Kenya's Data Protection Act 2019: How the Law Protects Your Personal Information in the Digital Age
The Data Protection Act, 2019 is Kenya's first comprehensive privacy law, enacted to give effect to Article 31 of the Constitution of Kenya which guarantees every person the right to privacy. Modelled after the European Union's General Data Protection Regulation (GDPR), the Act regulates the collection, processing, storage, and transfer of personal data, ensuring that individuals' information is handled lawfully, fairly, and transparently. The Office of the Data Protection Commissioner (ODPC) serves as the independent regulatory authority responsible for overseeing compliance, registering data controllers and processors, investigating complaints, and enforcing the law through fines, orders, and penalties.
Who Must Comply with the Data Protection Act
The Act applies to all data controllers (entities that determine the purpose and means of processing personal data) and data processors (entities that process data on behalf of controllers) operating within Kenya or processing the personal data of individuals located in Kenya. This means every business, government agency, non-profit organisation, hospital, school, financial institution, and online service provider handling Kenyan residents' personal data must comply. A fundamental obligation is mandatory registration with the ODPC—no person may act as a data controller or data processor without being registered with the Data Commissioner.
Registration requires submitting details about the organisation's data processing activities, the types of personal data handled, the purposes of processing, security measures in place, and any international data transfers. The ODPC maintains a public register of all registered data controllers and processors, promoting transparency and accountability. Failure to register constitutes an offence punishable by fines and imprisonment.
Rights of Data Subjects
The Act grants individuals (data subjects) a comprehensive set of rights over their personal information. The right to be informed requires organisations to clearly explain what data they collect, why they collect it, how it will be used, and with whom it will be shared—typically through privacy notices and policies. The right of access allows individuals to request confirmation of whether their data is being processed and obtain copies of their personal data held by any organisation.
Additional rights include the right to rectification (correcting inaccurate or incomplete data), the right to deletion (requesting erasure of personal data in certain circumstances), the right to restrict processing, the right to data portability (receiving personal data in a structured, commonly used format for transfer to another controller), and the right to object to processing, particularly for direct marketing purposes. Organisations must respond to data subject requests within reasonable timeframes specified in the Act. The ODPC has processed 9,061 data protection complaints since the law came into force, demonstrating active exercise of these rights by Kenyans.
Lawful Bases for Processing Personal Data
The Data Protection Act requires that all personal data processing be based on at least one lawful basis. The primary bases include: consent of the data subject, which must be freely given, specific, informed, and unambiguous; contractual necessity, where processing is required to perform a contract with the individual; legal obligation, where processing is required by law; vital interests, where processing is necessary to protect someone's life; public interest, where processing is necessary for tasks carried out in the public interest; and legitimate interests of the controller, balanced against the rights of the data subject.
Sensitive personal data receives enhanced protection under the Act. This category includes data revealing racial or ethnic origin, health status, genetic and biometric data, sexual orientation, religious beliefs, and—under the proposed Data Protection (Amendment) Bill, 2025—political opinions and trade union memberships. Processing sensitive data requires explicit consent and additional safeguards. The 2025 Amendment Bill also proposes expanding complaint-filing rights from individuals to any person, including legal entities, and establishing a Data Protection Appeals Tribunal to handle appeals against Commissioner decisions.
Data Breach Notification Requirements
The Act imposes strict obligations when personal data breaches occur. Data controllers must notify the Data Commissioner within 72 hours of becoming aware of a breach that is likely to result in risk to the rights and freedoms of data subjects. If a data processor discovers the breach, they must notify the data controller within 48 hours. Where the breach poses a high risk to individuals, the data controller must also notify affected data subjects without undue delay, providing clear information about the nature of the breach, likely consequences, and measures taken to address it.
Breach notifications to the Commissioner must include a description of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate the breach. Organisations must also maintain internal records of all data breaches, including those that do not meet the notification threshold, as evidence of compliance during audits.
Enforcement and Penalties
The ODPC has demonstrated increasingly robust enforcement since the Act's commencement. Penalties for violations include fines of up to KES 5 million or 1 percent of annual turnover, imprisonment for up to 10 years, or both. As of 2025, the ODPC has issued 184 compensation orders to individuals whose personal data was mishandled, 357 determinations, 134 enforcement notices, and 20 penalty notices against non-compliant organisations. Additionally, 84 disputes have been resolved through Alternative Dispute Resolution (ADR).
Notable enforcement actions include fines imposed on organisations for processing personal data without lawful basis, sharing customer information without consent, and failing to implement adequate security measures. The ODPC conducts compliance audits under draft regulations issued in December 2024, and has released a Data Sharing Code to regulate ethical and responsible data sharing practices. Organisations are advised to appoint a Data Protection Officer (DPO), conduct regular Data Protection Impact Assessments (DPIAs) for high-risk processing activities, and maintain comprehensive records of processing activities to demonstrate compliance.
International Data Transfers
The Act restricts the transfer of personal data outside Kenya unless the receiving country provides adequate data protection safeguards, the data subject has given explicit consent, the transfer is necessary for contractual performance, or appropriate safeguards such as binding corporate rules or standard contractual clauses are in place. The Data Commissioner has the authority to determine which countries offer adequate protection and to approve specific transfer mechanisms. This framework ensures that Kenyan citizens' data remains protected even when processed by international organisations, cloud service providers, or multinational corporations operating across borders.