Data Protection Policy
1. Introduction
1.1 This policy outlines the principles and procedures governing the collection, processing, storage, and disposal
of personal data by Wanjiku Joy & Company Advocates in compliance with the Data Protection Act 2019 and its subsidiary legislation.
1.2 The policy ensures the lawful, secure, and ethical handling of personal and sensitive data, helping maintain compliance
with data protection laws while protecting individuals' privacy rights.
1.3 This policy also complies with the Constitution of Kenya (2010), the Advocates Act (2012) and its subsidiary
legislation, and the Data Protection Act (2019) and its subsidiary legislation.
1.4 The scope of this policy covers all employees, clients, and third parties handling data.
1.5 It applies to all data processing activities related to business purposes, including:
- Delivering legal and consultancy services to clients, such as representing clients in legal matters, drafting and reviewing IT contracts, conducting data protection audits, and providing advisory opinions.
- Business administration, client relationship management, professional development (e.g., inviting clients to seminars), and compliance with legal and regulatory requirements such as tax reporting and record retention.
2. Definitions
2.1 Personal data: Information that may be used to identify an individual, including contact details (name, address, email, phone number), identification details (ID/passport number, date of birth), billing information, contractual or transactional data, case data, and communication records.
2.2 Sensitive personal data: Delicate personal information requiring additional safeguards such as biometric details, health records, marital status, family information, or sex of the data subject.
2.3 Processing: Any action performed on personal data—collection, storage, transmission, retrieval, use, or destruction.
2.4 Data Controller: The Firm—responsible for determining the purposes and means of processing personal data.
2.5 Data Processor: Any individual or entity processing data on behalf of the Firm through a written contract.
2.6 Data Subject: Any individual whose data is processed by the Firm, including clients, representatives, partners, or witnesses.
2.7 Third Party: Any external person or organization processing Firm data, including regulators, courts, opposing counsel, and service providers such as hosting or accounting firms.
3. Types of Personal Data Collected
- Client data: names, phone numbers, email addresses, ID/passport numbers, PIN, contractual data, billing information, and case-related communications.
4. Data Processing Principles
As per Section 25 of the Data Protection Act 2019, personal data must be handled in a manner that:
- Respects the privacy rights of the data subject;
- Is lawful, fair, and transparent;
- Is collected for specific, legitimate purposes (Purpose Limitation);
- Is limited to what is necessary (Data Minimisation);
- Is accurate and up to date (Accuracy);
- Is retained only as long as necessary (Storage Limitation);
- Is secure from unauthorized access or damage (Confidentiality and Integrity); and
- Complies with all data protection principles (Accountability).
5. Lawful Basis for Data Processing
- Consent: Obtained from individuals before processing personal or sensitive data.
- Contractual Necessity: Processing required to fulfill legal and consultancy obligations.
- Legal Obligation: Compliance with the Advocates Act and other statutory requirements.
- Legitimate Interest: Processing necessary for improving services and marketing to existing clients.
6. Data Subject Rights and Privacy Notice
- Right to be informed: Data subjects are notified about data usage, processing, and retention.
- Right to access: Data subjects may request records about themselves; the Firm must respond within seven (7) days.
- Right to object: Individuals can object to data processing; objections for marketing must be honored immediately.
- Right to rectification and erasure: Individuals may request correction or deletion of data, processed within 14 days unless restricted by law or public interest obligations.
7. Responsibilities of the Firm
- Clients: Must understand how the Firm processes their personal data and how to exercise their rights.
- Head Attorney: Oversees personal data management, responds to data subject requests, and handles breach notifications.
8. Security and Access Controls
The Firm ensures data confidentiality and protection against unauthorized access or disclosure through:
- Password-protected and encrypted email services;
- Secure disposal when retention terms expire;
- Locked filing cabinets within the office; and
- Regular testing and review of security measures.
9. Third Parties
- All third-party processors must have written contracts specifying data use and protection measures.
- Data transfers occur only if the recipient offers equivalent data protection standards.
- Third parties must maintain strict confidentiality and data security practices.
10. Data Retention and Disposal
| Data Type | Retention Period | Disposal Method |
| --- | --- | --- |
| Client Records | 7 years | Secure shredding using paper destruction tools |
11. Enforcement
- All Firm members must comply with this policy. Breaches may result in disciplinary or legal action.
- Personal data breaches that pose a risk to individuals must be reported immediately.
- The Firm will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of a confirmed breach, including all relevant details and remedial actions.
- Post-incident analysis and reports will be prepared to ensure corrective and preventive measures.
12. Policy Review and Amendments
This policy will be reviewed annually or when new data protection laws are enacted.
Wanjiku Joy & Company Advocates
Nakuru, Kenya
+254743257967
info@wanjikujoycompanyadvocates.co.ke