Kenya Mortgage Refinance Company PLC (referred to as "KMRC", "it's", "our", "we" or "us") respects your right to privacy and is committed to protecting your personal data that we receive in the provision of our services.

This privacy statement provides information regarding the processing of personal data by KMRC in the provision of its products and services. It describes how KMRC collects, handles or otherwise processes (“processes”) personal data relating to data subject who are either (i) themselves the direct or indirect beneficiaries of our services, or (ii) individual representatives of, or otherwise associated with, businesses and other organizations currently or potentially participating in KMRC’S services (including, employees, officers, shareholders, directors, beneficial owners, guarantors or key vendors or partners of such businesses or organizations) (“you” ).

KMRC keeps this statement under regular review to make sure it is up to date and accurate.

Why do we process your personal data?

We process your personal data as is reasonably necessary in the conduct of our business, in the provision of our services to the participating Primary Mortgage Lenders (PMLs) that we refinance and for the purpose for which your personal data was originally collected and any other admissible, related purpose.

In particular, KMRC will process your personal data for any of the following purposes:

  • Providing our services to participating PMLs as well as fulfilling our contractual obligations with other third parties
  • Refinancing mortgage portfolios submitted to us by PMLs
  • Executing legal documentation attendant to the provision of our services to the PMLs and other third parties
  • Conducting data analysis to help us assess and determine the amounts, appropriate credit lines and risks applicable to the refinance facilities offered to PMLs
  • Monitoring and analysing the use of our products and services for purposes of improving and developing our services
  • Analysing, understanding and monitoring the effectiveness and impact of our services in the affordable housing and mortgage markets
  • Enhancing our knowledge of the affordable housing and mortgage markets in general
  • Fulfilling our legal or regulatory obligations
  • Administering and managing our relationships with PMLs and other third parties in the affordable housing and mortgage markets
  • Conducting credit and risk assessments and other control activities aimed at preventing corruption and fraud.
  • Responding to enquiries submitted to us via our website, our Client Relationship Management (CRM) portal, emails, telephones or any other available channels
  • Where it is necessary for advancing our legitimate interests in instances where your interests and fundamental rights do not override those interests. Legitimate Interest refers to any activity necessitated by our business objects and the participation in the affordable housing and mortgage market sector.

What personal data do we process?

We collect and process the following personal data about you:

  • Personal information-for example name, age, gender, date of birth, nationality, marital status, national identification number, passport number or KRA PIN number. Though in some instances we may not receive your name, we receive adequate information to identify you and your mortgage facilities held with the PMLs to enable us provide services to the PMLs and other third parties.
  • Contact information- in some instances we may receive your email, postal address, physical address, or phone number.
  • Property details- we receive and process information pertaining to Land, houses, apartments, bungalow and other immovable property that you may own, the property’s respective registration numbers with the Ministry of Lands and the location of such properties.
  • Transaction information – we may process information related to payments you make towards your mortgage facilities, property rents and rates.
  • Contractual information- we may obtain the letter of offers, loan agreements and charge documents among other documents executed towards your mortgage facility.
  • Financial information- for example your income, bank account numbers, loan account details, property valuation information, and any other relevant financial information of individuals who benefit from our services.
  • Employment information- whether you are in formal or informal sector and your salary range among others.
  • Technical information- IP addresses, your browser type, time zone settings, browser plug-in types and versions, URL, Clickstream to through and from our website and other Tracking technologies
  • We process aggregated data such as statistical or demographic data. Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

Where do we get personal data from?

KMRC receives your personal data from PMLs and/or other third parties that are recipients of or providers of services to KMRC. This can be your Bank, your Sacco, or your Microfinance Bank. We may as well obtain your data directly from yourself, from an organization that employs you or you are associated with, from our service providers or from third parties that KMRC partners with. Relevant personal data may also be collected from publicly available sources, relevant business contacts, specialized databases operated by the private sector, or specialized external service providers.

When you access the KMRC website, register or post comments, make inquiries, respond to, or participate in any survey or questionnaire set up by us, or make any application through the Website we may collect your Personal Data and record your interaction with the Site. We may use online identification technologies, such as cookies or web beacons on our website.

Is there further processing of this data?

KMRC adheres to the principle of purpose limitation and only processes data for purposes related to those specified when personal data was collected. Processing for secondary purposes only takes place where we have a legal basis such as the consent of the data subject or where such processing is in line with our legitimate interests.

Who do we share personal data with?

Our employees access and process your data on a “need to know” basis with their access being limited to what is necessary in the performance of their duties. Additionally, we may share your personal data with:

  • Legal entities associated with KMRC including our shareholders, intermediaries, partners or other organizations involved in our relevant transactions or engagements in the ordinary conduct of our business and delivery of our services.
  • The World Bank, Africa Development Bank and other international organizations that may from time to time extend credit lines to KMRC to finance our services
  • The PML who provided us with your personal data
  • Our professional advisors including Auditors, Legal and Tax experts,
  • Regulators including the Central Bank of Kenya, among others, critical to the delivery of our services
  • Service providers including IT companies that support our systems subject to terms and conditions on confidentiality and security of your personal data stipulated in contracts.

We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow service providers and professional advisors to use your Personal Data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We may transfer your personal data to entities outside Kenya. In such instances we establish legal grounds for such a transfer, mainly being the performance of our contractual and legal obligations and in line with our legitimate interests. If the other jurisdictions do not have the same level of protection for Personal Data as provided in Kenya, we shall put in place appropriate safeguards e.g., contractual commitments to ensure the data is adequately protected.

We do not sell personal data.

How long do we retain personal data?

We retain your personal data only for as long as it is required and in compliance with the applicable laws, the purpose and the legal ground it was collected for, and in compliance with our legal, regulatory, accounting or reporting requirements. This may include keeping your information for a reasonable a period after your relationship with the PMLs and related third parties has been terminated. We securely destroy personal data when it is no longer needed for the relevant purposes and its retention period has expired. In some circumstances, we will anonymize your Personal Data (so that it can no longer be associated with you) for research, statistical or other related purposes, in which case we may use this information indefinitely without further notice to you.

What are our legal grounds for processing data?

Our processing of your personal data is linked to a legal basis anchored in law. The table below breaks down the most common legal grounds based on which KMRC processes your data. The Table further describes our legitimate interests where appropriate.

LEGAL BASIS EXAMPLES
Consent We may process your personal data when we obtain your consent to do so or when our PMLs has obtained your consent to share your data with us Consent may be withdrawn at any time The PMLs will obtain your consent to share your personal data as they assign their rights and nterests over your mortgage facility to a third party. PMLs will also obtain your consent to share with us and allow us to publish any testimonials or comments made pertaining to any KMRC backed products they offer to you.
Performance of contractual obligations If you enter into a contract with KMRC for the provision of goods or services or for the performance of any obligations as stipulated in the contract. If your employer and/ or an affiliated organization enters into contract with KMRC and submits your personal data being key personnel for the performance of that contract.
Compliance with legal obligations KMRC is regulated by the Central Bank of Kenya and we may share your personal data with the regulator in compliance with the law.
Legitimate Interest KMRC will process your data to evaluate the effectiveness of our services, to develop new products and services suitable for our target market, and to evaluate our impact on the affordable housing and mortgage market as well as evaluate the security and effectiveness of our systems.

What about information security?

KMRC employs diverse and extensive security measures to protect your Personal Data from unauthorized access, being lost, being altered, or disclosed irregularly and from any other unauthorised use. Employees’, agents’, contractors’ and other third parties’ access to your personal data is limited to those who have a business need to know and will only process your Personal Data on KMRC’s instructions subject to a duty of confidentiality.

We have put in place breach detection and containment procedures to address any suspected personal data breach. These procedures consider the potential business, reputational, legal and regulatory impact on our company. We will notify you and any applicable regulator of a breach where we are legally required to do so.

Your rights

KMRC recognizes your rights as a data subject as prescribed in the Constitution, the Data Protection Act 2019 which, subject to legal and contractual exceptions, are detailed herein below:

  • right to access Personal Data that we hold about you. Where personal data is provided to us by our PMLs and other third parties, your right to access may be exercised directly through KMRC upon request, or through such PMLs and third parties;
  • right to request that we correct your Personal Data where it is inaccurate or incomplete. Any request for rectification of your data may be submitted directly to KMRC. Corrections and/or updating of your personal data submitted to your Bank or Sacco (being our PML) will on a monthly basis if not sooner be forwarded to us to enable us correct your personal data;
  • right to request that we erase your Personal Data noting that we may continue to retain your information if obligated or entitled to do so. This right may be exercised directly through us or through our PMLS;
  • right to object and withdraw your consent to the processing of your Personal Data. You have the right to withdraw granted to KMRC for the processing of your personal data. You further have the right to object to any processing done under legitimate interests. We will then re-assess the balance between our interests and yours, considering your circumstances. If we have a compelling reason, we may still continue to use your personal information;
  • right to request restricted processing of your Personal Data noting that we may be entitled to continue processing your data and refuse your request;
  • right ask us to delete your personal data if deleting your data is not in conflict with our legal and regulatory obligations; and
  • right to request transfer of your personal data in a portable format subject to a minimal fee equivalent to the cost of obtaining the media/ portable device.

The easiest way to exercise your rights is to contact KMRC using the contact details below. We will respond promptly and we do not normally charge for providing a response. Please note that before we can process your request, we may need to verify your identity by asking you to provide a copy of an official identification document. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

If you have questions about this Privacy Statement, or if you wish to exercise your privacy rights, please contact us through info@kmrc.co.ke. Attention: Data Protection Office.