DATA PRIVACY NOTICE

DATA PRIVACY NOTICE

The Zamara Group (‘Zamara’) is a financial services firm in the Republic of Kenya. Zamara understands that your privacy is important to you and that we care about how your personal data is used. We respect and value the privacy of all those whose lives we touch e.g., our customers and their beneficiaries and we will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the Data Protection legislation.

The Zamara Group of Companies in Kenya (“the Group”) include:

• Zamara Holdings Limited (“ZHL”)
• Zamara Actuaries, Administrators & Consultants Limited (“ZAAC”)
• Zamara Risk & Insurance Brokers Limited (“ZARIB”)
• Zamara Reinsurance Brokers Limited (“ZRBL”)
• Corporate & Pension Trust Services Limited (“C&P”)

And where the context so requires Zamara or Company shall refer to ZHL, ZAAC, ZARIB, or C&P as appropriate and Group shall refer to all the Companies.

This is Zamara Privacy Notice (“Privacy Notice”) which may be accessed from our webpage https://zamaragroup.com/ or a hard copy from our offices. We are referred to in this Privacy Notice as “Zamara”, “We” or “Our” or “Us”. An individual who is the subject of the personal data is referred to as “Customer”, “User” or “You”.

This Privacy Notice only covers all the data that we process including:

• data you provide directly about yourself or your beneficiaries; or
• data provided by your employer on your behalf; or
• data provided by the Trustees of a retirement benefits arrangement or a social security fund you belong to; or
• data provided by an insurance company for whom you are a customer.

Zamara’s employees or third-party vendors’ personal details are handled in-line with the terms of employment agreement or contractual relationships, or our separate policies that we provide, as relevant, independent of this Privacy Notice.

---

1. Information about us

Zamara Holdings Limited, Zamara Actuaries, Administrators & Consultants Limited, Zamara Risk & Insurance Brokers Limited, Zamara Reinsurance Brokers Limited, Corporate & Pension Trust Services Limited are all limited companies registered in the Republic of Kenya.

• Registered address: Ground Floor, Zamara Place, Chiromo Road/Wayaki Way, Westlands, Nairobi
• Postal Address: P.O. Box 52439-Code 00200
• Email address: info@zamara.co.ke
• Telephone number: +254 (20) 4969 000
• Website: https://zamaragroup.com/

2. What does this Privacy Notice cover?

2.1 This Privacy Notice explains how we use your personal data: how it is collected, how it is held and how it is processed. It also explains your rights under the law relating to your personal data.+1

2.2 We will process any personal data we collect from you in accordance with this Privacy Notice and our Contract (together with any other documents referred to in it). Kindly read this Notice carefully so that you can understand how we handle your personal data.

3. What Is personal data?

3.1 Processing of personal data is governed by the Data Protection Act, 2019 (‘the Act’), The Data Protection General Regulations 2021, The Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021, The Data Protection (Complaints Handling and Enforcement Procedures) Regulations 2021 as may be amended from time to time, and any other regulations made thereunder (collectively, “the Data Protection Legislation”).

3.2 Personal data means any information relating to an identified or identifiable natural person.

3.3 The personal data that we collect, and use is set out in Part 4, below.

4. How do we collect your personal data and how do we use your personal data?

A. PENSION SCHEME ADMINISTRATION AND CONSULTING SERVICES

Details of Personal Data Collected:

• Pension Scheme Members or Members of Social Security Funds: Name, Dates of Birth, Gender, Address, Contact Details (telephone and email), Medical Reports, Employment Details, Date of joining and exiting/retirement, Date of death, Identification documents (ID/Passport), Marital Status, Documents (ID copy, birth certificate, marriage/death certificate), Next of kin, Beneficiaries/dependants details, Financial data (salary, pension contributions, KRA PIN, Bank account details), Health status information.
• Trustees: Names, Dates of Birth, Gender, Telephone, Address, Academic Certificates.

How We Collect the Data: Most of the personal data is provided by yourself, your employer (current or previous), or the Trustees of a retirement benefits arrangement or social security fund.

Purpose of Processing:

• To provide pension scheme administration services including reconciliation of contributions, paying benefits, and safekeeping of data.
• Conducting regular statutory actuarial valuations.
• Perform fund accounting and fund administration.
• To provide advice regarding investment strategy.
• Lawful Basis: Performance of our contract with you, your employer, or the Trustees. In certain circumstances, legitimate interest of the data controller.

B. ACTUARIAL SERVICES – INSURANCE, HEALTHCARE, DATA ANALYTICS, DATA PRIVACY

Details of Personal Data Collected:

• Name, Dates of Birth, Gender, Health status, Employment Details, Identification documents, Beneficiaries/dependants details, Financial data (salary), KRA PIN, Bank account details, Contact details, Nationality.
• For health insurance: Date of admission/discharge, date of treatment, and health care centre visited.

How We Collect the Data: Directly from you, your employer, or the insurance company for whom you are a client.

Purpose of Processing:

• Conducting actuarial valuations and product design.
• Data analytics and developing dashboards.
• Determine and inform pricing of insurance products.
• Lawful Basis: Performance of our contract with you or your employer. In certain circumstances, legitimate interest.

C. INSURANCE BROKERAGE SERVICES

Details of Personal Data Collected:

• Name, Financial details (Salary, Bank account), Date of Birth, Health Status, Employment Details, Identification documents, Insurance Benefit Utilization & Scope, Treatment records, Family details, Next of Kin.

How We Collect the Data: Directly by you or by your employer (current or previous).

Purpose of Processing:

• Offer insurance brokerage services, scheme servicing, risk assessment, and facilitate claim processing.
• Lawful Basis: Performance of our contract with you or your employer.

D. MARKETING

Details of Personal Data Collected:

• Journalists (Name and Contact Details), Event attendees (Name, Photograph, Contact Details), Individual Clients (Name, Contact Details, ID Documents).

How We Collect the Data: Directly from you.

Purpose of Processing:

• Follow-up and collect leads, record visitor information, community management.
• Lawful Basis: Consent.

E. EVENTS & CONFERENCES

Details of Personal Data Collected:

• Contact Information, Photographs and Videos, Feedback and Surveys.

How We Collect the Data: Directly from you or the individual registering on your behalf. Photos/videos taken by the Zamara team.

Purpose of Processing:

• Event Management, Communication, Marketing, Promotional Material, Feedback.
• Lawful Basis: Implied consent.

F. INQUIRIES

Details of Personal Data Collected:

• Walk-ins: Name, Contact details, Identification documents.
• Call Center: Name, Contact details, Identification documents, Voice recording.

Purpose of Processing:

• Offer Customer Services and Support, Improving Services.
• Lawful Basis: Consent.

5. What are your rights under the Data Protection Legislation?

Under the Data Protection Legislation, you have the following rights, which we will always work to respect and uphold:

• 5.1 The right to be informed about our collection and use of your personal data.
• 5.2 The right to access the personal data we hold about you.
• 5.3 The right to have your personal data corrected if any of your personal data held by us is false, erroneous or misleading.
• 5.4 The right to ask us to delete or otherwise dispose of any of your personal data that we hold.
• 5.5 The right to restrict (i.e., prevent) the processing of your personal data.
• 5.6 The right to object to our use of your personal data for a particular purpose or purposes.
• 5.7 The right to withdraw consent. If we are relying on your consent, you are free to withdraw that consent at any time.
• 5.8 The right to data portability. You have a right to request your personal data in a structured and commonly used format.
• 5.9 Rights relating to automated decision-making and profiling. We do not use your personal data in this way.

If you wish to exercise any of the rights mentioned above, kindly submit your request to our Data Protection Officer at dpo@zamara.co.ke.

6. What sensitive personal data do we collect and how?

We may collect ‘sensitive’ personal data like data relating to your health status, gender, race, ethnic social origin, property details, marital status, family details including names and details of your children, parents, spouse or spouses, conscience, belief, genetic data, sex or the sexual orientation. We will only collect sensitive data about you if we have your explicit consent, or if authorised under the Data Protection Legislation.

7. Do we share your personal data?

All data sharing will be undertaken in line with the Data Protection Legislation.

8. Transfer of your personal data outside of the Republic of Kenya

We may occasionally need to transfer your personal data to service providers located outside the country to provide services. We verify that the destination country upholds data protection principles and establish comprehensive written agreements with recipients.

8.1 Within Zamara: We share some of your personal data among different departments at Zamara to ensure efficient administration. 8.2 Outside Zamara: We share information with organisations that assist us in delivering products, such as Insurance Companies, Auditors, Custodians, Fund Managers, Employers/Sponsors, and Trustees. We are also legally obliged to share requisite personal data with the Kenya Revenue Authority, Retirement Benefits Authority and Insurance Authority of Kenya.

9. We keep your personal data safe

We use a high level of protection, both organisational and technical measures, including:

• 9.1 Secure Servers: Equipped with firewalls and secure architecture.
• 9.2 Access Controls: Access is granted only to authorized personnel through secure log-in procedures.
• 9.3 Safeguarded Access to premises: Staff passes and keys required.
• 9.4 Encryption: We employ industry-accepted hashing algorithms.
• 9.5 Password Protection and Clear Desk Policy.
• 9.6 Anonymization and Pseudonymization.
• 9.7 Secure Paper Data Storage: Locked away with limited access.
• 9.8 Continuous Audits: Periodic privacy and information audits.
• 9.9 Empowered Staff: Rigorous training in handling personal data.

10. How long do we keep your personal data?

We keep your personal data only for specific periods as lawfully required. Considerations include where it is stipulated under the law and the necessary time needed to deliver the service.

11. How we use Cookies & Beacons

We employ cookies to gather and retain insights regarding your interaction with our website. Further details can be found in our Cookie Policy at https://zamaragroup.com/terms-conditions/.

12. How to Contact us

If you have questions regarding our handling of your personal data, please contact us: Address: Ground Floor, Zamara Place, Chiromo Road/Wayaki Way, Westlands, Nairobi, Kenya Postal: P.O. Box 52439 – Code 00200, City Square – Nairobi, Kenya Email: info@zamara.co.ke 

13. Amendments to this Privacy Notice

We may change, modify, or adopt a new Privacy Notice from time to time. If we do so, we will post it on our website.

14. Changes to your personal data

Please keep us informed of any changes to your personal data by emailing us with full details of the changes at info@zamara.co.ke.