Data Protection Act: A New Era for Data Privacy in Kenya

In this new digital era, it has become common for countries to put in place legal structures to regulate the processing and distribution of personal data. To this end, the Kenyan legislature recently enacted the Data Protection Act 2019 in a bid to protect citizen’s right to privacy as envisioned in the Kenyan Constitution.

In this article we highlight some key provisions of the new Act.

What is the Act about?

The Act regulates the processing of personal data to protect the privacy of individuals by establishing legal and institutional mechanisms to guide the storage and use of personal data.

Who are Bound by the Provisions of the Act?

Data Controllers: These are persons or legal entities who determine the purpose and the means of processing personal data. An example of a Data Controller would be an employer.

Data Processors: These are persons or legal entities who process personal data on behalf of the Data Controller. It is worth noting that “processing” is defined to mean the collection, recording, organization, structuring, storage, disclosure or transmission of personal data. An example of a Data Processor would be a telecommunication company such as Safaricom.

Data Subject: This is an identifiable person who is the subject of personal data. An example of a Data Subject would be any person who provides data.

Any person or legal entity that process large volumes of data in respect to their clients and employees automatically qualify as Data Controllers and Data Processors and would therefore be bound by the Act.

What are some Requirements for Data Controllers and Data Processors under the Act?

Registration Requirements

Data Controllers and Data Processors are required to register with the Data Commissioner, which is a new official created under the Act. Such registration will be determined by a threshold that is to be prescribed by the Data Commissioner taking into consideration (i) the nature of the industry, (ii) volumes of data being processed and (iii) any other criteria the Data Commissioner may prescribe.

Applications for registration by Data Controllers and Data Processors will need to be accompanied by the following details:

  • description of personal data being processed;
  • purpose of the personal data;
  • category of data subjects to whom the personal data relates;
  • contact details of the Data Controllers or Data Processors;
  • contact details of the Data Controllers or Data Processors;
  • general description of risks and safeguards in place to ensure protection of personal data;
  • measures in place to indemnify data subjects from prejudiced use of their personal data; and 
  • any other details as may be prescribed by the Data Commissioner.

On compliance with the registration requirements, the Data Commissioner will issue the Data Controller or Data processor with a Certificate of Registration. 

Appointment of Data Protection Officer

A Data Controller or Data Processor may appoint a Data Protection Officer where processing of date  is carried out in the context of certain activities, for example, where the core activities of the Data Controller or Processor require the regular and systematic monitoring of Data Subjects. The main duties of the Data Protection Officer include (i) providing advice on data protection, (ii) capacity building of entities and (iii) ensuring compliance of relevant entities with the provision of the Act. A group of entities, for example a group of companies, may come together to appoint a single Data Protection Officer, however the Data Protection Officer must be accessible to each entity. 

How does the Act Deal with Data that may be Transferred Outside Kenya?

The Act provides that the Data Controllers and Data Processors will need to provide proof to the Data Commissioner of appropriate safeguards in respect to security and protection of personal data. Further, the transfer of such data will be subject to the consent of the Data Subject and should only be undertaken for compelling legitimate reasons such as the performance of a contract between a Data Controller and Data Processor or performance of a contract in the best interest of a Data. This may apply particularly to companies that operate through subsidiaries in Kenya or companies that have contractual obligations with foreign companies. It is worth noting that data collected for purposes of research is exempt from these requirements provided that data is processed in compliance with relevant conditions and the identities of Data Subjects are kept confidential.

What are some of the rights accorded to Data Subjects?

Before processing of personal data, Data Controllers and Data Processors are required to obtain the Data Subjects express consent prior to collection of personal data. On this note, the following rights have also been accorded to Data subjects:


  • to be informed on the use of their personal data;
  • to access their personal data in custody of the Data Controller or the Data Processor; 
  • to object to processing of all or part of their personal data;
  • to correct false or misleading data; and 
  • deletion of false or misleading data.


This would require that businesses and organizations make full disclosure to the Data Subjects of the intended purpose of the information collected with an obligation to make sure that Data Subjects are aware of their rights. Therefore, businesses and organizations may need to look at their internal mechanisms on safeguarding and collection of personal data and ensure that confidentiality is upheld.

Are there any Repercussions for Failure to Comply with Provisions of the Act?

The Data Commissioner reserves the right to vary or revoke the terms and conditions of the Certificate of Registration where a Data Controller or Data Processor fails to comply with the provisions of the Act and this may include imposition of financial penalties of up to Kenya Shillings five million for breaches of any provisions of the Act.

Diana Wariara

is a Paralegal at the Firm.
She is studying Law at the Catholic University of East Africa.

Write a Reply or Comment