Protecting your personal information

Privacy Policy

Data privacy in Kenya has gained significant attention in recent years, particularly with the enactment of the Data Protection Act, 2019 (DPA). This law established a legal framework for data protection, ensuring that personal data is collected, processed, stored, and shared responsibly.

Legal Framework

1. The Data Protection Act, 2019

The DPA is Kenya’s primary law governing data privacy. It aligns with international best practices, such as the EU’s General Data Protection Regulation (GDPR). The Act provides:

  • Rights to individuals over their personal data (e.g., access, correction, and deletion).
  • Obligations for data controllers and processors to handle data lawfully.
  • The establishment of the Office of the Data Protection Commissioner (ODPC) to oversee compliance.

2. Supporting Regulations

In addition to the DPA, the government has introduced specific regulations to guide compliance:

  • The Data Protection (General) Regulations, 2021
  • The Data Protection (Registration of Data Controllers and Processors) Regulations, 2021
  • The Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021

These regulations outline procedures for data processing, security measures, and penalties for violations.

Key Aspects of Data Privacy in Kenya

1. Rights of Data Subjects

Under the DPA, Kenyans have several rights, including:

  • The right to be informed about how their data is used.
  • The right to access their personal data.
  • The right to rectify inaccurate data.
  • The right to erasure (also known as the right to be forgotten).
  • The right to restrict or object to data processing.

2. Obligations of Data Controllers and Processors

Entities that collect or process personal data must:

  • Register with the ODPC if handling sensitive or large-scale data.
  • Ensure lawful and fair processing of personal data.
  • Implement security measures to prevent breaches.
  • Report data breaches within 72 hours.

3. Cross-Border Data Transfers

The law restricts the transfer of personal data outside Kenya unless:

  • The receiving country has adequate data protection laws.
  • The data subject has given explicit consent.
  • There are appropriate safeguards in place.

4. Penalties for Non-Compliance

Failure to comply with the DPA can result in:

  • Fines of up to Ksh 5 million or 1% of annual turnover for corporations.
  • Criminal liability, including imprisonment, for severe violations.

Challenges in Data Privacy

Despite legal progress, Kenya faces challenges in implementing data privacy laws, including:

  • Low public awareness of data protection rights.
  • Inadequate enforcement due to limited resources.
  • Data breaches and cyber threats, particularly in financial and government sectors.

Conclusion

Kenya’s data privacy landscape is evolving, with strong legal frameworks in place. However, for effective implementation, more awareness, enforcement, and technological safeguards are needed to protect personal information in the digital age.