At British American Tobacco (“BAT”) we collect a variety of information about people we interact with, as part of our business and may use it in many different ways. We are committed to ensuring that your personal data is protected and never misused.
In this Privacy Notice, "BAT", "us", "we" or "our" means the BAT group company or companies who are primarily responsible for personal data collected about you in Kenya, having their registered address at 08 Likoni road, Industrial Area, P.O. Box 30000-00100 Nairobi, Kenya and which include:
If you are a current or former employee, contractor or another staff member of BAT (such as a trainee or secondee) then please note that this Privacy Notice does not apply to you. Please contact us at Data_Protection@bat.com and we will direct you to where you can obtain the privacy notice.
This section of the Privacy Notice applies to you if you or your employer is a Third Party and supplying goods or services to BAT (or proposing to do so), or purchasing goods or services from us (or proposing to do so). It also applies if you are a director or direct or indirect shareholder of a Third Party organisation supplying or receiving goods or services to or from BAT (or where such Third Party organisation is proposing to do so).
In this Privacy Notice, "Third Party" means the following:
At BAT, we need some information about you and your organisation, such as your name, job title, organisation registration numbers, bank details, tax details and contact details so we can work with you to manage the contract and relationship for the goods or services you supply to us, or we supply to you. We may collect your personal data via a Third-Party risk assessment tool to complete due diligence and risk management processes necessary for Third Party onboarding. As part of managing the business relationship, we may be legally required to conduct ‘know your customer’ (e.g. via ‘World Check One’) or similar compliance screenings on you or your organisation. In doing so we will use the information listed below. We obtain this information either obtain directly from you or from your employer, or the company you are shareholder or director of. In the context of conducting compliance screenings, we will also check the personal data provided to us against public information, including official sources (such as sanctions lists), media sources and adverse media (such as news reports, journal articles), and additional government and official sources (such as court records, election results, company filings, official company websites and press releases).
Why do we hold your information |
What type of information? |
How legally can we use your information? |
To manage the contract and business relationship with either you, your employer or the company you are a director or direct or indirect shareholder or representative. |
|
In order to perform our obligations under contract or take steps prior to entering into a contract. |
To conduct due diligence and risk management processes necessary for Third Party onboarding and during the relationship engagement (including, but not limited to, risks related to bribery and corruption, money laundering, sanctions, tax evasion and illicit trade). |
|
To comply with a legal obligation to which we are subject. For those not directly associated to a legal obligation, that such processing is necessary for the performance of a task carried out in the public interest, and that such processing is in our (and our Third Parties) legitimate interests. The legitimate interest is to ensure appropriate levels of due diligence so that we do not breach the laws and regulations that apply to us, including international sanctions laws and screening lists. |
To conduct and evaluate request for proposals, request for information and/or request for quotes. |
|
We have legitimate interest in engaging with Third Parties in order to evaluate their suitability as a supplier or business partner. |
We process the information you provide in your curriculum vitae, in our application form and supporting documentation/information you provide during the recruitment process.
Why do we hold your information |
What type of information? |
How legally can we use your information? |
We use your information about you to ensure that we can respond to any queries and contact you if you request us to do so, for storing your details (and updating them
We may also screen your CV prior to considering your application further. |
|
To pursue the legitimate interests we have. For example, it is in our legitimate commercial interest to be able to consider your details as a candidate to ascertain if you are the correct person for the role.
We may check your identity to comply with a legal obligation such as establishing your right to work in the country. |
After you have made the application, we may seek more information about you from other sources generally including from third parties. For example, we may receive information on you from those organisations that you have asked us to use for professional or academic references such as a previous employer or a college or university.
This section of the Privacy Notice applies to you if one of our employees employed by a BAT legal entity has named you as the person we should contact in an emergency or to administer any employee-based benefits.
We only hold information about you (as detailed in the table below) which has been provided to us by a BAT employee to enable us to contact you in emergencies or to administer employee benefits such as healthcare or pensions.
Why do we hold your information |
What type of information? |
How legally can we use your information? |
To contact you in emergencies relating to the BAT employee(s) that have named you as their emergency contact person. |
|
It is in our employees’ legitimate interests for us to be able to contact you in an emergency. |
To administer employee benefits that our employee has asked us to take steps to fulfil. |
|
This is necessary for us to take steps to perform the benefits contract between the BAT employee and the benefits provider. |
To administer employee pension benefits that our employee has asked us to take steps to fulfil. |
|
This is necessary for us to take steps to perform to comply with our legal obligations (e.g. tax laws) between the BAT employee and the benefits provider. |
This section of the Privacy Notice applies to you if you fall within any of the following categories:
At BAT, we need some information about you, and will collect and hold the information listed in the table below under ‘What Type of Information’ so we can manage any current or future relationship we may have with you. We obtain this information either directly from you or from your employer, or from third parties who lawfully provide it to us (including publicly available materials) including the organisers of public events you attend.
Why do we hold your information |
What type of information? |
How legally can we use your information? |
To contact you in order to manage your relationship with us. |
|
In order to: (1) perform our obligations under contract (in particular: (a) for those individuals who attend, or participate in, conferences or events; or (b) in the context of our relationships with journalists) or take steps prior to entering into a contract; or (2) exercise our legitimate interests in being able to contact you in the context of a current or future business or commercial relationship. |
To perform relevant due diligence into publicly available materials relating to you. |
|
We will either: (1) rely on our legitimate interest in: (a) protecting our business; or (b) in the context of a current or future business or commercial relationship; or (2) seek your consent where appropriate. |
To respond to any query that you have asked us. |
|
It is in our legitimate interests to respond to your query and in order to ensure that you have the most up to date information about the BAT business and that any concerns you have relating to BAT are resolved. |
To ensure quality of our call centre and facilitate training of call centre agents we record our calls. |
|
It is in our legitimate interest to ensure callers receive quality responses and correct information as well as to ensure call centre agents are properly trained. |
To run survey and research programmes. |
|
We will either: (1) rely on our legitimate interest in the context of a current or future business or commercial relationship; or (2) seek your consent where appropriate. |
To facilitate safe visits to our premises, and to contribute to COVID-19 containment measures. |
|
It is in our legitimate interests to facilitate your visit to our premises. This includes recording your access to our premises, taking steps to help ensure your safety on site, and recording any feedback you provide. Furthermore, maintaining safe premises and a safe working environment is within our legitimate interests, and is necessary to protect your legitimate interests (and those of others) and to comply with our legal obligations. |
Building a professional relationship with you in relation to your attendance at conferences and events that are of mutual interest. |
|
It is in our legitimate interests to process your personal data for the purposes of building our professional relationship with you. |
Building current or future professional relationship with you in the context of your work as an academic or research professional. |
|
It is in our legitimate interests to process your personal data for the purposes of developing a current or future professional relationship with you. |
To enable you to complete a submission and participate in the programmes we or our Third Parties offer and, depending on the programme, building a current or potential future professional relationship with you through your participation in such programmes. |
|
It is in our legitimate interests to process your personal data for the purposes of facilitating our programmes and for building potential professional relationships with you. |
Provided you do not supply more information than we request, we generally only collect the mandatory information required for our purposes. Where possible, we will indicate whether information requested is mandatory or voluntary.
In certain circumstances if you do not provide us with the information we require for our due diligence checks or onboarding procedures, we may not be able to enter into a contract with you. Furthermore, during our relationship if you do not provide certain information, we may not be able to meet our obligations under the contract we have with you or engage with you.
You have a number of rights in relation to your personal information. These are:
Right to be informed : of the use to which your personal data is to be put.
Right to access (sometimes known as a data subject access request or a "DSARs") : You may ask us to confirm what information we hold about you at any time and request access to that personal data. We do have to take into account the interests of others, so this is not an absolute right, and we may sometimes have to withhold information to meet our obligations towards others.
Right to object: this right enables you to object to us processing your personal data under certain circumstances and we can be required to no longer process your personal data.
Right to correction : You may have the right to request that we rectify any false or misleading data that we hold about you.
Right to deletion : You may have the right to ask us to erase personal data concerning you. This right does not apply to all situations, as there will be certain areas where we will need to retain your personal data.
Right to withdraw consent : In certain circumstances, where we have relied on your consent to process your personal data for certain activities, you may be able to withdraw this consent at any time and we will cease processing the personal data in connection with that activity.
If you would like to exercise any of these rights or withdraw your consent to the processing of your personal data (where consent is our legal basis for processing your personal data), please contact data_protection@bat.com . Please note that we may keep a record of your communications to help us resolve any issues which you raise.
At BAT, we do not sell, rent or trade your information with third parties for marketing or promotional purposes. When necessary we may share information about you with the following recipients:
Sometimes when we share your personal data with the third parties described in above, it may be transferred to countries outside of Kenya.
We will do our best to ensure that your personal data is stored and transferred in a way which is secure. When we transfer your personal data outside Kenya, we do so in compliance with the law and we take appropriate steps to protect that information, which include:
We care about protecting your information. That's why we put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal information. We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorised access. We do this by having in place a range of appropriate technical and organizational measures, including encryption measures and disaster recovery plans.
If you suspect any misuse or loss of or unauthorised access to your personal information, please let us know immediately by contacting us using the details provided at the end of this notice.
Unfortunately, the transmission of information via the Internet is not completely secure. Although we will apply our normal procedures and comply with legal requirements to protect your information, we cannot guarantee the security of your information transmitted from you to us
For further information, please see the Data Protection Policy (93 kb) .
To exercise any of your rights or if you have any questions or complaints about this Privacy Notice please email by writing to ssadataprivacy@bat.com .
We may amend this Privacy Notice from time to time, so please ensure to check back regularly.
Last Modified: June 2022