EUROSCOT RECRUITMENT SOLUTIONS
To address concerns related to the security of personal data collected, processed, and retained by institutions, Kenya enacted the Data Protection Act, No. 24 of 2019. The primary objective of the said Act is to make provision for the regulation of the processing of personal data, to provide for the rights of data subjects, and obligations of data controllers and processors.
2.0 About Euroscot Recruitment Solutions
Euroscot Recruitment Solutions (ERS) is a specialist recruitment agency with offices in Kenya and the United Kingdom (UK). Its principal objective is to offer professional hospitality and healthcare recruitment services. This is achieved by matching perfect candidates to vacant positions in firms and organizations within the hospitality and healthcare industries.
The purpose of this Policy is to help ERS comply with the Data Protection Act, 2019 as well as to provide guidelines and principles relating to the collection, processing, and retention of personal data by ERS.
4.1 The Policy applies to all employees of ERS. Further, the Policy applies to all employers, prospective employers and other individuals using ERS recruitment services.
4.2 The Policy applies to all data collected, received, and/or retained by ERS’s physical or electronic databases.
4.3 The Policy covers all formats of data including physical documents, electronic records, images, and/or audio recordings.
5.1 ERS is committed to ensuring compliance with the Data Protection Act, 2019, and all other applicable national, regional, and international legal instruments.
5.2 ERS appreciates the need to protect individuals’ rights and fundamental freedoms through the lawful and responsible collection, processing, and retention of personal data.
5.3 ERS staff must comply with this Policy and any breach could result in an internal disciplinary action.
Consent means any freely given, unambiguous, and informed indication by a statement or by clear positive action, which signifies an agreement by the user to the processing of his/her personal data.
A data controller means a natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purpose and means of processing personal data.
A data processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.
A data protection officer means a person(s) designated by ERS for the purpose of popularizing and implementing this Policy.
Data subject means an identified or identifiable natural person who is the subject of personal data.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Personal data means any information relating to an identified or identifiable natural person and includes but is not limited to biographical data such as name, sex, date of birth, country of origin, Identification Number as well as blood type.
Processing of personal data means any operation, or set of operations, automated or not, which is performed on personal data, including but not limited to the collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, transfer, dissemination or otherwise making available, correction, or destruction.
7.1 ERS will ensure that the collection, processing, and retention of personal data are guided by the principles of:
7.1.1 Respect for rights and fundamental freedoms, especially the right to privacy of data subjects.
7.1.2 Legitimate and reasonable dealing in personal data.
7.2 ERS will ensure that:
7.2.1 Collection of data is only for specified, explicit, and legitimate purposes and excludes any further use incompatible with that purpose.
7.2.2 Data is accurate and if necessary, updated from time to time.
7.2.3 Data is not transferred out of Kenya unless there is proof of adequate data safeguards and/or measures or consent from the data subject.
7.2.4 Processing of data is done in a manner that ensures its security against unauthorized and/or unlawful processing, accidental loss, destruction, and/or damage.
7.2.5 Data is not kept in any form which permits the identification of data subjects for longer than is necessary.
8.1 ERS has a duty to notify data subjects of their rights before processing their personal data for any purpose.
8.2 In this regard, ERS will inform data subjects of the following rights:
8.2.1 Right to be informed of the use of their personal data.
8.2.2 Right to access their personal data in ERS’s custody.
8.2.3 Right to object to the processing of their personal data wholly or in part.
8.2.4 Right to correction and/or alteration of false and/or misleading data.
8.2.5 Right to deletion of false and/or misleading data.
9.1 ERS will only collect personal data for processing if such collection is for the purpose(s) to which data subjects have consented.
9.2 ERS will only collect and process data that is adequate, relevant, and limited to what is necessary. Access to such data by ERS staff is strictly restricted to persons with authorization.
9.3 ERS staff must ensure that they delete, destroy, and/or anonymize any personal data that is no longer required for the specific purpose for which it had been collected.
10.1 ERS will only collect personal data for processing if such collection is for the purpose(s) to which data subjects have consented.
10.2 Data will only be processed where there is a legitimate basis to do so, where the data subject has given their consent, and/or where the processing of such data is deemed necessary.
10.3 Accordingly, ERS will process data in relation to the following specific purposes:
10.3.1 For the performance of the contractual obligation to which the data subject is party, especially employment contracts or registration to be matched with prospective employers.
10.3.2 To ensure compliance with ERS’s legal and regulatory obligations.
10.3.3 To perform public interest tasks or tasks undertaken in the exercise of official authority.
10.3.4 To ensure the protection of crucial interests of data subjects and/or any other person.
10.3.5 To pursue ERS’s legitimate interests where such interests outweigh the interests and rights of data subjects.
10.3.6 For any historical, statistical, journalistic, artistic, or scientific research.
11.1 ERS will ensure a high level of data security that is appropriate to the risks presented by the nature and processing of personal data considering the level of technology available and existing security conditions as well as the costs of implementing additional security measures.
11.2 ERS will ensure that personal data is filed and stored in a way that is accessible only to authorized staff and transferred only by protected means of communication.
11.3 Personal data may not be used by any employee or staff for purposes other than the business of ERS and any breach could result in an internal disciplinary action.
11.4 ERS staff allowed access to personal data shall execute a non-disclosure agreement barring them from using the said data for business other than ERS’s mandate.
11.5 ERS staff will not use their private emails to transfer personal data of data subjects.
11.6 Data security measures will periodically be reviewed and upgraded to ensure that the level of protection is commensurate to the degree of sensitivity applied to personal data.
ERS must ensure that the personal data collected and processed by it is accurate and kept up to date. Further, such data must be corrected and/or deleted without delay where ERS staff are notified of inaccuracies and/or misleading information.
13.1 ERS will ensure that consent of data subjects is obtained before the collection and processing of their personal data.
13.2 Where necessary, ERS will maintain appropriate and adequate records to evidence such consent.
13.3 ERS will not process any personal data where a withdrawal of consent has been made by a data subject.
14.1 ERS will ensure that a data protection impact assessment is undertaken where the processing of personal data poses a high risk to the rights and fundamental freedoms of a data subject.
14.2 Such data protection impact assessment must be undertaken by the data protection officer before processing the data in question.
15.1 ERS may transfer personal data out of Kenya.
15.2 Such transfer of personal data out of Kenya shall only occur where:
15.2.1 There is proof of appropriate measures for security and protection of the personal data by the recipient of such personal data.
15.2.2 Such proof has been provided to the Data Protection Commissioner in accordance with Kenya’s Data Protection Act, 2019 on measures such as the fact that data is transferred to jurisdictions with commensurate data protection laws.
15.2.3 The transfer is necessary for the performance of a contract and/or the implementation of pre-contractual measures.
ERS shall report any data breach to the Data Protection Commissioner within seventy-two (72) hours of being aware of such a data breach. Further, ERS will communicate the said data breach to the data subject(s) as soon as is practical unless the identity of the data subject cannot be established.
17.1 ERS shall train its existing staff on the contents and obligations arising from this Policy.
17.2 New staff joining ERS shall undergo an onboarding process that involves familiarisation with this Policy.
17.3 ERS will ensure that the salient requirements of this Policy form part of contractual obligations with employers, prospective employers, and any other person using ERS recruitment services.
18.1 This Policy will be reviewed after every two (2) years.
18.2 The review of the Policy will be coordinated by a member of staff designated by ERS, who shall also serve as the data protection officer.
19.0 Amendments to this Policy
Statement Effective Date
20th June 2022.
 Data Protection Act, No. 24 of 2019; Section 2.