DTOS GROUP – DATA PRIVACY NOTICE
This Data Privacy Notice (‘Notice’) has been prepared in accordance with the prevailing data protection laws (including the EU General Data Protection Regulation) and adapted to such legal requirements provided therein.
DTOS Group, comprising of entities operating in Mauritius, Kenya, Uganda and UAE (jointly referred as ‘DTOS’), hereby informs you as data subject on its commitment towards ensuring compliance with the provisions under the applicable data protection laws. Security in terms of data handling and safeguarding remain one of the critical aspects of operation onto which DTOS management is putting much emphasis. Consequently, this Notice is being circulated, providing details on your respective rights and the qualifying measures in line with the governing data privacy laws.
1.2 Information Processing Activities
Pursuant to the legal provisions under the applicable laws and relative to its distinct processing activities, DTOS handles different categories of data, as described below:
- As a licensed and regulated service provider in the respective country of operation, DTOS is required to perform due diligence checks on its clients. For this exercise, you are requested to provide, through our website, email and/or by courier, specific documents and personal information to DTOS for processing purposes, which may include the application for a licence, opening of a bank account, for ongoing monitoring in view of updating existing records, transaction processing and also for reporting purposes to the competent authorities, as shall be applicable.
- By this virtue, the data processing activities of DTOS as a service provider are regarded as lawful processing and thus there is no need for prior consent. On an objection to processing or complaint in relation to DTOS data processing activities, we have an internal system in place where such issues are to be entertained in a timely manner. Refer to Section 1.10 below.
- The above process is also applicable to the DTOS Human Capital function, whereby qualitative data from candidates applying for a vacant position are processed and maintained in compliance with the DTOS data protection policies.
- In line with its sales, Marketing and communication strategy, DTOS maintains a mailing list, not limited to its pre-existing clients, to whom timely alerts and media releases are sent by email. However, with the consent principle being mandatory for this processing activity, prior to sharing any DTOS related materials, the clients, potential leads and/or other business partners, are advised on their right as data subject. Any existing subscriber opting at any particular point in time to no longer receive such notifications from DTOS, provisions have been made for the latter to ‘Unsubscribe’ and necessary measures will be taken accordingly.
1.3 Source of Information
Under its mandate as service provider, DTOS requires you to provide specific due diligence documents for the purpose of completing the ‘Know Your Client’ process. While the documents provided are to be used to complete the checklist of documents, we also rely on renowned reference databases for conducting independent profile checks. Since the independent review is performed internally, we confirm that none of your personal data are transmitted to third party service provider(s), except on formal request from the regulatory authorities in DTOS’ country of operation.
1.4 Transfer of information
As regard to the handling of your personal data maintained at DTOS, it is ensured that same are to be used strictly for such intended purposes and under such agreed terms. However, where specific derogations shall apply, you will be informed accordingly on the data transfer.
On an information note, DTOS wish to highlight that as at date, our information systems are currently located in Mauritius, Dublin Ireland, Johannesburg, South Africa and in Cape Town, South Africa. Nevertheless, appropriate risk mitigation and security measures, not limited to the use of sophisticated anti-virus and anti-spam tools has been provided. Should there be any change in the current arrangement, this section shall be amended accordingly.
Binded by the legal obligation to preserve confidentiality on such data records being maintained and processed at its level, DTOS has defined and adopted a set of internal control and risk management policies. Those policies, adapted to the corporate governance principles and prevailing laws have been duly implemented and are strictly adhered to by DTOS staff.
To ensure compliance with the requirements as provided under the data protection laws, specific data security measures have been taken, with qualified persons being designated for the enforcement of the data protection framework.
For any breach of confidentiality by DTOS staff, DTOS management has provided for disciplinary sanctions while any breach at the client or data subject’s level shall entail in the termination of the business relationship.
1.6 Rights of Data Subjects
As per the provisions under the applicable data protection legislations, you as the data subject have the following rights which have been considered by DTOS in the designing of the applicable data protection process:
- Right to access: For information provided to DTOS, you are allowed to make written request for an update or any specific information required at your end and same will be entertained by DTOS. However, the process of entertaining such request includes an assessment of the type of information requested, rationale and recipient. DTOS shall only execute the transfer in the event where it is satisfied with its observations. A fee may be charged under specific circumstances;
- Right to rectify: Since it is a shared responsibility to ensure that records are kept up to date, you may advise DTOS to amend your personal details, as and when the need be. Any non-disclosure of amended particulars may be considered as a breach and necessary actions can be initiated by DTOS;
- Right to erase, restrict processing, object: Pursuant to the provisions under the data protection laws, these rights have been assigned to you as data subject. While being in conformance with our legal obligations, we will attend to your request and shall provide you with our comments, as and where applicable.
Any request to access your personal data maintained at DTOS will be assessed individually and shall not be subject to a charge. However, in the event that such requests are exhaustive in terms of processing, a fee may be charged. Additionally, where DTOS, as a responsible data processor is not satisfied with the rationale for data transfer or as a result of being unfounded, it will not entertain the request. Each request will therefore be assessed individually.
1.8 Data Retention Policy
Your data and information gathered by DTOS are to be used solely for such intended purpose and are to be recorded in both physical and electronic format at DTOS. For this purpose, a secured filing cabinet and an efficient database system has been put in place.
Except where otherwise provided under the governing laws, DTOS shall keep in its records your data and information for such additional period specified after the engagement has been terminated. We however warrant that all the security measures will be applied during that period of retention.
We have a secure Information Technology platform with a proper back up and disaster recovery system. Our database management system meets the recommended criteria in terms of risk management and to ensure consistency, it is serviced and maintained in a timely manner.
Additionally, specific policies and procedures are in place to ensure an effective use of the tools and infrastructure made available to staff for the handling and processing of your data.
On an information note, should you wish to clear cookies accepted on previously accessed websites, you may visit www.allaboutcookies.org for necessary procedures to be followed.
1.10 Contact Us
The Data Protection Officer
10th Floor, Standard Chartered Tower
19 Cybercity, Ebène
Tel: (+230) 404 6000
Fax: (+230) 468 1600
In case you are not satisfied with the way DTOS has handled your data and/or you are not satisfied with the justification provided by DTOS’ Data Protection Officer in respect to the perceived data breach, you may opt to lodge a formal complaint with the Data Protection Commissioner (DPC) of Mauritius. Contact details of the DPC’s Office and relevant links are provided below.
The Data Protection Commissioner
Data Protection Office
5th floor, SICOM Tower
Tel: (+230) 460 0251
Fax: (+230) 489 7341