Privacy Notice

 

1. Introduction

At British American Tobacco (“BAT”) we collect a variety of information about people we interact with, as part of our business and may use it in many different ways. We are committed to ensuring that your personal data is protected and never misused.

In this Privacy Notice, "BAT", "us", "we" or "our" means the BAT group company or companies who are primarily responsible for personal data collected about you in Kenya, having their registered address at 08 Likoni road, Industrial Area, P.O. Box 30000-00100 Nairobi, Kenya and which include:

  • British American Tobacco Kenya Plc.
  • British American Tobacco Area Limited.
  • BAT Kenya Tobacco Company Limited.


If you are a current or former employee, contractor or another staff member of BAT (such as a trainee or secondee) then please note that this Privacy Notice does not apply to you. Please contact us at Data_Protection@bat.com and we will direct you to where you can obtain the privacy notice.

2. Data Subjects with Business Relationships with BAT

This section of the Privacy Notice applies to you if you or your employer is a Third Party and supplying goods or services to BAT (or proposing to do so), or purchasing goods or services from us (or proposing to do so). It also applies if you are a director or direct or indirect shareholder of a Third Party organisation supplying or receiving goods or services to or from BAT (or where such Third Party organisation is proposing to do so).

In this Privacy Notice, "Third Party" means the following:

  • Supplier/Vendor - a person or organisation (including key personnel of that organisation) that provides goods or services to us and receives consideration for these goods or services.
  • Customers - any person or organisation that purchases tobacco leaf and/or products from us.
  • Trade Associations - a group organised and funded by business/society participants that share common goals.
  • Landlords - the owner of land or buildings used by us.

At BAT, we need some information about you and your organisation, such as your name, job title, organisation registration numbers, bank details, tax details and contact details so we can work with you to manage the contract and relationship for the goods or services you supply to us, or we supply to you.  We may collect your personal data via a Third-Party risk assessment tool to complete due diligence and risk management processes necessary for Third Party onboarding. As part of managing the business relationship, we may be legally required to conduct ‘know your customer’ (e.g. via ‘World Check One’) or similar compliance screenings on you or your organisation. In doing so we will use the information listed below. We obtain this information either obtain directly from you or from your employer, or the company you are shareholder or director of. In the context of conducting compliance screenings, we will also check the personal data provided to us against public information, including official sources (such as sanctions lists), media sources and adverse media (such as news reports, journal articles), and additional government and official sources (such as court records, election results, company filings, official company websites and press releases).

Why do we hold your information What type of information? How legally can we use your information?
To manage the contract and business relationship with either you, your employer or the company you are a director or direct or indirect shareholder or representative.
  • Name, contact information (e.g. email address, address, telephone number), financial information such as creditworthiness, bank account details, specimen signatures.
In order to perform our obligations under contract or take steps prior to entering into a contract.
To conduct due diligence and risk management processes necessary for Third Party onboarding and during the relationship engagement (including, but not limited to, risks related to bribery and corruption, money laundering, sanctions, tax evasion and illicit trade).
  • Name, contact information, financial information, such as creditworthiness, bank account details, specimen signature, criminal records, identification numbers, date and place of birth, nationality, relationships with public officials.
To comply with a legal obligation to which we are subject. For those not directly associated to a legal obligation, that such processing is necessary for the performance of a task carried out in the public interest, and that such processing is in our (and our Third Parties) legitimate interests. The legitimate interest is to ensure appropriate levels of due diligence so that we do not breach the laws and regulations that apply to us, including international sanctions laws and screening lists.
To conduct and evaluate request for proposals, request for information and/or request for quotes.
  • Name, contact information, curriculum vitae of key personnel.
We have legitimate interest in engaging with Third Parties in order to evaluate their suitability as a supplier or business partner.

 3. A candidate or job applicant

We process the information you provide in your curriculum vitae, in our application form and supporting documentation/information you provide during the recruitment process.

Why do we hold your information What type of information? How legally can we use your information?

We use your information about you to ensure that we can respond to any queries and contact you if you request us to do so, for storing your details (and updating them
when necessary) on our database and to enable you to submit your CV for general applications, to allow you to apply for specific jobs, so that we can contact you in relation to job opportunities or respond to any query you have asked us to answer, research that we conduct for statistical purposes.

We may also screen your CV prior to considering your application further.

  • Name;
  • your email address and contact details;
  • your country/city of residence;
  • information in relation to your background;
  • education history;
  • interview notes and any assessment results;
  • Images and recordings of any video interviews (if relevant);
  • employment history,
  • vocation/profession; and
  • extra information that you choose to tell us.

To pursue the legitimate interests we have. For example, it is in our legitimate commercial interest to be able to consider your details as a candidate to ascertain if you are the correct person for the role.

We may check your identity to comply with a legal obligation such as establishing your right to work in the country.

After you have made the application, we may seek more information about you from other sources generally including from third parties. For example, we may receive information on you from those organisations that you have asked us to use for professional or academic references such as a previous employer or a college or university.

4. Emergency Contacts or those named to receive benefits by a BAT employee

This section of the Privacy Notice applies to you if one of our employees employed by a BAT legal entity has named you as the person we should contact in an emergency or to administer any employee-based benefits.

We only hold information about you (as detailed in the table below) which has been provided to us by a BAT employee to enable us to contact you in emergencies or to administer employee benefits such as healthcare or pensions.

Why do we hold your information What type of information? How legally can we use your information?
To contact you in emergencies relating to the BAT employee(s) that have named you as their emergency contact person.
  • Name and contact information.
It is in our employees’ legitimate interests for us to be able to contact you in an emergency.
To administer employee benefits that our employee has asked us to take steps to fulfil.
  • Name and contact information; and
  • Identification number
This is necessary for us to take steps to perform the benefits contract between the BAT employee and the benefits provider.
To administer employee pension benefits that our employee has asked us to take steps to fulfil.
  • Name and contact information; and
  • Identification number
This is necessary for us to take steps to perform to comply with our legal obligations (e.g. tax laws) between the BAT employee and the benefits provider.

5. Other individuals who interact with BAT

This section of the Privacy Notice applies to you if you fall within any of the following categories:

  • journalists with whom we communicate in any medium;
  • visitors to our physical premises;
  • individuals and/or businesses who attend or participate in conferences or events in which we are involved;
  • individuals and/or businesses who represent regulatory and law enforcement agencies or other governmental offices;
  • Third Parties and/or consumers that call our call centres;
  • Third Parties and/or consumers that participate in surveys and research activities;
  • academics and research professionals; and
  • individuals and businesses who submit information for the purposes of participating in programmes we offer (for example, our Be a Supplier programme).

At BAT, we need some information about you, and will collect and hold the information listed in the table below under ‘What Type of Information’ so we can manage any current or future relationship  we may have with you. We obtain this information either directly from you or from your employer, or from third parties who lawfully provide it to us (including publicly available materials) including the organisers of public events you attend.

Why do we hold your information What type of information? How legally can we use your information?
To contact you in order to manage your relationship with us.
  • Name, contact information (e.g. email address, telephone number, region where you are from)
In order to: (1) perform our obligations under contract (in particular: (a) for those individuals who attend, or participate in, conferences or events; or (b) in the context of our relationships with journalists) or take steps prior to entering into a contract; or (2) exercise our legitimate interests in being able to contact you in the context of a current or future business or commercial relationship.
To perform relevant due diligence into publicly available materials relating to you.
  • Name, contact information including the region where you are from.
  • Professional details including your work history, academic history and qualifications, job title, organisation, website details (if any), contact details, and area of expertise or specialty.
  • Any publications, articles or publicly available materials you have created.
We will either: (1) rely on our legitimate interest in: (a) protecting our business; or (b) in the context of a current or future business or commercial relationship; or (2) seek your consent where appropriate.
To respond to any query that you have asked us.
  • Name and contact information.
  • Any information that you provide to us in submitting your query through our call centre channels or to us directly.
It is in our legitimate interests to respond to your query and in order to ensure that you have the most up to date information about the BAT business and that any concerns you have relating to BAT are resolved.
To ensure quality of our call centre and facilitate training of call centre agents we record our calls.
  • Any information you provide during those calls.

It is in our legitimate interest to ensure callers receive quality responses and correct information as well as to ensure call centre agents are properly trained.

To run survey and research programmes.
  • Your name and contact details and information requested in the particular survey or research questionnaire.

We will either: (1) rely on our legitimate interest in the context of a current or future business or commercial relationship; or (2) seek your consent where appropriate.

To facilitate safe visits to our premises, and to contribute to COVID-19 containment measures.
  • Name, contact information and potentially questions surrounding your recent whereabouts or contact with those who may have been infected with the COVID-19 virus and body temperature information.
  • Any information that you provide to us relating to your visit.

It is in our legitimate interests to facilitate your visit to our premises. This includes recording your access to our premises, taking steps to help ensure your safety on site, and recording any feedback you provide.

Furthermore, maintaining safe premises and a safe working environment is within our legitimate interests, and is necessary to protect your legitimate interests (and those of others) and to comply with our legal obligations.

Building a professional relationship with you in relation to your attendance at conferences and events that are of mutual interest.
  • Name and contact information
  • Records of conferences and events attended.
It is in our legitimate interests to process your personal data for the purposes of building our professional relationship with you.
Building current or future professional relationship with you in the context of your work as an academic or research professional.
  • Name and contact information
  • Professional details including your academic history and qualifications, job title, organization, website details
  • (if any), contact details, and area of specialty.
It is in our legitimate interests to process your personal data for the purposes of developing a current or future professional relationship with you.
To enable you to complete a submission and participate in the programmes we or our Third Parties offer and, depending on the programme, building a current or potential future professional relationship with you through your participation in such programmes.
  • Names, contact details, job title, organisation information such as registrations numbers, country of incorporation and financial information, nature of business and proposals.
It is in our legitimate interests to process your personal data for the purposes of facilitating our programmes and for building potential professional relationships with you.

6. What if you don’t provide us with the information?

Provided you do not supply more information than we request, we generally only collect the mandatory information required for our purposes. Where possible, we will indicate whether information requested is mandatory or voluntary.

In certain circumstances if you do not provide us with the information we require for our due diligence checks or onboarding procedures, we may not be able to enter into a contract with you. Furthermore, during our relationship if you do not provide certain information, we may not be able to meet our obligations under the contract we have with you or engage with you.

7. Your rights?

You have a number of rights in relation to your personal information. These are:

Right to be informed: of the use to which your personal data is to be put.

Right to access (sometimes known as a data subject access request or a "DSARs"): You may ask us to confirm what information we hold about you at any time and request access to that personal data. We do have to take into account the interests of others, so this is not an absolute right, and we may sometimes have to withhold information to meet our obligations towards others.

Right to object: this right enables you to object to us processing your personal data under certain circumstances and we can be required to no longer process your personal data.

Right to correction: You may have the right to request that we rectify any false or misleading data that we hold about you.

Right to deletion: You may have the right to ask us to erase personal data concerning you. This right does not apply to all situations, as there will be certain areas where we will need to retain your personal data.

Right to withdraw consent: In certain circumstances, where we have relied on your consent to process your personal data for certain activities, you may be able to withdraw this consent at any time and we will cease processing the personal data in connection with that activity.

If you would like to exercise any of these rights or withdraw your consent to the processing of your personal data (where consent is our legal basis for processing your personal data), please contact data_protection@bat.com. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

8. Who do we share your information with?

At BAT, we do not sell, rent or trade your information with third parties for marketing or promotional purposes. When necessary we may share information about you with the following recipients:

  • any of our BAT group companies;
  • tax, audit, or other authorities, when we believe we are legally required to do so, where the relevant authority has asked us to assist (for example, because of a request by a tax authority or in connection with any expected litigation), or in order to help prevent fraud or to protect the rights of BAT; or protect the personal safety of BAT employees, third party agents or members of the public;
  • third party service providers such as external consultants and professional advisers (including law firms, auditors and accountants), technical support functions, and IT consultants carrying out testing and development work on our business technology systems);
  • third parties for the purposes of background screening checks, credit worthiness checks, criminal record checks, credential validation, order fulfilment, delivery, customer support services and storage services;
  • third party outsourced IT providers, including but not limited to email/text messaging providers; cloud IT service providers, business suite solution providers; data analytics agencies; IT strategic implementation partners; hosting service providers;
  • survey and research companies;
  • if it is proposed that a BAT Group entity or business is to merge with or be acquired by another business in the future, we may share your personal data with potential purchasers, where this is necessary, or the new owners of the business or company.

Sometimes when we share your personal data with the third parties described in above, it may be transferred to countries outside of Kenya.

We will do our best to ensure that your personal data is stored and transferred in a way which is secure. When we transfer your personal data outside Kenya, we do so in compliance with the law and we take appropriate steps to protect that information, which include:

  • entering into agreements with third parties;
  • transferring to organisations within countries that offer adequate protection for your information.

 9. How do we ensure your information is safe with us?

We care about protecting your information. That's why we put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal information.  We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorised access. We do this by having in place a range of appropriate technical and organizational measures, including encryption measures and disaster recovery plans.

If you suspect any misuse or loss of or unauthorised access to your personal information, please let us know immediately by contacting us using the details provided at the end of this notice.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will apply our normal procedures and comply with legal requirements to protect your information, we cannot guarantee the security of your information transmitted from you to us

10. Additional Information

For further information, please see the Data Protection Policy (93 kb) .

11. Contact us

To exercise any of your rights or if you have any questions or complaints about this Privacy Notice please email by writing to data_protection@bat.com.

12. Updates to this Privacy Notice

We may amend this Privacy Notice from time to time, so please ensure to check back regularly.

Last Modified: June 2022

max
large
medium
small
mobile