• Suite 1008, 10th Floor, Applewood Adams, Ngong Road, Nairobi, Kenya

Privacy Notice

Privacy Notice

  1. Introduction

Gathara Consulting Engineers and its subsidiaries (“GATHARA CONSULTING ENGINEERS”, “we”, “us”, “our”) are committed to protecting your personal data. Please read this Privacy Notice carefully as it explains:

  1. how and why Gathara Consulting Engineers uses your personal data when you access our website, services and/or otherwise engage with us; and
  2. your legal rights in respect of your personal data.

Where you provide Gathara Consulting Engineers with personal data about other individuals (for example, other people within your organisation), please refer them to this Privacy Notice.

The term “personal data” used in this Privacy Notice is taken from data protection laws and broadly means any information that can identify individuals.

If you have any questions or comments about this Privacy Notice, please find our contact details in section 11 “How can you contact us?”.

Note that we may change this Privacy Notice from time to time by updating this page. This Privacy Notice does not apply to any third-party websites, plug-ins or applications to which you may be directed from our website. Clicking on those links or enabling those connections may allow third parties to collect or share data about you and so we encourage you to read the privacy policies/notices on the other websites you visit. We do not accept any responsibility or liability for the privacy practices of such third parties and your use of them is at your own risk.

  1. Who are we and who is responsible for your personal data?

Gathara Consulting Engineers is an international professional services and engineering firm headquartered in Canada, with offices in numerous locations across five continents. Further details can be found on our website. Our contact details can be found in section 11 of this Privacy Notice.

Typically, the Gathara Consulting Engineers entity or associated entity that is legally responsible for handling your personal data will be the entity in the country where you are accessing our services and/or otherwise engaging with us.

Where Gathara Consulting Engineers is engaged by its clients to provide services and as a result, we collect and use your personal data, we generally do so in line with our clients’ contractual instructions, or in accordance with applicable data protection laws. It is usually our clients and not Gathara Consulting Engineers that decide how and why any personal data should be used in the provision of services, so our clients will be ultimately responsible for your personal data in such circumstances.

  1. What personal data do we collect about you and for what purposes?

We may collect personal data about you or individuals working for your organisation in various circumstances, including in the provision of our services, use of our website, attendance at one of our events/offices and/or where we otherwise engage with you, e.g., to procure a service for Gathara Consulting Engineers etc. The personal data that we will collect and the reasons for using it will depend on the nature of your relationship with us but may include the types of information and purposes set out below.

  1. Engaging with youThis includes personal data such as your name, title, position, the company you work for, your postal address, email address, phone number and your correspondence with Gathara Consulting Engineers (including notes/transcripts/recordings of calls by telephone or Voice over IP systems). We may also ask about your relationship to another person, for example to establish any conflict of interest that might exist. We require the above information in order to engage with you for business purposes.

 

  1. Identification and verificationWe may ask for your passport or other official identification document to verify your identity, for example, if you are required to visit Gathara Consulting Engineers offices or facilities, or to access Gathara Consulting Engineers systems prior to or during your engagement with us. Aside from the data you provide to us directly, and in accordance with the local laws of the country where you are accessing our services, we may also find information about you from other sources, such as from tax authorities, carefully selected third party background screening providers (see section 5 below for more information on Gathara Consulting Engineers’ use of third parties), and/or from publicly available registers/websites where you have voluntarily made your personal data available (e.g., LinkedIn, company databases etc.). We require this information as part of our business acceptance processes and to comply with our legal obligations to prevent against money laundering, terrorism, corruption and fraud.

 

  1. On-site securityIf you visit us at our premises, we may collect your image and/or video footage via CCTV, and may also collect visitor log information (e.g., entry and exit times, vehicle registration etc.). We collect this personal data as it is in our legitimate interest to ensure our premises are secure and for the purposes of detecting/preventing crime.If you connect to our guest Wi-Fi network when visiting one of our offices, we may collect your name, e-mail address, telephone number, device MAC address, IP address and location to provide you with access to this network and to protect it from unauthorised use.

 

  1. Meeting/eventsWe may collect basic contact information from you when you register or attend a meeting/event hosted by or on behalf of Gathara Consulting Engineers. We use this information to identify you for building security and safety reasons, and so that we can invite you to future events/meetings (see section 3(f) on marketing below).In addition, for promotional purposes, we may also collect photos/video footage of individuals attending such meetings and events.However, you may also wish to inform us of any specific dietary requirements and/or tell us about any disabilities you have so that we can make the reasonable adjustments you require to facilitate your attendance at the meeting/event. In certain countries, such details fall into the category of personal data that data protection law considers to be inherently sensitive, as it relates to your health/disability and/or potentially your religion. This type of information is purely optional, so you do not have to provide it to us if you do not wish to, provided that you accept any associated risks of us not being aware. For more information about the legal bases which we rely on to use this specific type of personal data, please see section 4, “On what legal basis do we use your personal data?” below.

 

  1. Automated interactionsAs you interact with our website, we may automatically collect personal data from your device by using cookies and other similar technologies. Processing such information is necessary for us to pursue our legitimate interests in improving our website and providing a more relevant service to our clients and business partners. This information is not used to develop a personal profile of you.

 

  1. Marketing and information gathered through our website and our social media accountsCertain sections of our website, including our blogs, invite you to request publications, newsletters and alerts, subscribe to receive invitations to events, seminars and webinars, take part in client surveys and to receive Gathara Consulting Engineers announcements. If you do so, we will collect some or all of the following information: your name, email address, job title, organisation name and company address. Our systems will recognise you as a user and based on the content you view/request, we will strive to provide material that is relevant to you and your interests. We may also collect this information about you where you have physically attended an event hosted by Gathara Consulting Engineers, so that we can invite you again in the future.In addition, Gathara Consulting Engineers maintains accounts on social media platforms (such as LinkedIn and X) and may collect pictures, demographic information, interests and other personal data that you may share with the social media platform when interacting with these accounts.
  2. RecruitmentGathara Consulting Engineers will collect and use your personal data when you apply for a job, consultancy role, or work placement/internship with us. We may receive information about you through a recruitment agency or directly from you where you complete an online application form via any of Gathara Consulting Engineers’s career portals or when negotiating your consultancy/independent contractor agreement with Gathara Consulting Engineers. The personal data will include information relating to your education, employment history, skills, referrals, and other background information such as your right to work in the country where you are applying to work etc.
  3. Personal data of general populationsThe nature of Gathara Consulting Engineers’s business means that we are often engaged to work on environmental or infrastructure projects that are public, e.g., railway networks/housing developments. Where our clients engage us to provide these types of services, we may be required to collect your personal data. For example, we may be instructed to conduct social impact assessments, which could include surveying certain populations, such as indigenous populations. This may involve Gathara Consulting Engineers collecting sensitive information about members of the general public. Another example is where Gathara Consulting Engineers is engaged to identify legal interests in land that could be affected by proposed developmental/infrastructure work.  In such cases, Gathara Consulting Engineers may collect personal data of homeowners/residents in a given area.Note that when collecting personal data in the sorts of circumstances described in this section, Gathara Consulting Engineers would generally do so in accordance with our clients’ contractual instructions, in accordance with applicable data protection laws and with appropriate privacy and security protocols in place to protect your personal data.

 

  1. ProfilingThe term “profiling” refers to where your personal data is used for solely automated processing to evaluate or predict certain aspects about you without human assessment. Gathara Consulting Engineers does not currently do any profiling using personal data. Should we decide to use completely automated processes to profile individuals in the future, e.g., to market Gathara Consulting Engineers’s services more efficiently, we will notify you in accordance with applicable law and, depending on where you are located, you will have certain rights with respect to such use of your personal data (see section 9 “What are your rights over your personal data?” below).

 

 

  1. On what legal basis do we use your personal data?

The main legal grounds that Gathara Consulting Engineers relies on to collect and handle your personal data are:

  1. With your consent. For example, where:
    • it is mandatory under the data protection laws in a particular country that we operate in (note, this will either be your explicit consent or inferred consent where allowed by applicable law (the latter meaning your agreement is assumed based on your action or inaction at the point of collection, use or sharing of your personal data));
    • Gathara Consulting Engineers cannot lawfully handle personal data on the below or other permitted grounds under data protection laws; and/or
    • Gathara Consulting Engineers collects information that the data protection laws of certain countries consider to be inherently sensitive (for example, where you tell us about your dietary requirements so that we can cater to your specific health or religious requirements, or where you ask us to make adjustments to accommodate your disability etc.).

Please note that you may withdraw consent at any time after you have given it. This would not affect the lawfulness of Gathara Consulting Engineers’s prior use of that data. In certain situations, however, withdrawing consent might impact Gathara Consulting Engineers’s ability to provide services to/otherwise engage with you.

  1. Where it is necessary for us to collect and use personal data to provide our services to/perform a contract with you or your organisation.  For example:
    • to conduct our business activities, we have information (such as contact details and email communications) of our clients’, business partners’ and suppliers’ employees;
    • to complete projects for our clients, we may receive personal data of individuals;
    • to facilitate visitor access and on-site services at our premises; or
    • to process applications for employment.
  1. Where it is necessary in Gathara Consulting Engineers’s or in our clients’ legitimate interests. For example:
    • to administer and improve our websites;
    • to provide our services to/otherwise engage with you in the course of our day-to-day business activities;
    • to conduct investigations if we suspect illegal or illicit behavior (whether or not this suspicion arises from a whistleblower’s alert);
    • to manage the security of our systems and networks;
    • for insurance purposes;
    • to exercise or defend our legal rights or to comply with court orders; and
    • to develop our business (including to communicate with you about our services, events, surveys and other promotional activities).

However, Gathara Consulting Engineers will only use your personal data for its legitimate interests where such interests are not overridden by the need to protect your privacy.

  1. To comply with legal requirements placed on Gathara Consulting Engineers.  For example:
    • to maintain accurate records;
    • to conduct certain background checks when evaluating and vetting new clients/business partners (e.g., to comply with anti-money laundering, terrorist financing and sanctions laws – this might include financial, credit and identity checks, and screening which could also include sensitive information such as political allegiances or criminal convictions etc.); and
    • for the purposes of fraud and crime prevention and detection or as otherwise required under applicable law.
  1. Who do we share your personal data with?

We may share information that you have provided to us as necessary within the Gathara Consulting Engineers group of entities and with certain third parties such as service providers acting on our behalf who will use the data to provide the service. These may include insurers, IT and cloud service providers, background screening providers, legal advisers, accountants, tax advisers, advertising agencies, insurance companies, financial or lending institutions, and facilities services providers etc. We will ensure that any third-party service provider that we use commits to an appropriate level of security and confidentiality to protect your personal data.

We may also share your personal data in connection with a merger, acquisition, sale of all or a portion of Gathara Consulting Engineers’s assets, financing, restructuring or other corporate transactions.

In some circumstances and in accordance with applicable law, we may have to disclose your personal data with other third parties for legal, tax or regulatory purposes such as:

  • where a domestic or foreign court, police, law enforcement agency, governmental agency, or regulatory body asks us for it;
  • to protect Gathara Consulting Engineers’s assets and interests, or to protect people’s safety, security, rights and/or property;
  • to assist Gathara Consulting Engineers with internal or external investigations into potentially illegal or suspicious activity; or
  • to manage, defend or settle any actual or potential legal claims.
  1. How do we protect your personal data?

We strive to maintain systems that are secure and meet industry standards, and we implement a combination of measures to protect your personal data, including:

  • internal policies and procedures that define the roles and responsibilities of our staff members throughout the life cycle of records containing personal data and limit their access to that information on a “need-to-know” basis;
  • physical, electronic and procedural safeguards that comply with relevant standards to protect personal data;
  • technical safeguards for information that is collected or stored electronically, such as encryption, firewalls, passwords, anti-virus software etc.;
  • a designated privacy officer and regional privacy coordinators to monitor Gathara Consulting Engineers’s compliance with applicable privacy laws;
  • staff training in privacy and information security;
  • procedures for receiving, investigating, and responding to complaints or inquiries about Gathara Consulting Engineers’s information handling practices;
  • contractual protections and information security procedures to ensure that service providers with whom we share personal data maintain adequate protections and security standards; and
  • policies and procedures to respond to and mitigate breaches involving personal data.
  1. Is your personal data transferred overseas?

Due to the global nature of Gathara Consulting Engineers’s business operations, it may be necessary to send your personal data to other overseas Gathara Consulting Engineers offices or third parties (as per section 5 “Who do we share your personal data with?” above), unless we have specifically agreed to retain your personal data within a particular location. Examples of situations where your personal data may be transferred to a different country than the one where you are based include:

  1. where Gathara Consulting Engineers has outsourced one or more aspects of its business (such as IT support); or
  2. where we have utilised cloud services to store/host data (meaning that personal data may be stored on Gathara Consulting Engineers’s behalf by a cloud provider in different locations around the world).

The main jurisdictions where Gathara Consulting Engineers may transfer your personal data include Canada, the European Economic Area, the United Kingdom, the United States and India.

Some of the countries where your personal data is transferred have a different standard of data protection than the country where you are based. However, we have/will put in place contractual or other appropriate protections as prescribed by applicable data protection laws to ensure that your information is adequately safeguarded globally.

  1. How long will we keep your personal data?

Your personal data will be retained as long as necessary to fulfil the purposes for which it was collected, unless Gathara Consulting Engineers needs to retain it as required by applicable laws. When determining the retention period, we consider various criteria, such as:

  • the nature and duration of our relationship with you;
  • the types and sensitivity of personal data;
  • the purposes for which we use your personal data and whether we can achieve those purposes through other means;
  • statutory retention and limitation periods; and
  • other applicable legal requirements.

At the end of any retention period, your personal data will either be securely deleted in its entirety or anonymised so that you can no longer be identified from that data.

  1. What are your rights over your personal data?

You have various legal rights in relation to your personal data with some restrictions and exceptions, depending on the laws of the country where you are based.

Such rights may allow you to ask Gathara Consulting Engineers to:

  1. tell you whether we are using or storing your personal data;
  2. provide a copy of your personal data (subject to the privacy rights of other people and the information already provided to you in applicable privacy notices);
  3. correct any inaccuracies in your personal data by informing us to make the necessary changes;
  4. modify or withdraw your consent for the collection, use and disclosure of your personal data, where Gathara Consulting Engineers has obtained your consent for this (see section 4 “On what legal basis do we use your personal data?” above);
  5. delete your personal data where there is no lawful justification for Gathara Consulting Engineers to retain it;
  6. pause use of your personal data until:
    • Gathara Consulting Engineers verifies any inaccuracies in your personal data that you notify us of; or
    • we assess that Gathara Consulting Engineers’s legitimate interests in processing your personal data outweigh your interests in the data not being processed; and
  1. transfer your personal data to you or another organisation in a commonly used electronic format (known as the right to data portability).

You may also be able to object to your personal data being processed (including if we use it for profiling purposes), when:

  • it is in our legitimate interests or those of a third party;
  • Gathara Consulting Engineers is acting in the public interest; or
  • we use it for direct marketing purposes.

If you object to the last ground, Gathara Consulting Engineers will stop processing your personal data for marketing purposes (and any associated profiling). In the other cases, Gathara Consulting Engineers will stop processing the relevant data unless:

  • we identify compelling legitimate grounds to continue which override your privacy rights; or
  • we need to process the data for a legal claim.

Note, you may have additional rights in accordance with the local laws of the country where you are based.

You may exercise or enquire about the above rights by contacting Gathara Consulting Engineers’s data protection team (see section 11 “How can you contact us?” below).

  1. What are Gathara Consulting Engineers’ privacy protocols regarding minors?

We do not knowingly solicit or collect personal data from children under the age of 16. If we discover that a child under the age of 16 has provided us with personal data without the verifiable consent of a parent or legal guardian, we will take reasonable steps to delete that information.

  1. How can you contact us?

We hope this Privacy Notice has been helpful in setting out the way we handle your personal data and your rights to control it. This Privacy Notice sets out most of your rights under relevant laws, but not necessarily every right you have.

If you have any concerns, requests related to, among others, the exercise of your rights, complaints or questions that have not been covered, please contact us by emailing info@gathara.co.ke.

  1. Complaints

You may have a right to make a complaint to the relevant Data Protection Authority (“DPA”) at any time. We would appreciate the chance to understand your concerns in the first instance before you contact the DPA, however.

The website of the DPA responsible for overseeing data protection compliance in your country can be accessed via this link: Global Privacy Law and DPA Directory (iapp.org).

  1. Changes to this Privacy Notice

This Privacy Notice was last updated on the date shown at the top of this page. We may change this Privacy Notice from time to time by updating this page.