Privacy Law at Kenya

Kenya's Data Protection Act, 2019 (DPA) establishes a comprehensive legal framework for the processing of personal data, aiming to safeguard individuals' privacy rights and ensure responsible data handling practices.

🇰🇪 Key Provisions of the Data Protection Act, 2019

1. Scope and Applicability

Territorial Reach: The DPA applies to both public and private entities processing personal data within Kenya, and to entities outside Kenya that process the personal data of Kenyan residents.

Data Controllers and Processors: Organizations that determine the purposes and means of processing personal data (controllers) and those who process data on behalf of controllers (processors) are subject to the Act.

2. Principles of Data Processing

The Act mandates that personal data be:

Processed Lawfully and Transparently: Data must be handled in a manner that is lawful, fair, and transparent to the data subject.

Collected for Specific Purposes: Data should be collected for explicit, legitimate purposes and not further processed in a manner incompatible with those purposes.

Adequate, Relevant, and Limited: Only data necessary for the intended purposes should be collected.

Accurate and Up-to-Date: Data must be accurate and kept up to date.

Retained No Longer Than Necessary: Data should not be kept in a form that permits identification of data subjects for longer than necessary.

Processed Securely: Appropriate technical and organizational measures must be implemented to ensure data security.

3. Rights of Data Subjects

Individuals have the right to:

Be Informed: About the use to which their personal data will be put.

Access: Their personal data held by a data controller or processor.

Object: To the processing of all or part of their personal data.

Rectify: False or misleading data.

Erasure: Of false or misleading data about them.

These rights can be exercised directly by the data subject or through a duly authorized representative.

4. Consent and Lawful Processing

Personal data processing is lawful only if at least one of the following applies:

Consent: The data subject has given explicit consent.

Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is a party.

Legal Obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject.

Vital Interests: Processing is necessary to protect the vital interests of the data subject or another person.

Public Interest or Official Authority: Processing is carried out in the public interest or in the exercise of official authority vested in the controller.

Legitimate Interests: Processing is necessary for the legitimate interests pursued by the controller or a third party, provided these are not overridden by the data subject's rights and freedoms.

5. Data Protection Impact Assessment (DPIA)

Before carrying out processing operations that may result in high risks to the rights and freedoms of data subjects, a data controller or processor must conduct a DPIA. This assessment should evaluate the necessity and proportionality of the processing and identify measures to mitigate the risks.

6. Data Protection Officer (DPO)

Organizations may appoint a DPO to oversee data protection activities. The DPO should have relevant qualifications and expertise in data protection matters. Their responsibilities include advising on data processing requirements, ensuring compliance with the Act, and serving as a point of contact for data subjects and the Data Commissioner.

7. Cross-Border Data Transfers

Transfers of personal data outside Kenya are permitted only if at least one of the following conditions is met:

Adequate Protection: The receiving country ensures an adequate level of data protection.

Consent: The data subject has given explicit consent to the transfer.

Contractual Necessity: The transfer is necessary for the performance of a contract.

Public Interest: The transfer is in the public interest.

Legal Claims: The transfer is necessary for the establishment, exercise, or defense of legal claims.

8. Penalties for Non-Compliance

Violations of the DPA may result in:

Fines: Up to KSh 3 million (approximately USD 30,000).

Imprisonment: Up to 10 years.

Both: A fine and imprisonment together.

Specific offenses, such as using personal data for commercial purposes without consent or obstructing investigations, carry additional penalties.

✅ Compliance Recommendations for Organizations

Organizations operating in Kenya should:

Register: With the Office of the Data Protection Commissioner (ODPC) as data controllers or processors.

Appoint a DPO: If required, to oversee data protection activities.

Implement Policies: Establish data protection policies and procedures.

Conduct DPIAs: For processing operations that may pose high risks to data subjects.

Provide Training: To staff on data protection principles and practices.

Ensure Data Security: Implement appropriate technical and organizational measures to protect personal data.

Monitor Compliance: Regularly audit data processing activities to ensure adherence to the DPA.
