1.     Objective and Scope of Policy

1.1.   KN Law LLP (the “Firm”), is committed to complying with its responsibilities under the Data Protection Act 2019 (the “DPA”). Thus, it has established this Policy to guide the collection, processing and utilisation of data.

• This Policy will apply to any personal data collected and processed from clients, employees, and any relevant third parties.

2.     Definitions

• For the purpose of this Policy:

1. Consent means any manifestation of freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the data subject.
2. Data Protection Commissioner means the person appointed under the DPA to oversee its implementation and enforcement.
3. Data Controller means a natural or legal person, who either, alone or jointly with others, determines the purpose and means of processing of personal data. KN Law LLP is the data controller under the terms of this Policy.
4. Data Processor means an organisation or individual who processes Personal Data on behalf of the Data Controller
5. Data Subject means the subject of personal data;
6. Personal Data means any information relating to an identified or identifiable natural person. This can include, the names of individuals, email addresses, postal addresses, identity card and passport information as well as telephone numbers.
7. Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

3.     Data Protection Principles

• The Firm shall ensure that the processing of personal data is in line with the principles set out in Section 25 of the DPA by making certain that the data is:

1. processed in accordance with the right to privacy of the data subject;
2. processed lawfully, fairly and in a transparent manner in relation to any data subject;
3. collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
4. adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
5. collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
6. accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
7. kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected; and
8. not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

4.     Rights of Data Subject

• Personal Data will be processed in accordance with the rights of the Data Subject as set out in the DPA.
• The Data Subject has the right to:

1. be informed of the use to which their personal data is to be put;
2. access their personal data in custody of data controller
3. object to the processing of all or part of their personal data;
4. correction of false or misleading data; and
5. deletion of false or misleading data about them.

5.     Lawful Processing

• The Firm will ascertain that lawful processing is carried out by only processing data on the following grounds:

1. to pursue the legitimate interests of the Data Controller except where processing is unwarranted or likely to prejudice the rights of the data subject;
2. to conduct the recruitment and selection processes
3. to comply with legal obligations;
4. to perform a task in the interest of the Public;
5. to guarantee the performance of the contract which the Data Subject is a party; and
6. to protect the vital interests of the Data Subject or another natural person
   • The Personal data shall be processed only for the purposes that were set out to the Data Subject before the data was collected. Subsequent changes to the purposes are only possible to a limited extent and require a legitimate basis.
   • Further processing of the Personal Data for archiving, statistical or historical research purposes shall not be considered to be incompatible with the initial purpose.

6.     Consent

• Where consent is relied on as a lawful basis for processing data, the Firm will ensure that:

1. it was obtained without manipulation, coercion or trickery
2. it is indicated by affirmative action. Consequently, silence, inactivity or pre-ticked boxes will not qualify as consent.
   • Where the request for consent is in the form of a written statement, it shall be communicated to the data subject in a clear, plain and intelligible language.
   • Consent will be renewed if the Firm intends to process Personal Data for a different purpose than was disclosed initially to the Data Subject.
   • The Data Subject has the right to withdraw consent at any time which shall be honoured promptly by the Firm.

7. Transparency
   • The Firm shall take practicable steps to ensure that the Data Subject is aware of who will be processing their personal data, how their data is being utilised and how they can exercise their rights when the need arises.
   • Pursuant to this aim, the Firm shall share this policy with all its employees and shall ensure that the policy is available upon request by individuals.

8. Data Minimisation and Retention
   • The Firm shall only collect and process Personal Data that is adequate, relevant and limited to what is necessary for its purpose.
   • The Firm will store the Personal Data in an identifiable form for as long as it is necessary to meet the purposes of the data.
   • Upon the fulfilment of the specified purpose, the Firm shall take all reasonable steps to erase from its system and restore to the data subject all of the personal data collected. The Firm shall certify in writing to the Data Subject that it has done so, unless the applicable regulations require the Firm to continue processing the personal data.

9.     Accuracy

• The Firm will endeavour to maintain Personal Data that is accurate, complete and up to date by:

1. reviewing the accuracy of the Personal Data at the point of collection and at regular intervals; and
2. taking reasonable steps to amend or delete inaccurate or out of date Personal Data.
3. Confidentiality and Security
   • Access to Personal Data provided shall be limited to authorised personnel to retain confidentiality and integrity of the Data.
   • The authorised personnel shall not use any of the Personal Data for private or commercial purposes.
   • The Firm shall take reasonable steps to establish administrative and technical security measures to safeguard the Personal Data so as to ensure that it is not illegitimately destroyed, modified, processed or distributed.

11.  Reporting of Personal Data Breach

11.1.                Where Personal Data has been accessed or acquired by an unauthorised person while under the custody of the Firm and there exists a risk of harm to the rights and freedoms of the Data Subject, the Firm shall inform the Office of the Data Protection Commissioner, and where necessary, the Data Subject.

12. Accountability
    • The Firm shall be responsible for implementing appropriate and effective technical and organisational measures to ensure compliance with the legal requirements for data protection as well as the data protection principles.

13. Transmission of Data to third parties
    • Personal data shall not be disclosed or processed by a third party except when required by law or the third party has been approved and signed by the Firm to provide a particular service.
    • The authorised third parties shall process the data to the extent requested by the firm and in accordance with data security standards and policies.

14. Record Keeping
    • The Firm shall keep and maintain accurate records reflecting its processing procedures including records of Data Subjects’ Consents, third-party recipients of the Personal Data, personal data transfers and records of personal data breaches.

15.  Review of The Policy

• This Policy shall be reviewed annually or when appropriate to address any deficiencies and to ensure consistency with future developments in legal or regulatory requirements.

16. Relevant Contact Information
    • If you have any questions or concerns about the Data Protection Policy or its implementation, you may contact the Firm’s Data Protection Officer by emailing info@kn.co.ke.