Data Protection Act 2019 Kenya
Overview
Kenya’s Data Protection Act, 2019 (No. 24 of 2019), enacted on November 8, 2019, establishes a legal framework for the collection, processing, storage, and transfer of personal data. The law seeks to safeguard individuals' privacy rights, regulate data processing activities, and introduce penalties for non-compliance. The Office of the Data Protection Commissioner (ODPC) is responsible for overseeing the enforcement of the Act.
Regulation Summary
- November 8, 2019: Law enacted.
- November 25, 2019: Law takes effect.
- 2022: Subsidiary regulations on registration, complaints handling, general provisions, and civil registration issued.
- Ongoing: Businesses required to register with the ODPC to process personal data.
Who the Act Applies To
- All organizations processing personal data in Kenya, including both public and private entities.
- Foreign businesses processing data of Kenyan residents, provided they operate in Kenya or use local data infrastructure.
- Entities handling sensitive data such as health, biometric, and financial information.
Exemptions
- Personal data processing for exclusively personal or household purposes.
- Government agencies processing data for national security, taxation, or crime prevention.
- Journalistic, artistic, academic, or research purposes where lawful safeguards are applied.
Key Obligations
- Lawful Processing: Organizations must have a legal basis for processing data, such as consent, contractual necessity, or legal obligation.
- Purpose Limitation: Data must be collected and processed for specific, legitimate purposes.
- Data Security: Businesses must implement technical and organizational measures to protect data from unauthorized access or loss.
- Accountability: Data controllers and processors must document their processing activities, and those engaged in high-risk processing (e.g., large-scale profiling or systematic monitoring) must appoint a Data Protection Officer (DPO).
Website Requirements
- Cookie Consent: Websites must obtain user consent before storing non-essential cookies.
- Privacy Notice: A clear privacy policy must be accessible to users.
- User Rights Portal: Websites should provide an interface for individuals to exercise their data rights.
- Secure Data Transmission: Websites must encrypt personal data collected online.
Other Obligations
- Cross-Border Data Transfers: Allowed only if the receiving country ensures adequate protection or specific safeguards are in place.
- Data Protection Officer (DPO): Required for large-scale processors or those handling sensitive data.
- Impact Assessments: Mandatory for high-risk processing activities, including profiling and automated decision-making.
Data Subject Rights
- Access: Individuals can request copies of their personal data.
- Rectification: Right to correct inaccurate or incomplete data.
- Erasure: Right to request deletion of personal data under certain conditions.
- Portability: Right to obtain and transfer personal data.
- Objection: Right to refuse data processing for marketing or other purposes.
- Restriction: Right to limit processing in specific cases.
Enforcement and Penalties
- Regulatory Body: The Office of the Data Protection Commissioner (ODPC) oversees compliance and enforcement.
- Fines: Businesses that violate the Act can face penalties of up to 5 million Kenyan Shillings (approximately $35,000 USD) or up to 1% of their annual turnover, plus fines of up to KES 10,000 (approximately $77 USD) per day until compliance is achieved.
- Sanctions: In severe cases, businesses may face suspension of data processing activities, and responsible individuals may be subject to criminal penalties, including imprisonment.