We may collect the following personal data from you:

2.1. Identification information

We collect your personal data such as your name, your identification information/passport number, and other government issued identification information, to identify you in respect of the services we offer you.

2.2. Contact information

We collect your contact details such as your phone number, residential address, email address and postal address to contact you, in respect of the services we offer you.

2.3.  From our website or events

We collect your personal data that you choose to provide to us when you interact with us on our website or social media platforms such as Facebook, Instagram, or if you register to attend any of our events through meeting conferencing tools.

2.4.  Personal data we automatically collect

When you visit our website, we may collect internet or other electronic network activity information using trackers. The information we collect may include your device’s internet protocol (IP) address, referring website, and the time that your device visited our website.

2.5.  Recruitment related data

We may collect your personal data related to recruitment such as your curriculum vitae, your education and employment history, details of professional memberships, and other information relevant to potential recruitment to Centum Re.

2.6.  Background information

We may collect your background verification data such as a copy of passports or utility bills or evidence of beneficial ownership or the source of funds to comply with client due diligence/” know your client”/anti-money laundering laws are collected as part of our client acceptance and ongoing monitoring procedures.

2.7.  Information we collect from third parties

Your personal data may be collected as you interact with or use our website, you register and or attend our events, and/or as part of our services to you. Centum Re uses third-party service providers to store personal data, and third-party marketing agency to track the performance of our marketing campaigns.

Failure to provide us with the personal data above would make it impossible for us to offer our services to you, as we require your personal data to identify you, to contact you, and to make payments relating to the services we offer you. The identification, contact and payment information are mandatory for us offering services to you.

We may collect or receive your personal data in several ways:

3.1. Direct collection

Where you provide it to us directly, for example by corresponding with us by email, or via other direct interactions with us such as completing a form manually or on our website or registering for and using one of our online tools.

3.2. Indirect collection

We may monitor use of or interactions with our websites, any marketing we may send to you, or other email communications sent from or received by Centum Re. We may also collect your personal data from third party sources for example, where we collect information about you to assist with “know your client” checks as part of our client acceptance procedures or where we receive information about you from recruitment agencies for recruitment purposes. We also use publicly available sources – we may, for example, use such sources to help us keep the contact details we already hold for your accurate and up to date.

We will only use your personal data where we are permitted to do so by applicable law. Under the DPA, the use of personal data must be justified under one of several legal grounds. The principal legal grounds that justify our use of your personal data are:

1. Contract performance: where your information is necessary to enter or perform our contract with you;
2. Legal obligation: where we need to use your information to comply with our legal obligations;
3. Legitimate interest: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights;
4. Legal claim: where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party; and
5. Consent: where you have consented to our use of your information (you will have been presented with a consent form or facility in relation to any such use and may withdraw your consent through an unsubscribe or similar facility).

Centum RE may sometimes share your personal data with third parties. Such disclosures will be made in accordance with the law and, where necessary, with your consent or upon reliance on necessity, in which event, we will notify you. Below are some of the circumstances under which your personal data may be shared:

5.1. Other companies within Centum Re

Your personal data may be shared with other Centum RE entities to service your needs and provide you with the relevant products and services.

5.2. The Government (and Government Agencies)

Your personal data may be shared with law enforcement agencies and other regulatory bodies where such disclosures are mandated by law.

5.3. Court orders

Your personal data may be shared if a court order is obtained requiring that such information be shared.

5.4. Service providers

Your personal data may be disclosed to service providers where necessary to provide certain services to you or to protect our legitimate interests (including in the enforcement of a legal claim).

Your personal data may be shared with other entities within or outside Centum RE if this is necessary to fulfil our agreements with you. These include any regulatory, supervisory, governmental or quasi-governmental authority with jurisdiction over Centum RE, any agent, contractor or third-party service provider, professional adviser or any other person under a duty of confidentiality to Centum RE.

If we transfer your data to other parties outside Kenya, we will ensure the appropriate safeguards are in place to protect your data in accordance with the requirements under the DPA.

Your personal data will be held by us for as long as it is necessary for us to offer you services. If we no longer offer you services, which would require us to continue holding your personal data, we will only retain the personal data, for as long as is necessary, for the purposes of:

• Establishing or defending a legal claim;
• Fulfilling a legal obligation; or
• Direct marketing (upon your consent).

Centum Re will develop, implement, and maintain safeguards appropriate to its size, scope, and business. Its available resources, the amount of personal data that Centum Re owns or maintains on behalf of others and identified risks (including de-personalisation of personal data) where applicable. These measures must be complied with accordingly.

Centum Re will regularly evaluate and test the effectiveness of its technical and organisational measures to ensure security of its processing of personal data, including sensitive personal data.

Centum Re may only share personal data with third parties who agree to comply with this Notice and have put in place adequate technical and organisational measures to ensure security and protection of personal data to be shared.

Centum Re maintains the following (non-exhaustive) security measures:

1. Making sure that, where possible, personal data is pseudonymised or encrypted.
2. Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
3. Ensuring that, in a physical or technical incident, availability and access to personal data can be restored promptly.
4. A process for regularly testing, assessing, and evaluating the effectiveness of the Security Measures for ensuring the security of the processing.

Alongside our role, please also note that where we have given you (or where you have chosen) a password which enables you to access certain parts of our online services, you are responsible for keeping this password confidential and for complying with any other security procedures that we notify you of. We ask you not to share your password with anyone.

If you have any questions about our use of your personal data, you should first contact us via the details provided in section 11 below.

Under certain circumstances and in accordance with Kenya DPA, or other applicable data protection laws, you may have the right to require us to:

You have rights when it comes to how we process your personal data. These include rights to:

• Be informed about how we process your personal data.
• Access to your personal data that we hold in a machine-readable format.
• Object to the processing of your personal data.
• Seek correction of false and misleading personal data about you.
• Seek deletion of false and misleading personal data about you.
• Not be subjected to automated decision making without human intervention.
• Where processing is based on consent, withdrawing your consent so that we stop the processing.

To exercise your data subject rights or to enable another data subject to exercise their data subject rights, this can be done through the data subject rights forms which are available on Centum RE’s website.

Under the Kenya DPA, and other applicable data protection laws, you have to right to access, correct, delete, or object to the processing of your personal data, as well as withdraw consent, or object to automated processing of your data. This section provides Data Protection Forms that allow you to exercise your data projection rights as outlined in the DPA:

1. Consent Form
2. Right to request for the rectification of personal data
3. Right to request for the objection of processing personal data
4. Right to request for data portability
5. Right to request for access of personal data
6. Right to object to automated decision-making
7. Right to request for the deletion of personal data

To complete your request, select and fill the most applicable form, and submit it along with any supporting documentation via email to dpo@centumre.co.ke, or in person/by postal mail to the address provided in section 11 below. We will process your request within 30 days of receipt, as required by law.

If you have any questions about this Notice or how we process your personal data, please contact us by sending an email to: dpo@centumre.co.ke or by writing to:

Data Protection Officer

Centum Real Estate Limited.

Two Rivers Mall Nairobi.

9th Floor, South Tower, Two Rivers,

P.O Box 10518 – 00100 Nairobi Kenya.

Centum RE reserves the right to amend this Notice at any time. All changes to this Notice will be posted on the Centum RE website.