43—Binding corporate rules

43. (1) The contractual binding corporate rules contemplated under regulation 41 shall be valid if they—

(a)  are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

(b)  expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

(c)  fulfil the requirements laid down in sub-regulation (2).

(2) The binding corporate rules referred to in sub-regulation (1) shall specify—

(a)  the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;

(b)  the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of another country or countries in question;

(c)  their legally binding nature, both internally and externally;

(d)  the application of the general data protection principles;

(e)  the rights of data subjects in regard to processing and the means to exercise those rights;

(f)  the complaint procedures; and

(g)  the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules.

PART VII—TRANSFER OF PERSONAL DATA OUTSIDE KENYA