This website uses cookies to enhance user experience and to analyse performance and traffic on our website. By accessing our website, you agree to the storing of cookies on your device to enhance site navigation and analyse site usage. You also have a right to opt out on nonessential cookies as stated in the privacy
By clicking 'I Accept' when you visit this website, you confirm that you have read, understood and agree to the provisions to this privacy statement.
COOKIE POLICY
- We may store some information (using "cookies") on your computer when you visit our websites. This enables us to recognize you during subsequent visits. The type of information gathered is non-personal (such as: The Internet Protocol (IP) address of your computer, the date and time of your visit, which pages you browsed and whether the pages have been delivered successfully.
- We may also use this data in aggregate form to develop customized services - tailored to your individual interests and needs. Should you choose to do so, it is possible (depending on the browser you are using), to be prompted before accepting any cookies, or to prevent your browser from accepting any cookies at all. This will however cause certain features of the web site not to be accessible.
KRA Data Protection Officer
KRA as a data controller is required to have a data protection officer whose role is to oversee and ensure compliance to the Data Protection Act , 2019. The contact details of KRA's data protection officer is as follows:
Mr. Joseph Tonui
Deputy Commissioner - Corporate Data Office
Email: dc.cdo@kra.go.ke
Telephone: 0709017166
PRIVACY STATEMENT
This Privacy Statement provides information on how and why the Kenya Revenue Authority (KRA) collects and processes your personal data.
This statement should be read together with the Terms and Conditions of use for other KRA Services. Where there is a conflict, this privacy statement will prevail.
This statement applies to all taxpayers, KRA staff, students, consultants, 3rd parties, development partners and all visitors to any of KRA premises.
DEFINITIONS
The Authority/KRA/We/our/ours/us/ means the Kenya Revenue Authority established under Act of Parliament Chapter 469 of the laws of Kenya.
Data Protection Officer is a person designated or appointed by the Authority to monitor compliance with the Data Protection Act, No. 24 of 2019 and the Regulations made under the Act.
Data Collection means gathering of information that relates to you.
Personal data means information about you that identifies you directly or indirectly as a unique individual such as name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
Processing means any operation or sets of operations which is performed on your personal data whether or not by automated means, such as: collection, recording, organization or structuring; Storage, adaptation or alteration; Retrieval, consultation or use; Disclosure by transmission, dissemination, or otherwise making available; Alignment or combination, restriction, erasure or destruction.
Sensitive personal data is data revealing your racial or ethnic origin, political opinions, professional membership, and the processing of genetic data, biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person's gender.
Third Party - means a natural or legal person, public authority, agency or body other than you and KRA, who under the direct authority of KRA are authorized to process your personal data.
You/ Your (s) means:
- Taxpayer – a person who holds a Personal Identification number (PIN) and liable for tax under the Kenyan tax law whether or not you have accrued any tax liability in a tax period.
- Any person employed by Kenya Revenue Authority
- Any student enrolled in the Kenya School of Revenue Administration (KESRA)
- Any agent, dealer and/or merchants who has signed an agreement with KRA and is recognized as a merchant or agent in accordance with any applicable laws or Regulations.
- Any visitor that is a person (including contractors/subcontractors or any third parties) who gains access to any KRA premises.
- Any supplier/ service provider contracted by KRA.
- Any external lawyer who has tendered his/her application and/or signed a service level agreement with KRA.
- Any Auditor who has signed an agreement with KRA.
PROCESSING OF PERSONAL DATA
The Kenya Revenue Authority processes different categories of personal data as defined and permitted by the applicable Tax Laws, Data Protection Law and its internal policies:
- With your consent
- Where processing is necessary for fulfilment of the Authority’s mandate.
- For the performance of a contract to which you are party to or at your request before entering a contract.
- In compliance with any legal obligation to which KRA is subject.
- For protecting the vital and legitimate interests of KRA or another person.
- For the performance of a task carried out in public interest.
- For historical, statistical, or scientific research.
3.1 Collection of Data
KRA collects your personal data both directly and indirectly in accordance with the law. We collect your personal information with your knowledge and consent with the exception of cases where prior consent cannot be obtained for real reasons and the processing of the data is permitted by law.
We collect personal data through various platforms: iTax, ICMS, eRecruitment, CCTV cameras, access control and registers.
3.1.1 What information is collected
- The data we collect from Taxpayers during PIN registration, KESRA students registration, KRA staff, Intern, attaches, Staff dependants, consultants, vendors, bidders, Researchers, Development Partners includes and is not limited to the following: name, postal and physical address, location, phone number, date and place of birth, email address, age, marital status, family details, gender, bank account details, income brackets, profession, supporting personal documents, closed circuit television surveillance recordings.
- KRA collects your National Identification number, passport number, SHIF, NSSF, name, postal and physical address, location, phone number, email address, age, gender, date of birth, academic information during job applications.
KRA also collects information that does not personally identify you such as anonymous usage data, general demographic information, referring/exit pages and URLs, platform types, preferences that are generated based on the data that you submit and number of clicks.
3.1.2 Sensitive Personal Data
The Authority collects special category of personal data about you revealing details about your ethnic group, biometric data, property details, marital status, family details including details of your children spouse or spouses, gender, Date of Birth, Disability Status, mobile phone number and Nationality,
KRA shall ensure that your personal data about you is processed in accordance with your right of privacy and as permitted in Part V of the Data Protection Act, 2019.
3.2 Access to your Personal Data
You have the right to request access to your personal data held by KRA. This includes information on how your data is being used, the purposes of processing and any third parties with whom the data has been shared.
We take steps to ensure that your personal data is not altered by unauthorized entities or persons. All authorized persons accessing your personal data are bound by a duty of confidentiality.
3.3 Use of your Personal Data
- Taxpayers data for tax administration purposes.
- KESRA student’s data for education administration.
- KRA staff data for the execution of the contract of employment and management of employment relationship and benefit processing such as pension.
- Staff dependents data for employee dependant benefit processing.
- Intern and attaches data for Internship and attachment processing.
- Job application data for job application processing.
- Administration of procurement functions and contracts.
- For research purposes.
- To comply with any legal, government or regulatory requirement.
3.4 Your legal rights in relation to personal data
Subject to legal and contractual provisions, you as a data subject has the:
a) Right to be informed that KRA is collecting your personal data
- Right to access and request more information about your personal data in KRA.
- Right to request KRA to correct your personal data when it is inaccurate or incomplete;
- Right to request KRA to erase your personal data noting that KRA may continue to retain your information if obligated by the law or has a legal basis to do so;
- Right to object and withdraw consent to processing of personal data. However, KRA may continue to process if there is a legitimate or legal reason to do so.
- Right to lodge a complaint with the relevant authority that deals with personal data protection within the Republic of Kenya.
3.5 Transfer of Personal Data
KRA shall transfer personal data with your consent and in a manner that is compatible with the purpose for which it was collected.
We may transfer or disclose the personal data we collect to third parties who provide support to KRA in providing its services. We shall also disclose or process your personal data to a third party when required by law and the request has been authorized by the designated Data Protection Officer.
It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by us.
Where necessary KRA may transfer personal data to other countries, stakeholders, partners or entities outside Kenya so long as those countries, stakeholders, partners or entities have equivalent data protection laws.
In the event that KRA undergoes a business transformation, your personal data may be among the assets to be transferred to new platforms or entities and the acquirer of data assets may continue to process the personal data.
KRA will ensure that during the transfer of your personal data all the risks that might occur are well mitigated. This will be done by conducting a data protection impact assessment on any project that handles personal data to help in identifying the level of risk that can occur and how to prevent the risks.
3.6 Protection of Personal Data
The Authority ensures that access to electronic and physical repositories containing your personal data is controlled based on reasonable and appropriate administrative, physical, and organizational safeguards. We implement security measures designed to protect your information from unauthorized access.
Your account is protected by your account password and KRA urges you to take steps to keep your personal information safe by not disclosing your password and by logging out of your account after each use.
By using the Authority’s systems, sites and access services, you acknowledge that you understand and agree to assume these risks. You also accept responsibility not to disclose your PIN and tax information to suspicious individuals.
3.7 Retention of Personal Data
We will only retain your personal data to fulfil the purposes for which we collect your data and to satisfy any legal requirements to which we are subject. To determine the appropriate retention period, we consider the size, nature and sensitivity of the personal data, the purposes for which we process the data, the need to comply with internal policies and the applicable legal requirements.
Due to the nature of our mandate, we may retain your personal data indefinitely in administration of a tax law or in compliance with any other legal obligation.
You may however request deletion of your personal data before expiry of the retention period as provided in law. Such requests shall be processed in accordance with the Data Protection Act, 2019 and the KRA data protection and Privacy Policy.
USE OF COOKIES, EMBEDDED PLUG-INS, WIDGETS & LINKS
The Kenya Revenue Authority website use “cookies” to give you more personal, convenient website visits. This enables us to recognise you during subsequent visits. A cookie is a text file that is placed on your hard disk by a Web page server. Data stored in a cookie is created by the server upon your connection. This data is labelled with an ID unique to you and your computer and can only be read by a web server in the domain that issued the cookie to you.
You can accept or decline cookies. If you choose to decline cookies, you may not be able to fully experience the interactive features of the Kenya Revenue Authority services or web sites you visit.
Within the Kenya Revenue Authority’s Corporate Website, there are embedded applications, plug-ins, widgets or links to non-Kenya Revenue Authority Websites (collectively “sites”). These sites operate independently of the Kenya Revenue Authority and have their own privacy policies. When you visit these sites, you leave our website and no longer will be subject to our privacy and security policies. The Kenya Revenue Authority is not responsible for the privacy or security practices or the content of other sites, and as such does give an endorsement of those sites or their content.
AMENDMENT TO THIS STATEMENT
This privacy statement was last updated on 30th October 2024.
We reserve the right to amend this privacy statement at any time. All amendments to this privacy statement will be posted on KRA’s website. Unless otherwise stated, the current version shall supersede and replace all previous versions of the privacy statements.
CONTACT
KRA welcomes your questions or concerns about how it processes your personal data or if you want to exercise any of your rights in relation to your personal data, by writing to us on email: dataprivacy@kra.go.ke