DATA PROCESSING AGREEMENT

This Data Processing Agreement (‘DPA’) is made by and between:

KCB Bank Kenya Limited


Kencom House.
Moi Avenue
P.O. Box 48400 - 00100,
Nairobi, Kenya.
('KCB')

and

KATIKU & MUTURI ADVOCATES


Post Office Box Number ……67434-00200……….
Nairobi Kenya
('Client’)

(KCB and the Client hereinafter also separately referred to as 'Party' and jointly as 'Parties')

Page 1 of 9
This Data Processing Agreement (“DPA”) dated ……………………………………………………………forms
part of the Agreement between KCB Bank Kenya Limited (“KCB”) and ………………… (“Client”) termed
as …………………………………………………………………………… (“the Agreement”) and KCB Group
PLC Data Protection and Privacy Policy available at www.kcbgroup.com.

WHEREAS:
A. KCB through its operations is a Data Controller and/or Data Processor.
B. The performance of the Parties' obligations under the Agreement is subject to the collecting, processing
and/or storing of Personal Data.
C. KCB requires that all Personal Data collected, processed and/or stored by the Client on behalf of
KCB shall be subjected to the privacy requirements of the KCB Group PLC Data Protection and
Privacy Statement available at www.kcbgroup.com.
D. The Parties are entering into this DPA for the purpose of updating the data processing terms of the
Agreement and to comply with the provisions of the Data Protection Laws.

NOW IT IS HEREBY AGREED as follows:


1. INTERPRETATION
1.1. Definitions
All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in
the Agreement. The capitalised terms are defined as follows whereby the use of the singular will include
the plural and vice versa:
1.1.1. “Data Controller” or “Controller” means a natural or legal person, public authority,
agency or other body which, alone or jointly with others, determines the purpose and
means of processing of personal data;
1.1.2. “Data Processor” or “Processor” means any person or body who/which processes
personal data on behalf of the Data Controller.
1.1.3. “Data Protection Laws” means the EU General Data Protection Regulation (EU) 2016/679
(GDPR), the Data Protection Act No. 24 of 2019, Laws of Kenya, and the data protection or
privacy laws of any other country.
1.1.4. “Data Subject” means an identified or identifiable natural person who can be identified,
directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors specific to
the physical, physiological, genetic, mental, economic, cultural or social identity of that
natural person.
1.1.5. “Data Subject Request” means any inquiry, request or complaint received from or relating
to a Data Subject including a request by a Data Subject to exercise Data Subject rights
under the Data Protection Laws.

1.1.6. “Personal Data” means any information relating to an identified or identifiable natural
person for the performance of the Agreement.
1.1.7. “Sensitive Personal Data” means data revealing the natural person’s race, health status,
ethnic social origin, conscience, belief, genetic data, biometric data, property details,
marital status, family details including names of the person's children, parents, spouse or
spouses, sex or the sexual orientation of the Data Subject.
1.1.8. “Regulator” means the Office of the Data Protection Commissioner in Kenya or such other
supervisory authority as KCB may be subject to due to the nature of its business or
operations at any time before or during the term of the Agreement.
1.1.9. “Restricted Transfer” means (i) a transfer of Personal Data from Data Controller to the
Data Processor; or (ii) an onward transfer of Personal Data between two organisations of a
Data Processor or between the Data Processor and a Sub-processor.
1.1.10. “Sub-processor” means any person (including any affiliate of the Data Processor)
appointed by or on behalf of the Data Processor to process Personal Data in connection
with the Agreement.
1.1.11. “Sensitive Personal Data” means data revealing the natural person's race, health status,
ethnic social origin, conscience, belief, genetic data, biometric data, property details,
marital status, family details including names of the person's children, parents, spouse or
spouses, sex or the sexual orientation of the Data Subject.
1.1.12. “Third party” means a natural or legal person, public authority, agency or other body, other
than the Data Subject, Data Controller, Data Processor or persons who, under the direct
authority of the Data Controller or Data Processor, are authorised to process personal data.
1.1.13. The terms, “Anonymization”, “Consent”, “Controller”, “Data Protection Officer”,
“Encryption”, “Filing System”, “Personal Data Breach”, “Processing”,
“Pseudonymization” and “Technical and organizational security measures” shall
have the meanings in the Data Protection Act, and their cognate terms shall be construed
accordingly.

2. Data Use and Processing


2.1. Purpose: As set out in the Agreement.
2.2. Nature of processing: This is set forth in Schedule 1
2.3. Categories of Personal Data: Personal Data uploaded and shared between the Parties or
collected on behalf of KCB for the performance of the service under the Agreement, which
include customer title, name, photographs, marital status, nationality, occupation, residence,
physical and postal address, phone number, identity document type and number, date of birth,
age, gender, email and social media address, signature specimen, employment details,
estimated monthly income levels, education, transaction and account status information, cookie
ID, mobile ID, IP address, next of kin details and any Personal Data as agreed in writing by the
Parties.
2.4. Sensitive Personal Data (if applicable): Parties shall apply restrictions and additional security
measures that fully take into consideration the nature of the data and the risks involved, such as
strict purpose limitation, access restrictions, keeping a record of access to the data and
restrictions for onward transfers.
2.5. Compliance with Laws: Personal Data shall be processed in compliance with the terms of this
DPA and all Data Protection Laws.
2.6. Documented Instructions: The Parties shall process Personal Data only in accordance with
documented instructions or as specifically authorized by this DPA and the Agreement. The Data
Processor will, unless legally prohibited from doing so, inform the Data Controller in writing if it
reasonably believes that there is a conflict between the documented instructions and applicable law
or if it otherwise seeks to process Personal Data in a manner that is inconsistent with the
documented instructions.

3. Obligations of a Data Controller


3.1. In the context of the Data Controller’s activities, where either Party processes Personal Data as
an independent Data Controller, the Data Controller represents and warrants that:
3.1.1. It shall comply with all applicable Data Protection Laws.
3.1.2. It has a valid legal ground for each processing activity and, where required by applicable
law, provides notice to and obtains the consent of Data Subjects.
3.1.3. It maintains, and ensures that its Processors and Sub-Processors maintain, a
comprehensive written information security programme with appropriate technical and
organisational measures to protect Personal Data against accidental, unauthorised or
unlawful destruction, loss, alteration, disclosure or access and to ensure a level of security
appropriate to the risk.
3.1.4. It shall process Personal Data received under or in connection with its contractual
obligations.
3.1.5.It may only process Personal Data for another purpose:
3.1.5.1. where it has obtained the Data Subject’s prior consent;
3.1.5.2. where necessary for the establishment, exercise or defence of legal claims in the
context of specific administrative, regulatory or judicial proceedings; or
3.1.5.3. where necessary in order to protect the vital interests of the Data Subject or of
another natural person.

4. Obligations of a Data Processor


The Parties acknowledge and agree that, in providing services as per the Agreement, Personal Data
will be shared with the Processor.

The Processor agrees, warrants and covenants:
4.1. That it shall comply with all applicable Data Protection Laws in processing of Personal Data.
4.2. To process Personal Data only in accordance with the Agreement and on any relevant
documented instructions.
4.3. To ensure any data processing is consistent with the specified and agreed purpose for which the
Personal Data was shared.
4.4. That it shall implement and maintain appropriate technical and organizational security measures
in relation to processing Personal Data to prevent unauthorized or accidental access, collection,
use, disclosure, copying, modification, disposal or destruction of personal data or other similar
risks, which shall ensure a level of security appropriate to the risk including as appropriate:
i. Pseudonymisation and encryption.
ii. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of
processing systems and services.
iii. The ability to restore the availability and access to Personal Data in a timely manner in
the event of a physical or technical incident.
iv. A process for regularly testing, assessing and evaluating the effectiveness of the
measures to ensure the security of Personal Data from a reasonably suspected or actual
accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
4.5. That in the event of an actual or imminent Personal Data Breach the Processor shall:
4.5.1. Notify Data Controller without undue delay and in any case within 48 hours of becoming
aware of such breach.
4.5.2. Investigate and immediately take action to contain, mitigate the effects of and remediate
any security incidents, and record the actions taken to rectify the leakage and/or any
measures put in place to avoid such incidents in the future.
4.5.3. Provide Data Controller with full and prompt cooperation and assistance in relation to any
investigation, mitigation, and/or remediation it may undertake as a result of the Personal
Data Breach.
4.5.4. Restore the availability or access to Personal Data in a timely manner.
4.5.5. Reimburse Data Controller for any costs and/or expenses incurred in connection with
investigations, or proceedings by a Regulator, Data Subject, or any other third party(ies)
in the event of such breach.
4.6. That it shall not transfer or authorize any cross-border transfer without the prior written consent
of the Data Controller. The Processor warrants and covenants that any cross-border transfer of
Personal Data must be supported by an approved adequacy mechanism.
4.7. That it shall control how Personal Data is stored so as to make it available to the Data Controller
upon request, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to
respond to Data Subject Requests.

4.7.1. It shall provide full cooperation and assistance to the Data Controller in relation to any
request by a data subject to have access to Personal Data held about them.
4.7.2. To promptly notify the Data Controller if it receives a Data Subject Request, and in any event
within 48 hours of receipt of any such notice or request, to provide a copy of the request, and to
ensure that it does not respond to the request unless authorised to do so by the Data
Controller.
4.8. That where it receives any complaint, notice or communication from the Regulator which relates
to the processing of Personal Data or a potential failure to comply with applicable Data Protection
Laws, it shall promptly notify the Data Controller of such complaint, notice or communication,
inform the Data Controller of the resolution of such complaints, and record the actions taken to
rectify the leakage and/or any measures put in place to comply with any notice or
communication. The Parties shall provide each other with full cooperation and assistance in
relation to such a notification from the Regulator.
4.9. That it shall not use the Personal Data for sending unsolicited electronic marketing
communications to End Users.
4.10. That it shall run regular data protection and security awareness training to all its staff and
shall ensure that its personnel are subject to a code of conduct compliant with Data Protection
Laws.
4.11. That it shall not sub-contract to a Sub-processor any of its data processing operations
performed on behalf of the Data Controller or for the fulfilment of its obligations under the
Agreement without the prior written consent of the Data Controller. Where such a Sub-processor is
engaged:
4.11.1. It must enter into a written agreement with the Processor to the extent that the Sub-
processor performs the same data processing obligations equal to the obligations
imposed on the Processor.
4.11.2. The Processor will always remain responsible for compliance with the obligations of
this DPA. Where a Sub-processor fails to comply with its equivalent contractual
obligations, the Processor remains fully liable to the Data Controller.
4.11.3. Ensure that the Sub-processor will act only on documented instructions.
4.11.4. The Processor shall, within 30 days, notify the Data Controller of its intention to engage a
new, additional or replacement Sub-processor.
4.11.5. The Processor shall maintain an up-to-date list of Sub-processors which includes the
geographical location of each Sub-processor, a description of the service and proof of
implementation of adequate data protection safeguards, and shall make available to the
Data Controller the updated list of Sub-processors upon reasonable request.
4.12. The Processor acknowledges that the services may involve Restricted Transfers of
Personal Data and hereby warrants and agrees to sign any Standard Contractual Clauses as
separate documents if the Data Controller so requests and any other additional documents.

5. Audit Rights
5.1. Upon request by the Data Controller, the Processor allows the Data Controller, the Regulator or any
independent agent or auditor selected by the Data Controller, and which possesses the required
professional qualifications, to audit and review the Processor’s information security program, data
processing facilities, compliance with Data Protection Laws, compliance with this DPA, and any
other Data Controller’s instructions (“Audit”).
5.2. The parties will mutually agree upon the scope, timing, and duration of the Audit.
5.3. The Processor shall make available on request all information necessary to demonstrate
compliance with this DPA.
5.4. The Processor commits to fully cooperate with the Data Controller to reach an agreement on the
details of the Audit within the shortest possible time and to implement all reasonable changes to
its security program, data processing facilities and data protection compliance program that, as a
result of the Audit, are required or advisable to ensure Processor’s compliance with this DPA,
Data Protection Laws and documented instructions.
5.5. If the Processor declines to submit its personal data processing facilities for Audit or follow any
instructions requested by the Data Controller regarding Audit, including inspections, the Data
Controller is entitled to terminate the Agreement.

6. Confidentiality
6.1. The Processor will treat Personal Data as confidential information and will not access or use, or
disclose to any third party, any Personal Data without prior written consent from the Data
Controller except as necessary to maintain or provide the services, or as necessary to comply
with the law or a valid court order.
6.2. Where it is required by law or a valid court order to disclose and/or grant access to Personal
Data, the Processor warrants and covenants that it will first give Data Controller notice of the
intended disclosure and that it will disclose and /or grant access to only the minimum extent
necessary to comply with such statutory obligation or court order.

7. Consequences of Non-compliance
7.1. In the event of any actual or potential violation of Data Protection Laws relating to Personal Data,
the Data Controller reserves the right, without incurring any liability whatsoever, to suspend
and/or terminate, either temporarily or permanently, any or all services provided by the
Processor, or to take any other actions as deemed appropriate in its sole discretion.
7.2. Failure by the Processor to comply with its obligations under the DPA may lead to a claim from
the Data Subjects, the cost of which will be borne by the Processor.

8. Term and Termination

8.1. This DPA shall take effect on the effective date and shall remain in full force for as long as the
Agreement remains in effect. Notwithstanding any termination of the Agreement or service,
Processor agrees and covenants to comply with this DPA for as long as Personal Data remains
in Processor’s possession, custody or control.
8.2. The parties agree that upon termination of the Agreement (the “Termination Date”), the
Processor and all Sub-processors shall promptly and in any event within 14 business days of the
Termination Date, securely return all Personal Data and the copies thereof to the Data Controller
or irretrievably delete or destroy or procure the deletion or destruction of all the Personal Data if
so instructed by the Data Controller.
8.3. All deletion or destruction of Personal Data will be conducted in accordance with standard
industry practices for deletion or destruction of sensitive data.
8.4. The Processor shall provide written certification to the Controller that it has fully complied with
clause 8.2 within 14 business days of the Termination Date unless required by law to retain all or
part of the Personal Data. In such a case, the Processor warrants and covenants that it will
process such Personal Data solely for purpose of storage and for complying with the applicable
Laws and it will guarantee the confidentiality of such Personal Data and will return to the
Controller and /or destroy the data as soon as the legal obligation is no longer in effect.

9. Complaint Handling
9.1. The Processor shall ensure that it has available customer service to attend to any customer
complaints relating to processing of personal data under this Agreement and to escalate such
complaints to Data Controller’s Data Protection Officer or such other address that may from time
to time be provided by the Parties as the official channel for communication.

10. Miscellaneous
10.1. Any amendments to this DPA shall be in writing duly signed by authorized representatives of the
Parties hereto.
This DPA supersedes all prior understandings and agreements relating to the protection of Personal
Data and compliance with Data Protection Laws.
SCHEDULE 1

Nature of Processing:
The Personal Data processed will be subject to the following, to the extent permitted under Data
Protection Laws, the Agreement, and the DPA (please select all that apply):
☐ Receiving data, including collection, accessing, retrieval, recording, and data entry

☐ Holding data, including storage, organization, and structuring

☐ Using data, including analyzing, consultation, testing, automated decision making and profiling

☐ Updating data, including correcting, adaptation, alteration, alignment, and combination


☐ Protecting data, including restricting, encrypting, and security testing

☐ Sharing data, including disclosure, dissemination, allowing access or otherwise making available

☐ Returning data to the data exporter or Data Subject

☐ Erasing data, including destruction and deletion

☐ Other (please specify)

IN WITNESS WHEREOF the duly authorized representatives of the parties have set their respective
hands hereto on the day and year first hereinbefore written.

By KCB BANK KENYA LIMITED                By (Client)

Name:                                    Name:

Signature:                               Signature:

Designation:                             Director:

Date:                                    Date:

In the Presence of:                      Director:

Name:                                    Name:

Signature:                               Signature: