SemaLink
Log InStart Free
Legal

GDPR & ODPC Compliance

Effective date: 1 April 2025 · Last updated: 1 April 2025

1. Scope & Applicability

This page describes how Sema Link approaches compliance with:

  • Kenya Data Protection Act, 2019 (KDPA) and regulations administered by the Office of the Data Protection Commissioner (ODPC).
  • Tanzania Personal Data Protection Act, 2022 (PDPA).
  • Uganda Data Protection and Privacy Act, 2019 (DPPA).
  • EU General Data Protection Regulation 2016/679 (GDPR) — applicable when we process personal data of individuals in the European Economic Area.

Where these frameworks overlap, we apply the stricter standard. Where they differ, we apply the relevant law based on the data subject's jurisdiction.

2. Data Controller vs Processor

The relationship between Sema Link and our customers depends on context:

Sema Link as Data Controller

When we process personal data of our registered users (account details, billing records, usage analytics), Sema Link acts as a data controller. We determine the purposes and means of that processing as described in our Privacy Policy.

Sema Link as Data Processor

When our customers use the API to send messages to their end-users (recipients), the customer is the data controller and Sema Link acts as a data processor, processing recipient MSISDNs and message content on behalf of and under the instructions of the customer.

Customers remain responsible for ensuring they have a valid lawful basis (typically consent) to send messages to their recipients, in compliance with applicable data protection law.

3. Lawful Basis for Processing

For our own processing of customer data, Sema Link relies on the following lawful bases:

  • Contract performance — processing necessary to provide the Services you have contracted for (KDPA s.30(a), GDPR Art.6(1)(b)).
  • Legal obligation — processing required to comply with telecommunications regulations, tax law, and anti-money laundering requirements (KDPA s.30(c), GDPR Art.6(1)(c)).
  • Legitimate interests — fraud prevention, platform security, and aggregated analytics (KDPA s.30(f), GDPR Art.6(1)(f)), subject to appropriate balancing tests.
  • Consent — marketing communications and non-essential cookies (KDPA s.30(a), GDPR Art.6(1)(a)), where required.

4. Cross-Border Data Transfers

Sema Link's primary infrastructure is hosted within the African continent. In limited cases, data may be processed by sub-processors whose infrastructure spans multiple regions.

Where personal data is transferred outside Kenya, Tanzania, or Uganda, we ensure adequate safeguards are in place as required by the KDPA (Third Schedule), Tanzania PDPA, and Uganda DPPA. For transfers to non-EEA countries under GDPR, we use Standard Contractual Clauses (SCCs) approved by the European Commission.

A list of our sub-processors and their processing locations is available upon request at privacy@semalink.africa.

5. Data Processing Agreement

Customers who process personal data of EU/EEA data subjects through Sema Link, or who are subject to the KDPA as data controllers, may require a Data Processing Agreement (DPA) between their organisation and Sema Link.

To request a DPA, email legal@semalink.africa with your company name and registered country. We will review and return a signed DPA within 10 business days.

Our DPA incorporates the GDPR Standard Contractual Clauses (2021) for processor-to-processor and controller-to-processor transfers, and addresses obligations under the KDPA, Tanzania PDPA, and Uganda DPPA where applicable.

6. Data Subject Rights

Under the applicable frameworks, individuals have the following rights regarding their personal data:

  • Right of access — to receive a copy of personal data we hold about them.
  • Right to rectification — to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — subject to legal retention obligations.
  • Right to restriction — to limit how we process their data in certain circumstances.
  • Right to data portability — to receive data in a structured, machine-readable format.
  • Right to object — to processing based on legitimate interests.
  • Rights related to automated decision-making — not to be subject to solely automated decisions with significant effects.

To submit a data subject access request (DSAR), email privacy@semalink.africa with the subject "DSAR" and provide sufficient information to verify your identity. We respond within 30 days (extendable by a further 60 days for complex requests, with notice).

If you believe we have processed your data unlawfully, you have the right to lodge a complaint with:

  • Kenya: Office of the Data Protection Commissioner (ODPC) — odpc.go.ke
  • Tanzania: Personal Data Protection Commission
  • Uganda: Personal Data Protection Office (PDPO)
  • EU/EEA: Your national supervisory authority

7. Breach Notification

In the event of a personal data breach, Sema Link will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in a risk to data subjects' rights and freedoms.
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
  • Notify affected customers (as data controllers) within 24 hours of a confirmed breach affecting their data, so they can fulfil their own notification obligations.

If you discover or suspect a breach involving Sema Link systems, please contact security@semalink.africa immediately.

8. Data Protection Officer

Sema Link has designated a Data Protection Officer (DPO) responsible for overseeing compliance with data protection law. The DPO can be contacted at:

Data Protection Officer
Sema Link Limited
Email: dpo@semalink.africa

9. Contact

For all data protection and compliance enquiries:

Sema Link Limited
Email: privacy@semalink.africa
Nairobi, Kenya