The Data Protection Act, 2019 of Kenya (also known as the Kenya Data Protection Act, No.
24 of 2019) is a comprehensive law designed to regulate the processing of personal data in
Kenya and to ensure the protection of individuals' privacy in the digital age. The Act aligns
Kenya with international data protection standards, including the General Data Protection
Regulation (GDPR) of the European Union, while also addressing local concerns and the needs
of Kenyan citizens.
Key Features of the Data Protection Act, 2019 (Kenya)
1. Purpose and Scope:
o The primary purpose of the Act is to protect the privacy of individuals and to
regulate the collection, storage, use, and sharing of personal data.
o It applies to both public and private entities that process personal data, whether
the data is processed in Kenya or outside Kenya, as long as the data concerns
Kenyan residents or citizens.
2. Definitions of Personal Data:
o Personal data is defined as any information that can be used to identify an
individual, either directly or indirectly. This includes names, identification
numbers, contact details, location data, online identifiers, and other personal
characteristics.
o The Act also recognizes sensitive personal data, which includes information
such as health data, biometric data, religious beliefs, political opinions, and more.
Processing sensitive data requires additional safeguards and justifications.
3. Data Protection Principles:
o The Act outlines several core principles that guide the processing of personal data:
  - Lawfulness, fairness, and transparency: Personal data must be processed in a lawful, fair, and transparent manner.
  - Purpose limitation: Data should only be collected for specific, legitimate purposes and not further processed in a way that is incompatible with those purposes.
  - Data minimization: Only the data necessary for the purpose for which it is collected should be processed.
  - Accuracy: Personal data must be accurate, complete, and kept up to date.
  - Storage limitation: Personal data should not be kept longer than necessary for the purposes for which it was collected.
  - Integrity and confidentiality: Personal data should be processed securely to protect against unauthorized access or disclosure.
  - Accountability: Organizations are required to be accountable for the personal data they process and must be able to demonstrate compliance with data protection principles.
4. Rights of Data Subjects:
o The Act grants data subjects (individuals whose data is being processed) a range of rights, including:
  - Right to access: Individuals can request access to their personal data held by organizations.
  - Right to rectification: Individuals can request corrections to inaccurate or incomplete data.
  - Right to erasure: Individuals can request the deletion of their personal data under certain conditions.
  - Right to restrict processing: Individuals can request the restriction of data processing in certain situations.
  - Right to object: Individuals can object to the processing of their data for direct marketing or other specific purposes.
  - Right to data portability: Individuals can request the transfer of their data to another service provider.
  - Right to withdraw consent: If consent was the basis for data processing, individuals can withdraw consent at any time.
5. Consent and Processing of Personal Data:
o The Act requires that consent must be freely given, specific, informed, and
unambiguous. Consent must be obtained before processing personal data, and
individuals must be able to withdraw their consent at any time.
o However, there are other legal bases for processing personal data without consent,
such as contractual necessity, legal obligations, protection of vital interests, or
performance of a public task.
6. Data Protection Officer (DPO):
o The Act mandates the appointment of a Data Protection Officer (DPO) for
organizations that engage in large-scale processing of personal data. The DPO is
responsible for ensuring that the organization complies with data protection laws,
monitoring internal data protection activities, and acting as a point of contact for
the Data Protection Commissioner.
7. Data Protection Impact Assessment (DPIA):
o A Data Protection Impact Assessment (DPIA) is required when an organization
intends to process personal data in a way that may result in a high risk to the
rights and freedoms of individuals, especially in cases of new technologies or
large-scale data processing.
8. Data Security and Breach Notification:
o Organizations are required to implement appropriate technical and organizational
measures to ensure the security of personal data. This includes preventing
unauthorized access, disclosure, and loss of personal data.
o If there is a data breach, organizations are obligated to notify the Data
Protection Commissioner and, in certain cases, the affected individuals, within
72 hours of becoming aware of the breach.
9. Data Transfers and Cross-Border Data:
o The Act governs the transfer of personal data outside Kenya. Personal data can
only be transferred to countries that have an adequate level of data protection, or
if the organization ensures appropriate safeguards for data protection (such as
Standard Contractual Clauses or Binding Corporate Rules).
10. Data Protection Commissioner (DPC):