Legal Notice and Privacy Policy Kenya

1. Introduction

SEIDOR Kenya recognizes that handling personal data appropriately is vital and we have implemented the appropriate data systems, privacy, and security measures to ensure that rights of data subjects through its processing and handling of data complies with law.

This Data Protection Policy is based the tenets and principles on data protection. SEIDOR Kenya recognizes data protection as critical in achieving subject matter trust and compliance. This policy is created to align and adopt the tenets of Kenyan and other international laws and regulations including:

  • The Constitution of Kenya (2010);
  • The Kenya Data Protection Act, No. 24 of 2019 and Regulation;
  • Kenya Access to Information Act No. 31
  • The EU General Data Protection Regulation (GDPR) 2016/679;
  • African Union Convention on Cyber Security and Personal Data; and
  • The UN Guidelines for the Regulation of Computerized Personal Data Files.

This policy provides guidance on procedures to secure individuals’ personal data, regulate the collection, usage, transfer, and disclosure of the said data. The definition of terms used in this policy have been listed in the glossary.

Policy statement

SEIDOR Kenya has a responsibility to protect confidential, restricted, and personal data from unwarranted disclosure, loss, or damage to avoid detrimental affects our employees and stakeholders from whom we collect data. Handling personal data in an ethical manner is in line with SEIDOR’s values in ensuring the rights of employees and stakeholders are protected.

2. Scope

This Policy applies to all SEIDOR Kenya’s employees, associates, contractors, and Board members

The Policy applies to all personal data that SEIDOR Kenya holds relating to identifiable individuals. We may obtain, hold, and process the personal data of data subjects in order to implement and manage all services and contractual obligations and without which, SEIDOR Kenya might not be able to provide its services to these individuals or to its clients. This data includes;

  • Personal details such as; name, gender, race, family and social circumstances, signatures, contact details, photos and/or videos, passport information or other travel related information, education and training records, employment and financial records.
  • Details of any criminal allegations against a data subject obtained during routine due diligence checks.
  • An assessment of creditworthiness of a person or an estimate of work performance by an employer.
  • Any other personal data SEIDOR Kenya may require in its operations including during recruitment and other HR processes, provision of ICT support, finance and other instances through which personal data is collected.

The Policy applies to data in SEIDOR Kenya’s possession, collected from individuals within or outside the business as part of the following categories;

  • Personal data of employees/applicants: We collect, and processes personal and Special Category data of job applicants and employees as described in the Kenya Data Protection Act (DPA), 2019, and the GDPR. The information is transferred between internal management and departments for operational purposes.


SEIDOR Kenya will adhere to the principles for processing personal data as set out in various Kenyan and international laws and regulations and relate to data subjects and data from other stakeholders. These principles include:

  • Privacy: SEIDOR Kenya recognizes the right of a data subject to have control over how his or her personal data is collected, used, and/or disclosed. SEIDOR Kenya will only process data provided by a data subject willingly and, or with a legal basis as required by the law.
  • Confidentiality: SEIDOR Kenya will take reasonable measures to ensure that data in its possession is kept safe and only accessed by approved and authorized individuals.
  • Integrity: SEIDOR Kenya will update and maintain accurate records and where required, take necessary steps in providing the reliability of data accuracy and consistency of data in its possession.
  • Autonomy: SEIDOR Kenya recognizes and protects the rights of data subjects to make informed decisions about when to have their data collected and for what it may be used for. SEIDOR Kenya will allow for data subjects to exercise these rights.
  • Ethics and corruption: SEIDOR Kenya will process its data in a responsible way and will not intentionally process data in a way that causes harm to data subjects.
  • Compliance: SEIDOR Kenya will process all data that is in its possession lawfully, fairly, and in a transparent manner. SEIDOR Kenya will only collect personal data for specified, explicit, and legitimate purposes.

3. Policy implementation

Data systems

SEIDOR Kenya develops and adheres to system usage to ensure the security of personal data of any form are aligned IT and Human Resources relevant policies and as outlined in the handbook Guidelines and Procedures.

Monitoring and compliance

SEIDOR Kenya enforces that it is the responsibility of all employees and stakeholders to adhere to this policy and maintain accuracy and sensitivity when working with any personal data in their possession. In line with the Kenya DPA 2019, SEIDOR Kenya will appoint a Data Protection Officer (DPO) to coordinate the implementation of this policy across the Company. The DPO will liaise with employees in general, critical or urgent items in all departments to ensure compliance with this and other related policies.

4. Handling of Data

Data privacy and security

SEIDOR Kenya will apply the strictest measures against unauthorized or unlawful access, processing, accidental loss, destruction, or damage to secure all its data and data systems. At SEIDOR Kenya we adopt diversified security measures as outlined in our ICT Policy to protect personal data against unauthorized access and disclosure and will continually review them to ensure they are effective.

How do we protect your information?

  1. Right to object. You may on reasonable grounds object to us using your information. If you object, we will stop using your information, except if the law allows its use.
  2. Lodging a complaint. If you believe we are using your information unlawfully, you may lodge a complaint to the Data Protection Officer:

Maxine Paul
[email protected]

  • Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to our site as safe as possible. We are committed to implement appropriate technical and other security measures to protect the integrity and confidentiality of your information. Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential.
  • Security breach. We will report any security breach to the Information Regulator and to the individuals or companies involved. If you want to report any concerns about our privacy practices or if you suspect any breach regarding your information, kindly notify us by sending an email to [email protected].

Data access, sharing and transfer

SEIDOR Kenya allows its data access and transfer of data on the basis that it should be made available to all authorized users in a timely manner and in a user-friendly format. Any individual or organization using or seeking to access SEIDOR Kenya data will be required to adhere to Data Sharing Procedures and rules and the Company handbook.

Storage limitations

All stored personal data will be done so in line with the various laws and regulations governing the storage of different types of data. SEIDOR Kenya will store all forms of data for a minimum of five years and maximum of seven years. In addition, employee data and other forms of data will be stored for as long as is necessary in line with the provisions of the DPA 2019.

Data and Marketing

SEIDOR Kenya maintains no forms of personal data will be transferred for the purposes if financial gain or benefit. With unambiguous consent or as otherwise allowed by law, personal information for purposes relating to the marketing of our products and services, or those of our partners is employed in adherence to law and related laws.

5. Usage of ‘cookies’?

  • Use of Cookies. When you use our website, we automatically receive and record information on our server logs from your browser which may include your location, Internet Protocol address, cookie information, and the page you requested. This is statistical data about browsing actions and patterns and does not identify any individual. We may also obtain information about your general internet usage through a cookie file which is stored on the hard drive of your computer.
  • Cookies enable us to improve our service to you, compile aggregate data regarding our site traffic and interactive and usage patterns, store information about your preferences and recognise when you return to our website.
  • If cookies are disabled in your browser you can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. Since each browser is a little different, look at your browser’s Help Menu to learn the correct way to modify your cookies.
  • You can set your web browser to refuse cookies, but if you do this some of the features may not function properly, you may not be able to enjoy the full use of our website and you may not be able to take advantage of certain promotions we may run.

6. Third-party disclosure and links

  1. Disclosure. We do not sell, trade, or otherwise transfer to outside parties your personal information.
  2. Links on our website. Our website may include links to other applications or third party websites which do not fall under our control. We cannot accept any responsibility for your privacy or the content of these applications, but we display these links in order to make it easier for our visitors to find information about specific subjects.
  3. Social Media. Our website may connect to various social media sites or applications, including Facebook, Twitter, LinkedIn, Instagram and Google+. If you want to use our website for social media integration, including to create user profiles and login functionality, we will share your information with the relevant social media sites or applications.

7. Roles and responsibilities

All employees and stakeholders have a role to play in ensuring compliance with this Policy. Effective Data protection requires the participation and support of every employee and associate who deals with data and data systems. It is the responsibility of every user to familiarize themselves with this policy and adhere to it. The following have specific roles in relation to the Data Protection Policy:

Directors (Data Protection Officer included)

  • Ensure SEIDOR Kenya keeps pace with evolving data protection trends and practices.
  • Ensure that potential risks are monitored and appropriate prevention efforts are put in place.
  • Increase management’s ability to apply appropriate safeguards to help minimize data breaches and other privacy violations, lawsuits, and potential negative damage to reputation.

Senior Management (Data Protection Officer included)

  • Oversee the implementation of the Policy by developing appropriate programs and guidelines, establishing systems and processes to protect personal data in SEIDOR Kenya’s possession.
  • Ensure that SEIDOR Kenya’s employees and stakeholders are trained and aware on the Policy and compliance procedures.
  • Exercise applicable monitoring to ensure that SEIDOR Kenya adequately assesses data protection risks and implements risk mitigation procedures and processes.
  • Monitor updates and trends in data protection and institute appropriate measures.

Data measurement and team monitoring

  • Where applicable develop or implement databases/software used to safely capture, manage, store data;
  • Ensure compliance with our IT policy in the development of data management, processing, and storage tools and platforms;
  • Liaise with the DPO to ensure the safety of personal data;
  • Oversee SEIDOR Kenya’s data-sharing systems and processes, ensuring compliance with laws and regulations of personal data.

Data protection officer

  • Advise the Company on data processing requirements provided under the DPA 2019 or any other written law.
  • Ensure that the DPA is complied with.
  • Cooperate and seek the guidance of the Data Protection Commissioner on any matters relating to data protection.
  • Record all data breaches and notify the Office of the DPC within 72 hours, where it is established that
  • the breach may result in real harm to affected data subject(s).
  • Conduct a data protection impact assessment as required by the DPA 2019 and related regulations.
  • Perform an independent risk assessment biannually that identifies relevant risks and the adequacy of processes and controls in place to mitigate them.
  • Review and advise on any changes in the law relating to data protection
  • Draft and review contracts with partners and third parties to ensure compliance with the data protection policy.
  • Ensure contracts with associates and partners include Data Protection principles.

IT manager

  • Notify relevant employees in case of a data breach
  • Secure data from loss, unauthorized access, and inconsistencies.
  • Ensure data availability and accessibility.


  • Handle data related to the Group as required by the applicable laws and align with the principles outlined in this policy.
  • Report data incidences, breaches, and malpractice to the DPO within 24 hours of being aware.


Disciplinary measures will be taken against employees and stakeholders who intentionally hamper and corrupt administrative, physical, and technical safeguards that have been put in place to protect personal data of any type. Disciplinary measures will be as outlined in the HR Policies and Procedures manual. Disciplinary action does not exclude legal action by the affected or referred party by SEIDOR Kenya to government authorities in accordance with the law.

Related policies

  • IT Policy.
  • Handbook.
  • Data Sharing Procedures and Guidelines.
  • Human Resource Policies and Procedures Manual.
  • All related Data protection annexures.

Monitoring and review

The Data Protection Officer will monitor the implementation of this policy, regularly considering its suitability, adequacy and effectiveness.

Policy revision

This policy is subject to revision whenever legal, or technological developments are implemented and in addition in accordance with the applicable updates from the regulator. In addition, the Policy will be reviewed at least every year.


  • Consent - means any manifestation of express, unequivocal (unambiguous), free, specific, and informed indication of the data subject’s wishes by a statement or by clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.
  • Data controllers - natural or legal persons, public authorities, agencies, or other bodies which, alone or jointly with others, determine the purpose and means of the processing of personal data. Data controllers have the overall say and control over the reason (the why) and purposes (the how) behind data collection and the means and method of any data processing.
  • Data processors - natural or legal persons, public authority, agency, or other body, which processes personal data on behalf of the data controller.
  • Data protection impact assessment - an assessment of the impact of the envisaged processing operations on the protection of personal data.
  • Data subject - an identifiable natural person who is the subject of personal data.
  • Encryption - the process of converting the content of any readable data using technical means into coded form.
  • Identifiable natural person - a person who can be identified directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more specific factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
  • Personal data - any information relating to an identified or identifiable natural person. e.g., names, contact details, GPS locations, social numbers, etc.
  • Personal data breach - breach of security leading to the accidental or unlawful destruction, loss, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
  • Pseudonymisation - processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.

Such additional information is kept separately and is subject to technical and organizational measures to ensure that personal data is not attributed to an identified or identifiable natural person.