On Friday 8th November, 2019, the President signed into law the Data Protection Act, 2019.
The Act gives effect to Article 31 (c) and (d) of the Constitution of Kenya, 2010 which guarantee every person the right to privacy.
1. Key definitions
“Data subject”- an identifiable natural person who is the subject of personal data.
"Personal data”- any information relating to an identified or identifiable natural person.
“Data controllers”- natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determine the purpose and means of processing of personal data.
"Data processors”- natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
2. Office of the Data Protection Commissioner
The Act establishes the office of the Data Protection Commissioner (“DPC”) to be recruited and employed by the Public Service Commission upon appointment by the President subject to the approval of the National Assembly.
3. Registration of Data Controllers and Processors
It is an offence to act as a data processor or data controller unless one is registered with the DPC.
4. Data Processing
Data must be processed in a manner that: upholds the data subject’s right to privacy; lawfully; limited to the purpose for which it is collected; limited to the purpose for which it is collected; accurate and up to date; kept in a form which identifies the data subjects for no longer than is necessary; and not transferred outside Kenya save as permitted in the Act.
5. Notification of Breach
Data controllers must employ appropriate security measures to prevent the unauthorized access, disclosure or loss of the personal data collected by them. In the event of breach, they are required to report it to the DPC within 72 hours and to the affected data subjects without undue delay.
6. Transfer of Data Outside Kenya
Personal data may only be transferred outside Kenya with the approval of the DPC upon proof of the existence of appropriate safeguards for the data being transferred.
7. Penalties for non-compliance
General penalty- a fine not exceeding Kenya Shillings Three Million Shillings (Ksh. 3,000,000/- (US$30,000) or imprisonment for a term not exceeding 10 years, or to both.
Please reach out to us ([email protected]) if you require specific advice on the Data Protection Act, 2019.