Page 1 of 9

TELKOM KENYA LIMITED PRIVACY STATEMENT

Last updated August 2021

Telkom Kenya Limited (hereinafter “Telkom” “us” “we”) respects the privacy of our users hereinafter

(“You”). This Privacy Statement explains how we collect, use, disclose, and safeguard your information.

Please read this Privacy Statement carefully.

We reserve the right to make changes to this Privacy Statement at any time and for any reason. We will

alert you about any changes by updating the “Last updated” date of this Privacy Statement. Notice of at

least 7 days will be given of any substantial changes and will be effective as at the date referred in such

notifications. You are encouraged to periodically review this Privacy Statement to stay informed of

updates. You will be deemed to have been made aware of, will be subject to, and will be deemed to

have accepted the changes in any revised Privacy Statement after the date such revised Privacy

Statement is posted.

1. COLLECTION OF YOUR INFORMATION

1.1 The type of information we may collect includes:

(a) Your name, address, phone and/or mobile number, your date of birth, gender and email address.

(b) Your traffic data. This is data we see as part of providing you with connectivity, like the numbers you

call, the time and duration of the call or how you are using data.

identifying nearby mobile phone masts and Wi-Fi hotspots and you enable location-based services or

features. Or less precise where, for example, a location is derived from your IP address or data such as a

postal code or name of a town or city.

(d) Your Credit or debit-card information, information about your bank account numbers.

(e) Your contact with us such as a recording of a call you make to one of our contact centers, an email or

letter sent, or other records of any contact with us such as when you visit our Telkom Shops.

(f) Your account information such as dates of payment owed or received, subscriptions you use, account

numbers or other information related to your account.

(g) Credential information – we’ll collect passwords, hints and similar security information used for

authentication and access to accounts and services.

(h) Your preferences for particular products, services and lifestyle activities when you tell us what they are,

or we assume what they are, based on how you use the products and services.

(i) Information we obtain from other sources, such as credit agencies, fraud-prevention agencies, and from

other data providers. This includes demographic data, interest-based data, and internet browsing

behavior.

Page 2 of 9

1.2 We may collect information about you in a variety of ways. The information we may collect

depends on the services and products you use, and includes:

(a) Buy or use any of our products and services

(b) Demographic and other personally identifiable information (such as your name and email

address) that you voluntarily give to us when choosing to use Telkom services and products

(d) Register for a specific product or service including SIM Card Registration, Post Pay subscriptions

and T-Kash

(e) Subscribe to alerts or other services from us

(f) Contact us through various channels, or ask for information about a product or service

(g) Visit or browse our website

(h) Have given permission to other companies to share information about you

(i) Where your information is publicly available

(j) We may also collect information about you on CCTV when you visit our premises or on other

security cameras as part of our security and crime prevention measures.

(k) We may collect your information from other organizations such as fraud-prevention agencies,

credit reference bureaus and business directories.

2. DISCLOSURE OF YOUR INFORMATION

2.1 We may share information we have collected about you in certain situations. Your information

may be disclosed as follows:

i. By Law or to Protect Rights

If we believe the release of information about you is necessary to respond to a legal process, to

investigate or remedy potential violations of our policies, or to protect the rights, property, and safety of

others, we may share your information as permitted or required by any applicable law, rule, or

regulation. This includes exchanging information with other entities for fraud protection and credit risk

reduction.

ii. Third-Party Service Providers

We may share your information with third parties that perform services for us or on our behalf,

including payment processing, data analysis, email delivery, hosting services, customer service, and

marketing assistance.

iii. Marketing Communications

With your consent, or with an opportunity for you to withdraw consent, we may share your information

with third parties for marketing purposes, as permitted by law.

iv. Affiliates

We may share your information with our affiliates, in which case we will require those affiliates to honor

this Privacy Statement. Affiliates include our parent company and any subsidiaries, joint venture

partners or other companies that we control or that are under common control with us.

Page 3 of 9

v. Business Partners

We may share your information with our business partners to offer you certain products, services or

promotions.

vii. Other Third Parties

We may share your information with advertisers and investors for the purpose of conducting general

business analysis.

2.2 Where we have shared Your personal data with a third party as above in clause 2.1 save for

clause 2.1 (i) for processing purposes, we shall take all reasonable steps to inform third parties

processing such data, that you have requested the erasure or destruction of such personal data

that may have been obtained unlawfully.

2.3 Where Telkom is required to erase Your personal data, but the personal data is required for the

purposes of evidence such as in clause 2.1 (i) above, we shall, instead of erasing, restrict its

processing and inform you within a reasonable time.

3. SECURITY OF YOUR INFORMATION

We use strict administrative, technical, and physical security measures to help protect your personal

information. Your personal information will be kept for a certain period of time depending on individual

circumstances.

4. PRINCIPLES OF DATA PROTECTION

Telkom shall ensure that your personal data is:

4.1 Processed in accordance with your right to privacy;

4.2 Processed lawfully, fairly and in a transparent manner in relation to you;

4.3 Collected for explicit, specified and legitimate purposes and not further processed in a manner

incompatible with those purposes;

4.4 Adequate, relevant, limited to what is necessary in relation to the purposes for which it is

processed;

4.5 Collected only where a valid explanation is provided whenever information relating to family or

private affairs is required;

4.6 Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure

that any inaccurate personal data is erased or rectified without delay;

4.7 Kept in a form which identifies you for no longer than is necessary for the purposes which it was

collected; and

4.8 Not transferred outside Kenya, unless there is proof of adequate data protection safeguards or

consent from you.

5. DATA PORTABILITY RIGHTS

5.1 You have the right to receive personal data concerning you in a structured, commonly used and

machine-readable format.

5.2 You have the right to transmit the data obtained to another data controller or data processor

without any hindrance.

Page 4 of 9

5.3 Where technically possible, you shall have the right to have the personal data transmitted directly

from one data controller or processor to another.

5.4 The right under this section shall not apply in circumstances where:

(a) processing may be necessary for the performance of a task carried out in the public interest or in the

exercise of an official authority; or

(b) it may adversely affect the rights and freedoms of others.

5.5 Telkom shall comply with data portability requests, at reasonable cost and within a period of thirty

days. Where the portability request is complex or numerous, the timeline may be extended for a further

period as may be determined in consultation with the Data Commissioner.

6. LIMITATION OF RETENTION OF PERSONAL DATA

6.1 Telkom shall retain personal data only as long as may be reasonably necessary to satisfy the

purpose for which it is processed unless the retention is:

(a) Required or authorized by law;

(b) Reasonably necessary for a lawful purpose;

(d) For historical, statistical, journalistic literature and art or research purposes.

6.2 We shall delete, erase, anonymise or pseudonymise personal data not necessary to be retained

(as above) in a manner as may be specified at the expiry of the retention period.

7. RECTIFICATION AND ERASURE

7.1 You may request us to:

(a) rectify without undue delay personal data in its possession or under its control that is inaccurate,

out-dated, incomplete or misleading; or

(b) erase or destroy without undue delay personal data that Telkom is no longer authorised to retain,

irrelevant, excessive or obtained unlawfully.

7.2 Where we have shared the personal data with a third party for processing purposes, we shall take all

reasonable steps to inform third parties processing such data, that you have requested:

(a) the rectification of such personal data in their possession or under their control that is inaccurate,

out-dated, incomplete or misleading; or

(b) the erasure or destruction of such personal data that Telkom is no longer authorised to retain,

irrelevant, excessive or obtained unlawfully.

7.3 Where Telkom is required to rectify or erase personal data, but the personal data is required for the

purposes of evidence, we shall, instead of erasing or rectifying, restrict its processing and inform you

within a reasonable time.

8. TECHNICAL AND ORGANIZATIONAL MEASURES FOR DATA PROTECTION

8.1 Telkom shall implement appropriate technical and organizational measures which are designed to;

(a) implement the data protection principles in an effective manner; and

Page 5 of 9

(b) integrate necessary safeguards for that purpose into the processing.

8.2 We shall implement appropriate technical and organisational measures for ensuring that, by default,

only personal data which is necessary for each specific purpose is processed, taking into consideration:

(a) the amount of personal data collected;

(b) the extent of its processing;

(d) its accessibility; and

(e) the cost of processing data and the technologies and tools used.

8.3 To give effect to the above we shall consider measures such as;

(a) identification of reasonably foreseeable internal and external risks to personal data under the

person's possession or control;

(b) establishing and maintaining appropriate safeguards against the identified risks;

(d) The ability to restore the availability and access to personal data in a timely manner in the event of a

physical or technical incident;

(e) To verify that the safeguards are effectively implemented; and

(f) To ensure that the safeguards are continually updated in response to new risks or deficiencies.

8.4 We shall take all reasonable steps to ensure that any person employed by or acting under the

authority of Telkom, complies with the relevant security measures.

9. PROCESSING PERSONAL DATA RELATING TO A CHILD

9.1 Telkom shall only process personal data relating to a child where:

(a) consent is given by the child's parent or guardian; and

(b) the processing is in such a manner that protects and advances the rights and best interests of the

child.

9.2 We shall incorporate appropriate mechanisms for age verification and consent in order to process

personal data of a child. These mechanisms shall be determined on the basis of:

(a) Available technology;

(b) Volume of personal data processed;

(d) Possibility of harm to a child arising out of processing of personal data

9.3 The mechanisms for age verification include filling in a form (digital or physical) where input of date

of birth is required. Where a person is below the age of 18 years, the child’s parent or guardian shall be

required to consent to the processing.

10. RESTRICTION ON PROCESSING

10.1 Telkom shall, at your request, restrict the processing of personal data where:

(a) you contest the accuracy of the personal data for a period enabling the data controller to verify the

accuracy of the data;

Page 6 of 9

(b) personal data is no longer required for the purpose of the processing, unless we require the

personal data for the business, exercise or defence of a legal claim;

of their use instead; or

(d) You have objected to the processing, pending verification as to whether Telkom’s legitimate interests

override yours.

10.2 Where processing of personal data is restricted:

(a) the personal data shall, unless the data is being stored, only be processed with your consent or for

the business, exercise or defence of a legal claim, the protection of the rights of another person or for

reasons of public interest; and

(b) We shall inform you before withdrawing the restriction on processing of the personal data.

10.3 Telkom shall implement mechanisms to ensure that time limits established for the rectification,

erasure or restriction of processing of personal data, or for a periodic review of the need for the

storage of the personal data, is observed.

11 AUTOMATED PROCESSING

11.1 You have a right not to be subject to a decision based solely on automated processing, including

profiling, which produces legal effects concerning or significantly affecting you.

11.2 Where Telkom makes a decision, which produces legal effects or significantly affects You based

solely on automated processing:

(a) We must, as soon as reasonably practicable, notify you in writing that a decision has been taken

based solely on automated processing; and

(b) You may, after a reasonable period of receipt of the notification, request us to:

(i) Reconsider the decision; or

(ii) Take a new decision that is not based solely on automated processing.

11.3 Telkom, upon receipt of such a request shall within a reasonable period of time:

(a) Consider the request, including any information provided by you that is relevant to it;

(b) Comply with the request; and

(i) The steps taken to comply with the request; and

(ii) The outcome of complying with the request.

12 COMMERCIAL USE OF DATA

12.1 You have a right to object to the processing of your personal data, unless Telkom demonstrates

compelling legitimate interest for the processing which overrides your interests, or for the business,

exercise or defence of a legal claim.

12.2 Where Telkom uses personal data for commercial purposes, we shall, where possible, anonymise

the data in such a manner as to ensure that you are no longer identifiable.

13 TRANSFER OF PERSONAL DATA OUTSIDE OF KENYA

Page 7 of 9

13.1 Telkom may transfer personal data to another country only where it has given proof to the Data

Commissioner of the appropriate safeguards with respect to the security and protection of personal

data, and the appropriate safeguards including jurisdictions with commensurate data protection laws.

13.2 Telkom may transfer personal data to another country only where the transfer is necessary;

(i) for the performance of a contract between you and Telkom or implementation of pre contractual

measures taken at your request;

(ii) for the conclusion or performance of a contract concluded in your interest between Telkom and

another person;

(iii) for any matter of public interest;

(iv) for the company, exercise or defence of a legal claim;

(v) in order to protect your vital interests or of other persons, where you are physically or legally

incapable of giving consent; or

(vi) for the purpose of compelling legitimate interests pursued by Telkom which are not overridden by

your interests, rights and freedoms.

The processing of sensitive personal data out of Kenya shall only be effected upon obtaining your

consent.

14 COLLECTION OF PERSONAL DATA

14.1 Telkom shall collect personal data directly from you.

14.2 We may also collect your Personal data indirectly where:

(a) Your data is contained in a public record;

(b) You have deliberately made the data public;

(d) You have incapacity and your appointed guardian has consented to the collection from another

source;

(e) The collection from another source would not prejudice your interests;

(f) Collection of data from another source is necessary;

i. for the prevention, detection, investigation, prosecution and

punishment of crime;

ii. for the enforcement of a law which imposes a pecuniary penalty; or

iii. for the protection of your interests or another person.

14.3 Telkom shall collect, store or use personal data for a purpose which is lawful, specific and explicitly

defined.

14.4 Telkom shall, before collecting personal data, in so far as practicable, inform you of:

(a) Your rights;

(b) The fact that personal data is being collected;

Page 8 of 9

(d) The third parties whose personal data has been or will be transferred to, including details of

safeguards adopted;

(e) Telkom’s contacts and on whether any other entity may receive the collected personal data;

(f) A description of the technical and organizational security measures taken to ensure the integrity and

confidentiality of the data;

(g) The data being collected pursuant to any law and whether such collection is voluntary or mandatory;

and

(h) The consequences if any, where you fail to provide all or any part of the requested data.

15 LAWFUL PROCESSING OF DATA

15.1 Telkom shall not process personal data, unless:

(a) You consent to the processing for one or more specified purposes; or

(b) The processing is necessary:

(i) For the performance of a contract to which you are a party or in order to take steps at your request

before entering into a contract;

(ii) For compliance with any legal obligation to which Telkom is a subject;

(iii) In order to protect your vital interests or another natural person;

(iv) For the performance of a task carried out in the public interest or in the exercise of official authority

vested in the controller;

(v) The performance of any task carried out by a public authority;

(vi) For the exercise, by any person in the public interest, of any other functions of a public nature;

(vii) For the legitimate interests pursued by the data controller or data processor by a third party to

whom the data is disclosed, except if the processing is unwarranted in any particular case having regard

to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or

(viii) for the purpose of historical, statistical, journalistic, literature and art or scientific research.

16 DATA PROTECTION IMPACT ASSESSMENT

16.1 A data protection impact assessment means an assessment of the impact of the envisaged

processing operations on the protection of personal data.

16.2 Where a processing operation is likely to result in high risk to the rights and freedoms of a data

subject, by virtue of its nature, scope, context and purposes, Telkom shall, prior to the processing, carry

out a data protection impact assessment.

16.3 A data protection impact assessment shall include the following:

(a) a systematic description of the envisaged processing operations and the purposes of the processing,

including, where applicable, the legitimate interest pursued by Telkom;

(b) an assessment of the necessity and proportionality of the processing operations in relation to the

purposes;

(d) the measures envisaged to address the risks and the safeguards, security measures and mechanisms

to ensure the protection of personal data and to demonstrate compliance with the Data Protection Act,

taking into account your rights and legitimate interests and other persons concerned.

Page 9 of 9

16.4 The data impact assessment reports shall be submitted sixty days prior to the processing.

17. CONTACT US:

If you have questions or comments about this Privacy Statement, please contact us at:

TELKOM KENYA LIMITED

Head Office: Telkom Plaza – Ralph Bunche Rd.

Postal Address: P.O. Box 30301-00100, Nairobi.

Front Office Desk: 020 4952000

Email: CustomerCare@telkom.co.ke

Customer Care Telkom Mobile Number: 100

Customer Care Other Networks: 020 222 1000

Corporate Customer Care Telkom Mobile: 200

Corporate Customer Care Other Networks: 020 4600 200

Twitter: - @TelkomCare_Ke