Chessie Holidays Limited is a company incorporated and registered in Kenya with company number PVT-6LULR5EX whose registered office is at Katera Drive Karen Triangle Estate House# No.16
This document sets out Chessie Holidays policy on the protection of information you disclose to us. Protecting the confidentiality and integrity of personal data is a critical responsibility that we take seriously at all times. Chessie Holiday Limited will ensure that data is processed and protected under the Kenya-regulated Data Protection Act, of 2019.
Chessie Holidays requires you to provide contact details of the people you wish to be authorized users of our services for us to fulfil our contract with you. In addition, you may need to disclose personal data (including Child data or ‘special category’ data, e.g. allergies, disabilities) about your clients/customers as part of our delivery of travel services.
In processing personal data, the following principles will be adhered to. Personal data will be:
Personal information (including special category data) will only be processed when there is a lawful basis for doing so and only on your instructions personal data provided to us will be the subject of automated decision-making.
The lawful basis on which we process the information you give us is for the performance of a contract to deliver travel services to the client.
It is your responsibility as Data Controller to advise your clients/customers that their data may be transferred to third-party processors such as Chessie Holidays and seek any necessary consent in respect of that processing.
Please be aware that we will add the personal data of authorized users to our mailing list so we can send updates on the services provided, newsletters, and invitations to events by phone, letter, or email. This is part of our contractual commitment to ensure that your authorized users are kept up to date with the services we provide for your clients. We also believe we have a legitimate interest in contacting you for this purpose.
If any authorized user wishes to stop receiving such information from us they can ‘opt-out’ of the newsletter or ask us to remove their details from our mailing list by contacting us at sales@chessieholidayssafaris.com
Chessie Holidays will collect personal information about authorized users at the beginning of our relationship and information about your clients as and when you transmit this information to us for booking travel services.
We will retain that data when it is necessary to do so and only for as long as required to fulfil the purpose/s it was collected for, including the purposes of satisfying any legal, accounting, or reporting requirements.
When determining the retention period for personal data, Chessie Holidays will consider various factors such as the nature, and sensitivity of the personal data, potential risk from harm of unauthorized use or disclosure, and the purposes for which the personal data is processed.
On termination of our contract with you, you may request that we delete personal data or return it to you. We will do so without delay unless there is a lawful basis for us to continue to process it. In this instance, we will securely destroy personal data after the relevant data retention period has expired.
Chessie Holidays has in place appropriate security measures to prevent personal information from being accidentally lost, used, or accessed in an unauthorized way:
Access to the personal data of your authorized users and clients/customers is limited to those employees and contractors who have a business need to know. They will only process information on our instructions and are subject to a duty of confidentiality.
We will share personal data with third parties where it is necessary to deliver our travel services and where we have your general or express authority to do so unless we are required by law to share the data without your authority.
Where we share data with a third-party sub-processor we will contractually require the sub-processor to respect the security of the data subject (your client) and to treat it under the law. Examples of third parties we may share personal data you transmit to us are:
Contact details of your authorized users (not clients/customers) may also be sent to a digital marketing company for the limited purpose of administering our mailing lists and no other purpose.
Where there is a significant change to a sub-processor, we will inform you and allow you to object before we share personal data.
Chessie Holidays will conduct regular reviews of the information we hold to ensure its relevancy. You are under a duty to inform us of any changes to lists of authorized users. If you have concerns about the accuracy of the personal data we hold please contact us immediately at GDPR@chessieholidayssafaris.com
You should also contact us if any data subject (authorized users, clients, customers) indicates that they want to exercise their rights in respect of personal data we hold, including the rights to:
Depending on the nature of the request, Chessie Holidays may have grounds for refusing to comply with a request. In this case, we will explain promptly.
If we receive any direct request to exercise rights in respect of personal data we process on your behalf, we will notify you as Data Controller before responding.
Chessie Holidays undertakes to assist you in meeting your obligations under GDPR concerning the security of processing, notification of data breaches, and data impact assessments. We have procedures in place to deal with any data security breach and will notify you as soon as reasonably practicable. Where legally required to do so, we will notify the applicable data regulator, in Kenya, The Office of the Data Protection Commissioner (ODPC)
We will assist you in providing data subject access requests and allowing data subjects to exercise their rights to the personal data we hold. Where necessary, this assistance extends to submitting to audits and inspections and providing the information you require to satisfy your obligations. We undertake to tell you if we are asked to do anything that would infringe on data protection legislation. Chessie Holidays will adhere to the principles of this policy and relevant legislation when designing or implementing new systems or processes.