GDPR Compliance Guide
Last updated: November 2025
Although PublicMoodTracker is primarily a Kenyan platform, we may process personal data of individuals located in the European Economic Area (EEA) — including diaspora users and international researchers. This document explains how we meet our GDPR obligations under Regulation (EU) 2016/679.
1. Scope and Applicability
GDPR applies to PublicMoodTracker under the market-place principle (Article 3(2)) when:
- We offer services to individuals located in the EEA (e.g., Kenyan diaspora with EU residency).
- We monitor the behaviour of individuals in the EEA.
Where PublicMoodTracker processes data of EEA residents, we apply GDPR standards as the higher standard, even though our primary legal framework is the Kenya Data Protection Act 2019.
2. Data Controller Identity
| Role | Details |
|---|---|
| Data Controller | PublicMoodTracker, Nairobi, Kenya |
| EU Representative | Not currently designated (under review for 2026) |
| Data Protection Officer | dpo@siasaiq.com |
| GDPR contact point | gdpr@siasaiq.com |
3. Legal Bases for Processing EEA Data (Article 6 GDPR)
| Processing Activity | Article 6 Basis | Notes |
|---|---|---|
| Account creation and management | Art. 6(1)(b) — Contract | Necessary to perform the service |
| Payment processing (M-Pesa) | Art. 6(1)(b) — Contract | Necessary for paid access |
| Transaction receipts and records | Art. 6(1)(c) — Legal obligation | KRA VAT requirements |
| Platform security and fraud prevention | Art. 6(1)(f) — Legitimate interests | LIA on file; not overridden by data subject interests |
| Anonymised usage analytics | Art. 6(1)(f) — Legitimate interests | No personal identifiers retained post-anonymisation |
| Marketing emails and newsletters | Art. 6(1)(a) — Consent | Explicit opt-in; withdrawal mechanism provided |
4. Special Categories of Data (Article 9 GDPR)
PublicMoodTracker does not collect or process special category data (health, biometrics, religion, ethnicity, political opinions about users, sexual orientation). The political sentiment data we produce concerns public figures in their public roles — this is not special category data concerning our users.
5. International Data Transfers (Chapter V GDPR)
Kenya is not currently an EU adequacy decision country. When EEA user data is processed by PublicMoodTracker (a Kenyan entity), we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) as the transfer mechanism.
Sub-processors handling EEA data (e.g., email delivery, cloud hosting) are required to maintain SCCs or operate under an adequacy decision. Our sub-processor register is available on request at gdpr@siasaiq.com.
6. Data Subject Rights Under GDPR (Articles 15–22)
| Right | Article | How to Exercise | Response Time |
|---|---|---|---|
| Right of access | Art. 15 | Email gdpr@siasaiq.com | 30 days |
| Right to rectification | Art. 16 | Email gdpr@siasaiq.com | 30 days |
| Right to erasure ("right to be forgotten") | Art. 17 | Email gdpr@siasaiq.com | 30 days |
| Right to restriction of processing | Art. 18 | Email gdpr@siasaiq.com | 30 days |
| Right to data portability | Art. 20 | Email gdpr@siasaiq.com | 30 days |
| Right to object | Art. 21 | Email gdpr@siasaiq.com | Immediately for marketing; 30 days for other |
| Rights re. automated decision-making | Art. 22 | Email gdpr@siasaiq.com | 30 days |
7. Data Retention for EEA Users
Consistent with Article 5(1)(e) GDPR (storage limitation), PublicMoodTracker applies the same retention periods to EEA users as described in our Privacy Policy (Section 7). Upon verified erasure request, all personal data will be deleted within 30 days, except data we are legally required to retain (e.g., KRA transaction records for 7 years).
8. Data Breach Notification (Articles 33–34 GDPR)
In the event of a personal data breach:
- We will notify the relevant supervisory authority within 72 hours of becoming aware, where feasible.
- We will notify affected EEA data subjects without undue delay if the breach is likely to result in high risk to their rights and freedoms.
- Primary supervisory authority: the data subject's local EU/EEA data protection authority.
- We will notify the ODPC (Kenya) in parallel within 72 hours, as required by KDPA Section 43.
9. Data Protection Impact Assessment (DPIA)
We have conducted a DPIA for our AI-powered sentiment scoring system, as it involves systematic processing of data about public figures and could indirectly affect individuals mentioned in processed content. The DPIA identified the following key mitigations:
- Sentiment scores apply only to public figures in their public roles (not private individuals).
- No personal data of private individuals is stored as part of sentiment analysis.
- A minimum-mention threshold (≥3) prevents single-source bias from creating misleading scores.
- Quarterly bias audits check for systematic regional or demographic skew.
10. Supervisory Authorities
EEA users may lodge a complaint with:
- Their local EU/EEA data protection authority (e.g., ICO in the UK, CNIL in France).
- The ODPC Kenya: P.O. Box 41079–00100, Nairobi | www.odpc.go.ke
Contact our DPO first: dpo@siasaiq.com — most concerns can be resolved within 14 days without a formal complaint.