1. Purpose
In our dealings with you, we are called upon to process your personal data. The purpose of this Privacy Notice is to explain to you:
- Who we are and how we may be contacted.
- The categories of personal data we collect.
- The purpose for which we collect your personal data and the lawful basis for such collection.
- The intended recipients of the personal data.
- Whether the supply of personal data is voluntary or mandatory.
- Your rights relating to your personal data being processed by us.
- The possible existence of automated decision making in respect of your personal data.
- The period for which we will store your personal data.
- Whether, and in what circumstances, we may transfer your personal information to another country, and the safeguards we have put in place in relation to such transfer; and
- How we conduct direct marketing.
2. Application
This Privacy Notice applies to any processing of your personal information by us, whether such information is provided to us through our website, by email, through the filling of forms (including employment-related ones), through the exchange of contractual documents, by letter or fax, verbally, or through any other means.
By entering into a business relationship with us, or by providing your personal data to us, you confirm that you are agreeable to the processing of your personal data in accordance with the terms of this Privacy Notice.
3. Technical terms
We have tried to use simple and plain English as far as possible in this Privacy Notice. However, data protection is a complex subject and the use of technical terms from time to time is inevitable. We have therefore set out below definitions of the technical terms we have used in this document:
“Personal data”: Any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing”: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as access to, obtaining, collection, recording, structuring, storage, adaptation or alteration, retrieval, reconstruction, concealment, consultation, use, disclosure by transmission, sharing, transfer, or otherwise making available, sale, restriction, erasure or destruction.
4. Who we are and how we may be contacted
Details about us and how we may be contacted are set out in the table found in the schedule of this Privacy Notice (the “Information Table”).
We have appointed a Data Protection Officer to monitor the adherence to data protection principles within our organisation. His name and contact details are also set out in the Information Table. You may wish to contact him if you have any query regarding this Privacy Notice or any other matter relating to your personal data.
5. The categories of personal data we collect
- Categories
The categories of personal data we collect are set out in the Information Table.
While we have attempted to make the list as exhaustive as possible, there is a possibility we may have omitted come categories due to the complexity of our organisation and the intricacies of our operations.
We encourage you to get in touch with our Data Protection Officer if you find that any of your personal data which we collect is not listed in this Privacy Notice. We will then endeavour to promptly amend this Privacy Notice accordingly.
- Personal data of children
We do not knowingly process data relating to a child under the age of 16, without the consent of his parents or guardians. If you are a child under the age of 16, please ensure that you (a) obtain the consent of your parents or guardians before providing such data to us; and (b) provide a record of such consent to us.
If you provide us with the personal data of another person, you are responsible for ensuring that such person is made aware of the information contained in this Privacy Notice and that the person has given you his consent for sharing his personal data with us.
- Sensitive personal data
Sensitive personal data are data pertaining to sensitive personal data: information revealing a person’s race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life or family affairs.
We do not collect any of your personal data which falls within the special categories of personal data, unless:
- the processing is based on your consent.
- the processing is necessary for the purposes of carrying out our obligations in accordance with the law.
- the processing is necessary for the purposes of exercising your specific rights in accordance with the law.
- the processing is necessary to protect your vital interests or those of any other person.
- the processing is necessary for the purposes of preventive or occupational medicine, public health such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices; or
- the processing is necessary for archiving purposes in the public interest or scientific and historical research purposes or statistical purposes.
The sensitive personal data which we may collect, in accordance with the above terms, are set out in the Information Table.
6. The purpose for which we collect personal data and the lawful basis for such collection
- Purpose
We collect personal data for a number of purposes, including:
- to provide services to our clients. You will find a brief description of the services we provide in the Information Table.
- to enter into contractual relationships with suppliers and service providers and execute such contracts.
- to keep a database of clients and potential clients to communicate with in respect of our services and matters related thereto.
- to comply with our legal obligations towards authorities, including tax authorities and regulators.
- to keep a database of candidates who have sent CVs to us, for potential future use.
- to keep appropriate employment-related information on employees.
- to provide facilities and benefits to our employees.
- for security purposes.
- to generate statistics and reports on different aspects of our business; and
- for such other purposes as may be related, directly or indirectly, to our business activities.
- Lawful basis
We only process personal data if at least one of the following conditions is satisfied:
- we have obtained your consent for the processing of your personal data for purposes explained to you.
- processing is necessary for the performance of a contract to which you are party or in order to take steps at your request to entering into a contract.
- in order to execute a legal obligation to which we are a subject.
- it is necessary for protection of your vital interests or those of any other person.
- it is necessary for the performance of a duty carried out in the public interest or in the exercise of official authority vested in us.
- it is intended for legitimate interests pursued by us or by a third party to whom the personal data are disclosed, unless the processing of personal data is unwarranted in any particular case having regard to the prejudice to the rights and freedoms or legitimate interests pursued by you. A non-exhaustive list of the legitimate interests pursued by us above is set out in the Information Table.
- it is carried out for research purposes upon authorisation by relevant institution.
7. The intended recipients of the personal data
The primary purpose of collecting your personal data is for our own uses, in connection with our business relationship with you. In this context, we may disclose your personal information to our collaborators, including our employees, consultants, advisors, directors, and service providers who need to access the personal data.
However, we may also be required to disclose your personal data to third parties to comply with our legal obligations. Such third parties may include regulators and local authorities, i.e. Rwanda Revenue Authority, Rwanda Social Security Board, etc.
8. Whether the supply of personal data is voluntary or mandatory
The provision of personal data is of course entirely voluntary. You are free to choose whether to provide your personal data to us or not. Please note however that if you choose not to provide your personal data to us, we may not be able to provide certain services to you or enter into a contractual relationship with you.
9. Your rights relating to your personal data being processed by us
The law confers upon you a number of rights relating to the personal data being processed by us. These rights are set out below. If you wish to exercise any of the said rights, we encourage you to contact our Data Protection Officer.
- Right to withdraw consent at any time
Where we process your personal data on the basis of your consent, you may withdraw such consent at any time. The withdrawal of your consent will not affect the lawfulness of any processing done by us prior to such withdrawal.
Please note that withdrawing your consent may result in us not being able to provide certain services to you or enter into a contractual relationship with you.
- Right of access
You may request a copy of the personal data we hold about you. Kindly ensure that such request is made in writing to our Data Protection Officer.
- Rectification, erasure or restriction of processing
You may also, at any time, request:
- to have any inaccurate personal data we hold on you corrected. This includes the right to supplement and/or update existing personal data provided to us.
- that we erase any personal data we hold on you where (i) such data is no longer necessary in relation to the purpose for which it was collected or processed; (ii) you have withdrawn your consent to us holding and processing such data and there are no other legal grounds for the continued processing; or (iii) you object to the processing and there are no other overriding legitimate grounds for the processing; or (iv) your personal data has been unlawfully processed.
You will understand that this right is not absolute and that it will not be applicable where the exceptions provided for by law apply, including where our processing of your personal data is necessary for the purpose of historical, statistical or scientific research purposes or for compliance with a legal obligation or for a task carried out in the public interest or for the establishment, exercise or defence of a legal claim;
- us to restrict processing of your personal data where (i) the accuracy of your personal data is contested by you. This restriction will apply for such period as may be necessary to enable us to verify the accuracy of the data; (ii) you deem the processing of your personal data to be unlawful and request us to erase or restrict the use of some of them; or (iii) you have objected to the processing of your data. Such restriction will apply pending verification as to our legitimate grounds to keep processing the personal data, despite your objection.
- Right to object
You have the right, at any time, to object to our processing of your personal data which causes or is likely to cause loss, sadness, or anxiety to you. Upon receiving such objection, we will stop processing your personal data, except where there are compelling legitimate grounds to continue such processing or where such processing is required for the establishment of a legal claim.
- Right to lodge a complaint
If you feel that we have not processed your personal data lawfully, please do feel free to contact us through our Data Protection Officer.
If you remain unsatisfied, you may lodge a complaint with the National Cyber Security Authority.
10. The possible existence of automated decision making in respect of your personal data
Unless one of the following exceptions apply, we will not process your personal data in such a way to subject you to a decision which produces legal effects concerning you or which significantly affects, you, based solely on automated processing, including profiling:
- where the decision is necessary for entering into, or performing, a contract between us;
- where the decision is authorised by a law to which we are subject, and which lays down suitable measures to safeguard your rights, freedoms and legitimate interests; or
- where the decision is based on your explicit consent.
11. The period for which we will store your personal data
The law provides that where the purpose for keeping any personal data has lapsed, we should destroy the data as soon as reasonably practicable.
We will keep storing your data for as long as is necessary:
- for us to fulfil the purposes we collected it for;
- for the performance of any contract which may exist between us;
- for us to share with you the latest news regarding our organisation and our services;
- for us to keep a record of your preferences in order to service you again on future occasions;
- for us to satisfy any legal requirement, including statutory reporting and record-keeping obligations;
- for the keeping of adequate records for historical, financial or statistical purposes;
- for security purposes;
- for the prevention of fraud and abuse; and
- for us to defend or enforce our rights.
We wish to draw your attention to the fact that (a) tax and other statutory records need to be maintained by us for at least 10 years; (b) the legal prescription period in Rwanda (i.e. the period during which one party may sue another after the happening of an event) is 5 years for certain civil matters. Depending on the nature of our relationship with you, we may, in this context, also choose to keep your personal data for at least the legal prescription period in order to be able to defend or enforce our rights. We may also keep your personal data for a period of at least 15 years following the end of our relationship with you to defend ourselves against potential litigation, including to establish that any prescription period applies.
In some circumstances, we may anonymise your personal data by pseudonymisation or encryption, such that the personal data can no longer be associated with you, for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
12. Whether, and in what circumstances, we may transfer your personal information to another country, and the safeguards we have put in place in relation to such transfer
Please refer to the Information Table in Annex A.
13. How we conduct direct marketing
You may from time to time receive communication of advertising or marketing material from us (“Direct Marketing”) if:
- you have given your consent;
- you asked for a quote or other information on us;
- you have, at any time, purchased goods or services from us and have not opted out of receiving advertising or marketing material;
- you have entered into a contractual relationship with us; or
- you have provided us with your personal data when you entered a competition or registered for a promotion.
You have the right, at any time, to object to the processing of your personal data for direct marketing purposes. Where we receive such an objection from you, we will stop processing your data for direct marketing purposes.
14. Queries
If you have any queries on this Privacy Notice, we encourage you to get in touch with us through our Data Protection Officer.
Annex A
The Information Table
Who we are | Crystal Ventures Ltd and its subsidiaries |
Our contact details | R KN 3 Av-No 2, 4th Floor, Grand Pension Plaza, P.O. Box 1287 Kigali, Rwanda |
Our Data Protection Officer and his/her contact details | The Data Protection Officer
Email: dpo@isco.co.rw Phone: (+250) 788309017/18 |
The categories of personal data we collect (including the sensitive personal data) | Please refer to Annex B below. |
Our services | The Organisation operates in diverse sector of activities including Construction, Aviation, Food Processing, Investment, Forestry, Logistics, Event Management, Trading, Security, Manufacturing, and Minerals. |
Legitimate interests | Please refer to Annex C below. |
Details on transfer of personal data to another country | CVL and its subsidiaries commit to transfer personal data outside Rwanda lawfully only if required and necessary, after seeking approval from NCSA for the transfers and ensuring adequate security measures have been implemented to secure the transfer. |
Annex B
The categories of personal data we hold
Categories of personal data | Examples |
Identity | – First name
– Last name – Username or similar identifier – Marital status – Job title – Date of birth – Signature |
Contact details | – Email address
– Telephone numbers – Address – Identity card number |
Financial | – Payment details
– Bank details – Invoice details |
Transactional | – Payments to and from you
– Services purchase history |
Technical | – Internet Protocol (IP) address
– Login data – Browser type and version – Time zone setting and location – Browser plug-in types and versions – Operating system and platform – Other technology on the devices used to access our website – Traffic data |
Preferences and interests | – Not applicable |
Usage | – Information about how you use our website and service |
Additional information we collect if your relationship with us is an HR-related one (solicitation, recruitment, or employment) | – Qualifications
– CVs – Records of past employment – Employment records, including remuneration details, attendance records, performance-related information – Fingerprints, since we operate a fingerprint-based access system for employees |
Sensitive personal data | – Fingerprints (for the purposes of operating a fingerprint-based access system for employees)
– Criminal records, including certificate of character (for HR purposes and to meet our obligations towards the authorities) – Health records (if you are an employee and are or wish to become a member of our pension fund) |
Others | – Photographs
– Videos, including where we operate CCTV surveillance systems |
Annex C
Legitimate interests pursued by us
- General Business Operations
- Security Services: Protecting the business and its customers supported by tech-based solutions.
- IT Infrastructure and Information Security: Ensuring the security of IT systems and network infrastructure.
- Direct Marketing: Sending promotional communications to customers about relevant products or services.
- Business Analysis and Improvements: Utilising data analysis for market research, performance analysis, and business strategy development.
- Legal Compliance and Enforcement: Processing data to comply with legal obligations or defend against legal claims.
- Internal Administration and Operations: Sharing data within the Organisation for effective business management.
- Client Relationship Management: Managing and maintaining customer relationships, including feedback and communication.
- Employee Safety: Ensuring employee health and safety in the workplace.
- Public Safety and Legal Proceedings: Assisting with law enforcement and public safety efforts and participating in legal proceedings.
- Product Development and Enhancement: Innovating and improving products or services based on customer data and feedback.
- Property Protection: Monitoring and protecting physical and intellectual property.
- Debt Recovery: Recovering debts and managing financial transactions.
- HR-Related Matters
- Employee Management and Administration: Managing employment-related activities like payroll, benefits, and employee records.
- Recruitment and Hiring: Conducting recruitment processes, including candidate assessment and background checks.
- Training and Development: Identifying and providing employee training and career development opportunities.
- Workplace Safety and Compliance: Maintaining workplace health and safety and complying with relevant laws.
- Internal Investigations and Compliance: Investigating internal compliance issues or misconduct.
- Restructuring and Redundancy Processes: Managing organisational changes, including mergers, acquisitions, and redundancies.
- Employee Relations: Addressing employee grievances, disputes, and disciplinary actions.
- Workforce Analytics: Analysing workforce data for HR strategy and planning.
- Exit Management: Handling processes related to employee departures.
- Additional Considerations
- Research and Development (R&D): Using data for research and development to innovate and improve products or services.
- Customer Service Improvement: Enhancing customer service quality through feedback and interaction analysis.
- IT Systems Management: Managing and optimising the use and performance of IT resources.
- Legal Rights Protection: Protecting the legal rights of the business, including intellectual property rights and contract enforcement.
- Supply Chain Management: Optimising supply chain operations and relationships with suppliers.
- Emergency Response Planning: Planning and responding to emergencies to protect employees, customers, and business operations.