Privacy Notice

TRM Holdings Limited (‘TRM’) understands that your privacy is important to you and that we care about how your personal data is used. We respect and value the privacy of all our customers and users and we will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the Data Protection legislation (as defined hereinbelow).

This is TRM’s Privacy Notice (“Privacy Notice”), which may be accessed from the webpage www.trm.co.ke where you submit personal data to access the service, or may be obtained as a hard copy when you submit personal data at our shopping mall. TRM is a premier shopping mall (‘TRM Mall’) based on Exit 8 Thika Superhighway Roysambu Area in Nairobi.

We are referred to in this Privacy Notice as “TRM”, “We” or “Our” or “Us”.  An individual who is the subject of the personal data is referred to as “Customer”, “User” or “You”.

This Privacy Notice only covers users of our website and the TRM Mall. The personal details of TRM’s employees or third-party vendors are handled in line with the terms of the employment agreement or contractual relationships, or our separate policies that we provide, as relevant, independent of this Privacy Notice.

1.       Information about us

TRM HOLDING LIMITED is a limited company registered in the Republic of Kenya.

Registered address: Exit 8 Thika Superhighway Roysambu Area

Postal Address: 1400-00606

Email address: dataprotection@trm.co.ke

Telephone number: 0750533021

Website: (“Our website”) www.trm.co.ke

2.       What does this Privacy Notice cover.

2.1 This Privacy Notice explains how we use your personal data: how it is collected, how it is held and how it is processed. It also explains your rights under the law relating to your personal data.

2.2 We will process any personal data we collect from you in accordance with this Privacy Notice and our Terms and Conditions of Service (together with any other documents referred to in it). Kindly read this Privacy Notice carefully so that you can understand how we handle your personal data.

3.       What is personal data.

3.1 Processing of personal data is governed by the Data Protection Act, 2019 (‘the Act’), The Data Protection General Regulations 2021, The Data Protection (Registration of Data Controllers and Data Processors) 2021, The Data Protection (Complaints Handling and Enforcement Procedures) Regulations 2021 as may be amended from time to time, and any other regulations made thereunder (collectively, “the Data Protection Legislation”).

3.2 Personal data refers to any information about you that enables you to be identified as an individual, such as your name, contact details and identification numbers, but it also covers less obvious information such as electronic location data and other online identifiers.

The personal data that we collect and use is set out in Part 4 and Part 5 below.

4.       How do we collect your personal data?

We collect personal data about you through the following means:

4.1 Website Use Information – When you use a computer, tablet, smart phone or other device to access our websites, we may collect information about the device and how you use it.

4.2 This information may include the type of device, your operating system, your browser (for example, whether you used Internet Explorer, Firefox, Safari, Chrome or another browser), your internet service provider, your domain name, your internet protocol (IP) address, your device identifier (or UDID), the date and time that you accessed our service, the website that referred you to our website, the web pages you requested, the date and time of those requests, and the subject of the ads you click or scroll over. To collect this information, we use cookies, beacons and similar technologies. 

4.3 Images of you collected from CCTV cameras in operation at the TRM mall.

5.       How we use your personal data.

5.1 We process your personal data for one of the lawful bases of processing (“Lawful Basis”) depending on the specific purpose or purposes for which we are using your data (see table below).

| Purposes | Lawful Basis |
| --- | --- |
| To provide our products and services. We may use your personal information and financial information to: make our products and services available to you; onboard you as a customer, supplier, vendor or as a TRM loyalty customer (if we run a loyalty scheme); provide products and services to you, process your payment and sometimes award you TRM loyalty points; respond to and engage with your inquiries, delivery and service updates or feedback, including contacting you, where necessary. | Performance of our contract with you. |
| To identify you. We may use your personal information, including identification information and contact information, for: identity verification, establishing and administering customer care services; processing payments for our services. | Performance of our contract with you. |
| For marketing. To send you marketing information by various channels including email, SMS, mail or telephone, or push messages if you use our app, including sending notices of new products, special offers and other marketing materials to enhance and support your relationship with TRM. We will use this data in accordance with any preferences you have selected, on the basis of consent (where required). | Consent (You can withdraw your consent at any time.) |
| Marketing research. Sending you surveys or supporting marketing research activities in other ways to help us improve our services and understand our customers better. | Legitimate Interest of TRM as the Data Controller |
| For safety and security. We may use your personal information, including tracking information personal information, to help provide safe and secure shopping and online environments for you to shop in, our employees to work in and for our businesses to be conducted. We use CCTV footage and carry out checks to help us ensure that our customers are genuine, to prevent fraud and to help customers use our in-store and online services safely. Please see our CCTV policy in Part 8. | Legitimate Interest of TRM as the Data Controller |
| For Government and enforcement. We may use your personal information, including financial information personal information, to submit the relevant statutorily required information to various institutions of the Government of Kenya and enforcement authorities, for example, the Kenya Police. | Legal Obligation and Public Interest |

5.2 ‘Vital Interests’ can be used as a lawful basis where we need to share your personal data in emergency circumstances or where it is a matter of life and death.

5.3 We will not use your personal data for any purpose other than the purpose(s) for which it was originally collected, unless we reasonably believe that another purpose is compatible with that or those original purpose(s). If we do use your personal data in this way and you wish us to explain how the new purpose is compatible with the original, please contact us.

5.4 If we need to use your personal data for a purpose that is unrelated to, or incompatible with, the purpose(s) for which it was originally collected, we will inform you and explain the legal basis which allows us to do so or seek your consent.

5.5 In some circumstances, where permitted or required by law, we may disclose your personal data without your knowledge or consent. This will only be done within the bounds of the Data Protection Legislation and your legal rights.

6.       What are your rights under the Data Protection Legislation.

Under the Data Protection Legislation, you have the following rights, which we will always work to respect and uphold:

a. The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions.

b. The right to access the personal data we hold about you.

c. The right to have your personal data corrected if any of your personal data held by us is false, erroneous or misleading.

d. The right to ask us to delete or otherwise dispose of any of your personal data that we hold.

e. The right to restrict (i.e. prevent) the processing of your personal data.

f. The right to object to our use of your personal data for a particular purpose or purposes.

g. The right to withdraw consent. This means that, if we are relying on your consent as the lawful basis for using your personal data, you are free to withdraw that consent at any time.

h. The right to data portability. You have a right to request your personal data, which you have provided to us, in a structured and commonly used format for your own use across different services.

i. Rights relating to automated decision-making and profiling. We do not use your personal data in this way.

For more information about our use of your personal data or exercising your rights as outlined above, please contact us by email as set out in Part 13. Note that the above rights are subject to exceptions and conditions set out under the Data Protection Legislation, and your positive identification as an individual for whom we process personal data.

It is important that your personal data is kept accurate and up to date. If any of the personal data we hold about you changes, please keep us informed as long as we have that data.

If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Office of the Data Protection Commissioner. We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first.

7.       What sensitive personal data do we collect and how?

7.1 We may collect any ‘sensitive’ personal data like data relating to your race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of your children, parents, spouse or spouses, sex or the sexual orientation. We will only collect sensitive data about you if we have your explicit consent, or if authorised under the Data Protection Legislation.

8.       Closed Circuit Television (C.C.T.V)

8.1 We use a C.C.T.V. system to capture an overview of the TRM mall and for purposes of security of the TRM mall.

8.2 Why do we collect C.C.T.V. data?

• keeping our staff, visitors and property safe and secure;

• ensuring compliance with health and safety procedures;

• detecting and preventing crime; and

• assisting law enforcement agencies in the apprehension, investigation and prosecution of offenders.

8.3 What is the lawful basis allowing us to collect and process C.C.T.V. information?

The lawful basis for processing personal data collected by the system is our legitimate interest as set out in Section 30(1)(b)(vii) of The Data Protection Act, 2019.

8.4 How long do we keep C.C.T.V. information for?

The C.C.T.V. data is retained for 2 months, except where an incident has been reported in which case it will be stored for a reasonable period for purposes of evaluating and concluding any incident and then deleted.

8.5 We may share C.C.T.V. data in limited circumstances as follows:

a. For detection, prevention, or resolution of crime at the TRM Mall;

b. Where required to share under any statute or a court order of competent authority; and

c. With authorised third parties.

9.       Children’s Privacy

1. If any of our products or services are targeted directly at children, we will provide you with additional information about how their data will be used in the context of that service;
2. If the user’s age has been provided, it is used to ensure that TRM services and products inappropriate for those under 18 are not promoted to any user aged under 18; and
3. We will not process children’s personal data, but in the event we require children’s personal data, we will ensure that we obtain explicit consent from the parent or guardian of the child.

10.   Do we share your personal data?

All data sharing will be undertaken in line with the Data Protection Legislation.

10.1 Transfer of your personal data outside of the Republic of Kenya.

1. Subject to one or more appropriate safeguards set out in the Data Protection Legislation, we may from time to time transfer your personal data to our suppliers and service providers based outside of the Republic of Kenya for the purposes described in this Privacy Notice.
2. When transferring your personal data, we will ensure that it is protected in the same way as if it was being processed in the Republic of Kenya.
3. We will ensure that the recipient country of your personal data has equivalent data protection laws in place, and we will put in place a written contract with the recipient that means they must protect it to the same standards as the Republic of Kenya.

10.2 Within TRM Mall

For administrative and operational purposes, we share data internally across our departments in TRM as the departments need to access data. The sharing across our departments is reasonable, is in line with Data Protection Legislation, and respects your rights.

We may hold your personal data record for you in our service stores so as to provide and fulfil our obligations to you and have the most up-to-date contact details for you across services to support your right to accurate data.

10.3 Outside TRM mall.

Several organisations assist us in delivering our products and services to you, and we will share your information with these organisations. We will provide them reasonable access to your personal data for purposes of facilitating our service to you.

We are responsible for your personal data and ensure that appropriate safeguards are in place.

Where obliged by law, we will share some personal data with Government, law and enforcement agencies. Where possible, we make this anonymous and only share statistics.

Where your consent is needed to transfer the data, we will make this clear to you in simple and clear language so you may make an informed decision.

We will never share your information if it’s not legal to do so, and will always consider your rights, and whether there is another way of achieving our aim, before doing so.

11.   We keep your personal data safe.

We use a high level of protection, both organisational and technical measures, to ensure we process our customers’ data safely. Some of the measures are:

• Servers that meet the highest standards for security using firewalls, secure content delivery, network mechanisms and secure architecture.
• Access to data via secure log-in, which is restricted by our IT teams.
• Buildings and areas that have access only through staff passes, and secure files stored in areas that are further restricted by passes and keys.
• Systems are only available through strictly controlled security processes. We ensure that only the right people have access to systems.
• Encryption of passwords using industry-accepted hashing algorithms (such as SHA 256, PBKDF2).

12.   How long do we keep your personal data?

We will normally retain your personal data for a period of up to 7 years from the later of:

12.1 when you unsubscribe from receiving marketing from us (if later); or

12.2 when you have concluded your contract with us; or

12.3 when you have last contacted us about your personal data.

The above applies unless we are legally required to retain the information for longer. However, we may delete your data sooner if we have no purpose to retain it.

We will retain your details if you have unsubscribed from marketing to ensure that we respect your withdrawal of consent on an ongoing basis.

13.   How we use cookies

We use cookies to store and collect information about your use of our website. More information is on our Cookie Policy, which may be accessed from webpage www.trm.co.ke

14.   How to Contact us

If you wish to contact us in respect of any part of this Privacy Notice or have any questions or would like further information regarding our handling of your personal data, please contact us by email:

Designation: Data Protection Officer

Physical Address: TRM Management Office, Thika Road Mall

Postal Address: 1400-00606

Email address: dataprotection@trm.co.ke

15.   Amendments to this Privacy Notice

We may change, modify or adopt a new Privacy Notice from time to time.

If we do so, we will post it on our website and at the TRM Mall. It’s your responsibility to check the Privacy Notice every time you submit your personal data to us. This version was last updated in January 2024.