Data Protection Policy

Last updated:

This policy sets out how Black Knights governs the personal data we hold — the principles we follow, the responsibilities we hold ourselves to, and the safeguards we apply at every stage of the data lifecycle. It complements our Privacy Policy, which explains in detail what data we collect and your rights over it.

1. Purpose and Scope

Black Knights (“we”, “our”, or “us”) is an AI-focused technology company headquartered in Gigiri, Nairobi, Kenya. We are committed to protecting the personal data of our clients, prospective clients, website visitors, employees, contractors, and any other individuals whose data we process.

This Data Protection Policy explains the standards we apply when handling personal data and the obligations that everyone acting on behalf of Black Knights must follow. It applies to:

  • All personal data processed by Black Knights, in any format — digital or physical
  • All staff, directors, contractors, and third parties who process personal data on our behalf
  • All systems, services, and projects through which we collect, store, or use personal data

Where we act as a data processor on behalf of a client, this policy is applied alongside the relevant Data Processing Agreement (DPA), which takes precedence to the extent of any conflict.

2. Legal Framework

We process personal data in accordance with the data protection laws applicable to us and to the individuals we serve, including:

  • The Kenya Data Protection Act, 2019 and its accompanying regulations, overseen by the Office of the Data Protection Commissioner (ODPC)
  • The EU General Data Protection Regulation (GDPR) and the UK GDPR, where we process the data of individuals in the EEA or the United Kingdom
  • Any other applicable national data protection or privacy legislation relevant to a specific engagement

Where multiple frameworks apply, we adopt the highest applicable standard of protection.

3. Our Data Protection Principles

Every processing activity we undertake is measured against the following principles, drawn from Section 25 of the Kenya Data Protection Act and Article 5 of the GDPR:

Lawfulness, fairness, and transparency

We process personal data lawfully, fairly, and in a way individuals would reasonably expect — never secretly or deceptively.

Purpose limitation

We collect personal data only for specified, explicit, and legitimate purposes, and we do not reuse it for incompatible purposes.

Data minimisation

We collect only the data that is adequate, relevant, and limited to what is necessary for the stated purpose.

Accuracy

We take reasonable steps to keep personal data accurate and up to date, and to correct or erase inaccurate data without delay.

Storage limitation

We retain personal data only for as long as necessary, after which it is securely deleted or anonymised.

Integrity and confidentiality

We protect personal data against unauthorised or unlawful processing, loss, destruction, or damage using appropriate security measures.

Accountability

We take responsibility for how we use personal data and maintain the records and governance needed to demonstrate our compliance.

4. Roles and Responsibilities

4.1 Black Knights as Controller and Processor

Depending on the activity, Black Knights acts either as a data controller (where we determine why and how data is processed — for example, our website analytics and contact enquiries) or as a data processor (where we process data on a client's documented instructions under a service engagement).

4.2 Data Protection Officer

We have appointed a Data Protection Officer (DPO) responsible for overseeing this policy, advising on compliance, monitoring our processing activities, and serving as the point of contact for the ODPC and for data subjects. The DPO can be reached at hello@blackknights.co.ke with the subject line “DPO Enquiry”.

4.3 Everyone at Black Knights

Data protection is a shared responsibility. All staff and contractors must complete data protection training, handle personal data strictly in line with this policy, and report any suspected breach immediately to the DPO.

5. Lawful Basis for Processing

We only process personal data where we have a valid lawful basis. Depending on the context, this will be one of:

  • Consent — the individual has given clear, specific, informed, and freely given consent
  • Contract — processing is necessary to deliver a service or to take steps at the individual's request before entering a contract
  • Legal obligation — processing is necessary to comply with the law
  • Vital interests — processing is necessary to protect someone's life
  • Legitimate interests — processing is necessary for our legitimate interests, balanced against the rights and freedoms of the individual

We record the lawful basis relied on for each processing activity. Where we rely on consent, individuals may withdraw it at any time without affecting the lawfulness of earlier processing.

6. Sensitive and Special Category Data

Certain categories of data — such as health information, data revealing racial or ethnic origin, biometric data, or data concerning a person's vulnerability — carry a higher risk and require additional protection. We process such data only where:

  • We have an additional condition for processing under the applicable law (for example, explicit consent)
  • Access is tightly restricted to those with a genuine need
  • Enhanced security and confidentiality controls are applied

Our handling of data relating to customers in vulnerable circumstances is governed by both this policy and our Vulnerable Customers Policy.

7. Data Subject Rights

We respect and facilitate the rights individuals hold over their personal data, including the rights of access, rectification, erasure, restriction, portability, objection, and the right not to be subject to solely automated decision-making with significant effects.

Requests can be made to hello@blackknights.co.ke. We respond within the statutory timeframe (generally 30 days) and may verify identity before acting. A full description of these rights and how to exercise them is set out in our Privacy Policy.

8. Security Measures

We apply appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised access, loss, or alteration:

8.1 Technical measures

  • Encryption of data in transit (TLS) and at rest (AES-256 or equivalent)
  • Role-based access control and multi-factor authentication for systems holding personal data
  • Network segmentation, firewalls, and monitoring of production environments
  • Regular vulnerability scanning, patching, and tested backups
  • Audit logging of access to personal data

8.2 Organisational measures

  • Mandatory data protection training for all personnel
  • Confidentiality obligations in all employment and contractor agreements
  • Data protection by design and by default in every new system or project
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Due diligence and contractual controls over third-party processors

9. Data Retention and Disposal

We keep personal data only for as long as necessary to fulfil the purpose for which it was collected or to meet legal and contractual obligations. When data is no longer required, it is securely deleted or irreversibly anonymised — digital records are permanently purged and physical records are shredded.

We maintain a retention schedule that defines retention periods by data category. Indicative periods are set out in our Privacy Policy.

10. Personal Data Breach Management

We maintain a documented breach response procedure. In the event of a personal data breach we will:

  • Contain and assess the breach, recording its nature, scope, and likely impact
  • Notify the Office of the Data Protection Commissioner (and other relevant authorities) without undue delay — and, where the GDPR applies, within 72 hours of becoming aware, where the breach is likely to result in a risk to individuals
  • Inform affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
  • Where we act as a processor, notify the affected client promptly and support their own notification obligations
  • Conduct a post-incident review to prevent recurrence and update controls accordingly

11. Data Sharing, Processors, and International Transfers

We share personal data only where necessary and lawful. Any third party that processes personal data on our behalf is vetted, bound by a written Data Processing Agreement, and required to apply security standards equivalent to our own.

Where personal data is transferred outside its country of origin — including outside the EEA or Kenya — we put appropriate safeguards in place, such as Standard Contractual Clauses (SCCs), UK International Data Transfer Agreements (IDTAs), or transfers to jurisdictions recognised as providing adequate protection.

12. Accountability, Training, and Review

We demonstrate accountability through documented governance:

  • A Record of Processing Activities (ROPA) covering the personal data we process
  • Ongoing data protection training and awareness for all staff
  • Regular internal reviews and audits of our processing and security controls
  • Clear procedures for handling data subject requests and regulatory enquiries

This policy is reviewed at least annually, and whenever there is a material change to our processing activities or the law. The current version is always published on this page.

13. Contact Us

For any question about this policy, our data protection practices, or to exercise your rights, please contact us:

Black Knights

Address: Gigiri, Nairobi, Kenya

Email: hello@blackknights.co.ke

Phone: +254 725 462 859

Subject: Data Protection Enquiry

We aim to respond to data protection enquiries within 30 calendar days. If you remain dissatisfied, you may lodge a complaint with the Office of the Data Protection Commissioner (Kenya) or, for UK residents, the Information Commissioner's Office (ICO).