26.
(1) Pursuant to section 50 of the Act, a data controller or data processor who processes personal data for the purpose of strategic interest of the state outlined under sub-regulation (2) shall —
(a) process such personal data through a server and data centre located in Kenya; or
(b) store at least one serving copy of the concerned personal data in a data centre located in Kenya.
(2) The purpose contemplated under sub-regulation (1) includes the processing of personal data for the purpose of—
(a) administering of the civil registration and legal identity management systems;
(b) facilitating the conduct of elections for the representation of the people under the Constitution;
(c) overseeing any system for administering public finances by any state organ;
(d) running any system designated as a protected computer system in terms of section 20 of the Computer Misuse and Cybercrime Act, 2018;
(e) offering any form of early childhood education and basic education under the Basic Education Act, 2013; or
(f) provision of primary or secondary health care for a data subject in the country.
(3) Despite (2), the Cabinet Secretary may require a data controller
(a) has been notified that personal data outside Kenya has been breached or its services have been used to violate the Act and has not taken measures to stop or handle the violation; and
(b) resists, obstructs or fails to comply with requests of the Data Commissioner or any other relevant authority in—
(i) cooperating to investigate and handle such violations; or
(ii) neutralising and disabling the effect of cyber security protection measures.