Privacy Notice

Last updated: 26th May 2023
Rilani Advocates LLP (the “Firm”) is committed to protecting personal information that may be collected from visitors to our website and clients to whom we provide legal services. We have a professional obligation to keep confidential all information we receive within a lawyer-client relationship and are committed to protecting any personal information we hold. This notice describes how we collect, process, and retain your personal information.
By providing us with your personal data or the personal data of your staff, customers, agents and any other relevant individuals, you agree to the processing set out in this Privacy Notice.
We collect and process different types of personal data in the course of operating our website and providing our legal services. These include: –
a. details of your visits when you or your organisation browse, make an enquiry or otherwise interact on our website or any digital tools that we make available;
b. information that you provide to us from time to time including when you request or use any of our services, or when you submit queries to us;
b. identity data such as your name, marital status, title, nationality and date of birth;
c. identification data including national ID and passport details, or other identification documents;
d. contact data including email addresses, telephone numbers and postal addresses;
e. details of your financial position and history; and
f. records of correspondence and information provided to us in correspondence.
We collect your information by lawful means and only as required to provide services as requested by you. We purpose to collect your personal data directly from you, unless otherwise required or allowed by law.
We will only use your personal data where we are permitted to do so by law. Under the Data Protection Act, 2019, the use of personal data must be justified under one of the following legal grounds, which we shall abide by: –
i. Consent: We shall process personal data if you have provided prior and explicit consent, unless the law otherwise permits.
ii. Legitimate interests: The processing of your personal data may be based on our legitimate interests which may outweigh any prejudice to your rights such as: maintaining the security of our premises, exercising or defending legal claims, financial management and reporting, conducting data analysis, providing support, and developing and improving our services.
iii. Contract: The processing of your personal data may be necessary for the performance of our contract with you.
iv. Legal obligation: The processing of personal data may be necessary for compliance with legal requirements such as: responding to court orders, exercising obligations for the prevention and detection of crime, and complying with requests to assist with investigations from competent authorities.
v. Historical, statistical, journalistic, literature and art or scientific research: The processing of personal data may be necessary to enable historical, statistical, journalistic, literature and art or scientific material.
Taking note of the above legal grounds for processing your personal, we shall use your personal data for the following purposes:
1. To identify you and confirm your identity as a client;
2. To provide you with our services;
3. To draw up and execute the agreements entered into between you and us, including the promotion of your interests and legal representation in disputes.
4. For invoicing. Your invoice will not be published, nor will it be made available to third parties for any purpose other than the execution of the agreement.
5. To offer you marketing information on our website and by e-mail in a general manner.
6. To analyze, maintain, protect and optimize our website and technologies.
7. To comply with the law and regulations we are subject to.
8. For administrative purposes.
9. To comply with our legal and professional duties.
10. To respond to your queries.
11. For general statistical analysis.
We will not share your personal data with third parties, except third parties assisting us with delivering our services. Any third parties with which we choose to share personal data shall be required to strictly use such data for the purpose for which the personal data was provided.
We may share your personal data with law enforcement agencies and regulators, such as the Financial Reporting Centre in certain circumstances where we are under a duty to comply with any legal or regulatory obligation to disclose or share your information.
The data that we collect from you or that we receive on your account or behalf is stored in Kenya or cloud-based solutions in various extraterritorial locations. Where your data is transferred outside Kenya, we will take reasonable steps to ensure that your information is treated securely, and the means of transfer provide adequate safeguards.
During the course of working with you we may use certain third-party technology services to assist with our work on the matter. Where these services are integral to our work for you, we shall deploy them as a matter of course. In all cases, the use of such services may require your personal information to be held in the cloud.
We will keep your information only for as long as necessary depending on the purpose for which it was provided. How we long we retain your personal information shall be dependent on:
i. the purposes for which we process your personal data;
ii. our legal obligations under applicable law to retain data for a certain period of time;
iii. the statute of limitations under applicable laws; the nature and sensitivity of your personal data;
iv. potential disputes;
v. the potential risk of harm from unauthorised use or disclosure of your personal data; and
vi. guidelines issued by relevant supervisory authorities.
We have put in place reasonable physical, technical, and administrative security measures to protect personal data from unauthorized access, accidental loss, alteration or destruction.
Access to your personal information shall be limited to our staff and third parties that process personal information on our instructions. They shall be subject to a duty of confidentiality and will be required to maintain appropriate security measures.
We will notify you of any personal data breach concerning data you have provided to us without undue delay, and in any case within twenty-four (24) hours and take action to contain and stop the breach. If we confirm that there has been a personal data breach and personal data has been accessed by an unauthorized person and there is real risk of harm upon you, we will also notify the Data Commissioner within seventy-two (72) hours of becoming aware of a breach.
Under certain circumstances under the Data Protection Act, 2019 and other applicable data protection regulations, you may have the following rights: –
1. The right to be informed of the use to which their personal data is to be put;
2. The right to access their personal data in our custody;
3. The right to object to the processing of all or part of their personal data;
4. The right to correct false or misleading data; and
5. The right to delete false or misleading data.
If you wish to exercise any of these rights, please contact us in writing at and we will review your entitlement and respond within a month. While it is our policy to respect your rights as a data subject, your exercise of said rights is subject to certain exemptions and some of these rights may be limited where we are required or permitted by law.
If you are not satisfied with our use of your personal data or our response to any exercise of these rights, you may make a complaint to the Data Protection Commissioner.
Please keep us informed if your personal information changes during your working relationship with us.
We keep our Privacy Notice under regular review and any updates will be posted on our website in the most recent version of this Privacy Notice. Where appropriate, changes may be notified to you by post or email.