Kenya Privacy Centre

Credit Reference Bureau Africa Limited T/A TransUnion

May, 2024

Version 1.0

Introduction

This privacy notice provides a high-level overview of how we use and share personal data across TransUnion. You can find more detailed information at the TransUnion Privacy Center or in other privacy information you may have received.

In Brief

TransUnion strives to protect privacy as we collect, use, process, disclose, transfer and retain personal data.

If your personal data is used unlawfully or infringes on your privacy, you have the right to object.

This notice covers the following topics:

1. Who we are and how to contact us
2. How we use personal data
3. Where we get personal data
4. How long we keep personal data
5. Our legal basis for handling personal data
6. Who we share personal data with
7. Where we store and send personal data
8. Your rights concerning your personal data
9. Where to lodge a complaint

Information for Good^®

We're in an era of rapid digital transformation where consumers demand more access to seamless, personalised products and services online. But the currency of personal data that fuels this platform economic boom poses threats to individuals and endangers corporate security.

Now more than ever — and likely more so in the future — consumers and corporates need new levels of trust and transparency.

As a global information and insights company, TransUnion seeks to make trust possible. We do this by curating an accurate and comprehensive picture of each consumer so they're safely and reliably represented in the marketplace. This enables businesses and consumers to transact with confidence and achieve great things. We call this Information for Good.

We have our registered offices at 2^nd Floor Delta Corner Annex, Ring Road, Westlands, Kenya  .  Although we're part of a larger group, this notice covers only the activities of Credit Reference Bureau Africa Limited T/A TransUnion within the Republic of Kenya.

Contact details
Contact us about personal data issues, including the contents of this notice via:

• Telephone:   +254 (020) 7603717

• Email: KenInfo@transunion.com / DPO_KE@transunion.com

How we use personal data

TransUnion limits the use and disclosure of personal data to the terms of the following legislation:

• The Banking (Credit Reference Bureau) Regulations 2020;
• Data Protection Act, 2019 and all subsidiary regulations thereunder; and
• any other applicable laws.

Products and services

Many of our products and services rely on personal data. For example:

Credit reporting: TransUnion compiles consumer credit information in credit reports from applications to (for example) credit providers for credit.

Credit services:  We may provide your information to organisations you deal with directly, such as credit risk assessors.

Example: credit risk assessment

If you apply for credit from one of our clients, they send us your data so we can find you in our databases and reply with information about your credit history. They use that information to assess your creditworthiness.

Fraud detection services: We may provide personal information to organisations other than those you deal with directly.

Example: fraud alerts

If we receive numerous identity verification checks against an individual in a short space of time, this could indicate someone is attempting identity theft or another form of fraud. In this case, we provide real-time fraud alerts to clients subscribed to that service.

If you have provided your details to an organisation to confirm your identity, we may retain those details and link them to other details we hold about you. Then, if a fraudster tries to use your details to apply for credit with a different organisation, we can raise a potential fraud alert.

Development and testing

We sometimes use personal information to improve, develop, monitor, maintain and test our products, systems and security measures. Where possible, we create pseudonyms or make the data anonymous beforehand.

If you consent, TransUnion will at times access, use, process and analyse your personal data, your consumer credit information, and marketing data to provide personalised offers from TransUnion and our trusted partners.

Digital marketing: To provide relevant products and services to consumers, we may enable business partners to use our data and technology to create, deploy and measure targeted digital advertising programs.

Advertising: We may use domestic or overseas third-party advertising companies to serve ads on TransUnion Site or on other sites which we use for advertising. We may also use third-party analytical tools to personalise advertisements and enhance the visitor experience.

Market research: Participation in market research activities is optional. When you opt-in, we use your information to improve the experience of our products

Business products: We may use personal data to promote and market relevant products, services and special offers from us and our affiliates.

Customer service: We may use personal data to identify customers, process transactions and provide quality service.

Recruitment: We use personal data when we receive an employment application.

Business operations

We may use personal data for our internal operations, such as:

Names, contact details, biometric and other information from consumers who visit our offices and contact us to deal with their enquiries. See our Customer Service Privacy Notice for more.

Employee information (including employment and educational history, background checks, biometric and performance appraisals) to manage our relationship.

CCTV cameras in public areas of our business premises for the safety of staff and visitors, and the security of our information and assets.

Legal and regulatory purposes, such as responding to complaints or enquiries about how we have used personal data.

In addition, we may aggregate anonymised data to provide performance analytics to business partners.

For more details on the kinds of data used for each purpose described, visit the TransUnion Privacy Center

For more on our use of cookies, see our Cookie Policy.

The kinds of personal information we use and where we get it

Information in your credit report includes:

• Identifying information, such as first name, surname, ID number, physical and postal address, contact numbers, marital status, spouse details, and current employer and occupation
• An account history or payment profile is a record of all your accounts with credit or service providers and a history of how you pay these accounts
• Enquiries include a list of credit or service providers allowed by you or permitted in terms of the Consumer Credit Act to receive your credit report
• Public records include publicly available information as permitted by law, such as judgments, administration orders, sequestrations and rehabilitation
• Default data is a record of any failure to pay money owed
• Other includes any information permitted under the Banking (Credit Reference Bureau) Regulations 2020.

Information not included in your credit report:

• Race, creed, colour, ancestry, ethnicity, religion, sexual orientation or political affiliations
• Medical history or status
• Major purchases paid in full with cash or cheques

Sources for information
We may collect your personal information, or obtain information originating from the following sources:

• Financial Institutions: banks, micro finance institutions
• Telecommunication companies
• Public Service utilities
• Any trader or any other company providing deferred payment services
• Other organisations as may be approved by the Financial Services Regulatory Authority.

The information we need
To verify information, credit providers need to include:

• Your full name and surname
• Your Identity Card number (where applicable) or your passport number and date of birth. Without this information, they can't lawfully grant credit.

Any further information requested by credit providers must be necessary and relevant to your application. No law forces you to give information, but a credit provider can't consider your credit application if you don't provide the information required.

We get personal data directly from our business partners, suppliers, clients, site visitors, and product and services customers signing up for any of our products or services.

When visitors use any products or functions in a TransUnion Site, we collect general internet data (including internet protocol ("IP") address, metadata, location data, date and time of the visit) and behavioural data, such as searches transactions and purchases.

How long we keep personal data

Simply put, we keep personal data for as long as necessary. More technically, we retain it to fulfil the purpose(s) of its provision, to comply with applicable laws, and for as long as your consent to such purpose(s) remains valid after termination of our relationship.

The Banking (Credit Reference Bureau) Regulations 2020 requires we use credit information only for the provided maximum periods prescribed for credit scoring or credit assessment.

We keep specific data indefinitely to verify the integrity of the information we may need to process in the future. We store this information securely and don't use it for any other purpose.

Our legal basis for handling personal data

Legitimate interests
The Law relating to the protection of personal data and privacy allows personal data usage where necessary for legitimate purposes without undue adverse impact. We base most of our processing activities on the 'legitimate interests' condition. For more details, refer to the relevant privacy notices in the links above.

Consent
In most instances, consumer consent to use personal information comes to TransUnion via our clients and data suppliers.

You need to agree on who can use your personal information and how. To do this, persons who have your information must notify you they have your data and how they plan to use it.

We strive to ensure our clients and data suppliers honour their contractual obligation to get all legally required consents before accessing personal information in our credit reports.

Contracts
If you sign up for one of our online services, we need to use personal data to provide the services as set out in the Terms & Conditions. We also use this basis for processing some of our staff data. Refer to the privacy notice on the relevant website for details.

Compliance
We only access, use and disclose personal data without consent in exceptional circumstances where necessary to:

• Comply with the law or a legal process served on us
• Comply with requests for information from police or government authorities
• Protect and defend our rights or property (including the enforcement of agreements)
• Protect the public interest
• Act in urgent circumstances to protect the personal safety of our employees or members of the public

We apply the above in terms of the Banking (Credit Reference Bureau) Regulations 2020, The Data Protection Act 2019 and other relevant national legislation.

Clients

Our clients have privacy notices that provide more information about how they use the data we supply. These clients typically operate in the following sectors:

• Banks, Microfinance institutions etc.
• TradersInsurance
• Retail
• Telecommunications
• Collections
• Employment agencies
• Financial services
• Public sector
• Startup

If our clients appoint an intermediary to act on their behalf, they too will receive the data.

Service providers

Our clients and we might provide information to third parties that help us achieve the purposes described in section 2. For example:

• Cloud-based services, such as Salesforce, help host, manage and analyse our databases.
• Cloud-based technologies, such as Microsoft Office 365, support our ordinary business operations.
• Printing companies to produce and send direct mail or other correspondence.
• Payment service providers to help with payments made by individuals.
• Market research companies to help us better understand our customers.
• A specialist sub-contractor operates our CCTV system.
• Services Providers that assists us with providing our services to you.
• Regulators like the Office of the Data Protection Commissioner or the Central Bank of Kenya.

These service providers can't use your information for their purposes or on behalf of other organisations unless you agree otherwise.

Where we store and send personal data

We sometimes make use of Service Providers that are situated outside of Kenya, e.g. South Africa, UK and US.  We access and use your information from our base in Kenya and will not transfer personal data to a country lacking laws that provide an adequate level of information protection, unless we have an agreement with the recipient requiring measures that offer a similar level of protection as The Data Protection Act, 2019 in Kenya and with the required permission from the relevant supervisory authority.

Your rights concerning personal data

We outline your rights regarding the personal data we hold about you below.

Access: You can access all information that we hold about you by contacting us through DPO_KE@transunion.com

Correction/Destruction/Deletion: If the information we hold about you is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained lawfully, you have a right to ask us to correct it or delete it.

Objection to processing: You may object (on reasonable grounds) to processing your personal data unless legislation provides for such processing.

Objection to direct marketing: You may object to us using your personal data for direct marketing, and if you do, we will stop.

Where to lodge a complaint

We strive to deliver the highest levels of customer service. However, if you’re ever unhappy with us, please contact us so we can investigate.

• Location: 2^nd Floor Delta Corner Annex Ring Road, Westlands,Kenya
• Postal Address:  P. O. Box 46406 – 00100 Nairobi
• Telephone:  +254 (020) 7603717
• Email: DPO_KE@transunion.com

Business Contact Privacy Notice

Credit Reference Burea Africa Limited T/A TransUnion

May, 2024

Version 1.0

Introduction

This privacy notice provides a high-level overview of how we use and share personal data across TransUnion. You can find more detailed information at the TransUnion Privacy Center or in other privacy information you may have received.

In Brief

We use personal information to:

• Manage our relationship with our business contacts and keep in touch with them
• Promote our products and services to our customers and potential customers

This notice covers the following topics:

1. Who we are and how to contact us
2. How we use personal data
3. Where we get personal data
4. How long we keep personal data
5. Our legal basis for handling personal data
6. Who we share personal data with
7. Where we store and send personal data
8. Your rights concerning your personal data
9. Where to lodge a complaint

Information for Good^®

We're in an era of rapid digital transformation where consumers demand more access to seamless, personalised products and services online. But the currency of personal data that fuels this platform economic boom poses threats to individuals and endangers corporate security.

Now more than ever — and likely more so in the future — consumers and corporates need new levels of trust and transparency.

As a global information and insights company, TransUnion seeks to make trust possible. We do this by curating an accurate and comprehensive picture of each consumer so they're safely and reliably represented in the marketplace. This enables businesses and consumers to transact with confidence and achieve great things. We call this Information for Good.

We have our registered offices at 2^nd Floor Delta Corner Annex, Ring Road, Westlands, Kenya .  Although we're part of a larger group, this notice covers only the activities of Credit Reference Burea Africa Limited T/A TransUnion within the Republic of Kenya.

Contact details

Contact us about personal data issues, including the contents of this notice via:

• Telephone:   +254 (020) 7603717

• Email: KenInfo@transunion.com / DPO_KE@transunion.com

How we use personal data

Relationship management

We use personal information to maintain and develop our relationships with clients, suppliers and their representatives.

Example: relationship management

• Informing you about product changes or planned maintenance activity
• Contacting you with billing enquiries
• Inviting you to events and webinars
• Corresponding with you about your enquiries
• Conducting surveys to collect qualitative and quantitative feedback
• Canvassing you about products or product features you want us to develop

Marketing

We use personal information to market our products and services to current and potential clients and their representatives. This includes providing industry insights, commentary and research on data and software, notification of events and webinars, and updates on products and services.

Example: Marketing

• Monitoring your interactions to understand the products and services that interest you so we can tailor our marketing
• Contacting you by email, telephone, SMS or post to tell you about products and services we think will interest you

Providing services

Sometimes we use personal information to provide information, services, alerts and other facilities requested. For example, we might use your contact details to grant access to one of our webinars.

As a registered user of one of our products, we may use your personal information within that product — please refer to the privacy notice available within the product for more details.

Monitoring and improving our websites

We use information such as how different people navigate our websites, how long they spend on particular pages and what content they download. This helps us improve the user experience by tailoring our website to match individual interests and preferences.

Security and systems administration

We also use this information for security and system administration to generate non-personalised data (such as statistics on the uptake of services and patterns of browsing). In addition, we may share this anonymous data with business contacts, selected third parties, sponsors and advertisers.

Legal and regulatory purposes

We may also need to use your personal information for legal and regulatory purposes.

The kinds of personal information we use and where we get it

We obtain and use information from various sources summarised in the following table:

We need your personal information to provide our products correctly. You don’t have to provide us with personal information for technical support requests, but this may impede the help we can provide.

How long we keep personal data

Simply put, we keep personal data for as long as necessary. More technically, we retain it to fulfil the purpose(s) of its provision, to comply with applicable laws, and for as long as your consent to such purpose(s) remains valid after termination of our relationship.

The Bankig (Credit Reference Bureau)Regulations 2020 requires we use credit information only for the provided maximum periods prescribed for credit scoring or credit assessment.

We keep specific data indefinitely to verify the integrity of the information we may need to process in the future. We store this information securely and don't use it for any other purpose.

Our legal basis for handling personal data

Legitimate interests
The Data Protection Act, 2019 allows personal data usage where necessary for legitimate purposes without undue adverse impact. We base most of our processing activities on the 'legitimate interests' condition. For more details, refer to the relevant privacy notices in the links above.

Other legal bases

Sometimes we process personal information on the following grounds:

Who we share personal information with

Clients

Our clients have privacy notices that provide more information about how they use the data we supply. These clients typically operate in the following sectors:

• Banks, Microfinance institutions etc.
•  TradersInsurance
• Retail
• Telecommunications
• Collections
• Employment agencies
• Financial services
• Public sector
• Startup

If our clients appoint an intermediary to act on their behalf, they too will receive the data.

Service providers

Our clients and we might provide information to third parties that help us achieve the purposes described in section 2. For example:

• Cloud-based services, such as Salesforce, help host, manage and analyse our databases.
• Cloud-based technologies, such as Microsoft Office 365, support our ordinary business operations.
• Printing companies to produce and send direct mail or other correspondence.
• Payment service providers to help with payments made by individuals.
• Market research companies to help us better understand our customers.
• Services Providers that assists us with providing our services to you.
• A specialist sub-contractor operates our CCTV system.
• Regulators like the Office of the Data Protection Commissioner or the Central Bank of Kenya.

These service providers can't use your information for their purposes or on behalf of other organisations unless you agree otherwise.

Where we store and send personal data

We sometimes make use of Service Providers that are situated outside of Kenya, e.g. South Africa,  UK and US.  We access and use your information from our base in Kenya and will not transfer personal data to a country lacking laws that provide an adequate level of information protection, unless we have an agreement with the recipient requiring measures that offer a similar level of protection as the Data Protection Act, 2019 in Kenya and with the required permission from the relevant supervisory authority.

Your rights concerning personal data

We outline your rights regarding the personal data we hold about you below.

Access: You can access all information that we hold about you by contacting us through DPO_KE@transunion.com

Correction/Destruction/Deletion: If the information we hold about you is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained lawfully, you have a right to ask us to correct it or delete it.

Objection to processing: You may object (on reasonable grounds) to processing your personal data unless legislation provides for such processing.

Objection to direct marketing: You may object to us using your personal data for direct marketing, and if you do, we will stop.

Where to lodge a complaint

We strive to deliver the highest levels of customer service. However, if you’re ever unhappy with us, please contact us so we can investigate.

• Location:  2nd floeer, Delta Corner Annex, Ring Road Westlands, Kenya
• Postal Address:  P O Box 46406 – 00100 Nairobi
• Telephone:  +254 (020) 7603717

Email: DPO_KE@transunion.com

TransUnion Kenya

Last revised: 22 September 2022 

Version 1.1 

© 2022 TransUnion LLC
All Rights Reserved

No part of this publication may be reproduced or distributed in any form or by any means, electronic or otherwise, now known or hereafter developed, including, but not limited to, the Internet, without the express written permission of TransUnion. This document is protected by U.S. and International copyright laws. This document and the subject matter contained herein is TransUnion proprietary and confidential information, and may not be shared or used for any purposes other than the purpose for which it was provided by TransUnion, without the express written permission of TransUnion. By using this document, you are agreeing that you will not attempt, directly or indirectly, to reverse engineer, decompile, or disassemble any TransUnion services or service information, any confidential or proprietary criteria developed or used by TransUnion relating to services you receive from TransUnion, or any of the TransUnion confidential and proprietary information contained herein. The entire right, title and interest in and to this document and TransUnion services, and all copyrights, patents, trade secrets, trademarks, trade names, and all other intellectual property rights associated with any and all ideas, concepts, techniques, inventions, processes, or works of authorship including, but not limited to, all materials in written or other tangible form developed or created by TransUnion, shall at all times vest exclusively in TransUnion. You acknowledge that any misuse, misappropriation or threatened misappropriation of TransUnion’s intellectual property rights, or any breach or threatened breach of the foregoing restrictions, may cause immediate and irreparable injury to TransUnion, and in such event, TransUnion shall be entitled to seek injunctive relief. Nothing stated herein will be construed to limit any other remedies available to TransUnion including, but not limited to suspension and/or termination of the services provided to you.

Requests for permission to reproduce or distribute any part of, or all of, this publication should be mailed to:

Law Department
TransUnion
Delta Corner Annex, 2^nd Floor, Ring Road,
Westlands, Nairobi.

The “tu” logo, TransUnion, and other trademarks, service marks, and logos (the “Trademarks”) used in this publication are registered or unregistered Trademarks of TransUnion LLC or their respective owners. Trademarks may not be used for any purpose whatsoever without the express written permission of the Trademark owner.

transunion.com

Table of contents

Internet Information

Internet information

When you visit and use any Products or functions in the TransUnion Site, we may collect behavioural data and general internet data, including your internet protocol ("IP") address, metadata, location data, and date and time you visit. As part of this:

• We set a "cookie" on your computer to recognise you when you visit, and collect information (like your page visits and preferences) for statistical purposes and to study how people use the site to improve the user experience. We may provide such data to outside vendors for the same reasons. We store no personal information in cookies. You can reject cookies by setting the preference in your web browser, but you might not be able to apply for credit reports online. For more information about cookies, visit: http://www.cookiecentral.com/n_cookie_faq.htm.
• TransUnion uses two different cookies. One type "recognises" you whenever you return using the same computer, so you do not have to re-enter personal information. If you set your web browser to not accept or delete this cookie, you can still access our products and services if you re-enter personal information each time you visit. The second type of cookie processes each step of your transactions with us. If you refuse to accept this type of cookie, you cannot access our products and services. Most web browsers auto-delete this type of cookie when you end your session.
• We may use third-party advertising companies to serve ads on the TransUnion Site or on other sites we use for advertising. These companies may use cookies and action tags (also known as single-pixel GIFs or web beacons) to measure advertising effectiveness. They may not use the information we share for any other purpose. Any information collected via cookies and action tags is anonymous.
• We may use Google Analytics or similar analytical tools to optimise and personalise the advertisements and customer experiences we offer.
• The data we collect to enhance your user experience includes the IP address of your computer and pages you visit but excludes any personal information. We only link the IP address to your information to authenticate and protect your personal information. We receive anonymous data from other websites displaying our advertisements to help us understand how visitors to our site responded to those ads and enhance our campaigns. You can opt out of this data collection and sharing activity by following the procedures under the Browser Opt-Out and Privacy Center information sections on com.
• Behavioural data is the information used to enhance the relevance of personalised offers from TransUnion and our trusted partners. This data includes your interaction with our products and services, such as searches, transactions and purchase history. We keep all such data in our secure server and do not share it with any third parties.

Customer Service Privacy Notice

Credit Reference Bureau Africa T/A TransUnion

May, 2024

Version 1.0

Introduction

This privacy notice provides a high-level overview of how we use and share personal data across TransUnion. You can find more detailed information at the TransUnion Privacy Center or in other privacy information you may have received.

In Brief

When you contact us with a request, complaint or enquiry, we will use your personal data in order to help us to respond to you.

Sometimes this will mean sharing personal data with third parties. For example, if you dispute the accuracy of information on your credit report, we may need to contact the organisation who provided us with that information to check whether it is correct.

This notice covers the following topics:

1. Who we are and how to contact us
2. How we use personal data
3. Where we get personal data
4. How long we keep personal data
5. Our legal basis for handling personal data
6. Who we share personal data with
7. Where we store and send personal data
8. Your rights concerning your personal data
9. Where to lodge a complaint

Information for Good^®

We're in an era of rapid digital transformation where consumers demand more access to seamless, personalised products and services online. But the currency of personal data that fuels this platform economic boom poses threats to individuals and endangers corporate security.

Now more than ever — and likely more so in the future — consumers and corporates need new levels of trust and transparency.

As a global information and insights company, TransUnion seeks to make trust possible. We do this by curating an accurate and comprehensive picture of each consumer so they're safely and reliably represented in the marketplace. This enables businesses and consumers to transact with confidence and achieve great things. We call this Information for Good.

We have our registered offices 2nd Floor Delta Corner Annex Ring Road Westlands Kenya.  Although we're part of a larger group, this notice covers only the activities of Credit Reference Bureau Africa T/A TransUnion within the Republic of Zambia.

Contact details
Contact us about personal data issues, including the contents of this notice via:

• Telephone:   +254 (020) 7603717

• Email: KenInfo@transunion.com / DPO_KE@transunion.com

How we use personal data

Enquiries

We use your personal data to deal with any issue or complaint you have raised (which we refer to as an “enquiry”). This might include contacting you for more information or tell you the outcome of your enquiry. Typical enquiries include:

• Requests for access to personal data, to challenge the accuracy of personal data, or to request the erasure of personal data
• Support requests for our consumer products
• Complaints of any nature
• General enquiries

Identity verification

When you contact us, we may need to verify your identity to ensure we don’t provide personal data to unauthorised parties.

Example: identity verification

If someone contacts us and asks us for a copy of your credit report, we’ll check that it’s you (or someone authorised by you) asking for it. We may ask for evidence of identity such as a  copy of your identity card or a bank statement.

It’s important to do this because the information in your credit report is valuable and could be used to impersonate you if it were to fall into the wrong hands.

Feedback

We may ask you to provide us with feedback or to leave a review about the service you received. Your feedback helps us to improve our services.

Products and services

We use aggregated statistics about enquiries, requests and complaints to help manage our services and identify potential problems. Some enquiries lead to changes to the personal data we use in our products and services.

Constant improvement

We use information from complaints and requests to help understand what went wrong, fix any problems, and improve how we deal with similar issues.

Legal and regulatory purposes

We may use personal data for legal and regulatory purposes. This might include responding to complaints or enquiries from you or a regulator about how we have handled your enquiry or used your personal data.

The kinds of personal information we use and where we get it

We obtain and use information from various sources summarised in the following table:

You are free to choose whether you give us your personal data. However, if you don’t provide the information we need, this may limit our ability to help.

How long we keep personal data

We keep your personal data during the enquiry and for an additional period after completion. That period depends on purposes, such as:

• Showing we have processes to deal with enquiries and are doing so fairly under our regulatory requirements
• Responding to you or a regulator to show we dealt with an enquiry properly
• Defending legal claims or regulatory action that might arise because of the enquiry

Our legal basis for handling personal data

Legitimate interests
The Law relating to the protection of personal data and privacy allows personal data usage where necessary for legitimate purposes without undue adverse impact. We base most of our processing activities on the 'legitimate interests' condition. For more details, refer to the relevant privacy notices in the links above.

Who we share personal information with

Clients

Our clients have privacy notices that provide more information about how they use the data we supply. These clients typically operate in the following sectors:

• Banks, Microfinance institutions etc.
• Traders
• Insurance
• Retail
• Telecommunications
• Collections
• Employment agencies
• Financial services
• Public sector
• Startup

If our clients appoint an intermediary to act on their behalf, they too will receive the data.

Service providers

We may provide information to third parties who help us use it for purposes described For example:

• Cloud-based services, such as Salesforce, help host, manage and analyse our databases.
• Cloud-based technologies, such as Microsoft Office 365, support our ordinary business operations.
• Printing companies to produce and send direct mail or other correspondence.
• Payment service providers to help with payments made by individuals.
• Market research companies to help us better understand our customers.
• A specialist sub-contractor operates our CCTV system.
• Services Providers that assists us with providing our services to you.
• Regulators like the Office of the Data Protection Commissioner or the Central Bank of Kenya.

Data suppliers and other third parties

If your enquiry is about data supplied to us by third parties, we might provide them with your personal data to help manage your enquiry. For example, if you dispute the accuracy of an entry on your credit file, we may contact the provider of that information to check whether its validity.

These service providers can’t use your information for their purposes or on behalf of other organisations unless you agree otherwise.

Where we store and send personal data

We sometimes make use of Service Providers that are situated outside of Kenya, e.g. South Africa,  UK and US.  We access and use your information from our base in Kenya and will not transfer personal data to a country lacking laws that provide an adequate level of information protection, unless we have an agreement with the recipient requiring measures that offer a similar level of protection as  in the Data Protection Act 2019 in Kenya and with the required permission from the relevant supervisory authority.

Your rights concerning personal data

We outline your rights regarding the personal data we hold about you below.

Access: You can access all information that we hold about you by contacting us through DPO_KE@transunion.com

Correction/Destruction/Deletion: If the information we hold about you is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained lawfully, you have a right to ask us to correct it or delete it.

Objection to processing: You may object (on reasonable grounds) to processing your personal data unless legislation provides for such processing.

Objection to direct marketing: You may object to us using your personal data for direct marketing, and if you do, we will stop.

Where to lodge a complaint

We strive to deliver the highest levels of customer service. However, if you’re ever unhappy with us, please contact us so we can investigate.

• Location: 2nd Floor Delat Corner Annex Ring Road Westlands Kenya
• Postal Address: P O Box 46406 – 00100 Nairobi
• Telephone: +254 (020) 7603717
• Email: DPO_KE@transunion.com

TransUnion Kenya

Last revised: 22 September 2022 

Version 1.0 

© 2022 TransUnion LLC
All Rights Reserved

No part of this publication may be reproduced or distributed in any form or by any means, electronic or otherwise, now known or hereafter developed, including, but not limited to, the Internet, without the express written permission of TransUnion. This document is protected by U.S. and International copyright laws. This document and the subject matter contained herein is TransUnion proprietary and confidential information, and may not be shared or used for any purposes other than the purpose for which it was provided by TransUnion, without the express written permission of TransUnion. By using this document, you are agreeing that you will not attempt, directly or indirectly, to reverse engineer, decompile, or disassemble any TransUnion services or service information, any confidential or proprietary criteria developed or used by TransUnion relating to services you receive from TransUnion, or any of the TransUnion confidential and proprietary information contained herein. The entire right, title and interest in and to this document and TransUnion services, and all copyrights, patents, trade secrets, trademarks, trade names, and all other intellectual property rights associated with any and all ideas, concepts, techniques, inventions, processes, or works of authorship including, but not limited to, all materials in written or other tangible form developed or created by TransUnion, shall at all times vest exclusively in TransUnion. You acknowledge that any misuse, misappropriation or threatened misappropriation of TransUnion’s intellectual property rights, or any breach or threatened breach of the foregoing restrictions, may cause immediate and irreparable injury to TransUnion, and in such event, TransUnion shall be entitled to seek injunctive relief. Nothing stated herein will be construed to limit any other remedies available to TransUnion including, but not limited to suspension and/or termination of the services provided to you.

Requests for permission to reproduce or distribute any part of, or all of, this publication should be mailed to:

Law Department
TransUnion
Delta Corner Annex, 2^nd Floor, Ring Road,
Westlands, Nairobi.

The “tu” logo, TransUnion, and other trademarks, service marks, and logos (the “Trademarks”) used in this publication are registered or unregistered Trademarks of TransUnion LLC or their respective owners. Trademarks may not be used for any purpose whatsoever without the express written permission of the Trademark owner.

transunionafrica.com

Table of contents

Introduction

1. Purpose of policy
2. Application of policy
3. Definitions
4. Compliance with laws and associated bodies
5. Information security
6. Consents
7. Submission of data to TransUnion
8. Use of information
9. The parties obligation concerning protection of personal data
10. Audit rights
11. Return and retention of Personal Data
12. Indemnities
13. Confidentiality
14. Breach and termination
15. Payment profile information
16. Removal of adverse listings
17. Information requested in respect of juristic persons and their principals
18. Consequences of termination
19. Waiver
20. Severability

Introduction

TransUnion is a credit bureau licensed by the Central Bank of Kenya in accordance with the provisions of the Banking Act (Credit Reference Bureau Regulations, 2020; Registration Number C.82122). Its operations are regulated by the CRB Regulations and other applicable Laws, including the Data Protection Act No. 24 of 2019. TransUnion protects the integrity of all information housed by it, ensuring the information is kept secure.

TransUnion is committed to conducting its operations in an ethical manner and in compliance with all applicable Laws and guidelines. To successfully ensure this, it’s vital all entities doing business with TransUnion ascribe to the same standards. Accordingly, TransUnion has set out, in this policy, obligations that need to be adhered to when an entity processes (including but not limited to the receipt and usage of), personal data from or supplies personal data to TransUnion.

NOTE: This policy may be updated from time to time to reflect any amendments made to applicable Laws or association/industry policy directives and guidelines.

1. Purpose of policy

To outline obligations for protecting the integrity and confidentiality of information transmitted to and from TransUnion’s systems as required by applicable laws and guidelines relevant to the information services and risk services industry.

2. Application of policy

• This policy is applicable to all entities who (a) procure and/or use and/or process Personal Data from TransUnion (whether directly OR through an authorised TransUnion channel partner/reseller), and who (b) supply information to TransUnion (whether directly OR through an authorised TransUnion channel partner/reseller) – such parties referred to hereafter as an “Applicable Party.”
• The terms of this policy shall be deemed to form part of the Applicable Party’s contract with TransUnion or with a TransUnion channel partner/TransUnion reseller (as the case may be) as if specifically incorporated therein. A breach of any obligation by the Applicable Party herein (and a contravention of the CRB Regulations and/or the Data Protection Act) shall therefore be regarded as a breach of the contract concluded with TransUnion or the channel partner/reseller, and shall be managed as such. Therefore, this policy shall continue to be of force and in effect for as long as either Party remains in possession of any Personal Data of the Data Subjects, regardless of the termination of any agreement or contract with TransUnion.
• In the event of a conflict between the provisions of this policy and any other agreement between TransUnion and the Applicable Party; and, any applicable agreement in place between an authorised TransUnion channel partner/reseller and the Applicable Party, the provisions of this policy will take precedence in regard to all aspects pertaining to any processing of Personal Data.

3. Definitions

For purposes of this policy, capitalised terms shall have the meanings ascribed to them below:

• “CRB Regulations” means the Banking Act, Credit Reference Bureau Regulations, 2020 as amended from time to time
• “Data Controller” shall have the meaning ascribed thereto in Data Protection Act, and for purposes of this policy shall mean either Party as the context may require
• “Data Processor” has the meaning set out in the Data Protection Act, and for purposes of this policy means the Party who Processes Personal Data on behalf of the other Party or any authorised subcontractor of either of the Parties
• “Data Protection Act ” means the Data Protection Act No. 24 of 2019 together with the Regulations as amended from time to time
• “Data Subject” means any identified or identifiable natural person who is the subject of personal data — as contemplated in the Data Protection Act
• “Laws” means all laws, regulations, by-laws, rules, directives, guidelines, circulars, orders and other requirements of any government or any government agency, body or authority, including any regulator or court
• “Party” or “Parties” means either the Applicable Party or TransUnion or both, as the context may require
• “Payment Profile Information” means the payment history and financial information relating to a debt or credit transaction, including relevant payment dates, both negative and positive information and/or signs depicting action taken in respect of such debt or credit transaction
• “Personal Data” shall have the meaning set out in section 2 of the Data Protection Act, and includes sensitive personal Data as defined in the Data Protection Act and relates to the Personal Data of which either Party is the Data Controller in relation to which TransUnion renders the services to the Applicable Party
• “Processing” or “Process” shall have the meaning set out in the Data Protection Act
• “TransUnion” means Credit Reference Bureau Africa Limited, registration number C.82122; a private company with limited liability registered in accordance with the Companies Act, 2015

4. Compliance with laws and associated bodies

In its dealings with TransUnion and usage of TransUnion’s service offerings, the Applicable Party shall at all times comply with the requirements for the receipt, compilation and reporting of information as prescribed by the CRB Regulations and other applicable Laws and associated bodies.

5. Information security

• The Applicable Party shall ensure all persons accessing TransUnion’s services on its behalf have been duly authorised by the Applicable Party to do so. In addition, the Applicable Party shall ensure only it or its authorised representatives have access to any PIN and/or password PIN issued for the purposes of requesting TransUnion services. The Applicable Party shall be liable for transactions, fees and other costs arising out of the use by any person of TransUnion’s services via the PIN and/or Password —whether or not such use is or has been authorised by the Applicable Party.
• The Applicable Party shall immediately notify TransUnion in writing of any breach or attempted breach of security of which the Applicable Party may become aware or ought to have become aware of, and the Applicable Party shall take reasonable steps to prevent a recurrence thereof and mitigate the effects of such breach. TransUnion shall be entitled to fully investigate such breach or attempted breach, and the Applicable Party shall give TransUnion its full cooperation with such investigation. Furthermore, the Applicable Party shall be liable for transactions, fees and other costs arising out of the use by any person of the TransUnion services, including use of such services arising from a security breach in accordance with applicable Laws.
• The Applicable Party shall install, implement and maintain the necessary software and IT security systems to ensure no destructive elements are introduced into TransUnion’s systems. Destructive Elements means code that:
  • is intentionally designed to disrupt, disable, harm or otherwise impede in any manner, including aesthetic disruptions or distortions; the operation of TransUnion’s software, hardware, computer systems or networks; or any other associate hardware, software, firmware, computer system or network used in relation to TransUnion’s services; or
  • would disable TransUnion’s software, hardware, computer systems or network, or impair in any way their operation based on the elapsing of a period of time, exceeding the authorised number of copies, advancement to particular date or numeral; or
  • would permit an unauthorised person to access TransUnion’s software, hardware, computer systems or network of and/or of third parties to cause a disruption, disablement, harm or impairment, or which contains any other similar harmful, malicious or hidden procedures, routines or mechanisms which would cause such programs to cease functioning; or that can cause damage to data, storage media, programs, equipment or communications, or otherwise interfere with the operations thereof.

6. Consents

• The Applicable Party:
  • shall ensure prior to submitting to and/or requesting any information from TransUnion (whether directly or via a TransUnion channel partner or TransUnion reseller) it shall have validly obtained all consents (whether from natural or juristic persons – as applicable) that may be required in terms of the CRB Regulations and the Data Protection Act, or any other applicable Laws to submit, request and/or receive such information;
  • shall obtain upfront, written, express, ongoing and lawfully valid consent in respect of any requests for TransUnion to provide monitoring and account management services; and
  • shall retain and store all consents obtained, and be able to make same available to TransUnion without delay if ever requested.

7. Submission of data to TransUnion

• The Applicable Party shall ensure any information requested from or submitted to TransUnion (whether directly or indirectly):
  • shall contain, in relation to a natural person, the minimum criteria as set out in Regulation 18 of the CRB Regulations; and
  • shall contain, in relation to a juristic person, the juristic person’s registered and trading name, registration number, registered address, physical and postal address.
• When submitting any information to TransUnion (whether directly or indirectly), the Applicable Party shall:
  • be lawfully entitled to submit such information to TransUnion;
  • ensure all information reported to TransUnion is accurate, up-to-date, relevant, complete, valid and not duplicated;
  • submit only information as required in the Credit Reference Bureau Regulations; and
  • before submitting adverse credit information, (a) ensure such default is as defined in the Banking Act, the Micro Finance Act and the Sacco Societies Act or any other applicable law; and give its customers the requisite notices, as required by Regulation 63 of the CRB Regulations, of its intention to submit adverse information regarding the customer before such information is submitted to TransUnion. Also ensure the customer is informed of the submission of such adverse information after the same has been submitted to TransUnion as required by the aforementioned Regulations.
• The Applicable Party shall under no circumstances submit the following information to TransUnion:
  • Negative information in respect of a debt where amount related does not exceed Kenya Shillings One Thousand as prescribed by the CRB Regulations.
  • Duplicate listings or inaccurate information where the party is aware of such inaccuracy.
  • Disputed adverse credit information – that is a default listing relating to an outstanding amount that had been disputed by a person prior to the date of the submission of the disputed adverse information (i.e., where such dispute had not been resolved at the time of listing). For purposes of this obligation, “disputed” refers to any instance where it can be proven a person had communicated to the Applicable Party an uncertainty around being liable for the whole or part of the relevant debt, whether or not through the institution of legal proceedings.
  • Information which the Applicable Party had already submitted to TransUnion in respect of a person, which information the person had successfully disputed in accordance with the dispute process provided for in the CRB Regulations. For purposes of clarity, the Applicable Party shall not be entitled to modify the successfully disputed information in any way so as to resubmit same.
• The Applicable Party will fully and timeously cooperate with TransUnion’s requests for credible evidence related to an adverse credit listing when that listing has been disputed as part of any customer Dispute Resolution Mechanism process (including but not limited to Data Subject access requests, queries or challenges as contemplated in the CRB Regulations, Data Protection Act or any other applicable Laws) provided for in the CRB Regulations. Should an Applicable Party fail to respond to TransUnion within the legislated period set out in the CRB Regulations, the adverse listing in dispute will be permanently removed from the relevant person’s credit profile.

8. Use of information

• All information received as part of services provided by TransUnion shall:
  • be used by the Applicable Party solely and exclusively for a purpose permitted in terms of the CRB Regulations or the Data Protection Act. The Applicable Party shall not (whether directly or indirectly) sell or use any such information for any commercial purpose; and
  • be for the Applicable Party's exclusive, one-time use, which usage shall be strictly related to the lawful purpose for which the service is intended.
• The Applicable Party shall only access a person’s information for the purposes of assessing an employment application where that person has (a) consented to such access; AND (b) is being considered for a position that requires honesty in dealing with cash or finances, and where the job description of such position has been clearly outlined in the applicable contract of employment.
• The Applicable Party acknowledges the information supplied to it pursuant to a testing request will contain information that’s regulated by Laws. This test data shall be used by the Applicable Party solely and exclusively for the purpose of the test and the Applicable Party shall not share the test data with or distribute that data to any third party. The Applicable Party shall not (whether directly or indirectly) use the test data for internal business or operational purposes or sell/use the test data for any purpose whatsoever. The Applicable Party shall destroy the test data, and upon completion of the testing exercise shall provide TransUnion with written confirmation of the destruction. The Applicable Party shall furthermore be able to evidence the destruction to TransUnion should TransUnion request such evidence.

9. The parties obligation concerning protection of personal data:

• It is recorded that, pursuant to the obligations under this policy, either Party will Process Personal Data of Data Subjects in connection with and for the purposes of the provision of TransUnion’s services and will act as the other Party’s Data Processor.
• Unless required by Law, each Party shall Process the Personal Data only:
  • in compliance with this policy;
  • for the purposes connected with the provision of the Services as provided for in any agreement or contract with TransUnion or as specifically otherwise instructed or authorised by the other Party in writing;
  • to the extent permissible in terms of applicable Laws; and
  • The Parties shall treat Personal Data that comes to their knowledge or into their possession as confidential, and shall not disclose it without the prior written consent of the other Party, unless permissible by law.
• Without limiting either Party’s obligations under this policy, each Party shall comply with applicable industry or professional rules, regulations and Laws (including any applicable technical or organizational security measures) in regard to the safeguarding of Personal Data.
• Each Party shall:
  • take steps to keep abreast and ensure it and its Staff comply fully with all applicable laws and regulations applicable to the Services;
  • limit the Processing of and access to the Personal Data to those Staff who need to know the Personal Data to enable the rendering of the Services;
  • deal promptly, but at all times without exceeding 5 (five) business days, with all reasonable inquiries from the other Party relating to its Processing of the Personal Data;
  • immediately inform the other Party of its inability to comply with the other Party’s instructions and this clause 9, in which case the other Party is entitled to suspend the other’s Processing of Personal Data and/or terminate any agreement or contract with TransUnion; and
  • provide the other with full cooperation and assistance in relation to any requests for access to, correction of or complaints made by the Data Subjects relating to their Personal Data.
• Each Party (the “Notifying Party”) shall notify the other Party in writing:
  • within 1 (one) business day, or otherwise as soon as reasonably possible, if any Personal Data under the control of the Notifying Party as a result of any agreement or contract between Parties has been or may reasonably believe to have been accessed or acquired by an unauthorised person; or if a breach has occurred with reference to the Notifying Party’s use of the Personal Data under this policy, furnish the other Party with details of the Data Subjects affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the Personal Data, as well as daily reports on progress made at resolving the compromise;
  • of any request by a Data Subject for correction of the Personal Data, or complaints received by the Notifying Party, relating to any Personal Data submitted by the other Party in relation to that Data Subject’s obligations in terms of the CRB Regulations, and provide the other Party with full details of such request or complaint; and
  • to the extent lawfully permissible, promptly advise of any legally binding request for disclosure of Personal Data or any other notice or communication that relates to the Processing of the Personal Data from any supervisory or governmental body.
  • Each Party acknowledges and agrees the other Party retains all right, title and interest in and to the Personal Data.

10. Audit rights

• TransUnion shall have the right to audit the Applicable Party’s Processing facilities in respect of the services upon separate and specific written policy regarding such audit first being reached with the other Party on each occasion at least once per year — or if there’s a reasonable suspicion the Applicable Party is not complying with the provisions of this policy, or where there’s suspicion the confidentiality, integrity and accessibility of Personal Data is likely to be compromised. The Party being audited shall offer reasonable assistance and cooperation to the other Party and/or its auditors or inspectors in the carrying out of such auditing exercise. Nothing in this clause 10 should be read as providing either Party with unlimited access to audit the other Party without just cause. If an audit takes place, TransUnion shall have no right of access to any confidential information of the Applicable Party’s clients or any confidential information in general (including Personal Data TransUnion is not responsible for in terms of CRB Regulations or the Data Protection Act).

11. Return and retention of Personal Data

• Each Party (“requesting Party”) may, at any time on written request to the other Party, require, where it is practically and lawfully possible, that (a) the other Party immediately return to it any Personal Data and may, in addition, require that the other Party furnish a written statement to the effect that upon such return, it has not retained in its possession or under its control (whether directly or indirectly) any such Personal Data or material; or (b) as and when required by the requesting party on written request, destroy all such Personal Data and material and furnish TransUnion with a certificate of destruction to the effect the same has been destroyed. Where, by the nature of the services that the other Party provides to different clients, the return of information or destruction thereof is not possible, the Party shall provide the requesting Party with written reasons as to why this is the case, and seek to reach written policy with the requesting Party as to how to regulate the relevant Personal Data going forward.
• Each Party shall comply with any request in terms of this clause 11 within 7 (seven) days of receipt of such request.

12.Indemnities

• Subject to the provisions contained in the Any agreement or contract with TransUnion, each Party hereby indemnifies and holds the other Party harmless from any and all losses arising from any claim or action brought against the other Party arising from or due to the one’s Party’s breach of its obligations set out in this policy or any law with respect to the protection of Personal Data.

13.Confidentiality

• The Parties agree and undertake:
  • Except as permitted by this policy, not to disclose or publish any Confidential Information (which for purposes of this clause shall mean any information or data (a) which by its nature or content is identifiable as confidential and/or proprietary to either Party and/or any third party; or (b) which is provided or disclosed in confidence by the one Party (“Disclosing Party”) to the other Party (“Receiving Party”); and (c) which Disclosing Party or any person acting on its behalf may disclose or provide to Receiving Party, or which may come to the knowledge of Receiving Party by whatsoever means) in any manner for any reason or purpose whatsoever without the prior written consent of the other Party, and provided that in the event of the Confidential Information being proprietary to a third party, it shall also be incumbent on the Parties to obtain the consent of such third party.
  • Except as permitted by this policy, not to utilise, employ, exploit or in any other manner whatsoever use the Confidential Information for any purpose whatsoever without the prior written consent of the other Party, and provided that in the event of the Confidential Information being proprietary to a third party, it shall also be incumbent on the Applicable Party to obtain the consent of such third party.
  • To restrict the dissemination of the Confidential Information to only those of each Party’s staff who are actively involved in activities for which use of Confidential Information is authorized (and then only on a “need to know” basis) and each Party shall initiate, maintain and monitor internal security procedures reasonably acceptable to the other to prevent unauthorised disclosure by its staff.
  • To take all practical steps, both before and after disclosure, to impress upon its staff who are given access to Confidential Information the secret and confidential nature thereof.
• The obligations of each Party with respect to each item of Confidential Information shall endure for an indefinite period from receipt of that item of Confidential Information. The obligations referred to in this clause 13 shall endure notwithstanding any termination of this policy, any other policy entered into between the Parties or any discussions between the Parties.
• Each Party hereby indemnifies and holds the harmless from any and all losses arising from, or in connection with, any claim or action arising from the other Party’s breach of any obligation with respect to Confidential Information.

14.Breach and termination

• In the event either Parties commits a breach of any of the conditions of this policy, and failing to remedy such breach within 7 (seven) Business Days of receipt of a notice from the other Party requesting it to remedy such breach, the other Party shall be entitled to cancel this entire policy forthwith and claim such losses as it may have suffered. In the event of termination of this policy, the Party terminating this policy shall have a right to also exercise its rights of termination under any agreement or contract with TransUnion.
• Notwithstanding anything to the contrary contained in this policy, the Parties shall be entitled to terminate this policy by mutual policy in writing.
• The provisions of this clause 14 shall not affect or prejudice any other rights/remedies which the Parties may have in law or in any other written agreement or contract between the Parties.

15.Payment profile information

• Payment Profile Information may be requested by an Applicable Party who is a Subscriber or entitled to such information in terms of the CRB Regulations.
• Where supplying Payment Profile Information, the Applicable Party shall ensure compliance with CRB Regulations as may be amended from time to time.

16.Removal of adverse listings

• To the extent required by the CRB Regulations, adverse credit information must be removed from a person’s credit profile if that person has paid up the debt associated with that listing. The Applicable Party shall provide TransUnion with details regarding settlement of any obligations under a credit agreement as required by the CRB Regulations.
• To the extent required by the CRB Regulations, judgments must be removed from a person’s credit profile if that person has settled the capital amount of the judgment. The Applicable Party shall upon settlement by the person of the capital amount of a judgment advise TransUnion within seven days of settlement of such obligation.
• An Applicable Party shall only be entitled to remove a default listing if it is factually incorrect, related to fraud or a duplicate listing.
• The Applicable Party shall not, unless lawfully entitled to do so, take an upfront fee in order to remove adverse credit information from a person’s credit profile.

17.Information requested in respect of juristic persons and their principals.

• The Applicable Party acknowledges to the event that it requests information in relation to any juristic person/s, the relevant report to be provided to it may contain information relating to that juristic person’s directors, senior leadership and/or key stakeholders in the business (“Principals”). The Applicable Party shall be (a) fully authorised, as required by all applicable Laws, to obtain the information in respect of the Principals; and (b) in the event it requests information relating to both juristic persons and their Principals, be fully compliant with the requirements as set out in the CRB Regulations. It shall furthermore have obtained all required consents for obtaining and having sight of information regarding the Principals.

18.Consequences of termination

• The termination of this policy shall not affect the rights of either of the Parties that accrued before termination of this policy or which specifically survives the termination of the policy.
• Upon termination of this policy and upon request by either Party, the other Party shall return or destroy any material containing, pertaining or relating to the Personal Data disclosed pursuant to this policy to the requesting Party. Such request will be regulated in accordance with clause 18 and/applicable Laws pertaining to the Processing of Personal Data.

19.Waiver

• Failure or delay by either Party in exercising any right will not constitute a waiver of that right.
• No waiver of any of right under this policy will be binding unless it is in writing and signed by the Party waiving the right.

20.Severability

If any part of this policy is found to be invalid or unenforceable, it shall be severed from the remainder of this policy, which shall remain valid and enforceable.

TransUnion Kenya

Last revised: 22 September 2022 

Version 1.0 

© 2022 TransUnion LLC
All Rights Reserved

No part of this publication may be reproduced or distributed in any form or by any means, electronic or otherwise, now known or hereafter developed, including, but not limited to, the Internet, without the express written permission of TransUnion. This document is protected by U.S. and International copyright laws. This document and the subject matter contained herein is TransUnion proprietary and confidential information, and may not be shared or used for any purposes other than the purpose for which it was provided by TransUnion, without the express written permission of TransUnion. By using this document, you are agreeing that you will not attempt, directly or indirectly, to reverse engineer, decompile, or disassemble any TransUnion services or service information, any confidential or proprietary criteria developed or used by TransUnion relating to services you receive from TransUnion, or any of the TransUnion confidential and proprietary information contained herein. The entire right, title and interest in and to this document and TransUnion services, and all copyrights, patents, trade secrets, trademarks, trade names, and all other intellectual property rights associated with any and all ideas, concepts, techniques, inventions, processes, or works of authorship including, but not limited to, all materials in written or other tangible form developed or created by TransUnion, shall at all times vest exclusively in TransUnion. You acknowledge that any misuse, misappropriation or threatened misappropriation of TransUnion’s intellectual property rights, or any breach or threatened breach of the foregoing restrictions, may cause immediate and irreparable injury to TransUnion, and in such event, TransUnion shall be entitled to seek injunctive relief. Nothing stated herein will be construed to limit any other remedies available to TransUnion including, but not limited to suspension and/or termination of the services provided to you.

Requests for permission to reproduce or distribute any part of, or all of, this publication should be mailed to:

Law Department
TransUnion
Delta Corner Annex, 2^nd Floor, Ring Road,
Westlands, Nairobi.

The “tu” logo, TransUnion, and other trademarks, service marks, and logos (the “Trademarks”) used in this publication are registered or unregistered Trademarks of TransUnion LLC or their respective owners. Trademarks may not be used for any purpose whatsoever without the express written permission of the Trademark owner.

transunionafrica.com

Table of contents

Introduction

1. Who we are and how to contact us
   • Information for Good^®
   • Contact details
2. How we use personal information
   • Direct marketing
   • Opting out
   • Digital marketing
   • Market research
   • Consumer engagement
   • Client data enhancement
   • Development and testing
   • Consumer queries
   • Legal compliance with laws and regulations
3. Where we get personal information
4. How long we keep personal information
5. Our legal basis for handling personal information
   • Legitimate interests
   • The legitimate interests we are pursuing are
6. Who we share personal information with
   • Clients and resale partners
   • Service providers
7. Where we store and send personal information
8. Your rights concerning personal information
9. Where to lodge a complaint

Introduction

This privacy notice provides information about how we use and share consumers' personal information for our clients' marketing purposes.

1. Who we are and how to contact us

Information for Good^®

We're in an era of rapid digital transformation where consumers demand more access to seamless, personalised products and services online. But the currency of personal data that fuels this platform economic boom poses threats to individuals and endangers corporate security.

Now more than ever — and likely more so in the future — consumers and corporates need new levels of trust and transparency.

As a global information and insights company, TransUnion seeks to make trust possible in global commerce. We do this by curating a robust and actionable picture of each consumer so they're reliably represented in the marketplace. This enables businesses and consumers to transact with confidence and achieve great things. We call this Information for Good^®.

We’re a company with registered offices at Delta Corner Annex, 2^nd Floor, Ring Road, Westlands, Nairobi. Although we’re part of a larger group, this notice covers only the activities of TransUnion within the Republic of Kenya.

Contact details

Contact us about personal information issues, including the contents of this notice via:

• Post: TransUnion P.O Box 46406-00100 Nairobi

• Telephone: TransUnion Contact Centre: +254 768262495, +254 768617074, +254 768253748­, +254 706565285

2. How we use personal information

You can find more detail about the personal information we might use for these purposes in Section 3 below.

Direct marketing

If you give your consent, or law permits it, we may use your personal information for direct marketing purposes. We may access, use, process and analyse personal information provided by you — as well as your consumer credit information, Internet information and marketing data — to provide personalised offers from TransUnion and our trusted partners.

Opting out

Suppose you no longer want to receive such communications. In that case, you can opt-out by responding to the newsletter and asking to be unsubscribed, or calling our customer service department and asking to be taken off the list. Alternatively, you can go to transunion.co.za, log in as a subscriber, click on your "profile" link, go to "My Settings", and de-select the Emails and Special offers opt-in box.

Digital marketing

Our digital marketing services enable our business partners to communicate with consumers about relevant products and services. These businesses use our data and technology to devise, create, deploy and measure targeted advertising programs. We also aggregate and depersonalise data for analytical purposes to provide statistical reporting and performance measurements.

Market research

If you choose to take part in market research, we may use your information to improve our products and services. If we engage third parties to assist, they can use non-personal, aggregated data — but they use all personal information for our research purposes only.

Consumer engagement

With your consent, we may use your personal information to present additional products, services and special offers from our affiliates and marketing partners. We may also share basic information — name and email address — with third parties to fulfil your request.

Our third-party email processor may use action tags (also known as single-pixel GIF or web beacons) to collect anonymous information on your use of the TransUnion Site in connection with the email registration program.

If you do not register your ID Number, we will not collect any personal information while you visit TransUnion Site.

Client data enhancement

Some TransUnion clients provide data collected under their separate privacy notices and ask us to enhance it. Here, our client is responsible for ensuring the personal information is used fairly and lawfully. You can refer to their privacy notices for details on the data they collect, what they use it for, and how to exercise your rights.

Development and testing

We sometimes use personal information while improving, developing, monitoring, maintaining and testing our products, systems and security measures. Where possible, we create pseudonyms, anonymity or aggregate the data beforehand.

Consumer queries

We will sometimes use your personal information to help deal with your enquiry, and for legal and regulatory purposes.

Legal compliance with laws and regulations

We only access, use and disclose personal information without consent in exceptional circumstances where necessary to:

• Comply with the law or a legal process served on us
• Comply with requests for information from police or government authorities
• Protect and defend our rights or property (including the enforcement of agreements)
• Protect matters of public interest
• Act in urgent circumstances to protect the personal safety of our employees or members of the public
• To protect the interests of the data subject

We apply the above in terms of the Credit Reference Bureau Regulations 2020, the Data Protection Act No. 24 of 2019 and other relevant national legislation.

3. Where we get personal information

We get personal information directly from our business partners, suppliers, clients, site visitors, and customers signing up for any of our products or services.

There are various types and categories of personal information we gather, including:

• Marketing — consumer, household, business, non-personal aggregated information, and advertising program performance data
• Demographic — age, gender, income, occupation, education and marital status
• Life events — a recent move or home purchase
• Public records — census data, geographic data, property data from local tax assessor and recorded deed information
• Firmographic — type of business, years in business, size of business and job titles

4. How long we keep personal information

We keep personal information for as long as we handle your request and for an additional period after completion — as determined by:

1. Demonstrating appropriate processes are in place to deal with enquiries, requests and complaints, and that we’re doing so fairly and under our regulatory requirements
2. Responding to requests from you or a regulator to explain how we dealt with a request and to show we dealt with it properly
3. Defending potential legal claims or regulatory action resulting from the request

5. Our legal basis for handling personal information

This section explains the basis on which we process your personal marketing information.

Legitimate interests

The Data Protection Act No. 24 of 2019 allows the use of personal information where necessary for legitimate purposes, provided this does not outweigh the impact it has on you. We base most of our processing activities on the legitimate interest’s condition.

The legitimate interests we are pursuing are:

For more details, refer to the relevant privacy notices in the links above.

6. Who we share personal information with

Clients and resale partners

Our clients have privacy notices that provide more information about how they use the data we supply. These clients typically operate in the following sectors:

• Banking
• Micro finance
• Sacco societies
• FinTechs or digital Lending
• Commercial
• Insurance
• Telecommunications
• Financial services
• Public sector
• And any other sector as may be approved by the Central Bank of Kenya from time to time

If our clients appoint an intermediary to act on their behalf, they too will receive the data. We also appoint data resale partners to distribute our data to third parties.

Service providers

Our clients and we may provide your information to third parties who help us achieve the purposes described in section 2. For example:

• Third parties may host our databases of personal information
• Printing companies produce and send direct mail or other correspondence
• Market research companies help us better understand our customers
• Cloud-based technologies, such as Microsoft Office 365, support our ordinary business operations

These service providers cannot use your information for their purposes or on behalf of other organisations unless you agree otherwise.

7. Where we store and send personal information

We access and use your information from our base in Kenya. We will not transfer personal information to a country lacking laws that provide an adequate level of information protection — unless we have an agreement with the recipient requiring measures that offer a similar level of protection as the Data Protection Act No. 24 of 2019 in Kenya.

8. Your rights concerning personal information

We outline your rights regarding the personal information we hold about you below.

Access: Refer all data access requests to us via info@transunion.com or DPO_KE@transunion.com.

Correction/Destruction/Deletion: If the information we hold about you is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained lawfully, you have the right to ask us to correct or delete it.

Objection to processing: You may object (on reasonable grounds) to processing your personal information unless legislation provides for such processing.

Objection to direct marketing: You may object to us using your personal information for direct marketing, and if you do, we will stop.

To find out about exercising these rights, please contact us on TransUnion Contact Centre: +254 742 258478, +254 768 617074, +254 768 253748, +254 768 262495, +254 706 565285

9. Where to lodge a complaint

We strive to deliver the highest levels of customer service. However, if you're ever unhappy with us, please contact us so we can investigate.

• Post:O Box 46406-00100 Nairobi
• Telephone:+254 768262495, +254 768617074, +254 768253748­, +254 706565285

You can also contact our Data Protection Officer at DPO_KE@transunion.com

You may complain to the Information Regulator:

• Email: info@odpc.go.ke
• Post: P.O Box 30920-00100, Nairobi

Site: https://www.odpc.go.ke/file-a-complaint/

TransUnion Kenya

Last revised: 22 September 2022 

Version 1.1 

© 2022 TransUnion LLC
All Rights Reserved

No part of this publication may be reproduced or distributed in any form or by any means, electronic or otherwise, now known or hereafter developed, including, but not limited to, the Internet, without the express written permission of TransUnion. This document is protected by U.S. and International copyright laws. This document and the subject matter contained herein is TransUnion proprietary and confidential information, and may not be shared or used for any purposes other than the purpose for which it was provided by TransUnion, without the express written permission of TransUnion. By using this document, you are agreeing that you will not attempt, directly or indirectly, to reverse engineer, decompile, or disassemble any TransUnion services or service information, any confidential or proprietary criteria developed or used by TransUnion relating to services you receive from TransUnion, or any of the TransUnion confidential and proprietary information contained herein. The entire right, title and interest in and to this document and TransUnion services, and all copyrights, patents, trade secrets, trademarks, trade names, and all other intellectual property rights associated with any and all ideas, concepts, techniques, inventions, processes, or works of authorship including, but not limited to, all materials in written or other tangible form developed or created by TransUnion, shall at all times vest exclusively in TransUnion. You acknowledge that any misuse, misappropriation or threatened misappropriation of TransUnion’s intellectual property rights, or any breach or threatened breach of the foregoing restrictions, may cause immediate and irreparable injury to TransUnion, and in such event, TransUnion shall be entitled to seek injunctive relief. Nothing stated herein will be construed to limit any other remedies available to TransUnion including, but not limited to suspension and/or termination of the services provided to you.

Requests for permission to reproduce or distribute any part of, or all of, this publication should be mailed to:

Law Department
TransUnion
Delta Corner Annex, 2^nd Floor, Ring Road,
Westlands, Nairobi.

The “tu” logo, TransUnion, and other trademarks, service marks, and logos (the “Trademarks”) used in this publication are registered or unregistered Trademarks of TransUnion LLC or their respective owners. Trademarks may not be used for any purpose whatsoever without the express written permission of the Trademark owner.

transunionafrica.com

Table of contents

Introduction

1. Who we are and how to contact us
   • Information for Good^®
   • Joint responsible parties
2. What we use personal information for
3. Kinds of personal information we use and where we get it
4. How long we keep personal information
5. Our legal basis for handling personal information
6. Who we share personal information with
7. Where we store and send personal information
8. Your rights concerning your personal information
9. Where to lodge a complaint

Introduction

This privacy notice provides information about how we use and share the personal information we obtain during the job application process.

1. Who we are and how to contact us

Information for Good^®

We’re in an era of rapid digital transformation where consumers demand more access to seamless, personalised products and services online. However, the currency of personal data that fuels this platform economic boom poses threats to individuals and endangers corporate security.

Now more than ever — and likely more so in the future — consumers and corporates need new levels of trust and transparency.

As a global information and insights company, TransUnion seeks to make trust possible in modern commerce. We do this by curating a robust and actionable picture of each consumer so they’re reliably represented in the marketplace. This enables businesses and consumers to transact with confidence and achieve great things. We call this Information for Good^®.

We’re a company with registered offices at Delta Corner Annex, 2^nd Floor, Ring Road, Westlands, Nairobi. Although we’re part of a larger group, this notice covers only the activities of TransUnion companies within the Republic of Kenya.

Joint responsible parties

TransUnion companies sometimes cooperate with other TransUnion companies when sharing and making decisions about your personal information. When this happens, all employees across the group ensure each company involved complies with data protection rules.

Contact our Consumer Services Team to enquire about any of our companies or exercise your rights regarding your personal information.

Contact details

Contact us about personal information issues, including the contents of this notice via:

• Post: TransUnion P.O Box 46406-00100 Nairobi
• Telephone: TransUnion Contact Centre: +254 742 258478, +254 768 617074, +254 768 253748, +254 768 262495, +254 706 565285

2. What we use personal information for

Managing end-to-end recruitment

TransUnion Information Group personnel involved in the recruitment process (and relevant third parties) may communicate with you on a strict need-to-know basis. In doing this, we show how we conducted the application and recruitment process and arrived at our decision.

Screening checks

TransUnion holds highly confidential data that’s subject to stringent legal and regulatory responsibilities. Therefore, we undertake identity verification checks and employment screening to protect the interests of TransUnion, its parent company, clients, partners and other stakeholders, including consumers and third parties.

Additional information

These checks are mandatory for your application and need to be complete before employment begins. To complete these checks, you may need to present specific documentation, provide additional details and sign authorisations or acknowledgements. (Further details will be provided with any offer of employment).

We’re mindful of your privacy and will only perform these checks at the appropriate application stage.

3. Kinds of personal information we use and where we get it

We obtain and use information from various sources summarised in the following table.

You’re free to choose whether you give us your personal information. However, if you don’t provide the information we need, this may limit our ability to complete certain processes.

4. How long we keep personal information

We’ll keep your personal information for as long as we handle your application and an additional period after completion. That period depends on the following purposes:

• Showing we have processes to deal with enquiries, requests and complaints fairly and under our regulatory requirements
• Responding to you or a regulator about how we dealt with your request and to show we dealt with it appropriately
• Defending any potential legal claims or regulatory action that might arise because of the request

5. Our legal basis for handling personal information

Legitimate interests

The Data Protection Act No. 24 of 2019 allows personal information usage where necessary for legitimate purposes without undue adverse impact. We base most of our processing activities on the following legitimate interests:

• Administering and managing the recruitment process
• Assessing and confirming an applicant’s suitability for employment
• Deciding whom to offer a job
• Keeping records of this process to explain or justify our decision

6. Who we share personal information with

Our group of companies

As stated, we share personal information among TransUnion companies as appropriate. We’ve set out a list of current such companies below.

Service providers

We may provide information to third parties who help us use it for purposes described in Section 2.

We may host our information database with third parties and use a third-party broadcasting service to send you emails or SMS messages.

These service providers may not use your information for their purposes or on behalf of other organisations unless you agree.

7. Where we store and send personal information

We access and use your information from our base in Kenya. We will not transfer personal information to a country lacking laws that provide an adequate level of information protection — unless we have an agreement with the recipient requiring measures that offer a similar level of protection as the Data Protection Act No. 24 of 2019 in Kenya.

8. Your rights concerning your personal information

We’ve outlined your rights concerning the personal information we hold about you below:

Access: You have the right to find out if and what personal information we hold about you. Refer all your data access enquiries to info@transunion.com or DPO_KE@transunion.com.

Correction/Destruction/Deletion: If the information we hold about you is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, you have a right to ask us to correct or delete it.

Objection to processing: You may object (on reasonable grounds) to processing your personal information unless legislation provides for such processing.

Objection to direct marketing: You may object to us using your personal information for direct marketing, and if you do, we will stop.

To enquire about exercising these rights, please contact the TransUnion Contact Centre on: +254 768262495, +254 768617074, +254 768253748¬, +254 706565285

9. Where to lodge a complaint

We strive to deliver the highest levels of customer service. However, if you’re ever unhappy with us, please contact us so we can investigate.

• Post: O Box 46406-00100 Nairobi
• Telephone: +254 768262495, +254 768617074, +254 768253748­, +254 706565285

You can also contact our Data Protection Officer at DPO_KE@transunion.com

You may complain to the Information Regulator via:

• Email:info@odpc.go.ke
• Post: O Box 30920-00100, Nairobi

Site:  https://www.odpc.go.ke/file-a-complaint/