Last modified 23 March 2026

Data Protection in Kenya

Breach notification in Kenya

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Kenya

The Data Protection Act, 2019 (the “Act”) came into force on 25th November, 2019 and is now the primary statute on data protection in Kenya. It gives effect to Article 31 c) and d) of the Constitution of Kenya, 2010 (right to privacy).

In October 2020, by virtue of the powers conferred to him under the Act, the Cabinet Secretary for Information, Communication, Technology, Innovation and Youth Affairs gazetted the Data Protection (Civil Registration) Regulations, 2020 (the “Regulations”). The Regulations apply to civil registries involved in processing personal data for registrations such as births, deaths, adoptions, persons, passports and marriages.

Since the Data Protection Commissioner’s (DPC) appointment on 16 November 2020, significant efforts have been made in developing regulations for the implementation of the Act.

Data Protection (Complaints Handling Procedure & Enforcement) Regulation, 2021 (the “Complaints Handling Regulations”) - sets out the complaints handling procedures and enforcement mechanisms in the event of non-compliance with the provisions of the Act;
Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021 (the “Registration Regulations”) - provides for the registration of data controllers and data processors with the Office of the Data Protection Commissioner (ODPC). The threshold for mandatory registration is also set out under these regulations; and
Data Protection (General) Regulations, 2021 (the “General Regulations”) – elaborates in more detail the rights of data subjects, restrictions on commercial use of personal data, duties and obligations of data controllers and data processors, elements of implementing data protection by design or default, notification of personal data breaches, transfer of personal data outside Kenya, conduct of data protection impact assessment and other general provisions.

The above regulations were gazetted in January and came into effect on 14 February 2022 with the exception of the Registration Regulations, 2021 which came into force on 14 July 2022.

The ODPC has also issued a number of guidelines, these include:

Guidance Note on Registration of Data Controllers and Data Processors - developed to assist entities in ascertaining if they are data controllers or data processors, and to understand their obligations with respect to mandatory registration;
Guidance Note on Processing Personal Data for Electoral Purposes - developed to assist data controllers and data processors dealing with voters’ personal data and members of political parties’ personal data to understand their obligations under the Act;
Guidance Note on Data Protection Impact Assessment - to assist data controllers and data processors to understand their obligations under the Act and the need to undertake a Data Protection Impact Assessment;
Guidance Note on Consent - developed to assist data controllers and data processors to understand their duties under the Act and their obligations as far as obtaining consent is concerned;
Guidance Note for the Communications Sector – it applies to communication service providers processing personal data in either the public or private sectors and provides considerations that must be present in when processing subscribers’ personal data, network traffic, location or geographical data, financial data, and mobile operators’ privacy policies;
Guidance Note for the Education Sector – developed to assist educational institutions to understand their obligations under the DPA and remain compliant. The guidance note also covers institutions offering remote e-learning solutions and services;
Guidance Note on the Processing of Health Data – developed to provide healthcare institutions with a clear understanding of their obligations under the DPA and applies to all healthcare institutions operating in Kenya, including hospitals & clinics, laboratories, pharmaceutical services, health insurance providers, health research and training institutions, and professional health bodies. The guidance note also extends to the processing of digital health processing platforms such as Health Management Information System (HMIS), eHealth and mHealth applications; and
Guidance Note for Digital Credit Providers – sets out the compliance requirements that digital credit providers (DCPs) must implement while processing personal data in line with the administration of digital credit and in compliance with the DPA.
Guidance Notes for the Public Sector – Developed to provide the public sector with a clear understanding of their obligations under the Act and Regulations, and to guide public entities in ensuring legal compliance, upholding privacy rights, and protecting against various risks that come with processing of personal data;
Guidance Notes on Processing by Micro, Small & Medium Enterprises (MSMEs) – developed to assist MSMEs understand their obligations under the Act, the scope of their data processing activities, and to help them implement best practices for data protection while promoting compliance with the Act;
Guidance Notes on Processing for Journalistic Purpose – developed to clarify the balance between freedom of expression and personal data protection in journalistic, literary and artistic activities. It outlines the scope of allowable exemptions under the DPA, emphasizing that these exemptions are not absolute and must satisfy the specific conditions set out in the Act, and further outlines the compliance requirements and obligations;
Guidance Notes on Processing for Research Purpose – developed to provide the considerations that must be present when processing personal data for research purposes;
Guidance Notes for Processing Children’s Data – developed to set out considerations that must be present when processing children’s personal data, and to clarify the obligations of organisations that process children’s data;
Guidance Notes on Biometric Data – provides detailed considerations that must be taken into account when processing biometric data, and to clarify the legal and compliance obligations of data controllers and data processors when processing biometric data;
Guidance Notes on Historical & Statistical Purposes – developed to outline the obligations of data controllers and processors regarding the processing of personal data for historical and statistical purposes; and
Guidance Notes for Processing of Personal Data on Publications of Recorded Media – addresses the processing of personal data for the publication of audio visual and recorded media, with the exclusion of intellectual property rights considerations. It outlines specific considerations and best practices and provides direction in the handling of personal data within the context of creating, processing and publishing audio visual content, ensuring compliance with the Act and Regulations when processing personal data for publication of recorded media.

The ODPC has also published:

the Personal Data Protection Handbook, which provides simplified information to data controllers and data processors, who have the responsibility and obligation to uphold the principles of data protection, and acts as an awareness wallet for data subjects to better understand their rights and available legal and institutional framework to protect their personal data from processing that is not covered under the existing personal data laws;
the Data Without Borders Report, which highlights how trusted data flows can power Kenya’s economic growth. This report on the economic impact of data flows provides timely and evidence-based analysis to support the implementation of the Act. It examines how data flows contribute to economic growth, innovation, and competitiveness, while also highlighting the role of effective data governance, regulatory certainty, and trust;
a Complaints Management Manual, which sets out the complaints management handling procedure by the ODPC;
the Alternative Disputes Resolution Framework/Guidelines, which provide guidance to stakeholders who wish to engage in Alternative Dispute Resolution (ADR) to resolve their disputes arising under the Act;
the Data Sharing Code, which provides a framework for responsible and ethical data sharing practices and outlines the requirements that data controllers and processors are required to observe prior to sharing personal data, as well as the measures to put in place to ensure the protection of the data subject.

The ODPC is also in the process of developing the following regulations, which are currently undergoing public consultation/participation:

Data Protection (Conduct of Compliance Audit) Regulations, 2024 – set out the procedure for the conduct of audits by the ODPC, as well as the procedure for entities that want to be accredited by the ODPC to carry out data protection audits; and
Guidance Note on the Processing of Personal Data for Private Security – provides clear and concise instructions on how to handle personal data by the private security service providers in Kenya, in accordance with the Act and the Regulations. Also provides practical advice on how to implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction.

Related resources

Definitions

Definitions in Kenya

Definition of personal data

Personal data is defined as any information relating to an identified or identifiable natural person. (Section 2 of the Act).

Definition of sensitive personal data

Sensitive personal data is defined as data revealing the natural person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person's children, parents, spouse or spouses, sex or the sexual orientation of the data subject. (Section 2 of the Act)

Related resources

Authority

National data protection authority in Kenya

The Act established the ODPC, whose mandate includes overseeing the implementation and enforcement of the provisions of the Act. The ODPC has, in the recent past, intensified enforcement efforts. The ODPC is also tasked with the maintenance of the register of data controllers and processors; receiving and investigation of complaints under the Act; and carrying out inspections of public and private entities to evaluate the processing of personal data. (Part II of the Act)

Related resources

Registration

Registration in Kenya

Section 18 of the Act

Data processors and data controllers are required to be registered with the ODPC. The ODPC, however, has discretion to prescribe the thresholds for mandatory registration based on:

the nature of industry;
the volumes of data processed; and
whether sensitive personal data is being processed.

(Section 18 of the Act)

The Registration Regulations provide for the registration of data controllers and data processors with the ODPC. The threshold for mandatory registration is also set out under these regulations. The ODPC also launched a portal where applications for registration are submitted in the prescribed form and upon payment of a prescribed fee. Where the ODPC is satisfied that the applicant has fulfilled the requirements for registration, a certificate of registration is issued within 14 days and entry of the applicant’s details is made in the register of data controllers and data processors.

The certificate of registration issued is valid for 24 months from the date of issuance.

A data controller or data processor with an annual turnover or revenue of below Kenya Shillings Five Million (approx. USD 38,760) and which has fewer than 10 employees is exempt from mandatory registration.

Data controllers and data processors who process data for the following purposes regardless of their annual turnover or revenue or number of employees have to be registered under the Registration Regulations:

Canvassing political support among the electorate;
Crime prevention and prosecution of offenders (including operating security CCTV systems);
Gambling;
Operating an educational institution;
Health administration and provision of patient care;
Hospitality industry firms, excluding tour guides;
Property management including the selling of land;
Provision of financial services;
Telecommunications network or service providers;
Businesses that are wholly or mainly in direct marketing;
Transport services firms (including online passenger hailing applications);
businesses that process genetic data;
digital credit providers;
state or county department and state or county corporation; and
non-profit making entities, including non-governmental organizations, charitable and religious institutions, multi-lateral agencies or civil society organizations.

Related resources

Data protection officers

Data protection officers in Kenya

The Act makes provisions for the designation of Data Protection Officers (DPOs), but this obligation is not mandatory. (Section 24 of the Act).

DPOs can be members of staff and may perform other roles in addition to their roles. A group of entities can share a DPO.

The contact details of the DPO must be published on the organisation’s website and communicated to the ODPC.

DPOs have the following roles:

advising the data controller or data processor and their employees on data processing requirements provided under the Act or any other written law;
ensuring compliance with the Act;
facilitating capacity building of staff involved in data processing operations;
providing advice on data protection impact assessments; and
co-operating with the DPC and any other authority on matters relating to data protection.

Under the Regulations, DPOs also have the following additional roles:

monitoring and evaluating the efficiency of the data systems in the organization; and
keeping written records of the processing activities of the civil registration entity.

Related resources

Collection and processing

Collection and processing in Kenya

The processing of personal data must comply with the prescribed principles. (Section 25 of the Act). It must be:

processed in accordance with the right to privacy of the data subject;
processed lawfully, fairly and in a transparent manner in relation to any data subject;
collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected; and
not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

The Act recommends personal data to be collected and processed lawfully (Section 30 of the Act). The lawful reasons for processing include:

consent of the data subject; or
the processing is necessary for:
- the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
- compliance with any legal obligation to which the controller is subject; in order to protect the vital interests of the data subject or another natural person;
- the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- performance of any task carried out by a public authority;
- the exercise, by any person in the public interest, of any other functions of a public nature;
- the legitimate interests pursued by the data controller or data processor by a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or
- the purpose of historical, statistical, journalistic, literature and art or scientific research.

It is an offence to process personal data without a lawful reason.

Under the Regulations, civil registration entities must ensure that they collect only personal data permitted by the data subject, and that appropriate steps are taken to ensure the quality and security of the personal data.

Where the registries intend to use such data for another purpose, they must either ensure that the purpose is compatible with the initial purpose or, where that is not the case, seek fresh consent.

The General Regulations elaborate in more detail restrictions on commercial use of personal data; duties and obligations of data controllers and data processors; elements of implementing data protection by design or default; conduct of data protection impact assessments; and other general provisions.

Related resources

Transfer of personal data

Transfer of personal data in Kenya

The transfer of personal data outside Kenya is highly regulated under the Act (Part VI of the Act). Prior to any transfer the data controller or data processor must provide proof to the DPC on the appropriate safeguards with respect to the security and protection of the personal data including jurisdictions with similar data protection laws. The data controller also has an obligation to document the transfer and provide documentation to the DPC upon request.

The consent of the data subject is required for the transfer of sensitive personal data out of Kenya.

Under the Regulations, civil registration registries cannot transfer personal data collected for civil registration purposes outside Kenya without the written approval of the DPC.

The General Regulations elaborate in more detail transfer of personal data outside Kenya. They provide for four legal bases for the transfer of personal data out of the country, which include:

appropriate data protection safeguards in the country or territory in which recipient is based. Any country or territory is taken to have appropriate safeguards if it has: a reciprocal data protection agreement with Kenya; ratified the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention); or contractual binding corporate rules among a concerned group of undertakings or enterprises;
adequacy: an adequacy decision made by the DPC that the country, territory or the international organization to which/whom data is being transferred ensures an adequate level of protection of personal data;
necessity: transfer is deemed to be necessary if it is:
- for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
- for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person;
- for any matter of public interest;
- for the establishment, exercise or defence of a legal claim in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
- for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects; or
consent of the data subject, on the condition they have consented to the proposed transfer and have been informed of the possible risks of transfer.

Related resources

Security

Security in Kenya

Data controllers and data processors are required to implement appropriate organizational and technical measures to implement data protection principles in an effective manner and to integrate necessary safeguards for that processing. (Sections 41 and 42 of the Act).

Civil registration registries are mandated to formulate written data security procedures which must include the following:

instructions concerning physical protection of the database sites and their surroundings;
access authorizations to the database and database systems;
description of the means intended to protect the database systems and the manner of their operation for this purpose;
instructions to authorized officer of the database and database systems regarding the protection of data stored in the database;
the risks to which the data in the database is exposed in the course of the civil registration entity's ongoing activities;
the manner of dealing with information security incidents, according to the severity of the incident;
instructions concerning the management and usage of portable devices;
instructions with respect to conducting periodical audits to ensure that appropriate security measures exist, in accordance with the Procedure and the Regulations; and
instructions regarding backup of personal data.

As far as technical measures are concerned, the General Regulations require the use of hashing and cryptography to limit the possibility of repurposing personal data.

The General Regulations also require the contract between a data controller and a data processor to include a clause on security measures, subjecting the data processor to appropriate technical and organizational measures in relation to keeping personal data secure.

With respect to organizational measures, the General Regulations require a data controller or data processor to develop, publish and regularly update a policy reflecting their personal data handling practices. The policy may include:

the nature of personal data collected and held;
how a data subject may access their personal data and exercise their rights in respect to that personal data;
complaints handling mechanisms;
lawful purpose for processing personal data;
obligations or requirements where personal data is to be transferred outside the country, to third parties, or other data controllers or data processors located outside Kenya and where possible, specify such recipients;
the retention period and schedule; and
the collection of personal data from children, and the criteria to be applied.

The General Regulations provide specific obligations on the data controller and data processor under the data protection principle of integrity, confidentiality and availability. These include:

having an operative means of managing policies and procedures for information security;
assessing the risks against the security of personal data and putting in place measures to counter identified risks;
processing that is robust to withstand changes, regulatory demands, incidents and cyber-attacks;
ensuring only authorised personnel have access to the data necessary for their processing tasks;
securing transfers against unauthorised access and changes;
securing data storage from use, unauthorised access and alterations;
keeping back-ups and logs to the extent necessary for information security;
using audit trails and event monitoring as a routine security control;
protecting sensitive personal data with adequate measures and, where possible, are kept separate from the rest of the personal data;
having in place routines and procedures to detect, handle, report, and learn from data breaches; and
regularly reviewing and testing software to uncover vulnerabilities of the systems supporting the processing.

Related resources

Breach notification

Breach notification in Kenya

Section 43 of the Act

In the event of a personal data breach that poses a real risk of harm to the data subject, a data controller is required to notify the DPC without delay, within seventy-two hours of becoming aware of such breach. Where the notification is submitted after the 72 hour window, it must be accompanied by reasons for the delay.

The ODPC has launched a portal where data breach notifications should be made here: Report a Data Breach - Office of the Data Protection Commissioner (ODPC).

The data controller is further required to communicate the breach to the affected data subjects within a reasonably practical period, unless:

the identity of the data subject cannot be established; or
the data controller or processor has implemented appropriate security safeguards which may include encryption of affected personal data.

The Act requires the notification to the DPC and the communication to the affected data subject to provide sufficient information to allow the data subject to take protective measures against the potential consequences of the data breach.

As for data processors, the Act requires them to notify the data controllers within 48 hours of becoming aware of a breach.

The DPA requires a data controller to record:

the facts relating to the breach;
its effects; and
the remedial action taken.

The Data Protection (General) Regulations, 2021 elaborate in more detail notification of personal data breaches. In particular, Part VI outlines the categories of a notifiable breach and the requirements for a notification of breach to the DPC.

Under the Data Protection (Civil Registration) Regulations, 2020 , civil registration registries must also notify the DPC of any personal data breach. However, no timelines are stipulated for this requirement. The Regulations also grant the data subject the power to notify the relevant civil registration registry and the DPC where the data subject suspects that their personal data has been breached. This notification must be done within 14 days of such a suspicion.

Related resources

Enforcement

Enforcement in Kenya

The DPC has the duty to ensure the implementation and enforcement of the Act. In the recent past, the ODPC has significantly intensified its enforcement activity, as shown by the increased issuance of formal determinations, enforcement notices and penalty notices across various sectors.

The Compliance & Enforcement Regulations set out the complaints handling procedures and enforcement mechanisms in the event of non-compliance with the provisions of the Act. The Regulations provide for the process and procedure of lodging of complaints with the DPC.

The DPC is also required to maintain an up-to-date register of complaints stating the particulars of the complainant and complaint.

Under section 62 of the Act:

In instances where the DPC is satisfied that any person has violated the provisions of the Act, he has the power to issue penalty notices for up to a maximum of Kenya Shillings Five Million (approximately USD 38,760) or 1% of an undertaking’s annual turnover the preceding year, whichever is lower.
In addition, any act which constitutes an offence under the Act where a penalty is not provided attracts a fine of up to Kenya Shillings Three Million (approx. USD 23,256) or imprisonment for up to 10 years or both a fine and imprisonment.

Under the Data Protection (Compliance & Enforcement) Regulations, 2021 the DPC has the power to issue an enforcement notice where a person fails to comply with the provisions of the Act or the Regulations. A penalty notice is issued where there is failure to comply with the enforcement notice. The penalty notice will contain the reasons why the DPC is imposing a penalty, the administrative fine imposed, how the fine is to be paid and the rights of appeal the decision. The DPC may impose a daily fine of not more than Ksh. 10,000 (approx. USD 76) for each penalty identified, until the breach is rectified.

Related resources

Electronic marketing

Electronic marketing in Kenya

Under section 37 of the Act, the use of personal data for commercial purposes is prohibited unless the person undertaking this processing:

has sought and obtained express consent from a data subject; or
is authorized to do so under any written law and the data subject has been informed of such use when collecting the data from the data subject.

The General Regulations state that a data controller or data processor is considered to be using personal data for commercial purposes if the personal data of a data subject is used to advance commercial or economic interests, including inducing another person to buy, rent, lease, join, subscribe to, provide or exchange products, property, information or services, or enabling or effecting, directly or indirectly, a commercial transaction.

The General Regulations further include circumstances where the personal data is used for direct marketing through:

sending of a catalogue through any medium addressed to a data subject;
displaying an advertisement on an online media site where a data subject is logged on using their personal data; or
sending an electronic message to a data subject about a sale, or other advertising material relating to a sale, using personal data provided by a data subject.

Marketing is not direct where the personal data is not used or disclosed to identify or target a particular recipient.

Personal data other than sensitive personal data is only permitted to be used for direct marketing where:

the data controller or data processor has collected the personal data directly from the data subject;
a data subject is notified that direct marketing is one of the purposes for which personal data is collected;
the data subject has consented to the use or disclosure of the personal data for the purpose of direct marketing;
the data controller or data processor provides a simplified opt-out mechanism for the data subject to request not to receive direct marketing communications; or
the data subject has not made an opt-out request.

The Cabinet Secretary in charge of information, communication and technology may, in consultation with the DPC, develop guidelines on the commercial use of personal data.

Related resources

Online privacy

Online privacy in Kenya

Kenyan law does not regulate online privacy. The Regulations have not prescribed any requirements or guidelines in regulating online privacy.

Related resources

Key contacts

Data protection lawyers in Kenya

William Maema

Senior Partner

IKM Advocates

Nairobi

Email Full bio

Imelda Anika

Legal Director

IKM Advocates

Nairobi

Email Full bio

Section 43 of the Act

The ODPC has launched a portal where data breach notifications should be made here: Report a Data Breach - Office of the Data Protection Commissioner (ODPC).

The data controller is further required to communicate the breach to the affected data subjects within a reasonably practical period, unless:

the identity of the data subject cannot be established; or
the data controller or processor has implemented appropriate security safeguards which may include encryption of affected personal data.

As for data processors, the Act requires them to notify the data controllers within 48 hours of becoming aware of a breach.

The DPA requires a data controller to record:

the facts relating to the breach;
its effects; and
the remedial action taken.

Quick links

Data Protection in Kenya

Breach notification in Kenya

Section 43 of the Act

Continue reading