Privacy & Data Retention Policy
INTRODUCTION
- FISCAL HARMONY ZAMBIA LIMITED (“Fiscal Harmony”) is committed to protecting the privacy of personal data of its clients and other stakeholders in compliance with Zambian laws, including the Data Protection Act No. 3 of 2021 and other applicable regulations. This Privacy and Data Retention Policy sets out how Fiscal Harmony collects, uses, stores and retains personal data in the course of its operations.
DEFINITIONS
- Terms used in this Policy shall carry the same meaning as defined in the Data Protection Act No. 2 of 2021, including but not limited to:
Personal data: data which relates to an individual who can be directly or indirectly identified from that data which includes a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject: an individual from, or in respect of whom, personal information is processed.
Data controller: a person who, either alone or jointly with other persons, controls and is responsible for keeping and using personal data on a computer, or in structured manual files and requests, collects, processes or stores personal data from or in respect of a data subject.
Data processor: a person, or a private or public body that processes personal data for and on behalf of and under the instructions of a data controller.
Processing: an operation or a set of operations which is or are performed on personal data, whether or not by automatic means, including the collection, recording or holding of data or the carrying out of any operation or set of operations on data, including:
- organisation, adaption or alteration of the data;
- retrieval, combination or use of the data;
- alignment, combination, blocking, erasure or destruction of the data; or
- disclosure of the information or data by transmission, dissemination or otherwise making available;
SCOPE
- This Policy applies to all personal data processed by Fiscal Harmony in connection with its clients, users, employees, vendors, and other individuals, whether the data is collected directly or indirectly. It also applies to all formats in which the data may be held, including electronic and physical records.
TYPES OF PERSONAL DATA COLLECTED
- Fiscal Harmony may collect the following categories of personal data from the data subject:
- identifying information such as full names, national registration card (NRC), certificate of incorporation or passport numbers, date of birth, and nationality;
- contact details including residential or postal address, telephone numbers, and email addresses;
- employment and professional information such as job title, employer, and work contact details;
- financial information including bank details and payment records relevant to the services provided;
- technical or usage data such as device identifiers, access logs, and service usage history; and
- any other personal data required for the legitimate performance of Fiscal Harmony’s functions or compliance with applicable laws.
LAWFUL BASIS FOR PROCESSING
- Fiscal Harmony shall only process personal data where there is a lawful and justifiable reason for doing so. These reasons include situations where:
- the data subject has given clear consent;
- the personal data is required to enter into or perform a contract;
- the processing is necessary for compliance with a legal obligation to which Fiscal Harmony is subject;
- the processing is necessary to protect the vital interests of an individual;
- the processing is necessary for the performance of a task carried out in public interest or in the exercise of official authority vested in Fiscal Harmony; or
- the processing relates to personal data that has been manifestly made public by the data subject.
METHOD OF COLLECTION
- Personal data will be collected directly from the data subject.
- Collection of personal data from any person or source other than the data subject shall only occur if authorised by law. Such circumstances include those set out under Section 16 of the Data Protection Act, namely:
- the data subject has consented to the collection from a third party;
- the personal data is contained in a public record or has been deliberately made public by the data subject;
- collecting the personal data directly from the data subject would prejudice the purpose of the collection;
- it is not reasonably practicable to collect the personal data directly from the data subject; or
CONSENT
- Fiscal Harmony will not process personal data unless the data subject has provided clear consent, except in cases where another lawful basis for processing is applicable. Such consent must be freely given, specific, informed, and unambiguous, and must be obtained through a positive act, such as signing a form or ticking a checkbox. Data subjects shall be informed of their right to withdraw consent at any time, and where such withdrawal occurs, Fiscal Harmony will cease further processing unless another lawful basis applies. Records of consents and withdrawals will be duly maintained.
DATA PROCESSING OBLIGATIONS
- In accordance with the principles, rules and obligations set out in the Data Protection Act, Fiscal Harmony, whether acting as a data controller or processor, shall process personal data in a fair, lawful and transparent manner. Personal data shall be collected for specified, explicit, and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes.
- Reasonable steps shall be taken to ensure that personal data is accurate and kept up to date. Inaccurate or incomplete data shall be rectified or erased without delay.
- The collection of personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Personal data shall not be retained for longer than is necessary to fulfil the identified purposes, unless a longer retention period is required by law. Upon expiry of the applicable retention period, such data shall be securely erased.
- Appropriate technical and organisational measures shall be implemented to ensure the security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
- All processing of personal data shall be conducted in a way that upholds and respects the rights of data subjects as provided under the Data Protection Act, including the rights to access, rectify, erase, object to processing, restrict processing, and data portability.
RIGHTS OF THE DATA SUBJECT
- In accordance with the Data Protection Act, data subjects have the right to:
- access their personal data;
- request rectification of inaccurate or incomplete data;
- request erasure of data under certain conditions;
- restrict or object to processing;
- request data portability;
- not be subject to decisions made through automated processing;
- lodge complaints with the Data Protection Commissioner.
- Any individual wishing to exercise these rights may do so through the contact details provided under paragraph 15 of this policy.
DATA RETENTION
- Fiscal Harmony shall retain personal data for as long as it is necessary to achieve the purpose for which it was collected, and for a minimum period of one year thereafter, or for such other period as may be prescribed under any written law. periods include:
- Fiscal Harmony shall maintain a record of each data processing activity, including the purpose for which the personal data was collected, the categories of personal data processed, and any third parties to whom the personal data has been disclosed.
DATA SECURITY
- Fiscal Harmony applies appropriate technical and organisational measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, but are not limited to, role-based access controls, data encryption, regular backups, incident response procedures, and continuous assessment of risks to ensure ongoing data security.
DISCLOSURE OF PERSONAL DATA
- Personal data will not be shared with third parties unless:
- the data subject has provided prior written consent; or
- the disclosure is necessary to prevent a reasonable threat to national security, defence, or public order; or
- the disclosure is necessary to investigate or prosecute a cognisable offence.
- Prior to any disclosure under 12.1 (b) and (c), Fiscal Harmony shall inform the data subject of the following:
- when and to whom it will be disclosed;
- the purpose of its disclosure;
- the security practices, privacy policies, and other measures in place to protect the data; and
- the procedures available for the data subject to address any grievances related to the disclosure.
CROSS-BORDER DATA TRANSFERS
- Personal data shall be stored and processed within the Republic of Zambia. Where a transfer of personal data outside Zambia is required, such transfer shall only be carried out in accordance with the law and subject to appropriate safeguards that ensure the protection of the data subject’s rights.
DATA BREACH NOTIFICATION
- Fiscal Harmony will notify the Data Protection Commissioner within 24 hours of becoming aware of a personal data breach and shall inform affected data subjects as soon as practicable.
CONTACT INFORMATION
- For any questions, concerns, or to exercise your rights under this Policy, please contact:
The Data Handler:
Fiscal Harmony Zambia Limited
DG OFFICE PARK,
#1 CHILA ROAD, KABULONGA – LUSAKA.
+260 (0) 630 372 070
REVIEW AND UPDATES
- This policy shall be reviewed annually and updated to reflect legal, operational, or technological changes. Any significant amendments will be communicated to affected stakeholders.