Our commitment to data protection
Ahmednasir Abdullahi Advocates LLP takes data privacy seriously. The effective management of all personal data, including its security and confidentiality, lies at the heart of our business and underpins our practices and processes. We recognise and value the trust that individuals place in us when providing us with personal data and we are committed to safeguarding the privacy and security of personal data we may collect from visitors to our websites and/or the clients to whom we provide legal and other services by putting in place robust compliance and risk management practices and protocols.
What data do we collect
We may collect and process different types of personal data in the course of operating our business and providing our services. These include:
- Basic personal details such as your name and job title;
- Contact data such as your telephone number and postal or email address;
- Financial data such as payment related information or bank account details;
- Demographic data such as your address, preferences or interests;
- your IP address and other technical information which tells us about how you use our Websites;
- Personal data provided to us by or on behalf of our clients or generated by us in the course of providing our services, which may, where relevant, include special categories of personal data;
- your geographic location (country/territory where you are living and/or working);
- Identification and other background verification data such as a copy of identification cards, passports or utility bills or evidence of beneficial ownership or the source of funds to comply with client due diligence / “know your client” / anti-money laundering laws and collected as part of our client acceptance and ongoing monitoring procedures;
- Recruitment related data such as your curriculum vitae, your education and employment history, details of professional memberships and other information relevant to potential recruitment to Norton Rose Fulbright;
- Data that you may provide to us in course of registering for and attending events or meetings, including access and dietary requirements; and
- Any other personal data relating to you that you may provide.
A. For people who view and interact with our websites, we process data:
- to respond to your query when sent through our ‘contact us’ or ‘book appointment form
- to sign up to our e-alerts or newsletter when you request subscription through our website
The legal basis for this processing is our legitimate interest in the administration and operation of our legal services as well as our legitimate interest in marketing and promoting our firm’s legal services. We always include an unsubscribe button in our communications, so you can opt out of receiving such communications at any time
B. For our potential clients and past clients, we process data:
- in order to market the services of our firm
- to provide you with legal updates and newsletters to which you have subscribed
The legal basis for the processing of this data is processing necessary for the purpose of the legitimate interests of our firm in promoting our services. We always include an unsubscribe button in our communications, so you can opt out of receiving such communications at any time.
C. For advocates, attorneys, solicitors, barristers and other professional advisers that we liaise with on client matters, we process data
- In order to liaise with you about our client matters
The legal basis for the processing of this data is processing necessary for the purposes of the legitimate interests pursued by our firm in representing our clients
D. For job applicants to the firm, we process data:
- to recruit new employees
- to ascertain your suitability for a specific role
E. For our clients, we process data:
- to communicate with you;
- in order to provide you with legal advice;
- to assist you with legal claims or legal proceedings;
- to assist you with your legal rights
- to enable corporate transactions to take place;
- for record keeping, statistical analysis, internal reporting and research purposes;
- to notify you about changes to our services;
- to investigate any complaint you make;
- to provide evidence in any dispute or anticipated dispute between you and us;
- to analyse how our Websites are being used;
- to customise various aspects of our Websites to improve your experience;
- to host, maintain and otherwise support the operation of our Websites;
- for the detection and prevention of fraud and other criminal offences;
- for risk management purposes;
- for business and disaster recovery (e.g. to create back-ups);
- for document retention/storage purposes; and
- to ensure the quality of the services we provide.
The legal basis for the processing of this data is processing necessary for the performance of a contract to which you are a party.
Where we process special categories of data relating to you, e.g. health data that we may process in connection with a legal claim where we are acting on your behalf, our legal basis for processing will be that the processing is necessary for the establishment, exercise or defence of legal claims.
There may also be limited circumstances where our legal basis for processing is your consent (where we have sought it and you have provided it to us), in which case you can withdraw your consent at any time.
How long do we keep your data
We only retain your data for as long as is necessary for us to use your data as described above, where it is in our legitimate interest, or to comply with our legal obligations. However, please be advised that we may retain some of your data after you cease to use our services, for instance if this is necessary to meet our legal obligations, such as retaining the data for tax and accounting purposes. When determining the relevant retention periods, we will take into account factors including: (a) our contractual obligations and rights in relation to the data involved; (b) legal obligation(s) under applicable law to retain data for a certain period of time; (c) our legitimate interest where we have carried out a balancing test; (d) statute of limitations under applicable law(s); (e) (potential) disputes; (f) if you have made a request to have your data deleted; and (g) guidelines issued by relevant data protection authorities. Otherwise, we securely erase your data once this is no longer needed.
Who we share your data with
We share data with:
- professional advisers who we instruct on your behalf or refer you to, e.g. medical professionals, accountants, tax advisors or other experts;
- other third parties where necessary to carry out your instructions, e.g. Land Registry in the case of a property transaction, Companies Registry or your mortgage provider;
- our insurers and brokers;
- the auditors of our accounts;
- our bank/s; and
- external service suppliers, representatives and agents that we use to make our business more efficient, e.g. typing / transcription services, marketing agencies, document collation or analysis suppliers.
Our IT support and service providers may also access your data as a consequence of them providing support to us.
We only allow our service providers to handle your data if we are satisfied they take appropriate measures to protect your data. We also impose contractual obligations on service providers to ensure they can only use your data to provide services to us and to you.
We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
We may also need to share some data with other parties. For example, if we, in the course of our own business operations, sell or buy any business or assets we may disclose data held by us to the prospective seller or buyer of those businesses or assets.
Where possible, information will be anonymised but the recipient of the information will be bound by confidentiality obligations. If we are acquired, or substantially all of our assets are acquired, by a third party (or are subject to a reorganisation), Data held by us will be one of the assets which is transferred.
Transfers of data outside Kenya
To deliver services to you, it is sometimes necessary for us to share your data outside Kenya, e.g.:
- with your and our service providers located outside Kenya
- if you are based outside Kenya
- where there is an international dimension to the matter in which we are advising you
- if one of our lawyers or members of our staff needs to access it remotely while they are travelling outside Kenya
These transfers are subject to special rules under Kenya data protection laws. In those circumstances, we undertake an assessment of the level of protection in light of the circumstances surrounding the transfer. We will make sure that any transfers are not repetitive and only limited to the minimum amount of information possible and will always take steps to ensure that your data is adequately protected. In certain circumstances we may need to seek your consent unless there is an overriding legal need to transfer the data.
Where necessary we have entered into standard approved model data protection clauses with our external service providers and business partners in relation to the services they provide which may involve processing data for which we are the data controller from locations outside Kenya.
Your rights relating to personal data
You have the following rights under the GDPR, in certain circumstances and subject to certain exemptions, in relation to your personal data
- Right to access the data – you have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
- Right to rectification- you have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.
- Right to erasure – you have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten.
- Right to restriction of processing or to object to processing – you have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.
- Right to data portability – you have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine-readable format.
If you wish to request further information or exercise any of the above rights, or if you are unhappy with how we have handled your Personal Information, contact us here: firstname.lastname@example.org. Please provide as much information as possible to help us identify the information you are requesting, the action you are wanting us to take and why you believe this action should be taken.
Before assessing your request, we may request additional information in order to identify you. If you do not provide the requested information and, as a result we are not in a position to identify you, we may refuse to action your request.
We will generally respond to your request within fourteen days of receipt of your request. We can extend this period by an additional fourteen days if this is necessary taking into account the complexity and number of requests that you have submitted.
We will not charge you for such communications or actions we take, unless:
you request additional copies of your Personal Information undergoing processing, in which case we may charge for our reasonable administrative costs, or
you submit manifestly unfounded or excessive requests, in particular because of their repetitive character, in which case we may either: (a) charge for our reasonable administrative costs; or (b) refuse to act on the request.
If you are not satisfied with our response to your complaint or believe our processing of your Personal Information does not comply with data protection laws, you can make a complaint to the Office of the Data Protection Officer (“ODPC”). The contact details the ODPC can be found here: https://www.odpc.go.ke/contact/.
Requirement to process personal data
You may browse our website without providing us with any personal data and this will not affect your ability to view our website.
If you do not provide us with your information for the purposes described above, we cannot send you, our legal alerts / newsletter, respond to your queries sent through our contact us form, liaise with you on client matters or assess your suitability for a role within our firm.
Automated decision-making and profiling
We do not use any personal data for the purpose of automated decision-making or profiling.