L LEYSCO100 ← Back to site

Leysco Limited

Data Privacy Policy

Last updated: June 2026  ·  Reviewed every two years  ·  Prepared in line with the Data Protection Act (Cap 411C, Laws of Kenya).

1. Introduction

Policy Statement

Leysco Limited recognises and understands the importance of treating personal data in a responsible and legally compliant manner. The Company understands that every person has a Constitutionally protected right to privacy which creates an obligation to keep people's private affairs and communications safeguarded.

Leysco Limited endeavours to go beyond compliance with data protection and privacy laws in protecting the privacy of personal information under its custody or control. The Company believes that at the centre of all business relations is a culture of trust, transparency, integrity, and accountability in the management of personal information. The Company is therefore committed to establishing high standards of data protection, not only to protect individuals' information and to comply with the law, but also to maintain the trust and confidence that our customers, employees, and other stakeholders have with the Company.

This Policy is part of the many steps taken by the Company towards establishing, maintaining, and implementing high standards of data privacy and protection.

Purpose

The purpose of this Policy is to:

  • Provide minimum standards with respect to the protection of personal data that we collect, process, or store.
  • Adhere to Constitutional and statutory requirements on data protection.
  • Abide by all local and international laws (to the extent possible) on data protection.

Scope and Application

This Data Protection Policy applies to:

  • All personal data, whether in electronic format or on paper, collected, stored, processed, or transmitted by the Company.
  • The Company, and all its operations within and outside Kenya in relation to data subjects located in Kenya.
  • All employees of the Company regardless of the nature and terms of their engagement with the Company as well as the Company's Directors.
  • All third-parties who process or handle personal data on behalf of the Company.

2. Definitions

The following terms as used in this Policy shall have the meaning assigned to them.

"Child"
means any person below the age of eighteen years;
"Consent"
means the data subject's explicit, informed, and voluntary agreement to the processing of their personal data;
"Data Controller"
means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data;
"Data Processer"
means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;
"Data Subject"
means an identified or identifiable natural person who is the subject of personal data that is being processed;
"Data Owner"
means a person in charge of a specific set of data such as customer data;
"Encryption"
means the process of converting the content of any readable data using technical means into coded form;
"Personal Data Breach"
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
"Personal Data"
means any information relating to an identified or identifiable natural person;
"Processing"
means any operation or sets of operations which are performed on personal data or on sets of personal data whether or not by automated means, including but not limited to: collection, recording, organization, structuring; storage, adaptation or alteration; retrieval, consultation or use; disclosure by transmission, dissemination, or otherwise making available; or alignment or combination, restriction, erasure or destruction;
"Pseudonymisation"
replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure;
"Sensitive Personal Data"
means data revealing the natural person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, and family details including names of the person's children, parents, spouse or spouses, sex or the sexual orientation of the data subject;
"Third-Party"
means a natural or legal person, public authority, agency or other body, other than the data subject, data controller, data processor or persons who, under the direct authority of the data controller or data processor, are authorized to process personal data;

3. Guiding Principles

In processing personal data, the Company shall abide by the following data protection principles:

  • Right to privacy: The Company shall endeavour to protect the privacy of the data subject, by anonymizing personal data where possible and in processing data in consistency with the purpose for which the data is being processed, to hide the identity of the data subject.
  • Lawfulness and fairness: Collection of personal data shall be for a lawful reason for which the Company shall explain the specific purpose to the data subject. Before processing of data, the lawful basis relied upon shall be documented. Processing of personal data will be lawful if at least one of the following conditions are met:
    • The data subject has given their consent for one or more specific purposes.
    • Processing is necessary for the entering into and performance of a contract to which the data subject is a party.
    • To comply with a legal obligation as prescribed by statute.
    • Where the processing is necessary for public interest.
    • Processing is necessary for the Company to pursue a legitimate interest without prejudicing the rights and dignity of the data subject.
  • Legitimate purpose: The Company shall ensure that the data collected is used for legitimate purposes and shall seek to minimize any privacy impact on the data subject.
  • Purpose limitation: Processing and control of data shall be limited to the purpose for which it was collected. Data shall only be collected for a specified, explicit and legitimate purpose. The data collected shall be adequate, relevant, and limited to what is necessary for processing. Employees and agents of the Company may use personal data for another reason other than the reason the data was originally collected where they consider that other reason to be compatible with the original purpose, but shall not process data for a new purpose that is not compatible with the original purpose. Where a new purpose is required, the Company shall first notify and obtain fresh consent from the data subject and explain to the data subject the legal basis upon which the Company needs to process the data.
  • Data minimization: The Company shall ensure that it only collects personal data that is required for the legitimate purpose of collection.
  • Storage limitation: To the extent possible, the Company shall ensure that personal data is not stored in a way that identifies the data subject. Further, the Company shall ensure that personal data is not stored for longer than is necessary in respect of the purpose for which it was collected (except where there is a legal, regulatory, audit, tax, accounting or reporting obligation that requires holding of the records). The Company may also retain personal data for a longer period in the event of a complaint or if it reasonably believes there is a prospect of litigation with respect to its relationship with a data subject.
  • Data security: Personal data shall be protected by reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure of data.
  • Data migration: The Company may share personal data in its custody with a third party for storage or processing. In such a case, the Company shall ensure that the third party has in place policies and measures that ensure an individual's data is protected against loss or improper disclosure offering the same protection as if the data was still under the Company's custody.

The Company appreciates that a longer storage period beyond the retention period may lead to data breaches and increase storage costs. The Company shall therefore regularly review the personal data it processes to ascertain whether or not it is due for destruction.

To determine the appropriate retention period for personal data, the Company shall consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which the Company processes personal data and whether those purposes can be achieved through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In accordance with Section 23 of the Tax Procedures Act (CAP 469B Laws of Kenya), the Company has to keep basic information about customers, users, and service providers (including contact, identity, financial, and transactional data) for five (5) years after the end of the tax reporting period to which the document relates.

A data subject can request to have their data deleted. The Company's management shall ensure that personal data is destroyed, deleted, or anonymized (so that it can no longer be associated with a data subject) where such data is no longer needed for the performance of their duties and or has been held for longer than the applicable retention period. The Company shall hold data for a maximum of seven (7) years unless otherwise agreed or communicated.

4. Nature of Personal Data Collected

The Company may collect, use, store and transfer different kinds of personal data which may include: bank account information, name, address, identification, contact, phone number, physical address, postal address, date of birth, gender, marital status, nationality, employee I.D., SHA Number, NSSF No., driver's licence, passport number, national I.D. Card Number, KRA PIN Number, email, emergency contact, job title, department, employment start date, employment end date, employee status (full-time, part-time, or contract etc), work schedule, supervisor, reporting structure, employment history within the organization among others.

The Company may also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from personal data but is not considered personal data in law as this data does not directly or indirectly reveal a data subject's identity. However, if the Company combines or connects Aggregated Data with personal data so that it can directly or indirectly identify a data subject, the Company shall treat the combined data as personal data which will be used in accordance with this privacy policy.

Where the Company needs to collect personal data by law, or under the terms of a contract, and the data subject fails to provide that data when requested, the Company may not be able to perform the contract (for example, provision of goods or services). In this case, the Company may have to cancel a product or service to a customer with sufficient notification.

5. How Personal Data is Collected

Personal data may be provided by the data subject directly to the Company or to the data controller on behalf of whose data we process or through a data subject's interaction with the Company's website or social media platforms.

The Company may also collect personal data indirectly where:

  • The data is contained in a public record;
  • The data subject has deliberately made the data public; or
  • Collection of data from another source would not prejudice the interest of the data subject.

The Company may also collect data from another source where such collection is necessary for the prevention, detection, investigation, prosecution, or punishment of a crime, or where such collection is necessary for the protection of the interests of a data subject or another person.

6. Data Subject's Rights

The Company respects the rights of a data subject in accordance with the Act. These rights include:

  • Right to be informed on the reason for collection of their personal data including the purpose for which and how their personal data will be processed.
  • Right of access to receive a copy of the personal data the Company holds including an understanding of how the data has been processed.
  • Right to withdraw consent where the lawful basis relied upon to collect personal data is the data subject's consent, the data subject reserves the right to withdraw such consent at any time without reason. Withdrawal of consent shall not impact the information processed when consent was still in effect. A data subject's consent shall not be considered to have been freely given where more personal data than is necessary is collected with respect to a process that a data subject may have consented to.
  • Right to rectification: to have inaccurate personal data corrected.
  • Right to erasure (right to be forgotten): a data subject has the right to ask the Company to delete or destroy the data subject's personal data where: consent has been withdrawn (where applicable), data is no longer required for the Company to perform its tasks, the holding of the personal data is not in the best interest of the data subject, or in an objection to processing.
  • Right to restrict processing where there is reason to believe that; the personal data is inaccurate; the processing was unlawful, and the data subject prefers restriction of processing over erasure; the Company's legitimate interests for processing do not override those of the data subject.
  • Right to data transfer: to the extent permissible, the right to receive or ask the Company to transfer to a third party, a copy of the data subject's personal data in a structured, commonly used machine-readable format.
  • Right to be notified of a personal data breach: the right to be notified of a personal data breach which is likely to result in a high risk to the data subject's rights, freedoms, or dignity.
  • Right to complain: the right to lodge a complaint to the Data Commissioner.

7. Duty to Notify

Before collecting personal data, in so far as shall be practicable, the Company shall inform the data subject of;

  • The fact that personal data is being collected;
  • The purpose for which the personal data is being collected;
  • The third-parties to whom personal data has been or will be transferred;
  • The rights of the data subject;
  • Whether data is being collected pursuant to any law and whether such collection is voluntary or mandatory; and
  • The consequences, if any, where the data subject fails to provide all or any part of the requested data.

8. Lawful Purpose for Processing Personal Data

The Company shall not process personal data unless;

  • The data subject consents to the processing for one or more specified purposes; or
  • The processing is necessary for:
    • Performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
    • Compliance with any legal obligation to which the Company is subject;
    • Protection of the vital interest of the data subject or another data subject;
    • Protection of someone's life or physical integrity, especially in emergencies;
    • Performance of a task in the public interest or when exercising official authority; and
    • The controller or a third party has a legitimate interest in processing the data, provided that this interest is not overridden by the rights and freedoms of the data subject.

9. Exercise of the Rights of Data Subjects

A right conferred on a data subject shall be exercised—

  • By the data subject;
  • Where the data subject is a minor, by a person who has parental authority or by a guardian;
  • Where the data subject has a mental or other disability, by a person duly authorized to act as their guardian; or
  • In any other case, by a person duly authorized by the data subject.

10. Exercise of a Data Subject's Rights — Restriction on Processing

The Company can, at the request of a data subject, restrict the processing of personal data where;

  • The accuracy of the personal data is contested by the data subject to allow the Company time to verify the accuracy of the data;
  • Personal data is no longer required for the purpose of the processing unless the Company requires the personal data for the establishment, exercise or defence of a legal claim;
  • Processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
  • The data subject has objected to the processing pending verification whether the legitimate interests of the Company override those of the data subject.

Where the processing of personal data is restricted, the personal data shall unless being stored, only be processed with the data subject's consent or for the establishment, exercise or defence of a legal claim, the protection of the rights of another person or for reasons of public interest; and at all times, the Company shall inform the data subject before withdrawing the restriction on processing personal data.

11. Reporting and Handling of Data Breaches

All employees, contractors, and third-party service providers must promptly report any suspected or actual data breach to the Data Protection Officer (DPO).

Reports should be made as soon as the individual becomes aware of the breach, regardless of whether they are directly involved in the incident, and in any case, not more than seventy-two (72) hours after the data breach occurred.

The Report should include:

  • A description of the incident.
  • The type of data affected and the individuals affected.
  • The potential consequences of the breach.
  • Any remedial actions taken or planned.
  • Upon receiving a data breach report, the DPO shall conduct an initial assessment to determine the severity and scope of the breach.
  • Immediate steps will be taken to contain and minimize the breach's impact, which may include isolating the affected systems or data.
  • The DPO will ensure to notify all the affected individuals without undue delay.
  • The Company shall take necessary steps to mitigate any harm resulting from the breach and implement measures to prevent future incidents.
  • Following the resolution of a data breach, the Company will conduct a comprehensive review to identify lessons learned, improve security measures, and enhance data protection practices.
  • Thereafter, the DPO shall report the data breach to the Office of the Data Commissioner as provided under the Data Protection Act.

12. Criteria to be Applied to Collection of Personal Data from Children

In the event that processing of a child's personal data is necessary, the Company shall ensure that the minor's rights as a data subject are protected and safeguarded and consent is sought through the parental authority or guardian at all times. Personal data relating to a child shall be processed in such a manner that protects and advances the rights and the best interests of the child.

In order to process the personal data of a child, the Company shall have incorporated appropriate mechanisms for age verification and consent. Such mechanisms include but are not limited to, available technology, the volume of personal data processed, the proportion of that personal data likely to be of a child, the possibility of harm to a child arising out of the processing of the data, and such other factors as may be specified by the Data Commissioner.

Where the Company provides services to a minor, it may not be required to obtain parental consent.

13. Processing of Sensitive Personal Data

No category of sensitive personal data shall be processed unless data protection principles apply to that processing.

14. Disclosure of Personal Data

The Company shall hold personal data in confidentiality and shall not disclose the same save to the following persons:

  • Internal Third Parties: these are other companies or organizations such as subsidiaries and affiliated entities acting as joint controllers or processors of personal data alongside the Company.
  • External Third Parties: these are service providers who provide I.T. and system administration services; professional advisers acting as processors or joint controllers including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services; the Kenya Revenue Authority, regulators and other authorities acting as processors or joint controllers based in Kenya.
  • Third Parties to whom the Company may choose to sell, transfer or merge part of its assets or such entities that the Company may acquire. In such circumstances, the new entities shall have rights to use personal data in a similar manner as set out in this Policy.

The Company undertakes to require all third-parties with whom it may share personal information to respect the security and privacy of all personal data and to treat it at all times in accordance with the law and this Policy. Such third parties may not use personal data shared with them by the Company for their own purposes and they must use it for the specified purpose and in accordance with the Company's instructions.

15. Data Protection Officer

The Company shall designate a Compliance Officer to be the Data Protection Officer (DPO). The DPO shall:

  • Advise staff on requirements for data protection, including conducting data protection impact assessments.
  • Ensure that the Company complies with the legal requirements on data protection.
  • Handle all data protection inquiries within the Company.
  • Facilitate capacity building of staff involved in data processing operations.
  • Monitor the implementation and enforcement of the data protection policies and procedures.
  • Ensure that data processor and controller licenses are up to date.

16. Data Protection Impact Assessment

The Company shall carry out data protection impact assessment where it is suspected that data processing might result in high risk to the rights and freedoms of the data subject. In those instances, the Company shall, where possible, consult with the Data Commissioner and shall adhere to the set-out guidelines in carrying out an impact assessment.

17. Compliance with Audit

The Company may conduct periodic audits to ensure compliance with this Policy. All employees, contractors, and third parties involved in data processing shall cooperate and facilitate the conducting of the audits and comply with any remediation actions.

18. Employee's Responsibilities

Employees of the Company who process personal data shall comply with the requirements of this Policy. All employees shall ensure that:

  • All personal data is kept securely;
  • No personal data is disclosed either verbally or in writing, accidentally or otherwise to any unauthorized third party;
  • All personal data is kept in accordance with the Company's Policies;
  • Any data protection breaches are swiftly brought to the attention of the DPO; and
  • Where there is uncertainty around a data protection matter, advice is sought from the DPO.

19. Applicable Laws

This Policy has been prepared with due regard to the following laws and regulations:

  • Data Protection Act (Cap 411C Laws of Kenya); and
  • Data Protection (General) Regulations (Legal Notice 263 of 2021).

20. Governance and Review

This Policy shall be reviewed every two years by the Company's management responsible for data privacy and security. Such necessary changes may be recommended to the Board of Directors for approval.

Annex

Data Retention Policy

Purpose

This Data Retention Policy establishes the guidelines for the retention, management, and disposal of data held by the Company. The purpose of this Policy is to ensure that personal data is retained only for as long as necessary to fulfil its intended purpose, comply with legal and regulatory requirements, and support business operations.

Scope

This Policy applies to all employees, contractors, and third-party service providers who handle the Company's personal data. It covers personal data held including electronic records, paper documents, emails, and other forms of information, regardless of format or storage location.

Data Classification and Retention Periods

Data will be classified based on its type and sensitivity. The following retention periods apply unless a longer period is mandated by law or contractual obligations:

  • Operational Data: Retained for the duration of its active use and archived when no longer needed, with periodic review for disposal.
  • Financial and Accounting Records: Retained for a minimum of seven years to comply with legal and tax regulations.
  • Employee and Human Resources Data: Retained for six years after termination of employment, unless longer retention is required.
  • Customer and Client Data: Retained for the period of the relationship and for six years after the relationship ends, unless otherwise required.
  • Legal and Compliance Documents: Retained for as long as necessary to comply with legal, regulatory, or contractual obligations.
  • Sensitive Data: Retained only for as long as necessary to fulfil its specific purpose and then securely disposed of.
Personal Data CategoryType of DataRetention PeriodRationaleDisposal Method
Employee RecordsPersonal details, employment contracts, performance reviews, benefits records etc.Active: During employment; 6 years after terminationCompliance with employment law and to respond to potential claimsSecure deletion or physical shredding
Customer DataContact information, purchase history, service communications etc.Active: Duration of relationship; 6 years after last contactContractual obligations and potential claims.Secure deletion or anonymization
Supplier and Vendor RecordsContracts, invoices, contact details, payment records etc.6 years after contract terminationAudit, tax, and accounting purposes in line with legal obligationsSecure deletion or physical destruction.
Financial and Accounting RecordsInvoices, receipts, bank statements, tax records etc.7 years after the end of the relevant financial year.Statutory requirements for tax, audit, and financial reporting.Secure deletion or destruction.
Marketing DataNewsletter subscriptions, promotional emails, engagement analytics etc.Active: Until opt-out; 2 years after last engagementConsent-based processing and to support marketing effectiveness.Secure deletion or anonymization.
Legal and Litigation FilesDocuments related to disputes, litigation, or legal claims.10 years after case resolutionPreservation for potential legal claims and dispute resolutionSecure archiving followed by destruction after expiry.
Website Analytics and Cookies DataVisitor logs, IP addresses, etc.13 monthsStatistical and performance analysis, with compliance to privacy guidelines.Secure deletion or anonymization.

Data Disposal and Deletion

When personal data reaches the end of its retention period:

  • The data must be securely deleted, destroyed, or anonymized to prevent unauthorized access or recovery.
  • Appropriate methods for disposal, approved by the DPO, will be used based on the data type and storage medium. Disposal may be through shredding paper records or using secure deletion software for electronic data.
  • Documentation of the disposal process should be maintained to verify compliance.

Responsibilities

  • Data Owners: Responsible for determining the appropriate retention period for the personal data they manage, in consultation with the DPO, and ensuring that the data is reviewed periodically.
  • IT Department: Responsible for implementing technical measures to archive and securely dispose of personal data according to this Policy.
  • DPO: Oversee Policy compliance, conduct audits, and ensure that retention practices meet legal and regulatory standards.
  • Employees: Must adhere to this Policy and report any deviations or concerns to their supervisor or the DPO.

Policy Review and Updates

This Policy will be reviewed once every two years and updated as necessary to reflect changes in legal requirements, business needs, or technology.

Contact — Data Protection Officer. To exercise any of your rights, raise a data-protection query, or report a suspected data breach, contact Leysco Limited at info@leysco.co.ke or +254 (0) 780 457 591, APA Arcade, Hurlingham, Nairobi, Kenya. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (Kenya).
← Back to home