1. Our commitment
Trans Nzoia County Government operates PMTS to deliver open, accountable project monitoring for citizens, partners, and oversight institutions. Protecting personal data is essential to maintaining public trust in digital county services. This Data Protection Statement describes our governance approach and supplements the detailed processing information in our Privacy Policy.
2. Legal framework
PMTS data protection practices align with:
- The Constitution of Kenya, 2010 — Article 31 (right to privacy);
- Data Protection Act, 2019 — principles, rights, and obligations for data controllers and processors;
- Office of the Data Protection Commissioner (ODPC) guidance and registration requirements;
- Computer Misuse and Cybercrimes Act, 2018 — security of systems and data;
- Public Finance Management Act and county transparency obligations relevant to published project data;
- GDPR — where EU/EEA residents access the portal or where processing falls within its scope;
- European Accessibility Act (EAA) — digital accessibility expectations for public-facing services used in the EU context.
3. Data protection principles
We apply the following principles to PMTS processing:
- Lawfulness, fairness, and transparency — we document purposes and provide clear notices;
- Purpose limitation — data collected for project monitoring is not used for unrelated marketing without consent;
- Data minimisation — we collect only what is needed for transparency, security, or service delivery;
- Accuracy — staff workflows and QA processes aim to keep project and feedback records correct;
- Storage limitation — retention schedules apply to logs, accounts, and feedback archives;
- Integrity and confidentiality — role-based access, encryption in transit, backups, and audit trails;
- Accountability — policies, training, incident response, and records of processing activities.
4. Roles and responsibilities
- Data Controller: Trans Nzoia County Government for PMTS portal processing;
- Data Protection Contact: pmts@transnzoia.go.ke;
- Operational contact: pmts@transnzoia.go.ke;
- Processors: vetted hosting, email, backup, and support vendors under contractual safeguards;
- Departmental users: county staff who enter project data must follow county ICT and records policies.
5. Special categories and sensitive data
PMTS is not designed to collect special categories of personal data (e.g. health, biometrics, political opinions) through public project pages. Citizens should avoid submitting such information in open feedback fields. If sensitive data is received inadvertently, contact us for secure handling and possible redaction or deletion.
6. Automated decision-making
PMTS does not make solely automated decisions with legal or similarly significant effects on individuals. Project publication workflows involve human quality assurance. Statistical dashboards aggregate project data and do not profile individual citizens for enforcement purposes.
7. Personal data breach response
If we become aware of a breach likely to affect your rights:
- We contain and investigate the incident without undue delay;
- We notify the ODPC within 72 hours where required by law;
- We notify affected individuals when the breach poses a high risk to their rights;
- We document lessons learned and strengthen controls.
Report suspected security issues to pmts@transnzoia.go.ke.
8. Data subject rights (summary)
Under the Data Protection Act and related frameworks, you may request:
- Confirmation of whether we process your data, and access to that data;
- Correction of inaccurate data;
- Deletion where retention is no longer necessary or consent is withdrawn (subject to legal exceptions);
- Restriction or objection to certain processing;
- Data portability where processing is automated and based on consent or contract;
- Withdrawal of consent at any time for consent-based activities.
Submit requests to pmts@transnzoia.go.ke. We respond within statutory timelines (typically within 30 days unless extended with notice). You may complain to the ODPC: www.odpc.go.ke.
9. International visitors
PMTS primarily serves Trans Nzoia County and Kenya. If you access the portal from outside Kenya, your data may be processed in Kenya and at the infrastructure locations used by our hosting providers. Where GDPR applies, we rely on appropriate lawful bases and safeguards described in the Privacy Policy.
10. Staff training and awareness
County staff with PMTS access receive orientation on acceptable use, confidentiality, password hygiene, and reporting suspected data incidents. Access is granted on a least-privilege basis aligned to job roles (executive, departmental, admin, etc.).
11. Records of processing
The county maintains internal records of major processing activities covering PMTS portal operations, citizen feedback, account management, system logs, backups, and email notifications. Summaries are available to regulators on lawful request.