Data Protection Policy
Our commitment to protecting personal data in compliance with the Kenya Data Protection Act, 2019 (KDPA). Protecting privacy and building trust.
Introduction
Protecting Privacy, Building Trust
Achievo Limited ("we", "our", "us") is committed to protecting the privacy and security of personal data. This Data Protection Policy ("Policy") outlines our approach to data protection and our compliance with the Kenya Data Protection Act, 2019 (KDPA).
We recognize that protecting personal data is fundamental to maintaining trust with our employees, clients, partners, and other stakeholders. This Policy applies to all personal data we process, regardless of the medium in which it is stored.
Legal Framework
Our data protection practices are guided by the following legal framework:
Key Legislation
- Kenya Data Protection Act, 2019 (KDPA)
- Kenya Data Protection Regulations, 2021
- Kenya Data Protection (General) Regulations, 2021
- General Data Protection Regulation (GDPR) - where applicable
Regulatory Authority
- The Office of the Data Protection Commissioner (ODPC) is the supervisory authority in Kenya
- We are registered with the ODPC as a data controller and data processor
- We cooperate with the ODPC and respond to their inquiries promptly
Data Protection Principles
We adhere to the following data protection principles as outlined in the Kenya Data Protection Act, 2019:
Lawfulness, Fairness & Transparency
- We process personal data lawfully, fairly, and in a transparent manner
- We provide clear information about how we use personal data
- We obtain consent where required and respect individual choices
Purpose Limitation
- We collect personal data for specified, explicit, and legitimate purposes
- We do not process personal data in a way that is incompatible with those purposes
- We document our processing purposes and activities
Data Minimization
- We collect only the personal data that is adequate, relevant, and limited to what is necessary
- We do not collect excessive or unnecessary personal data
- We regularly review data collection practices
Accuracy
- We ensure personal data is accurate and kept up to date
- We take reasonable steps to correct or delete inaccurate data
- We provide mechanisms for individuals to update their information
Storage Limitation
- We keep personal data only for as long as necessary for the purposes for which it was collected
- We have established retention schedules and disposal procedures
- We securely delete or anonymize data when it is no longer needed
Integrity & Confidentiality
- We process personal data in a manner that ensures appropriate security
- We protect personal data against unauthorized or unlawful processing
- We protect personal data against accidental loss, destruction, or damage
Accountability
- We are responsible for and able to demonstrate compliance with these principles
- We maintain records of our processing activities
- We conduct regular audits and reviews of our data protection practices
Legal Basis for Processing
We process personal data only when we have a valid legal basis. The legal bases we rely on include:
Consent
- You have given clear consent for us to process your personal data for specific purposes
- Consent can be withdrawn at any time
- We document and manage consent appropriately
Contract
- The processing is necessary for a contract we have with you
- The processing is necessary because you have asked us to take specific steps before entering into a contract
- We process data to fulfill our contractual obligations
Legal Obligation
- The processing is necessary for us to comply with a legal obligation under Kenyan law
- We process data to meet regulatory requirements
- We maintain records for legal and compliance purposes
Legitimate Interests
- The processing is necessary for our legitimate interests or those of a third party
- We ensure that your fundamental rights are not overridden
- We conduct balancing assessments where required
Data Subject Rights
Under the Kenya Data Protection Act, 2019, data subjects have the following rights. We are committed to facilitating the exercise of these rights:
Right to Access
- You have the right to request access to the personal data we hold about you
- We will provide a copy of your data within 30 days of your request
- We may charge a reasonable fee for additional copies
Right to Rectification
- You have the right to request correction of inaccurate or incomplete personal data
- We will correct the data and inform you of the correction
- We will inform third parties of the correction where appropriate
Right to Erasure (Right to be Forgotten)
- You have the right to request deletion of your personal data
- We will delete the data unless we have a legal obligation to retain it
- We will inform third parties of the deletion where appropriate
Right to Restriction of Processing
- You have the right to request restriction of processing in certain circumstances
- We will limit processing while the restriction is in place
- We will inform you when the restriction is lifted
Right to Object to Processing
- You have the right to object to processing based on legitimate interests
- You have the right to object to direct marketing
- We will stop processing unless we have compelling legitimate grounds
Right to Data Portability
- You have the right to request transfer of your data to another service provider
- We will provide data in a structured, commonly used, and machine-readable format
- We will transfer data directly to another controller where technically feasible
Right to Withdraw Consent
- You have the right to withdraw your consent at any time where processing is based on consent
- Withdrawal will not affect the lawfulness of processing based on consent before its withdrawal
- We will stop processing once consent is withdrawn
Right to Lodge a Complaint
- You have the right to lodge a complaint with the Office of the Data Protection Commissioner
- You have the right to seek judicial remedy
- We will assist you in exercising this right
Data Security
We implement appropriate technical and organizational measures to ensure the security of personal data. Our security measures include:
Technical Measures
- Encryption of data in transit and at rest
- Secure data centers with access controls
- Regular security assessments and penetration testing
- Multi-factor authentication for system access
- Firewall and intrusion detection systems
- Antivirus and malware protection
Organizational Measures
- Data protection policies and procedures
- Employee training on data protection
- Access controls based on need-to-know principle
- Incident response and breach notification procedures
- Regular audits and reviews
- Vendor and third-party security assessments
Data Breach Management
We have established procedures to detect, report, and investigate personal data breaches. In the event of a breach:
Breach Response
- We will contain and assess the breach immediately
- We will notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of the breach where required
- We will notify affected data subjects where there is a high risk to their rights and freedoms
- We will investigate the breach and implement corrective measures
- We will document all breaches and actions taken
Data Retention & Disposal
We retain personal data only for as long as necessary for the purposes for which it was collected. Our retention policies are based on:
Retention Criteria
- The amount, nature, and sensitivity of the personal data
- The potential risk of harm from unauthorized use or disclosure
- The purposes for which we process your personal data
- Legal, regulatory, and contractual obligations
- Statistical and research purposes where applicable
Disposal
- We securely dispose of personal data when it is no longer needed
- We use secure deletion methods for digital data
- We use shredding or incineration for physical documents
- We maintain records of disposal activities
International Data Transfers
We may transfer personal data to countries outside Kenya. When we do, we ensure appropriate safeguards are in place:
Transfer Safeguards
- Standard contractual clauses approved by the Office of the Data Protection Commissioner
- Processing only in countries with adequate levels of data protection
- Ensuring compliance with KDPA requirements for international data transfers
- Conducting transfer impact assessments where required
- Documenting all international transfers
Third-Party Processing
When we engage third-party processors, we ensure they provide sufficient guarantees to implement appropriate technical and organizational measures:
Processor Requirements
- We conduct due diligence on all third-party processors
- We have written contracts with all processors
- Contracts include data protection obligations and security requirements
- We monitor processor compliance and conduct regular reviews
- We are responsible for the actions of our processors
Employee Responsibilities
All employees are responsible for protecting personal data in accordance with this Policy. Responsibilities include:
Employee Duties
- Completing mandatory data protection training
- Following data protection policies and procedures
- Reporting any suspected data breaches immediately
- Ensuring data is processed lawfully and securely
- Protecting personal data from unauthorized access or disclosure
- Seeking guidance from the Data Protection Officer when unsure
Policy Review & Updates
This Policy will be reviewed regularly and updated to reflect changes in legislation, best practices, and organizational needs.
Review Process
- This Policy will be reviewed at least annually
- Feedback from stakeholders will be considered
- Changes will be communicated to all employees and stakeholders
- The latest version will always be available on our website
- We will notify data subjects of significant changes
Contact Us
If you have any questions, concerns, or wish to exercise your data subject rights, please contact us:
Phone
+254 705 982 897Address
Bellways Business Park No.18, Syokimau, Kenya
Data Protection Officer
The Data Protection Officer is responsible for overseeing this Policy and ensuring compliance with the Kenya Data Protection Act, 2019. They can be contacted at privacy@achievo.co.ke.