1. Constitution of Kenya, 2010

Article 31 (c) and (d) of the Constitution of Kenya speak to the right to privacy and provide that:

“Every person has the right to privacy, which includes the right not to have: information relating to their family or private affairs unnecessarily required or revealed; or the privacy of their communications infringed.”

2. Data Protection Act, 2019

The Data Protection Act was enacted in 2019 to give effect to Article 31 (c) and (d) of the Constitution as highlighted above. The main aim of the Act is to:

  1. Establish the Office of the Data Protection Commissioner.
  2. Make provision for regulation of the processing of personal data.
  3. Provide for the rights of data subjects.
  4. Detail obligations of data users.

Salient terms used in the Act

Data subject means a natural person who is the subject of personal data.

Personal data means any information relating to an identified or identifiable natural person.

Sensitive personal data means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject.

Data controller is a natural or legal person, who determines the purpose and means of use of personal data (the decision maker).

Processing means collection, storage, consultation and use of personal data by any means.

Data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller (the user).

Data Protection (Registration of Data Controllers and Processors) Regulations, 2021

The Data Protection (Registration of Data Controllers and Processors) Regulations, 2021 were published on January 14, 2022, and commenced operation on July 14, 2022. Their main aim is to give effect to Section 18 of the Act, which requires every Data Controller and Data Processor to be registered.


Any person or business that controls or processes personal data must register.

The following are a few examples of businesses and activities that require registration as Data Controllers or Data Processors:

  • Businesses or persons who collect people’s details in support of a political candidate or cause.
  • Crime prevention and prosecution of offenders.
  • Gambling.
  • Educational institutions.
  • Health administration and provision of patient care institutions.
  • Hospitality institutions.
  • Property management institutions.
  • Financial services providers.
  • Telecommunications network or service providers.
  • Marketing businesses.
  • Transport services firms.
  • Any other business that processes personal data.


Compliance with the principles of Personal Data protection

The principles require that personal data should be:

  1. Processed in accordance with the right to privacy of the data subject;
  2. Processed lawfully, fairly and in a transparent manner;
  3. Collected for explicit, specified and legitimate purposes;
  4. Adequate, relevant and limited to the purpose for which it is collected;
  5. Collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
  6. Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  7. Kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
  8. Not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

Registration of Data Controllers and Processors

The Act, read with the Regulations, requires every Data Controller and Data Processor with an annual turnover or revenue of KES 5,000,000 and above and more than ten employees to register with the Office of the Data Protection Commissioner.

In addition, the Regulations require the mandatory registration of a data controller or data processor in various areas and industries including health administration and provision of patient care.

Data Controllers and Processors to uphold the rights of data subjects

The rights of data subjects include:

  1. to be informed of the use to which their personal data is to be put;
  2. to access their personal data in the custody of a data controller or data processor;
  3. to object to the processing of all or part of their personal data;
  4. to correction of false or misleading data; and
  5. to deletion of false or misleading data about them.

Data Controllers and Processors must comply with requirements of transfer of data out of Kenya.

It is crucial that Data Controllers and Processors comply with the requirements for transfer of data out of Kenya. Given that most software systems used by organizations today rely on cloud computing, and that hosting or backing up personal data on servers located outside Kenya is itself a transfer, it is important to ensure that any data transferred outside Kenya is done in compliance with the Act’s requirements on cross-border data transfers, namely proof of adequate data protection safeguards in the destination country or the consent of the data subject.

Data Processor and Data Controller must have a Data Protection Officer.

The roles of a Data Protection Officer are to:

  1. Advise the data controller or data processor on legal compliance;
  2. Provide advice on data protection impact assessment; and
  3. Co-operate with the Data Commissioner and any other authority on matters relating to data protection.

Who can be a Data Protection Officer?

A Data Protection Officer may be a staff member provided that any such tasks and duties do not result in a conflict of interest.

A Data Protection Officer can also be an external person.

A person appointed as a data protection officer should have relevant academic or professional qualifications, which may include knowledge and technical skills in matters relating to data protection.

NOTE – The Act and Regulations do not require Data Controllers and Processors to have a complaint mechanism. It is however advisable to have one, so that data subjects can raise complaints regarding any data privacy breaches and the Data Controller or Processor can remedy the breach before it reaches the Data Commissioner.


Failure to comply with the Act and Regulations amounts to an offence under the Act.

Section 73 of the Data Protection Act provides that non-compliance with the Act and Regulations is an offence punishable by a fine not exceeding KES 3,000,000 or an imprisonment term not exceeding ten years, or both.

The Act further provides that where a complaint is made to the Data Protection Commissioner against a Data Processor or Data Controller and the Commissioner issues a notice requiring compliance in order to remedy the complaint, but the Data Processor or Controller continues the contravention or fails to comply with the notice, that failure is itself an offence. The offence is punishable by a fine not exceeding KES 5,000,000 or an imprisonment term not exceeding two years, or both. A recent example is the case of the digital lender Whitepath and the real estate firm Regus, on each of which the Office of the Data Protection Commissioner imposed a fine of KES 5 million for non-compliance with notices that had been issued to them.

Further to the penalties above, the Court may:

  1. order the forfeiture of any equipment or any article used or connected in any way with the commission of an offence; or
  2. order or prohibit the doing of any act to stop a continuing contravention.

Additionally, non-compliance can result in reputational damage and loss of customer trust, which can impact a business negatively.


It is important for organizations operating in Kenya to take the provisions of the Data Protection Act and its Regulations seriously and comply with their requirements. Organizations should also ensure that they have appropriate technical and organizational security measures in place to safeguard the personal data they collect and process, since a security breach that exposes personal data is also a compliance failure.

Non-compliance with the Act can result in significant penalties and reputational damage, so organizations should prioritize data protection and make sure they are fully compliant with the Act and its Regulations.

NOTE: This article is for general information and does not constitute legal advice. If you are interested in legal advice or guidance in respect of the above area, kindly do not hesitate to contact us via the email addresses provided below.

© 2023 Kiingati Ndirangu & Associates
