40. A data controller or data processor who is a transferring entity shall before transferring personal data out of Kenya ascertain that the transfer is based on—
(a) appropriate data protection safeguards;
(b) an adequacy decision made by the Data Commissioner;
(c) transfer as a necessity; or
(d) consent of the data subject.