ALN Kenya | Anjarwalla & Khanna LLP (ALN Kenya) is committed to safeguarding the privacy of those we interact with, and we recognize the need to respect and protect personal data that is collected or disclosed to us. For purposes of this Data Protection Policy (Policy), personal data means any information relating to an identified or identifiable natural person. This Policy explains when and why we collect personal data (including sensitive personal data) belonging to the individuals who obtain services from us, how we use it, the conditions under which we may disclose it to others, and how we keep it secure. This Policy also explains the rights of these individuals in relation to their personal data and how they may exercise them.

We are committed to processing your personal data in accordance with our responsibilities under Kenya’s Data Protection Act, 2019 (the DPA) and we take our responsibilities in this regard very seriously. We ensure the personal data we obtain is held, used, and otherwise processed in accordance with the DPA and all other applicable laws and regulations.

1. Who is ALN Kenya?

ALN Kenya is a full-service law firm incorporated in the Republic of Kenya as a limited liability partnership. ALN Kenya is a member of ALN, an alliance of leading law firms currently spanning 14 jurisdictions in Africa. We provide our clients with a range of legal and business solutions. We, as the data controller, are responsible for the personal data we collect.

2. What personal data do we collect?

In the course of rendering services to our clients, we collect a broad range of personal data including, without limitation:

  • Identity information which includes names, copies of identity documentation (for example, national ID or passport), dates of birth, and locations/addresses;
  • Contact information which includes phone numbers and email addresses;
  • Device identifier information which includes internet protocol address, browser type and other similar information from our website users;
  • Financial information which includes bank account details in case we need to process any payments;
  • Details on remuneration where, for example, we may act for an employer or a party to a merger and acquisition;
  • Photographs of our clients for various processes with government registries and other public authorities; and
  • Vehicle registration details belonging to people who visit our offices.

We collect this personal data directly when clients engage us. We may also indirectly collect personal data from other professional service providers who are working with us to render services or from our corporate clients in relation to individuals employed or contracted by them. In such cases, we rely on these third parties to inform the individuals in question that they will be sharing their personal data with us, and we only use that personal data for the stated purpose.

3. What do we do with your personal data and why do we do it?

We primarily use the personal data we collect to render services and to comply with various legal obligations. Some of the specific processing activities we may be involved in are:

  • running Know Your Customer (KYC) checks;
  • providing legal advice;
  • attending to various registration formalities;
  • processing tax payments;
  • facilitating transactions where we act as an escrow agent or stakeholder;
  • improving our website;
  • complying with various legal obligations which we may be subject to;
  • providing information about our services or upcoming events we may be hosting;
  • prosecuting and defending our rights in any legal proceedings or enforcing compliance with any agreement with us; and
  • responding to any queries or processing any complaints which may be made.

We may also use personal data to keep our stakeholders up to date on legal developments, invite them to events we host, and provide them with information on our services. However, we only do this if we have obtained consent from the individuals involved.

We appreciate that some of the personal data we collect, such as financial information, is sensitive personal data. We ensure that we process such sensitive personal data in accordance with the DPA.

4. What rights do you have?

As a data subject, you have the right to:

  • be informed of the use to which your personal data is to be put;
  • access your personal data which we hold;
  • request that we make your personal data available to you in a portable format and transmit it to another data controller, data processor or a third party;
  • request for your personal data to be corrected or updated;
  • request for your personal data to be deleted, provided that the DPA may allow us to retain your personal data in certain circumstances;
  • request us to suspend the processing of your personal data for various reasons provided for in the DPA such as where your personal data is incorrect;
  • object to the processing of all or part of your personal data; and
  • request that we process your personal data anonymously or pseudonymously.

To exercise any of these rights, please reach out to us through the contact page on our website.

5. Who do we share your personal data with?

Our primary use of personal data is to render services. We do not sell any personal data to third parties. However, we do share personal data with some third parties who assist us in rendering services, such as government and regulatory authorities, registry service providers, and our bankers. When sharing this personal data, we ensure that we comply with the provisions of the DPA.

6. Do we transfer your personal data outside Kenya?

We use cloud service providers to store the personal data we collect. These service providers host their servers outside Kenya and therefore, we do transfer personal data outside Kenya. We do this to provide better services and to secure the personal data we hold. We do not transfer any sensitive personal data outside Kenya without first seeking consent of the individuals in question. Our cloud service provider primarily hosts their servers in France, Ireland, South Africa, Austria, Finland, and the Netherlands.

7. How long do we hold your personal data for?

We generally store personal data for as long as we need to render legal services. We may retain some personal data for longer periods to the extent we are permitted to do so under the DPA and other applicable laws. Where we do so, we will ensure that we either anonymise or pseudonymise the personal data if retaining it in an identifiable form is not necessary for the reasons we are holding it.

We review the personal data which we hold periodically and assess whether we need to keep holding it. Where we no longer need it, we permanently delete it.

8. Have a complaint?

We take your privacy seriously and are committed to ensuring that we are compliant with the DPA and any other applicable law. Should you have a complaint with how we process your personal data, please reach out to us through the contact page on our website and we will do our best to address your concerns.

9. Updating this Policy

We will be updating this Policy from time to time, so kindly check this page regularly and let us know here if you have any questions. All changes we make are, unless stated otherwise, effective immediately upon notice, which we may give by any means, including but not limited to posting the updated version of the Policy on our website or within our application. If the changes are material, we may also post a notice on our website drawing your attention to them.