THE KENYA DATA PROTECTION REGULATIONS, 2021 Official Legal Text

Welcome to Privacy Watch Kenya data protection guidance. Here you can find the official PDF of THE DATA PROTECTION (GENERAL) REGULATIONS, in the current version of 2021, as a neatly arranged website.

The DATA PROTECTION ACT is applicable as of 2019 in Kenya.

IN EXERCISE of the powers conferred by section 71 of the Data Protection Act, 2019, the Cabinet Secretary for Information, Communication, Technology, Innovation and Youth Affairs makes the following Regulations—

QUICK LINK

GENERAL | COMPLAINTS HANDLING AND ENFORCEMENT | REGISTRATION OF DATA CONTROLLERS AND PROCESSORS

PART I - PRELIMINARY

1—Citation

2—Interpretation

3—Exemption

3—Object and purpose of the Regulations

PART II— ENABLING THE RIGHTS OF A DATA SUBJECT

4—Processing on the basis of consent

5—Lawful basis for processing

6—Mode of collection of personal data

7—Restriction to processing

8—Objection to processing

9—Data access request

10—Rectification of personal data

11—Data portability request

12—Right of erasure

13—Exercise of rights by others.

PART III—RESTRICTIONS ON THE COMMERCIAL USE OF PERSONAL DATA

14—Interpretation of commercial purpose

15—Permitted commercial use of personal data

16—Features of an opt out message.

17—Mechanisms to comply with opt out requirement

18—Requests for restriction of further direct marketing

PART IV—OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS

19—Retention of personal data

20—Requests to deal anonymously or pseudonymously

21—Sharing of personal data

22—Automated individual decision making.

23—Data protection policy

24—Contract between data controller and data processor

25—Obligations of a data processor

26—Requirement for specified processing data to be done in Kenya

PART V—ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT

27—Data protection by design or default

28—Elements of data protection by design or default

29—Elements for principle of lawfulness

30—Elements for principle of transparency

31—Elements for principle of purpose limitation.

32—Elements for principle of integrity, confidentiality and availability

33—Elements for principle of data minimization

34—Elements for principle of accuracy

35—Elements for principle of storage limitation.

36—Elements for principle of fairness

PART VI—NOTIFICATION OF PERSONAL DATA BREACHES

37—Categories of notifiable data breach

38—Notification to Data Commissioner

PART VII—TRANSFER OF PERSONAL DATA OUTSIDE KENYA

39—Interpretation of Part VII

40—General principles for transfers of personal data out of the country

41—Transfers on the basis of appropriate safeguards

42—Deeming of appropriate safeguards

43—Binding corporate rules

44—Transfers on the basis of an adequacy decision

45—Transfers on the basis of necessity

46—Transfer on basis of consent

47—Subsequent transfers

48—Provisions for the agreement to cross border transfer

PART VIII—DATA PROTECTION IMPACT ASSESSMENT

49—Processing activities requiring data protection impact assessment.

50—Conduct of data protection impact assessment

51—Prior consultation

52—Consideration of data protection impact assessment report.

53—Audit of compliance with assessment report

PART IX— PROVISIONS ON EXEMPTIONS UNDER THE ACT

54—Exemption for national security

55—Exemptions for public interest

56—Permitted general situation

57—Permitted health situation

PART X —GENERAL PROVISIONS

58—Complaints against Data Controller and Data Processor

First Schedule

First Schedule- General

Second Schedule

SECOND SCHEDULE General (r.37 (1) & (3))

Third Schedule

THIRD SCHEDULE General (r.50 (1))

PART I−PRELIMINARY

1—Citation-COMPLAINTS HANDLING AND ENFORCEMENT

2—Interpretation – COMPLAINTS HANDLING AND ENFORCEMENT

PART II — PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS

4—Lodging of a complaint

5—Register of complaints

6—Admission of a complaint

7—Discontinuation of a complaint

8—Withdrawal of a complaint

9—Joint consideration of complaints

10—Language

11—Notification of a complaint to the respondent

12—Joinder of parties

13—Investigations of a complaint

14—Outcome of investigation

15—Negotiation, mediation or conciliation

PART III—ENFORCEMENT PROVISIONS

16—Issuance of enforcement notice

17—Service of enforcement notice

18—Review of enforcement notice

19—Appeals against enforcement notice

20—Issuance of penalty notice

21—Enforcement of penalty notice

Schedule

SCHEDULE—ENFORCEMENT

PART 1

THIRD SCHEDULE – REGISTRATION OF DATA CONTROLLERS AND PROCESSORS

SECOND SCHEDULE – REGISTRATION OF DATA CONTROLLERS AND PROCESSORS

FIRST SCHEDULE – REGISTRATION OF DATA CONTROLLERS AND PROCESSORS

18—Offences

17—Electronic registration

16—Cancellation or variation of registration

15—Change of particulars

14—Register

13—Exemption from mandatory registration

12—Refusal of renewal

11—Renewal of registration

10—Refusal of registration

9—Duration of certificate of registration

8—Approval and issuance of certificate of registration

7—Processing of an application for registration

6—Payment of registration fees by specified public bodies

5—Application for registration

4—Requirements for registration

3—Scope of Regulations

2—Interpretation

1—Citation and commencement – REGISTRATION OF DATA CONTROLLERS AND PROCESSORS