Related documents
- Is amended by 24th Annual Supplement

LAWS OF KENYA
DATA PROTECTION ACT
THE DATA PROTECTION (GENERAL) REGULATIONS
LEGAL NOTICE 263 OF 2021
- Published in Kenya Gazette Vol. CXXIV—No. 6 on 14 January 2022
- Commenced on 14 January 2022
- [Revised by 24th Annual Supplement (Legal Notice 221 of 2023) on 31 December 2022]
Part I – PRELIMINARY
1. Citation
These Regulations may be cited as the Data Protection (General) Regulations.
2. Interpretation
In these Regulations, unless the context otherwise requires—
Act means the Data Protection Act (Cap 411C);
Data Commissioner means the person appointed as such pursuant to section 6 of the Act; and
Office has the meaning assigned to it under the Act.
3. Exemption
These Regulations shall not apply to civil registration entities specified under the Data Protection (Civil Registration) Regulations (L.N. 196/2020).
Part II – ENABLING THE RIGHTS OF A DATA SUBJECT
4. Processing on the basis of consent
5. Lawful basis for processing
6. Mode of collection of personal data
7. Restriction to processing
8. Objection to processing
9. Data access request
10. Rectification of personal data
11. Data portability request
12. Right of erasure
13. Exercise of rights by others
Part III – RESTRICTIONS ON THE COMMERCIAL USE OF PERSONAL DATA
14. Interpretation of commercial purposes
15. Permitted commercial use of personal data
16. Features of an opt out message
17. Mechanisms to comply with opt out requirement
18. Request for restriction of further direct marketing
Part IV – OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS
19. Retention of personal data
20. Requests to deal anonymously or pseudonymously
21. Sharing of personal data
22. Automated individual decision making
23. Data protection policy
24. Contract between data controller and data processor
25. Obligations of a data processor
26. Requirement for specified processing to be done in Kenya
Part V – ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT
27. Data protection by design or default
A data controller or data processor shall in processing of personal data —
28. Elements of data protection by design or default
The elements for the protection of personal data by design or by default that are necessary to implement the data protection principles outlined under section 25 of the Act are as set out in this Part.
29. Elements for principle of lawfulness
The elements necessary to implement the principle of lawfulness include—
30. Elements for principle of transparency
The elements necessary to implement the principle of transparency include—
31. Elements for principle of purpose limitation
The elements necessary to implement the principle of purpose limitation include—
32. Elements for principle of integrity, confidentiality and availability
The elements necessary to implement the principle of integrity, confidentiality and availability include—
33. Elements for principle of data minimization
The elements necessary to implement the principle of data minimization include—
34. Elements for principle of accuracy
The elements necessary to implement the principle of accuracy include—
35. Elements for principle of storage limitation
The elements necessary to implement the principle of storage limitation include—
36. Elements for principle of fairness
The elements necessary to implement the principle of fairness include—
Part VI – NOTIFICATION OF PERSONAL DATA BREACHES
37. Categories of notifiable data breach
38. Notification to Data Commissioner
Part VII – TRANSFER OF PERSONAL DATA OUTSIDE KENYA
39. Interpretation of the Part VII
In this Part, unless the context otherwise requires—
40. General principles for transfers of personal data out of the country
A data controller or data processor who is a transferring entity shall before transferring personal data out of Kenya ascertain that the transfer is based on—
41. Transfers on the basis of appropriate safeguards
42. Deeming of appropriate safeguards
For the purpose of confirming the existence of appropriate data protection safeguards anticipated under section 49(1) of the Act and these Regulations, any country or a territory is taken to have such safeguards if that country or territory has—
43. Binding corporate rules
44. Transfers on the basis of an adequacy decision
45. Transfers on the basis of necessity
46. Transfer on basis of consent
47. Subsequent transfers
48. Provisions for the agreement to cross border transfer
A transferring entity may enter into a written agreement with the recipient of personal data, which shall contain provisions relating to—
Part VIII – DATA PROTECTION IMPACT ASSESSMENT
49. Processing activities requiring data protection impact assessment
50. Conduct of data protection impact assessment
51. Prior consultation
52. Consideration of the data protection impact assessment report
53. Audit of compliance with Assessment Report
Pursuant to section 23 of the Act, the Data Commissioner may carry out periodic audits to monitor compliance with the Assessment Report and any recommendations that may have been provided by the Data Commissioner.
Part IX – PROVISIONS ON EXEMPTIONS UNDER THE ACT
54. Exemption for national security
55. Exemptions for public interest
For the purposes of section 51(2)(b) of the Act, the processing of personal data is exempted from the Act on the grounds of public interest where such processing exists as a—
56. Permitted general situation
A permitted general situation referred to under regulation 55(a) relates to the collection, use or disclosure by a data controller or data processor of personal data about a data subject including for—
57. Permitted health situation
Part X – GENERAL PROVISIONS
58. Complaints against data controller and data processor
A person aggrieved by a decision of a data controller or a data processor under these Regulations or non-compliance with any provision may lodge a complaint with the Data Commissioner in accordance with the Act and regulations on complaints handling made thereunder.
History of this document
- 31 December 2022 (this version): Revised by 24th Annual Supplement
- 14 January 2022
Cited documents (3 Acts)
- Basic Education Act (159 citations)
- Data Protection Act (96 citations)
- Computer Misuse and Cybercrimes Act (34 citations)