31 March 2021
2. Who is SandRose?
SandRose is a project management and consulting firm specializing in supporting infrastructure projects across Africa with a specific focus on energy transition, infrastructure projects, industrial parks and sustainable cities. Our offices are situated at with offices off Timau Plaza, Off Timau Road, PO Box 25177 00100 Nairobi, Kenya.
3. What is the Purpose of this Policy?
4. Data Controller
SandRose is the data controller of the personal information which you provide or which We gather from you.
5. What is Personal Data?
6. What Personal data do We Collect and How Do We Use It?
We collect personal data about:
- Visitors to Our website
- People who email Us
- People who telephone Us
- People who contact Us about Our services or products
- People who use or services or products
- Project stakeholders
- Job applicants
6.1. Visitors to Our Website
When you visit www.sandrose-consulting.com, We use third party services such as Google Analytics to collect details of visitor behaviour patterns and standard internet log information such as IP (internet) address and browser type or version. The information is processed in such a way that it does not identify any specific individual. You can read Google’s overview of privacy and safeguarding data here: https://support.google.com/analytics/answer/6004245.
If We want to collect information which identifies an individual, We will tell you. For instance, you will be given the opportunity to fill in your contact details and to “opt-in” if you want to receive more information about Us or about Our services or Our products.
6.2. Cookies and other Technologies
Find out more about cookies, including how to disable/enable and delete them, at the following website www.aboutcookies.org.
6.3. People Who Email Us
We use Transport Layer Security (“TLS”) cryptographic protocol to encrypt and protect email traffic. If your email service does not support TLS cryptographic protocol, you should be aware that any emails you send or receive may not be protected in transit. We monitor emails sent to Us, including attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send to Us is within the bounds of the law.
6.4. People who Telephone Us
6.5. People Who Contact Us About Our Services or Products
Most of Our services and products are provided ‘business to business. But if you are an individual (for example an employee in a business, a sole trader, or a consumer of Our services in your own right) We will treat your personal data in accordance with data privacy principles. If you ask Us about Our services or products We will use your personal data to send you that information.
We will use the personal data to help Us understand your initial query and instructions and to determine what services or products are required from Us. If your enquiry becomes an order, instruction or contract, We will retain your information in accordance with Our internal archiving procedures.
If you decide not to instruct Us, We may retain your information in Our system. We maintain email archives for a period of 15 years.
6.6. People Who Use Our Services or Products (Our Clients)
Most of Our services and products are provided ‘business to business. But if you are an individual (for example an employee in a client business which buys Our services or products, a sole trader client who buys Our services or products, or a consumer of Our services in your own right) We will treat your personal data in accordance with data privacy principles.
We will use your personal data to provide the services or products including training, as per the contract between SandRose and you, the client (or where you are an employee of the client, to your employer, Our client).
We retain your information in line with Our internal archiving policies and procedures. Due to the nature of Our work, Our retention periods may be up to 30 years.
If you have opted to receive marketing communications, We will retain and use your personal details to send those. We will usually send this information by email to the email address you have given Us. You will be given the opportunity to opt out of further marketing emails each time We send you such an email.
Even if you have not opted in to receive marketing, We may still use your personal information to send you marketing emails relating to service or products which are similar to those which We have already supplied to you (or where you are an employee of a client), to your employer, Our client. You will be given the opportunity to opt out of such material each time We send you such an email.
If you do not wish to receive marketing material from Us, please let Us know. You can contact Us by email on email@example.com.
6.7. Project Stakeholders
In the course of carrying out Our duties, We hold various engagements with various individuals or groups of people living within communities where proposed projects are set to be implemented. Such engagements are conducted through face-to-face, audio or video recorded interviews, meetings or by administration of face-to-face or online questionnaires.
In some instances, We may collect the following data:
- Identification Information: your name, address, telephone number, email address, physical address, country of residence, age, ID numbers.
- Sensitive Personal Data: information about your ethnic social origin, conscience, belief, property details, marital status, family details including the names of your children, parents, spouse or spouses, gender or your sexual orientation. We do not typically request for such information through Our website. Where We collect such data, We will obtain your explicit consent before We collect, use or other process the below personal sensitive data.
6.8. Job Applicants
We use your personal data as part of Our selection process for Our approved suppliers. We will retain your personal data as stated in the data retention clause of your contract
7. Purposes, Legal Basis and Use
We may use, process, store or disclose the personal data We collect only where one or more of the below outlined principal legal grounds and specific business justifications exist:
|Activity||Our Purpose for Processing||Our Legal Basis|
New Client / Supplier
|Administration of surveys, questionnaire or focus-based groups||
|Job Application processing||
||As stated in the Job Applicant Policy|
|Online Identifiers, Cookies and Geo-location data||
||Necessary for Our legitimate interests (to study how customers use Our products/services, to develop them, to grow Our business and to inform Our marketing strategy)|
8. Data Retention
Due to the nature of Our business, We find it useful to retain project files and contact details for an indefinite period in case We need to refer back to the project.
For any other information such as supplier information, We will retain the data in accordance with your contract and Our data retention policies.
9. How We May Share the Information
We will not share your information with any third parties for the purposes of direct marketing.
We use data processors who are third parties who provide elements of services for Us. For example, Our email service is provided by Microsoft; We use Google Analytics to collect details of website visitor behaviour patterns and standard internet log information (see Visitors to Our website, above).
We may also need to share some personal information with other parties, such as external contractors and Our professional advisers, and with potential purchasers of some or all of Our business. The recipient of the information will be bound by confidentiality obligations.
We may also be required to share some personal information (for example with the government departments, border security or law enforcement) to comply with the law.
You have the following rights in relation to your Personal Data. Please note that these rights are available subject to certain criteria and exceptions in accordance The Kenya Data Protection Act, 2019.
10. Your Rights
10.1. Right to Transparency of Information
You are entitled to clear and transparent information about how We process your personal data.
10.2. Right of Access
You have the right to request for a copy of the personal data We are processing about you and to exercise that right easily and at reasonable intervals.
10.3. Right to Withdraw Consent
You have the right to withdraw consent where that is the legal basis of Our processing.
10.4. Right to Rectification
You have the right to have inaccuracies in personal data We hold about you rectified.
10.5. Right to Erasure
You have the right to have your personal data deleted where We no longer have any justification for retaining it subject to certain exemptions such as if the data is required for purposes of evidence.
10.6. Right to Object
We process your data pursuant to the reasons set out in this Policy. However, you can object to this processing, in which case We will make a new determination of whether your data should no longer be used for this purpose. We will stop the processing if your interest outweighs Our interest.
10.7. Right to Portability
You have the right to receive personal data concerning you in a structured, commonly used and machine-readable format.
- If you wish to exercise any of the rights outlined above, please write an email to the Data Protection Officer (DPO) on firstname.lastname@example.org
- We will endeavour to answer all questions via email within one month after receipt.
- That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. In that event, We will keep you informed of the progress on your request.
- If the provision of the data involves the data of third parties, these third parties can be asked in advance whether they have objections to the provision.
- We may ask for identification, because We need to know for certain whether We are issuing the data to the right person.
- In some cases, We will not be able to comply with your request. We may, for example, not be required to delete the data SandRose is legally obliged to retain.
10.9. To Whom Shall I Direct a Question or Complaint?
If you have any questions or complaints about the processing of personal data, you can contact SandRose on email@example.com.