Effective: January 1, 2025
BioTrack Tech Limited is committed to protecting personal data in accordance with the Kenya Data Protection Act, 2019 (KDPA) and the Data Protection (General) Regulations, 2021. This policy explains how we fulfil our obligations as a data processor and, in some contexts, a data controller.
1. Roles and Responsibilities
BioTrack as Data Processor
When processing employee payroll data on behalf of your organisation, BioTrack acts as a data processor. Your organisation (the employer) is the data controller and is responsible for ensuring that employee data is collected lawfully and that employees are informed of how their data is used.
BioTrack as Data Controller
BioTrack acts as a data controller for data we collect directly — such as administrator account data, billing information, and usage logs.
2. Data Protection Principles
We adhere to the following principles under the KDPA:
- Lawfulness, fairness, and transparency: Data is processed lawfully, with a clear legal basis.
- Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes.
- Data minimisation: We collect only data that is necessary for payroll processing.
- Accuracy: We take reasonable steps to ensure data is accurate and kept up to date.
- Storage limitation: Payroll records are retained for 7 years per KRA requirements; other data is deleted when no longer needed.
- Integrity and confidentiality: Data is protected against unauthorised access, loss, or destruction using technical and organisational measures.
3. Categories of Personal Data Processed
BioTrack Payroll processes the following categories of personal data:
- Identity data: Full name, national ID number, KRA PIN
- Contact data: Email address, phone number
- Financial data: Salary, allowances, deductions, bank account details
- Government identifiers: NSSF number, SHA/NHIF number
- Employment data: Job title, department, employment date, leave records
- Tax data: PAYE calculations, tax relief claims, P9A/P10A records
4. Legal Bases for Processing
- Contract: Processing employee payroll data is necessary to fulfil the service contract.
- Legal obligation: Kenyan law (Income Tax Act, NSSF Act, SHA Act) requires employers to compute and remit statutory deductions.
- Legitimate interests: Security monitoring, fraud prevention, and service improvement.
5. Technical Security Measures
- All data in transit is encrypted using TLS 1.2 or higher with 256-bit cipher suites
- Passwords are hashed using bcrypt — plain-text passwords are never stored
- CSRF token protection on all forms
- Session-based authentication with automatic expiry
- Role-based access control separating admin and employee access
- Regular security monitoring for unauthorised access attempts
6. Organisational Security Measures
- Access to production systems is restricted to authorised BioTrack personnel only
- Staff with access to personal data are trained on data protection obligations
- Data processing agreements are in place with all third-party infrastructure providers
- Security incidents are logged, investigated, and reported as required by law
7. Cross-Border Data Transfers
BioTrack stores data on servers located in the African region where possible. Where data may be processed by infrastructure providers outside Kenya, we ensure appropriate safeguards are in place in accordance with Part VI of the KDPA, including standard contractual clauses or adequacy decisions.
8. Data Breach Notification
In the event of a personal data breach that poses a risk to data subjects, we will:
- Notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of the breach
- Notify affected data subjects without undue delay where the breach is likely to result in high risk to their rights and freedoms
- Document all breaches, including those not reported, in our internal breach register
9. Data Subject Rights
Under the KDPA, individuals whose data we process have the right to:
- Be informed about how their data is used
- Access their personal data
- Correct inaccurate data
- Request erasure (subject to statutory retention requirements)
- Object to processing
- Obtain a copy of their data in a portable format (data portability)
- Lodge a complaint with the ODPC at odpc.go.ke
Requests should be submitted to payroll@biotrack.co.ke. We will respond within 30 days.
10. Data Processing Agreement
As a data processor, BioTrack is willing to enter into a formal Data Processing Agreement (DPA) with enterprise clients as required under Section 45 of the KDPA. Contact us to request a DPA.
11. Contact — Data Protection Officer
For all data protection matters: