Date Implemented: 01 January 2024

Date Last Updated: 01 January 2024

Data Subject Rights, Security Controls, and Data Collection

Definitions:

For the purposes of this policy, personal information means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable natural person. This includes but is not limited to: name, address, email address, phone number, social security number, driver’s license number, passport number, national identification number, financial information, medical information, employment information, and any other information that could be used to identify an individual.

Data Subject Rights:

In order to ensure that all information and data collected by GeoPoll is subject to and/or compliant with the GDPR, the Data Protection Act (2019), Data Protection (General) Regulations 2021 and the Data Protection (Compliance & Enforcement) Regulation (2021) of Kenya, the California Consumer Privacy Act (CCPA), the Tanzania Personal Data Protection Act of 2022 and/or other analogous and applicable data privacy regulations, we are obliged to provide the following rights to our Data Subjects:

  1. Data Subjects have the right to obtain a summary of their personal information retained by us, or modify, correct, change or update such information by contacting GeoPoll. They may also request to have GeoPoll remove personal information they have provided to us.
  2. Data Subjects have the right to be informed. Our Data Privacy Policy explains what personal information is collected, how it is collected, and the purposes of the collection.
  3. Data Subjects have the right of access to their personal information.

Additionally, Data Subjects can also request that we disclose to them: (1) the categories and/or specific pieces of personal information collected about them, (2) the categories of sources for that personal information, (3) the purposes for which GeoPoll uses that information, (4) the categories of third parties to whom GeoPoll discloses the information, and (5) the categories of information that GeoPoll sells or discloses to third parties.

  1. Right to withdraw consent for the use of their personal data for marketing or sale to a third party. Data Subjects will be provided an opportunity to give their informed consent before engaging in survey / data collection exercises.
  2. Data Subjects have the right to rectification. This right applies to data that is inaccurate, incomplete, and/or misleading; Data Subjects can request the rectification of their personal data.
  3. Data Subjects have the right to erasure and deletion of their personal information.
  4. Data Subjects have the right to restrict data. They may restrict the processing of their personal information, or limit the uses of their personal information.
  5. Data Subjects have the right to object to the processing or use of their personal information.
  6. Data Subjects have the right to data portability. They may be entitled to obtain their data in a portable / machine-readable format (Word, PDF, etc.), which makes it easier for them to use their personal information in another context.
  7. Data Subjects have the right to complain to the supervisory authority, depending on the applicable Data Privacy Regulation.
  8. Data Subjects have the right to opt-out of the sale of their personal information.
  9. Data Subjects have the right to non-discrimination in terms of price or service when they exercise a privacy right.
  10. Data subjects in Tanzania have a right to get compensation for the use of their personal data for commercial purposes.

Data Security Controls:

If a breach of security occurs which leads to an unauthorized modification, deletion, disclosure, or modification of access with respect to a Data Subject’s personal data, GeoPoll is typically responsible for assessing the risk and, if required, reporting the same to the supervisory authority and making the necessary changes to mitigate and prevent further breach.

The implementation of the appropriate security controls for the processing of data should include the following:

  1. The pseudonymization and encryption of data;
  2. The ability to ensure the ongoing confidentiality, integrity, and availability of processing systems and services;
  3. A process for regularly testing, assessing and evaluating the effectiveness of the security controls implemented;
  4. The fast restoration of the availability of, and access to, data in the event of an incident; and
  5. The regular verification, evaluation and assessment of the security controls. Such measures shall at least include mechanisms to:
    • Enforce multifactor authentication for any user access to data;
    • Ensure encryption of all devices including mobile devices, storage devices, files and databases containing data and encrypt all communications between all stakeholders (including its sub-processors, which in this case are our vendors / partners);
    • Ensure that all files and databases containing data are backed up on a daily basis and paper-based information is duly secured in protected premises;
    • Enforce system access controls, including granting user access, access recertification, revoking user access, administrative access and administrative user access management;
    • Ensure that data access/ transmission/ input/ availability/ integrity/ segregation controls are in place; and
    • Put physical access controls in place and ensure physical security measures specially targeted to protect paper-based data are in place and aligned with the highest industry standards.

Data Collection and Storage:

In order to ensure compliance with applicable data privacy regulations, we are obliged:

  1. To seek informed consent from our Data Subjects.
  2. To restrict access to Data Subject phone numbers.
  3. To ensure the data we collect is centralized. This also comprises the location of servers where data is collected and stored. For GDPR-countries, data collected there must be stored in servers located in the EU / Schengen markets. For Kenya, GeoPoll will demonstrate to the Office of the Data Protection Commissioner proof of adequate safeguards in the country of transfer. Before the transfer of personal data outside Tanzania, GeoPoll will seek approvals from the regulator.
  4. To implement double password protection. Interviewers / enumerators should use strong passwords that are required to access the device and the data collection application.
  5. To restrict the downloading of collected data. This means that data collected from Data Subjects on an interviewer’s device must remain online and cannot be downloaded on their devices nor shared forward. This means that interview data must be removed from the device once synched to an appropriate GeoPoll server.
  6. To collect only the necessary amount of data required for our services, and limited to what is necessary in relation to the purposes for which they are collected and processed.
  7. To retain personal data for no longer than is necessary for the purposes for which the personal data are processed.
  8. To have an incident response plan in place to handle any data breaches or cyber threats, which shall include reporting the same to the relevant authorities if required by the relevant Data Privacy legislation.
  9. To conduct regular training and awareness programs for our employees and contractors to ensure they understand and can implement our data protection policies effectively.
