Kenya

Summary

Law: The Data Protection Act, 2019 ('the Act') and the Data Protection Regulations, 2021 ('the 2021 Regulations')

Regulator: Office of the Data Protection Commissioner ('ODPC')

Summary: Immaculate Kassait was appointed as the Data Protection Commissioner ('the Commissioner') on 16 November 2020. According to the Act, the ODPC's powers include overseeing the implementation and the enforcement of the Act, as well as the maintenance of a register of all the data controllers and processors in Kenya. The Act sets out, among other things, data subject rights, principles of data processing, and obligations related to data transfers, direct marketing, and breach notifications. 

The Taskforce for the Development of the Data Protection General Regulations, together with the ODPC, developed the 2021 Regulations, which supplement the provisions of the Act. In particular, the 2021 Regulations comprise three distinct regulations, namely:

  • the Data Protection (General) Regulations, 2021;
  • the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021; and
  • the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.

Notably, the 2021 Regulations were published in the Official Gazette on 14 January 2022 and enter into effect on 14 July 2022.

There are also several sector-specific pieces of legislation in Kenya addressing data protection in areas such as the information and communications technology industry, the health sector, and the financial sector, as well as other pieces of general legislation affecting data protection, including the Consumer Protection Act, 2012 and the Computer Misuse and Cybercrimes Act No. 5 of 2018. In the absence of an established data protection regulator, several sectoral authorities, such as the Central Bank of Kenya and the Competition Authority of Kenya, have issued guidance relevant to data protection.