Our Data Protection Policy
1. Introduction
Wacu Mureithi & Co. Advocates (“the Firm”) is committed to protecting the privacy and confidentiality of personal data in compliance with the Data Protection Act, 2019 (“DPA”).
This Data Protection Policy explains how we collect, use, store, and disclose personal data while offering legal services to our clients.
Wacu Mureithi & Co. Advocates is committed to legally, fairly, and transparently processing personal data.
2. Scope of the Data Protection Policy
This Data Protection Policy applies to personal data we collect from clients, employees, service providers, and other third parties. It covers data collected in all forms, including electronic and paper records.
3. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Data Subject: The individual to whom the personal data relates.
- Data Controller: Wacu Mureithi & Co. Advocates, who determines the purpose and means of processing personal data.
- Data Processor: Any entity that processes personal data on behalf of the Data Controller.
- Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
4. Legal Basis for Processing
We process personal data based on the following lawful grounds under the DPA:
- Consent: This is when the data subject gives clear consent for their data to be processed for a specific purpose.
- Contractual Obligation: Where processing is necessary for the performance of a contract to which the data subject is a party.
- Legal Obligation: Where processing is necessary to comply with a legal obligation.
- Legitimate Interest: Where processing is necessary for the legitimate interests of the Firm or a third party, provided that these interests do not override the rights of the data subject.
5. Types of Personal Data Collected
The Firm may collect and process the following types of personal data:
- Identification Information: Name, national ID/passport number, date of birth, gender.
- Contact Information: Telephone number, email address, postal address.
- Financial Information: Bank account details, and tax identification number.
- Legal Information: Information related to the provision of legal services, including case files and other documentation.
- Employment Information: For employees and job applicants, we collect employment history, qualifications, and other HR-related data.
6. How We Collect Personal Data
We collect personal data in the following ways:
- Directly from the data subject through forms, emails, phone calls, or in-person meetings.
- Through third parties such as regulators, courts, and other legal professionals.
- From publicly available sources like company registries, land registries, and online databases.
7. Purposes of Processing Personal Data
The Firm processes personal data for the following purposes:
- To provide legal advice and representation to clients.
- To fulfil contractual and legal obligations.
- To manage client relationships and communicate effectively.
- For employment and HR management purposes.
- To comply with statutory and regulatory obligations.
8. Data Subject Rights
Under the DPA, data subjects have the following rights regarding their personal data:
- Right to Access: Data subjects may request access to the personal data we hold about them.
- Right to Correction: Data subjects can request correction of inaccurate or incomplete data.
- Right to Deletion: Data subjects can request that their data be deleted under certain conditions.
- Right to Object: Data subjects may object to the processing of their data for certain purposes.
- Right to Data Portability: Data subjects can request a copy of their data in a structured, machine-readable format.
- Right to Restrict Processing: Data subjects can request the restriction of processing in certain circumstances.
Requests to exercise these rights can be made in writing to the Firm at the contact details provided below.
9. Data Security
We take reasonable technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of sensitive data.
- Regular auditing of security practices.
- Access controls to restrict access to personal data to authorized personnel only.
10. Data Retention
We retain personal data only for as long as is necessary for the purposes outlined in this Policy or as required by law. Personal data that is no longer required will be securely deleted or anonymized.
11. Sharing and Disclosure of Personal Data
The Firm may share personal data with:
- Regulatory bodies, government agencies, and courts where required by law.
- Third-party service providers such as IT support and cloud service providers, are subject to contractual obligations to protect the data.
- Other legal professionals or experts as part of the provision of legal services.
We will not sell, rent, or trade personal data to third parties for marketing purposes.
12. International Data Transfers
In certain cases, we may transfer personal data outside Kenya, for example, to service providers or partners located abroad. Such transfers will only occur where there are appropriate safeguards in place to ensure the protection of personal data, including compliance with the provisions of the DPA regarding cross-border data transfers.
13. Data Breaches
In the event of a data breach that compromises personal data, the Firm will notify the Office of the Data Protection Commissioner and affected data subjects in line with the DPA’s requirements.
14. Updates to this Data Protection Policy
This Policy may be updated from time to time to reflect changes in legal or regulatory requirements or our business practices. The most recent version will be available on our website.
15. Contact Information
For questions, requests, or concerns regarding this Policy or the Firm’s handling of personal data, please contact us at:
Wacu Mureithi & Co. Advocates
P . O. BOX 28 – Diamond Plaza Nairobi.
Phone: +254 708 806 621
Email: info@wacumureithiadvocates.co.ke