LAWS OF KENYA
DATA PROTECTION ACT
CAP. 411C
- Published in Kenya Gazette Vol. CXXI—No. 156 on 15 November 2019
- Assented to on 8 November 2019
- Commenced on 25 November 2019
- [Revised by 24th Annual Supplement (Legal Notice 221 of 2023) on 31 December 2022]
Part I – PRELIMINARY
1. Short title
This Act may be cited as the Data Protection Act.
2. Interpretation
In this Act, unless the context otherwise requires—
"anonymisation" means the removal of personal identifiers from personal data so that the data subject is no longer identifiable;
"biometric data" means personal data resulting from specific technical processing based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, deoxyribonucleic acid analysis, earlobe geometry, retinal scanning and voice recognition;
"Cabinet Secretary" means the Cabinet Secretary responsible for matters relating to information, communication and technology;
"consent" means any manifestation of express, unequivocal, free, specific and informed indication of the data subject's wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject;
"data" means information which—
3. Object and purpose of this Act
The object and purpose of this Act is—
4. Application
This Act applies to the processing of personal data—
Part II – ESTABLISHMENT OF THE OFFICE OF DATA PROTECTION COMMISSIONER
5. Establishment of the Office
6. Appointment of the Data Commissioner
7. Qualifications of Data Commissioner
8. Functions of the Office
9. Powers of the Office
10. Delegation by the Data Commissioner
The Data Commissioner may, subject to such conditions as the Data Commissioner may impose, delegate any power conferred under this Act or any other written law to a regulator established through an Act of Parliament.
11. Vacancy in the Office of the Data Commissioner
The Office of the Data Commissioner shall become vacant, if the Data Commissioner—
12. Removal of the Data Commissioner
13. Staff of the Office
The Data Commissioner shall in consultation with the Public Service Commission, appoint such number of staff as may be necessary for the proper and efficient discharge of the functions under this Act or any other relevant law.
14. Remuneration of the Data Commissioner and staff
The Data Commissioner and staff of the Office shall be paid such remuneration or allowances as the Salaries and Remuneration Commission may advise.
15. Oath of office
The Data Commissioner shall take the oath set out in the First Schedule on appointment.
16. Confidentiality agreement
The Data Commissioner, or any staff of the Office, shall not, unless with lawful authority, disclose any information obtained for the purposes of this Act.
17. Protection from personal liability
The Data Commissioner or any staff of the Office shall not be held liable for having performed any of their functions in good faith and in accordance with this Act.
Part III – REGISTRATION OF DATA CONTROLLERS AND DATA PROCESSORS
18. Registration of data controllers and data processors
19. Application for registration
20. Duration of the registration certificate
A registration certificate issued under section 19 shall be valid for a period determined at the time of the application after taking into account the need for the certificate, and the holder may apply for a renewal of the certificate after expiry of the certificate.
21. Register of data controllers and data processors
22. Cancellation or variation of the certificate
The Data Commissioner may, on issuance of a notice to show cause, vary terms and conditions of the certificate of registration or cancel the registration where—
23. Compliance and audit
The Data Commissioner may carry out periodical audits of the processes and systems of the data controllers or data processors to ensure compliance with this Act.
24. Designation of the Data Protection Officer
Part IV – PRINCIPLES AND OBLIGATIONS OF PERSONAL DATA PROTECTION
25. Principles of data protection
Every data controller or data processor shall ensure that personal data is—
26. Rights of a data subject
A data subject has a right—
27. Exercise of rights of data subjects
A right conferred on a data subject may be exercised—
28. Collection of personal data
29. Duty to notify
A data controller or data processor shall, before collecting personal data, in so far as practicable, inform the data subject of—
30. Lawful processing of personal data
31. Data protection impact assessment
32. Conditions of consent
33. Processing of personal data relating to a child
34. Restrictions on processing
35. Automated individual decision making
36. Objecting to processing
A data subject has a right to object to the processing of their personal data, unless the data controller or data processor demonstrates compelling legitimate interest for the processing which overrides the data subject's interests, or for the establishment, exercise or defence of a legal claim.
37. Commercial use of data
38. Right to data portability
39. Limitation to retention of personal data
40. Right of rectification and erasure
41. Data protection by design or by default
42. Particulars of determining organisational measures
43. Notification and communication of breach
Part V – GROUNDS FOR PROCESSING OF SENSITIVE PERSONAL DATA
44. Processing of sensitive personal data
No category of sensitive personal data shall be processed unless section 25 applies to that processing.
45. Permitted grounds for processing sensitive personal data
Without prejudice to section 44, sensitive personal data of a data subject may be processed where—
46. Personal data relating to health
47. Further categories of sensitive personal data
Part VI – TRANSFER OF PERSONAL DATA OUTSIDE KENYA
48. Conditions for transfer out of Kenya
A data controller or data processor may transfer personal data to another country only where—
49. Safeguards prior to transfer of personal data out of Kenya
50. Processing through a data server or data centre in Kenya
The Cabinet Secretary may prescribe, based on grounds of strategic interests of the state or protection of revenue, certain nature of processing that shall only be effected through a server or a data centre located in Kenya.
Part VII – EXEMPTIONS
51. General exemptions
52. Journalism, literature and art
53. Research, history and statistics
54. Exemptions by the Data Commissioner
The Data Commissioner may prescribe other instances where compliance with certain provisions of this Act may be exempted.
55. Data-sharing code
Part VIII – ENFORCEMENT PROVISIONS
56. Complaints to the Data Commissioner
57. Investigation of complaints
58. Enforcement notices
59. Power to seek assistance
For the purpose of gathering information or for any investigation under this Act, the Data Commissioner may seek the assistance of such person or authority as they deem fit and as is reasonably necessary to assist the Data Commissioner in the discharge of their functions.
60. Power of entry and search
The Data Commissioner, upon obtaining a warrant from a Court, may enter and search any premises for the purpose of discharging any function or exercising any power under this Act.
61. Obstruction of Data Commissioner
A person who, in relation to the exercise of a power conferred by section 9—
62. Penalty notices
63. Administrative fines
In relation to an infringement of a provision of this Act, the maximum amount of the penalty that may be imposed by the Data Commissioner in a penalty notice is up to five million shillings, or in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, whichever is lower.
64. Right of appeal
A person against whom any administrative action is taken by the Data Commissioner, including in enforcement and penalty notices, may appeal to the High Court.
65. Compensation to a data subject
66. Preservation Order
The Data Commissioner may apply to a court for a preservation order for the expeditious preservation of personal data including traffic data, where there is reasonable ground to believe that the data is vulnerable to loss or modification.
Part IX – FINANCIAL PROVISIONS
67. Funds of the Office
The funds and assets of the Office shall consist of—
68. Annual estimates
69. Accounts and Audit
The annual accounts of the Office shall be prepared, audited and reported in accordance with the provisions of Articles 226 and 229 of the Constitution, the Public Finance Management Act (Cap. 412A), or any other law relating to audit of public entities.
70. Annual reports
Part X – PROVISIONS ON DELEGATED POWERS
71. Regulations
Part XI – MISCELLANEOUS PROVISIONS
72. Offences of unlawful disclosure of personal data
73. General penalty
74. Codes, guidelines and certification
75. [Spent]
History of this document
- 31 December 2022 (this version): Revised by 24th Annual Supplement
- 25 November 2019: Commenced
- 15 November 2019: Published in Kenya Gazette Vol. CXXI—No. 156
- 08 November 2019: Assented to
Cited documents 2
Act 2
1. | Public Finance Management Act | 686 citations |
2. | Statutory Instruments Act | 241 citations |
Documents citing this one 93
Judgment 72
Legal Notice 9
Act 8
1. | Employment Act | 5276 citations |
2. | Kenya Information and Communications Act | 618 citations |
3. | Independent Electoral and Boundaries Commission Act | 382 citations |
4. | Basic Education Act | 172 citations |
5. | Children Act | 42 citations |
6. | Primary Health Care Act | 6 citations |
7. | Social Health Insurance Act | 6 citations |
8. | Digital Health Act | 2 citations |
Gazette 2
1. | Kenya Gazette Vol. CXXII-No. 198 |
2. | Kenya Gazette Vol. CXXII-No. 201 |
Bench Bulletin 1
1. | Bench Bulletin - Issue 48 |
Bill 1
1. | The E-Health Bill, 2023 |
Subsidiary legislation
Title | Legal Notice | Date |
---|---|---|
The Data Protection (Registration of Data Controllers and Data Processors) Regulations | Legal Notice 265 of 2021 | 31 December 2022 |
The Data Protection (Complaints Handling Procedure and Enforcement) Regulations | Legal Notice 264 of 2021 | 31 December 2022 |
The Data Protection (General) Regulations | Legal Notice 263 of 2021 | 31 December 2022 |
The Data Protection (Civil Registration) Regulations | Legal Notice 196 of 2020 | 31 December 2022 |