1.0 DATA PRIVACY NOTICE

Kenya Revenue Authority is committed to protecting your personal data in accordance with Data Protection Laws. This Privacy Notice provides information on how and why the Kenya Revenue Authority (KRA) collects and processes your personal data.This notice should be read together with the Terms and Conditions  of use for other KRA Services. Where there is a conflict, this privacy notice will prevail.

This notice applies to all taxpayers, KRA staff, students, consultants, 3^rd parties, development partners and all visitors to any of KRA premises.

2.0 DEFINITIONS

The Authority/KRA/We/our/ours/us/ means the Kenya Revenue Authority established under Act of Parliament Chapter 469 of the laws of Kenya.

Data Protection Officer is a person designated or appointed by the Authority to monitor compliance with the Data Protection Act 2019, No. 24 of 2019 and the Regulations made under the Act.

Data Collection means gathering of information that relates to you.

Personal data means information about you that identifies you directly or indirectly as a unique individual such as name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.

Processing means any operation or sets of operations which is performed on your personal data whether or not by automated means, such as: collection, recording, organization or structuring; Storage, adaptation or alteration; Retrieval, consultation or use; Disclosure by transmission, dissemination, or otherwise making available; Alignment or combination, restriction, erasure or destruction.

Sensitive personal data is data revealing your racial or ethnic origin, political opinions, professional membership, and the processing of genetic data, biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person's gender.

Third Party means a natural or legal person, public authority, agency or body other than you and KRA, who under the direct authority of KRA are authorized to process your personal data.

You/ Your (s) means:

1. Taxpayer – a person who holds a Personal Identification number (PIN) and liable for tax under the Kenyan tax law whether or not you have accrued any tax liability in a tax period.
2. Any person employed by Kenya Revenue Authority
3. Any student enrolled in the Kenya School of Revenue Administration (KESRA)
4. Any agent, dealer and/or merchants who has signed an agreement with KRA and is recognized as a merchant or agent in accordance with any applicable laws or Regulations.
5. Any visitor that is a person (including contractors/subcontractors or any third parties) who gains access to any KRA premises.
6. Any supplier/ service provider contracted by KRA.
7. Any external lawyer who has tendered his/her application and/or signed a service level agreement with KRA.
8. Any Auditor who has signed an agreement with KRA.

3.0 PROCESSING OF PERSONAL DATA

 3.1 Lawful basis for processing your data

The Kenya Revenue Authority processes different categories of personal data as defined and permitted by the applicable Tax Laws, Data Protection Law and its internal policies. We will process your personal information based on any of the following lawful basis as provided for under the Data Protection Act, 2019:

1. With your consent
2. Where processing is necessary for fulfilment of the Authority’s mandate.
3. For the performance of a contract to which you are party to or at your request before entering a contract.
4. In compliance with any legal obligation to which KRA is subject.
5. For protecting the vital and legitimate interests of KRA or another person.
6. For the performance of a task carried out in public interest.
7. For historical, statistical, or scientific research.

3.2. How KRA collects your data

KRA collects your personal data both directly and indirectly in accordance with the law. We collect your personal information with your knowledge and consent with the exception of cases where prior consent cannot be obtained for real reasons and the processing of the data is permitted by law.

We collect personal data through various platforms: iTax, ICMS, eRecruitment, CCTV cameras, access control, eTIMS and registers.

3.3. What information is collected

1. The data we collect from Taxpayers during PIN registration, KESRA students registration, KRA staff, Intern, attaches, Staff dependants, consultants, vendors, visitors, bidders, Researchers, Development Partners  includes and is not limited to the following:  name, postal and physical address, location, phone number, date and place of birth, email address, age, marital status, family details, gender, bank account details, income brackets, profession, supporting personal documents, closed circuit television surveillance recordings.
2. KRA collects, but is not limited to, your National Identification Number, passport number, SHIF, NSSF, full name, postal and physical addresses, location, phone number, email address, age, gender, date of birth, and academic information during the job application process.
3. KRA also collects information that does not personally identify you such as anonymous usage data, general demographic information, referring/exit pages and URLs, platform types, preferences that are generated based on the data that you submit and number of clicks.
4. Sensitive Personal Data- The Authority collects special category of personal data about you revealing details about your ethnic group, biometric data, property details, marital status, family details including details of your children spouse or spouses, gender, Date of Birth, Disability Status, mobile phone number and Nationality,

KRA shall ensure that your personal data about you is processed in accordance with your right of privacy and as permitted in Part V of the Data Protection Act, 2019. 

4.0 ACCESS TO YOUR PERSONAL DATA

You have the right to request access to your personal data held by KRA. This includes information on how your data is being used, the purposes of processing and any third parties with whom the data has been shared.

 We take steps to ensure that your personal data is not altered by unauthorized entities or persons. All authorized persons accessing your personal data are bound by a duty of confidentiality.

We may request additional details or ask you to visit our offices to verify your identity and protect your data. This ensures information is only shared with authorized persons and may help us respond to your request more efficiently. 

5.0 HOW KRA USES YOUR PERSONAL DATA

1. Taxpayers’ data for tax administration purposes.
2. KESRA student’s data for education administration.
3. KRA staff data for the execution of the contract of employment and management of employment relationship and benefit processing such as pension.
4. Staff dependents data for employee dependant benefit processing.
5. Intern and attaches data for Internship and attachment processing.
6. Job application data for job application processing.
7. Administration of procurement functions and contracts.
8. For research purposes.
9. To comply with any legal, government or regulatory requirement.
10. For automated processing, including automated decision-making in risk assessment, fraud detection, and compliance monitoring.

6.0 YOUR LEGAL RIGHTS IN RELATION TO PERSONAL DATA

Subject to legal and contractual provisions, you as a data subject has the:

1.  Right to be informed that KRA is collecting your personal data
2. Right to access and request more information about your personal data in KRA.
3. Right to request KRA to correct your personal data when it is inaccurate or incomplete;
4. Right to request KRA to erase your personal data noting that KRA may continue to retain your information if obligated by the law or has a legal basis to do so;
5. Right to object and withdraw consent to processing of personal data. However, KRA may continue to process if there is a legitimate or legal reason to do so.
6.  Right to lodge a complaint with the relevant supervisory authority that is tasked with personal data protection within the Republic of Kenya

7.0 TRANSFER OF PERSONAL DATA

KRA shall transfer personal data in a manner that is compatible with the purpose for which it was collected.

In the event that KRA undergoes a business transformation, your personal data may be among the assets to be transferred to new platforms or entities and the acquirer of data assets may continue to process the personal data.

KRA will ensure that during the transfer of your personal data all the risks that might occur are well mitigated. This will be done by conducting a data protection impact assessment on any project that handles personal data to help in identifying the level of risk that can occur and how to prevent the risks.

8.0 DATA SHARING AND DISCLOSURE

We may share your data with:

1. Other government agencies (e.g., Central Bank, Registrar of Companies, HELB, SHA) as required by law.
2. Law enforcement agencies for the prevention or detection of crime.
3. Authorized third-party service providers supporting KRA’s operations (bound by confidentiality and data protection obligations).
4. International bodies or tax authorities in accordance with applicable treaties.

It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by us.

Where necessary KRA may transfer personal data to other countries, stakeholders, partners or entities outside Kenya so long as those countries, stakeholders, partners or entities have equivalent data protection laws.

9.0 PROTECTION OF PERSONAL DATA

The Authority ensures that access to electronic and physical repositories containing your personal data is controlled based on reasonable and appropriate administrative, physical, and organizational safeguards. We implement security measures designed to protect your information from unauthorized access.

Your account is protected by your account password and KRA urges you to take steps to keep your personal information safe by not disclosing your password and by logging out of your account after each use.

By using the Authority’s systems, sites and access services, you acknowledge that you understand and agree to assume these risks. You also accept responsibility not to disclose your PIN and tax information to suspicious individuals.

10.0 RETENTION OF PERSONAL DATA

We will only retain your personal data to fulfil the purposes for which we collect your data and to satisfy any legal requirements to which we are subject.  To determine the appropriate retention period, we consider the size, nature and sensitivity of the personal data, the purposes for which we process the data, the need to comply with internal policies and the applicable legal requirements.

Due to the nature of our mandate, we may retain your personal data indefinitely in administration of a tax law or in compliance with any other legal obligation.

11.0 USE OF COOKIES, EMBEDDED PLUG-INS, WIDGETS & LINKS

The Kenya Revenue Authority website use “cookies” to give you more personal, convenient website visits. This enables us to recognise you during subsequent visits.

You can accept or decline cookies. If you choose to decline cookies, you may not be able to fully experience the interactive features of the Kenya Revenue Authority services or web sites you visit.

Within the Kenya Revenue Authority’s Corporate Website, there are embedded applications, plug-ins, widgets or links to non-Kenya Revenue Authority Websites (collectively “sites”). These sites operate independently of the Kenya Revenue Authority and have their own privacy policies. When you visit these sites, you leave our website and no longer will be subject to our privacy and security policies. The Kenya Revenue Authority is not responsible for the privacy or security practices or the content of other sites, and as such does give an endorsement of those sites or their content.

This website uses cookies to enhance user experience and to analyse performance and traffic on our website. By accessing our website, you agree to the storing of cookies on your device to enhance site navigation and analyse site usage. You also have a right to opt out on nonessential cookies as stated in the privacy 

By clicking 'I Accept' when you visit this website, you confirm that you have read, understood and agree to the provisions to this privacy notice.

We may store some information (using "cookies") on your computer when you visit our websites. This enables us to recognize you during subsequent visits. The type of information gathered is non-personal (such as: The Internet Protocol (IP) address of your computer, the date and time of your visit, which pages you browsed and whether the pages have been delivered successfully.

We may also use this data in aggregate form to develop customized services - tailored to your individual interests and needs. Should you choose to do so, it is possible (depending on the browser you are using), to be prompted before accepting any cookies, or to prevent your browser from accepting any cookies at all. This will however cause certain features of the web site not to be accessible

12.0. CONTACT

KRA Data Protection Officer

For any questions regarding your personal data or this privacy notice, you may reach our Data Protection Officer on;

Name: Mr. Peter Kaburia

Designation: Chief Manager, Data Governance & Service Level Management

Email: dataprivacy@kra.go.ke

Telephone: 0709017038

KRA also welcomes your questions or concerns about how it processes your personal data or if you want to exercise any of your rights in relation to your personal data, by writing to us on email: dataprivacy@kra.go.ke 

13.0 AMENDMENT TO THIS NOTICE

This privacy notice was last updated on 25^th September 2025.

We reserve the right to amend this privacy notice at any time. All amendments to this privacy notice will be posted on KRA’s website. Unless otherwise stated, the current version shall supersede and replace all previous versions of the privacy notices.