Data Protection Policy
Introduction
Taifa Mining and Civil Limited (the Company) needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the Company has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled, stored and erased in order to meet the Company’s data protection standards and comply with the legislation.
Policy Statement
This data protection policy ensures the Company:
- Complies with data protection legislation and follows good practice;
- Protects the rights of employees, customers and partners;
- Is transparent in terms of how it stores and processes individuals’ data;
- Protects itself from the risks associated with a data breach;
- Respects individuals’ rights;
- Provides training and support for staff who handle personal data, so that they can act confidently and consistently;
- Notifies the Commission in the event of a suspected breach of data.
Scope
This policy includes in its scope all data which the Company collects, whether in hard copy or digital form, including special categories of data.
This policy applies to all staff, including interns, volunteers, temporary staff, permanent staff and suppliers, service providers and contractors.
Personal data, as referred to herein, means any information relating to a member of staff who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
This can include in particular: Names of individuals, Postal or living addresses, Email addresses, Telephone numbers, Identity card and passport, Date and place of birth, Identification of relatives, Fingerprints, Business reference.
What the Company does
Taifa Mining and Civil Limited, as the registered Company, not only hires staff but also conducts a variety of activities. These include receiving and sharing information with its clients on mining and civil works and other related operations.
In conducting the above-mentioned activities, and other activities with the same objective, the Company will collect data from individuals and entities after conducting a Data Protection Impact Assessment (DPIA) and reviewing its report to determine whether there are any risks of a data breach.
Principles of Data protection
1. Fairness and Lawfulness
Personal data must be collected and processed in a legal and fair manner. When processing personal data, the individual rights of the data subjects must be protected.
Collected data shall be adequate, relevant and not excessive in relation to the purposes for which they are obtained and their further processing. Individual data can be processed upon voluntary consent of the person concerned.
2. Restriction to a specific purpose
Personal data shall be processed only for the purpose that was defined before the data was collected. Personal data shall be obtained for specified, explicit and legitimate purposes, and shall not subsequently be processed in a manner that is incompatible with those purposes. Subsequent changes to the purpose are only possible to a limited extent and require justification.
However, further data processing for statistical, scientific and historical purposes shall be considered compatible with the initial purposes of the data collection, if it is not used to take decisions with respect to the data subjects.
3. Transparency
The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be made aware of, or informed of:
- The purpose of data processing;
- Categories of third parties to whom the data might be transmitted.
Processing of personal data must have received the consent of the data subject or must meet one of the following conditions: compliance with any legal obligation to which the Company is subject; the protection of the data subject’s life; the performance of a public service mission entrusted to the Company.
4. Confidentiality and Data Security
Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organisational and technical measures to prevent unauthorised access, illegal processing or distribution, as well as accidental loss, modification or destruction.
5. Deletion
Personal data shall be retained in a form that allows the identification of the data subjects for a period no longer than is necessary for the purposes for which they are obtained and processed. In individual cases there may be an indication of interests that merit protection, or of historical significance of this data. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.
6. Factual Accuracy and Up-to-datedness of Data
- Personal data on file must be correct, complete, and if necessary, kept up to date.
- Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.
Rights of the data subject
All individuals who are the subject of personal data held by the Company are entitled:
- To request information on which personal data relating to him/her has been stored, how the data was collected, and for what intended purpose.
If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected. If personal data is transmitted to third parties, individuals should be informed of such a possibility. If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
- To request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
- To object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.
Personal data must be safeguarded from unauthorised access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organisational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data (determined by the process for information classification).
The technical and organisational measures for protecting personal data are part of the Company’s Information Technology and Communication management and must be adjusted continuously to technical developments and organisational changes.
Data protection control
Compliance with the Data Protection Policy and the applicable data protection laws is checked regularly with data protection audits and other controls. The performance of these controls is the responsibility of the Company or its appointed representative. The results of the data protection controls performed by the appointed representative must be reported to the Managing Director.
The Company’s Committee must be informed of the primary results as part of the related reporting duties. On request, the results of data protection controls will be made available to the responsible data protection authority. The responsible data protection authority can perform its own controls of compliance with the regulations of this Policy, as permitted under national law.
Reporting
The reporting of suspected or actual violations of this policy is a professional and legal obligation of all staff and partners. Failure to report information can lead to disciplinary action.
The Company encourages its staff and stakeholders to report suspected cases which involve any of the Company’s staff, consultants, board members, guests or staff of the Company’s partner organisations, their board members, staff and/or suppliers.
The Company encourages its staff and stakeholders to report suspected cases through the following means:
- Staff and interns can report by contacting the standard lines of hierarchy (contained in staff Terms of Reference) or the Head of Human Resources.
- Beneficiaries and their representatives can report using the Complaints and Response Mechanism.
- Suppliers and contractors can use the confidential email address transparency ali.mbarouk@taifamining.co.tz.
- Individual donors and sympathisers can refer to the confidential email address transparency ali.mbarouk@taifamining.co.tz.
A Data Protection Officer (DPO) shall be appointed. The job description of the Data Protection Officer is a role specified in this Policy. The role holder will be a member of the senior management team, be accountable to the Company for the management of personal data within the Company and for ensuring that compliance with data protection legislation and good practice can be demonstrated.
A Data Protection Officer, whom the Company considers to be suitably qualified and experienced, has been appointed to take responsibility for the Company’s compliance with this policy on a day-to-day basis and will have direct responsibility for ensuring that the Company complies with the Data Protection Law in respect of data controlling that takes place within their area of responsibility. The key areas of responsibility of the Data Protection Officer are:
- The Data Protection Officer is ultimately responsible for ensuring that Company meets its legal obligations.
- Development and implementation of this policy, and security and risk management in relation to compliance with the policy;
- Keeping the Company updated about data protection responsibilities, risks and issues;
- Reviewing all data protection procedures and related policies, in line with an agreed schedule;
- Arranging data protection training and advice for the people covered by this policy;
- Handling data protection questions from staff and anyone else covered by this policy;
- Dealing with requests from individuals to see the data the Company holds about them (also called ‘Data Subject Access Requests’);
- Checking and approving any contracts or agreements with third parties that may handle the Company’s sensitive data.
Disclosure of Data to Third Parties
The Company will ensure that personal data is not disclosed to unauthorised third parties, which include family members, friends and government bodies. All employees/staff will exercise caution when asked to disclose personal data held on a data subject to a third party. We will consider whether disclosure of the information is relevant to, and necessary for, the conduct of our business. Disclosure will only be to third parties that are authorised to receive it, and with whom we have in place a data protection / confidentiality agreement.
All requests to provide data for one of these reasons must be supported by appropriate paperwork, and all such disclosures must be specifically authorised by the Data Protection Officer.
Disclosing data for other reasons
Data collected may only be disclosed under the following circumstances:
- Where the data subject has consented to such disclosure;
- Where authorised or required by law;
- Where disclosure is directly related to the purpose for which such data was collected;
- Where such disclosure would preserve health or reduce harm to another person or the society; and
- Where disclosure is necessary in compliance with the law.
Retention and disposal of data
The Company shall not retain personal data for a longer period than is provided in the Law, in relation to the purpose(s) for which the data was originally collected, except where it is required to be retained to meet other legislative or regulatory obligations.
The Company may also store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.
Staff awareness
Staff awareness training is mandatory for anyone who handles personal data or who is responsible for overseeing data protection practices.
The Company will also ensure that training is relevant to the work that employees do. For example, those responsible for processing personal data should be taught about their responsibilities and the threats that come with that.
Personal data breach
This is a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The Company employs various measures to prevent data breaches. These steps collectively aim to bolster data security, minimize risks, and prepare for potential data breach scenarios.
These measures include:
- Regular Data Backups: Automated systems for regular backups to ensure data security; storing backups in multiple locations, including offsite or secure cloud services; and regular testing of the restoration process to ensure data integrity.
- Robust Firewalls and Antivirus Software: Deploying firewalls and up-to-date antivirus software across all systems; regular updates and patching to address vulnerabilities; and use of intrusion detection and prevention systems to identify and mitigate threats.
- Employee Awareness Training and Education: Regular training sessions on data security best practices; emphasis on recognizing phishing emails, creating strong passwords and avoiding suspicious activities; and reinforcement of adherence to security policies. Regular training helps maintain a secure workplace and mitigate risks from sophisticated cyber-attacks.
- Monitoring and Controlling Access: Centralized authentication and access control lists to restrict access to sensitive data; real-time monitoring of network activity; and implementation of intrusion detection systems.
- Data Backup and Recovery: Automated remote backup systems for data protection, and safeguarding physical data with locked storage.
- Protecting Portable Devices: Ensuring portable devices have strong passwords and anti-theft measures, and restricting access to authorized users only.
- Biometric Access and Restricted Access: Restricting access to sensitive data using biometric systems that block unauthorized persons.
- Proper Management of Ex-Employees: Ensuring proper handling and return of devices and information from former employees.
Data subject consent
Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Violation and sanction
Any failure to comply with the current policy or to deliberately violate the rules set in the policy will result in the launch of an appropriate investigation by the Company.
Depending on the gravity of the suspicion or accusations, the Company may suspend staff, or relations with other stakeholders, during the investigation. This will not be subject to challenge.
Depending on the outcome of the independent investigation, if it comes to light that anyone associated with the Company has deliberately violated the rules set in the policy for personal profit or any other misuse of personal data, or has systematically and deliberately contravened the principles and standards contained in this document, the Company will take immediate disciplinary action and any other action which may be appropriate to the circumstances.
This may mean, for example, for:
- Employees – disciplinary action/ dismissal;
- Trustees, officers and interns – ending the relationship with the organisation;
- Partners – withdrawal of funding/support;
- Contractors and consultants – termination of contract.
Depending on the nature, circumstances and location of the case and violation, the Company will also consider involving authorities such as the police to ensure the protection of personal data and victims.