Privacy Policy

Pwani Oil Products Limited – Data Privacy Statement (2025 Edition) 

 

Effective Date: 1st January 2025 

Contact person: Aliasger Bharmal – Data Protection Officer 

Email: Contact Email
 

 

1. Introduction 

 

At Pwani Oil Products Limited (“POPL”), we are committed to protecting your personal data and ensuring transparency in how we collect, process, use, and store it. This privacy statement outlines how we handle personal data in accordance with the Data Protection Act, 2019 (Kenya), and its associated regulations. 

 

This statement applies to all persons whose personal data we process, including customers, suppliers, visitors, prospective employees, agents, dealers, and employees. It should be read in conjunction with any applicable contracts or platform-specific terms and conditions. 

 

1. Definitions 

 

“Personal Data” means any information relating to an identified or identifiable natural person, as defined under Section 2 of the Data Protection Act. 

“Sensitive Personal Data” includes biometric data, health data, and financial records. 

“Processing” includes collection, recording, storage, use, disclosure, and erasure. 

“Data Subject” refers to you — the individual to whom the data relates. 

“Data Controller” means POPL. 

“Data Processor” means any third-party processing data on our behalf. 

 

1. What Personal Data We Collect 

 

The data we collect depends on your interaction with us. It may include: 

 

1. Customers: 

 

Name, contact details, KYC documents, and transaction records. 

Consent for marketing and credit bureau reporting (with withdrawal options). 

 

1. Suppliers & Agents: 

 

Company information, director KYC documents, bank details, and contract history. 

 

1. Visitors: 

 

Name, ID number, phone number, organisation, host name, time in/out. 

CCTV footage may be recorded for security (visible but unlabeled cameras in use). 

 

1. Employees: 

 

Name, ID number, contact and next of kin details, biometrics (for attendance only), marital status, medical cover information, banking, tax identifiers, and GPS location (for sales vehicle tracking). 

 

1. Job Applicants: 

 

Personal and professional information submitted during application. 

 

1. How We Collect Personal Data 

 

1. Directly from you during onboarding, registration, visits, and transactions. 

1. Indirectly through our website, sales channels, mobile agents, or third-party platforms (e.g., Oracle, Microsoft Office 365). 

1. From hardcopy forms (secured under lock and key then digitized using AI tools for processing and storage). 

 

1. Lawful Basis for Processing 

 

1. Consent (Sections 32 & 33, DPA): e.g., for marketing, credit bureau sharing, recruitment. 

1. Contractual necessity: e.g., employee payroll, supplier payment processing. 

1. Legal obligation: e.g., statutory reporting to NSSF, NHIF, NITA. 

1. Legitimate interest: e.g., visitor logging, employee location tracking (security). 

1. Vital interests: e.g., medical emergencies. 

 

We document these bases in our internal Lawful Basis Matrix. 

 

1. Data Retention 

 

We retain personal data only as long as necessary for the purpose collected, in accordance with our Data Retention Policy, Records Management Policy and HR Records SOP. 

 

Where retention is no longer required, the data is securely disposed of or anonymized. Some anonymized data may be held indefinitely. 

 

1. Data Sharing and Disclosure 

 

We do not sell your data. We may share it: 

 

1. With regulatory, statutory, or enforcement bodies (on lawful demand). 

1. With contracted third-party service providers under Data Processing Agreements. 

1. With cloud providers (e.g., Microsoft), under Standard Contractual Clauses for international transfers. 

1. With survey agencies for service improvement (on consent). 

1. With licensed debt collectors or CRBs where contractually provided. 

 

No data is released to unauthorized or illegitimate entities. 

 

1. International Transfers 

 

Where personal data is transferred outside Kenya, we ensure appropriate safeguards are in place, including: 

 

1. Secure data hosting jurisdictions 

1. Contractual clauses aligned with Kenyan law 

1. Oversight of third-party obligations 

 

1. Data Subject Rights 

 

You have the right to: 

 

1. Be informed of how we process your data 

1. Access your personal data 

1. Request correction or deletion of your data 

1. Withdraw consent to processing or retention 

1. Object to or restrict processing 

1. Request data portability 

 

To exercise these rights, contact the  Data Protection Officer. We may request proof of identity to protect your data. We aim to respond within a reasonable time. 

 

1. Cookies and Web Tracking 

 

Our website uses cookies to enhance your experience. These store non-personal data like IP address, session timestamps, and pages visited. 

 

You can disable cookies in your browser. However, this may affect site functionality. 

 

1. Use of Hyperlinks 

 

Our website may contain links to third-party websites. We are not responsible for the content, privacy, or cookie policies of external sites. 

 

1. Security Measures 

 

We implement robust technical and organisational measures, including: 

 

1. Access controls (role-based) 

1. VPN access and encryption 

1. Antivirus protection 

1. CCTV monitoring 

1. Audit trails for consent, access, and breach events 

1. Staff NDAs, Departmental Data Champions, and mandatory bi-annual training 

 

1. Data Breach Notification 

 

POPL maintains an incident response plan and breach register. If a data breach occurs that may impact you, we will notify you and the ODPC within the statutory timelines. 

 

1. Non-Compliance 

 

Failure to comply with this policy by internal or external parties may result in: 

 

1. Disciplinary action 

1. Termination of contract 

1. Rejection of access or data requests 

 

1. Statement Updates 

 

We may update this Statement from time to time. The current version will always be available at https://www.pwani.net. Material changes will be communicated through appropriate channels.