Passing of Data Protection Law in Kenya

The right to privacy is guaranteed as a fundamental right in Kenya’s Constitution. The Data Protection Act, 2019 (the “DPA”) was enacted and came into effect on November 25, 2019, to give effect to this constitutional right under Article 31(c) and (d).

The Act establishes a comprehensive legislative framework for protecting people’s personal information. It established the Office of the Data Protection Commissioner, which is responsible for regulating the processing of personal data, and it specifies the rights of data subjects as well as the obligations of data controllers and processors.


Subsequently, the following regulations came into effect on 31 December 2021:

  1. The Data Protection (General) Regulations, 2021;
  2. The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021; and
  3. The Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021.

Kenya’s Data Protection Commissioner, Immaculate Kassait. Image by NMG


The assent to the bill paved the way for the appointment of the first Data Commissioner of the Republic of Kenya, Ms. Immaculate Kassait, MBS, on 16 November 2020.

Overview of some obligations

1. Data Processing Principles (section 25)

As highlighted in Part IV of the Act, all data processors/controllers are required to comply with the data protection principles, which are:

  • Data processing in accordance with the right to privacy of the data subject;
  • Fair and transparent processing of a data subject’s personal data;
  • Collection of personal data for specified and legitimate purposes, with no further processing beyond those purposes;
  • Purpose limitation for data collected;
  • Collection of personal data relating to family or private affairs only where a valid explanation is provided;
  • Accuracy of collected personal data and every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  • Personal data is to be kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
  • Personal data shall not be transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.


2. Duty to Notify (section 29)

Before collecting any personal data, data processors/controllers must inform the data subject of the following:

  • The rights of the data subject specified under section 26;
  • The fact that personal data is being collected;
  • The purpose for which the personal data is being collected;
  • The third parties to whom the personal data has been or will be transferred, including details of the safeguards adopted;
  • The contacts of the data controller or data processor, and whether any other entity may receive the collected personal data;
  • A description of the technical and organizational security measures taken to ensure the integrity and confidentiality of the data;
  • Whether the data is being collected pursuant to any law, and whether such collection is voluntary or mandatory;
  • The consequences, if any, where the data subject fails to provide all or any part of the requested data.


3. Lawful Processing (section 30)

A data controller or data processor shall not process personal data unless one of the following applies:

  • Consent: the individual has given clear consent for the data processor or controller to process their personal data for a specific purpose;
  • Contract: the processing is necessary for the performance of a contract between the data processor or controller and the data subject, or because the data subject has asked the data processor or controller to take specific steps before entering into a contract;
  • Legal obligation: the processing is necessary for the data processor or controller to comply with the law (not including contractual obligations);
  • Vital interests: the processing is necessary to protect the vital interests of the data subject or another natural person;
  • Public task: the processing is necessary for the data processor or controller to perform a task in the public interest or in the exercise of official authority vested in the controller;
  • Legitimate interests: the processing is necessary for the legitimate interests of the data processor or controller, or of a third party, unless there is a good reason to protect the data subject’s data which overrides those legitimate interests; and
  • Historical, statistical, journalistic, literary and artistic, or scientific research: the data is required for such pursuits.


4. Data Retention Obligations

Personal data must be retained for a valid purpose and only for as long as is reasonably necessary for that purpose.

Under the Regulations, data controllers and processors must develop a data retention schedule with adequate time limits for reviewing the need for continued storage. Data retention must be audited on a regular basis.

Once the purpose for which the personal data was collected has lapsed, data controllers and processors must erase, destroy, anonymize, or pseudonymize the personal data they have retained.

5. Data Protection

In relation to any data subject, every data controller or processor is obligated to ensure that all personal data is processed lawfully, fairly, and transparently. The Act applies to data controllers and processors established or resident in Kenya or outside Kenya, insofar as they process personal data while in Kenya or personal data of data subjects located in Kenya.

6. Storage of Data

The Act prescribes no fixed time limits for how long personal data is to be kept. When determining retention periods, data controllers and processors must apply a reasonableness test.

7. Sensitive Data

Race, health, ethnic or social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details (including the names of children, parents, spouse or spouses), sex, and sexual orientation are all considered sensitive data. The collection, storage, and processing of such data are subject to specific rules. Personal data on a data subject’s health, for example, may only be handled by or under the supervision of a health care provider.

8. Transfer of Personal Data Outside Kenya

Data controllers and processors will be permitted to transfer personal data to another country only where the data controller or processor has demonstrated to the Commissioner that all the necessary controls for the security and protection of personal data have been implemented.

9. Exemptions

In cases where data disclosure would be in the public interest, such as journalism, literature and art, research, history, and statistics, general exemptions from the Act apply (all under specific circumstances).

10. Enforcement

The Act gives the Commissioner investigative powers, including the power to enter and search premises and to levy administrative fines. Where personal data has been accessed or acquired by an unauthorized person and there is a real risk of harm to the data subject whose personal data has been accessed, the data controller must notify the Commissioner without delay, and within 72 hours of becoming aware of the breach.

Offenses under the Act can result in a fine of up to KES 5 million and/or a prison sentence of up to ten years.

Disclaimer: The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.


Useful links

  1. The Data Protection Act No. 24 of 2019 
  2. The Data Protection (General) Regulations, 2021




Tags: Data Privacy, Data Protection, Kenya Laws, Laws of Kenya