Welcome to AAR’s Job Applicant Privacy Policy. We appreciate you taking the time to read all our notices carefully.

AAR Insurance Limited (“AAR”, “We”, “Us”, “Our”) is committed to ensuring that your Personal Data is collected and used lawfully and transparently. We process your personal information according to the Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021.


AAR is a leading medical and general insurance company, providing innovative underwriting solutions to individuals, families, and businesses. We offer products ranging from Family Plans, Personal Accident Insurance, School Insurance, Home Owners Insurance, Medical Insurance for SMEs and Corporates, Professional Indemnity, WIBA Cover, Travel Insurance, Marine Insurance and Landlord Insurance.

Our offices are located at Real Towers, Upperhill, Nairobi, Kenya.


As part of our recruitment process, AAR collects and processes personal data relating to job applicants to assess their suitability for open positions. We are committed to being transparent about how we collect and use personal data as well as meeting the data protection obligations set out in the Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021.

For purposes of the Data Protection Act, AAR is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you.

This Privacy Policy:

  • describes the types of personal data we collect about you
  • explains how and why we collect and use your personal data
  • explains how we collect, use, store, transfer or share your personal data
  • sets out your rights over your personal data and how you can exercise these rights
  • provides you with internal points of contact, should you have any questions about our use of your Personal Data.


For purposes of this Job Applicant Privacy Policy, personal data means any information relating to an individual.


As part of our recruitment process, we collect and process personal data relating to job applicants. We collect a range of information about you. This includes:

  • your first name, middle name, and last name
  • telephone numbers
  • email addresses
  • postal address
  • identification details such as ID/Passport number
  • gender
  • passport photos
  • information contained in your curriculum vitae (CV) such as:
    1. work/employment history including details of your employment background, position, work experience, skills, competencies
    2. information relating to your job expectations
    3. education history including degrees, certificates, transcripts
  • your current and expected compensation i.e., your salary and benefits
  • referee names and contact details
  • questions and responses given during interviews
  • job interview video recordings
  • interview notes and related documentation
  • background checks and psychometric test results
  • information from referees

AAR does not usually request sensitive personal information, i.e., information regarding your race, ethnicity, political opinions, religion and religious beliefs, trade union membership, details of your spouse or children, sexual orientation or political affiliation, in connection with your application. Unless specifically responding to a question asked by us, please do not include sensitive personal data as part of your application. If we do require this information in connection with your application, this will be highlighted to you, and we will obtain the necessary consents and acknowledgements.

AAR is committed to leveraging each applicant’s skills and competencies to find the right match for a role in the organization as opportunities arise.

If you are successfully hired, AAR keeps this information for the course of the employment relationship and, to the extent permitted, after the termination of employment.

If your application is not successful, we may retain and use your personal data for a further one (1) year to consider you for other job opportunities where permitted by applicable law and/or for as long as necessary to comply with legal record retention requirements. If you do not wish us to retain your personal data, please contact us on


We get information about you from the following sources:

  • Directly from you. For example, the information may be contained in your CV, application letter, your identification documents or it may be gathered from interviews or assessments that you take during the interview process.
  • Automatically-collected information – this includes:
    1. online identifiers such as IP addresses, domain names, information about pages you view on our website including but not limited to the links clicked, traffic data, features used,
    2. Cookies or similar activity – cookies (small text files stored in a user’s browser), beacons (electronic images that allow us to count users who have accessed particular content and to access certain cookies), the tags through the website, tracking technology.
  • From a recruitment or employment agency. We may also receive your CV and information from recruitment agencies or headhunter firms whom we have engaged to carry out our recruitment on our behalf.
  • From your references or background checks providers. We contact your employment references to obtain personal information relating to your employment. We may also obtain such information from background check providers whom we shortlist from time to time.
  • From LinkedIn or other publicly available professional networking platforms. We may sometimes obtain your contact details from these platforms. Where we do so, we adhere to the platform’s terms and your privacy settings. We will only contact you if your settings and the terms of use permit us to do so.


  • to set up interviews and determine the types of assessments to be administered
  • to assess your suitability for the role applied for
  • to communicate with you about the progress of your application
  • to contact third party references provided by you to evaluate your previous performance
  • to conduct background checks to the extent permitted by law
  • to maintain records in relation to the recruitment process according to our data retention policy
  • to develop and improve our recruitment processes, website and other related services.
  • if you are hired, to populate your employee file and various systems and tools used in connection with your employment at AAR
  • to comply with any legal obligations imposed on us


AAR processes your personal data for the following purposes: -

  • To establish and perform the employment contract. We assess your capabilities and job qualifications so as to make a decision about your recruitment or appointment.
  • Where necessary for AAR’s legitimate interests, where those interests are not overridden by your data protection rights
  • Where required by applicable laws: Immigration documentation is processed to ensure the candidate is entitled to work in the country where the job is located.

To comply with specific provisions of law concerning personal data processing at work for reasons of substantial public interest as may be determined by law.


  • AAR stores your personal information on AWS servers located in the Western Europe region and on servers of its authorized third-party service providers. This means that your Personal Data may be transferred across international borders to countries other than the one in which you are applying.
  • AAR takes appropriate steps to ensure that it gets your express unsolicited consent and puts in place necessary protective safeguards before transferring your personal data outside Kenya.


  • We take care to allow your Personal Data to be accessed only by those who truly must access it in order to perform a service for you or for AAR, and to third parties who have a legitimate purpose for accessing it.
  • Whenever we authorize third parties to access your Personal Data, we take steps to ensure they have appropriate security measures in place and that they only use the Personal Data in confidence and in a way that is consistent with this Privacy Notice.
  • We may share your Personal Data in the following ways:
  1. With appropriate personnel within AAR such as Human Resources personnel.
  2. With third party service providers and agents: We may also make certain Personal Data available to third parties who provide services to us (such as our human resource management software, background checks and psychometric service providers, headhunter firms, cloud service providers, and recruitment service providers). When we share with these third parties, we do so on a need-to-know basis and under clear contractual terms and instructions for the processing of the Personal Data.
  3. With other third parties: We may also share your information with other types of third parties, such as our legal representatives, industry groups or self-regulatory bodies, on lawful grounds. For example:
    • With your consent.
    • To comply with our legal obligations (including to comply with laws, regulations, and contracts, to respond to court orders, administrative or judicial process, subpoenas and search warrants, or to meet national security and law enforcement requests);
    • To establish, exercise, or defend against potential, threatened, or actual litigation.
    • To protect the safety, property, or vital interests of a person.
    • To protect AAR’s rights or property.
    • To protect AAR, our other Employees, customers, or the public from harm or illegal activities.
    • To respond to an emergency that we, in good faith, believe requires us to disclose data to prevent harm; and
    • In connection with the sale, assignment, merger, or other reorganization or transfer of all or part of our business.


AAR has taken appropriate technical, administrative, physical and procedural security measures, consistent with local and international information practices, to protect the personal data from misuse, unauthorized access or disclosure, loss, alteration, or destruction. These measures include:

  • Physical safeguards, such as locked doors and file cabinets, controlled access to our facilities, and secure destruction of media containing personal data.
  • Technology safeguards, such as use of anti-virus and endpoint protection software, passwords, encryption, and monitoring of our systems and data centres to ensure compliance with our security policies.
  • Organizational safeguards, through training and awareness programs on security and privacy, to ensure employees understand the importance and means by which they must protect personal data, as well as through privacy policies and policy standards that govern how AAR treats personal data.


Our ability to perform our obligations derived from your employment contract with AAR and our ability to comply with our legal and contractual obligations sometimes depends on AAR having access to and being able to use certain personal data. Therefore, and depending on the circumstances, if you do not provide us with the personal data we request or if you ask that we stop processing your personal data, we may not be able to perform our contractual obligations, or we may be in breach of one or more legal obligations applicable to us. In some cases, if we are not allowed to process your personal data, this may result in us being required to terminate our work relationship with you.


The Data Protection Act accords you several rights. However, these rights are not absolute and may be subject to some exceptions according to the data protection law.

  1. Right to information: you have a right to be informed of how AAR will use your personal data.
  2. Right of access: you are entitled to access your personal data that is in our possession or custody.
  3. Right to object: you can object to the processing of all or part of your personal data, unless we can demonstrate a compelling legitimate interest for the processing which overrides your interests or for the establishment, exercise or defence of a legal claim.
  4. Right to rectification: you have the right to request us to rectify or correct, without undue delay, personal data in our possession or under our control that is inaccurate, outdated, incomplete or misleading.
  5. Right to erasure: you can request us to delete or destroy, without undue delay, personal data that we are no longer authorized to retain or which is irrelevant, excessive or obtained unlawfully.
  6. Right to data portability
    • You have the right to receive personal data concerning you in a structured, commonly used and machine-readable format and to transmit the data to another data controller without hindrance.
    • Where technically possible, you have the right to have personal data transmitted directly from us to another data controller or data processor.
  7. Automated decision making
    • You have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or that significantly affects you.
    • You also have the right to be informed, in writing, whenever a decision based on automated processing is taken. In addition, you can request us to reconsider any decisions made based on automated processing or to take a new decision that is not based solely on automated processing.
  8. Right of restriction: You have the right to request us to restrict the processing of personal data where:
    • you contest the accuracy of the personal data
    • the personal data is no longer required for the purpose of the processing
    • the processing is unlawful and you have opposed the erasure of the personal data and requested restriction of its use instead
    • you have objected to the processing of personal data, pending verification as to whether the legitimate interests of the data controller or data processor override those of the data subject.
  9. Right to raise a complaint: You can raise a complaint about our processing with the Regulator i.e. the Data Commissioner in Kenya. You may also be able to seek a remedy through the courts if you believe that your rights have been breached.


  • If you wish to exercise any of the rights outlined above, please write an email to the Data Protection Officer (DPO) on
  • We will endeavour to answer all questions via email within the timelines stipulated in law.
  • If the provision of the data involves the data of third parties, these third parties can be asked in advance whether they have objections to the provision.
  • We may ask for identification, because we need to know for certain whether we are issuing the data to the right person.
  • In some cases, we will not be able to comply with your request. If this happens, you will be duly notified.


If you have any questions or complaints about the processing of personal data, you can contact AAR on


This Privacy Notice may be updated periodically. We will update the date at the top of this Privacy Notice accordingly. On some occasions, we may also actively advise you of specific data handling activities or significant changes to this Privacy Notice as required by applicable law.

Updated on: 02-06-2022