The Data Protection (Complaints Handling Procedure and Enforcement) Regulations

Legal Notice 264 of 2021

This is the latest version of this Legal Notice.

LAWS OF KENYA

DATA PROTECTION ACT

THE DATA PROTECTION (COMPLAINTS HANDLING PROCEDURE AND ENFORCEMENT) REGULATIONS

LEGAL NOTICE 264 OF 2021

  • Published in Kenya Gazette Vol. CXXIV—No. 6 on 14 January 2022
  • Commenced on 14 January 2022
  1. [Revised by 24th Annual Supplement (Legal Notice 221 of 2023) on 31 December 2022]

Part I – PRELIMINARY

1. Citation

These Regulations may be cited as the Data Protection (Complaints Handling Procedure and Enforcement) Regulations.

2. Interpretation

In these Regulations, unless the context otherwise requires—
"Act" means Data Protection Act (Cap. 411C);
"complainant" means a data subject or a person who has lodged a complaint pursuant to regulation 4;
"Data Commissioner" means the person appointed under section 6 of the Act;
"Office" means the office of the Data Protection Commissioner;
"enforcement notice" means a notice issued by the Data Commissioner under regulation 16;
"penalty" means a penalty imposed by a penalty notice;
"penalty notice" means a notice issued by the Data Commissioner under regulation 20;
"respondent" means a person against whom a complaint is lodged; and
"summons" means an order of the Data Commissioner, in writing, directing a person to appear before the Office.

3. Object and purpose of the Regulations

The object and purpose of these Regulations is to—
(a)facilitate a fair, impartial, just, expeditious, proportionate and affordable determination of complaints lodged with the Data Commissioner in accordance with the Act and these Regulations, without undue regard to technicalities of procedure;
(b)provide for issuance of enforcement notices as contemplated under section 58 of the Act;
(c)provide for issuance of penalty notices as contemplated under section 62 of the Act;
(d)provide for the procedure for hearing and determining of complaints; and
(e)provide for the resolution of complaints lodged with the Data Commissioner by means of alternative dispute resolution mechanisms as specified under section 9(1)(c) of the Act.

Part II – PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS

4. Lodging of a complaint

(1)Pursuant to section 56 of the Act, a data subject or any person aggrieved on any matter under the Act may lodge a complaint with the Data Commissioner.
(2)A complaint lodged under subregulation (1) may be lodged in Form DPC 1 set out in the Schedule—
(a)orally, subject to section 56(3) of the Act;
(b)through electronic means, including email, web posting, complaint management information system; or
(c)by any other appropriate means.
(3)A complaint under subregulation (1) may be lodged—
(a)by the complainant in person;
(b)by a person acting on behalf of the complainant;
(c)by any other person authorized by law to act on behalf of a data subject; or
(d)anonymously.
(4)The Data Commissioner shall acknowledge receipt of the complaint within seven days of receipt of the complaint under subregulation (1).
(5)The complaint under subregulation (1) shall be lodged free of charge.

5. Register of complaints

(1)The Data Commissioner shall keep and maintain an up to date Register of Complaints.
(2)An entry into the register of complaints shall state the particulars of the complainant and the complaint filed with the Data Commissioner.
(3)The Data Commissioner shall protect the identity of the complainant where the request to protect the identity is sought by the complainant.

6. Admission of complaint

(1)The Data Commissioner shall undertake a preliminary review of a complaint, upon receipt of the complaint by the Office.
(2)The Data Commissioner may, upon undertaking a preliminary review of the complaint—
(a)admit the complaint;
(b)where applicable, advise the complainant in writing that the matter is not within the mandate of the Data Commissioner; or
(c)advise the complainant that the matter lies for determination by another body or institution and refer the complainant to that body or institution.
(3)Despite subregulation (2), the Data Commissioner may decline to admit a complaint where the complaint does not raise any issue under the Act.
(4)Upon admission of a complaint, the Data Commissioner may—
(a)conduct an inquiry into the complaint;
(b)conduct investigations;
(c)facilitate mediation, conciliation or negotiation in accordance with the Act and these Regulations; or
(d)use any other mechanisms to resolve the complaint.
(5)Where a complaint is declined for admission under subregulation (3), the complaint may be re-admitted within six months from the date of decline, where the complaint raises new issues for determination under the Act.
(6)A complaint under subregulation (5) shall be lodged in accordance with regulation 4.

7. Discontinuation of a complaint

(1)The Data Commissioner may discontinue an existing complaint in Form DPC 2 set out in the Schedule, where—
(a)a complaint does not merit further consideration; or
(b)a complainant refuses, fails or neglects to communicate without justifiable cause.
(2)The Data Commissioner shall provide the reasons for discontinuation on any of the grounds specified under subregulation (1)(a) or (b) and shall, in writing, notify the complainant and respondent within fourteen days from the date the decision to discontinue a complaint is made.
(3)A complainant may, where a complaint has been discontinued pursuant to these Regulations, re-institute a complaint upon providing grounds for the restitution to the Data Commissioner.

8. Withdrawal of a complaint

(1)A complaint may be withdrawn at any stage during its consideration but before a determination is made.
(2)A complainant may, at any time during the consideration of a complaint lodged pursuant to regulation 4 and before its determination, withdraw the complaint.
(3)An application for a withdrawal under subregulation (1) shall be in Form DPC 2 set out in the Schedule.
(4)A withdrawn complaint under subregulation (1) may be re-lodged, within six months from the date of withdrawal of such complaint.
(5)A complaint re-lodged under this regulation shall be processed in accordance with the provisions of this Part.

9. Joint consideration of complaints

(1)Where two or more complaints are lodged in which similar issues are raised against a respondent, the Data Commissioner may with the consent of the complainants—
(a)consolidate the complaints and make a determination; or
(b)treat one complaint as a test complaint and stay further action on the other complaints pending resolution of the test complaint.
(2)The Data Commissioner shall, with necessary modifications, apply the decision of a test complaint to all the complaints stayed under subregulation (1)(b).
(3)The Data Commissioner shall, in writing, communicate to the complainants and all the parties the decision made under this regulation.
(4)Where complaints are consolidated in accordance with this regulation, the complaint shall be treated as a single complaint and shall be determined in accordance with the provisions of these Regulations.

10. Language

(1)Proceedings before the Office shall be conducted in Kiswahili, English or Kenyan Sign Language.
(2)The Office may ensure that a party who cannot speak, hear or understand the language of proceedings receives the services of an interpreter provided for by the Office.

11. Notification of a complaint to the respondent

(1)Upon admission of a complaint, the Data Commissioner shall notify the respondent of the complaint lodged against him, in Form DPC 3 set out in the Schedule and shall require the respondent to within twenty-one days—
(a)make representations and provide any relevant material or evidence in support of its representations;
(b)review the complaint with a view of summarily resolving the complaint to the satisfaction of the complainant; or
(c)provide a response with the required information.
(2)Where a respondent does not take any action as contemplated under subregulation (1), the Data Commissioner shall proceed to determine the complaint in accordance with the Act and these Regulations.
(3)The notice referred to under subregulation (1) shall specify options available to resolve a complaint including determining the complaint through alternative dispute resolution mechanisms specified in the Act and these Regulations.

12. Joinder of parties

(1)Where it appears to the Data Commissioner, or by an application by either the complainant or the respondent, that it is necessary that a person becomes a party to a complaint, the Data Commissioner may order that person to be enjoined as a party.
(2)A person who has sufficient interest in the outcome of a complaint may apply to the Office for leave to be enjoined in the proceedings prior to the hearing of the complaint.
(3)An application under subregulation (1) shall include—
(a)the names of the parties to which that application relates;
(b)the name and address for service of the person wishing to be enjoined;
(c)the grounds the applicant relies on to be enjoined;
(d)a copy of any relevant document in support of the application; and
(e)the relief sought.

13. Investigations of a complaint

(1)In investigating a complaint, the Data Commissioner may, subject to section 57 of the Act—
(a)issue summons in Form DPC 4 set out in the Schedule requiring the attendance of any person at a specified date, time and place for examination;
(b)examine any person in relation to a complaint;
(c)administer an oath or affirmation on any person during the proceedings;
(d)require any person to produce any document or information from a person or institution; and
(e)on obtaining warrants from the court, enter into any establishment or premises and conduct a search and may seize any material relevant to the investigation.
(2)Upon completion of the investigation, the Data Commissioner shall prepare an investigation report.
(3)In conducting investigations under this regulation, the Data Commissioner shall be guided by the provisions of the Fair Administrative Action Act (Cap. 7J).

14. Outcome of investigation

(1)The Data Commissioner shall, upon the conclusion of the investigations, make a determination based on the findings of the investigations.
(2)A determination under subregulation (1) shall be in writing and shall state—
(a)the nature of the complaint;
(b)a summary of the relevant facts and evidence adduced;
(c)the decision and the reasons for the decision;
(d)the remedy to which the complainant is entitled; and
(e)any other relevant matter.
(3)The remedies contemplated under subregulation (2)(d) may include—
(a)issuance of an enforcement notice to the respondent in accordance with the Act and these Regulations;
(b)issuance of a penalty notice imposing an administrative fine where a respondent fails to comply with the enforcement notice;
(c)dismissal of the complaint where it lacks merit;
(d)recommendation for prosecution; or
(e)an order for compensation to the data subject by the respondent.
(4)The Data Commissioner shall within seven days from the date of such determination, communicate the decision under subregulation (3) to the parties, in writing.
(5)The decision of the Data Commissioner made under these Regulations shall be—
(a)binding on the parties; and
(b)shall be enforced as an order of the Court.

15. Negotiation, mediation or conciliation

(1)Where the complaint is to be determined through negotiations, mediation or conciliation, the provisions of these Regulations shall apply.
(2)Where parties to a complaint agree to negotiation, mediation or conciliation, the Data Commissioner may in consultation with the parties facilitate the process.
(3)During the negotiations, mediation or conciliation, the Data Commissioner may apply such procedures as may, in the interest of the parties, deem appropriate in the circumstances.
(4)At the conclusion of the negotiations, mediation or conciliation process, the parties shall sign a negotiation, mediation or conciliation agreement in the manner specified in Form DPC 5 set out in the Schedule.
(5)A negotiation, mediation or conciliation agreement entered into under this regulation shall be deemed to be a determination of the Data Commissioner, and shall be enforceable as such.
(6)Despite this regulation, a party to dispute who is subject to a negotiation, mediation or conciliation may withdraw from the proceedings at any stage and shall notify the Data Commissioner and other parties of such withdrawal within seven days from the date of making such a decision.
(7)Parties to a dispute shall take all reasonable measures to amicably determine a dispute and act in good faith.
(8)Where the complaint is not determined through negotiation, mediation or conciliation, the Data Commissioner shall proceed to determine the complaint as provided for in the Act and these Regulations.

Part III – ENFORCEMENT PROVISIONS

16. Issuance of enforcement notice

(1)The Data Commissioner may pursuant to these Regulations or section 58 of the Act issue an enforcement notice.
(2)An enforcement notice shall specify the consequences of failure to comply with the notice including issuance of a penalty notice as provided under section 62(1) of the Act.

17. Service of an enforcement notice

(1)An enforcement notice shall be deemed to have been duly served on the concerned person where—
(a)an electronic copy of enforcement notice is sent to the concerned person’s last used email address; or
(b)the enforcement notice is posted or physically delivered to the registered offices of the concerned person, in the absence of an electronic address.
(2)The enforcement notice shall take effect from the date of service specified under subregulation (1).

18. Review of enforcement notice

(1)A person to whom an enforcement notice is given may apply in Form DPC 6 set out in the Schedule to the Data Commissioner for a review of the enforcement notice.
(2)An application under subregulation (1) may be made—
(a)before the end of the period specified in the enforcement notice; and
(b)on the ground that—
(i)a change of circumstances or new facts have arisen; or
(ii)one or more of the provisions of that notice need not be complied with in order to remedy the failure identified in the notice.

19. Appeals against enforcement notice

Subject to sections 58(2)(d) and 64 of the Act, a person may before the lapse of thirty days from the date of service of the enforcement notice, appeal to the High Court against a decision arising out of the enforcement of the notice.

20. Issuance of penalty notice

(1)The Data Commissioner shall, where any of the circumstances specified under section 62 of the Act and these Regulations arises, issue a penalty notice for each breach identified in the enforcement notice.
(2)A penalty notice shall contain—
(a)the name and address of the concerned person, to whom it is addressed;
(b)the reasons why the Data Commissioner proposes to impose the penalty and the amount thereof;
(c)an administrative fine imposed as contemplated under section 63 of the Act;
(d)details of how the penalty is to be paid; and
(e)details of the rights of appeal under section 64 of the Act.
(3)The administrative fine levied under subregulation (2)(c) shall consider each individual case and have due regard to factors or reasons outlined under section 62(2) of the Act.
(4)A penalty notice may impose a daily fine of not more than ten thousand shillings for each breach identified until the breach is rectified.
(5)The daily fine imposed under subregulation (4) shall be managed in accordance with section 67 of the Act and the Public Finance Management Act (Cap. 412A).

21. Enforcement of penalty notice

The Data Commissioner shall enforce or take action to recover a penalty—
(a)upon the lapse of the period specified in the penalty notice for payment of the penalty;
(b)on the final determination of any appeal against the penalty notice; or
(c)on the lapse of the period given to appeal against the penalty.

SCHEDULE [r. 4(2)(a)]

FORMS

FORM DPC 1

COMPLAINT SUBMISSION FORM

A. PARTICULARS OF THE COMPLAINANT/REPRESENTATIVE
Full Names 
National Identification Card Number/Passport Number 
Contact information (Phone number/email address) 
B. PARTICULARS OF THE COMPLAINT
Describe your complaint;
Indicate to whom the complaint is against:
When did you become aware of the alleged breach
C. REMEDY SOUGHT
Explain the remedy you are seeking for the alleged breach;
D. Which other steps have you already taken in relation to the Complainant, if any
State any other institution contacted over the complaint, if any.
Signature
Date
Note
* If the space provided for in this Form is inadequate, submit information as an annex.
* If you have supporting documents to substantiate your claim, please annex copies to this Form.
* The information submitted will be treated with the utmost confidentiality.

FORM DPC 2 (r. 7(1) & 8(3))

REQUEST TO DISCONTINUE OR WITHDRAW A COMPLAINT

A. NATURE OF REQUEST
Mark the appropriate box with an "x".
Request for:
DISCONTINUATION ☐ WITHDRAWAL ☐
B. PARTICULARS OF THE COMPLAINANT/REPRESENTATIVE
Full names 
National Identification Card Number/Passport Number 
Contact Information (Phone Number/Email Address) 
C. NATURE OF THE COMPLAINT
Complaint Number/Reference Number 
D. STATE REASON FOR WITHDRAWAL/DISCONTINUATION OF COMPLAINT
Signature
Date
Note:
* If the space provided for in this Form is inadequate, submit information as an Annexure to this form.
* If you have supporting documents to substantiate your claim, please annex copies to this Form.
* The information submitted will be treated with the utmost confidentiality.

FORM DPC (r. 11(1))

Notification of a complaint to the Respondent

Details of the Respondent
Full Names 
Complaints Register entry number 
Email address 
Details of the Complainant
Describe your complaint;
Full Names 
National Identification Card Number 
Contact information 
Particulars of the Complaint
 
Representation to be made to the Data Commissioner by:
Signature
Date

FORM DPC 4 (r. 13(1)(a))

Summons to Enter Appearance

OFFICE OF THE DATA PROTECTION COMMISSIONER

COMPLAINT NO .................. OF ...........

WHEREAS the above-named Complainant has instituted a Complaint against you, the Respondent particulars of which are set out in the copy of Complaint annexed herewith.

YOU ARE HEREBY REQUIRED to attend to the Office of the Data Commissioner on __________________ (Date), ________________________________ (Venue) At _______________ (Time) (am/pm)

Should you fail to attend to the above mentioned summons, you may be liable to an offence under section 57 of the Data Protection Act, 2019.

Dated ................ day of ............. 20 ........

...........................................
Data Commissioner

FORM DPC 5 (r. 15(4))

ALTERNATIVE DISPUTE RESOLUTION SETTLEMENT AGREEMENT

The undersigned parties, on this _____ day of ____________, have agreed to the following settlement of their dispute concerning ________________________________________, and hereby memorialize such agreement according to the following terms:
________________________________________,
________________________________________

The Settlement Agreement is binding on the parties and is admissible in court for enforcement purposes.

In order to facilitate the above-specified terms of settlement, the parties further agree that on or before the _______ day of ______, 20_, they will
Complainant: ________________________________________
Respondent: ________________________________________

Complainant:
Signature ________________________ Date ___________________________
Respondent
Signature ________________________ Date ___________________________

FORM DPC 6 (r. 18(1))

REVIEW OF ENFORCEMENT NOTICE

A. PARTICULARS OF THE PERSON ISSUED WITH THE ENFORCEMENT NOTICE
Full Names 
Registration Number/ Identification Number 
Contact information (Phone number/email address) 
B. REFERENCE NUMBER OF THE ENFORCEMENT NOTICE
 
C. GROUNDS FOR REVIEW OF THE ENFORCEMENT NOTICE (tick as appropriate)
(i) Change of circumstances or new facts have arisen; or
(ii) One or more of the provisions of that notice need not be complied with in order to remedy the failure identified in the notice.
Note:
* If the space provided for in this Form is inadequate, submit information as an Annex to this Form.
* If you have supporting documents to substantiate your claim, please annex copies to this Form.
* The information submitted will be treated with the utmost confidentiality.