Iseme Kamau & Maema Advocates
1. Purpose of this policy
2. Who are we and what do we do
3. How to contact us
4. What personal information do we collect
5. Purpose and legal bases for using your personal information
6. Sharing your personal information
7. Where we transfer your personal information to
8. Retention of personal information
9. Confidentiality and security of your personal information
10. How to access your information and your other rights
IKM is a leading corporate commercial law firm that has been offering legal services in Kenya for over 30 years. Our goal is to offer quality, value for money and efficient representation to achieve best outcomes for our clients' needs. The focus is on finding practical and innovative legal solutions, while ensuring quick turnaround times.
IKM is a member of DLA Piper Africa, a Swiss Verein whose members are comprised of independent law firms in Africa working with DLA Piper.
We may collect personal information in the course of our business, when you contact us or request information from us, when you engage our Services or as a result of your relationship with one or more of our staff and clients. When we require personal information from you in order to fulfil a statutory or contractual requirement, or where such information is necessary to enter into a contract or is otherwise an obligation, we will inform you and indicate the consequences of failing to do so.
From individuals who are clients and prospective clients, or are representatives of clients and prospective clients, we may collect the following personal information:
- Your name, the named IKM client, the name of the company you work for (if different) and your job title.
- Contact information for you, the named IKM client, and the company you work for (if different), including address, fax, phone number and email address.
- Payment information (including bank account and wire details), billing instructions and preferences (including to whom to direct invoices). Relevant information so that we can perform conflicts of interest checks.
- Relevant information as required by regulatory Know Your Client and/or Anti Money Laundering regulations and as part of our client intake procedures. This may possibly include evidence of source of funds, at the outset of and possibly from time to time throughout our relationship with clients, which we may request and/or obtain from third party sources. The sources for such verification may include documentation, which we request from the client or prospective client or through the use of online or public sources or both.
- Information you provide to us for the purposes of attending meetings and events, including dietary requirements, which may reveal information about your health or religious beliefs.
- Information that you provide to us as part of the provision of Services to you, which depends on the nature of your engagement with DLA Piper.
- Other information relevant to the provision of Services.
Related parties and client representatives
IKM is primarily engaged by corporate entities and clients (i.e., legal entities), and those legal entities are not data subjects (i.e., natural persons to whom personal information relates). However, as part of our engagement with these clients, we may receive personal information about individuals. For example, we may receive names, contact details and other information relating to:
- Officers, representatives and/or personnel of our corporate clients or prospective clients, as well as their affiliated and related entities.
- Adverse parties in a matter or potential matter, such as claimants, plaintiffs, defendants and other adverse parties.
- Related parties in a matter or potential matter.
- Vendors and suppliers of our corporate clients or prospective clients.
- Current and former legal advisors, consultants and other professional advisors of our corporate clients or prospective clients.
- Government and/or law enforcement entities and their representatives.
- If you are an individual whose personal information is processed by us as a result of providing the Services to others (including individual clients and corporate clients), we will process a variety of different personal information depending on the Services provided. For example, if we are representing a client in a cross-border acquisition, we may receive and then process (among other information) details of the key managers of the target company. We might also need to process personal information in relation to other third parties instructed either by our own clients or other persons or companies involved in providing the Services to our client (egg, other law firms, experts etc.). These examples are non-exhaustive, which is reflective of the varied nature of the personal information we process as part of a law firm providing legal services.
For clients and prospects, we also collect information to enable us to market our Services, which may be of interest to you. For this purpose, we collect:
- Name and contact details.
- Other business information, such as job title and the company you work for.
- Areas or topics that interest you.
- Additional information may be collected, such as events you attend and if you provide it to us, dietary preferences which may indicate data about your health or religious beliefs.
Our processing of personal information is justified by a "legal basis", that is, a specific condition. We may use personal information for the following purposes, in each case as justified by a legal basis:
Fulfilment of services
We use personal information to enable us to perform the Services, respond to your requests and deliver our Services, to provide legal advice and related Services for which you have engaged us, verify your identity, and carry out requests made by you in relation to our Services.
What is our legal basis?
This processing is necessary for our compliance with legal obligations (including our professional and ethical duties as lawyers). It is in our legitimate interest or a third party's legitimate interest to use your personal information in such a way to ensure that we provide the very best client service we can to you or others and comply with our professional and ethical duties as lawyers, consistent with applicable law. In some cases, this processing is necessary to perform a contract to which you are a party.
We use personal information to provide the Services, to communicate with you about your use of the Services, to respond to your inquiries, to provide troubleshooting, to fulfil your requests, to bill you for our Services, to collect payments, to respond to complaints and inquiries, to provide technical support, and to provide other client service and support.
What is our legal basis?
This processing is necessary to establish, exercise or defend our legal claims and rights. It is in our legitimate interest or a third party's legitimate interest to use your personal information in such a way to ensure that we provide the very best client service we can to you or others and comply with our professional and ethical duties as lawyers, consistent with applicable law. In some cases, this processing is necessary to perform a contract to which you are a party.
Business administration and legal compliance
We use personal information for the following business administration and legal compliance purposes:
- To perform and maintain information for the purposes of performing conflicts of interest searches.
- To comply with our legal obligations (including Know Your Client, Anti-Money Laundering, Anti-Bribery, conflicts or similar obligations including, but without limitation, maintaining regulatory insurance).
- To enforce our legal rights. To investigate and/or settle inquiries or disputes.
- To comply with any applicable law, court order, other judicial process, law enforcement requests or the requirements of a regulator.
- To enforce our agreements with you.
- To protect the rights, property or safety of us or third parties, including our other clients and users of our Services.
- To maintain our records.
- To process business transaction data, such as in connection with a merger, or a restructuring, or sale.
- To use as otherwise required or permitted by law, consistent with these purposes.
What is our legal basis?
It is necessary to enforce, establish or defend our legal rights, or to protect the rights of third parties. This processing is necessary to comply with local and other legal obligations imposed upon us. It is in our legitimate interest or a third party's legitimate interest to use your personal information to comply with other legal obligations. In some cases, this processing will be necessary to perform a contract to which you are a party.
Marketing and promotions
We may use personal information for marketing and promotional purposes, such as to send you news and newsletters, or to otherwise contact you about products or information we think may interest you, by email and direct (postal) mail. We may also use it develop new Services and determine how to market our Services.
What is our legal basis?
It is in our legitimate interest to use your personal information for marketing purposes in order to develop and grow our business and Services and promote the reputation of our firm. We will, where required by applicable law, obtain your consent to send such communications.
We may use personal information in order to respond to Requests for Proposals ("RFPs"), prepare for and present pitches and other proposals, and identify potential business opportunities. Largely, this involves our collection and use of non-personal business information about current, former and prospective corporate clients. However, we may also process limited personal information about individuals (name, current and former company, current and former title, contact information and similar information).
What is our legal basis?
This processing is also in our legitimate interest to use your personal information in order to develop and grow our business and Services and promote the reputation of our firm. We also may process this information to respond to an RFP or a specific request in anticipation of a contract with you (i.e., engagement for Services).
Client insight and analytics
We use personal information to better understand how you and others use our Services, so that we can improve our Services, develop new features, tools, offerings, services and the like, and for other research and analytical purposes. We may use this information and the insights we have derived for marketing purposes (see the marketing section above for further details), or to make decisions about events, news and information that may be of interest to clients and prospective clients.
What is our legal basis?
It is in our legitimate interest to use your personal information in such a way to ensure that we provide the very best Services to our clients and others in order to develop and grow our business and Services and promote the reputation of our firm.
Industry benchmarking and rankings
We participate in industry surveys and reports (such as Chambers, International Financial Law Review and Partners and Legal 500), which clients use to assess law firms and the legal industry. Largely, this involves our collection and use of non-personal business information about clients and matters. However, we may also review and share limited personal information about individuals (such as referee name, title and contact).
What is our legal basis?
It is in our legitimate interest to use your personal information in order to develop and grow our business and Services and promote the reputation of our firm. Where required, we will obtain your consent.
Prevent misconduct, abuse and misuse
Subject to our professional and ethical duties, we use personal information where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, or violations of our terms of engagement.
What is our legal basis?
This processing is necessary to comply with local and other legal obligations imposed upon us. It is necessary to enforce, establish or defend our legal rights, or to protect the rights of third parties. It is in our legitimate interest or a third party's legitimate interest to use your personal information to comply with other legal obligations. In some cases, this processing will be necessary to perform a contract to which you are a party.
We may appoint sub-contractor data processors as required to deliver the Services, such as, without limitation, document processing and translation services, confidential waste disposal, IT systems or software providers, IT Support service providers, and document and information storage providers, who will process personal information on our behalf and at our direction. We conduct an appropriate level of due diligence and put in place contractual documentation in relation to any sub-contractor to ensure that they process personal information appropriately and according to our legal and regulatory obligations.
Further, we may appoint external data controllers where necessary to deliver the Services (for example, but without limitation, accountants, attorneys, consultants, professional advisors and other third party experts including, but without limitation, other DLA Piper practicing entities and/or DLA Piper Africa member firms as well as other law firms). When doing so, we will comply with our legal and regulatory obligations in relation to the personal information including, but without limitation, putting appropriate safeguards in place.
We may also share personal information with a variety of the following categories of third parties as necessary:
- Our professional advisers, such as lawyers and accountants.
- Government and/or regulatory authorities.
- Professional indemnity insurers.
- Regulators, tax authorities and/or corporate registries.
- Third parties to whom we outsource certain services, such as, without limitation, document processing and translation services, confidential waste disposal, IT systems or software providers, IT Support service providers, and document and information storage providers.
- Third parties engaged in connection with our Services, such as counsel, arbitrators, mediators, clerks, witnesses, court reporters, court, opposing party and their lawyers, document review platforms and experts, such as tax advisors.
- Third party service providers to assist us with client insight analytics, such as Google Analytics.
- Third party postal or courier providers who assist us in delivering our postal marketing campaigns to you, or delivering documents related to a matter.
IKM is located in Kenya; when you submit personal information to us, or when others provide personal information to us, we will receive it and process it in Kenya. In order to provide the Services, we also may need to transfer your personal information to locations in other jurisdictions.
If you are based in Kenya, please note that we will, where necessary to deliver our Services, transfer personal information to other countries and shall, where necessary, provide the office of the Data Protection Commissioner with proof of existence of the necessary safeguards with respect to the security and protection of the personal data.
Further, if you are based within the European Union/European Economic Area (EEA), please note that where necessary to deliver the Services, we will transfer personal information to countries outside the EEA. Countries outside the EEA may not provide an adequate level of protection for your personal information.
For more information on how we protect your information please contact us at IKM Place, 5th Ngong Avenue, Nairobi or through email at [email protected].
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us.
We are committed to keeping personal information secure and we have implemented appropriate information security policies, rules and technical measures to protect the personal information that we have under our control from unauthorized access, improper use or disclosure, unauthorized modification and unlawful destruction or accidental loss. Please note that no transmission over the Internet is completely secure or error-free, and that the information security policies, rules and technical measures utilized and maintained by us may be subject to compromise.
All of our partners, employees, consultants, workers and data processors (i.e., those who process your personal information on our behalf, for the purposes listed above), who have access to, and are associated with the processing of personal information, are obliged to respect the confidentiality of such personal information.
This section only applies to data originating from the European Union.
You have the following rights in relation to the personal information we hold about you:
Your right of access
If you ask us, we will confirm whether we are processing your personal information and, if necessary, provide you with a copy of that personal information (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
Your right to correction (rectification)
If the personal information we hold about you is inaccurate or incomplete, you are entitled to request to have it corrected. If you are entitled to have information corrected and if we have shared your personal information with others, we will let them know about the rectification where possible. If you ask us, we will also tell you, where possible and lawful to do so, with whom we have shared your personal information so that you can contact them directly.
Your right to erasure
You can ask us to delete or remove your personal information in some circumstances, such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we have shared your personal information with others, we will let them know about the erasure where possible. If you ask us, we will also tell you, where it is possible and lawful for us to do so, with whom we have shared your personal information with so that you can contact them directly.
Your right to restrict (block) processing
You can ask us to restrict the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or the personal data is no longer required for the purpose of the processing. If you are entitled to restriction and if we have shared your personal information with others, we will let them know about the restriction where it is possible for us to do so. If you ask us, we will also tell you, where it is possible and lawful for us to do so, with whom we have shared your personal information so that you can contact them directly.
Your right to data portability
You have the right, in certain circumstances, to receive a copy of personal information we've obtained from you in a structured, commonly used and machine readable format, and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
Your rights in relation to automated decision-making and profiling
You have the right not to be subject to a decision when it's based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us or is authorised by laws applicable to us.
Your right to withdraw consent
If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time.
Your right to lodge a complaint with the supervisory authority
If you have a concern about any aspect of our privacy practices, including the way we've handled your personal information, you can report it to the relevant supervisory authority including but not limited to the Office of the Data Protection Commissioner.
Please note that some of these rights may be limited where we have an overriding legitimate interest or legal obligation to continue to process the personal information, or where the personal information may be exempt from disclosure due to applicable law, the applicable rules of professional conduct, attorney-client privilege, legal professional privilege, other applicable privileges or protections, or professional secrecy obligations.
We may make changes to this Privacy Notice from time to time, to reflect changes in our practices. We may also make changes as required to comply with changes in applicable law or regulatory requirements. Where we materially change this Policy, we will take steps to notify you (such as by posting a notice on the Site or via email), and where required by applicable law to obtain your consent.