Kenya’s Data Protection Act (DPA), enacted on November 8, 2019, and effective from November 25, 2019, establishes a comprehensive legal framework for the protection of personal data. It regulates the collection, processing, storage, and sharing of personal data while ensuring that individuals’ privacy rights are upheld. The Act aligns Kenya’s data protection standards with global best practices, including the EU General Data Protection Regulation (GDPR).
Scope and Applicability
The DPA applies to both public and private entities that process personal data within Kenya. It also extends to entities outside Kenya that process personal data of individuals residing in Kenya. This ensures that all organisations handling personal data of Kenyan residents comply with the Act, regardless of their physical location.
Key Principles of Personal Data Processing
Organisations subject to the DPA must adhere to the following seven fundamental principles:
- Lawfulness, Fairness, and Transparency – Personal data must be processed lawfully, fairly, and in a transparent manner.
- Purpose Limitation – Data should be collected for explicit, specified, and legitimate purposes and not further processed in an incompatible manner.
- Data Minimisation – Data collected should be adequate, relevant, and limited to what is necessary for its intended purpose.
- Accuracy – Personal data must be accurate and kept up to date where necessary. Inaccurate data must be corrected or deleted.
- Storage Limitation – Personal data should not be retained longer than necessary for the purpose it was collected.
- Integrity and Confidentiality – Personal data must be processed securely to protect against unauthorised access, loss, or destruction.
- Accountability – Data controllers are responsible for compliance with data protection principles and must demonstrate adherence to the law.
Rights of Data Subjects
Under the DPA, individuals (data subjects) are granted the following rights:
- Right to Be Informed – Individuals have the right to be informed about the collection and use of their personal data.
- Right of Access – Individuals can request access to their personal data held by a data controller or data processor.
- Right to Object – Individuals can object to the processing of their personal data, including for direct marketing purposes.
- Right to Rectification – Individuals can request the correction of false or misleading personal data.
- Right to Deletion of false or misleading data – Individuals can request the deletion of personal data that is false or misleading.
- Right to Erasure (“Right to be Forgotten”) – Individuals can request the complete erasure of all their personal data held by a data controller when it is no longer necessary, consent has been withdrawn, or the processing is unlawful.
- Right to Data Portability – Individuals can request to receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another data controller.
- Right Not to be Subject to Automated Decision-Making – Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, which significantly affects them.
These rights give data subjects greater control over how their personal data is handled and used.
Obligations of Data Controllers and Processors
Entities that determine the purpose and means of processing personal data (data controllers) and those that process data on behalf of controllers (data processors) are required to:
- Register with the Office of the Data Protection Commissioner (ODPC) before processing personal data.
- Appoint a Data Protection Officer (DPO) if their processing is high-risk, for example large-scale processing or the processing of sensitive personal data. The DPO is responsible for ensuring compliance with the DPA.
- Ensure lawful processing of personal data in accordance with the principles of data protection.
- Implement security safeguards to protect personal data from unauthorised access, loss, or misuse.
- Facilitate the exercise of data subject rights by establishing mechanisms for individuals to access and control their personal data.
- Report data breaches to the ODPC and affected data subjects within a reasonable timeframe.
- Meet data localisation requirements by processing personal data through a data centre located in Kenya or by storing a serving copy of the personal data in Kenya.
- Develop policies on data retention and data protection as required under the General Regulations.
Cross-Border Data Transfers
Organisations can transfer personal data outside Kenya if they ensure adequate safeguards for data protection. Transfers are permitted under the following conditions:
- The recipient country has adequate data protection laws.
- Appropriate security measures are in place.
- The transfer is necessary for a contract, legal claim, or public interest.
- The data subject has provided explicit consent, especially for sensitive personal data.
- Binding corporate rules or agreements approved by the Data Commissioner allow controlled transfers.
The Data Commissioner has the authority to approve, restrict, or impose conditions on cross-border data transfers to protect individuals’ rights.
Enforcement and Penalties
The Office of the Data Protection Commissioner (ODPC) is responsible for enforcing the DPA. Non-compliance can lead to severe penalties, including:
- Fines of up to KES 5 million or 1% of an organisation’s annual turnover, whichever is lower.
- General penalties of up to KES 3 million or imprisonment for up to 10 years, or both, for serious violations.
These penalties emphasise the importance of compliance in avoiding severe financial and legal consequences.
Kenya’s Data Protection Act, 2019, is a crucial step toward ensuring data privacy and security. Organisations that collect or process personal data of Kenyan residents must comply with the law to uphold individuals’ rights and avoid regulatory penalties.
DPA Solutions
Advoke International provides comprehensive solutions tailored to support your organisation in achieving compliance with the Kenyan DPA.
- DPA Gap Analysis
- Privacy Framework Implementation
- DPA Readiness Assessment
- Complete DPA Compliance Review
Frequently Asked Questions
Who does the Kenya Data Protection Act (DPA) apply to?
The DPA applies to any organisation, public or private, that collects, processes, or stores personal data of individuals in Kenya. It also applies to foreign entities handling Kenyan residents’ data.
Are companies required to store personal data within Kenya?
Not generally. However, the government may require specific types of data to be processed and stored locally for national security or economic reasons.
Can companies transfer personal data outside Kenya?
Yes, but only if the receiving country has adequate data protection laws or if there are appropriate safeguards, such as binding agreements or the data subject’s explicit consent.
How can individuals report data privacy violations?
Complaints can be filed with the Office of the Data Protection Commissioner (ODPC), which investigates violations and enforces compliance.
Can individuals withdraw their consent after giving it?
Yes, individuals have the right to withdraw consent at any time, and organisations must stop processing their data unless there is another legal basis for doing so.