AAR Hospital Data Privacy Policy

Effective Date: Jan 2025

1. Introduction

At AAR Hospital (‘we’, ‘us’, ‘our’), we respect your personal privacy and work to ensure personal data is processed in compliance with the Kenya Data Protection Act (DPA 2019). This Data Privacy Policy describes how your personal data is collected, used and protected when you engage with our website on the services that we offer.

2. Data Collected
We collect personal data that you choose to provide when making use of the services or interacting with the Site. This includes:

Patient

Full name, Date of Birth, Gender, Telephone Number, Marital Status, Occupation, Residence, Nationality, Email Address, National Identification No./Passport No. or copy, Brought In By, Next of Kin details (Name/Relationship/Residence/Telephone number), current and past medical and surgical history, Biometric data for insurance, Genetic data, closed circuit television surveillance recordings for security while in the hospital premises.

Purpose: To provide medical services, communication, and sharing with third parties only as necessary for enabling it to provide care to the patient or as required by law, medical research and quality assurance activities.

Staff

Full Name, Physical and Postal Address, Email, Phone number, Date of Birth, gender, Bank account details, dependents details, next of kin Name/Relation/Contact, NHIF, NSSF, KRA Pin, Identification Number, professional and academic qualification details, professional license and/or Membership, certificate of service, Police clearance report, passport photo, biometric information, closed circuit television surveillance recordings, health records.

Purpose: Management of employment relationship, submission of statutory deductions and benefit processing.

Staff dependents and next of kin

Identity type, name, postal and physical address, location, phone number, date of birth, email address, gender and relation.

Purpose: Employee dependents benefit processing and employee relationship management.

Interns and attachés

Identity type, Full name, postal and physical address location, phone number, date of birth, email address, age, gender, bank account details, family details (next of kin), academic details, profession, closed circuit television surveillance recordings.

Purpose: Internship and attachment processing

Researchers

Identity type, name, postal and physical address, location, phone number, Name of educational institution, email address, closed circuit television surveillance recordings

Purpose: Validation of request

Development partners /representatives

Name, phone number, email address, closed circuit television surveillance recordings, associated development partner

Purpose: Management of relationships with development partners

Job applicants

Uniform Resource Locator (URLs), Full name, postal and physical address, phone number, email address, age, gender, date of birth, academic information.

Purpose: Processing of job applications and recruitment process.

Consultant doctors

Identity type, country of origin, Nationality, Professional Licenses, Full name, KRA pin, postal and physical address, phone number, date of birth, email address, age, gender, academic details, closed circuit television surveillance recordings, work permit where applicable

Purpose: Administration of contracts

Vendors, bidders and Contractors etc.

Full name, contact person details (Full name, email, phone number), Company directors’ details (Full name, company share held), closed circuit television surveillance recordings

Purpose: Administration of procurement functions and contracts.

Technical Data: Information relating to your IP, the browser, device being used, along with cookies and other details about your usage patterns depending on the cookie option chosen in your browser while using our sites.

Purpose: Research, analytics, marketing, and use of the information to enhance the quality of our services.

3. Processing purpose
We process your personal data for the reasons stated in each category.

4. How We Protect Your Data
We take the protection of your personal data seriously and implement reasonable technical, physical, and administrative measures to safeguard your information against unauthorized access, disclosure, alteration, and destruction. These measures include:

  • Encryption: Personal data transmitted online is encrypted using industry-standard protocols.
  • Access Controls: We restrict access to personal data to authorized personnel only.
  • Secure Servers: We host personal data on secure servers with advanced firewall protection.

5. Sharing Your Data
We may share your personal data with the following parties:

  • Healthcare Providers: While providing medical care, we may share your health information with doctors, nurses, specialists, or healthcare facilities.
  • Third-Party Service Providers: We may share your data with trusted vendors who assist in our operations, such as payment processors.
  • Regulatory Authorities: We may disclose personal data to comply with legal obligations, such as reporting to the Ministry of Health or the Kenya Medical Practitioners and Dentists Council.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the new owners.

6. Your Rights
Under the Kenya Data Protection Act (2019), you have the following rights regarding your personal data:

  • Right to Access: You have the right to request copies of your personal data.
  • Right to Rectification: You can request corrections to any inaccurate or incomplete personal data.
  • Right to Erasure: You can request the deletion of your personal data under certain circumstances.
  • Right to Restrict Processing: You can ask us to limit the processing of your personal data in certain situations.
  • Right to Object: You can object to the processing of your personal data for marketing purposes or on legitimate grounds.
  • Right to Data Portability: You can request a copy of your personal data in a structured, commonly used, and machine-readable format.
  • Right to Lodge a Complaint: If you believe we have violated your privacy rights, you can lodge a complaint by contacting us through dpo@aarhospital.com.

7. How Long We Retain Your Data
We will retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy and to comply with legal, regulatory, and operational requirements.

8. Changes to This Data Privacy Policy
We may update this Data Privacy Policy from time to time to reflect changes in our data processing practices or regulations. Any updates will be posted on this page, and the revised date will be indicated at the top.

9. Contact Us
If you have any questions or concerns about this Data Privacy Policy or wish to exercise any of your rights, please contact via email: dpo@aarhospital.com
