PKF firms in Eastern Africa include PKF Kenya LLP, PKF Consulting (K) Limited, PKF Taxation Services Limited, ESR Kenya LLP, PKF Uganda, PKF Consulting (U) Limited, PKF Taxation Services Limited (Uganda), Equatorial Secretaries & Registrars Limited (Uganda), PKF Rwanda Limited, PKF Consulting (R) Limited, PKF Associates Tanzania, PKF Advisory Limited (Tanzania), PKF South Sudan including their associates, subsidiaries, assigns and successors. As used in this privacy statement, “PKFEA”, “us”, and “we” refer to these affiliate/member firms and associates that may process your personal information.
In the course of our business activities, we process personal data of our partners, employees, contractors, job applicants, customers and individuals associated with them, business contacts, suppliers, visitors, service providers, and other stakeholders (hereinafter, the “Data Subjects” “you”, or “your”).
This policy describes the information privacy practices we follow when handling personal information we collect or receive in conducting our business. Such information is normally collected through business transactions and interactions, employment processes, and user application(s) such as emails, websites, and network platforms.
Personally Identifiable Information (PII)
Personally Identifiable Information (also referred to as personal data in this policy) means any information relating to an identified or identifiable natural person (the data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location information, an online identifier or by one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of the natural person.
This policy applies to all those who have access to personal data in our possession. This includes our employees, all service providers, and consultants who are our agents or working on our behalf or in our name, through outsourcing of services and processes or any business activity.
This policy also serves to inform the general public of the rights accorded to the data subjects, personal data collected by PKFEA, the purpose of collection and how that data is handled.
Data subject rights
As a data subject, you have rights regarding the processing of your personal information as follows:
- To be informed of the use your personal data is to be put by us;
- Request access to any personal information held about you by us and details of the processing of your personal information by us;
- Object to or restrict the processing of your personal data (including profiling), including where the processing is unlawful or no longer necessary;
- Have inaccurate personal data amended or erased, and have incomplete personal data completed;
- Deletion of false or misleading data about you.
In exercising your rights, you may:
- Withdraw any consent you have given, or are deemed to have given, in relation to our collection or use of your personal information;
- Request the erasure of your personal data where:
- the processing is not lawful,
- where the data is no longer necessary for the purpose for which it was collected,
- where you withdraw consent which was the lawful basis of processing,
- where the erasure is necessary to comply with a legal obligation,
- where processing was for direct marketing, or
- you object to processing and there is no overriding legitimate interest for us to continue processing.
- Request to receive your personal data in a format suitable for transmission to another data controller;
- Object to processing of your personal information for direct marketing.
- Object to any decision about you based solely on automated processing (including any profiling) that produces legal effects or otherwise significantly affects you; and
- Complain to the relevant data protection supervisory authority, if you think that we are not complying with our obligations in relation to our processing of your personal information.
You can make a request to us in relation to these rights at any time by contacting us via email at email@example.com. All requests will be dealt with promptly, in line with the provisions of Data Protection and Privacy Regulations in Kenya, Uganda, Tanzania, Rwanda and South Sudan. Any information to which you are entitled will be provided within a reasonable timeframe, subject to any exemptions stipulated in applicable data privacy laws.
Collection of personal data and purpose of processing
How do we collect data from you?
We collect personal data from various sources as follows;
- Directly from you
- From providers of medical insurance, group life and pension administrators
- From referees whom you have provided
- From CCTV images
- From 3rd parties whom we have engaged to provide various services such as security, transport
- From our clients who have contracted us to provide services such as audit and assurance, company secretarial, tax advisory, payroll processing and any other advisory work where we request clients to share information that might constitute personal information
The data we collect depends on your relationship/interactions with us.
- Job applicants
We may collect information you provide to us through the recruitment processes such as name, date of birth/age, gender, contact information, identification document details, education and academic qualifications, professional and employment history, reference contacts and current employment remuneration details.
This information is only collected for the purposes of recruitment as follows:
- To screen and select talent by evaluating your suitability for employment with us,
- To carry out background reference checks.
The personal information we will process about you may vary depending on your specific role and personal circumstances. We may collect, store, and use the following categories of personal data about you:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
- Date of birth.
- Next of kin and emergency contact information.
- Medical insurance dependents (Names, gender, and date of birth)
- Pension fund and group life insurance beneficiaries (name, relationship, and identification details)
- National Hospital Insurance Fund, National Social Security Fund, Pension, PIN details.
- Bank account details.
- Salary, pension and benefits information.
- Employment and education history including your qualifications, and job application-related information (CV and cover letter, employment references.
- Employment records (including correspondences, leave records, appraisal records, training records, academic and professional certificates and professional memberships certificates).
- Copy of identity documents such as driving license, passport and ID card.
- Disciplinary and grievance information.
- Biometrics such as fingerprints
- and other information relevant to meeting our obligations under the employment laws
This information is only collected for the purposes of human resource management, staff welfare, staff training and development and payroll processing.
- Business partners
For all counterparties doing business with us, we collect information that might be PII in nature. This could be names, personal email addresses or phone numbers provided in the course of communications, individual tax PIN numbers, or physical addresses of agents and representatives.
Information collected through these processes is only used for legitimate trading purposes such as facilitating processing of transactions, receipting and making of payments.
To ensure we do business with reputable, honest, and qualified business partners and agents, we may also conduct due diligence checks on companies and their directors and shareholders to establish the legal status of all potential new business partners to evaluate whether they may be involved in illegal or corrupt practices. Such checks may include the collection of personal identification documents for such directors and shareholders.
- Data subjects whose personal data we obtain in connection to providing professional services
Given the diversity of the services we provide, we process many categories of personal data, including:
- Personal details (e.g. name, age/date of birth, gender, marital status, country of residence, nationality);
- Contact details (e.g. email address, contact number, postal address);
- Financial details (e.g. salary, gratuity, pension, payroll details, and other financial-related details such as income, investments and other financial interests, benefits, tax status); and
- Job details (e.g. role, grade, experience, academic and professional qualifications, performance information and other information about management and employees).
For certain services, we may process special categories of personal data such as in
- Providing services to clients who could have processed data relating to children
- Providing immigration which involves us processing government identification documents that may contain biometric data or data revealing racial or ethnic origin
- Auditing or provision of services to clients in the health sector where we might review personal health records
- Performing individual background checks where we might process private information
Personal data collected in this category is only used for the purposes of providing professional services, managing and developing our services, quality and risk management activities, complying with any requirement of law and regulation or professional bodies where we are member
- Information provided through our security procedures
As part of our security procedures, we obtain information from our visitors. This information may include the name, national identification number, phone number, vehicle registration, name of employer and other business contact details. Such information is only processed for purposes of maintaining a record of our visitors for security management purposes.
- Information you provide to us through our website
We may collect information you provide to us through our web-based enquiries. This information include your name, your phone number and email address. This information is only processed for business purposes.
- Information we may receive from our counterparties
We may receive personal information about you from our counterparties, who may recommend or suggest that we contact you for business purposes. This includes basic contact information about you, such as your name, company name, title, address, phone number, fax number and email address. It may also include information on the products you have shown interest in or may be interested in purchasing from us.
We may also obtain personal information about you from our counterparties in connection with business transactions you initiate with us, such as through credit verification or other processes related to the transaction.
If we use such information to contact you, it will only be to see if you are interested in our products. We will not use this information for other purposes without your consent. In addition, if you inform us that you are not interested in these products, we will stop using the information to contact you.
- Others who may get in touch with us
We collect personal data when an individual gets in touch with us with a question, complaint, comments or feedback such as name, contact details and content of the communication. In this case, we will only use the data for the purpose of responding to the communication and handling the matter.
- CCTV installations
Our premises are equipped with CCTV cameras for the purposes of safety and security.
Use of personal information for marketing purposes
With your consent or as otherwise permitted by applicable law, we may use your personal information for purposes relating to the marketing of our products, or those of our business partners where you may have shown interest in. This means we may from time to time:
- Send you newsletters, press releases, event announcements and other similar communications regarding the products that we offer;
- Solicit input from you regarding improvement of our products;
- Send you announcements or requests on behalf of other customers of ours who believe you would benefit from use of our products; and
- Use your personal information for other purposes that we disclose to you at the time we obtain your consent.
You may at any time opt-out of receiving marketing related communication from us, by contacting us at firstname.lastname@example.org.
Personal data integrity
While you are responsible for the accuracy of all personal information that you provide to us, we will use reasonable efforts to maintain the accuracy and integrity of your personal information, and to update that information as appropriate. We will take reasonable steps to ensure that the personal information we collect from you is relevant to its intended use, and that it is used only in ways that are compatible with the purposes for which it was collected or otherwise authorised by you.
Personal data sharing
From time to time we may share your personal information within the PKFEA. Such information may be used for internal business, operational, as well as for purposes consistent with the purpose for which the information was originally collected or subsequently authorised by you.
We may disclose or transfer your personal information with our service providers. Normally, these would include the company lawyers, bank, medical insurance providers, group life providers, pension administrators, professional bodies where we are members, service providers and consultants.
We will not share your personal information with third parties outside of PKFEA for their marketing purposes without your consent. However, we may share such information with our counterparties as described for the purposes disclosed to you at the time you provided the information, or as subsequently authorised by you or as permitted by applicable laws.
The personal information that we collect from you may be transferred to, and stored at, a destination outside Kenya. It may also be processed by members of staff operating outside of the country who work for us or one of our service providers.
If your personal information is held by us within Kenya, it will only be transferred outside the country after the following considerations – as provided by the law:
- The appropriateness of data protection safeguards during transfer;
- The transfers is to a country where adequate level of protection is ensured;
- The transfer is based on necessity and approved by the Office of Data Protection Commissioner; or
- If you have given consent to such transfer.
- Legal Protections and Law enforcement
We may access, use, preserve, transfer and disclose to our counterparties your personal information for the following purposes:
- To satisfy any applicable law, regulation, or legal or regulatory process, if in our opinion such is required or permitted by law or reasonably requested by a regulatory authority (including the tax authorities);
- To detect, prevent or otherwise address fraud, security issues or breaches, or technical issues. This may include allowing third parties, such as internet service providers, wireless service providers and/or law enforcement agencies, to access and use your personal information in order to identify you. We may take any of these steps without prior notice to you to the extent permitted by law.
Protection of personal information
We put in place reasonable safeguards and measure based on internationally recognised information security standards to protect your personal information in our possession from misuse, unauthorised access, disclosure, alteration, destruction or loss. We have a framework of policies, procedures and training/awareness in place covering data protection, confidentiality and security. As necessary, we will take additional precautions regarding the security of particularly sensitive information, such as categories of data deemed as sensitive under applicable data protection laws.
While we strive to secure your personal information, we cannot warrant or guarantee that this information will be protected under all circumstances, including those beyond our reasonable control.
We will not retain personal information for longer than is necessary for the purposes for which it was collected, except where retention is necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims. We have developed an internal data retention policy which is guided by the applicable laws.
Access, objection to processing, rectification and data erasure
Should you require to communicate to us in regard to access of your data, object to processing, request for rectification or erasure, kindly contact us through email@example.com.
Request by employees can be communicated through the Human Resource department or in writing through firstname.lastname@example.org.
Monitoring and enforcing this policy