
Data Protection Act, 2019

By William Maema

On Friday 8th November, 2019, the President signed into law the Data Protection Act, 2019.

The Act gives effect to Article 31 (c) and (d) of the Constitution of Kenya, 2010, which guarantee every person the right to privacy.


1. Key definitions

“Data subject”: an identifiable natural person who is the subject of personal data.

“Personal data”: any information relating to an identified or identifiable natural person.

“Data controllers”: natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determine the purpose and means of processing of personal data.

“Data processors”: natural or legal persons, public authorities, agencies or other bodies which process personal data on behalf of the data controller.

2. Office of the Data Protection Commissioner

The Act establishes the office of the Data Protection Commissioner (“DPC”), who is to be recruited and employed by the Public Service Commission upon appointment by the President, subject to the approval of the National Assembly.

3. Registration of Data Controllers and Processors

It is an offence to act as a data processor or data controller unless one is registered with the DPC.

4. Data Processing

Data must be: processed in a manner that upholds the data subject’s right to privacy; processed lawfully; limited to the purpose for which it is collected; accurate and up to date; kept in a form which identifies the data subjects for no longer than is necessary; and not transferred outside Kenya save as permitted in the Act.

5. Notification of Breach

Data controllers must employ appropriate security measures to prevent unauthorized access to, or disclosure or loss of, the personal data collected by them. In the event of a breach, they are required to report it to the DPC within 72 hours and to the affected data subjects without undue delay.

6. Transfer of Data Outside Kenya

Personal data may only be transferred outside Kenya with the approval of the DPC upon proof of the existence of appropriate safeguards for the data being transferred.

7. Penalties for non-compliance

General penalty: a fine not exceeding Kenya Shillings Three Million (Ksh. 3,000,000/-) (US$30,000) or imprisonment for a term not exceeding 10 years, or to both.

Please reach out to us ([email protected]) if you require specific advice on the Data Protection Act, 2019.