Data Protection

Understanding your data rights and how we protect your personal information.

Last Updated: January 1, 2026

1. Overview

OnLocum is committed to protecting your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the Kenya Data Protection Act 2019.

This Data Protection Policy explains your rights regarding your personal data and how we fulfill our obligations as a data controller.

Applicable Regulations

  • General Data Protection Regulation (GDPR) - EU
  • Kenya Data Protection Act 2019
  • African Union Convention on Cyber Security and Personal Data Protection

2. Data Controller

OnLocum Limited is the data controller responsible for your personal data. This means we determine the purposes and means of processing your personal data.

Data Controller: OnLocum Limited

Registered Address: Nairobi, Kenya

Registration Number: [Company Registration Number]

4. Your Data Rights

Under the GDPR and the Kenya Data Protection Act 2019, you have the following rights regarding your personal data:

4.1 Right of Access

You have the right to request a copy of the personal data we hold about you. We will provide this within 30 days of your request.

4.2 Right to Rectification

You have the right to request correction of inaccurate personal data or completion of incomplete data.

4.3 Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the original purpose.

4.4 Right to Restrict Processing

You have the right to request that we limit how we use your data in certain circumstances.

4.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

4.6 Right to Object

You have the right to object to processing of your personal data in certain circumstances, including direct marketing.

4.7 Right to Withdraw Consent

Where we rely on consent as the legal basis for processing, you have the right to withdraw that consent at any time.

How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer at privacy@onlocum.com. We will respond within 30 days.

5. International Data Transfers

OnLocum operates across multiple African countries and uses cloud services that may store data internationally. When we transfer your data outside Kenya or the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved standard contractual clauses with service providers
  • Adequacy Decisions: We transfer data to countries with adequate data protection laws
  • Binding Corporate Rules: Our corporate group follows approved binding corporate rules

Cloud Service Providers

We use Google Cloud Platform, which maintains compliance with GDPR through Standard Contractual Clauses and is certified under various security frameworks including ISO 27001.

6. Data Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

6.1 Technical Measures

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access control (RBAC) limiting data access
  • Multi-Factor Authentication: Required for administrative access
  • Security Monitoring: 24/7 intrusion detection and logging
  • Vulnerability Scanning: Regular automated security scanning

6.2 Organizational Measures

  • Employee Training: Regular data protection training for all staff
  • Data Processing Agreements: Contracts with all third-party processors
  • Privacy by Design: Data protection built into new features
  • Access Reviews: Quarterly review of data access permissions

7. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk
  • Document the breach, its effects, and remedial action taken

Supervisory Authorities

  • Kenya: Office of the Data Protection Commissioner (ODPC)
  • EU: Relevant EU Data Protection Authority

8. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.

Data Category         | Retention Period         | Legal Basis
----------------------|--------------------------|------------------------------
Account Data          | Account lifetime + 1 year | Contract, Legal obligation
Shift/Trip History    | 5 years                  | Legal obligation (tax)
Payment Records       | 7 years                  | Legal obligation (audit)
Communication Logs    | 2 years                  | Legitimate interest
Location Data         | 30 days                  | Contract, Legitimate interest
Marketing Preferences | Until consent withdrawn  | Consent

9. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee compliance with data protection laws and handle your data protection inquiries.

OnLocum Data Protection Officer

Email: dpo@onlocum.com

Privacy Inquiries: privacy@onlocum.com

Address: Nairobi, Kenya

10. Complaints

If you are unhappy with how we have handled your personal data or believe we have not complied with data protection law, you have the right to lodge a complaint with a supervisory authority.

Kenya

Office of the Data Protection Commissioner (ODPC)
Website: www.odpc.go.ke
Email: info@odpc.go.ke

European Union

If you are in the EU, you can contact your local Data Protection Authority. A list is available from the European Data Protection Board.

Internal Complaints

We encourage you to contact us first at privacy@onlocum.com. We will investigate your complaint and respond within 30 days.