1. Our Data Protection and Privacy Commitment

The Hub Karen Management Co. Limited (THK) is a shopping mall committed to protecting the privacy and security of your personal information. This privacy policy is issued on behalf of THK so when we mention "Company”, “THK”, "we", "us" or "our" in this privacy policy, we are referring to THK responsible for processing your data.

Data Protection and Privacy matters to us and we know it matters to you.We are committed to protecting your privacy, keeping your information safe and ensuring the security of your personal information. To provide you with the most effective products and services, your personal information will be collected, processed lawfully, stored securely and not disclosed unlawfully to any third party.

2. Our Privacy Policy

Our Privacy Policy explains how THK collects, uses, and protects your information.It extends to both our control and processing of personal information.

3. Who does this Policy apply to?

This Policy applies to:

1. All Customers and/or users who are natural persons or living individuals.
2. All THK employees and job applicants or prospective employees.
3. All THK prospective and existing tenants, suppliers, partners, and service providers.
4. All THK mall shoppers and visitors.
5. Current employees of THK (whether they are employed on a permanent, temporary or fixed-term contract including interns, secondees and graduates).

4. Definitions

1. “Personal Data” means data either on its own or jointly with other data that can be used to identify a natural person (or from those and other information either in our possession or likely to come into our possession).
2. “Cookies” means a small text file placed on your computer or device by Our Site when you visit certain parts of Our Site and/or when you use certain features of Our Site. Details of the Cookies used by Our Site are set out below.
3. “Data Controller” means a natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the way any personal data are, or are to be, processed. For this Privacy Policy, we are a Data Controller of your data.
4. “Data Processor (or Service Provider)” means any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various Service Providers to process your data more effectively.
5. “Data Subject” is any living individual who is the subject of Personal Data.
6. “JCG” means Janus Continental Group, which is an international conglomerate comprising of market-leading companies in the energy, real estate, conservation and hospitality sectors to which The Hub Karen is a part of.
7. “Local Regulation” refers to the Kenya Data Protection Act 2019, the Data Protection (General) Regulations 2021, and any other relevant regulation (as may be amended from time to time) that govern the collection, use, storage, and disclosure of your personal data.
8. “Services” means any services administered through the THK website or through engagement with THK.
9. “User “means the individual using our Service. The User corresponds to the Data Subject, who is the subject of Personal Data.

5. Information we collect and how we collect it.

We collect and maintain personal information about you from many sources to understand and meet your needs, manage our business, and for other purposes disclosed to you. For example, we collect personal information about you from:

• You, when you voluntarily provide us with information.
• Your transactions with us.
• Other third-party sources. The information obtained in this manner will be used in accordance with this Privacy Policy and will not supersede or otherwise prejudice your rights as a data subject, including your right to access, rectify, or erase your personal data. We encourage you to review the privacy policies of any third parties who may collect your information to understand how they handle your data.

The personal information we collect about you through these various sources may include, but is not limited to:

• Identity Data includes first name, last name, any previous names, username or similar identifier, identification number, passport number, date of birth and gender.
• Contact Data includes email address and telephone numbers.
• Financial Data includes bank account information.
• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website.
• Profile Data includes your username and password, purchases or orders made by, feedback and survey responses.
• Usage Data includes information about how you interact with and use our website, products and services.
• Marketing and Communications Data includes imagery to be used for marketing purposes.

We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' usage data to calculate the percentage of users accessing a specific website feature to analyse general trends in how users are interacting with our website to help improve the website and our service offering.

6. We will rely on one of the following to process your personal data:

1. Legal Obligation

In some circumstances, where the processing of personal data is necessary for the performance of an obligation conferred or imposed by law on us, THK we will rely on Legal Obligation as a basis to process the personal information you have provided. 

2. Legitimate Interest

Our legitimate business interests, for example, direct marketing and improving our services. Whenever we rely on this lawful basis to process your data, we assess our business interests to make sure they do not override your rights as an individual. Additionally, in some cases, you have the right to object to this process. See “Your Rights” section of the policy.

3. Consent

We may rely on the consent you provide in the absence of any other legal basis. Consent will always be presented separately to you, can be withdrawn at any time and you will be given details on how to do so.

4. We rely on contractual obligation as a legal basis to process your personal information when we need to deliver a contractual service to you or when it has become necessary to process data before entering into a contract with you for purposes of documentation of the contract itself.

 

7. Purpose of collecting personal information:

1. We collect your personal information for a variety of business purposes. These include, but are not limited to:
   1. Tracking and communicating with a prospect tenant, employee, and/or service providers
   2. Tenant asset security and verification
   3. Lost item recovery
   4. Security Administration
   5. Assessment and approval of works (modifications and/or repairs) to be undertaken by the tenants.
   6. Know Your Customer
   7. Marketing purposes such as, videography and photography marketing content and social media posting.
   8. Facilitation of shopper’s raffle activities.
   9. Human Resource management
   10. Conducting employee background check
   11. Wi-Fi management
   12. Understand user interests, preferences and areas of improvement based on survey responses.
   13. Sharing of THK newsletters
2. We may keep a log of the activities performed by you on our network and websites by using various internet techniques such as web cookies, web beacons, server log files, etc. for analytical purposes, for analysis of the agreeableness of various features on our site and in accordance with requisite legal requirements. This information may be used to provide you with a better experience on our platforms.
3. At any time while you are browsing our site, if you do not wish to share browsing information, you may opt out of receiving the cookies from our site by making appropriate changes to your browser privacy settings. Further information on cookies can be accessed via our Cookie Policy.
4. For prospective employees, we collect your personal data to assess your suitability for a role within THK in accordance with our recruitment and selection policies and procedures.
5. There are Closed Circuit Television (CCTV) cameras in operation within and around our offices, which are used for the following purposes:
   1. To prevent and detect crime.
   2. To protect the health and safety of our customers and employees.
   3. To manage and protect our property and the property of our guests and other visitors; and
   4. For quality assurance purposes.

 

8. Is it mandatory to provide us with the Personal Data asked for?

It is not mandatory for you to provide any Personal Data to us in all instances. However, failing to provide certain Personal Data to us, where the same is required for THK’s legitimate interest or pursuant to a contractual obligation, particularly where that Personal Data has been requested by us may impact our ability to, amongst other things:

—   provide our products or services to you.

—   to support you with and manage our products and services.

—   provide you full functionality to all our webpages; and

—   on-board you as supplier, contractor, or service provider.

9. Disclosure and Transfer of Personal Information

1. Collection of Personal Information: We will obtain your consent, where no other lawful basis is relied on for sharing your personal information, in several ways such as in writing, online through "click-through" agreements, or when your consent is part of the terms and conditions which apply to our products and services.

We do not actively collect personal data related to children in the provision of its services, but in instances where this may be collected e.g., for employer-employee relationship to determine the beneficiaries/next of kin of the employees, we shall require parent/ guardian representation and consent.

Sensitive information may be collected with regards to human resource management, to facilitate provision of medical insurance for employees. Such data may also be collected based on a data subject’s consent or for the purpose of carrying out our obligations and exercising specific rights pertaining to us as a data controller or of the data subject (contractual obligation and/or legitimate interest). We have implemented a combination of technical and organizational measures designed to protect your information from unauthorized access, disclosure, alteration, or destruction. These measures include, but are not limited to, encryption of data at rest and in transit, access controls that restrict access to your data to authorized personnel only, regular security audits and vulnerability assessments, privacy specific policies and procedures and employee training on data privacy and security best practices. While we strive to maintain a secure environment for your data, please be aware that no security measures can guarantee complete protection from all threats.

2. Internal Use: We may utilize some or all available personal information for legitimate business purposes and related activities within the parameters mentioned above.
3. Third Parties: We may have to share your personal information with other JCG entities, JCG shared services, law enforcement agencies, our regulators, our external auditors, other delegates (where your registration details will appear on the list of attendees of an event), third parties, including third-party service providers, sub-contractors etc. A ‘Third Party’ is a service provider who is contracted by us to provide a service or product which may include the handling, managing, storing, processing, protecting, and transmitting information of and for THK. This includes all subcontractors, consultants and/or representatives of the Third party. Processing by third parties may include cloud services which involves storage, transfer, transmission and processing of your personal data via servers located anywhere in the world. We strictly require third parties to respect the security of your data and to treat it in accordance with applicable laws.
4. Government and Law Enforcement Agencies: We may also share your personal information with Government agencies or other authorized Law Enforcement Agencies (LEAs) mandated under law to obtain such information for the purpose of verification of identity or for prevention, detection, investigation including but not limited to cyber incidents, the investigation and prosecution of crime, and as is required by law. We may also share information to meet our regulatory obligations.
5. Transfer: We may transfer your personal information or other information, or data collected, stored and processed to any other entity or third party located outside the country of service, only, if necessary, for legitimate business purposes for providing services to you. This may also include sharing of aggregated information with third parties contracted to us for them to understand our environment and consequently, provide you with better services. However, the transfer of sensitive personal data will only be effected upon obtaining your consent. While sharing your personal information with third parties, reasonable organizational, technical and security measures shall be taken to ensure that reasonable security practices are followed by the third party and are in line with the Data Protection Principles and Regulations.

 

10. Security Practices and Procedures

1. We will adopt reasonable security practices and procedures, in line with international standards to include technical, and organizational security safeguards to protect your personal information from unauthorized access, or disclosure while it is under our control.
2. Our security practices and procedures are within industry standards. Further, our employees and service providers/partners are bound by Codes of Conduct and Confidentiality Policies which require them to protect the confidentiality of personal information they access.

 

11. When we dispose of your personal information, we will use reasonable procedures to erase it or render it unreadable/anonymized.

 

12. Internet Use - We maintain the security of our internet connections and observe reasonable security measures to protect your personal information against hacking and virus dissemination. However, for reasons outside of our control, security risks may still arise.

 

13. Storage: How do we keep your information?

1. We may store your information in hard copy or electronic format and keep it in storage facilities that we own and operate ourselves, or that are owned and operated by our Third parties/ service providers. 
2. We use a combination of technical solutions, security controls, and internal processes to help us protect your information and our network from unauthorized access and disclosure.

Personal information shared with us will be retained in line with the Local Regulations on records retention and our Records Retention Policy. We will retain your Personal Information for the longest of the following periods:

1.                  as long as is necessary for the relevant activity or services.
2.                any retention period that is required by law;
3.              the end of the period in which litigation or investigations might arise in respect of the services.

14. Accuracy: We endeavor to ensure that personal information is accurate and encourage you to update your personal information in our possession as and when it changes by contacting us on the information provided under section 16.

15. Your Rights 

1. Right to access personal information

You have the right to make a request for a copy of the personal information that we hold about you (including advertising audience categories and inferred information) as permitted by law.

2. Right to correct personal information

You have the right to correct information held about you to ensure it is accurate, relevant, complete, and not excessive.

3. Right to object to the use of personal information

You have the right to object to our processing your personal information, in certain circumstances as permitted by law. However, in instances where the basis for processing is Legal Obligation or other legitimate ground, you may not be able to exercise your right to object.

4. Right to opt-out of marketing messages

We will not issue targeted marketing to you unless you consent for us to do so. If you no longer want to receive marketing messages from us, you can choose to opt out at any time using the means made available to you. If you have previously opted in to receive personalized content based on how and where you use our network, you can also opt out at any time.  

5. Right to personal data portability

You have the right to request us, in writing or electronically to resend the personal data concerning you, where feasible, in a structured and readable format.

You also have the right to request the data controller in writing or electronically to have your personal data transmitted to another data controller, where technically feasible, without hindrance.

6. Right to restriction of processing of personal data

You have the right to restrict us from processing your personal data for a given period under the conditions provided by the Law, where:

 

• accuracy of the personal data is contested by the data subject, for a period enabling THK to verify the accuracy of the data.
• personal data is no longer required for the purpose of the processing, unless THK or our data processors require the personal data for the establishment, exercise or defence of a legal claim.
• processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; or
• data subject has objected to the processing, pending verification as to whether the legitimate interests of THK or our data processors overrides those of the data subject.

Note that in case the purpose of collecting and processing your information was to meet our contractual obligation to you, objection to processing may hinder us from providing our services and products to you.

7. Right to erasure of personal data

You have the right to request us in writing or electronically for erasure of your personal data. Where the personal data is required for the purposes of evidence or any other specific legal reason, THK or our data processors shall, instead of erasing or rectifying, restrict its processing and inform the data subject within a reasonable time.

 

16. How do we handle Personal Data Breaches?

While we implement reasonable measures to prevent or reduce the likelihood and impact of Personal Data Breaches, this risk however cannot be eliminated. If we become aware of or reasonably suspect a Personal Data Breach has occurred or that the integrity or confidentiality of Personal Data has been compromised, we shall adhere to our incident and breach management Policies, Procedures, and supporting documents governing the handling and reporting of Personal Data Breaches as required by the Law.

 

17. Contact- How to exercise any of the above-mentioned Rights.

If you have any queries in any aspect of this privacy policy or if you would want to exercise any of the rights mentioned above, please send an email to dpo@januscontinental.com and our privacy team will respond to you. You can also visit our offices at The Hub Karen Nairobi, Kenya.

 

18. Changes to policy

We reserve the right to modify this Privacy Policy as and when required. We will post any changes to our Privacy Policy on our website.

When we make changes to this policy, we will revise the “effective” date, April 2024, at the top of this notice and any changes affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.

We encourage you to check this policy frequently to become aware of any updates made hereinafter, as a demonstration of our commitment to protecting your information and providing you with improved content on our site to enhance your experience.

 

19. Third-party links 

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

 

Disclaimer

Our employees and/or agents shall not be liable for any damage to your computer or device and/or loss of information or data when accessing the information contained in our website or through other means.