Tag Archive for: Kenyan Data Protection Act

This information is courtesy of Iseme, Kamau & Maema Advocates (IKM).

On Friday 8th November, 2019, Kenyan President Uhuru Kenyatta signed into law the Data Protection Act, 2019.

The Act gives effect to Article 31 (c) and (d) of the Constitution of Kenya, 2010 which guarantee every person the right to privacy.


1. Key definitions

“Data subject”- an identifiable natural person who is the subject of personal data.

“Personal data”- any information relating to an identified or identifiable natural person.

“Data controllers”- natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determine the purpose and means of processing of personal data.

“Data processors”- natural or legal persons, public authorities, agencies or other bodies which process personal data on behalf of the data controller.

2. Office of the Data Protection Commissioner

The Act establishes the office of the Data Protection Commissioner (“DPC”). The DPC is to be recruited and employed by the Public Service Commission upon appointment by the President, subject to the approval of the National Assembly.

3. Registration of Data Controllers and Processors

It is an offence to act as a data processor or data controller unless one is registered with the DPC.

4. Data Processing

Data must be: processed in a manner that upholds the data subject’s right to privacy; processed lawfully; limited to the purpose for which it is collected; accurate and up to date; kept in a form which identifies the data subjects for no longer than is necessary; and not transferred outside Kenya save as permitted in the Act.

5. Notification of Breach

Data controllers must employ appropriate security measures to prevent the unauthorized access, disclosure or loss of the personal data collected by them. In the event of a breach, they are required to report it to the DPC within 72 hours and to the affected data subjects without undue delay.

6. Transfer of Data Outside Kenya

Personal data may only be transferred outside Kenya with the approval of the DPC upon proof of the existence of appropriate safeguards for the data being transferred.

7. Penalties for non-compliance

General penalty- a fine not exceeding Three Million Kenya Shillings (Ksh. 3,000,000/-) (US$30,000) or imprisonment for a term not exceeding 10 years, or both.

