Data Protection Act 2019 Kenya

Regulation Summary

November 8, 2019: Law enacted.
November 25, 2019: Law takes effect.
2022: Subsidiary regulations on registration, complaints handling, general provisions, and civil registration issued.
Ongoing: Businesses required to register with the ODPC to process personal data.

All organizations processing personal data in Kenya, including both public and private entities.
Foreign businesses processing data of Kenyan residents, provided they operate in Kenya or use local data infrastructure.
Entities handling sensitive data such as health, biometric, and financial information.

Personal data processing for exclusively personal or household purposes.
Government agencies processing data for national security, taxation, or crime prevention.
Journalistic, artistic, academic, or research purposes where lawful safeguards are applied.

Lawful Processing: Organizations must have a legal basis for processing data, such as consent, contractual necessity, or legal obligation.
Purpose Limitation: Data must be collected and processed for specific, legitimate purposes.
Data Security: Businesses must implement technical and organizational measures to protect data from unauthorized access or loss.
Accountability: Data controllers and processors must document processing activities and if they are engaged in high-risk processing (e.g., large-scale profiling, systematic monitoring) they must appoint Data Protection Officers (DPOs).

Cookie Consent: Websites must obtain user consent before storing non-essential cookies.
Privacy Notice: A clear privacy policy must be accessible to users.
User Rights Portal: Websites should provide an interface for individuals to exercise their data rights.
Secure Data Transmission: Websites must encrypt personal data collected online.

Cross-Border Data Transfers: Allowed only if the receiving country ensures adequate protection or specific safeguards are in place.
Data Protection Officer (DPO): Required for large-scale processors or those handling sensitive data.
Impact Assessments: Mandatory for high-risk processing activities, including profiling and automated decision-making.

Access: Individuals can request copies of their personal data.
Rectification: Right to correct inaccurate or incomplete data.
Erasure: Right to request deletion of personal data under certain conditions.
Portability: Right to obtain and transfer personal data.
Objection: Right to refuse data processing for marketing or other purposes.
Restriction: Right to limit processing in specific cases.

Regulatory Body: The Office of the Data Protection Commissioner (ODPC) oversees compliance and enforcement.
Fines: Businesses that violate the Act can face penalties of up to 5 million Kenyan Shillings (approximately $35,000 USD) or up to 1% of their annual turnover, plus daily fines of up to KES 10,000 (approximately $77 USD) per day until compliance is achieved.
Sanctions: In severe cases, businesses may face suspension of data processing activities, and responsible individuals may be subject to criminal penalties, including imprisonment.