THE AERO CLUB OF EAST AFRICA
DATA PRIVACY POLICY

A. IMPORTANT INFORMATION

Welcome to the Aero Club of East Africa (“ACEA”, “we”, “us”, “our”) Data Privacy Policy.
We respect your privacy and are committed to protecting your information that is collected or disclosed to us (called “personal data” and explained below). Since we want to empower you to make the best decisions about your privacy and personal data, we have made this Privacy Policy as clear and transparent as possible to ensure that you understand your rights under the law. It is important that you read this Privacy Policy carefully and understand how we intend to use your personal data.
This Privacy Policy will inform you on how we collect, use, disclose, transfer, store or otherwise process your personal data when you interact with us. It will also inform you about your privacy rights and how the law protects you in accordance with the provisions of the Data Protection Act, 2019 (“the DPA”).
It is important that you read this Privacy Policy in conjunction with any other related privacy policy or privacy notice we may provide on specific occasions when we collect or process personal data about you, so that you are fully aware of how and why we are using your data. This Privacy Policy supplements such other privacy policy and privacy notice and is not intended to override them.
We will regularly review this Privacy Policy. This version was last updated on [ ].

B. WHO WE ARE

ACEA is the data controller in relation to the processing activities described below. This means that we determine the purpose and means of processing your personal data.
We are engaged in processing personal data belonging to our members about individuals as part of our operations. In some instances this may include sensitive personal data as defined in the DPA. This is primarily in order to run the operations of the ACEA Membership Application (the App) and to carry out our broader activities as a members club. The Membership Administration Department is responsible for our data protection function. You can find contact details for our Membership Administrator at the end of this Privacy Policy.

C. THE TYPES OF PERSONAL DATA THAT WE PROCESS

Personal data means any information that can be used to identify an individual natural person. There are “special categories” of personal data that are more sensitive and require a higher level of protection. The personal data we collect will vary according to the circumstances surrounding our relationship with you.
We may collect, use, store, transfer or otherwise process various types of personal data about you or persons connected to you. We have categorised the personal data, as follows:

(i) Information from our members:

We will collect your identity and contact details such as your name, date of birth, nationality, national identity card number or passport bio-data page copies, work address, work email, telephone number, job title and postal address.

We will collect sensitive personal data including your blood group and the names of your minor children.

(ii) Members of the public:

If you attend one of our events or correspond with us, we will collect your name, national identity or passport number, telephone number, email address, social media handles and in some instances, the nature of your complaint against one of our members (if any). Please note that when you correspond with us, the personal data we process about you is required to assist you with your enquiries.

If you wish to access our premises, we will process your name, national identity or passport number, the purpose of your visit, your telephone number, email address and your body temperature. Please note that we have CCTV cameras installed throughout our premises for security and safety purposes.

(iii) General:

If you visit our website and social media sites

If we require information about other people connected to you, we may request you to provide such information in relation to those people. If you provide information about another person, we expect you to ensure that they are aware of your actions and consent to the disclosure of their information to us. It might be helpful to show them this Privacy Policy and encourage them to contact us if they have any concerns.
What happens if you fail to provide the requested personal data?
If you do not provide us with the requested personal data needed to meet our legal obligations and for our operational purposes, we may not be able to provide you with the services you require. In some instances, we may be forced to cancel a service you currently have with us but we will notify you if this is the case at that time.
Third parties that we contract with are also obliged to provide personal data to us. Failure to provide this personal data may result in the termination of your contract/relationship with us; however, we will notify you within reasonable time and according to the terms of your contract if this is the case.

D. HOW DO WE COLLECT YOUR PERSONAL DATA?

We may collect or receive your personal data in a number of different ways:
Where you provide the personal data directly to us, for example by:

  1. corresponding with us by phone or email;
  2. completing a form or events attendance lists to participate in our initiatives;
  3. using our mobile applications, e.g., the ACEA Mobile Application;
  4. registering for any of our newsletters or attending any of our events; or
  5. entering into a contract with us.

Where we receive the personal data from our members, such as when you work for a member firm or are insured by a member firm;
From third parties, such as people who work on our behalf, whether as a paid consultant or on a volunteer basis on our boards and/or committees; from individuals who have registered you for an event; or from event organisers who are involved in organising or contributing to ACEA events; and
From publicly available sources including but not limited to internet search engines, public records and registers and social media accounts (e.g. Facebook, LinkedIn and Twitter).

Generally, you have no obligation to provide us with your personal data, but if you do not provide us with the information we need, we may be unable to assist and work with you. We will seek to minimise the amount of information we request to only that which is needed to perform the relevant function or service at the time.

E. HOW DO WE USE YOUR PERSONAL DATA?

The DPA sets out the lawful legal bases which allow us to collect and process your personal data. For ACEA, these are:

Legal Ground of Processing: Consent (Please note that you have the right to withdraw your consent at any time)
Details: Subscription to the use of the Club Application; use through the Customer Relations Management Apps, e.g., Mailchimp; subscribing to be included in our email campaigns.

Legal Ground of Processing: Performance of our contract with you
Details: Such as: when you enter into a contract with us for the supply of specific goods and services; or to administer your ACEA membership where you are a representative of one of our members.

Legal Ground of Processing: Compliance with a legal obligation
Details: Such as when: conducting compliance due diligence; filing regulatory reporting; or where relevant regulatory authorities wish us to maintain certain records of any dealings with you.

Legal Ground of Processing: For our legitimate interests (Please note that we will use this legal basis where our legitimate interests are not overridden by your fundamental rights and freedoms).
Details: Such as by: maintaining our records; administering and managing your membership; responding to complaints and queries concerning our members; organizing events and trainings in connection with the ACEA; personalising your experience and use of our websites; and sending you important notices such as changes to our terms, conditions and policies or unusual activity with respect to any of your accounts with us.

Legal Ground of Processing: To establish, exercise or defend our legal rights
Details: Such as when we are faced with any legal claim or where we want to pursue any legal claims.

Legal Ground of Processing: Protection of vital interests
Details: This is where we receive your personal data from third parties; we may use it to validate the information you have provided to us or for fraud prevention purposes.

In the instances where we rely on your express consent to use your personal information, we will provide you with the means to withdraw your consent.
Please note that we will use your personal data solely for the purposes for which it was acquired, unless we reasonably believe that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis, which allows us to do so.

F. WHO DO WE SHARE YOUR PERSONAL DATA WITH?

We will disclose your personal data to:
third parties such as [please insert]. We will do this for the effective performance of your membership contract with us, and/or so that we can comply with any legal obligations;
fellow attendees, sponsors of an event or speakers of an event: if you sign up to attend one of our events, we may share your name and the name of your employer or organisation solely for their information;
our external service providers where we outsource certain functions, including but not limited to, our IT and office systems; administrative services providers; and research companies (who may contact you to gather information relating to the aviation sector and on topical, policy and strategic issues facing the aviation sector). We will only disclose personal data to our external service providers when it is essential for them to provide their service and we have a contract in place that requires them to keep your information secure and not to use it other than in accordance with our specific instructions;
public authorities or governments when required by law, public interest, national security, regulation, legal process or enforceable governmental request;
establish, exercise or defend our legal rights including providing information to others and/or in connection with any ongoing or prospective legal proceedings.
In all the cases cited above, we require all parties we share your personal data with to respect the security of your personal data and treat it in accordance with the law. Please note that we do not allow our external service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

G. CROSS BORDER TRANSFER OF PERSONAL DATA

Where we transfer your personal data outside Kenya, we will ensure that adequate steps are taken to protect your privacy rights and your personal data. These steps include:

obtaining your consent for the transfer of your personal data outside Kenya;

providing proof to the Data Protection Commissioner of the appropriate safeguards taken to protect your personal data. Such safeguards may include placing the third party under contractual commitments to protect the personal data with adequate standards as well as transferring the personal data to jurisdictions with commensurate levels of protection to ours; and

entering into a written agreement with the third party and ensuring that your rights are safeguarded.

DATA SECURITY

We have put in place appropriate physical and technical measures to safeguard your personal data
from being accidentally lost, used or accessed in an unauthorised way. For example, we will store your
personal data on computer servers with limited access and when we transmit your personal data, we
will protect it using encryption.
In addition, we will limit access to your personal data to those employees, agents, contractors and other
third parties that require it for legitimate business purposes. They will only process your personal data
on our instructions and they are subject to a duty of confidentiality. However, please keep in mind that
while we will take appropriate measures to protect your personal data, no website, product, device,
online application or transmission of data, computer system or wireless connection is absolutely secure
and therefore we cannot fully guarantee the security of your personal data.
We have established procedures to deal with any suspected personal data breach and will notify you
and any applicable regulators of a breach where we are legally required to do so.

H. THE RETENTION AND STORAGE OF YOUR PERSONAL DATA

Through this Privacy Policy, we aim to meet the following commitments with our data retention practices:
to comply with legal and regulatory requirements on data retention;
to comply with our data protection obligations, in particular to keep personal data no longer than is necessary for the purposes for which it is processed;
to handle, store and dispose of data responsibly and securely;
to create and retain data where necessary to operate our business effectively;
to allocate appropriate resources, roles and responsibilities to data retention;
to regularly remind employees of their data retention responsibilities; and
to regularly monitor and audit compliance with this policy and update this policy when required.
We will only retain your personal data for as long as may be reasonably necessary to fulfil the purpose for which it was collected, including to comply with any legal, regulatory, tax, accounting or reporting information requirements.

Type of Personal Data: All records relating to our members and their representatives such as attendance lists
Retention Period: Retain 7 years after the conclusion of the membership of the relevant member.

Type of Personal Data: All records relating to contracted third parties
Retention Period: Retain 7 years after conclusion of the contract.

Type of Personal Data: All records relating to third parties
Retention Period: Retain 7 years from the date of the conclusion of the interaction with the third party.

Type of Personal Data: All records relating to members of the public
Retention Period: Retain 7 years from the date we interacted with the member of public.

Type of Personal Data: Personal data obtained from us tracking your use of our websites such as cookies
Retention Period: There is no set period in law but the personal data should not be retained indefinitely.

Notwithstanding the retention periods set out above, we may retain your personal data for a longer period if the retention is:
required or authorised by law;
reasonably necessary for a lawful purpose;
authorised or consented to by you;
for personal data that has been anonymised; or
for historical, statistical, journalistic, literature and art or research purposes.

I. YOUR LEGAL RIGHTS

ACEA will collect, store and process your personal data in accordance with your rights under the DPA. Under the DPA, you have the following rights:
(i) to be informed of the use to which your personal data is to be put as we have endeavoured to outline in this Privacy Policy;
You have the right to be informed about the collection and use of your personal data. This entails us providing you with information regarding the nature, scope, purpose of processing, the retention period and the person we will share your personal data with.
(ii) to request access to your personal data that we hold about you;
You are entitled to confirmation of whether we are processing personal data, to obtain a copy of your personal data, as well as information about our purposes of processing and our various modes of processing the personal data.
(iii) to object or restrict the processing of all or part of your personal data;
You can object to how we process your personal data or you can restrict how your personal data is processed in certain cases, such as when the accuracy of your personal data is contested and you require us to verify the accuracy of the personal data.
(iv) request for your personal data to be transferred to another data controller or data processor;
Please note that where we provide information to another data controller or data processor in response to your request, we will not be responsible for any subsequent processing carried out by the receiving data controller or data processor. We will however be responsible for the transmission of the data and we will take appropriate measures to ensure that it is transmitted securely and to the right destination.
(v) request that we amend any false or misleading data we hold about you; and
If you believe the personal data we hold about you is false, inaccurate, misleading and incomplete, you can request us to amend it.
(vi) request that we delete any false or misleading data that we hold about you.
Please note that this right will be balanced against other factors such as our legal and regulatory obligations which may mean that we cannot comply with your request.

J. ENFORCING YOUR RIGHTS

If you wish to enforce any of your rights indicated above in clause I, please contact us on our details in clause K below.
Kindly note that you will not be required to pay a fee to exercise any rights set out in clause I above. However, we reserve the right to impose a reasonable fee where your request is clearly unfounded or excessive and where we are permitted to do so by the DPA. Alternatively, under specific circumstances that we will convey to you, we may refuse to comply with the request. We will respond to your request without undue delay and no later than the time periods stipulated by the DPA.

K. CONTACT US AND FURTHER INFORMATION

If you have any queries, questions or concerns at all in relation to your personal data and how we protect your data rights, please contact us at:
Our email address for data protection queries is admin@aeroclubea.com
If you would prefer to speak to us by phone, please call the Membership Admin on 0722 205 936.
It is important that you check this Privacy Policy frequently for updates, as we may make changes from time to time. The “Date last updated” section at the bottom of this page indicates when this Privacy Policy was last updated and any changes take effect upon our publishing of the revised Privacy Policy.
We will, however, notify you if these changes are material and, where required by applicable law, we will obtain your consent. We will notify you of these changes by email or by posting a notice of the changes on our website.