Data Protection in Kenya

Collection and processing in Kenya

Section 25 of the Act

The processing of personal data must comply with the principles prescribed in this part. It must be:

  • processed in accordance with the right to privacy of the data subject;
  • processed lawfully, fairly and in a transparent manner in relation to any data subject;
  • collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
  • accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  • kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
  • not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

Section 30 of the Act

The Act recommends that personal data be collected and processed lawfully. The lawful reasons for processing include:

  1. consent of the data subject; or
  2. the processing is necessary:
    • for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
    • for compliance with any legal obligation to which the controller is subject;
    • in order to protect the vital interests of the data subject or another natural person;
    • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • for the performance of any task carried out by a public authority;
    • for the exercise, by any person in the public interest, of any other functions of a public nature;
    • for the legitimate interests pursued by the data controller or data processor by a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or
    • for the purpose of historical, statistical, journalistic, literature and art or scientific research.

It is an offence to process personal data without a lawful reason.

Under the Regulations, civil registration entities must ensure that they collect only personal data permitted by the data subject and that the appropriate steps are taken to ensure the quality and security of the personal data.

Where the registries intend to use such data for another purpose, they must either ensure that the purpose is compatible with the initial purpose or, where that is not the case, seek fresh consent.

The General Regulations set out in more detail the restrictions on commercial use of personal data, the duties and obligations of data controllers and data processors, the elements of implementing data protection by design or default, the conduct of data protection impact assessments and other general provisions.
