KENYA
DATA PROTECTION FACTSHEET

-
Population: 53,771,300
Capital: Nairobi
President: William Ruto
2021 Freedom House Score: 48/100
Data protection law? Yes, with data protection authority appointed
-
Privacy enshrined in Constitution: Yes, the Kenyan Constitution protects the right to privacy under Article 31.
DPA legislation: The Data Protection Act No. 24 of 2019 (the Act) was signed into law and came into effect in November 2019 and sets out the regulatory framework for data protection in Kenya. It sets out guidelines on how personally identifiable data can be used, stored, or shared. The Data Protection (General) Regulations, 2021, along with the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021, have also since been gazetted. The Act establishes the Office of the Data Protection Commissioner to ensure enforcement.
Among other things, data subjects have the right to:
- be informed of the use to which their personal data is to be put;
- access their personal data in the custody of the data controller or data processor;
- object to the processing of all or part of their personal data;
- the correction of false or misleading data; and
- the deletion of false or misleading data.
-
ICCPR: Acceded
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
-
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: Yes
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: No
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: No
-
Under the Act, personal data means any information relating to an identified or identifiable natural person. Sensitive personal data means any data revealing the natural person’s:
- health status;
- ethnic social origin;
- conscience;
- belief;
- genetic data;
- biometric data;
- property details;
- marital status; and
- family details including names of a person’s children, parents, spouse, sex or sexual orientation of the data subject.
-
A data controller or data processor shall collect personal data directly from the data subject. Personal data may be collected indirectly where—
- the data is contained in a public record;
- the data subject has deliberately made the data public;
- the data subject has consented to collection from another source;
- the data subject has an incapacity, and the guardian appointed has consented to the collection from another source;
- the collection from another source would not prejudice the interests of the data subject;
- collection of data from another source is necessary—
  - for the prevention, detection, investigation, prosecution and punishment of a crime;
  - for the enforcement of a law which imposes a pecuniary penalty; or
  - for the protection of the interests of the data subject or another person.
A data controller or data processor shall collect, store or use personal data for purposes which are lawful, specific and explicitly defined.
Every data controller or data processor shall ensure that personal data is:
- processed in accordance with the right to privacy of the data subject;
- processed lawfully, fairly and in a transparent manner in relation to any data subject;
- collected for the explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
- adequate, relevant, limited to what is necessary in relation to the purpose for which it is processed;
- collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
- accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
- kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
- not transferred outside of Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
-
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: Yes
Timeframe for notification is specified: No
Exceptions exist to breach notifications: Yes
Requires a data processing register: Yes
Register is publicly available: Yes
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Unclear
-
Explicit provision for civil liability: Yes
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): Yes
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: Yes
Number of members in DPA: 1
Maximum term length for members of the DPA (years): 6
-
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Unclear
-
A data controller or data processor may transfer personal data to another country only where:
- the data controller or processor has given proof to the Data Commissioner on the appropriate safeguards with respect to the security and protection of personal data;
- the data controller or processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and the protection of personal data, and the appropriate safeguards including jurisdictions with corresponding data protection laws;
- the transfer is necessary—
  - for the performance of a contract between the data subject and the data controller or data processor, or the implementation of pre-contractual measures taken at the data subject’s request;
  - for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person;
  - for any matter of public interest;
  - for the establishment, exercise or defence of a legal claim;
  - to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
  - for compelling legitimate interests pursued by the data controller or data processor, which are not overridden by the interests, rights and freedoms of data subjects.
-
Provides a right not to be subject to automated decision-making: Yes
Page last updated: 24 May 2022