Employees and Personnel: All individuals handling personal data within the Platform are responsible for understanding and adhering to this Policy and related data protection procedures. They must report any suspected data breaches or privacy concerns immediately to the DPO.
11. Training and Awareness
The Platform is committed to ensuring that all employees and personnel who handle personal data receive appropriate data protection training. This training will be provided regularly and will cover:
The principles of data protection.
Their responsibilities under this Policy and the Act.
How to identify and report data breaches.
Best practices for data security.
12. Policy Review
This Policy will be reviewed at least annually, or more frequently if there are significant changes in legislation, technology, or the Platform's data processing activities. Any updates will be communicated to all relevant personnel.
13. Contact Information
For any questions or concerns regarding this Data Protection Policy or the Platform's data processing practices, please write to us via our Contact page.