22 Oct 2022

Personal Information Data Protection Act Kenya

The Kenyan government introduced a new data protection law that came into effect in September 2019. The law protects the personal data of Kenyan citizens and residents and sets out strict rules about how data must be collected, used, and disclosed. Under the new law, data controllers (those who collect and process personal data) must ...

22 Oct 2022

Data Protection Act (DPA)

This law was introduced to protect the privacy rights of individuals. It provides for the right to access personal information held about them and their entitlement to have this information corrected if necessary.

Personal Information (PI)

Personal information includes any information relating to an identified or identifiable natural person who may be directly or i...

22 Oct 2022

The Data Protection Commissioner is the independent regulator of data protection in Kenya. The Commissioner is appointed by the President and reports to Parliament. The Commissioner has a wide range of powers to protect personal data, including the power to investigate complaints, conduct audits, and impose sanctions. The Commissioner can also order the disclosure of personal data in cert...

29 Aug 2022

the entity that determines the purposes, conditions and means of the processing of personal data.

29 Aug 2022

freely given, specific, informed and explicit permission by statement or action signifying agreement to the processing of their personal data.

21 Aug 2022

THRESHOLDS FOR MANDATORY REGISTRATION (r. 13(3))

A data controller or data processor processing personal data for the following
purposes shall register as a data controller or a data processor as provided for under these
Regulations—
1. Canvassing political support among the electorate.
2. Crime prevention and prosecution of offenders (including operating security
CCTV systems).
3. Gambling.
4. Operating an educational institution.
5. Health administration and provision of patient care.
6. Hospitality industry firms but excludes tour guides.
7. Property management including the selling of land.
8. Provision of financial services.
9. Telecommunications network or service providers.
10. Businesses that are wholly or mainly in direct marketing.
11. Transport services firms (including online passenger hailing applications).
12. Businesses that process genetic data.

21 Aug 2022

18.

A data controller or a data processor who—
(a) processes personal data without registering in accordance
with these Regulations;

(b) provides false or misleading information for the purpose of
registration; or

(c) fails to renew a certificate of registration and continues to
process personal data after the expiry of the certificate,

commits an offence and shall, upon conviction, be liable to
penalty specified under section 73 of the Act.

21 Aug 2022

17.

An application made under these Regulations shall be
submitted through electronic means provided for on the Office website.