Achievo
Achievo Limited
Sign In
Data Protection

Data Protection Policy

Our commitment to protecting personal data in compliance with the Kenya Data Protection Act, 2019 (KDPA). Protecting privacy and building trust.

Last Updated: January 2026Effective: January 2026KDPA 2019 Compliant

Quick Navigation

IntroductionIntroductionLegal FrameworkLegalData Protection PrinciplesDataLegal Basis for ProcessingLegalData Subject RightsDataData SecurityDataData Breach ManagementDataData Retention & DisposalDataInternational Data TransfersInternationalThird-Party ProcessingThird-PartyEmployee ResponsibilitiesEmployeePolicy Review & UpdatesPolicyContact UsContact

Introduction

Protecting Privacy, Building Trust

Achievo Limited ("we", "our", "us") is committed to protecting the privacy and security of personal data. This Data Protection Policy ("Policy") outlines our approach to data protection and our compliance with the Kenya Data Protection Act, 2019 (KDPA).

We recognize that protecting personal data is fundamental to maintaining trust with our employees, clients, partners, and other stakeholders. This Policy applies to all personal data we process, regardless of the medium in which it is stored.

Legal Framework

Our data protection practices are guided by the following legal framework:

Key Legislation

  • Kenya Data Protection Act, 2019 (KDPA)
  • Kenya Data Protection Regulations, 2021
  • Kenya Data Protection (General) Regulations, 2021
  • General Data Protection Regulation (GDPR) - where applicable

Regulatory Authority

  • The Office of the Data Protection Commissioner (ODPC) is the supervisory authority in Kenya
  • We are registered with the ODPC as a data controller and data processor
  • We cooperate with the ODPC and respond to their inquiries promptly

Data Protection Principles

We adhere to the following data protection principles as outlined in the Kenya Data Protection Act, 2019:

Lawfulness, Fairness & Transparency

  • We process personal data lawfully, fairly, and in a transparent manner
  • We provide clear information about how we use personal data
  • We obtain consent where required and respect individual choices

Purpose Limitation

  • We collect personal data for specified, explicit, and legitimate purposes
  • We do not process personal data in a way that is incompatible with those purposes
  • We document our processing purposes and activities

Data Minimization

  • We collect only the personal data that is adequate, relevant, and limited to what is necessary
  • We do not collect excessive or unnecessary personal data
  • We regularly review data collection practices

Accuracy

  • We ensure personal data is accurate and kept up to date
  • We take reasonable steps to correct or delete inaccurate data
  • We provide mechanisms for individuals to update their information

Storage Limitation

  • We keep personal data only for as long as necessary for the purposes for which it was collected
  • We have established retention schedules and disposal procedures
  • We securely delete or anonymize data when it is no longer needed

Integrity & Confidentiality

  • We process personal data in a manner that ensures appropriate security
  • We protect personal data against unauthorized or unlawful processing
  • We protect personal data against accidental loss, destruction, or damage

Accountability

  • We are responsible for and able to demonstrate compliance with these principles
  • We maintain records of our processing activities
  • We conduct regular audits and reviews of our data protection practices

Legal Basis for Processing

We process personal data only when we have a valid legal basis. The legal bases we rely on include:

Consent

  • You have given clear consent for us to process your personal data for specific purposes
  • Consent can be withdrawn at any time
  • We document and manage consent appropriately

Contract

  • The processing is necessary for a contract we have with you
  • The processing is necessary because you have asked us to take specific steps before entering into a contract
  • We process data to fulfill our contractual obligations

Legal Obligation

  • The processing is necessary for us to comply with a legal obligation under Kenyan law
  • We process data to meet regulatory requirements
  • We maintain records for legal and compliance purposes

Legitimate Interests

  • The processing is necessary for our legitimate interests or those of a third party
  • We ensure that your fundamental rights are not overridden
  • We conduct balancing assessments where required

Data Subject Rights

Under the Kenya Data Protection Act, 2019, data subjects have the following rights. We are committed to facilitating the exercise of these rights:

Right to Access

  • You have the right to request access to the personal data we hold about you
  • We will provide a copy of your data within 30 days of your request
  • We may charge a reasonable fee for additional copies

Right to Rectification

  • You have the right to request correction of inaccurate or incomplete personal data
  • We will correct the data and inform you of the correction
  • We will inform third parties of the correction where appropriate

Right to Erasure (Right to be Forgotten)

  • You have the right to request deletion of your personal data
  • We will delete the data unless we have a legal obligation to retain it
  • We will inform third parties of the deletion where appropriate

Right to Restriction of Processing

  • You have the right to request restriction of processing in certain circumstances
  • We will limit processing while the restriction is in place
  • We will inform you when the restriction is lifted

Right to Object to Processing

  • You have the right to object to processing based on legitimate interests
  • You have the right to object to direct marketing
  • We will stop processing unless we have compelling legitimate grounds

Right to Data Portability

  • You have the right to request transfer of your data to another service provider
  • We will provide data in a structured, commonly used, and machine-readable format
  • We will transfer data directly to another controller where technically feasible

Right to Withdraw Consent

  • You have the right to withdraw your consent at any time where processing is based on consent
  • Withdrawal will not affect the lawfulness of processing based on consent before its withdrawal
  • We will stop processing once consent is withdrawn

Right to Lodge a Complaint

  • You have the right to lodge a complaint with the Office of the Data Protection Commissioner
  • You have the right to seek judicial remedy
  • We will assist you in exercising this right

Data Security

We implement appropriate technical and organizational measures to ensure the security of personal data. Our security measures include:

Technical Measures

  • Encryption of data in transit and at rest
  • Secure data centers with access controls
  • Regular security assessments and penetration testing
  • Multi-factor authentication for system access
  • Firewall and intrusion detection systems
  • Antivirus and malware protection

Organizational Measures

  • Data protection policies and procedures
  • Employee training on data protection
  • Access controls based on need-to-know principle
  • Incident response and breach notification procedures
  • Regular audits and reviews
  • Vendor and third-party security assessments

Data Breach Management

We have established procedures to detect, report, and investigate personal data breaches. In the event of a breach:

Breach Response

  • We will contain and assess the breach immediately
  • We will notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of the breach where required
  • We will notify affected data subjects where there is a high risk to their rights and freedoms
  • We will investigate the breach and implement corrective measures
  • We will document all breaches and actions taken

Data Retention & Disposal

We retain personal data only for as long as necessary for the purposes for which it was collected. Our retention policies are based on:

Retention Criteria

  • The amount, nature, and sensitivity of the personal data
  • The potential risk of harm from unauthorized use or disclosure
  • The purposes for which we process your personal data
  • Legal, regulatory, and contractual obligations
  • Statistical and research purposes where applicable

Disposal

  • We securely dispose of personal data when it is no longer needed
  • We use secure deletion methods for digital data
  • We use shredding or incineration for physical documents
  • We maintain records of disposal activities

International Data Transfers

We may transfer personal data to countries outside Kenya. When we do, we ensure appropriate safeguards are in place:

Transfer Safeguards

  • Standard contractual clauses approved by the Office of the Data Protection Commissioner
  • Processing only in countries with adequate levels of data protection
  • Ensuring compliance with KDPA requirements for international data transfers
  • Conducting transfer impact assessments where required
  • Documenting all international transfers

Third-Party Processing

When we engage third-party processors, we ensure they provide sufficient guarantees to implement appropriate technical and organizational measures:

Processor Requirements

  • We conduct due diligence on all third-party processors
  • We have written contracts with all processors
  • Contracts include data protection obligations and security requirements
  • We monitor processor compliance and conduct regular reviews
  • We are responsible for the actions of our processors

Employee Responsibilities

All employees are responsible for protecting personal data in accordance with this Policy. Responsibilities include:

Employee Duties

  • Completing mandatory data protection training
  • Following data protection policies and procedures
  • Reporting any suspected data breaches immediately
  • Ensuring data is processed lawfully and securely
  • Protecting personal data from unauthorized access or disclosure
  • Seeking guidance from the Data Protection Officer when unsure

Policy Review & Updates

This Policy will be reviewed regularly and updated to reflect changes in legislation, best practices, and organizational needs.

Review Process

  • This Policy will be reviewed at least annually
  • Feedback from stakeholders will be considered
  • Changes will be communicated to all employees and stakeholders
  • The latest version will always be available on our website
  • We will notify data subjects of significant changes

Contact Us

If you have any questions, concerns, or wish to exercise your data subject rights, please contact us:

Email

privacy@achievo.co.ke

Phone

+254 705 982 897

Address

Bellways Business Park No.18, Syokimau, Kenya

Data Protection Officer

The Data Protection Officer is responsible for overseeing this Policy and ensuring compliance with the Kenya Data Protection Act, 2019. They can be contacted at privacy@achievo.co.ke.

This Data Protection Policy reflects our commitment to protecting personal data and respecting privacy. It is compliant with the Kenya Data Protection Act, 2019 (KDPA) and aligns with international best practices, including the General Data Protection Regulation (GDPR). We are committed to upholding the highest standards of data protection.

© 2026 Achievo LimitedAll Rights ReservedPrivacy PolicyTerms of ServiceCookie Policy
Back to Top

Company

  • About Us
  • Leadership
  • Careers
  • News

Services

  • Loss Prevention
  • Payroll Management
  • HR Solutions
  • Training

Resources

  • Downloads
  • Case Studies
  • FAQs
  • Partners

Contact

  • Bellways Business Park No.18
  • Syokimau, Kenya
  • +254 705 982 897
  • info@achievo.co.ke

© 2026 Achievo Limited. All rights reserved.

Privacy PolicyTerms of ServiceCookie Policy