Data Protection Compliance
Last updated: 22 June 2026
Africa Afya Healthcare Limited ("Africa Afya," "we," "us," or "our") is committed to protecting personal data in accordance with the Kenya Data Protection Act, 2019 (the "Act") and its implementing regulations. This page sets out how we approach our obligations under the Act, separate from our general Privacy Policy, and applies to all personal data processed in connection with africaafya.co.ke, AfyaRad Marketplace, and AfyaRad Community.
1. Our Role Under the Act
Depending on the activity, Africa Afya Healthcare Limited acts as either a data controller or a data processor, as defined under the Act:
- As a data controller, we determine the purpose and means of processing personal data we collect directly — for example, AfyaRad Community member accounts, Teleradiologist credentialing records (including the documents and notarised declaration collected during onboarding), and Facility billing details.
- As a data processor, we process patient health data submitted by a Facility through AfyaRad Marketplace strictly on that Facility's instructions. The submitting Facility remains the data controller for its patients' data unless a separate written Data Processing Agreement states otherwise.
2. Data Protection Principles We Apply
In line with Section 25 of the Act, we process personal data in accordance with the following principles:
- Lawfulness, fairness, and transparency — we process data only where we have a valid legal basis, and we are transparent about our practices, including in this page and our Privacy Policy.
- Purpose limitation — we collect data for specified, explicit purposes only. For example, the detailed disclosures collected during Teleradiologist onboarding (licensure history, disciplinary history, conflicts of interest) exist solely to support credentialing and patient safety, not for any unrelated purpose.
- Data minimisation — we collect only the data reasonably necessary for the purpose. AfyaRad Community does not collect patient-identifying information at all, because it has no need to.
- Accuracy — we take reasonable steps to keep personal data accurate and up to date, and Teleradiologists are contractually required to notify us promptly of any change to their licensing or regulatory status.
- Storage limitation — we retain personal data only for as long as necessary, as described in our Privacy Policy's retention section.
- Integrity and confidentiality — we apply the technical and organisational security measures described in Section 4 below.
- Accountability — we maintain internal records of processing activities and take responsibility for demonstrating compliance.
3. Lawful Basis for Processing
Where the Act requires a specific lawful basis, we rely on consent, performance of a contract (including the Facility Service Agreement and the Teleradiologist Independent Contractor Agreement), compliance with a legal obligation, or legitimate interests balanced against the data subject's rights. For sensitive personal data, including health data, we additionally rely on explicit consent obtained by the submitting Facility from its patients, or another lawful basis recognised under Section 30 of the Act, such as the provision of healthcare services by a duly authorised health professional.
4. Security Measures
Consistent with Section 41 of the Act, our security measures include:
- Encryption of data in transit using TLS/HTTPS across all our services
- Encryption of DICOM imaging studies and clinical reports at rest within AfyaRad Marketplace
- Role-based access controls restricting data access to personnel and Teleradiologists with a legitimate need to access it
- Restricted internal access to identity documents, licence certificates, indemnity certificates, and bank or mobile-money details collected during onboarding, limited to personnel performing credentialing or payment functions
- Full audit trails of access to patient studies and reports within AfyaRad Marketplace
- Secure password storage using industry-standard hashing
- Regular review of system access and account activity to detect anomalies
- Restriction of AfyaRad Marketplace access to verified healthcare professionals and authorised facility representatives who have completed onboarding
5. Data Subject Rights
Under Sections 26 to 40 of the Act, you have the right to:
- Be informed of the use of your personal data
- Access your personal data
- Request correction or rectification
- Request deletion of false or misleading data
- Object to processing
- Request a portable copy of your data
How to Submit a Data Subject Request
Email us at info@africaafya.co.ke with the subject line "Data Subject Request," specifying the right you wish to exercise, sufficient information for us to locate your record (such as your registered email address, facility name, or Teleradiologist declaration reference), and any additional relevant detail. We will acknowledge your request within seven (7) working days and aim to resolve it within thirty (30) days. We may request additional information to verify your identity before processing a request.
6. Personal Data Breach Notification
In the event of a personal data breach likely to result in a risk to data subjects' rights and freedoms, we will:
- Notify the Office of the Data Protection Commissioner within seventy-two (72) hours of becoming aware of the breach where required under Section 43 of the Act
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights
- Document the breach internally regardless of whether external notification was required
Facilities under a Data Processing Agreement will additionally be notified in accordance with that agreement.
7. International Data Transfers
Where personal data is transferred outside Kenya — for example, to our cloud infrastructure or email delivery providers — we ensure such transfers comply with Section 48 of the Act, including verifying adequate data protection safeguards in the recipient jurisdiction or putting in place appropriate contractual safeguards.
8. Data Processing Agreements for Facility Partners
Facilities that require a formal Data Processing Agreement, in addition to the Facility Service Agreement, may request one by contacting us using the details in Section 9. We will work with Facilities to put in place an agreement that reflects the specific data flows relevant to their use of AfyaRad Marketplace.
9. Data Protection Contact
For any question regarding our data protection practices, to exercise a data subject right, to check our current ODPC certification status, or to request a Data Processing Agreement, contact:
Africa Afya Healthcare Limited
Karen Flame Business Centre, Dagoretti Road
Nairobi, Kenya
Email: info@africaafya.co.ke
Phone: +254 799 657 949
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya.