1. Introduction

Our company is committed to protecting the privacy and security of your personal information.

This privacy policy describes how we collect and use personal data about you in accordance with the Data Protection Act 2019. The purpose of the Act is to give to effect Article 31(c) and (d) of the Constitution that contains the right to privacy which is a fundamental human rights.

Data protection is the process of safeguarding personal information, in accordance with a set of  principles laid down by law. This clearly stipulates what should our system collect, whose data is collected, and who else is the data likely to identify based to the collected or processed data.

As Senaca East Africa, we have a responsibility to ensure that we collect, process, and use personal data in accordance with the law. When we do so, we are regulated under the Data Protection Act 2019 and we are responsible as “data collectors” of that personal information for the purpose of the law or as “data processors” on behalf of our clients who contract our security services.

  1. Purpose and Scope of this Policy

We recognize and understand that innovation, new ways of doing business, and new technology drive continued change in risk, expectations, and laws. Therefore, this policy is intended to provide and guide on the minimum standards in regards to collection and processing of personal information.

The policy ensures that, Senaca East Africa:


  1. Complies with local and, to extent applicable, international laws and regulations on data protection.
  2. Protects the rights of its employees, customers, visitors, suppliers, business partners, and other stakeholders.
  3. Promotes fairness and transparency in how it collects, processes, and stores personal data.
  4. Has put measures and mitigation plan to protect itself from data breaches.


All company employees and management have core privacy responsibilities they must abide with and uphold. This should abide by:


  • Legal, regulatory, and corporate policy compliance;
  • Confidentiality;
  • Integrity; and
  • Availability of the information.

Any breach of this policy and related policies and procedures may result in disciplinary measures.

Our Data Protection Officer (DPO) is responsible for overseeing the implementation and review of this Policy and can be reached through email

We collect personal data through the following activities (the list is not exhaustive):

  1. Recruitment
  2. Job applications
  • Customers and clients contracts
  1. Suppliers and vendors
  2. Financial transactions
  3. Visitors to our premises and clients premises
  • Training and sponsorship
  • Biometric installations
  1. CCTV camera surveillance
  2. Website and social media


  1. Data Protection Principles


  Privacy Principle


Our Core Commitment
1. Right to Privacy


·        Senaca East Africa shall strive to protect the privacy of the data subject by:


ü  Requesting for the consent of the “Data Subject” before collecting or processing any personal information.

ü  Allowing only authorized personnel to process personal data.

ü  Concealing the identity of the data subject.

ü  Using end-to-end encryption in its internet connectivity.

ü  Anonymizing where possible.


·        We have implemented and applied comprehensive security program and controls that are based on the sensitivity of the information and the risk level of the activity.

·        Data and information collection and processing is implemented in accordance to the “Need to know” Rule right from recruitment, vetting and background checks, deployment on clients premises, and separation.

·        Our security policies include emergency and contingency planning, business continuity planning, access management and search procedures, information security, physical security, investigations, and risk management.



2. Fairness and Lawfulness



·        Senaca East Africa will always strive to process personal data in fair, lawful and transparent manner.

·        Processing of personal data will deemed to be lawful if the following conditions are met:


a)    The “Data Subject” has given consent.

b)    Processing is necessary for the data subject to be allowed access to Seneca East Africa premises or to the premises of a  “Data Controller” who has contracted Senaca east Africa to process data on their behalf.

c)    Processing is necessary for Senaca East Africa to pursue legitimate interest without prejudicing the dignity and rights of the data subject.

d)    To comply with legal obligations as stipulated by state legislation and statutes.


·        Senaca East Africa being  member of the UN Blue Company program abides by the Universal Declaration of Human rights Article (12) that states:


“No one shall be subjected to arbitrary interference with his/her privacy, family, home, or correspondence, nor to attacks against his/her honour or reputation.”



3. Legitimate Purpose



·        Senaca East Africa shall ensure that the data collected is for legitimate purposes only.

·        The data collected should be specified, explicit and should not further be processed in a manner incompatible with these purposes.

·        Control and monitoring measures shall be put in place to minimize any privacy impact on the data subject.


4. Purpose Limitation/Adequacy



·        Where sensitive data revealing natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details, including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the Data Subject, should be collected as directed by the Office of the Data Protection Commissioner.

·        Employees of Senaca East Africa shall not process data for a new purpose that is not compatible with the original purpose.

·        Where a new purpose is required, Seneca East Africa shall first notify and obtain a fresh consent of the data subject.


5. Valid Explanation


·        We shall ensure that all personal data is collected only where a valid explanation is provided whenever information relating to family or private affairs is required.


6. Accuracy


·        Senaca East Africa shall ensure that personal data is kept up to date.

·        Necessary measures like employees having access to their personal data on request and periodical checks of files have been put in place for correcting and updating inaccurate data.


7. Retention


·        Senaca East Africa shall ensure that there is storage limitation and that data is not stored for longer than is necessary.

·        Personal data shall not be stored in a way that identifies the data subject.


8. Transfer Outside Kenya


·        Senaca East Africa operates across the trans borders and incase of data transfer shall ensure that the entity and country of transfer has in place laws or measures that ensure an individual’s data is protected against loss or breaches.



  1. Rights of the Data Subject

The data subject has a right to:

  • Be Informed of the use to which their personal data is to be used.
  • Access their personal data in the custody of data controller or data processor.
  • Object to the processing of all or part of their personal data.
  • Correction of false or misleading data.
  • Deletion of false or misleading data about them.
  • Right to withdraw consent at any time.
  1. Compliance with Audit

Senaca East Africa management shall conduct periodic audits to ensure compliance with this policy.

  1. Related Documents
  • Service Level Agreements.
  • Standard Operating Procedures.
  • Access control policy.
  • Human Resources Policy.


  1. Review

The process shall be reviewed periodically and when there is a change in threat or change in operational environment.

  1. Policy Approval

This policy was approved by the board of management on 10th August 2022.


Definition of terms


Term Explanation
Consent Means any manifestation of express, unequivocal, free, specific, and informed indication of the data subject’s wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.


Data Subject An identified or identifiable natural person who is the subject of personal data.


Data Controller Natural or legal person, public authority, agency or other body which, alone or jointly with others, determine the purpose and means of processing of personal data.


Data Processor Natural or legal person, public authority, agency or other body which, processes personal data on behalf of the data controller.


Sensitive Personal Data


Data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of person’s children, sex, or sexual orientation of the data subject.


Personal Data Any information relating to an identified or identifiable natural person.


Processing Any operation or set of operation which is performed on personal data or on set of personal whether or not by automated means such as:


i.          Collection, recording, organization, structuring.

ii.          Storage, adaptation or alteration.

iii.          Retrieval, consultation or use.

iv.          Disclosure by transmission, dissemination or availability.

v.          Alignment or combination, restriction, erasure or destruction.