My Zamtel App Privacy Policy

Data Privacy & Protection policy

1.0 INTRODUCTION

As part of our operations, Zamtel Limited (“Zamtel”) collects and processes certain types of information (including but not limited to NIN, name, telephone numbers, address, phone number, sex, photograph, ID card, fingerprint, and signature etc.) of individuals that make them easily identifiable. These individuals include current, past and prospective employees, merchants, suppliers/vendors, customers or merchants and other individuals with whom Zamtel communicates or deals, jointly and/or severally (“Data Subjects”).


Maintaining the Data Subject’s trust and confidence requires that Data Subjects do not suffer negative consequences/effects as a result of providing Zamtel with their Personal Data. To this end, Zamtel is firmly committed to complying with applicable data protection laws, regulations, rules and principles to ensure security of Personal Data handled by the Company. This Data Privacy & Protection Policy (“Policy”) describes the minimum standards that must be strictly adhered to regarding the collection, use and disclosure of Personal Data and indicates that Zamtel is dedicated to processing the Personal Data it receives or processes with absolute confidentiality and security.

This Policy applies to all forms of systems, operations and processes within the Zamtel environment that involve the collection, storage, use, transmission, and disposal of Personal Data.

Failure to comply with the data protection rules and guiding principles set out in the Zambia Data Protection Act (ZDPA), as well as those set out in this Policy, is a material violation of Zamtel’s policies and may result in disciplinary action as required, including suspension or termination of employment or business relationship.

2.0 SCOPE

This Policy applies to all employees of Zamtel, as well as to any external business partners (such as merchants, suppliers, contractors, vendors and other service providers) who receive, send, collect, access, or process Personal Data in any way on behalf of Zamtel, including processing wholly or partly by automated means. This Policy also applies to third party Data Processors who process Personal Data received from Zamtel.

3.0 GENERAL PRINCIPLES FOR PROCESSING OF PERSONAL DATA

Zamtel is committed to maintaining the principles in the ZDPA regarding the processing of Personal Data. To demonstrate this commitment as well as our aim of creating a positive privacy culture within Zamtel, we adhere to the following basic principles relating to the processing of Personal Data:

  1. Lawfulness, Fairness and Transparency:

    Personal Data must be processed lawfully, fairly and in a transparent manner at all times. This implies that Personal Data collected and processed by or on behalf of Zamtel must be in accordance with the specific, legitimate, and lawful purpose consented to by the Data Subject, save where the processing is otherwise allowed by law or within other legal grounds recognized in the ZDPA.

  2. Data Accuracy:

    Personal Data must be accurate and kept up-to-date. In this regard, Zamtel:

    a) shall ensure that any data it collects and/or processes is accurate and not misleading in a way that could be harmful to the Data Subject;
    b) shall make efforts to keep Personal Data updated where reasonable and applicable; and
    c) shall make timely efforts to correct or erase Personal Data when inaccuracies are discovered.

  3. Purpose Limitation:

    Zamtel collects Personal Data only for the purposes identified in the Zamtel Privacy Notice provided to the Data Subject and for which consent has been obtained. Such Personal Data cannot be reused for another purpose that is incompatible with the original purpose, unless a new Consent is obtained.

    The purposes for which Zamtel will use your personal data include but are not limited to the following:

    a) For the provision of services to you. For example, when you purchase any of our products or services, we will use your personal data to process your order.
    b) For customer care and billing. When you use our products or services, we will use your personal information to bill you and to respond to enquiries and concerns that you may have about our products and services.
    c) Customer service messages. We will use your personal data to keep you updated with the latest information or changes about our products and services.
    d) For marketing purposes. To serve you better, we will use your personal data to market our products and services to you.
    e) Fraud prevention and security. We will process your personal and traffic data to protect you against and detect fraud, and to protect against and detect misuse of or damage to our networks.
    f) Managing our networks and understanding network usage. We do this to manage the volume and quality of calls and to understand how you use our networks, products, and services.

  4. Data Minimization:

    Zamtel limits Personal Data collection and usage to data that is relevant, adequate, and necessary for carrying out the purpose for which the data is processed. Zamtel will evaluate whether and to what extent the processing of personal data is necessary and where the purpose allows, anonymized data must be used.

  5. Integrity and Confidentiality:

    Zamtel shall establish adequate controls in order to protect the integrity and confidentiality of Personal Data, both in digital and physical format and to prevent personal data from being accidentally or deliberately compromised.

    Personal data of Data Subjects must be protected from unauthorized viewing or access and from unauthorized changes to ensure that it is reliable and correct.

    Any personal data processing undertaken by an employee who has not been authorized to carry it out as part of their legitimate duties is unauthorized.

    Employees may have access to Personal Data only as is appropriate for the type and scope of the task in question and are forbidden to use Personal Data for their own private or commercial purposes or to disclose them to unauthorized persons, or to make them available in any other way.

    The Human Resources Department must inform employees at the start of the employment relationship about the obligation to maintain personal data privacy. This obligation shall remain in force even after employment has ended.

  6. Personal Data Retention:

    All personal information shall be retained, stored and destroyed by Zamtel in line with legislative and regulatory guidelines. For all Personal Data and records obtained, used and stored within the Company, Zamtel shall perform periodical reviews of the data retained to confirm the accuracy, purpose, validity and requirement to retain.

    To the extent permitted by applicable laws and without prejudice to Zamtel Document Retention Policy, the length of storage of Personal Data shall, amongst other things, be determined by:

    a) the contract terms agreed between Zamtel and the Data Subject or as long as it is needed for the purpose for which it was obtained; or
    b) whether the transaction or relationship has statutory implication or a required retention period; or
    c) whether there is an express request for deletion of Personal Data by the Data Subject, provided that such request will only be treated where the Data Subject is not under any investigation which may require Zamtel to retain such Personal Data or there is no subsisting contractual arrangement with the Data Subject that would require the processing of the Personal Data; or
    d) whether Zamtel has another lawful basis for retaining that information beyond the period for which it is necessary to serve the original purpose.

    Notwithstanding the foregoing and pursuant to the ZDPA, Zamtel shall be entitled to retain and process Personal Data for archiving, scientific research, historical research, or statistical purposes for public interest.

    Zamtel will forthwith delete Personal Data in Zamtel’s possession where such Personal Data is no longer required by Zamtel or in line with Zamtel Retention Policy, provided no law or regulation being in force requires Zamtel to retain such Personal Data.

  7. Accountability:

    Zamtel demonstrates accountability in line with the ZDPA obligations by monitoring and continuously improving data privacy practices within Zamtel.

    Any individual or employee who breaches this Policy may be subject to internal disciplinary action (up to and including termination of their employment); and may also face civil or criminal liability if their action violates the law.

4.0 DATA PRIVACY NOTICE

Zamtel considers Personal Data as confidential and as such must be adequately protected from unauthorized use and/or disclosure. Zamtel will ensure that the Data Subjects are provided with adequate information regarding the use of their Personal Data as well as acquire their respective Consent, where necessary.

Zamtel shall display a simple and conspicuous notice (Privacy Notice) on any medium through which Personal Data is being collected or processed. The following information must be considered for inclusion in the Privacy Notice, as appropriate in distinct circumstances in order to ensure fair and transparent processing:

  1. Description of collectible Personal Data;
  2. Purposes for which Personal Data is collected, used and disclosed;
  3. What constitutes the Data Subject’s Consent;
  4. Purpose for the collection of Personal Data;
  5. The technical methods used to collect and store the information;
  6. Available remedies in the event of violation of the Policy and the timeframe for remedy; and
  7. Adequate information to initiate the process of exercising their privacy rights, such as access to, rectification and deletion of Personal Data.

5.0 LEGAL GROUNDS FOR PROCESSING OF PERSONAL DATA

The personal data we collect from our customers and how we collect it depends on the services that our customers subscribe to, how they use our services and how they interact or interface with us. This also applies to persons who are not customers of Zamtel but have interacted with Zamtel such as our employees and external business partners. We may also obtain your personal data from a third party who has permission to share it with us.

We may share your data with third parties to whom you have given your consent to procure such data from Zamtel. Personal data we have about our customers, where applicable, includes but is not limited to: name, phone number, address, sex, photograph, ID card details, fingerprint, signature etc.

Please note that we collect your data when you provide it to us through any of our data collection points (physical, online, virtually, etc.) and only process your personal data based on the grounds set out in the ZDPA. Accordingly, processing of Personal Data by Zamtel shall be lawful if at least one of the following applies:

  1. Where you give us consent to the processing of your Personal Data for one or more specific purposes. You are at liberty to withdraw the consent and Zamtel will cease to process your personal data where there is no other basis to do so.
  2. Where the processing is necessary for the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject prior to entering into a contract.
  3. Processing is necessary for compliance with a legal obligation to which Zamtel is subject.
  4. Processing is necessary to protect the vital interests of the Data Subject or of another natural person.
  5. Processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in Zamtel.
  6. Processing is necessary for the purposes of the legitimate interest pursued by the data controller or by a third party to whom the data is disclosed.

5.1. We collect your personal data when you do any of the following:

The personal data we collect from individuals can be obtained through various methods and interactions, including but not limited to:

  1. Buy or use any of our products and services.
  2. Use our network or other Zamtel products and services.
  3. Register for a specific product or service.
  4. Visit or browse our website.
  5. Have given permission to other companies to share information about you.
  6. Where your information is publicly available.
  7. Are the customers of a business we acquire.
  8. Take part in a competition, prize draw, or survey.
  9. Where Zamtel engages you as an employee or external business partner.
  10. We also keep records when you use/conduct an activity on your mobile phone using our network. This includes the number you dialed, the length, date and time of that call, and records of your IP data sessions.
  11. When you provide your data to us through any of our data collection points including but not limited to the following: our KYC registration forms, SIM Swap Forms, MNP Forms, self-service applications, social media platforms, websites.

6.0 CONSENT

Where processing of Personal Data is based on consent, Zamtel shall obtain the requisite consent of Data Subjects at the time of collection of Personal Data. In this regard, Zamtel will ensure:

  1. that the specific purpose of collection is made known to the Data Subject and the Consent is requested in a clear and plain language,
  2. that the Consent is freely given by the Data Subject and obtained without fraud, coercion, or undue influence,
  3. that the Consent is sufficiently distinct from other matters to which the Data Subject has agreed,
  4. that the Consent is explicitly provided in an affirmative manner,
  5. that Consent is obtained for each purpose of Personal Data collection and processing; and
  6. that it is clearly communicated to and understood by Data Subjects that they can update, manage, or withdraw their Consent at any time.

Valid Consent

For Consent to be valid, it must be given voluntarily by an appropriately informed Data Subject. In line with regulatory requirements, Consent cannot be implied. Silence, pre-ticked boxes or inactivity do not constitute Consent under the ZDPA 2023. Consent in respect of Sensitive Personal Data must be explicit. A tick of the box would not suffice.

Consent of Minors

In the unlikely event that we deal with minors, the consent of minors will always be protected and obtained from the minor’s representatives in accordance with applicable regulatory requirements.

7.0 DATA SUBJECT RIGHTS

All individuals who are the subject of Personal Data held by Zamtel are entitled to the following rights:

  1. Right to request for and access the Personal Data collected and stored. Where data is held electronically in a structured form, such as in a Database, the Data Subject has a right to receive that data in a common electronic format,
  2. Right to information on their personal data collected and stored,
  3. Right to objection or request for restriction,
  4. Right to request rectification and modification of their data which Zamtel keeps,
  5. Right to request for deletion of their data, except as restricted by law or Zamtel statutory obligations,
  6. Right to request the movement of data from Zamtel to a Third Party; this is the right to the portability of data; and
  7. Right to object to, and to request that Zamtel restricts the processing of their information except as required by law or Zamtel’s statutory obligations.

Right to request that Zamtel restricts processing of your personal data and Right

8.0 TRANSFER OF PERSONAL DATA

8.1 Third Party Processor within Zambia

Zamtel may engage the services of third parties in order to process your Personal Data collected by us. The processing by such third parties shall be governed by a written contract with Zamtel to ensure adequate protection and security measures are put in place by the third party for the protection of Personal Data in accordance with the terms of this Policy and the ZDPA. We may also share your personal data with law enforcement agencies where required by law to do so.

Where applicable, Zamtel will share your information with:

  1. Partners, suppliers, or agents involved in delivering the products and services you have ordered or used. For example, when you apply for a loan, your loan request is handled by our business partner who is bound by contract to protect your personal data.
  2. Law enforcement agencies, government bodies, regulatory organizations, courts, or other public authorities if we have to, or are authorized to by law. For example, under the Cybercrimes Act, a law enforcement agency may request a service provider to keep or release any traffic data, subscriber information, content, or non-content information. This is, however, for law enforcement purposes only.
  3. A third party or body where such disclosure is required to satisfy any applicable law, or other legal or regulatory requirement e.g., to respond to a complaint or security threat, detect or prevent fraud, or to respond to the commission of any other crime. Further, disclosures of personal data may also be needed by our auditors to perform financial audits.
  4. A merging or acquiring entity where we undergo business reorganization e.g., merger, acquisition, or takeover. We may be required to disclose personal data about you for insurance purposes.
  5. We may be required to share your information with other third parties who use Zamtel platforms/systems to advertise their products. However, the personal data collected is anonymized or aggregated prior to sharing it with the third parties.

8.2 Transfer of Personal Data to Foreign Country

Zamtel may transfer Personal Data outside Zambia only if such transfer is permitted by, and is in accordance with, Local Regulatory Requirements, and for the purposes described in this Policy. Zamtel will take all necessary steps to ensure that the Personal Data is handled and transmitted in a safe and secure manner. These measures include conducting data protection impact assessments to verify that such a country has adequate data protection laws, which bind the recipient to prescribed data handling and data protection requirements acceptable to Zamtel and our relevant regulators. These measures also include entering into binding data transfer agreements, amongst others.

Furthermore, Zamtel, as a multinational operating company within the Zamtel Africa Group, may transfer your personal data to other Zamtel affiliated entities within the Group. All these entities are bound by Binding Corporate Rules (“BCR”) which ensure that the entity receiving the data safeguards your data in accordance with the terms of the BCR.

9.0 DATA BREACH MANAGEMENT PROCEDURE

A data breach procedure is established and maintained in order to deal with incidents concerning Personal Data or privacy practices leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

All employees must inform their designated line manager or the DPO of Zamtel immediately about cases of violations of this Policy or other regulations on the protection of Personal Data, in accordance with Zamtel Personal Data Breach Management Procedure in respect of any:

  1. improper transmission of Personal Data across borders;
  2. loss or theft of data or equipment on which data is stored;
  3. accidental sharing of data with someone who does not have a right to know this information;
  4. inappropriate access controls allowing unauthorized use;
  5. equipment failure;
  6. human error resulting in data being shared with someone who does not have a right to know; and
  7. hacking attack.

A data protection breach notification must be made immediately after any data breach to ensure that:

When a potential breach has occurred, Zamtel will investigate to determine if an actual breach has occurred, and the actions required to manage and investigate the breach as follows:

  1. Validate the Personal Data breach.
  2. Ensure proper and impartial investigation (including digital forensics if necessary) is initiated, conducted, documented, and concluded.
  3. Identify remediation requirements and track resolution.
  4. Report findings to the top management.
  5. Coordinate with appropriate authorities as needed.
  6. Coordinate internal and external communications.
  7. Ensure that impacted Data Subjects are properly notified, if necessary.

10.0 DATA PROTECTION IMPACT ASSESSMENT

Zamtel shall carry out a Data Protection Impact Assessment (DPIA) in respect of any new project or IT system involving the processing of Personal Data to determine whether a type of processing is likely to result in any risk to the rights and freedoms of the Data Subject. Zamtel shall carry out the DPIA in line with the procedures laid down in the Zamtel Data Protection Impact Assessment Policy.

11.0 DATA SECURITY

All Personal Data must be kept securely and should not be stored any longer than necessary. Zamtel will ensure that appropriate measures are employed against unauthorized access, accidental loss, damage, and destruction to data. This includes the use of password-encrypted databases for digital storage and locked cabinets for those using paper form.

To ensure security of Personal Data, Zamtel will, among other things, implement the following appropriate technical controls:

  1. Industry-accepted hardening standards, for workstations, servers, and databases.
  2. Full disk software encryption on all corporate workstation/laptop operating system drives storing Personal and Personal/Sensitive Data.
  3. Encryption at rest, including key management, of key databases.
  4. Security audit logging enabled across all systems managing Personal Data.
  5. Restrictions on the use of removable media such as USB flash disk drives.
  6. Anonymization techniques on testing environments.
  7. Physical access control where Personal Data are stored in hardcopy.

12.0 DATA PROTECTION OFFICER

Zamtel shall appoint a Data Protection Officer(s) (DPO) responsible for overseeing the Company's data protection strategy and its implementation to ensure compliance with the ZDPA requirements. The DPO shall be a knowledgeable person on data privacy and protection principles and shall be familiar with the provisions of the ZDPA.

The main tasks of the DPO include:

  1. Administering data protection policies and practices of Zamtel.
  2. Monitoring compliance with the ZDPA and other data protection laws, data protection policies, awareness-raising, training, and audits.
  3. Advising the business, management, employees, and third parties who carry on processing activities of their obligations under the ZDPA.
  4. Acting as a contact point for Zamtel.
  5. Monitoring and updating the implementation of the data protection policies and practices of Zamtel and ensuring compliance among all employees of Zamtel.
  6. Ensuring that Zamtel undertakes a Data Impact Assessment and curbs potential risks in Zamtel's data processing operations.
  7. Maintaining a database of all Zamtel's data collection and processing operations.

13.0 TRAINING

Zamtel shall ensure that employees who collect, access and process Personal Data receive adequate data privacy and protection training in order to develop the necessary knowledge, skills and competence required to effectively manage the compliance framework under this Policy and the ZDPA with regard to the protection of Personal Data. On an annual basis, Zamtel shall develop a capacity building plan for its employees on data privacy and protection in line with the ZDPA.

14.0 DATA PROTECTION AUDIT

Zamtel shall conduct an annual data protection audit through a licensed Data Protection Compliance Organization (DPCO) to verify Zamtel's compliance with the provisions of the ZDPA and other applicable data protection laws.

15.0 RELATED POLICIES AND PROCEDURES

This Policy shall be read in conjunction with the following policies and procedures of Zamtel:

CHANGES TO THE POLICY

Zamtel reserves the right to change, amend, or alter this Policy at any point in time. If we amend this Policy, we will provide you with the updated version.

GLOSSARY

Consent: Any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

Database: A collection of data organized in a manner that allows access, retrieval, deletion, and processing of that data; it includes but is not limited to structured, unstructured, cached, and file system type Databases.

Data Processor: A person or organization that processes Personal Data on behalf of and on the instructions of Zamtel.

DPCO: An organization registered by NITDA to provide data protection audit, compliance, and training services to public and private organizations who process Personal Data in Zambia.

Data Subject: Any person who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.

ZDPA: The Zambia Data Protection Act.

Personal Data: Any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII), and others.

Sensitive Personal Data: Data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records, or any other sensitive personal information.