We shall process your personal data when we receive, assess, and investigate your submission in accordance with this information on data protection.
Incoming whistleblower submissions are handled by a defined group of expressly authorized and specially trained employees of Watu and its subsidiaries. Watu’s Compliance and Investigations Department shall be the recipient and handler of the facts of the whistleblowing submission and, if necessary, conduct further case-related investigation together with other investigation units of the company concerned. These shall always be treated confidentially.
Confidentiality cannot be guaranteed if you deliberately submit false information with the aim of discrediting a person.
Our statement on data protection governs our data processing activities and must be carefully before submitting a report. You can decide whether you want to submit an anonymous or non-anonymous report.
The protection of your privacy rights during the processing of personal data is important to Watu. We process personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and in accordance with the national legal provisions.
The controller as defined by data protection law for the data processing relating to the receipt, assessment, and investigation of the whistleblower’s report submitted is, Watu Credit Limited.
Ethicontrol is the data processor. However, in case of possible serious regulatory violations, Watu acts as joint controllers with Ethicontrol.
To contact Watu’s Data Protection team or to exercise your data subject rights, please do so through the listed email addresses:
1. [email protected]
2. [email protected]
3. [email protected]
4. [email protected]
Watu processes your data for purposes of assessing and processing your report and conducting necessary investigations against the affected person(s) associated therewith, and, where appropriate, for communication with authorities and courts in connection with your report, communication with lawyers and auditors or other investigating persons engaged by Watu.
You can submit a report without sharing your personal data (anonymous reporting). You are therefore under no obligation to provide your personal data.
We collect the following personal data and information when you submit a report:
- Your name and/or private contact and identification data, when you disclose your identity (non-anonymous report).
- Your professional contact and (professional) organization data, if disclosed by you (non-anonymous reporting), and, where applicable the names of persons and other personal data of the persons named in your reporting.
The processing of your personal data is justified by the following legal basis:
- Collection, processing, and disclosure of personal data of the persons included in your report and your personal data in cases where you as the whistleblower chooses not to be anonymous: for the purposes of safeguarding the legitimate interests pursued by the data controller or by a third party. It is a legitimate interest of Watu to identify, process, rectify, and apply law to handle severe breaches of duty of employees throughout the company in an effective manner with a high level of confidentiality to avert damage and liability risks for Watu.
- Disclosure of personal data in case of non-anonymous reporting to other recipients: processing is necessary for compliance with a legal obligation as required under the GDPR.
In certain cases, your personal data may be transmitted to other recipients: in substantiated individual cases, while processing a reported case, or as part of an internal investigation, it may be necessary to share information with other employees outside Watu’s Compliance and Investigations Department.
If required by the investigation, information can be shared with Watu’s subsidiaries outside Kenya, based on appropriate data protection guarantees designed to protect those affected.
In the event of a corresponding legal obligation or if Watu or a third party has a legitimate interest in investigating the information, further possible categories of recipients are criminal prosecution authorities, antitrust authorities, other administrative authorities, courts, lawyers and auditors engaged by Watu.
In certain cases, Watu is obliged by internal policies, data protection legislation or applicable international legislation to inform the suspects of the accusations made against them. This is a legal requirement in cases where it can be objectively established that the disclosure of information to the suspect can no longer have an adverse effect on the investigation in question. If you disclosed your name or other personal data (non-anonymous reporting), your identity as a whistleblower will not be disclosed, as far as it is legally possible, and steps will also be taken to ensure that no conclusions can be drawn as to your identity as the whistleblower.
Personal data will be stored for as long as it is required for the purposes of the investigation and the subsequent assessment, and for as long as we are obliged to store it under national legal, contractual, or statutory retention periods.
The following retention periods are adopted for Watu:
- For cases closed as unfounded, case files will be deleted after one year from case completion;
- For cases investigated as Regulatory Violations, case files will be deleted after three years from case completion;
- For cases investigated as Serious Regulatory Violations, case files will be deleted after seven years of case completion; and
- For cases that contain documents concerning legal proceedings, case files will be deleted after ten years after the end of the legal proceeding.
If there is a legal obligation, the above timelines may be reasonably extended.
Once the report submitted has been processed, the data will be deleted or anonymized in accordance with the national legal requirements. In case of anonymization, the reference to your identity as a whistleblower is permanently and irreversibly removed.