Wamae & Allen LLP

What law(s) specifically govern personal data / information?

The following laws govern personal data in Kenya:

  • Article 31 of the Constitution of Kenya, 2010;
  • Data Protection Act, CAP 411C Laws of Kenya;
  • Data Protection (General) Regulations, 2021;
  • Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021;
  • Data Protection (Compliance and Enforcement) Regulations, 2021;
  • Kenya Information and Communications Act (KICA), 1998 (as amended);
  • Access to Information Act, 2016;
  • Digital Health Act, No. 15 of 2023;
  • The Digital Health (Data Exchange Component) Regulations, 2025; and
  • Computer Misuse and Cybercrimes Act, No. 5 of 2018.

What are the key data protection principles in this jurisdiction?

Every data controller or data processor shall ensure that personal data is—

  • processed in accordance with the right to privacy of the data subject;
  • processed lawfully, fairly and in a transparent manner in relation to any data subject;
  • collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
  • accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  • kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
  • not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

What is the supervisory authority / regulator in charge of data protection?

Office of the Data Protection Commissioner as established by Section 5 of the Data Protection Act.

Is there a requirement to register with a supervisory authority / regulator?

Section 18 of the Data Protection Act makes registration mandatory, either as a Data Processor (DP) or as a Data Controller (DC).

However, there are particular exceptions:

  • if the DC or DP has an annual turnover/revenue of below Kshs. 5,000,000; and
  • if the DC or DP has fewer than ten employees.

A DC or DP is exempt only where it satisfies BOTH conditions (an annual turnover/revenue of less than Kshs. 5 million and fewer than ten employees); a DC or DP that does not meet both conditions is not exempt and must register.

However, a company operating in any of the following sectors is not exempt from mandatory registration, notwithstanding the exemptions above:

  • canvassing political support among the electorate;
  • crime prevention and prosecution of offenders (including operating a security CCTV system);
  • gambling;
  • operating an educational institution;
  • health administration and provision of patient care;
  • hospitality industry firms (excluding tour guides);
  • property management, including the selling of land;
  • provision of financial services;
  • telecommunications network or service providers;
  • businesses that are wholly or mainly engaged in direct marketing;
  • transport services firms (including online passenger-hailing applications); and
  • businesses that process genetic data.

Is there a requirement to notify the supervisory authority / regulator?

Yes, for example:

  • Any data breach must be notified to the regulator.
  • Before undertaking data processing activities that pose a high risk to the rights and freedoms of data subjects (e.g., large scale processing of sensitive personal data, automated decision-making with legal effects, or cross-border data transfers), data controllers or processors may need to conduct a Data Protection Impact Assessment (DPIA) and notify the ODPC. The ODPC will review the DPIA.
  • If personal data is to be transferred outside Kenya, data controllers or processors must notify the ODPC in certain cases, particularly where the transfer involves sensitive personal data or lacks adequate safeguards (e.g., to countries without equivalent data protection laws).
  • Changes in Registration Details: Registered data controllers or processors must notify the ODPC of any significant changes to their registration details, such as changes in the purpose of data processing or contact information.
  • Appointment of a Data Protection Officer (DPO): Organisations required to appoint a DPO (e.g., those processing sensitive data or large-scale data) must notify the ODPC of the DPO’s contact details.

Is it possible to register with / notify the supervisory authority / regulator online?

Yes. Registration and notification are undertaken through an online process on the Office of the Data Protection Commissioner’s website. For specific guidance or technical issues, organisations can contact the ODPC helpdesk via email ([email protected]) or the phone numbers listed on the ODPC website.

What are the key data subject rights under the data protection laws of this jurisdiction?

Right to privacy

Under Article 31 of the Constitution of Kenya, every person has the right to privacy, which includes the right not to have: (a) their person, home or property searched; (b) their possessions seized; (c) information relating to their family or private affairs unnecessarily required or revealed; or (d) the privacy of their communications infringed.

Right to information

This is provided under Article 35 of the Constitution, on the right of access to information. Further, under Section 26 of the Data Protection Act, data subjects have the right to be informed of the use of their personal data.

Right of access

S. 26 of the Data Protection Act provides data subjects with the right to access their personal data in the custody of data controllers or data processors.

Right to rectification of errors

S. 40 of the Data Protection Act provides data subjects with the right of rectification or erasure; however, the right is exercised by the data subject making a request to the data controller or data processor.

Right to deletion/right to be forgotten

S. 26 provides data subjects with the right to deletion of false or misleading data about them. Further S. 40 allows for the right to erasure.

Right to restriction of processing

S. 34 provides for particular restrictions on the part of data controllers/data processors. However, any restriction of processing is pursuant to a request made by the data subject.

Right to data portability

S. 38 of the Act provides for the right to data portability.

Right to object to processing

S. 26 grants the data subject the right to object to the processing of their personal data, in whole or in part. Further, S. 36 grants data subjects the right to object to the processing of their personal data.

Right to withdraw consent

S. 32 of the Act provides for the conditions for consent, among which is the right of a data subject to withdraw their consent at any time.

Right to complain to the relevant data protection authority(ies)

S. 56 of the Act gives any person or data subject the right to lodge a complaint with the Data Commissioner over any violation of the Act, or where they are aggrieved by a decision of any person under the Act.

Right not to be subject to automated individual decision-making

S. 35 of the Act provides that data subjects shall not be subject to a decision based solely on automated processing. However, there are exceptions, such as where the decision is necessary for entering into or performing a contract between the data subject and the data controller; where it is authorised by law and the data controller has laid down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests; or where it is based on the data subject’s consent.

Right to be notified

S. 29 of the Act places a duty on the data controller/processor to notify a data subject of their rights, the collection of their data and its purpose, any transfer of their data to third parties, the contacts of the data controller/processor, the security measures in place to ensure the integrity and confidentiality of the data, and any consequences of a failure to provide data. This is to be done before collection, as far as is practicable.

Is there a requirement to appoint a data protection officer (or equivalent)?

Yes, although the designation is optional: any registered data controller or processor may designate a data protection officer, as provided under S. 24 of the Act.

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Yes. Under S. 31 of the Act, a Data Protection Impact Assessment shall be undertaken where a processing operation is likely to result in a high risk to the rights and freedoms of the data subject, having regard to the nature, scope, context and purposes of the processing.

Potential high risk situations are outlined in Section 49 of the Data Protection (General) Regulations and the format of the same is per the Third Schedule of the Regulations.

The Act introduces the need to consult the ODPC prior to processing if the DPIA indicates that the processing would result in a high risk to the rights and freedoms of data subjects. DPIAs must be submitted 60 days prior to the processing of the data. However, this does not affect the processing of data based on prior consent.

Does this jurisdiction have any specific data breach notification requirements?

Yes. Under S. 43 of the Act, the Data Commissioner must be notified within 72 hours of the data controller or processor becoming aware of a breach. This applies where personal data has been accessed or acquired by an unauthorised person, and there is a risk of the personal data being subjected to unauthorised access.

Where notification is delayed beyond the stipulated 72 hours, the notification shall explain the reasons for the delay.

What restrictions apply to the international transfer of personal data / information?

S. 48 of the Act allows personal data to be transferred to another country, but only where the data controller or processor has given proof to the Data Commissioner of appropriate safeguards for the security and protection of the personal data. This proof must also cover the appropriate safeguards, including whether the destination jurisdiction has commensurate data protection laws. Further, the transfer must be necessary for one of the following:

  • the performance of a contract between the data subject and the data controller or processor, or for pre-contractual measures taken at the request of the data subject;
  • the conclusion or performance of an action concluded in the interest of the data subject between the data controller or processor;
  • any matter of public interest;
  • the establishment, exercise or defence of a legal claim;
  • protecting the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
  • the purposes of compelling legitimate interests pursued by the data controller or processor which are not overridden by the rights of the data subject.

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes. Section 4 of the Act extends its application to entities that are neither established nor ordinarily resident in Kenya, where such entities process the personal data of data subjects located in Kenya.

What rules specifically deal with marketing?

The Data Protection (General) Regulations give a data subject the right to object to direct marketing. The Regulations further note that any form of direct marketing by a data controller or processor serves to advance a commercial interest and may therefore be permitted where the data controller or processor does not use sensitive personal data, or where:

  • the data controller or processor has collected the personal data from the data subject;
  • the data subject has been notified that direct marketing is one of the purposes for which the personal data is collected;
  • the data subject has consented to the use or disclosure of the personal data for direct marketing;
  • the data controller or processor has provided the data subject with an opt-out option for communications; and
  • the data subject has not made an opt-out request.

Do different rules apply to business-to-business and business-to-consumer marketing?

B2C marketing: these individuals are directly protected as data subjects under the DPA, and their rights must be strictly upheld.

B2B marketing: under the DPA, the data is often tied to the individual’s professional role, which may influence the lawful basis for processing and the level of protection required.

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

Section 37 of the Act: This section specifically deals with the processing of personal data for direct marketing purposes. It mandates that consent must be obtained from the data subject before their personal data can be used for marketing.

Data Protection (General) Regulations, 2021:

Regulation 4: This regulation emphasizes the need for explicit consent when collecting personal data for marketing purposes, ensuring that individuals are informed about how their data will be used.

Regulation 5: It requires that data subjects be provided with clear information about their rights regarding their personal data, including the right to withdraw consent at any time.

Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021:

These regulations require data controllers and processors engaged in electronic marketing to register with the Office of the Data Protection Commissioner, ensuring accountability and compliance with data protection laws.

Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021:

These regulations outline the procedures for handling complaints related to violations of data protection rights, including issues arising from unsolicited electronic marketing communications.

What rules specifically deal with cookies?

Kenya’s DPA and its regulations do not have specific provisions addressing cookies or similar tracking technologies. Instead, cookies are regulated under the broader framework of personal data processing.

What are the consequences of non-compliance with data protection laws (including marketing laws)?

Where a complaint is lodged and investigated, and an entity is found culpable of a breach of the data protection laws, the Data Commissioner shall issue an enforcement notice specifying the provisions contravened, the measures to be taken to remedy or eliminate the situation, and the period within which to remedy it. The Data Commissioner may also issue penalty notices against a party and impose administrative fines, with the maximum set at Kshs. 5,000,000, and may order compensation to a data subject.

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

The Act applies to entities that are established or resident in Kenya or that process personal data in Kenya, and to entities that process the personal data of data subjects located in Kenya.

Additionally, they should be aware of the following key factors:

What constitutes a data subject

A data subject refers to an identifiable natural person from whom personal data is collected or processed. Under the Data Protection Act, personal data is any information relating to an identified or identifiable individual. This can include names, identification numbers, location data, online identifiers, and other factors specific to the individual’s identity.

In Kenya, data subjects have rights under the DPA, such as the right to be informed, right to access their data, right to rectification, and right to object to data processing.

The rules on transfer of personal data

The transfer of personal data outside Kenya is regulated under the DPA. Personal data can only be transferred outside Kenya if certain conditions are met, including ensuring that the data protection standards in the receiving country are adequate or that proper safeguards are in place.

The key rules for data transfer include:

  • The data subject’s consent must be obtained unless otherwise allowed by law.
  • Transfers should ensure that the data is protected to a similar or higher standard than what is mandated in Kenya.
  • The Data Commissioner must be notified of such transfers when required.

The safeguards necessary for data transfer

Safeguards for the transfer of personal data from Kenya to foreign countries include:

The recipient country must have adequate data protection laws similar to those in Kenya.

Appropriate safeguards, such as legally binding agreements between the parties, must be in place. These could include contractual clauses ensuring the security and protection of data.

In cases where a recipient country lacks adequate protection, the transfer can only occur under special conditions, such as obtaining explicit consent from the data subject or demonstrating that the transfer is necessary for the performance of a contract.

What is a DPIA?

A Data Protection Impact Assessment (DPIA) is a tool used to assess the potential risks to the rights and freedoms of individuals arising from the processing of personal data. The DPA requires DPIAs for certain high-risk processing activities, such as:

  • Large-scale processing of sensitive personal data.
  • Automated decision-making or profiling that affects individuals.
  • Transfer of sensitive personal data outside Kenya.

DPIAs help organisations to identify risks early, adopt measures to mitigate them, and ensure compliance with the DPA.

Consents in respect of transfer

Under Kenyan law, consent from the data subject is a critical element in the transfer of personal data, especially when transferring data outside the jurisdiction. Consent must be:

Informed: The data subject must be aware of the purpose and nature of the data transfer.

Freely given: The data subject should not be coerced or misled.

Explicit: In cases of sensitive personal data or international transfers, explicit consent is often required.

Exceptions to the consent requirement exist, such as if the transfer is necessary for the performance of a contract or for the public interest, but in most cases, consent remains a primary safeguard.

Deletion and correction

The rights of a data subject in Kenya include the right to access their personal data in the custody of a data controller or data processor; the right to correction of false or misleading data; and the right to deletion of false or misleading data about them.

What upcoming data protection developments should multinational organisations be aware of?

Several draft guidance notes are under development or review, including:

  • Guidance Note on Data Sharing Code (Draft): Focuses on mechanisms for secure data sharing among controllers and processors.
  • Guidance Note on Research Purposes (Draft): Provides compliance requirements for processing data in research, interpreting the Act and regulations.
  • Guidance Note for Processing of Children's Data (Draft): Addresses child-specific protections, drawing from the Constitution, Act, and regulations.
  • Guidance Note on Processing of Biometric Data (Draft): Outlines principles for handling sensitive biometric data under Section 25 of the Act.
  • Guidance Note on Processing Personal Data for Journalistic Purposes (Draft): Recommends policies for media practitioners to ensure compliance.

Draft Regulations:

  • Draft Data Protection (Conduct of Compliance Audit) Regulations, 2024: These propose procedures for conducting data protection audits to ensure adherence to the Act.

Policies and Strategic Plans:

  • ODPC Strategic Plan 2023–2027: This policy document guides the development of additional policies, guidance notes, and regulations to strengthen data protection enforcement.
  • ODPC Strategic Plan FY 2022/3–2024/5: Focuses on aligning strategies across ODPC directorates for compliance, awareness, and coordination.
  • Kenya National E-Commerce Policy (Draft, June 2025): Includes provisions on data protection, privacy, cybersecurity, and consumer protection in the digital economy.


Need more information?
Contact a member firm:
Caxstone Kigata
Wamae & Allen LLP
Kenya


Virginiah Nduta
Wamae & Allen LLP
Kenya


Janeirene Maina
Wamae & Allen LLP
Kenya