Privacy Statement
1. Who are we?
Mwongozo Mpya Party ("MMP", "The Party", "We", "Us" or "Our") is a Kenyan-based Political Party registered with the Office of Registrar of Political Parties and acts as a data controller in respect of personal data processed in the course of our activities and in accordance with the Data Protection Act, 2019.
MMP is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you in each way you may interact with us.
This notice does not form part of any contract with you, and we may update this notice at any time. If you have any questions about any aspect of any of the privacy notice you can contact us by emailing us at Data@mmpkenya.co.ke
2. Categories of Personal Data We Collect
We collect personal data depending on your interaction with the Party.
a) Membership Registration Data
When you apply to become a member, we collect information pertaining to your:
- Full name
- Email address
- Phone number
- National ID / Passport number
- Date of birth
- Gender
- Religion (optional)
- Voter registration status
- Postal address (optional)
- County, Constituency, Ward and Polling Station of Voter Registration
- Disability status
- Ethnicity
b) General Enquiries ("Contact/Send us a Message")
When you contact us, we collect your:
- Name
- Email address
- Phone number
c) Donations and Fundraising
Where you choose to make a donation, the following parameters are applied:
Anonymous donations
No personal data is collected
Identified donations:
- Name
- Email address
- Phone number
Additional information may be required where necessary to comply with legal and regulatory obligations relating to campaign finance and financial reporting.
d) Other data we may collect
Depending on engagement, we may also collect:
- Membership and participation records
- Volunteer and attendance records
- Communication preferences
- Website usage data (including IP address and cookies)
- Survey responses and feedback
- Images and video recordings captured during events
3. Purpose of Processing
We process personal data for the following purposes:
a) Membership Administration
- Registering and verifying members
- Maintaining membership records and registers
- Facilitating participation in party activities
- Submitting required information to regulatory authorities
b) Political Engagement and Campaign Activities
- Communicating with members, supporters, and voters
- Conducting campaigns, outreach, and canvassing
- Carrying out surveys, opinion polling, and engagement initiatives
- Analysing voter demographics and trends
c) Digital Engagement
- Managing website registrations, petitions, and surveys
- Providing updates, newsletters, and campaign information
- Conducting digital outreach and engagement activities
d) Event and Volunteer Management
- Registering and managing event attendance
- Coordinating volunteers and participation
- Collecting feedback and engagement insights
- Capturing photos and videos during events
e) Fundraising and Financial Compliance
- Processing donations and receipt issuance
- Verifying donor eligibility where required
- Maintaining financial and audit records
f) Internal Governance and Administration
- Managing party officials and candidates
- Conducting internal party elections
- Maintaining governance and disciplinary records
g) Security and Risk Management
- Maintaining visitor logs
- Operating CCTV systems
- Recording and managing incidents
h) Legal and Regulatory Compliance
- Complying with applicable laws and regulations
- Responding to data subject rights requests
- Managing audits and reporting obligations
- Investigating and reporting data breaches
4. Sensitive Personal Data
Certain categories of personal data are classified as Sensitive Personal Data under the Data Protection Act, 2019 and are subject to enhanced protection.
In the course of our activities, we may process the following categories of sensitive personal data:
- Political opinions and affiliations (e.g. through membership, surveys, or engagement activities)
- Ethnicity
- Religious beliefs (where voluntarily provided)
- Disability status
We process such data only where it is necessary and lawful, and in particular where:
- You have provided explicit consent, including but not limited to; during membership registration, survey administration, or political engagement.
- Processing is necessary to facilitate your participation in political activities, including but not limited to, membership administration, internal democratic processes, and voter engagement.
- Required or permitted by applicable law, including but not limited to; obligations under electoral and political party legislation.
Given the nature of our role as a political party, certain processing of sensitive personal data, particularly relating to political opinions and participation, is necessary for the conduct of our legitimate political activities.
We ensure that such processing is:
- Limited to what is relevant and necessary for the specific purpose
- Subject to appropriate safeguards, including restricted access and confidentiality controls
- Carried out in a manner that respects your rights and freedoms
Where sensitive personal data is optional (e.g. religion, ethnicity, disability status), you are not required to provide it, and your decision will not affect your ability to engage with the Party.
5. Legal Basis for Processing
We process personal data only where there is a valid lawful basis under the Data Protection Act, 2019. The lawful basis relied upon depends on the specific nature and purpose of the processing activity, as outlined below.
a) Consent
We rely on consent as the primary lawful basis where you voluntarily provide your personal data, including:
- Membership registration
- Campaign engagement and outreach (including SMS and email communication)
- Surveys, opinion polling, and political engagement activities
- Website interactions, including contact forms, petitions, and newsletter sign-ups
- Volunteer registration and participation
Consent is obtained in accordance with applicable legal requirements and can be withdrawn at any time. Where consent is withdrawn, we will cease processing unless another lawful basis applies.
b) Legal Obligation
We process personal data where necessary to comply with statutory and regulatory obligations, including obligations under electoral and political party laws. This includes:
- Maintaining a verified membership register
- Submitting membership data to the Registrar of Political Parties
- Verifying member and donor eligibility where required by law
- Maintaining financial and donation records for compliance and audit purposes
- Responding to lawful requests from regulatory or oversight bodies
Where we rely on this lawful basis, the processing is strictly limited to what is required to meet the relevant legal obligation.
c) Legitimate Interests
We process personal data where it is necessary for our legitimate interests, provided that such interests are not overridden by your rights and freedoms. This includes:
- Internal administration and governance of the Party
- Campaign planning, strategy, and political analytics
- Communication with members, supporters, and stakeholders
- Management of events, volunteers, and participation
- Security, including CCTV monitoring, visitor logs, and incident management
- Maintenance of internal databases and systems
Where we rely on legitimate interests, we ensure that:
- The processing is necessary and proportionate
- A balancing assessment is undertaken
- The processing does not result in undue harm or prejudice to individuals
You have the right to object to processing carried out on this basis.
d) Contractual Obligation/Necessity
We may process personal data where it is necessary to take steps at your request or to facilitate your participation in Party activities. This may include:
- Processing membership details to facilitate your enrolment and participation as a member
- Issuing membership credentials and maintaining active membership status
- Coordinating participation in Party activities, programmes, or volunteer engagements
This lawful basis applies only where the processing is objectively necessary to fulfil your request to engage with the Party in a structured manner. Where appropriate, such processing may also rely on consent, particularly where participation is voluntary and not strictly dependent on the processing activity.
e) Compliance and Accountability
In line with regulatory requirements, we:
- Identify and document the lawful basis for each processing activity.
- Ensure that personal data is not processed for purposes incompatible with the original purpose of collection.
- Maintain records to demonstrate compliance with applicable data protection laws.
6. Data Sharing and Recipients
We may share personal data with:
- The Registrar of Political Parties and other regulatory authorities
- Electoral and oversight bodies
- Service providers, consultants, and campaign partners
- Auditors and professional advisors
- Technology and digital platform providers
All third parties are required to process personal data in accordance with applicable law, data sharing agreements and other appropriate safeguards.
7. Cross-Border Transfers
Where personal data is transferred outside Kenya (e.g. through digital platforms or service providers), we ensure that:
- Adequate safeguards are in place; and
- Transfers comply with applicable legal requirements.
8. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including:
- To fulfil the purposes outlined in this Notice
- To comply with applicable legal and regulatory obligations
- For governance, audit, and accountability requirements
- For the resolution of disputes and enforcement of legal rights
Where personal data is no longer required for these purposes, it is securely deleted or anonymized in accordance with applicable retention and disposal standards.
9. Data Subject Rights
Individuals have the following rights under the Data Protection Act, 2019:
- Right to be informed
- Right of access
- Right of rectification
- Right to erasure
- Right to object to processing
- Right to data portability
Requests may be submitted using the contact details provided above.
10. Security Measures
We implement appropriate technical and organisational measures to safeguard personal data against unauthorised access, loss, misuse, or disclosure. These measures include:
- Access controls and role-based permissions to ensure that personal data is only accessible to authorised individuals.
- Secure storage systems and data backup mechanisms to protect data integrity and availability.
- Confidentiality obligations and sensitization for staff, volunteers, and third-party service providers.
- Data minimisation practices to ensure that only necessary data is collected and processed.
- Anonymisation of data, where personal data is no longer required in identifiable form, to prevent re-identification.
- Pseudonymisation techniques, where appropriate, to reduce the direct identifiability of personal data during processing.
We continuously review and update our security measures to respond to evolving risks and ensure compliance with applicable data protection requirements.
11. Incident and Breach Management
In the event of a data breach:
- We investigate and assess the impact
- Notify the Office of the Data Protection Commissioner (ODPC) where required
- Inform affected individuals where there is a risk to their rights and freedoms
12. Contact and Complaints
If you have any concerns regarding the processing of your personal data, you may contact us using the details in Clause 1 above. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner.
13. Updates to this Notice
We may update this Privacy Statement from time to time. Any changes will be communicated through our official communication channels and/or published on our website.