by Gregor Pannike

Data Protection in Kenya

The Kenyan Data Protection Act and the impact on Cross-Border Business and Agreements


Concern has grown over how data collected from individuals in our daily engagements is stored and used. As a result, there has been a growing campaign towards the protection of such data to uphold the individual’s right to privacy. Recently, a number of laws and regulations have been passed and implemented in a bid to ensure data protection.

In Kenya, the Data Protection Act, 2019 was passed on 8 November 2019. The key mandate and purpose of the Act are:

  • To uphold the right to privacy as per the Constitution of Kenya
  • To oversee the registration of those who collect, store, process or transfer data, i.e., the data “controllers” and “processors”
  • To regulate the use and transfer of personal data
  • To outline the key principles governing data protection

Data Protection Principles

The Act outlines key principles on how data controllers/processors should collect data, highlighting the need for data to be collected “lawfully, fairly and transparently” [S.25(b)]. For many data “controllers” and “processors”, this means balancing the need to collect and process the data against the rights of the data subject. The data subject has the right to be informed of the data collection, especially when it comes to their personal data, and they should also have the right to access such data [S.26]. In addition, the data subject has the right to be informed of the purpose of the data collection and how such data may or will be used, including the possibility of a transfer of their data. However, there are exemptions such as:

  • In the interest of national security
  • Where disclosure is required under law
  • In the apprehension or prosecution of an offender
  • In the detection or prevention of crime or
  • In the assessment or collection of tax

Transfer of Personal Data outside Kenya

Under the Act, there are provisions for the transfer of data outside of Kenya by data “controllers” or “processors” such as multi-jurisdictional entities or in the performance of cross-border transactions. In all instances, the data “controller” or “processor” must prove to the Data Commissioner that the transfer of data is necessary [S.48(c)] and that all the safeguards regarding safety and protection of personal data have been met [S.48(b), S.49].


What does this mean for corporates that collect and/or process data? The Act has led such corporates to take key measures to ensure compliance, including:

  • Mandatory data protection officers
  • Keeping a data inventory
  • Ensuring proper consents are obtained from data subjects
  • Registration with the Data Commissioner

How can we help?

At Agema Analysts, we work with experts to advise on how to comply with the Data Protection Act, including conducting an internal risk assessment and advising on the actions to be taken for compliance.

The information contained in this publication is provided for informational purposes only, and should not be construed as legal, risk or investment advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this site without seeking legal, risk, investment or other professional advice. The contents of this publication contain general information and may not reflect current legal, risk or investment developments or address your situation. We disclaim all liability for actions you take or fail to take based on any content in this publication. Agema Analysts makes no representations as to the accuracy, completeness, suitability, or validity of any information in this publication and will not be liable for any errors or omissions in it, for delays in publication of information, or for any losses, injuries, or damages arising from its display or use for any reason whatsoever.
