Privacy Policy for GDDC Kenya

Last updated: February 16, 2026

At GDDC Kenya (Gender and Disability Development Centre), we are committed to protecting your privacy and ensuring the security of your personal data. This policy outlines how we collect, use, and safeguard your information in compliance with the Data Protection Act, 2019 of Kenya and other applicable laws.

Definitions

The Act: The Data Protection Act, 2019 (Laws of Kenya).

Data Controller: GDDC Kenya, the entity that determines the purposes and means of processing personal data.

Data Processor: Any person or entity processing data on behalf of the Data Controller.

Data Subject: An identified or identifiable natural person who is the subject of Personal Data.

ODPC: The Office of the Data Protection Commissioner.

1. Principles of Data Protection

In accordance with Section 25 of the Act, we adhere to the following principles:

Lawfulness, Fairness, and Transparency: Data is processed lawfully, fairly, and in a transparent manner.
Purpose Limitation: Data is collected for explicit, specified, and legitimate purposes.
Data Minimization: We only collect data that is adequate, relevant, and limited to what is necessary.
Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date.
Storage Limitation: Data is kept in a form which identifies data subjects for no longer than is necessary.

2. Personal Data We Collect

We may collect and process the following data:

Identity Data: Names, designation, and gender.
Contact Data: Email address and phone numbers.
Institutional Data: Organization name and category.
Sensitive Data: Disability status (where voluntarily provided for inclusion audits).
Technical Data: IP address and browser type when you use our website.

3. How We Use Your Data

Your personal data is used for:

Conducting National Inclusion Audits and GEDI Awards assessments.
Communication regarding our programs, trainings, and certifications.
Compliance with legal obligations under Kenyan law.
Improving our digital services and website experience.

4. Legal Basis for Processing

We rely on the following lawful bases as per Section 30 of the Act:

Consent: You have given clear consent for us to process your personal data for a specific purpose.
Legal Obligation: Processing is necessary for compliance with the law.
Legitimate Interests: Necessary for the legitimate interests pursued by GDDC (e.g., advocacy for disability inclusion).
Contract: Processing is necessary for the performance of a contract (e.g., consultancy services).

5. Data Retention & Security

Security: We implement appropriate technical and organizational measures (such as encryption and access controls) to protect your data from unauthorized access, alteration, or destruction.

Retention: We retain personal data only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

6. Your Rights Under DPA 2019

Under the Data Protection Act, 2019, you have the right to:

Be Informed: Know what data we collect and how we use it.
Access: Request a copy of your personal data.
Rectification: Request correction of false or misleading data.
Erasure: Request deletion of your personal data.

Object: Object to processing of your personal data.
Portability: Request transfer of your data to another entity.
Withdraw Consent: Withdraw consent at any time.

7. Contact Us & Complaints

If you have any questions about this privacy policy or how we handle your data, please contact us:

GDDC Kenya

Email: info@gddckenya.org

Address: P.O. Box 2221-00200, Nairobi, Kenya

You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) if you believe your data protection rights have been violated.
Website: www.odpc.go.ke