Telkom Kenya Limited (hereinafter “Telkom” “us” “we”) respects the privacy of our users hereinafter (“You”). This Privacy Statement explains how we collect, use, disclose, and safeguard your information. Please read this Privacy Statement carefully.
We reserve the right to make changes to this Privacy Statement at any time and for any reason. We will alert you about any changes by updating the “Last updated” date of this Privacy Statement. Notice of at least 7 days will be given of any substantial changes and will be effective as at the date referred in such notifications. You are encouraged to periodically review this Privacy Statement to stay informed of updates. You will be deemed to have been made aware of, will be subject to, and will be deemed to have accepted the changes in any revised Privacy Statement after the date such revised Privacy Statement is posted.
1.1 The type of information we may collect includes:
(a) Your name, address, phone and/or mobile number, your date of birth, gender and email address.
(b) Your traffic data. This is data we see as part of providing you with connectivity, like the numbers you call, the time and duration of the call or how you are using data.
(c) Your location data. This can be precise where it uses Global Positioning System (GPS) data or by identifying nearby mobile phone masts and Wi-Fi hotspots and you enable location-based services or features. Or less precise where, for example, a location is derived from your IP address or data such as a postal code or name of a town or city.
(d) Your Credit or debit-card information, information about your bank account numbers.
(e) Your contact with us such as a recording of a call you make to one of our contact centers, an email or letter sent, or other records of any contact with us such as when you visit our Telkom Shops.
(f) Your account information such as dates of payment owed or received, subscriptions you use, account numbers or other information related to your account.
(g) Credential information – we’ll collect passwords, hints and similar security information used for authentication and access to accounts and services.
(h) Your preferences for particular products, services and lifestyle activities when you tell us what they are, or we assume what they are, based on how you use the products and services.
(i) Information we obtain from other sources, such as credit agencies, fraud-prevention agencies, and from other data providers. This includes demographic data, interest-based data, and internet browsing behavior.
1.2 We may collect information about you in a variety of ways. The information we may collect depends on the services and products you use, and includes:
(a) Buy or use any of our products and services
(b) Demographic and other personally identifiable information (such as your name and email address) that you voluntarily give to us when choosing to use Telkom services and products
(c) Use our network or other Telkom Kenya Limited products and services
(d) Register for a specific product or service including SIM Card Registration, Post Pay subscriptions and T-Kash
(e) Subscribe to alerts or other services from us
(f) Contact us through various channels, or ask for information about a product or service
(g) Visit or browse our website
(h) Have given permission to other companies to share information about you
(i) Where your information is publicly available
(j) We may also collect information about you on CCTV when you visit our premises or on other security cameras as part of our security and crime prevention measures.
(k) We may collect your information from other organizations such as fraud-prevention agencies, credit reference bureaus and business directories.
2.1We may share information we have collected about you in certain situations. Your information may be disclosed as follows:
i. By Law or to Protect Rights
If we believe the release of information about you is necessary to respond to a legal process, to investigate or remedy potential violations of our policies, or to protect the rights, property, and safety of others, we may share your information as permitted or required by any applicable law, rule, or regulation. This includes exchanging information with other entities for fraud protection and credit risk reduction.
ii. Third-Party Service Providers
We may share your information with third parties that perform services for us or on our behalf, including payment processing, data analysis, email delivery, hosting services, customer service, and marketing assistance.
iii. Marketing Communications
With your consent, or with an opportunity for you to withdraw consent, we may share your information with third parties for marketing purposes, as permitted by law.
We may share your information with our affiliates, in which case we will require those affiliates to honor this Privacy Statement. Affiliates include our parent company and any subsidiaries, joint venture partners or other companies that we control or that are under common control with us.
v. Business Partners
We may share your information with our business partners to offer you certain products, services or promotions.
vii. Other Third Parties
We may share your information with advertisers and investors for the purpose of conducting general business analysis.
2.2Where we have shared Your personal data with a third party as above in clause 2.1 save for clause 2.1 (i) for processing purposes, we shall take all reasonable steps to inform third parties processing such data, that you have requested the erasure or destruction of such personal data that may have been obtained unlawfully.
2.3 Where Telkom is required to erase Your personal data, but the personal data is required for the purposes of evidence such as in clause 2.1 (i) above, we shall, instead of erasing, restrict its processing and inform you within a reasonable time.
We use strict administrative, technical, and physical security measures to help protect your personal information. Your personal information will be kept for a certain period of time depending on individual circumstances.
Telkom shall ensure that your personal data is:
4.1 Processed in accordance with your right to privacy;
4.2 Processed lawfully, fairly and in a transparent manner in relation to you;
4.3 Collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
4.4 Adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
4.5 Collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
4.6 Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
4.7 Kept in a form which identifies you for no longer than is necessary for the purposes which it was collected; and
4.8 Not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from you.
5.1 You have the right to receive personal data concerning you in a structured, commonly used and machine-readable format.
5.2 You have the right to transmit the data obtained to another data controller or data processor without any hindrance.
5.3 Where technically possible, you shall have the right to have the personal data transmitted directly from one data controller or processor to another.
5.4 The right under this section shall not apply in circumstances where:
(a) processing may be necessary for the performance of a task carried out in the public interest or in the exercise of an official authority; or
(b) it may adversely affect the rights and freedoms of others.
5.5 Telkom shall comply with data portability requests, at reasonable cost and within a period of thirty days. Where the portability request is complex or numerous, the timeline may be extended for a further period as may be determined in consultation with the Data Commissioner.
6.1 Telkom shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed unless the retention is:
(a) Required or authorized by law;
(b) Reasonably necessary for a lawful purpose;
(c) Authorized or consented by you; or
(d) For historical, statistical, journalistic literature and art or research purposes.
6.2 We shall delete, erase, anonymise or pseudonymise personal data not necessary to be retained (as above) in a manner as may be specified at the expiry of the retention period.
7.1 You may request us to:
(a) rectify without undue delay personal data in its possession or under its control that is inaccurate, out-dated, incomplete or misleading; or
(b) erase or destroy without undue delay personal data that Telkom is no longer authorised to retain, irrelevant, excessive or obtained unlawfully.
7.2 Where we have shared the personal data with a third party for processing purposes, we shall take all reasonable steps to inform third parties processing such data, that you have requested:
(a) the rectification of such personal data in their possession or under their control that is inaccurate, out-dated, incomplete or misleading; or
(b) the erasure or destruction of such personal data that Telkom is no longer authorised to retain, irrelevant, excessive or obtained unlawfully.
7.3 Where Telkom is required to rectify or erase personal data, but the personal data is required for the purposes of evidence, we shall, instead of erasing or rectifying, restrict its processing and inform you within a reasonable time.
8.1 Telkom shall implement appropriate technical and organizational measures which are designed to;
(a) implement the data protection principles in an effective manner; and
(b) integrate necessary safeguards for that purpose into the processing.
8.2 We shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose is processed, taking into consideration:
(a) the amount of personal data collected;
(b) the extent of its processing;
(c) the period of its storage;
(d) its accessibility; and
(e) the cost of processing data and the technologies and tools used.
8.3 To give effect to the above we shall consider measures such as;
(a) identification of reasonably foreseeable internal and external risks to personal data under the person's possession or control;
(b) establishing and maintaining appropriate safeguards against the identified risks;
(c) Pseudonymisation and encryption of personal data;
(d) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(e) To verify that the safeguards are effectively implemented; and
(f) To ensure that the safeguards are continually updated in response to new risks or deficiencies.
8.4 We shall take all reasonable steps to ensure that any person employed by or acting under the authority of Telkom, complies with the relevant security measures.
9.1 Telkom shall only process personal data relating to a child where:
(a) consent is given by the child's parent or guardian; and
(b) the processing is in such a manner that protects and advances the rights and best interests of the child.
9.2 We shall incorporate appropriate mechanisms for age verification and consent in order to process personal data of a child. These mechanisms shall be determined on the basis of:
(a) Available technology;
(b) Volume of personal data processed;
(c) Proportion of such personal data likely to be that of a child;
(d) Possibility of harm to a child arising out of processing of personal data
9.3 The mechanisms for age verification include filling in a form (digital or physical) where input of date of birth is required. Where a person is below the age of 18 years, the child’s parent or guardian shall be required to consent to the processing.
10.1 Telkom shall, at your request, restrict the processing of personal data where:
(a) you contest the accuracy of the personal data for a period enabling the data controller to verify the accuracy of the data;
(b) personal data is no longer required for the purpose of the processing, unless we require the personal data for the business, exercise or defence of a legal claim;
(c) processing is unlawful and you oppose the erasure of the personal data and requests the restriction of their use instead; or
(d) You have objected to the processing, pending verification as to whether Telkom’s legitimate overrides your’s.
10.2 Where processing of personal data is restricted:
(a) the personal data shall, unless the data is being stored, only be processed with your consent or for the business, exercise or defence of a legal claim, the protection of the rights of another person or for reasons of public interest; and
(b) We shall inform you before withdrawing the restriction on processing of the personal data.
10.3 Telkom shall implement mechanisms to ensure that time limits established for the rectification, erasure or restriction of processing of personal data, or for a periodic review of the need for the storage of the personal data, is observed.
11.1 You have a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affects you .
11.2Where Telkom takes a decision, which produces legal effects or significantly affects the data subject based solely on automated processing:
(a) We must, as soon as reasonably practicable, notify you in writing that a decision has been taken based solely on automated processing; and
(b) You may, after a reasonable period of receipt of the notification, request us to:
(i) Reconsider the decision; or
(ii) Take a new decision that is not based solely on automated processing.
11.3 Telkom, upon receipt of such a request shall within a reasonable period of time:
(a) Consider the request, including any information provided by you that is relevant to it;
(b) Comply with the request; and
(c) By notice in writing, inform you of:
(i) The steps taken to comply with the request; and
(ii) The outcome of complying with the request.
12.1 You have a right to object to the processing of your personal data, unless Telkom demonstrates compelling legitimate interest for the processing which overrides your interests, or for the business, exercise or defence of a legal claim.
12.2 Where Telkom uses personal data for commercial purposes, we shall, where possible, anonymise the data in such a manner as to ensure that you are no longer identifiable.
13.1 Telkom may transfer personal data to another country only where it has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of personal data, and the appropriate safeguards including jurisdictions with commensurate data protection laws.
13.2 Telkom may transfer personal data to another country only where the transfer is necessary;
(i) for the performance of a contract between you and Telkom or implementation of pre contractual measures taken at your request;
(ii) for the conclusion or performance of a contract concluded in your interest between Telkom and another person;
(iii) for any matter of public interest;
(iv) for the company, exercise or defence of a legal claim;
(v) in order to protect your vital interests or of other persons, where you are physically or legally incapable of giving consent; or
(vi) for the purpose of compelling legitimate interests pursued by Telkom which are not overridden by your interests, rights and freedoms.
The processing of sensitive personal data out of Kenya shall only be effected upon obtaining your consent.
14.1Telkom shall collect personal data directly from you.
14.2 We may also collect your Personal data indirectly where:
(a) Your data is contained in a public record;
(b) You have deliberately made the data public;
(c) You have consented to the collection from another source;
(d) You have incapacity and your appointed guardian has consented to the collection from another source;
(e) The collection from another source would not prejudice your interests;
(f) Collection of data from another source is necessary;
14.3 Telkom shall collect, store or use personal data for a purpose which is lawful, specific and explicitly defined.
14.4 Telkom shall, before collecting personal data, in so far as practicable, inform you of:
(a) Your rights;
(b) The fact that personal data is being collected;
(c) The purpose for which the personal data is being collected;
(d) The third parties whose personal data has been or will be transferred to, including details of safeguards adopted;
(e) Telkom’s contacts and on whether any other entity may receive the collected personal data;
(f) A description of the technical and organizational security measures taken to ensure the integrity and confidentiality of the data;
(g) The data being collected pursuant to any law and whether such collection is voluntary or mandatory; and
(h) The consequences if any, where you fail to provide all or any part of the requested data.
15.1 Telkom shall not process personal data, unless:
(a) You consent to the processing for one or more specified purposes; or
(b) The processing is necessary:
(i) For the performance of a contract to which you are a party or in order to take steps at your request before entering into a contract;
(ii) For compliance with any legal obligation to which Telkom is a subject;
(iii) In order to protect your vital interests or another natural person;
(iv) For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(v) The performance of any task carried out by a public authority;
(vi) For the exercise, by any person in the public interest, of any other functions of a public nature;
(vii) For the legitimate interests pursued by the data controller or data processor by a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or
(viii) for the purpose of historical, statistical, journalistic, literature and art or scientific research
16.1 A data protection impact assessment means an assessment of the impact of the envisaged processing operations on the protection of personal data.
16.2 Where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes, Telkom shall, prior to the processing, carry out a data protection impact assessment.
16.3 A data protection impact assessment shall include the following:
(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by Telkom;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to your the rights and freedoms;
(d) the measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Data Protection Act, taking into account your rights and legitimate interests and other persons concerned.
16.4 The data impact assessment reports shall be submitted sixty days prior to the processing.
If you have questions or comments about this Privacy Statement, please contact us at:
Head Office: Telkom Plaza – Ralph Bunche Rd.
Postal Address: P.O. Box 30301-00100, Nairobi.
Front Office Desk: 020 4952000
Customer Care Telkom Mobile Number: 100
Customer Care Other Networks: 020 222 1000
Corporate Customer Care Telkom Mobile: 200
Corporate Customer Care Other Networks: 020 4600 200
Twitter: - @TelkomCare_Ke