Privacy Policy

Last updated [September  23rd, 2022]


The Act Means The (Kenya) Data Protection Act no. 24 of 2019.

GDPR Means the General Data Protection Regulation.

Data Subject Means an identified or identifiable natural person.

Personal data Means any information relating to an identified or identifiable natural person.

A personal data breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Sensitive Personal Data means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex, or the sexual orientation of the data subject.

Responsible Person Means the Data Protection Officer for Eclectics International.

The Regulations

  1. The Data Protection (General) Regulations, 2021 – Legal Notice No. 263;
  2. The Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 —Legal Notice No. 264.
  3. The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 —Legal Notice No. 265.

Purpose of this policy

The policy provides guidance on how Eclectics will handle the data it collects. It helps Eclectics to abide by the data protection law and protect the rights of data subjects.

Application/Scope of the Policy

This policy applies to all personal data we process regardless of the location where that personal data is stored (e.g., on an employee’s own device, Eclectics International’s servers, Eclectics International’s website, etc.) and regardless of the data subject. All Eclectics International staff and others processing personal data on Eclectics International’s behalf must read it. A failure in strict compliance with this policy shall result in severe disciplinary actions. Eclectics International Heads of Departments are responsible for ensuring that all staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls, and training to ensure compliance.


Eclectics International has appointed an internal Data Protection Officer (DPO) who is responsible for overseeing the implementation of this policy. If you have any questions about this policy, including any requests to exercise your legal rights, please contact the data protection officer using the email below. Email Address:

Changes to this Policy

This version was last updated on September 23rd, 2022. This policy shall be reviewed on an annual basis or whenever there are changes to the data protection regulations and/or changes in our internal processes. Please visit this web page periodically to keep up to date with the changes in this policy

Rights of Data Subjects

As a data subject, you have the following rights.
  1. to be informed of the use to which your personal data is to be put.
  2. to request a copy of your personal data which shall be availed to you in a timely manner.
  3. to object to the processing of all or part of your personal data.
  4. to request correction or deletion of misleading information on your personal data.

Exercise of Rights of Data Subjects

A right conferred on a data subject may be exercised.

    1. where the data subject is a minor by a person who has parental authority, or by a guardian.
    2. where the data subject has a mental or other disability, by a person duly authorized to act as their guardian or administrator
    3. in any other case, by a person duly authorized by the data subject.

Data protection principles

Eclectics International Limited commits to its stakeholders and general data subjects to always collect, process, store, and transfer personal data with the utmost professionalism and in accordance with its responsibilities as stipulated under the Act, the Regulations, the GDPR, and other relevant legislation. Eclectics shall ensure that personal data is —
  1. processed in accordance with the right to privacy of the data subject;
  2. processed lawfully, fairly, and in a transparent manner in relation to any data subject;
  3. collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes;
  4. adequate, relevant, and limited to what is necessary for relation to the purposes for which it is processed;
  5. Eclectics International shall ensure that personal data is adequate, relevant, and strictly limited to what is necessary in relation to the purposes for which they are processed.
  6. collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
  7. accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  8. kept in a form that identifies the data subjects or no longer than is necessary for the purposes for which it was collected; and not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

Lawful, fair, and transparent processing

    • To ensure its processing of data is lawful, fair, and transparent, Eclectics International shall maintain a Register of Systems.
    • The Register of Systems shall be reviewed at least annually.
    • Eclectics International’s clients and partners have the right to access their data and any such requests made to Eclectics International shall be dealt with in a timely manner.
    • Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
    • All data processed by Eclectics International must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
    • Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in Eclectics International’s systems.

Collection of Personal Data

Eclectics shall collect data directly from the data subject in a secure channel. Eclectics shall collect personal data indirectly where.
  1. The data is contained in a public record
  2. The data subject has deliberately made the data public
  3. The data subject has consented to the collection from another source
  4. The data subject has an incapacity, the guardian appointed has consented to the collection from another source.
  5. The collection from another source would not prejudice the interests of the data subject.
  6. Collection of data from another source is necessary
For the prevention, detection, investigation, prosecution, and punishment of crime. For the enforcement of a law that imposes a pecuniary penalty. For the protection of the interest of the data subject or another person.


  1. Eclectics International shall take reasonable steps to ensure personal data is accurate.
  2. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
  3. All users shall be expected to provide accurate information at all times and will be required to immediately report any error or discrepancies in the data capture within the shortest period of discovering such error(s).

Data Retention

  1. Eclectics shall retain personal data only if may be reasonably necessary to satisfy the purpose for which it is processed unless the retention is required or authorized by law, reasonably necessary for a lawful purpose, authorized or consented by the data subject or for historical, statistical, journalistic literature and art or research purposes.
  2. Where retention is not required under the above-mentioned grounds, then the data processor or controller shall delete, erase, anonymize or pseudonymize personal data not necessary to be retained under sub-section (1) of the Data Act in a manner as may be specified at the expiry of the retention period.


  1. Eclectics International shall conduct periodic data protection impact assessments (DPIA) to ensure the integrity, availability, and reliability of data are not compromised and that personal data is processed, controlled, transferred, and stored securely using modern software that is kept up to date.
  2. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorized sharing of information.
  3. When personal data is deleted this shall be done safely such that the data is irrecoverable.
  4. Appropriate backup and disaster recovery solutions shall be in place.


In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data, Eclectics International shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the Data Commissioner as per the set guidelines per set Regulations and as per the provisions of the Act. Eclectics shall notify the data commissioner of a data breach within seventy-two hours of becoming aware of the breach. In case the delay is not made within the specified time, Eclectics shall submit a written document stating the reason for the delay.

Breach Notification as a data processor

Whenever there is a personal data breach Eclectics shall notify the relevant data controller within forty-eight hours of becoming aware of the breach.

Breach Notification as a data controller

Eclectics may restrict communication of a breach for the purpose of prevention, detection, or investigation of the incident. Eclectics may choose not to communicate the personal data breach to data subjects where the appropriate security safeguard has been implemented.

Transfer of Personal Data outside Kenya

In cases whereby Eclectics may transfer personal data to another country, the data commissioner shall be provided with appropriate safeguards aimed at ensuring the protection of personal data.