Data Protection Policy


Capwell Industries Limited (hereinafter referred to as “CIL”), in the course of its operation, collects, stores, uses and otherwise processes certain types of information (such as name, telephone numbers, address, images, identity card details, fingerprint, photographs, etc.) of individuals that make them identifiable (“personal data”). These individuals may include customers, current, past and prospective employees, suppliers/vendors, and other individuals with whom CIL interacts or deals, jointly and/or severally (“Data Subjects”).

Policy Statement

CIL is committed to processing all personal data in accordance with the provisions of the Data Protection Act and the attendant Regulations which seek to safeguard the privacy rights of individuals, and any other relevant data protection laws (herein collectively referred to as “data protection laws”). CIL also fully respects individuals’ right to privacy and is committed to preserving the rights of data subjects and entities who share their personal data with the Company.


This Policy applies to all employees of CIL, customers, as well as any external business partners (such as suppliers, contractors, vendors and other service providers) who receive, send, collect, access, or process Personal Data in any way, on behalf of CIL, including processing wholly or partly by automated means. This Policy also applies to third party Data Processors who process Personal Data under the instructions of CIL.

General Principles for Processing of Personal Data

CIL will ensure that Personal data shall be:

  • Processed lawfully, fairly and in a transparent manner and in line with the right to privacy.
  • Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with that purpose.
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is to be processed.
  • Accurate and where necessary kept up to date.
  • Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed.
  • Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction, or damage.
  • Not transferred out of Kenya unless there is proof of adequate data safeguards/measures or consent from the data subject.

Rights of Data Subjects

All individuals who are the subject of Personal Data processed by CIL are entitled to the following rights:

  • Right to request for and access their Personal Data collected and stored. Where personal data is held electronically in a structured form, such as in a Database, the Data Subject has a right to receive that data in a common electronic format;
  • Right to information on their personal data collected and stored;
  • Right to objection or request for restriction;
  • Right to object to automated decision making;
  • Right to request rectification and modification of their data which CIL keeps;
  • Right to request for deletion of their data, except as restricted by law or CIL’s statutory obligations;
  • Right to request the movement of data from CIL to a Third Party; this is the right to the portability of data; and


CIL may engage the services of third parties in processing the Personal Data it collects. The processing by such third parties shall be governed by an express written contract, to ensure adequate protection and security measures are put in place by the third party for the protection of Personal Data in accordance with the terms of this Policy and data protection laws. CIL may also share your personal data with law enforcement agencies as and when required by law to do so.


CIL will only process data where the data subject has given their explicit consent or where there is lawful basis to do so for one or more specific purposes or where the processing is deemed necessary:

  • For the performance of a contract to which the data subject is a party;
  • To comply with CIL’s legal obligations;
  • To perform tasks carried out in the public interest or the exercise of official authority;
  • To protect the vital interests of the data subject or another person;
  • To pursue CIL’s legitimate interests where those interests are not outweighed by the interests and rights of data subjects.


CIL will only collect and process data that is adequate, relevant, and limited to what is necessary. CIL staff must not access data which they are not authorised, or have no reason, to access.

Data shall only be collected for the performance of the stated duties and tasks. Moreover, staff shall not ask data subjects to provide personal data unless that is strictly necessary for the intended purpose, and shall ensure that data that is no longer needed for the specific purpose for which it was collected is deleted, erased, anonymised or pseudonymised.


CIL will ensure that the personal data it collects and processes is accurate, kept up to date, corrected or deleted without delay.


CIL has put in place data security measures and safeguards to ensure that, by default, only personal data which is necessary for each specific purpose is processed and that appropriate measures are employed against unauthorised access, accidental loss, damage and destruction of data. This includes the use of password-encrypted databases for digital storage and locked cabinets for physical files.


Where necessary, CIL will maintain adequate records to show that explicit consent was obtained before processing of personal data. Data will not be processed after the withdrawal of consent by a data subject.


CIL will process sensitive personal data only when:

  • The processing is carried out during legitimate activities with appropriate safeguards and that the processing relates solely to the staff or to persons who have regular contact with CIL and the personal data is not disclosed outside CIL without the consent of the data subject.
  • The processing relates to personal data that has been made public by the data subject.
  • Processing is necessary for:
    • The establishment, exercise or defence of a legal claim;
    • The purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject;
    • Protecting the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent.


CIL will transfer personal data out of Kenya only when they have:

  1. Proof of appropriate measures for security and protection of the personal data, and the proof provided to the Data Protection Commissioner in accordance with Kenya’s Data Protection Act, 2019. Such measures include that data is transferred to jurisdictions with commensurate data protection laws.
  2. The transfer is necessary —
    • for the performance of a contract which the data subject is part of;
    • for the conclusion or performance of a contract concluded in the interest of the data subject;
    • for any matter of public interest;
    • for the establishment, exercise or defence of a legal claim;
    • in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
    • for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.

CIL will process sensitive personal data out of Kenya only after obtaining the consent of a data subject and on receiving confirmation of appropriate safeguards.


The data retention period at CIL is determined by legitimate needs. Adequate records of decision making will be maintained accordingly.


The adequacy and effectiveness of this policy are subject to regular reviews. Where this policy is amended, an updated version shall be provided.