INTRODUCTION

Kenya Reinsurance Corporation Limited (“Kenya Re”) is a Data Controller, meaning that we determine the purposes for and manner in which your Personal Data is processed or is to be processed, and we are strongly committed to protecting your privacy while you interact with our content, products and services. Kenya Re is also a Data Processor, meaning that we process data on behalf of another Data Controller. We want to provide a safe and secure environment for you.

The purpose of this Privacy Policy is to communicate to you what kind of information we may gather about you when you visit our website, our offices or engage our services. It also enlightens you on how we may use that information, whether we disclose it to anyone, the choices you have regarding our use of this information, your ability to correct this information as well as your rights regarding the processing, use, dissemination and deletion of your personal information.

Our policy allows you to choose, subject, of course, to the requirements of the Kenya Insurance Act as well as in line with the provisions of the Kenya Data Protection Act, 2019, what kind of and how much information you provide to us and to control how we use whatever information you give us. Our goal is to provide you with a satisfying experience while allowing you to control your privacy and to give you a means to voice any questions or concerns you may have.

We are committed to:

  • protecting personal data that we receive when we provide our services to clients,
  • maintaining transparent practices and explaining how we collect, process, and share that data.

 

WHO WE ARE

Kenya Re is a leading reinsurer in Africa, headquartered in Nairobi, Kenya. Established in 1970, it plays a vital role in the insurance industry across the continent.

Kenya Re is committed to processing personal data lawfully, fairly and in a transparent manner in compliance with the Data Protection Act, 2019 and the attendant Data Protection Regulations (“Regulations”).

WHAT IS PERSONAL DATA AND WHAT PERSONAL DATA DOES KENYA RE COLLECT AND PROCESS ABOUT YOU?

What is Personal Data?

For the purposes of this Privacy Notice “Personal Data” consists of any information from which you can be identified, directly or indirectly. Personal data includes information such as your name, telephone number, address, national identification card number etc.

What Personal Data does Kenya Re Collect and Process?

We may collect, process, store and transfer different kinds of personal data about our customers, employees, service providers, agents and other stakeholders, depending on their relationship with the Corporation.

The listing below summarizes the type of personal data including sensitive personal data that we collect and process:

Information about you.

For example name, age, gender, date of birth, nationality, marital status, social security number, passport number or tax number.  Even though in some instances we do not receive your name, we need enough information to help us identify you and your policy so that we can provide services to our clients.

Identification and contact information

Name, phone number, email and postal address, physical address, social media accounts.

Payment information

We may process information related to payments you make or receive in the context of an insurance policy or claim.

Contractual information

For example, details about the policies you hold and with whom you hold them.

Financial information

For example, bank account or payment card details, income, investment/savings or other financial information including household income, home valuation and household demographics.

Risk, fraud and credit related data

For example, credit history, sanctions and criminal offences, and information received from various anti-fraud databases.

Government generated information

National Identification Number (ID), Kenya Revenue Authority (KRA) PIN, Huduma Number, Birth certificate/notification details, NSSF Number, National Council for persons with disability number etc.

General information

Date of birth, marital status, age, gender, dependents details, profession.

Employment and educational information

Current employment and Employment history, employer, job role, salary, employment benefit options, educational institutions attended, professional qualifications and membership to professional bodies etc.

Health information

Health status, previous and current ailments, hospital admission history, injury or disability information, personal habits such as whether one smokes or drinks alcohol, major medical procedures undertaken or medical related issues relevant to a policy you hold or a claim you have made.

Financial information

Bank account, investments, credit reference information.

Audio-visual

Photographs, videos, telephone recordings.

Online activity information

For example, cookies and IP address (your computer’s internet address), if you use our websites.

Sensitive Personal Information

Property details, race, health status, marital and family status including names of children, gender etc.

 

Provision of Personal Data

Kenya Re will only use the Personal Data you have chosen to provide us for the purpose for which you provided it. We will not use it for any other purpose without your consent. In offering our services and pursuant to legal and regulatory requirements and obligations, our customers are obliged to provide personal data to us. The personal data provided enables us to verify customer data so that our customers can be provided with their chosen services. Failure to provide us with the personal data may mean we cannot fulfil our obligations under the contract for provision of services and you will not have access to the said services.

 

WHY DO WE PROCESS YOUR PERSONAL DATA?

We use your personal data primarily only to the extent that it is necessary for the purposes of conducting our business, and only for the purpose for which it was originally collected and any other permissible, related purpose. We may use your personal data for a number of reasons:

  • Providing our services and fulfilling our contractual obligations to clients and other third parties
  • Underwriting our business with clients
  • Conducting data analysis, which helps us assess risks, price our products appropriately and improve our services.
  • Reviewing, managing and processing claims
  • Assessing, improving and developing our services
  • Enhancing our knowledge of risk and insurance markets in general
  • Marketing purposes (e.g. newsletters, surveys, client events, etc.)
  • Fulfilling legal or regulatory obligations and protecting ourselves and our clients against fraud, money laundering, terrorism and other crimes.
  • Communicating with customers, business partners and employees.

The Data Protection Act and Regulations allow us to use the personal data we collect as set out above on the basis that the processing is necessary for the performance of a contract with you, or that we are acting in our legitimate interests, e.g., in the provision of insurance, reinsurance, investment or office spaces and services.

We may process your personal data to send you marketing communications by email, SMS text message, telephone call, or any other appropriate means of communication. The legal justification for this direct marketing could be that you have consented to the same or that it is in our legitimate interest to avail to you information that is relevant to the services you have or propose to obtain from us.

However, our use of your personal data in this nature and context is subject to your rights as provided for in the Data Protection Act, exercised through the various tools and procedures we are mandated to make available to you.

 

IS THERE FURTHER PROCESSING OF DATA?

Kenya Re adheres to the principle of purpose limitation and only processes data for purposes related to those specified when personal data were collected. Processing for secondary purposes only takes place where we have a legal basis such as the consent of the data subject. To assess our adherence to this principle Kenya Re considers the relationship between the purposes for which the data have been collected and the purposes of further processing, the context in which the data have been collected, the reasonable expectations of the data subjects, the nature of the data and the impact of the further processing on the data subjects.

 

HOW IS YOUR PERSONAL DATA COLLECTED?

In most cases, we receive personal data from third parties such as our corporate clients; that can be your insurer, agent or broker or other insurance market participants. On occasion, such as when you register for an event or receive information directly from us, we may receive personal data directly from you. We may also receive your data from other parties to a claim (claimant / defendant), witnesses, experts (including medical experts), loss adjustors, solicitors, and claims handlers, health care service providers or anti-fraud databases, sanctions lists, court judgements and other public databases. We may also obtain personal data through the use of technology such as cookies when you use our website and our other digital platforms. In circumstances where personal data is obtained from third parties, we shall obtain such information in full compliance with the provisions of the Data Protection Act and Regulations.

WHAT IS THE LEGAL JUSTIFICATION FOR PROCESSING OF PERSONAL DATA?

We only process personal data for legitimate business purposes and when a legal ground as set out in data protection law is applicable. A number of legal grounds may apply; the listing below describes the ones most likely to be relevant to you.

Consent

We may process your personal data when we obtain your consent or when our client obtains consent from you.

We take steps to ensure our clients only provide us with personal data when they are allowed to do so. Often this means our clients will obtain your consent to disclose personal data to reinsurers.

Performance of a contract

If you have a contract with Kenya Re, the personal data may be processed when it is necessary in order to enter into or perform a contract.

This could include discharging our obligations in relation to a claim you have made, or execution of agreements/contracts with our tenants, suppliers and mortgagors.

Compliance with a legal obligation

Your personal information may be processed where we have a legal obligation to perform such processing, such as where we share information with our regulators, law enforcement agencies or the courts.

If we receive an order from the authorities in relation to an investigation, we may be required to disclose personal data as part of that process.

Necessary for an insurance purpose

In some locations, local laws include legal grounds for processing your medical and other sensitive personal data when it is necessary to do so in connection with an insurance product.

In some cases, we receive personal data from our clients who seek opinion on complex claims.

For claims processing to our business partners.

 

We commit to always identify and document the lawful basis of processing your personal data for each specific purpose and put the necessary safeguards to ensure that the lawful basis is always applicable. Further we shall endeavor to provide you the highest degree of autonomy with respect to control over your personal data and provide simplified processes of consenting or withdrawing consent to the processing of your personal data.

 

TO WHOM DO WE DISCLOSE YOUR INFORMATION?

We will only use your personal data for our internal business purposes as described above. Our employees have access to and process personal data based upon the "need to know" principle. In other words they have access to personal data where this is necessary in order to do their job. We regularly check who has access to our systems and data.

 

We may also share your personal data with the following categories of third parties:

  • Our related subsidiaries who assist us in providing our products and services.
  • Our service providers and agents e.g. IT companies who support our technology. For example, we process personal data (i.e. within our email system or other applications) with Microsoft's Office 365. This externally hosted environment was found to be consistent with our privacy and security programmes and is regularly assessed so that it continuously meets our standards.
  • Our professional advisers, consultants, auditors, reinsurers, medical agencies and legal advisers, law enforcement agencies, regulators, government authorities.
  • The client who provided us with your data.
  • Contractors, brokers, external managers, other insurance market participants or financial institutions.
  • Where legally permitted, personal data may be shared with industry associations such as Association of Kenya Reinsurers.

We do not sell personal data.

Data may be exported to other countries in line with legal requirements and the required measures to ensure protection of the data. This is particularly the case where personal data needs to be processed by internal services teams or by third parties in other Kenya Re locations and outside Kenya. We make sure adequate safeguards such as binding contracts are in place with those internal and external parties.

We shall in all circumstances where feasible and legally justifiable, inform and seek consent from you prior to sharing your personal data. We shall, however, provide your personal data whenever we are legally obligated to provide such information.

Access by 3rd Parties

In the course of providing services to you, we may share your personal data with trusted third parties. We only share personal data with affiliates, business partners, third party service providers or vendors when we have a legitimate business purpose for doing so and when permissible by law. If we no longer require their services, any of your data held by them will be irrecoverably deleted. For fraud management or in line with public interest, we may share information about fraudulent or potentially fraudulent activity in our system, which may include sharing data about individuals with law enforcement bodies. We may also be required to disclose your Personal Data to a law enforcement, regulatory or government body upon a valid request to do so. These requests, however, will be assessed on a case-by-case basis and the privacy of our customers shall be considered.

Security

Kenya Reinsurance Corporation Limited shall ensure that Personal Data is stored securely using modern technology that is kept up to date. Access to Personal Data shall be limited to personnel who need access and appropriate security measures shall be in place to avoid unauthorized sharing of information. When Personal Data is deleted, this will be done safely such that the data is irrecoverable.

WHAT DO WE DO TO KEEP YOUR INFORMATION SECURE?

We have put in place appropriate physical, legal, technical and organizational measures to safeguard the personal data we collect in connection with our services. Such measures include requiring confidentiality from employees and other person(s) who handle personal data, and information technology security measures such as system rights and firewalls.

We process and store most of your personal data electronically and have put measures in place to ensure the security of your personal data as described above. Information Communication and Technology (ICT) systems remain vulnerable to new and unforeseen risks. However, we have deployed and shall continue to deploy appropriate technical and organizational mechanisms to secure your personal data.

INTERNATIONAL TRANSFER OF YOUR PERSONAL DATA

Prior to transferring personal data outside of Kenya, we shall ascertain that the transfer is based on the provided legal and regulatory standards.

 

Legal Basis: There being appropriate data protection safeguards with respect to the security and protection of personal data in the jurisdiction to which the data is being transferred.
Example: Storage of your personal data in a cloud whose data server is located in one of the European countries that has implemented the General Data Protection Regulation (GDPR).

Legal Basis: An adequacy decision having been made by the Office of the Data Commissioner.
Example: Where the Data Commissioner has published a list of countries which have appropriate data protection safeguards, and we decide to store your data in that jurisdiction in furtherance of our legitimate interest.

Legal Basis: Necessity.
Example: When we reinsure your risk as part of our legitimate interest and the re-insurance company requests personal data in respect of the insurance policy.

Legal Basis: Consent.
Example: When, following your express consent, we transfer your personal data to another jurisdiction.

We will only transfer your personal data outside Kenya, or any other jurisdiction in which we operate, in accordance with applicable laws.

 

DATA RETENTION - HOW LONG WILL WE STORE/KEEP YOUR PERSONAL DATA?

We keep your personal information in compliance with applicable retention periods and for as long as necessary for the purpose for which it was collected, and to comply with our legal and regulatory requirements. This may include keeping your information for a reasonable period of time after your relationship with us or our client has ended. We securely destroy personal data when it is no longer needed for the relevant purposes and its retention period has expired. In some circumstances we retain aggregated or anonymized data which can no longer be associated with you and is therefore not considered personal data. Generally, the law requires us to retain your personal data for a period of 7 years, at which point the information shall be removed from our information technology infrastructure or physical storage space and either deleted/destroyed or archived.

 

ACCESSING YOUR PERSONAL DATA AND OTHER RIGHTS YOU HAVE

We will collect, process and store your personal data in accordance with your rights under the Data Protection Act and attendant Regulations. Under certain circumstances, you have the following rights in relation to your personal data:

 

Description of Right

When is the right applicable?

Right to object to processing of personal data – You have a right to object to the processing of your personal data. In implementation of this right, you shall use the statutory form “Request for restriction or objection to the processing of personal data” provided in our website.

The right is not an absolute right and we can reject the request where we demonstrate that we have justifiable reasons for processing that would negate your interests e.g., when we are required by a government agency exercising their legal mandate to provide your personal data against your request not to avail the same or in our defense of a legal claim. We will always inform you when we have declined your request and provide the reasons. This right is, however, absolute when it relates to direct marketing.

Right to restrict processing of personal data – You have the right to request the suspension of processing of your personal data in certain circumstances.

In implementation of this right, you shall use the statutory form “Request for restriction or objection to the processing of personal data” provided in our website.

This right is not an absolute right and shall be available when:

  1. You contest the accuracy of your personal data;
  2. Your personal data has been unlawfully processed and you oppose the erasure and request restriction instead;
  3. You no longer need your personal data but we require the same to be kept in order to establish, exercise or defend a legal claim;
  4. You have objected to the processing, pending verification as to whether our use of your personal data is justifiable and overrides your interests.

Right to access personal data – You have the right to access your personal data and obtain information of how the personal data is used and processed. In implementation of this right, you shall use the statutory form “Request for access to personal data” provided in our website.

 

Should you want to access your personal data in any other format, you may use the form subject to availing us available notice and other circumstances as shall be communicated by us to you.

Right to rectification of personal data – You have the right to request your personal data to be corrected in instances of inaccuracy or incompleteness. In implementation of this right, you shall use the statutory form “Request for rectification” provided in our website.

The right is available always subject to the discretion accorded to us to decline with reasons.

Right to data portability – You have the right to receive your personal data in a structured, commonly used and machine-readable format to transmit the said personal data obtained to another third party without any hindrance. In implementation of this right, you shall use the statutory form “Request for Data Portability” provided in our website.

This right is available always provided that it is technically feasible for us to provide the personal data in the required format.

Right to erasure – This right is sometimes referred to as “the right to be forgotten” and entitles you to request deletion or removal of your personal data from our records. In implementation of this right, you shall use the statutory form “Request for erasure of personal data” provided in our website.

Right of erasure does not apply if processing of your personal data is necessary for one of the following reasons –

  1. To exercise the right of freedom of expression and information.
  2. To comply with a legal obligation e.g., our requirement to hold on to your personal data in the event of an ongoing investigation.
  3. For the performance of a task carried out in the public interest or in the exercise of official authority;
  4. For archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure would impair the achievement of that processing; or
  5. For the establishment, exercise or defense of a legal claim.

 

Right to withdraw consent to processing of personal data.

This right is not applicable when a decision is:

  1. Necessary for entering into or performing a contract between you and us;
  2. Authorized by a law to which we are subject and which lays down suitable measures to safeguard your rights, freedoms and legitimate interests;
  3. Based on your consent.

 

In any case where we use your data to make decisions solely by automated means (including using your data to build a profile about you), we will inform you that we are doing this and make sure that you are able to contest any such decision. Any new profiling activity or automated decision-making activity we carry out is subject to a robust assessment aimed at mitigating any risks to you. This assessment is carried out before the processing commences.

 

The easiest way to exercise your rights is to contact the data protection officer using the contact details in clause 17 below. We will respond promptly and we do not normally charge for providing a response. Please note that, before we can process your request, we may need to verify your identity by asking you to provide a copy of an official identification document and/or a copy of evidence of your residency address or similar.

ENFORCING YOUR RIGHTS

If you wish to enforce any of your rights highlighted above, as provided under the Data Protection Act and attendant Regulations, please contact us using the details in clause 17 below.

You may use the various statutory forms made available by us (listed in the appendices) and we will respond to your request without undue delay and within the statutory timelines.

COMPLAINTS

If you feel we have not complied with your right to privacy and other provided rights regarding your personal data, you have a right to complain to us through the provided tool available on our website or you may pay us a visit and fill in the complaint form and we shall endeavor to resolve such a complaint.

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, Kenya Reinsurance Corporation Limited shall within 72 (Seventy-Two) hours of having knowledge of such breach report the details of the breach to the Office of Data Protection Commissioner (ODPC). Furthermore, Kenya Reinsurance Corporation Limited shall within 7 (Seven) days of having knowledge of the occurrence of such breach take steps to inform the Data Subject of the breach incident, the risk to the rights and freedoms of the Data Subject resulting from such breach and any course of action to remedy said breach.

However, if you feel that your Personal Data has not been handled correctly or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have a right to lodge a complaint with the Office of the Data Commissioner or such other data supervisory authority in the jurisdiction we operate in.

COOKIES

Cookies are small text files which are stored on your computer when you visit certain web pages. We use cookies to understand how our sites are used, which helps us to improve your overall online experience. Cookies allow a web server to transfer data to a computer or device for record keeping and other purposes. We may use cookies for detecting what kind of device you have in order to present content in the best way, for a language switch and/or for other purposes which are intended to serve you better. These cookies do not collect or store any personally identifiable information. If you do not want information collected through the use of cookies, there is a simple procedure in most browsers that allows you to decline the use of cookies. However, if you do this, you may lose some useful functionality, such as personalization features like “Keep Me Signed In” and “Remember Me”. Some of the cookies we use are necessary for some of our sites to work, whilst other cookies are used to provide tailored advertising by trusted third parties. To find out more about cookies, visit www.aboutcookies.org

The different types of cookies we use.

We use the following categories of cookies on our website:

  • Strictly necessary – These cookies are essential for certain features of our website to work, for example when you make payments through the self-service portal. These cookies do not record identifiable personal data and we do not need your consent to place these cookies on your device. Without these cookies some services you asked for cannot be provided.
  • Performance – These cookies are used to collect anonymous information about how you use our website. This information is used to help us improve our website and understand how effective our adverts are. In some cases, we use trusted third parties to collect this information for us, which may include recording your use of our website, but they only use the information for the purposes explained. By using our websites, you agree that we can place these types of cookies on your device. You have the right to object to being recorded on our website by contacting us through the details provided in clause 16 below.
  • Functionality – These cookies are used to provide services or remember settings to enhance your visit, for example text size or other preferences. The information these cookies collect is anonymous and does not enable us to track your browsing activity on other websites. By using our website, you agree that we can place these types of cookies on your device.
  • Targeting and Advertising – These cookies are used by trusted third parties to deliver adverts more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. Information contained in these cookies is anonymous and does not contain your personal data.
  • Managing cookies – If you’d prefer to restrict, block or delete cookies from us and our third-party advertisers, or any other website, you can use your browser to do this. Each browser is different, so check the “Help” menu of your particular browser to learn how to change your cookie preferences. If you choose to disable all cookies, we cannot guarantee the performance of our website and some features may not work as expected.

Links to other websites – This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

CHANGES TO THIS DATA PRIVACY NOTICE

It is also important that you check back often for updates to this privacy notice, as we may change it from time to time based on factors such as changes in regulatory landscape on data protection. At the start of this privacy notice we shall tell you when it was last updated.

We shall notify you of any material changes regarding the protection of your personal data via email or through our website.

CONTACT US/ FURTHER INFORMATION

If you have any queries at all in relation to your personal data and how we protect your data rights, please contact our Data Protection Officer through dpo@kenyare.co.ke. You are also welcome to visit our offices.