Last updated: 24/08/2025
This guide explains how your organisation must obtain explicit, written consent from each employee before using Sawa Done to send task notifications via WhatsApp, Telegram, or Viber.
Following these steps will help ensure compliance with GDPR, the Kenya Data Protection Act 2019, the Uganda Data Protection and Privacy Act 2019, the Tanzania Personal Data Protection Act 2022, the Rwanda Law 058/2021, and other applicable frameworks.
Step-by-Step Process for Employee Consent
- Nominate an owner
  Appoint a responsible person (e.g., HR or Compliance) to manage consent collection, maintain the consent register, and handle opt-out requests.
- Confirm lawful basis and non-detriment
  Use consent as the lawful basis for messaging. Provide an alternative non-messaging workflow (e.g., email or app notifications) so declining or withdrawing consent has no negative impact.
- Prepare documents and links
  Include the following in the consent request: your company privacy notice and messaging policy; Sawa Done Terms of Service and Privacy Policy; scope of use (purpose, channels, frequency, hours); opt-out instructions (“Reply STOP” or use “Stop Notifications” in the app); contact details for HR/Privacy.
- Define scope clearly
  State that messages are limited to task notifications, reminders, confirmations, and essential service announcements. List which channels will be used (WhatsApp / Telegram / Viber), typical frequency, permitted hours/time-zone, and who is allowed to send messages.
- Issue the written information notice
  Provide employees with a written notice (email or HR portal) covering: what data will be used (name, work phone/messaging ID, task status); why it is used (task coordination); lawful basis (consent, voluntary); opt-out process and non-detriment assurance; links to documents and HR/Privacy contact.
- Capture explicit written consent per channel
  Acceptable methods: e-signature on a consent form naming each channel; employee email reply explicitly stating “I consent … via [WhatsApp/Telegram/Viber]”; in-app checkbox with timestamp and channel selection. Unacceptable: implied consent, silence, pre-ticked boxes, or blanket approvals without channels and purposes.
- Maintain a consent register
  For each employee, record: full name, employee ID, and messaging ID; channels consented; exact consent wording; method (e-sig/email/in-app); date/time with time-zone; collector details; version of notices provided (URLs or file references); and any later opt-out date/time. Store securely with restricted access.
- Configure safeguards
  All message templates must include an opt-out footer (“Reply STOP to opt out”). Enforce sending windows (working hours) and keep messages strictly work-related.
- Honour opt-outs immediately
  Disable the relevant channel within 24 hours of an opt-out and log the event. Provide an alternative workflow.
- Re-consent and review cycle
  Re-obtain consent if purposes, channels, or frequency change. Reconfirm at least every 24 months.
- Train managers
  Ensure managers only use the system for permitted work-related communication. No harassment, after-hours messaging (unless pre-agreed), or performance scoring from chat logs.
- Handle data-rights requests
  Provide employees with a contact point for access, rectification, deletion, restriction, and objection requests. Track and resolve within statutory deadlines.
Consent Wording Example
“I consent to receive work-related task notifications, reminders and confirmations from [Company Name] via [WhatsApp/Telegram/Viber]. I understand I can withdraw consent at any time without detriment by replying STOP or using ‘Stop Notifications’ in Sawa Done.”
Compliance Matrix
| Compliance state | Required actions to reach or maintain compliance |
|---|---|
| No mention of employee monitoring or messaging in employment contract or policies | Draft and publish a “Messaging for Work” policy and update the Employee Handbook. Issue a contractual addendum or policy acknowledgement covering purpose, channels, frequency, hours, opt‑out, and non‑detriment. Run the written notice and explicit consent process (per channel). Provide alternative non‑messaging workflows and create the consent register. Train managers. |
| Vague mentions but not specific | Issue a clear policy addendum defining purposes, channels (WhatsApp/Telegram/Viber), frequency, hours, data used, opt‑out, and contact. Re‑notify employees with the detailed notice and collect explicit per‑channel consent (replacing vague approvals). Update the consent register. Configure templates with opt‑out footer and time restrictions. |
| Clearly defined in contracts and/or policies, read and understood by employees | Verify explicit, per‑channel written consent exists (e‑sig/email/in‑app) and is logged. Confirm opt‑out footer, sending windows, and alternative workflows are active. Conduct quarterly audits, refresh consent on material change or at least every 24 months, and maintain manager training and audit records. |