Data Protection Act 2019 Kenya

Overview

Kenya’s Data Protection Act, 2019 (No. 24 of 2019), enacted on November 8, 2019, establishes a legal framework for the collection, processing, storage, and transfer of personal data. The law seeks to safeguard individuals' privacy rights, regulate data processing activities, and introduce penalties for non-compliance. The Office of the Data Protection Commissioner (ODPC) is responsible for overseeing the enforcement of the Act. 

Regulation Summary

Timeline

  • November 8, 2019: Law enacted.
  • November 25, 2019: Law takes effect.
  • 2022: Subsidiary regulations on registration, complaints handling, general provisions, and civil registration issued.
  • Ongoing: Businesses required to register with the ODPC to process personal data.

Who the Act Applies To

  • All organizations processing personal data in Kenya, including both public and private entities.
  • Foreign businesses processing data of Kenyan residents, provided they operate in Kenya or use local data infrastructure.
  • Entities handling sensitive data such as health, biometric, and financial information.

Exemptions

  • Personal data processing for exclusively personal or household purposes.
  • Government agencies processing data for national security, taxation, or crime prevention.
  • Journalistic, artistic, academic, or research purposes where lawful safeguards are applied.

Key Requirements

  • Lawful Processing: Organizations must have a legal basis for processing data, such as consent, contractual necessity, or legal obligation.
  • Purpose Limitation: Data must be collected and processed for specific, legitimate purposes.
  • Data Security: Businesses must implement technical and organizational measures to protect data from unauthorized access or loss.
  • Accountability: Data controllers and processors must document their processing activities and, where they engage in high-risk processing (e.g., large-scale profiling or systematic monitoring), must appoint a Data Protection Officer (DPO).

Website Requirements

  • Cookie Consent: Websites must obtain user consent before storing non-essential cookies.
  • Privacy Notice: A clear privacy policy must be accessible to users.
  • User Rights Portal: Websites should provide an interface for individuals to exercise their data rights.
  • Secure Data Transmission: Websites must encrypt personal data collected online.

Additional Obligations

  • Cross-Border Data Transfers: Allowed only if the receiving country ensures adequate protection or specific safeguards are in place.
  • Data Protection Officer (DPO): Required for large-scale processors or those handling sensitive data.
  • Impact Assessments: Mandatory for high-risk processing activities, including profiling and automated decision-making.

Data Subject Rights

  • Access: Individuals can request copies of their personal data.
  • Rectification: Right to correct inaccurate or incomplete data.
  • Erasure: Right to request deletion of personal data under certain conditions.
  • Portability: Right to obtain and transfer personal data.
  • Objection: Right to refuse data processing for marketing or other purposes.
  • Restriction: Right to limit processing in specific cases.

Enforcement and Penalties

  • Regulatory Body: The Office of the Data Protection Commissioner (ODPC) oversees compliance and enforcement.
  • Fines: Businesses that violate the Act can face penalties of up to 5 million Kenyan Shillings (approximately $35,000 USD) or up to 1% of their annual turnover, plus daily fines of up to KES 10,000 (approximately $77 USD) per day until compliance is achieved.
  • Sanctions: In severe cases, businesses may face suspension of data processing activities, and responsible individuals may be subject to criminal penalties, including imprisonment.