PRIVACY POLICY

The Data Protection Policy

We at Royal Media Services Limited recognize the importance of protecting our privacy and the personal data we collect, process, and store in accordance with the Data Protection Act.

 Data protection at Royal Media Services Limited entails shielding information collected or stored on our servers from compromise or loss. The data stored is governed by the rules of confidentiality, availability, and integrity.

Our Company Data Protection Policy is committed to protecting the information of our customers, our content providers, the Company’s directors, employees, officers and all the third parties, i.e., consultants, suppliers, distributors, and subcontractors that we engage with in business dealings.

With this policy we ensure that Data gathered/collected, processed and distributed to consumers through digital platforms is handled fairly with the utmost care, confidentiality, and transparency and with respect to individual rights.

Policy Statement.

It is the goal of the Royal Media Services Limited company to ensure all the information/Data provided by our customers is protected from unauthorized persons, deletion, hacking, viruses, and malware attacks.

This policy states how personal Data is collected, processed, retained, used, and disclosed so that confidential information is protected in compliance with The Data Protection Act 2019 (“the DPA”).

The Company strictly adheres to its responsibility to avoid any breach or mishandling of Data or sharing Data without the consent of the Data subjects in each of the jurisdictions it operates.

Definitions

Company is an incorporated business organisation registered under the Companies Act 2015.

 Data is facts, figures or individual pieces of information that are captured through the operation of the Company and can be words, numbers, images, etc. Data is the raw detail that can be used to represent information or from which information can be derived. All Data needs to be managed regardless of what type it is. The types are: Internal (employees' Data) or External (Third Parties' Data, i.e., Customers and Partners).

 Personal Data is any information where a natural person is identifiable.

 Personal Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal Data transmitted, stored, or otherwise processed.

 Data governance is the management of Data assets. It includes managing, improving, monitoring and protecting the Company.

 Data subject is an identifiable natural person who is the subject of personal Data.

 Data Commissioner is an independent authority that exists to protect information rights in the public interest, promoting openness by public bodies and Data privacy for individuals.

 Data controller is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purpose and means of processing of personal Data.

 Data processor is a natural or legal person, public authority, agency, or other body that processes personal Data on behalf of the Data controller.

 Processing is the collection and manipulation of Data to produce meaningful information that can be stored and disclosed for transmission in various digital platforms.

 Encryption is the process of converting the content of any readable Data using technical means into coded form.

 Filing System is a structured set of personal Data which is accessible by reference to a Data subject.

 A Content Provider is an identifiable natural person that can be identified directly or indirectly by reference to a name, identification number and phone number. He/she brings Content to be reviewed and once it meets the Company’s standards, they sign a Contract Agreement and later the Content is published in the various available platforms.

 A Third Party is an Individual or entity that is involved in the facilitation of a transaction but is neither one of the primary parties. This is anyone or any business that we come in contact with during the course of our work. This includes actual and potential customers, suppliers, business contacts, Intermediaries, government and public bodies, including their advisors, representatives and officials, politicians and political parties.


 

Purpose of the Policy

This Data protection policy is designed to:

  •  Regulate all the Data processed by the Royal Media Services Limited.

  • Improve ease of access and ensure that once Data is located, users have enough information about the Data to interpret them correctly and consistently.

  • Improve the security of the Data, including confidentiality and protection from loss.

  •  Improve the integrity of the Data, resulting in greater accuracy, timeliness, and quality of information for decision-making.

  • Protect the rights of employees and third-party individuals/entities.

  • Ensure periodic audits of Data are done occasionally by the Data Protection Officer.

  • Ensure Data flow is efficient to avoid duplication of Data.

  • Ensure all the information held is protected from hacking, virus, and malware attacks by implementing technological security measures in each department.

  • Ensure all employees are well educated and aware of their role to make sure Data is secured and not shared with outside personnel.

  • Ensure Third parties and employees have consented to collection of their personal Data and are aware of how the Data is being stored and handled.

  • Ensure that Data is retained for a specific period of time depending on the Contract agreement.

  • Ensure the systems used in processing and storing Data meet the acceptable security standards set by the Data protection officer in compliance with the Data Protection Act 2019.

  • Ensure Third party Individuals and Entities understand how they can give or withdraw consent in relation to the Data stored and processed by the Company.

 

Application of the Policy

The policy applies to all the company’s directors, employees, officers and third parties, i.e., consultants, content providers, customers, suppliers, distributors, and sub-contractors that engage in business dealings with the company. All personnel covered in this policy are required to adhere strictly to the laws, rules and regulations of the Data Protection Act 2019.

 

Categories of Data Subjects.

  • Content Providers.

  • Customers.

  • Minors (being children under the age of 18).

  • Suppliers/Service Providers.

 

Personal Data collected from Data Subjects and Purpose of collection.

We collect, store, process, use, and transfer different kinds of personal data which we have grouped together as follows for different purposes as shown below:

Content Providers

| Personal Data we collect | Purpose of collection |
| --- | --- |
| Names of the content provider. | To know the individual names or corporate body identity |
| Email address of the content provider. | To reach out to them for clarifications or notifications |
| KRA Pin of the content provider. | To facilitate payment of statutory deductions (Tax payments) |
| Phone number of the content provider. | To reach out to them easily for clarifications or notifications |
| Business number or registration details of the content provider. | To ensure they have the necessary certificates or registration details |
| Identification number (ID) of the content provider. | To ascertain a person is who they say they are (prevents identity theft). For accreditation purposes |
| Passport photo of the content provider. | For identification purposes |

Suppliers/Service providers

| Personal Data we collect | Purpose of collection |
| --- | --- |
| Name | To know the individual names or corporate body identity |
| Mobile Phone Number | To reach out to them for clarifications or notifications |
| Identification number (ID) | To ascertain a person is who they say they are (prevents identity theft). For accreditation purposes |
| KRA Pin | To facilitate payment of statutory deductions (Tax payments) |
| Bank Details | To facilitate personal enumerations. |
| Certificate of Incorporation / Business Registration Certificate / National ID | To show the company's or entity's existence as per the law |

 

Customers

| Personal Data we collect | Purpose of collection |
| --- | --- |
| Name | To know the individual names. |
| Mobile Phone Number | To reach out to them. For customer support and for marketing purposes, that is, to send customers promotional messages regarding our platform if they are consuming Citizen Digital services |
| Email address | To reach out to them and for notification purposes and customer support |

| Other Data we collect | Purpose of collection |
| --- | --- |
| Active Sessions | To show duration of time the customer spends on our platform (shows the logging in and logging out time) for analytics and customer support |
| Transactions | Majorly for customer support and to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing). |
| One Time Password (OTP) | To facilitate registration and to verify it’s a user registering and to assist customers in resetting their passwords. |
| Identification number (ID) | To ascertain a person is who they say they are (prevents identity theft). For accreditation purposes |

 

If you fail to provide personal data:

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

Personal Data Collection Methods

We gather and accumulate Data from the following sources:

Website

Accessing our website when registering and consequently accessing content available in the Citizen Digital platforms and yielding your personal Data.

Emails/Social Media Platforms

By writing to us or visiting our social media platforms for inquiries and accessing the available Content showcased and leaving your comments, suggestions and likes.

Visitations to our premises

During visitations to our premises, in some instances your name is collected and an NDA is signed or a contract entered into. Your footage may also be recorded on the CCTV for security purposes.

Customer Care

Personal Data is collected when calling (all calls are recorded for quality purposes), texting, WhatsApp and emailing our customer care desk on inquiries and any issues encountered when interacting with our Citizen Digital platform or any of our other services for support and quality management.

Content Providers

When they sign an agreement with us and consent to share their content on our platform.

Citizen Digital Application

To access some features of the application, a customer may be required to first register. During that time, you submit your personal Data, i.e., name, mobile number and email address. You may also provide your National ID number when accessing certain sections.

Filling in forms

You may give us your Identity, Contact and Financial Data by filling in forms by corresponding with us by post, phone, and email or when making a payment through our platform.

Legal Requirements for the Processing of Personal Data

Personal Data may only be processed on the lawful basis provided under Section 30 of the DPA as:

  1. Consent: The person has expressly given us permission to process their personal Data for the purpose(s) stated.

  2. Contract: The processing is required for the performance of a contract between us and the Data subject, or we demand certain actions from the Data subject in order to enter into a contract with us (applies mostly to Content Providers).

  3. Legal obligation: when doing so is required, such as by the Data Protection Act of 2019.

  4.  The Data subjects' essential interests.

  5. A task must be carried out in the interest of the general public.

  6. The legitimate interests of our Data subjects in the Data processing.

 

Retention of Information

The amount, nature, and sensitivity of the personal Data, the risk of harm from unauthorized use or disclosure; the purposes for which we process the Data, the need to adhere to our internal policy; and any applicable legal, regulatory, accounting, or other requirements are all taken into account when determining the appropriate retention period.

We will keep your personal information for the duration of the user registration process in order to fulfill the purposes for which it was originally collected, including those required by law.

 

Third-Party Relationship

Royal Media Services Limited shall share/disclose personal Data to third parties under the following conditions:

  1. To meet the legal obligation between our Data subjects required by law.

  2. Royal Media Services Limited in exercising its mandate, may share/disclose your personal Data to third party entities as below:

  3. Publicly available and/or government agencies such as Kenya Revenue Authority (KRA), the Communications Authority of Kenya, the Kenya Copyright Board and/or any other government entity

  4. Royal Media Services Limited (CAL) will process and store the information you send to us, and our employees who are in charge of carrying out particular tasks as part of our mission will have access to it.

 

Creating Market Awareness

We shall send information to create awareness of our platform through SMS (short messages), adverts on TV/Radio, road shows, events and our social media platforms to educate viewers on the benefits of subscribing to the platform and the wide range of content available.

Terms and Conditions of Use and Privacy Policy

It is imperative that you carefully read and comprehend the terms and conditions of this policy before accessing or using this website, which belongs to Royal Media Services Limited. Please seek legal counsel at your own convenience and expense if you require it before agreeing to the terms. You accept to be bound by our Terms and Conditions by accessing, downloading, and using any of our platform materials.

Cookies

Once you visit our website, we may store information using cookies that monitor and save certain information about a user. This assists in identifying users that return to our website. The information saved includes: Location, Version of operating system the user is using, browser used, time, date, IP address, login and Usernames. Your consent shall be obtained for this.

Use of Hyperlinks

Our websites www.citizen.digital and www.royalmedia.co.ke provide hyperlinks to our application, which then avails the different products showing available Content our viewers can watch for entertainment purposes.

Data Storage

We store Data both in Kenya and outside Kenya as a matter of necessity due to reliability of systems, replication for read-only purposes, and for backup. Appropriate safeguard measures have been implemented with respect to security and protection of the Data in compliance with the Data Protection Act 2019.

Transfer of Data

Any transfer of data outside Kenya for another reason other than storage shall only be done under written agreements that set out the obligations of Royal Media Services Limited and recipients with respect to data protection. Further, prior to the transfer of personal data outside Kenya’s territory, you shall consent to cross-border transfers after being informed of the risks involved, and such data will only be transferred as a matter of necessity.

Your Rights

Data subjects whose data is processed and stored by Royal Media Services Limited have the following rights according to the Data Protection Act 2019:

  • Right to be informed of the use to which their personal Data is to be put.

  • Right to access their personal Data in our custody.

  • Right to request correction of false or misleading Data.

  • Right to withdraw consent given to us. This is to be done in writing according to our contractual agreement. We may choose to continue processing Data if we are legally obligated to.

  • Right to Object to the processing of their personal Data, unless we demonstrate compelling legitimate interests for the processing which overrides the Data subject's interests or unless we have legal reason to do so.

  • Right to request deletion of Data. This is done in writing according to our contractual agreement in compliance with our terms and conditions. We may choose to continue processing your Data if we are legally obligated to.

  • Right to object to the processing of all or part of their personal Data unless we are legally obligated to do so.

 

Measures Put In place to Safeguard Information

Royal Media Services Limited is committed to ensuring that information processed and stored is done so with the utmost confidentiality, integrity, and accountability.

RMS has put in place physical, administrative, and technical measures to ensure the security of information processed and stored. They include:

  • Intrusion detection systems.

  • Regular audits of the internal control systems used are done by the Data Protection Officer to ensure all the systems being used are secure.

  • Regular changing of systems passwords as directed by the Data Protection Officer to ensure information is not accessed by unauthorized personnel.

  •  Firewalls.

  •  Anti-virus protection.

  • Use of backups.

  • The Data Protection Officer regularly educates the employees in the different departments in the organization on how sensitive and important the Data they handle is and the measures they are required to take to ensure it is well protected.

  • Encryptions.

Contact Us:

If you have any inquiries, comments, or would like to execute any of the rights above related to the terms and use of this policy, you can send us an email at products@royalmedia.co.ke or submit a request via one of our digital platforms.

 When you reach out to us:

We will confirm your identity, evaluate the request to ensure its validity, and create a suitable response for you.

Here is our Data protection officer's contact information as a Data controller and processor:

Data Protection Officer Email: products@royalmedia.co.ke

Website: https://citizen.digital

Phone number: +254 719 060 000, +254 732 169 000

Company Name: Royal Media Services Limited

Company Location: Communication Center, Maalim Juma Road, Off Dennis Pritt

P.O. Box: 7468-00300

 

Monitoring and Reviews

Our Data Protection officer will monitor the effectiveness and review the implementation of this policy regularly to ensure it is adequate, effective, and in compliance with the Data Protection Laws.

 

Modifications to the personal Data collection and processing consent

Royal Media Services Limited reserves the right to amend or modify the provisions of the consent for the collection and processing of your personal data at any time and shall remain effective from the date of notification. When this happens, your express consent shall be required for subsequent registration applications.

Modifications to the privacy statement

The most recent version of this privacy statement will always be available on our website, www.citizen.digital/privacy-policy, and Royal Media Services Limited reserves the right to change it at any time.

This privacy statement may be amended or modified at any time, but only after posting the revised version on the Royal Media Services Limited website.