Skip to main content

Data Protection Act 2019 (Kenya)

Kenya's Data Protection Act 2019 is a GDPR-style law establishing the Office of the Data Protection Commissioner and granting strong data subject rights. It requires lawful bases, controller registration, impact assessments, and breach notification.

Jurisdiction
Kenya

Kenya's Data Protection Act 2019 is the country's comprehensive data protection law. It was assented to and commenced on November 25, 2019, giving effect to the right to privacy in Kenya's Constitution. The Act is closely modeled on the GDPR and established the Office of the Data Protection Commissioner (ODPC) as an independent regulator. Subsequent regulations on registration, compliance, and enforcement, and on complaints handling, fill in the operational detail.

The Act regulates the processing of personal data by data controllers and data processors and grants data subjects a strong set of rights.

Who It Applies To

The Act applies to data controllers and processors established or resident in Kenya that process personal data while in Kenya, and to those not established or resident in Kenya but processing the personal data of data subjects located in Kenya. It covers personal data processed by automated and certain manual means. The Act provides exemptions for purposes such as national security, journalism, and personal or household activity, subject to conditions.

Key Requirements

Processing must have a lawful basis, such as consent, performance of a contract, compliance with a legal obligation, vital interests, public interest, or legitimate interests, and must follow principles including lawfulness, fairness, transparency, purpose limitation, minimization, accuracy, storage limitation, and security. Data controllers and processors meeting thresholds set by regulation must register with the ODPC. Data subjects have rights to be informed, to access, to object, to correction or deletion, and to data portability. Controllers must implement security safeguards, conduct data protection impact assessments for high-risk processing, and notify the ODPC of breaches without delay, generally within 72 hours, and affected data subjects where there is real risk of harm. Cross-border transfers require proof of adequate safeguards or another lawful condition, and certain sensitive data may need to be processed or stored in Kenya.

Penalties for Non-Compliance

The ODPC can issue enforcement and penalty notices. The maximum administrative penalty is up to KES 5 million, or in the case of an undertaking up to 1 percent of its annual turnover, whichever is lower. Certain offences under the Act can also carry fines and imprisonment.

How to Comply

Identify a lawful basis for each processing activity and follow the data protection principles. Register with the ODPC if you meet the registration thresholds. Publish privacy notices and build processes for data subject rights. Implement security safeguards and conduct data protection impact assessments for high-risk processing. Establish a breach notification process aligned to the 72-hour expectation. Review cross-border transfers and apply adequate safeguards or another lawful condition.