shield_person Governance · Statutory Notice

Privacy Policy.

CEMASTEA is a data controller under the Data Protection Act, 2019 (No. 24 of 2019). This policy explains what personal data we collect through cemastea.ac.ke and our related services, why we collect it, the lawful basis we rely on, how long we keep it, and the rights you have over it.

Effective date

1 May 2026

Last reviewed

21 April 2026

Regulator

Office of the Data Protection Commissioner

1. Who we are

The Centre for Mathematics, Science and Technology Education in Africa ("CEMASTEA", "we", "us", "our") is a State Corporation established under Legal Notice No. 41 of 2014 and operating under the Ministry of Education of the Republic of Kenya. Our registered office is:

CEMASTEA
Karen Road, Junction with Bogani Road
P.O. Box 24214–00502, Karen
Nairobi, Kenya

For any matter relating to this policy, or to exercise any of the rights in section 7 below, contact our Data Protection Officer at dpo@cemastea.ac.ke.

2. Personal data we collect

We only collect personal data that is adequate, relevant and limited to the purpose for which it is processed (§25(c) of the Act). Depending on how you interact with us, this includes:

Identification & contact

Full name, TSC number (where supplied), email, telephone, county, school or institution — collected through our contact, partnership, support, and newsletter forms.

Professional data

Designation, subject specialisation, and programme history — collected when you apply for or participate in a CEMASTEA training programme.

Application & procurement

CV, referees, bid documents, KRA PIN, and supporting evidence — collected when you respond to a published vacancy or tender notice.

Technical data

IP address, browser type and version, pages visited, referring URL, session timestamps — collected automatically through server logs and cookies.

Image & media

Photographs and video recordings taken at CEMASTEA-hosted events where signage and verbal notices indicate that recording is in progress.

We do not knowingly collect personal data from children under the age of 18 through this website. Where a programme involves learners, data is collected from the teacher, school principal, or parent/guardian acting on the child's behalf.

3. Why we process it, and our lawful basis

Under §30 of the Act, every processing activity must have a lawful basis. Ours are:

Purpose Lawful basis
Delivering the STEM teacher professional-development mandate assigned to CEMASTEA by the Ministry of EducationPublic task — §30(1)(e)
Processing vacancies, tenders, and other statutory corporate transactionsLegal obligation — §30(1)(c)
Responding to contact, support, and partnership enquiriesConsent — §30(1)(a)
Sending the CEMASTEA newsletter and programme announcementsConsent — §30(1)(a); withdrawable any time
Operating, securing, and improving the websiteLegitimate interest — §30(1)(f)

4. Who we share your data with

We do not sell personal data. We share it only where strictly necessary, and only with:

  • The Ministry of Education and other Kenyan government bodies where required by law.
  • Development partners (e.g. JICA, UNESCO, JKUAT, Kenyatta University) where joint delivery of a programme you enrol in requires it.
  • Technology processors who host our infrastructure, under written contracts that bind them to §42 processor obligations.
  • The Office of the Attorney General, the EACC, the DCI, or a court of competent jurisdiction, where lawfully compelled.

5. How long we keep it

We retain personal data only for as long as is necessary for the purpose it was collected, in line with our Records Retention and Disposal Schedule filed with the Kenya National Archives and Documentation Service. In practice: enquiry and newsletter records are retained for 24 months after last contact; programme participation records for 10 years; procurement and employment records as prescribed by the Public Procurement and Asset Disposal Act, 2015 and the Employment Act, 2007; server logs for 90 days.

6. Transfers outside Kenya

Some of our processors operate infrastructure outside Kenya. Where personal data leaves the country, we rely on one of the safeguards set out in §48 and §49 of the Act — typically an adequacy determination issued by the ODPC, or contractual clauses imposing protections equivalent to those in the Act.

7. Your rights as a data subject

Under §26 of the Data Protection Act, you have the right to:

  • be informed of the use to which your personal data is to be put;
  • access your personal data in our custody;
  • request the correction of inaccurate, misleading, or out-of-date data;
  • object to the processing of all or part of your personal data;
  • request the deletion of false or misleading data, or data held without lawful basis; and
  • withdraw consent at any time where processing is consent-based.

To exercise any of these rights, email dpo@cemastea.ac.ke. We will respond within seven (7) working days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Data Protection Commissioner at odpc.go.ke.

8. Cookies and similar technologies

We use strictly-necessary session cookies to keep you signed in to the staff portal and to maintain CSRF protection on our forms. We also use first-party analytics cookies to understand how visitors use the website so we can improve it; these are aggregated and do not identify you individually. You can disable cookies in your browser settings; strictly-necessary cookies cannot be disabled without breaking authenticated features.

9. Security

We apply technical and organisational measures commensurate with the sensitivity of the data, including TLS in transit, encryption at rest for sensitive records, role-based access control, audit logging, and annual staff training on information-handling. No system is fully immune; if a personal-data breach occurs we will notify the ODPC within seventy-two (72) hours as required by §43 of the Act, and affected data subjects without undue delay.

10. Changes to this policy

We review this policy at least once every twelve (12) months and whenever a change to our processing activities requires it. Material changes will be announced on the homepage and communicated to registered users by email.

Questions about how we use your data?

Write to our Data Protection Officer at dpo@cemastea.ac.ke or reach the Corporation through the general contact form.

Contact CEMASTEA arrow_forward