The Constitution of Kenya [“the Constitution”] guarantees the right to privacy as a fundamental right. In 2019, the Data Protection Act, 2019 [“the Act”] was enacted to govern the processing of the Data lawfully while maintaining security safeguards to protect personal data. The Act seeks to;
- Give effect to the Right to Privacy under the Constitution of Kenya, 2010
- Establishment of the Office of the Data Commissioner;
- Regulate the Processing of Personal Data;
- Provide for the rights of data ‘Subjects’ [person whose information is collected e.g.
employees, service providers or third parties either directly or indirectly]; and
- Obligation of the data ‘Controllers [person who determines the purpose and means of
processing of Personal data] and ‘Processors’ [Person who processes personal date
on behalf of the data controller]
The Principles that the Data Protection Act seeks to enforce include;
- Processing of Data Lawfully;
- Minimise Collection of data
- Restrict further processing of data;
- Requires data controllers and data processors to ensure data quality;
- Establish and maintain security safeguards to protect personal data
How does the Kenya Data Protection Act protect Personal Data and Privacy?
To enforce the Kenya Data Protection Act, the Office of the Data Commissioner [ODPC] was formed whose mandate is to ensure that the provisions of the Act are followed through:
Organizations that process personal data are held to high regulation standards by the ODPC which ensure that the interests of the data subject are protected
Organizations in the Scope of
the Data Protection Act are subject to oversight of the Officer of the Data Protection Commissioner, who will monitor and audit the data collection procedures to ensure compliance with the Act.
An Enforcement Notice may be issued by the Data Protection Commissioner outlining the consequences of failure to comply with the Act, which may include fines and penalties.
Who needs to Comply?
Compliance with the Kenyan Data Protection Act is mandatory and all organizations as listed below and any company collecting any personal data must comply:
Business with a turn over of
more than Kenya Shillings
Businesses with more than 10
Businesses dealing with
Personal data such as Client
records, account details,
medical history, next of kin,
service providers and
supplier information etc
Failing to comply with the Kenya Data Protection Act leads to expensive fines, prison or both.
Organizations are fined up to
Kenya Shillings 5,000,000/
Individuals faces fines in
excess of Kenya Shillings
3,000,000, years in prison or