KAWT Logo

Data Policy

How the Kenya Association of Women in Tourism (KAWT) collects, processes, stores, and protects data

HomeData Policy

Last Updated: April 26, 2024

This Data Policy outlines how the Kenya Association of Women in Tourism (KAWT) collects, processes, stores, shares, and protects data in our operations. This policy applies to all data processed by KAWT, including but not limited to member data, website visitor data, and operational data.

1. Data Collection and Sources

Direct Collection

We collect data directly from individuals through:

  • Membership applications and renewals
  • Event registrations
  • Newsletter subscriptions
  • Surveys and feedback forms
  • Direct communication (email, phone, in-person)
  • Website forms and user accounts

Indirect Collection

We may indirectly collect data through:

  • Website analytics tools
  • Cookies and similar tracking technologies
  • Social media interactions
  • Third-party service providers
  • Public records and directories

2. Categories of Data Processed

Personal Data

We process various categories of personal data, including:

  • Identification data (name, ID number, date of birth)
  • Contact information (email, phone number, physical address)
  • Professional information (job title, organization, industry experience)
  • Educational background
  • Financial information (for payment processing)
  • Photographs and visual representations
  • Survey responses and feedback

Non-Personal Data

We also process non-personal data such as:

  • Aggregated statistical data
  • Website usage patterns
  • Device and browser information
  • Geographic distribution of members and visitors

3. Legal Basis for Processing

We process data based on one or more of the following legal grounds:

  • Contract: Processing necessary for the performance of a contract (e.g., membership agreement)
  • Legitimate Interests: Processing necessary for our legitimate interests, such as improving our services, marketing, and security
  • Consent: Processing based on specific, informed, and unambiguous consent
  • Legal Obligation: Processing necessary to comply with legal requirements
  • Vital Interests: Processing necessary to protect vital interests of the data subject or another person
  • Public Interest: Processing necessary for tasks carried out in the public interest

4. Purposes of Data Processing

We process data for various purposes, including:

  • Membership administration and management
  • Event organization and management
  • Communication with members and stakeholders
  • Provision of member benefits and services
  • Marketing and promotion of activities
  • Research and statistical analysis
  • Website operation and improvement
  • Financial management and accounting
  • Legal compliance and reporting
  • Security and fraud prevention

5. Data Retention Periods

We retain different types of data for varying periods:

  • Membership Data: For the duration of membership plus 7 years after membership ends
  • Financial Records: 7 years (as required by tax regulations)
  • Event Registration Data: 3 years after the event
  • Marketing Communications Data: Until consent is withdrawn or the relationship ends
  • Website Analytics: 26 months
  • Unsuccessful Membership Applications: 1 year

At the end of the retention period, data is securely deleted or anonymized, unless there is a legal requirement to retain it longer.

6. Data Sharing and Recipients

We may share data with the following categories of recipients:

  • Service Providers: Third-party vendors who provide services on our behalf (e.g., IT services, payment processors, email marketing platforms)
  • Professional Advisors: Accountants, lawyers, and consultants
  • Government Authorities: When required by law or regulation
  • Partner Organizations: Tourism industry partners for collaborative activities (with appropriate safeguards)
  • Event Sponsors: Limited attendee information for sponsored events (with notice)

All third parties with whom we share data are required to protect data in accordance with applicable laws and our agreements with them.

7. International Data Transfers

KAWT primarily operates in Kenya, but we may transfer data internationally in the following circumstances:

  • When using third-party service providers based outside Kenya
  • When collaborating with international tourism organizations
  • When organizing international events

When transferring data internationally, we implement appropriate safeguards such as:

  • Data transfer agreements incorporating standard contractual clauses
  • Ensuring recipients are in countries with adequate data protection laws
  • Obtaining explicit consent for specific transfers where appropriate

8. Data Security Measures

We implement appropriate technical and organizational measures to protect data, including:

  • Technical Measures:
    • Encryption of sensitive data
    • Secure network architecture
    • Regular security updates and patches
    • Access controls and authentication mechanisms
    • Backup systems and disaster recovery processes
  • Organizational Measures:
    • Staff training on data protection
    • Data protection policies and procedures
    • Confidentiality obligations for staff and contractors
    • Regular security assessments and audits
    • Incident response plan

9. Data Breach Procedures

In the event of a data breach, we will:

  • Investigate and contain the breach promptly
  • Assess the risk to affected individuals
  • Notify the relevant data protection authority within 72 hours, if required
  • Notify affected individuals without undue delay, if required
  • Document the breach and our response
  • Implement measures to prevent similar breaches in the future

10. Data Subject Rights

We respect and facilitate the rights of data subjects, including:

  • Right to Access: You can request a copy of your personal data
  • Right to Rectification: You can request correction of inaccurate data
  • Right to Erasure: You can request deletion of your data in certain circumstances
  • Right to Restriction: You can request restriction of processing in certain circumstances
  • Right to Object: You can object to processing based on legitimate interests
  • Right to Data Portability: You can request transfer of your data in a structured format
  • Right to Withdraw Consent: You can withdraw consent at any time

To exercise these rights, please contact us using the details in section 14.

11. Cookies and Similar Technologies

Our website uses cookies and similar technologies for the following purposes:

  • Essential: Necessary for the website to function properly
  • Analytical: Help us understand how visitors interact with our website
  • Functional: Allow the website to remember choices you make
  • Targeting: Deliver relevant content and advertising

You can manage cookie preferences through your browser settings. For more details, please see our Cookie Policy.

12. Automated Decision-Making

KAWT does not engage in automated decision-making or profiling that has legal or similarly significant effects on individuals. If we introduce such processes in the future, we will provide appropriate information and safeguards.

13. Policy Updates

We review and update this Data Policy periodically to reflect changes in our practices, services, and legal requirements. When we make significant changes, we will notify members and website users through appropriate channels and update the "Last Updated" date at the top of this policy.

14. Data Protection Officer and Contact Details

For questions, concerns, or requests regarding this Data Policy or our data practices, please contact our Data Protection Officer:

Data Protection Officer
Kenya Association of Women in Tourism (KAWT)
1st Floor, Western Heights, Karuna Road - Westlands,
P.O Box 79729 - 00200, Nairobi, Kenya
Email: dataprotection@kawt.or.ke
Phone: +254 123 456 789

15. Governing Law

This Data Policy is governed by the laws of Kenya, including the Data Protection Act, 2019. Any disputes arising from this policy will be subject to the exclusive jurisdiction of the courts of Kenya.