Privacy Policy
1.0 Background
University of Nairobi Enterprise Services (UNES) Limited was registered as a private company limited by shares under the Companies Act (Chapter 486, Laws of Kenya) on 5 May 1996. The company is also listed as a Commercial State Corporation, under the State Corporations Act CAP 446. It is wholly owned by the University of Nairobi and thus the resources available to UNES are primarily those of the University. It is headed by a Board of Directors, which is responsible for the general policy and strategic direction of the company.
1.1 Principal Activities
The principal activities of UNES are:
- Managing the Consultancy unit that harnesses both the human and the physical resources of the University.
- Provision of Bookstore Services focusing on serving Universities, Tertiary Institutions and the General Public.
- Hospitality business that primarily serves the University Community and communities in its immediate surroundings.
- Provision of financial management services for income-generating activities within the University including, but not limited to, Chiromo Funeral Parlour, Diagnostic Imaging and Radiation Medicine, Dental Plaza and Jomo Kenyatta Memorial Library (JKML) Bindery Services.
1.2 The Mandate
The Mandate of the University of Nairobi Enterprises and Services (UNES) Limited is to offer Consultancy Services, Management Services, Hospitality Services, Bookstores and other entrepreneurial activities as approved from time to time by the Board.
UNES Articles and Memorandum of Association provide the following objectives for the company, among others:
- To harness the resources of the University of Nairobi with a view to enhancing the University’s teaching and research capabilities.
- To undertake consultancy work, research, production and other Income Generating Activities and to promote and facilitate such activities undertaken by the Faculties, Department, or other organs of the University of Nairobi.
- To Manage directly or provide managerial services for consultancies, research, production and other Income generating Activities undertaken by Faculties, Departments, or other organs of the University of Nairobi.
- To coordinate the Income Generating Activities undertaken by the Faculties, Departments, or other organs of the University of Nairobi.
- To have, legal rights in and register patents in any inventions, innovations, utility or rationalization model or industrial designs discovered or otherwise emanating from research undertaken, funded, promoted, assisted, guided, facilitated or otherwise initiated by the Company, and to participate in the leasing, assigning, sale or transfer or such invention, innovation utility or rationalization models or industrial design or otherwise participate as is appropriate in all that appertains to the publication, recognition protection and application of such invention, innovation, utility or rationalization model or industrial design.
- To borrow, whether or bank overdraft or otherwise, or raise money in such manner as the Company shall think fit, and in particular, by issue of debentures, mortgages, or other securities, or otherwise and to secure the repayment of any money borrowed, raised, or owing by charge chattel mortgage, debenture, or lien upon the whose or any part of the Company’s property or undertaking.
- To enter into any arrangements with any government or authority, municipal or otherwise, or any corporations, companies, or personas having objects which may seem conducive to the benefit of the Company and to obtain from such governments or authorities such rights and privileges as may be to the benefits of the Company.
- To amalgamate with or enter into partnership or any joint adventure or profit-sharing arrangements or co-operation with any company, firm, or person engaged in carrying on or conducting of any business or enterprise from with the Company would or might derive any benefit, whether direct or indirect;
2.0 Introduction
At University of Nairobi Enterprises and Services (UNES) Ltd. we are committed to protecting the privacy of our customers. This privacy policy explains the types of personal data we collect, how we use it, and the measures we take to protect it. This policy is in effect of the Data Protection Act of 2019 which regulates the access, processing and managing personal and institutional Data.
UNES is registered as a data processor and data controller by the Office of the Data Protection Commissioner (ODPC). UNES therefore has put in place mechanism to protect personal data collected from the customers, patients, students and suppliers from unauthorized access by third parties. We collect personal data such as names, addresses, phone numbers, and email addresses when customers create an account or place an order on our website. We also collect data through cookies and other tracking technologies when customers browse our websites.
We use personal data to fulfill orders, process payments, and communicate with customers about their orders. We may also use personal data for marketing purposes, such as sending newsletters or personalized product recommendations. We take measures to protect personal data from unauthorized access or misuse, including encryption and secure servers.
We retain personal data for as long as necessary to fulfill the purposes outlined in this policy. The length of keeping personal data in our systems is stipulated under the Records Management Regulations. Some data may be anonymized especially research data to ensure no privacy risks of any data subject is at risks.
Customers have the right to access their personal data and request that it be erased. If you have any questions or concerns about our data privacy practices, please contact us on Tel: +254 491 3912/14 or at unes@uonbi.ac.ke.
We may update this policy from time to time. Any changes will be reflected on this page, and we will notify customers of any significant changes.
3.0 Personal Data we collect
UNES ecommerce platforms may collect a variety of personal data from users in order to facilitate transactions and provide a personalized shopping experience. Also our UNES’ Enterprise resource planning (ERP) systems are used to manage various business functions, such as financial management, supply chain management, and human resources.
Some types of personal data that may be collected include:
- Contact information: This may include a user’s name, email address, and physical address.
- Financial information: This may include credit card or bank account information, as well as billing and shipping addresses.
- Demographic information: This may include a user’s age, gender, and interests, as well as information about their purchasing habits or preferences.
- Transaction history: UNES ecommerce platform may collect information about the products or services that a user has purchased in the past, as well as any returns or exchanges.
- Communication preferences: A user may be asked to provide information about how they prefer to be contacted, such as by email or phone.
- Social media information: If a user logs in to an ecommerce platform using their social media account, the platform may collect information from their social media profile, such as their friends or interests.
- Device information: UNES ecommerce platform may collect information about the devices that a user uses to access the platform, such as their IP address, browser type, and operating system.
- Employee information: UNES ERP system may collect personal data about employees, such as their name, contact information, job title, date of birth, place of birth, residence and salary.
- Customer information: UNES ERP system may collect personal data about customers, such as their name, contact information, and purchasing history.
- Financial information: UNES ERP system may collect financial data, such as billing and payment information, as well as data about financial transactions and accounts.
- Supply chain data: UNES ERP system may collect data about suppliers and vendors, including contact information and details about the products or services they provide.
- Human resources data: UNES ERP system may collect personal data related to employee benefits, training, and performance evaluations.
It’s important to note that the specific types of personal data collected by UNES ecommerce platforms will depend on the platform’s specific business needs and the products or services it offers.
4.0 Use of Personal Data
At UNES, Personal data can be used for a wide range of purposes, depending on the specific context in which it is collected.
Some common uses of personal data include:
- To facilitate transactions: Personal data may be collected and used by UNES to process orders, complete transactions, and deliver goods or services.
- To provide customer service: Personal data may be used by UNES to respond to customer inquiries, resolve complaints, or provide support.
- To personalize experiences: Personal data may be used to tailor products, services, or content to an individual’s preferences or interests.
- To improve products and services: Personal data may be used by UNES to gather feedback, identify trends, or make improvements to products or services.
- To communicate with customers: Personal data may be used by UNES to send marketing materials, newsletters, or other communications to individuals.
- To perform research and analysis: Personal data may be used by UNES or researchers to conduct studies, gather insights, or analyze trends.
- To comply with legal obligations: Personal data may be used by UNES to fulfill their legal obligations, such as reporting requirements or obligations related to data protection laws.
- Consent: Personal data may be processed if the individual has given their explicit consent to the processing. This means that the individual must have been provided with clear and concise information about the purposes for which their data will be used, and must have actively agreed to the processing.
- Contractual necessity: Personal data may be processed if it is necessary for the performance of a contract with the individual, or to take steps at their request prior to entering into a contract.
- Legal obligation: Personal data may be processed if it is necessary for the organization to comply with a legal obligation, such as a tax or reporting requirement.
- Vital interests: Personal data may be processed if it is necessary to protect the vital interests of the individual or another person.
- Public interest: Personal data may be processed if it is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the organization.
- Legitimate interests: Personal data may be processed if it is necessary for the legitimate interests of the organization, provided that these interests are not overridden by the interests or fundamental rights and freedoms of the individual.
UNES shall use personal data for purposes that are lawful and for which the individual has given their consent, unless there is another legal basis for processing the data.
5.0 Data Protection Measures
Personal data protection measures are the steps that individuals and organizations can take to safeguard personal information from unauthorized access or misuse.
Here are some examples of personal data protection measures:
- Use strong, unique passwords: Choose passwords that are difficult to guess and use different passwords for different accounts. Avoid using personal information, such as your name or birthdate, as passwords.
- Enable two-factor authentication: Two-factor authentication requires an additional step, such as entering a code sent to your phone, to access an account. This can provide an extra layer of protection against unauthorized access.
- Be cautious when sharing personal information online: Be careful about what personal information you share online and only share it with trusted sources.
- Use privacy settings on social media: Adjust the privacy settings on your social media accounts to control who can see your personal information.
- Use antivirus software: Antivirus software can help protect your device from malware and other threats that can access your personal information.
- Use encrypted messaging apps: Encrypted messaging apps, such as Signal and WhatsApp, can help protect the privacy of your messages.
- Use a password manager: A password manager can help you create and store strong, unique passwords for all of your accounts in a secure manner.
- Keep your devices and software up to date: Make sure to keep your devices and software up to date with the latest security patches and updates to help protect against vulnerabilities.
- Be aware of phishing scams: Be cautious of emails or messages that ask for personal information or request that you click on a link. This can be a tactic used by attackers to gain access to your personal information.
6.0 Data Retention
Under the General Data Protection Regulation (GDPR), and also affirmed in Data Protection Act of 2019, organizations are required to retain personal data for no longer than is necessary for the purposes for which the data was collected. This means that organizations should have a clear policy on data retention, which should specify how long personal data will be retained and the criteria used to determine retention periods.
In general, UNES shall retain personal data for the shortest period necessary to achieve the purposes for which it was collected. This means that UNES only retain personal data for as long as it is needed to fulfill the purposes for which it was collected. Once these purposes have been achieved, the data should be deleted or erased permanently.
There are certain circumstances in which UNES may be required to retain personal data for longer periods of time, such as for legal, regulatory, or compliance purposes. In these cases, the data should be retained in a secure manner and the data subject should be informed of the reasons for the extended retention period.
UNES shall also regularly review data retention policy and ensure that personal data is not being retained for longer than is necessary. This may involve conducting periodic audits or reviews to assess the need for continued retention of personal data.
UNES shall continually comply with Office of Data Protection Commissioner as required in the Data Protection Act, 2019 through implementation of a clear and transparent data retention policy that complies with the Act and GDPR. UNES shall also ensure that the personal data is only retained for as long as is necessary for the purposes for which it was collected.
7.0 Rights of Data Subjects
Data subjects have several rights under the General Data Protection Regulation (GDPR), which is a European Union (EU) law that regulates the processing of personal data. The Kenyan Law on Data Protection also recognizes these rights in Data Protection Act, 2019.
These rights include:
- The right to be informed: Data subjects have the right to be informed about how their personal data is being collected, used, and shared. This includes receiving a privacy notice that explains the purposes for which their data will be processed and the rights they have in relation to their data.
- The right of access: Data subjects have the right to request a copy of the personal data that an organization holds about them. This includes the right to request access to their data and receive information about how it is being used.
- The right to rectification: Data subjects have the right to request that any incorrect or incomplete personal data be corrected.
- The right to erasure: Data subjects have the right to request that their personal data be erased, also known as the “right to be forgotten.” This right is not absolute and may be limited in certain circumstances, such as when the data is necessary for legal purposes.
- The right to restrict processing: Data subjects have the right to request that an organization stop processing their personal data, or restrict the way in which it is processed. This right may be exercised in certain circumstances, such as when the accuracy of the data is being disputed.
- The right to data portability: Data subjects have the right to request that their personal data be transferred to another organization in a machine-readable format. This right applies when the data is processed using automated means and the data subject has provided their consent or the processing is necessary for the performance of a contract.
- The right to object: Data subjects have the right to object to the processing of their personal data in certain circumstances, such as when the data is being used for direct marketing purposes or for the purposes of scientific or historical research.
- The right not to be subject to automated decision-making: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or significantly affects them.
- It’s important to note that these rights are not absolute and may be limited in certain circumstances.
8.0 Changes to The Policy
The Data Privacy Policy was reviewed on January 4th 2023 and shall be updated every year or when necessary.
Customers have the right to access their personal data and request that it be erased. If you have any questions or concerns about our data privacy practices, please contact us on Tel: +254 491 3912/14 or at unes@uonbi.ac.ke.
We may update this policy from time to time. Any changes will be reflected on this page, and we will be available on our official website