DATA SHARING AGREEMENT

This Agreement is entered into between the Company and yourself and between yourself and the other party in the Ajira Biashara online marketplace with respect to the use, processing, retention and storage of your personal data within your use of the Ajira Online Platform (marketplace).

WHEREAS:

1. The Parties have entered into an agreement that may include sharing Personal Identifiable Information hereinafter referred to as “Personal Data” or “Shared Personal Data” which is protected by Data Protection Legislation.
2. In order for the Parties to fulfil their obligations under the Ajira Online Platform, they shall be required to process personal data, whilst they jointly determine the purposes and means of processing of personal data as joint data controllers.
3. Each Party acknowledges that in exercising its role as a data controller (Data Discloser) it will, as necessary, disclose to the other Data Recipient) the shared Personal Data collected by either party for the agreed purposes.

1. Definitions and Interpretation

Agreement:                    this Data Sharing Agreement.

Business Day:                  a day other than a Saturday, Sunday or public holiday in Kenya.       

ODPC:                              the Office of the Data Protection Commissioner.

Data Discloser:                   Either Party that shares personal data with the other Party.

Data Recipient:                  Either Party that receives personal data from the other Party

Data Protection

Legislation:                      means the Data Protection Act, Cap. 411C Laws of Kenya; the Data Protection (General) Regulations 2021; the Data Protection (Complaints Handling and Enforcement Procedures) Regulations) 2021; and the Data Protection (Registration of Data Controllers and Data Processors) Regulations as amended from time to time, and any legislation implemented in connection with the aforementioned legislation. This includes any replacement legislation coming into effect from time to time.

Data Security Breach:          a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Data Subject                     means an individual/person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, etc.

• Scope

The purpose of this Data Sharing Agreement is to lay down the rights and obligations related to sharing and processing of Personal Data by both Parties in relation with the services under the Ajira Online Platform.  This Data Sharing Agreement shall be deemed to take effect from the effective date and shall continue in full force and effect until termination of the Agreement.

• Processing of the Personal Data

• Each Party agrees to process the Personal Data only in accordance with Data Protection Legislation and as per this Agreement.

• Both Parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a Party’s obligations or rights under the Data Protection Legislation.

• The Parties acknowledge that the Data Recipient shall process Personal Data on behalf of the Discloser during the term of this Agreement. 

• The Parties declare that they have the means enabling them to process and protect Personal Data they are processing, including information systems meeting the requirements of the appropriate level of security required.

• Each Party will fully adhere to the applicable Data Protection Law(s) with respect to obligations and responsibilities of data controllers. In particular, the parties shall:
  • Exercise due diligence in processing Personal Data and process Personal Data pursuant to this Agreement, and the provisions of Data Protection Law(s) and
  • Restrict access to Personal Data only to persons who need the access to Personal Data for the purposes of this Agreement, provide those persons with relevant authorizations, offer relevant training on personal data protection and ensure confidentiality of Personal Data
  • processed thereby, both during and after their employment or other engagement with the respective party.

• To the extent that the Data Discloser and the Data Recipient Share Personal Data in connection with this Agreement, each Party shall:
  • Solely process the Personal Data for the purposes of fulfilling its obligations under the Partnership Agreement and in compliance with the Data Protection Act, Cap. 411C;
  • Notify either Party immediately if any instructions of the other Party relating to the processing of Personal Data are unlawful;
  • Maintain a record of its processing activities;
  • Either Party shall ensure compliance with the obligations set out in the Data Protection Legislation taking into account the nature of the data processing undertaken.

• International Data Transfers

Each Party shall comply with the Data Protection Legislation in relation to transfers of Personal Data to a Country outside Kenya.

• Staff Confidentiality

Each party shall ensure that any persons used by the Processor to process Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data and shall ensure that only such persons who have undergone appropriate training in Data Protection Legislation and in the care and handling of Personal Data are appointed to process Personal Data;

3.9 Security Measures

Each party shall implement appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of or damage to Personal Data taking into account the harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the Personal Data to be protected including without limitation, all such measures that may be required to ensure compliance with the Data Protection Legislation.

3.10      Data Subject Rights

• Each Party shall promptly notify the other if it receives a request from a Data Subject (Data Subject Access Request) under any Data Protection Legislation in respect of Personal Data;
  • Ensure that it does not respond to the Data Subject Access Request except on the documented consensus of the other Party or as required by applicable Data Protection Legislation to which the other Party is subject, in which case the Party to whom the request has been made shall to the extent permitted by applicable Data Protection Legislation inform the other Party of that legal requirement before any response to the Data Subject Access Request;
  • Taking into account the nature of the data processing activities undertaken by each Party, provide all possible assistance and co-operation (including without limitation putting in place appropriate technical and organisational measures) to enable the Data Controller to fulfil its obligations to respond to requests from individuals exercising their rights under the Data Protection Legislation.
    
    

       3.11 Data Protection Impact Assessments

Each Party shall conduct its own Data Protection Impact Assessments in relation to their data processing activities.

       3.12    Deletion or Return of Data

3.12.1    Upon termination of this Agreement, each Party shall as long as is necessary under law or as permitted by the data subject retain copies of the Personal Data. 

3.12.2 In the event that the Personal Data is deleted or destroyed by either Party as a result of a joint decision to do so, either Party shall supply the other with a certificate of destruction evidencing that the Personal Data has been destroyed or deleted.

•   Audits

Each Party shall share all information necessary with the other to demonstrate compliance with the obligations set out in this Agreement and allow for and contribute to audits, including inspections, conducted by or on behalf of either party or by the ODPC.

•  Neither Party shall transfer any Personal Data outside of Kenya unless consent has been obtained from the other and the following conditions are fulfilled:
  • Each Party has provided appropriate safeguards in relation to the transfer;
  • The Data Subject has enforceable rights and effective legal remedies;
  • Each Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
  • Each Party complies with reasonable instructions notified to it in advance by the other with respect to the processing of the Personal Data.

• General Terms

• Indemnity

Each Party shall indemnify the other from and against all costs, expenses (including legal and other professional fees and expenses), losses, damages, and other liabilities of whatever nature (whether contractual, tort or otherwise) suffered or incurred by the other and arising out of or in connection with any breach by either Party or respective processors or Sub-Contractors of this Agreement.

• Breach Identification and Notification

Each Party shall notify the other without undue delay of becoming aware of a Data Security breach if:

• A Party or their Sub-Contractor engaged by, or on behalf of, the Party suffers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data; or
  • A Party, their Sub-Contractor engaged by, or on behalf of the Party receives any Data Security Breach notification, complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either Party’s compliance with the Data Protection Legislation.

(And in each case the Party shall provide full co-operation, information and assistance to the other in relation to any such Data Security Breach, compliance notice or communication.)

In respect to compliance reporting: –

• A Party with whom a personal data breach was committed or from whom the reason for the breach originates is responsible for notifying the personal data breach to the Data Protection Commissioner.
  • If a personal data breach is likely to result in a high risk to the rights and freedoms of the Data Subjects a Party with whom the personal data breach was committed, or from whom the reason for the breach originates is responsible for communicating the personal data breach to the data subjects affected.

• Confidentiality

Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that disclosure is required by law or the relevant information is already in the public domain.

• Governing Law and Jurisdiction

5.1 This Agreement is governed by the Laws of Kenya.

• Dispute Resolution
  • Any dispute arising under this agreement may be settled by way of negotiation and mediation between the parties or their duly appointed representatives and which negotiations should be concluded within 14 days of declaring of a dispute by either Party.
  • Should such negotiations fail, either party may refer the matter to a court of competent jurisdiction.

• Termination

7.1      This Agreement may be terminated by either Party giving not less than three (3) months written notice to the other party or upon termination of the underlying service agreement.

7.2   On termination of this agreement for whatever reason, both Parties  shall cease to process the personal data and confidential information and shall arrange for the prompt and safe return of all of the personal data and confidential information, processed under the terms of this agreement to the other , together with all copies of the personal data in its possession or control or that of its agents or contractors, within such time and by such secure means as the other Party shall provide for in writing at the time of termination of the agreement.

7.3     On termination of this Agreement, the Parties jointly agree to the deletion of data still held by the other, then the Party is required to provide certificate of destruction as evidence to support the deletion activity within the timeframe jointly specified by the Parties.

7.4     Termination of this Agreement shall not affect any rights or obligations of either Party which have accrued prior to the date of termination and all provisions which are expressed to, or do by implication, survive the termination of this Agreement shall remain in full force and effect.

• Variation of Agreement

In the event any of the provisions in this Agreement are to be modified after the Agreement has been signed, the modifications shall not be effective, until they are made in writing and signed by the authorized representatives of the Parties

• Force Majeure
  • Neither Party shall be liable to the other Party nor deemed in default or breach of this Agreement with respect to the occurrence of a “force majeure” event, which materially interferes with the ability of a Party to perform its obligations hereunder and which is not within the reasonable control of the affected Party.

• Force Majeure events include, but are not limited to acts of terrorism, global pandemics, epidemics, wars, national emergencies, prohibitive government regulations, strikes, earthquakes, fires, “acts of God” or any other cause(s) beyond the control of the Parties.

• The Party subject to a Force Majeure event shall promptly notify the other Party of the occurrence and particulars of such Force Majeure event and shall provide the other Party its best estimate of the duration of such Force Majeure Event and notice of termination thereof.

1. Notices

All notices or other communications given to a Party under or in connection with this Agreement shall be in writing.

1. Liability for Default

 If  a Party (“the Defaulting Party”) constitutes a default due to direct or indirect violation of any terms of this Agreement or failure to promptly and fully assume its obligations under this Agreement, after the occurrence of the default, the other party(the observant party) shall be entitled to request in writing the defaulting party to rectify the default and take sufficient, effective and timely measures to eliminate the consequences of the default, and compensate the observant party for the losses incurred as a result, including but not limited to economic loss and reputation damage. If the defaulting party fails to rectify its default within a reasonable timeline of receipt of the above notice of default by the observant Party, the observant Party shall be entitled to terminate this Agreement by notifying the counterparties in writing and require the defaulting Party to compensate for the losses.

1. Representations and Warranties

Each Party states, represents and warrants to the other Party as follows:

12.1 The Party has all necessary powers, licenses and authority to execute and deliver this Agreement and perform its obligations under this Agreement.

12.2 The Party has obtained all necessary official authorizations from its company, other party and regulators to execute and deliver this Agreement and perform its obligations under this Agreement.

12.3 The Party’s execution of this Agreement or performance of its obligations under this Agreement is not in violation of or in conflict with any other agreements it has entered into.

1. Miscellaneous provisions

1. With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and the Principal Agreement, the provisions of this Agreement shall prevail with regard to the Parties’ Data Protection obligations for Personal Data and/or Sensitive Personal Data of a Data Subject.

1. Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.