BOTSWANA PRIVACY NOTICE (ADDENDUM TO PRIVACY POLICY)
Last modified: 19 November 2025
This Addendum sets out requirements under the Botswana Data Protection Act, 2024 (“DPA”) that are stricter or more specific than the KFC Master Global Privacy Policy. It applies to all users in Botswana and prevails over any conflicting provisions in the global policy.
1. No Sale of Personal Data
The sale of personal data is strictly prohibited and constitutes an offense under Botswana law (DPA s.84(2)).
Policy Statement:
We do not sell personal data in Botswana. Any language in the global policy referring to the sale or sharing of personal data for commercial purposes does not apply to users in Botswana.
2. Children’s Data and Consent
Parental or guardian consent is required for users under 16 years of age for information society services (DPA s.29; Children’s Act).
Policy Statement:
Our services are not intended for children under 16 in Botswana. We do not knowingly collect personal information from children under 16 unless we have obtained verifiable parental or guardian consent. If we become aware of such collection without consent, we will delete the information promptly.
3. Data Subject Rights
Botswana grants a comprehensive suite of rights (DPA ss.37–49), including access (with transfer safeguard details), rectification, erasure, restriction, portability, objection (including to marketing), automated decision-making (ADM) safeguards, and the right to complain to the Commission.
Policy Statement:
Botswana users have the right to access, rectify, erase, restrict, and port their data; to object to processing (including for marketing); to obtain information about and contest automated decisions; and to complain to the Botswana Information and Data Protection Commission. Requests will be handled without undue delay and generally within one month (with possible extension per s.38).
4. Automated Decision-Making (ADM)
Users have the right to object to ADM, request human intervention, and receive meaningful information about ADM logic and consequences (DPA s.42(h), s.48, s.49(3)).
Policy Statement:
Where we use automated decision-making, including profiling, that produces legal or similarly significant effects, Botswana users have the right to obtain human intervention, express their point of view, and contest the decision. Users may object at any time to the use of their data for direct marketing, including profiling.
5. Cross-Border Data Transfers
Data transfers outside Botswana are only permitted to countries with an adequacy decision or with appropriate safeguards, specifically Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”), and a copy of the data must remain in Botswana for the duration of processing (DPA ss.74–76).
Policy Statement:
Personal data will only be transferred outside Botswana where adequate protection is ensured or appropriate safeguards are in place, including Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”). A copy of the personal data transferred remains in Botswana for the period of processing. Users may request a copy of the relevant safeguards by contacting our Data Protection Officer at dataprivacy@kfcbaobab.com.
6. Joint Controllers
Where roles are joint controllers, there must be a transparent arrangement and a single contact point; users may exercise rights against either controller (DPA s.53(5)).
Policy Statement:
Where Yum! Brands, affiliates, and franchisees act as joint controllers, an arrangement is in place and a single contact point is provided. Botswana users may exercise their rights against either controller.
7. Representative in Botswana
Controllers/processors not established in Botswana but offering services or monitoring behavior must appoint a local representative (DPA s.54).
Policy Statement:
Where required, a representative in Botswana will be designated.
8. CCTV and Sensitive Data
Sensitive/biometric data may only be processed with a lawful basis and safeguards (DPA s.30(2)). Transparency is required for all CCTV use, including signage and information about purposes, retention, and rights (DPA ss.39–41).
Policy Statement:
CCTV is only used where lawful and necessary. We do not use CCTV for biometric identification in Botswana. If introduced, it will only occur with a lawful exception and appropriate safeguards. Clear signage and privacy notices are provided, and users may request access to footage relating to them.
9. Breach Notification
Personal data breaches must be reported to the Commission without undue delay and, where feasible, within 72 hours. Users must be notified if the breach poses a high risk (DPA ss.63–64).
Policy Statement:
In the event of a personal data breach, we will notify the Botswana Information and Data Protection Commission without undue delay and, where feasible, within 72 hours. If the breach is likely to result in a high risk to users’ rights and freedoms, we will also notify affected users directly.
10. Complaint Route
Users must be informed of their right to complain to the Botswana Information and Data Protection Commission (DPA s.80).
Policy Statement:
Botswana users may lodge a complaint with the Botswana Information and Data Protection Commission if they believe their data protection rights have been violated.
Commission Contact: [To insert Commission contact details once available.]
