

AAR Healthcare (Kenya) Limited (hereinafter, the “Company” or “we” or “our” or “us”) is a company incorporated in Kenya.

In the course of its activities, the Company processes personal data of its directors, callers, employees, doctors, locums, patients, employee candidates, contact persons, members, models, prospective patients, organization HR officers, specialists, suppliers, trainees, white members, witnesses and other stakeholders (hereinafter, the “Data Subjects”, “you” or “your”).

This policy describes the information privacy practices that the company follows when handling personal information that we collect or receive in conducting our business. Such information is normally collected through business transactions and interactions, websites, patient(s), employee(s) and user application(s) such as emails and network platforms.

This privacy policy statement demonstrates our commitment to protect the privacy of individuals with respect to personal identifiable information and is designed to assist you in understanding our policies and practices in relation to the collection, use, retention, transfer and access of your personal information. 

Personal Identifiable Information (PII)

Personal Identifiable Information (also referred to as personal data in this policy) means any information relating to an identified or identifiable natural person (the data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location information, an online identifier or by one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of the natural person.

Application of this privacy policy

This policy applies to all those who have access to PII in our possession. This includes our employees and all service providers or others working on our behalf or in our name, through outsourcing of services and processes or any business activity. Independent contractors and consultants will be made aware of the Privacy Policy as it applies to our staff, potential and/or existing patients and counterparties in their dealings with them. This policy also serves to inform the public of the personal data collected by AAR Healthcare, the purpose of collection and how that data is handled.

Data subject rights

As a data subject, you have rights regarding the processing of your personal information as follows:

  • Withdraw any consent you have given, or are deemed to have given, in relation to our collection or use of your personal information;
  • Request access to any personal information held about you by us and details of the processing of your personal information by us;
  • Have inaccurate personal data amended or erased, and to have incomplete personal data completed;
  • Request the erasure of your personal data;
  • Object to or restrict the processing of your personal data (including profiling), including where the processing is unlawful or no longer necessary;
  • Receive your personal data in a format suitable for transmission to another data controller;
  • Object to processing of your personal information for direct marketing;
  • Object to any decision about you based solely on automated processing (including any profiling) that produces legal effects or otherwise significantly affects you;
  • Complain to the relevant data protection supervisory authority, if you think that we are not complying with our obligations in relation to our processing of your personal information.

You can make a request to us in relation to these rights at any time by contacting us via email at dpo@aar-healthcare.com. All requests will be dealt with promptly, in line with the provisions of Data Regulations of 2021. Any information to which you are entitled will be provided within a reasonable timeframe, subject to any exemptions stipulated in applicable data privacy laws.

Collection of personal data and purpose of processing

1. Employment and recruitment

This includes information that you may provide to us in employment contracts and applications for employment. The personal information you provide includes basic contact information about you, such as your name, physical and postal address details, contact details, referee name, referee postal address, referee email address, referee phone number, nationality, marital status, date of birth, university transcripts, academic certificates, practice licenses, national ID number, NSSF number, NHIF number, KRA Pin number, bank details, spouse details (name, passport photo, date of birth), marriage certificate, dependant details (name, birth certificate, passport photo), next of kin details (name, phone number, address) and medical history.

We may collect information you provide to us through the recruitment processes such as name, physical and postal address details, email address, phone number, referee name, referee postal address, referee email address, referee phone number, nationality, marital status. We may also collect and retain background information as permitted under applicable law. On your employment with the company, we may also collect information related to your national ID number, NSSF number, NHIF number, KRA Pin number, bank account information and other information relevant to meeting our obligations under the employment laws and to process the periodic payroll.

This information is only collected for the purposes of human resource management, determination of employee age, processing statutory deductions, tax compliance, payroll processing, processing employee benefits, alternative point of contact, pre-employment medical assessment and recruitment.

2. Business Partners

For all counterparties doing business with us, we collect information that might be PII in nature. This could be personal email addresses provided in the course of communications and names and contacts of (company) representatives. Information collected through these processes is only used for disinfection activities in out-patient centres, formalizing institution rescue services agreement and supplier on-boarding procedures.

To ensure we do business with reputable, honest and qualified business partners we may also conduct due diligence checks on companies and their directors and shareholders to establish the legal status of all potential new business partners to evaluate whether they may be involved in illegal or corrupt practices. Such checks may include the collection of personal identification documents for such directors and shareholders.

3. Information provided through our security procedures

As part of our security procedures, we obtain information from our visitors. This information may include CCTV footage. Such information is only processed for purposes of security and monitoring.

4. Information you provide to us through our website

We may collect information you provide to us through our web-based enquiries, booking appointments and registration of white members. This information includes your name, age, gender, physical and postal address details, national ID number, phone number, blood group, medical report, email address and functionality cookies. This information is only processed for registering and management of patients, administrative purposes, determination of blood group and user preferences.

5. Others who may get in touch with us

We collect personal data when an individual gets in touch with us with a question, complaint, comments or feedback such as name, contact details and content of the communication. In this case, we will only use the data for the purpose of responding to the communication and handling the matter.

Use of personal information

a). For business use

We use your personal information to facilitate our ongoing and proposed business dealings with you. This includes:

  • To process business transactions with us;
  • To communicate with you about updates to our services;
  • To respond to questions or inquiries or complaints that you may have about our services.

We may use your personal information as required for us to comply with relevant laws and regulations relating to our business.

b). Marketing Purposes

With your consent or as otherwise permitted by applicable law, we may use your personal information for purposes relating to the marketing of our services. This means we may from time to time:

  • Send you newsletters, press releases, event announcements and other similar communications regarding the services that we offer;
  • Market or promote our services to you;
  • Solicit input from you regarding improvement of our services;
  • Use your personal information for other purposes that we disclose to you at the time we obtain your consent.

You may at any time opt out of receiving marketing-related communication from us by contacting us at dpo@aar-healthcare.com.

c). Employment

As permitted by applicable laws, we maintain employment records of our current and former employees. With respect to current employees, we use the processed personal information for human resource management, determination of employee age, processing statutory deductions, tax compliance, payroll processing, processing employee benefits, alternative point of contact, pre-employment medical assessment and recruitment. With respect to former employees, we archive the records and use them only on a lawful basis as permitted by the law. After the required retention period (in line with the Income Tax Act and Companies Act), the records are destroyed.

d). Recruitment

We may use the personal information you provide to us through email solely for the purposes of processing your job application for the position you have shown interest in and in accordance with this privacy notice and applicable law. This may also include data we collect from third parties such as your references, prior employers and educational history in order to identify and evaluate candidates for potential employment. We may conduct vetting for specific job roles, which may include background checks as permitted by local laws. With your consent, we may retain a record of your job application and references for a period of 1 year or 6 months after the role is filled.

Personal data integrity

While you are responsible for the accuracy of all personal information that you provide to us, we will use reasonable efforts to maintain the accuracy and integrity of your personal information, and to update that information as appropriate. We will take reasonable steps to ensure that the personal information we collect is relevant to its intended use, and that it is used only in ways that are compatible with the purposes for which it was collected or otherwise authorised by you.

Personal data sharing

a). Internal

From time to time we may share your personal information within the company. Such information may be used for internal business and operational purposes, as well as for purposes consistent with the purpose for which the information was originally collected or subsequently authorised by you. If your personal information is held by us within Kenya, it will only be transferred outside the country after the following considerations, as provided by the law:

  • The appropriateness of data protection safeguards during transfer;
  • The transfer is to a country where adequate level of protection is ensured;
  • The transfer is based on necessity and approved by the Office of Data Protection Commissioner; or
  • If you have given consent to such transfer.


We may disclose or transfer your personal information to our service providers. Normally, these would include the company lawyers, service providers for support, auditors, laboratory service providers, insurance / assurance companies within our panel, delivery service providers, document archiving service providers, aviation rescue service providers, asset management service providers, marketing service providers, medical service providers, pension administrators and trustees and banks. We may also, from time to time, employ service providers to perform services on our behalf, such as hosting our data (including your personal information) and websites. Prior to allowing these service providers to access your personal information, we will enter into a formal agreement with them to ensure that they handle and process the information in accordance with this Privacy Policy and applicable law, and that they have adequate technical and organisational controls in place to safeguard your personal data.

We will not share your personal information with third parties outside of AAR Healthcare for marketing purposes without your consent. However, we may share such information with our counterparties as described for the purposes disclosed to you at the time you provided the information, or as subsequently authorised by you or as permitted by applicable laws.

Legal Protections and Law enforcement

We may access, use, preserve, transfer and disclose to our counterparties your personal information for the following purposes:

  • To satisfy any applicable law, regulation, or legal or regulatory process, if in our opinion such is required or permitted by law or reasonably requested by a regulatory authority (including the tax authorities);
  • To protect and/or defend this privacy policy or other internal policies or terms of use applicable, including investigations of potential violations thereof, ensuring the protection of the safety, rights, property or security of AAR Healthcare or any of our counterparties; and
  • To detect, prevent or otherwise address fraud, security issues or breaches, or technical issues.

This may include allowing third parties, such as internet service providers, wireless service providers and/or law enforcement agencies, to access and use your personal information in order to identify you. We may take any of these steps without prior notice to you to the extent permitted by law.

Protection of personal information

We put in place reasonable safeguards and measures based on internationally recognised information security standards to protect your personal information in our possession from misuse, unauthorised access, disclosure, alteration, destruction or loss. We have a framework of policies, procedures and training/awareness in place covering data protection, confidentiality and security. As necessary, we will take additional precautions regarding the security of particularly sensitive information, such as categories of data deemed as sensitive under applicable data protection laws. While we strive to secure your personal information, we cannot warrant or guarantee that this information will be protected under all circumstances, including those beyond our reasonable control.

Data retention

We will not retain personal information for longer than is necessary for the purposes for which it was collected, except where retention is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims. We have developed an internal data retention policy which is guided by the applicable laws.

Access, objection to processing, rectification and data erasure

Should you need to communicate with us regarding access to your data, objection to processing, or a request for rectification or erasure, kindly contact us through dpo@aar-healthcare.com. Requests by employees can be communicated through the Human Resource department or in writing through allhrkenya@aar-healthcare.com.

Monitoring and enforcing this policy

We will conduct biannual internal compliance audits and assessments of our relevant privacy practices to verify adherence to this privacy policy.

Policy revision

This privacy policy is kept under review every 3 years or ad hoc, should there be fundamental changes to the subject matter, as per our policy requirements, and is therefore subject to change.