DLA Piper Intelligence

Data Protection
Laws of the World

Online Privacy

Kenyan law does not regulate online privacy. The Regulations have not prescribed any requirements or guidelines in regulating online privacy.

Last modified 12 Jan 2023

Cookies

The EU Cookie Directive has been implemented in the Law. It states that any subscriber or user of electronic communications services must be fully and clearly informed by the data controller or its representative of:

  • the purpose of any cookie (i.e. any means of accessing or storing information on the subscriber’s / user’s device, e.g. when visiting a website, reading an email, installing or using software or an app); and
  • the means of refusing cookies,

unless the subscriber / user has already been so informed.

Cookies are lawfully deployed if the subscriber / user has expressly consented after having received information. Valid consent can be expressed via browser settings if the user can choose the cookies he / she accepts and for which purpose.

However, the foregoing provisions do not apply:

  • to cookies the sole purpose of which is to allow or facilitate electronic communication by a user; or
  • if the cookie is strictly necessary to provide online communication services specifically requested by the user.

Location and traffic data

The Postal and Electronic Communications Code deals with the collection and processing of location and traffic data by electronic communication service providers (CSPs).

All traffic data held by a CSP must be erased or anonymised. However, traffic data may be retained, for example:

  • for the purpose of finding, observing and prosecuting criminal offences;
  • for the purpose of billing and payment of electronic communications services; or
  • for the CSP’s marketing of its own communication services, provided the user has given consent thereto.

Subject to exceptions (observing and prosecuting criminal offences; billing and payment of electronic communications services), location data may be used in very limited circumstances, for example:

  • during the communication, for the proper routing of such communication; and
  • where the subscriber has given informed consent, in which case the location data may be processed and stored after the communication has ended. Consent can be revoked free of charge at any time.

Cookies

The French Data Protection Supervisory Authority (CNIL) replaced its 2013 guidelines regarding cookies and trackers, which were no more compliant with the GDPR, by revised guidelines. Following the adoption of a version of its guidelines on cookies and other trackers on July 4, 2019, which have been partially annulled by a decision from the French highest administrative Court, the Conseil d’Etat, on 19 June 2020, the CNIL has adopted revised guidelines and the final version of its recommendations on the practical procedures for collecting consent concerning cookies and other trackers. The CNIL’s revised guidelines, adopted by way of deliberation No. 2020-091 of September 17th, 2020, are based on Article 82 of the Law, implementing Article 5 (3) of EU directive “ePrivacy”, into French law.

While the Revised Guidelines provide the CNIL’s guidance on how to read the relevant provisions of the French Data Protection Act, which governs the use of cookies and other trackers in France, the Recommendations adopted by a deliberation No. 2020-92 of September 17th 2020 provide practical guidance and examples to help professionals navigate the rules applicable to cookies and other trackers and comply with the requirements of Article 82 of the French Data Protection Act. These two documents constitute “soft law” and are not binding, but provide strong references for organizations to anticipate how the CNIL may conduct its compliance investigations.

Regarding consent, the CNIL has now specified that consent must be:

  • unambigous: to align with the guidelines on consent issued by the Article 29 Working Party, the CNIL repeals its previous position according to which scrolling down, browsing or swiping through a website or app was considered as an acceptable expression of consent to cookies and allowed for cookies to be placed. Therefore, for the CNIL, continuing to navigate on a website or using an application is no more acceptable to evidence a consent to cookies. The absence of action from the user (i.e., no choice from the user) can no longer be construed as a valid consent but should rather be construed as refusal. This operates a shift from “soft opt-in” to active consent. The revised guidelines also outlines that pre-ticked boxes do not meet the GDPR standard of consent;
  • freely given: the data subject must be able to exercise freely his / her choice. The CNIL has revised (albeit subtlety) its previous positioning regarding “cookie walls” (the practice of subjecting prior access to a website or application to the acceptance of cookies) – where the CNIL considered that consent could never be freely given when collected using cookie walls, the revised guidelines now specify that cookie walls are likely to hinder freely given consent. In addition, the CNIL has specified in its case law, that failure to provide a mean to refuse cookies “as easily” as it is to accept them (e.g., by way of dedicated buttons on a cookie banner) results in consent being not freely given, since users will lean toward accepting cookies rather than performing multiple clicks to refuse;
  • specific: consent must be tailored to each purpose. Therefore acceptance of the general terms and conditions as a whole (“bundled” consent) does not constitute valid consent;
    informed: information to data subjects must be easily understandable by any of them. Information must be given in plain language. The use of complex technical or legal terms does not meet the requirement of prior information. Such information must at least include (i) the identity of the data controller(s) implementing the trackers (ii) a thorough list of the purpose(s) of the reading or writing operations (iii) the means available to consent or object to the use of cookies (iv) the consequences of accepting or refusing the use of cookies and (v) the right to withdraw consent;
  • evidenced: all organizations that use cookies must implement appropriate mechanisms that allow them to demonstrate, at all times, that they have validly obtained consent from users. the revised guidelines specifically provide that users choices, be it consent or refusal, must be (i) clearly presented to users, notably as regards the available means to exercise such choice, (ii) collected and clearly evidenced (the recommendations give examples of how to ensure such evidence through the use of a consent management platform, screen capture, etc.) and (iii) recorded by data controllers, for an appropriate duration during which they would not ask the users again for their consent. Such duration may vary depending on the nature of the site or application concerned. According to the Recommendations, a good practice in that respect is 6 months – at the expiry of that term, controllers could ask users again to consent (or refuse) to the use of cookies and trackers; and
  • revocable: organizations are encouraged to put in place user-friendly solutions to allow users to withdraw their consent as easily as they gave it. The CNIL highlights the fact that means to refuse cookies and trackers must be “as easy” as means available to accept use thereof. As a result, users must not be subjected to complex procedures for refusing cookies and trackers and withdraw their consent, which they must be able to do at any time. To that end, the CNIL provides practical examples and good practices in the Recommendations, from the use of a “reject all” button to the availability of a visible “cookies” icon enabling users to parameter their choices and withdraw their consent. 

The updated guidelines do not provide a general rule regarding the data retention of cookies and the information collected via such cookies. The CNIL simply recommends that the user’s consent (or refusal) is renewed every 6 months. However, the CNIL has maintained, as guidance, the following data retention terms for certain analytics cookies that do not require users’ consent:

  • the lifetime of these cookies should be limited to a period that allows a relevant comparison of audiences over time, as it is the case with a period of 13 months, and is not automatically extended for new visits;
  • the information collected via these cookies is kept for a maximum period of 25 months; and
  • the above-mentioned lifetimes and retention periods are periodically reviewed to ensure that they are limited to what is strictly necessary.

In course of 2021 and 2022, the CNIL undertook massive online investigations in order to check whether the organizations were compliant with the new guidelines. Further to said investigations, several formal notices have been sent to organizations from different sectors (major platforms of the digital economy, e-commerce companies, car rental companies, public service authorities, bank companies, etc.). The CNIL has also fined companies for non-compliance regarding the use of cookies. Heavy sanctions have been applied to GAFAM companies in particular, with administrative fines up to 90 million Euros for failures to comply with Article 82 of the Law. It is interesting to note that, in its decisions regarding cookies, the CNIL imposes its competence even in the presence of a Lead Authority appointed by the company sanctioned, on the ground that the French Supervisory Authority remains the competent authority to control compliance of the e-Privacy Directive requirements, which are specific rules prevailing on the general rules resulting from the GDPR where thus the “One Stop Shop” process does not apply. In March 2023, the CNIL announced that user tracking by mobile phones was a priority topic for its investigations in 2023. It indicated that it carried out several investigations on applications that access identifiers generated by mobile operating systems in the absence of user consent.

Last modified 19 Jan 2024
Law
Kenya

The Data Protection Act, 2019 (the “Act”) came into force on 25th November, 2019 and is now the primary statute on data protection in Kenya. It gives effect to Article 31 c) and d) of the Constitution of Kenya, 2010 (right to privacy).

In October 2020, by virtue of the powers conferred to him under the Act, the Cabinet Secretary for Information, Communication, Technology, Innovation and Youth Affairs gazetted the Data Protection (Civil Registration) Regulations, 2020 (the “Regulations”). The Regulations apply to civil registries involved in processing personal data for registrations such as births, deaths, adoptions, persons, passports and marriages.

Since the Data Protection Commissioner’s (DPC) appointment on 16 November 2020, significant efforts have been made in developing regulations for the implementation of the Act.

  • Data Protection (Compliance & Enforcement) Regulation, 2021 – sets out the complaints handling procedures and enforcement mechanisms in the event of non-compliance with the provisions of the Act;

  • Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021 – provides for the registration of data controllers and data processors with the DPC. The threshold for mandatory registration is also set out under these regulations; and

  • Data Protection (General) Regulations, 2021 – elaborates in more detail the rights of data subjects, restrictions on commercial use of personal data, duties and obligations of data controllers and data processors, elements of implementing data protection by design or default, notification of personal data breaches, transfer of personal data outside Kenya, conduct of data protection impact assessment and other general provisions.

The above regulations were gazetted in January and came into effect on 14 February 2022 with the exception of the Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021 which came into force on 14 July 2022.

The DPC has also issued a number of guidelines, these include:

  • Guidance Note on Registration of Data Controllers and Data Processors - developed to assist entities in ascertaining if they are data controllers or data processors, and to understand their obligations with respect to mandatory registration;
  • Guidance Note on Processing Personal Data for Electoral Purposes - developed to assist data controllers and data processors dealing with voters’ personal data and members of political parties’ personal data to understand their obligations under the Act;
  • Guidance Note on Data Protection Impact Assessment - to assist data controllers and data processors to understand their obligations under the Act and the need to undertake a Data Protection Impact Assessment; and
  • Guidance Note on Consent - developed to assist data controllers and data processors to understand their duties under the Act and their obligations as far as obtaining consent is concerned.

The DPC has also published a Complaints Management Manual which sets out the complaints management handling procedure by the DPC; and the Alternative Disputes Resolution Framework which provides guidance to stakeholders who wish to engage in Alternative Dispute Resolution (ADR) to resolve their disputes arising under the Act.

Last modified 12 Jan 2023
Definitions

Definition of personal data

Section 2 of the Act 

Personal data is defined as data relating to an identified or identifiable natural person.

Definition of sensitive personal data

Section 2 of the Act

Sensitive personal data is defined as data revealing the natural person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person's children, parents, spouse or spouses, sex or the sexual orientation of the data subject.

Last modified 12 Jan 2023
Authority

Part II of the Act

The Act established the Office of the Data Protection Commissioner (DPC) whose mandate includes overseeing the implementation and enforcement of the provisions of the Act. The DPC is also tasked with the maintenance of the register of data controllers and processors, receiving and investigation of complaints under the Act and carrying out inspections of public and private entities to evaluate the processing of personal data.

Last modified 12 Jan 2023
Registration

Section 18 of the Act

Data processors and data controllers are required to be registered with the DPC. The DPC, however, has discretion to prescribe the thresholds for mandatory registration based on:

  • the nature of industry;
  • the volumes of data processed; and
  • whether sensitive personal data is being processed.

The Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021, provides for the registration of data controllers and data processors with the DPC. The threshold for mandatory registration is also set out under these regulations. The DPC also launched a portal where applications for registration are submitted in the prescribed form and upon payment of a prescribed fee. Where the DPC is satisfied that the applicant has fulfilled the requirements for registration, a certificate of registration is issued within 14 days and entry of the applicant’s details is made in the register of data controllers and data processors.

The certificate of registration issued is valid for 24 months from the date of issuance.

A data controller or data processor with an annual turnover or revenue of below Kenya Shillings Five Million (approx. USD 40,000) and has less than 10 employees is exempt from mandatory registration.

Data controllers and data processors who process data for the following purposes regardless of their annual turnover or revenue or number of employees have to be registered under the Regulations:

  • canvassing political support among the electorate;
  • crime prevention and prosecution of offenders (including operating security CCTV systems);
  • gambling;
  • operating an educational institution;
  • health administration and provision of patient care;
  • hospitality industry firms, excluding tour guides;
  • property management including the selling of land;
  • provision of financial services;
  • telecommunications network or service providers;
  • businesses that are wholly or mainly in direct marketing; and
  • transport services firms (including online passenger hailing applications); and businesses that process genetic data.
Last modified 12 Jan 2023
Data Protection Officers

Section 24 of the Act

The Act makes provisions for the designation of Data Protection Officers (DPOs) but this obligation is not mandatory.

DPOs can be members of staff and may perform other roles in addition to their roles. A group of entities can share a DPO and the contact details of the DPO must be published on the organisation’s website and communicated to the DPC.

DPOs have the following roles:

  • advising the data controller or data processor and their employees on data processing requirements provided under the Act or any other written law;
  • ensuring compliance with the Act;
  • facilitating capacity building of staff involved in data processing operations;
  • providing advice on data protection impact assessment; and
  • co-operating with the DPC and any other authority on matters relating to data protection.

DPO’s under the Regulations also have the following additional roles: 

  • monitoring and evaluating the efficiency of the data systems in the organization; and
  • keeping written records of the processing activities of the civil registration entity.
Last modified 12 Jan 2023
Collection & Processing

Section 25 of the Act

The processing of personal data must comply with the principles prescribed in this part. It must be:

  • processed in accordance with the right to privacy of the data subject;
  • processed lawfully, fairly and in a transparent manner in relation to any data subject;
  • collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
  • collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
  • accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  • kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected; and
  • not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

Section 30 of the Act

The Act recommends personal data to be collected and processed lawfully. The lawful reasons for processing include:

  1. Consent of the data subject; or
  2. the processing is necessary:
    • for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
    • for compliance with any legal obligation to which the controller is subject;
    • in order to protect the vital interests of the data subject or another natural person;
    • for the performance of a task carried out in the public interest or in the exercise of
      • official authority vested in the controller;
      • the performance of any task carried out by a public authority;
    • for the exercise, by any person in the public interest, of any other functions of a public nature;
    • for the legitimate interests pursued by the data controller or data processor by a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or
    • for the purpose of historical, statistical, journalistic, literature and art or scientific research.

It is an offence to process personal data without a lawful reason.

Under the Regulations civil registration entities must ensure that they collect only personal data permitted by the data subject and that the appropriate steps are taken to ensure the quality and security of the personal data. 

Where the registries intend to use such data for another purpose, they must either ensure that the purpose is compatible with the initial purpose or, where that is not the case, seek fresh consent.

The Data Protection (General) Regulations, 2021 elaborate in more detail restrictions on commercial use of personal data, duties and obligations of data controllers and data processors, elements of implementing data protection by design or default, conduct of data protection impact assessment and other general provisions.

Last modified 12 Jan 2023
Transfer

Part VI of the Act

The transfer of personal data outside Kenya is highly regulated under the Act. Prior to any transfer the data controller or data processor must provide proof to the DPC on the appropriate safeguards with respect to the security and protection of the personal data including jurisdictions with similar data protection laws.

The consent of the data subject is required for the transfer of sensitive personal data out of Kenya.

Under the Regulations, civil registration registries cannot transfer personal data collected for civil registration purposes outside Kenya without the written approval of the DPC.

The Data Protection (General) Regulations, 2021 elaborate in more detail transfer of personal data outside Kenya. The Regulations provide for 4 legal bases for the transfer of personal data out of the country which include;

  1. appropriate data protection safeguards in the country or territory where recipient is based in;
  2. adequacy: an adequacy decision made by the DPC that the country, territory or the international organization where data is being transferred ensures an adequate level of protection of personal data;
  3. necessity: transfer is deemed to be necessary if it is:
    • for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
    • for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person;
    • for any matter of public interest;
    • for the establishment, exercise or defence of a legal claim in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
    • for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.
  4. consent of the data subject on the condition they have consented to the proposed transfer and have been informed of the possible risks of transfer.
Last modified 12 Jan 2023
Security

Sections 41 and 42 of the Act

Data controllers and processors are required to implement the appropriate organizational and technical measures to implement data protection principles in an effective manner.

Civil registration registries are mandated to formulate written data security procedures which must include the following:  

  • instructions concerning physical protection of the database sites and their surroundings;
  • access authorizations to the database and database systems;
  • description of the means intended to protect the database systems and the manner of their operation for this purpose;
  • instructions to authorized officer of the database and database systems regarding the protection of data stored in the database;
  • the risks to which the data in the database is exposed in the course of the civil registration entity's ongoing activities;
  • the manner of dealing with information security incidents, according to the severity of the incident;
  • instructions concerning the management and usage of portable devices;
  • instructions with respect to conducting periodical audits to ensure that appropriate security measures, in accordance with the Procedure and these Regulations exist; and
  • instructions regarding backup of personal data.

As far as technical measures are concerned, the Regulations require the use of hashing and cryptography to limit the possibility of repurposing personal data. The Regulations also require that the contract between a data controller and a data processor to include a clause on security measures subjecting the data processor to appropriate technical and organizational measures in relation to keeping personal data secure.

With respect to organizational measures, the Regulations require a data controller or data processor to develop, publish and regularly update a policy reflecting their personal data handling practices. The policy may include:

  1. the nature of personal data collected and held;
  2. how a data subject may access their personal data and exercise their rights in respect to that personal data;
  3. complaints handling mechanisms;
  4. lawful purpose for processing personal data;
  5. obligations or requirements where personal data is to be transferred outside the country, to third parties, or other data controllers or data processors located outside Kenya and where possible, specify such recipients;
  6. the retention period and schedule; and
  7. the collection of personal data from children, and the criteria to be applied.

The Regulations provide for specific obligations to the data controller and data processor under the data protection principle of integrity, confidentiality and availability. These include:

  1. having an operative means of managing policies and procedures for information security;
  2. assessing the risks against the security of personal data and putting in place measures to counter identified risks;
  3. processing that is robust to withstand changes, regulatory demands, incidents, and cyber-attacks;
  4. ensuring only authorised personnel have access to the data necessary for their processing tasks;
  5. securing transfers shall be secured against unauthorised access and changes;
  6. securing data storage from use, unauthorised access and alterations;
  7. keeping back-ups and logs to the extent necessary for information security;
  8. using audit trails and event monitoring as a routine security control;
  9. protecting sensitive personal data with adequate measures and, where possible, kept separate from the rest of the personal data;
  10. having in place routines and procedures to detect, handle, report, and learn from data breaches; and
  11. regularly reviewing and testing software to uncover vulnerabilities of the systems supporting the processing.
Last modified 12 Jan 2023
Breach Notification

Breach Notification

Section 43 of the Act

As far as technical measures are concerned, the Regulations require the use of hashing and cryptography to limit the possibility of repurposing personal data. The Regulations also require that the contract between a data controller and a data processor to include a clause on security measures subjecting the data processor to appropriate technical and organizational measures in relation to keeping personal data secure.

With respect to organizational measures, the Regulations require a data controller or data processor to develop, publish and regularly update a policy reflecting their personal data handling practices. The policy may include:

  1. the nature of personal data collected and held;
  2. how a data subject may access their personal data and exercise their rights in respect to that personal data;
  3. complaints handling mechanisms;
  4. lawful purpose for processing personal data;
  5. obligations or requirements where personal data is to be transferred outside the country, to third parties, or other data controllers or data processors located outside Kenya and where possible, specify such recipients;
  6. the retention period and schedule; and
  7. the collection of personal data from children, and the criteria to be applied.

The Regulations provide for specific obligations to the data controller and data processor under the data protection principle of integrity, confidentiality and availability. These include:

  1. having an operative means of managing policies and procedures for information security;
  2. assessing the risks against the security of personal data and putting in place measures to counter identified risks;
  3. processing that is robust to withstand changes, regulatory demands, incidents, and cyber-attacks;
  4. ensuring only authorised personnel have access to the data necessary for their processing tasks;
  5. securing transfers shall be secured against unauthorised access and changes;
  6. securing data storage from use, unauthorised access and alterations;
  7. keeping back-ups and logs to the extent necessary for information security;
  8. using audit trails and event monitoring as a routine security control;
  9. protecting sensitive personal data with adequate measures and, where possible, kept separate from the rest of the personal data;
  10. having in place routines and procedures to detect, handle, report, and learn from data breaches; and
  11. regularly reviewing and testing software to uncover vulnerabilities of the systems supporting the processing.

Mandatory Breach Notification

Yes. Please see above analysis under “Breach Notification”.

Last modified 12 Jan 2023
Enforcement

The DPC has the duty to ensure the implementation and enforcement of the Act.

The Data Protection (Compliance & Enforcement) Regulation, 2021 sets out the complaints handling procedures and enforcement mechanisms in the event of non-compliance with the provisions of the Act. The Regulations provide for the process and procedure of lodging of complaints with the DPC.

The DPC is also required to maintain an up-to-date register of complaints stating the particulars of the complainant and complaint.

Section 62 of the Act

In instances where the DPC is satisfied that any person has violated the provisions of the Act, he has the power to issue penalty notices for up to a maximum of Kenya Shillings Five Million (approximately USD 50,000) or 1% of an undertaking’s annual turnover the preceding year, whichever is lower.

In addition, any act which constitutes an offence under the Act where a penalty is not provided attracts a fine of up to Kenya Shillings Three Million (approx. USD 30,000) or imprisonment for up to 10 years or both a fine and imprisonment.

Under the Data Protection (Compliance & Enforcement) Regulations, 2021 the DPC has the power to issue an enforcement notice where a person fails to comply with the provisions of the Act or the Regulations. A penalty notice is issued where there is failure to comply with the enforcement notice. The penalty notice will contain the reasons why the DPC is imposing a penalty, the administrative fine imposed, how the fine is to be paid and the rights of appeal the decision. The DPC may impose a daily fine of not more than Ksh. 10,000 (approx. USD 100/-) for each penalty identified, until the breach is rectified.

Last modified 12 Jan 2023
Electronic Marketing

Section 37 of the Act

The use of personal data for commercial purposes is prohibited unless the person undertaking this processing:

  • has sought and obtained express consent from a data subject; or
  • is authorized to do so under any written law and the data subject has been informed of such use when collecting the data from the data subject.

The General Regulations states that a data controller or data processor is considered to be using personal data for commercial purposes if the personal data of a data subject is used to advance commercial or economic interests, including inducing another person to buy, rent, lease, join, subscribe to, provide or exchange products, property, information or services, or enabling or effecting, directly or indirectly, a commercial transaction.

The Regulations further includes circumstances where the personal data is used for direct marketing through:

  1. sending of a catalogue through any medium addressed to a data subject;
  2. displaying an advertisement on an online media site where a data subject is logged on using their personal data; or
  3. sending an electronic message to a data subject about a sale, or other advertising material relating to a sale, using personal data provided by a data subject.

An exception to direct marketing restrictions is provided where the personal data is not used or disclosed to identify or target a particular recipient.

Personal data other than sensitive personal data is only permitted to be used for direct marketing where:

  1. the data controller or data processor has collected the personal data directly from the data subject;
  2. a data subject is notified that direct marketing is one of the purposes for which personal data is collected;
  3. the data subject has consented to the use or disclosure of the personal data for the purpose of direct marketing;
  4. the data controller or data processor provides a simplified opt-out mechanism for the data subject to request not to receive direct marketing communications; or
  5. the data subject has not made an opt-out request.

The Cabinet Secretary in charge of information, communication and technology may, in consultation with the DPC, develop guidelines on the commercial use of personal data.

Last modified 12 Jan 2023
Online Privacy

Kenyan law does not regulate online privacy. The Regulations have not prescribed any requirements or guidelines in regulating online privacy.

Last modified 12 Jan 2023
Contacts
William Maema
William Maema
Partner
IKM Advocates
T +254 20 2773 000
Imelda Anika
Imelda Anika
Senior Associate
IKM Advocates
T +254 722 898 393
Last modified 12 Jan 2023