Data Protection Act 2019



The Data Protection Act was signed into Law (assented) by the President of Republic of Kenya on the 8th of November 2019, thereafter gazetted and commenced on the 25th of November 2019.

The Act was promulgated to bring to effect the provisions of Article 31 (c) and (d) of the Constitution of Kenya, 2010. Article 31 provides for the right to privacy.


The objective and purpose of the Act is to regulate the processing of personal data and to protect the privacy of individuals by establishing legal and institutional mechanisms to protect personal data.



  • Sensitive Personal Data


The Act has defined “Sensitive personal data” as data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject.


  • Data Controller

This is a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purpose and means of processing personal data.


  • Data Subject

This means the personal data of an identified and identifiable natural person.


  • Data Processor

This means the person or entity that processes personal data on behalf of data controller.

A Data controller/processor is one who is:

  1. Either established or ordinarily resident in Kenya and processes personal data while in Kenya; or
  2. Not established or ordinarily resident in Kenya but processing personal data of data subjects located in Kenya.



The Act establishes the office of the Data Protection Commissioner as a State office, which shall be a body corporate with perpetual succession and a common seal.  The President shall nominate and with the approval of the National Assembly, appoint the Data Commissioner who shall be appointed for a single term of six years and shall not be eligible for reappointment.



The following are the functions of the Data Commissioner’s office to:

  1. oversee the implementation and enforcement of the Act;
  2. establish and maintain a register of data controllers and data processors;
  3. exercise oversight on data processing operations and verify whether the processing of data is done in accordance with the Act, at the Data Commissioner’s own initiative or upon request by a data subject;
  4. promote self-regulation among data controllers and data processors;
  5. conduct an assessment of a public or private body, on its own initiative or at the request of a private or public body for the purpose of ascertaining whether information is processed according to the provisions of this Act or any other relevant law;
  6. receive and investigate any complaint by any person on infringements of the rights under the Act;
  7. ensure public awareness of the Act;
  8. carry out inspections of public and private entities with a view to evaluating the processing of personal data;
  9. promote international cooperation in matters relating to data protection and ensure country’s compliance on data protection obligations under international conventions and agreements; and
  10. undertake research on developments in data processing of personal data and ensure that there is no significant risk or adverse effect of any developments on the privacy of individuals.

The office of the Data Commission has the following powers to:

  • conduct investigations;
  • obtain professional assistance or consultancy advice within or outside public service;
  • facilitate conciliation, negotiation or mediation of disputes arising from the Act.
  • Issue summons to a witness for purpose of investigation;
  • Require any person subject to the Act to provide explanation, information and assistance in person and in writing;
  • Impose administrative fines for failure to comply with Act.
  • carry out periodical audits of the processes and systems of the data controllers or data processors to ensure compliance with the Act.





Registration of Data processors and controllers is mandatory. The Data Commissioner is required to prescribe the threshold for mandatory registration, by taking into consideration the following:

  • Nature of industry;
  • Volumes of data processed;
  • Whether sensitive data is being processed and other criteria as the Data Commissioner may specify .


In our opinion there is need for Regulations:

  1. To clarify what industries would require mandatory registration and
  2. What would be considered as volumes of data processed, to warrant registration;
  3. To provide a list of all other the criteria as specified by the Data commissioner,
  4. To provide standard forms for application for registration by data controllers and processors



An application for registration to the Data Commissioner by a data controller and processor shall provide the following information:

  1. a description of the personal data to be processed;
  2. a description of the purpose for which the personal data is to be processed;
  3. the category of data subjects, to which the personal data relates;
  4. contact details of the data controller or data processor;
  5. a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of personal data;
  6. any measures to indemnify the data subject from unlawful use of data by the data processor or data controller; and
  7. any other details as may be prescribed by the Data Commissioner.

The Data Commissioner shall issue a certificate of registration where a data controller or data processor meets the requirement for registration. However, the duration of the registration certificate will be determined at the time of the application after taking into account the need for the certificate, and the holder may apply for a renewal of the certificate after expiry of the certificate.

This should be regularized, and a uniform duration of the registration certificate is provided, so as to ensure the process is standardized, fair and transparent for all the data controllers and processors.


A data controller or data processor may appoint a data protection officer where-


  1. The processing of data is carried out by a Public or Private body, Save for Courts
  2. The core activities of the data controller or data processor consist of processing operations which require regular and systematic monitoring of data subjects
  3. The core activities of the data controller or the data processor consist of processing sensitive category of personal data/

terms and conditions of appointment shall be determined by the data controller or data processor

The data protection officer may be a staff member of the data controller or data processor and  may fulfill other tasks and duties provided that such tasks and duties do not result in conflict of interest

Public bodies that are registered as data controller or data processor may have a single designated data protection officer.  A group of entities may appoint a single data protection officer, provided the officer is available to each entity.


A data protection officer shall have relevant academic or professional qualification, which include knowledge in technical skills in matters relating to data protection.

A data controller or data processor is expected to publish the details of the data protection office on their website and communicate this information to the Data Commissioner who shall ensure this information is available on the official website,


The following are principles of the Data Protection Act:

  1. Process data in accordance with the right to privacy of the data subject;
  2. Data should be processed lawfully, fairly and in a transparent manner;
  3. The data should be collected for explicit, specified and legitimate purpose;
  4. The data should be adequate, relevant and limited to what’s necessary;
  5. Collected where a valid explanation is provided whenever information relates to family or private affairs
  6. The data should be accurate and up to date; inaccurate data should be erased;
  7. Kept in a form that identifies the data subject for no longer than is necessary and for the purpose for which it was collected
  8. Not transferred outside Kenya, unless there is proof of adequate protection safeguard or with consent of data subject.

A data subject/person has a right

  • to be informed of the use to which their personal data is to be put;
  • to access their personal data in custody of data controller or data processor;
  • to object to the processing of all or part of their personal data;
  • to correction of false or misleading data; and
  • to deletion of false or misleading data about them.

In addition, a right conferred on a data subject may be exercised where:

  • the data subject is a minor, by a person who has parental authority or by a guardian;
  • the data subject has a mental or other disability, by a person duly authorized to act as their guardian or administrator; or
  • in any other case, by a person duly authorized by the data subject.




A data controller or data processor may transfer personal data to another country where:

  1. a) there is proof given to the Data Commissioner of adequate safeguards with respect to the security and protection of personal data
  2. b) the appropriate safeguards include transfer of data to jurisdictions where it is established that commensurate data protection laws exist.

Transfer will be deemed as necessary:

  • For the performance of a contract between the data subject and the data controller or data processor;
  • For any matter of public interest matter;
  • For the establishment, exercise or defense of a legal claim; and
  • To protect vital interest of data subject or other persons or where subject is incapable of giving consent;
  • For the purpose of compelling legitimate interest pursued by the data controller.


Consent of the data subject shall be required and confirmation of appropriate safeguards before processing sensitive personal data out of Kenya.


The processing of personal data is exempt where-

  1. it relates to processing of personal data by an Individual for purely personal use or household activity;
  2. it is necessary for National Security or public interest; and
  3. disclosure is required by or under any written law or by order of the Court;
  4. processing is undertaken for the publication of literary or artistic material;
  5. data controller believes the publication would be in the public interest;
  6. personal data processed for research is published in a manner where the results of the research are not made available in a form which identifies the data subject/s.

The Data Protection Commissioner is mandated to:

  • prepare a code of practice containing practical guidance in relation to processing of personal data for purpose of research, history and statistics;
  • issue a data sharing code which shall guide the data sharing and specify lawful exchange of personal data between Government Departments or public sector agencies.




Anyone who is aggrieved with the decision of any person under the Act may lodge a complaint to the Data Protection Commissioner orally or in writing. Thereafter the Data Commissioner shall investigate the complaint and issue the findings within 90 days.

Where the Data Commissioner is satisfied that a person has failed, or is failing to comply with any provisions of the Act the Data Commissioner will serve an Enforcement notice on that person requiring that person to take such steps and within such period as may be specified in the notice.


The Enforcement Notice will entail the following:

  • specify the provision of this Act which has been, is being or is likely to be, contravened;
  • specify the measures that shall be taken to remedy or eliminate the situation which makes it likely that a contravention will arise;
  • specify a period which shall not be less than twenty-one days within which those measures shall be implemented; and
  • state any right of appeal.

Further any person who, without reasonable excuse, fails to comply with an enforcement notice commits an offence and is liable on conviction to a fine not exceeding five million shillings (Kshs 5,000,000/-) or to imprisonment for a term not exceeding two (2) years, or to both.

If one is found guilty of the following offences the below penalties or jail terms apply:

  • obstruction of Data Commissioner offence attracts a penalty of Kshs 5,000,000/- or a term of two (2) years.
  • Administrative offences (infringement of a provision of the Act) attracts a penalty of a maximum of Kshs 5,000,000/- or in case of an undertaking 1% of its annual turnover of the preceding financial year, whichever is lower; and
  • General offences (where no specific penalty is provided) attracts a fine of Kshs 3,000,000/- or a maximum of 10 years or both.



This write up is for information purposes only. If you have any concerns or need any issue clarified please do not hesitate to contact us through our Partner, Stella M. Ojango or your usual contact Advocate/person at our firm, for detailed advice relating to the Data Protection Act, 2019.


Written by:   Mrs. Stella M. Ojango & Ms.  Winnie Alouch


Leave a Comment!*

Related Posts

Cancer Statistics Research

Limited Government support: No existing programme or dedicated budget – however the Ministry of health launched the Kenya National Cancer Control Strategy 2017-2022 Download PDF
Read more

Next Frontier

Mediation sets the stage for conflicting parties to vent as long as it takes to spell out their problems with each other until they find a mutually beneficial solution. The…
Read more