Data & Privacy · Kenya

Comprehensive law: Data Protection Act, No. 24 of 2019, enforced by the Office of the Data Protection Commissioner (ODPC), giving effect to Article 31 of the Constitution of Kenya (right to privacy).

Kenya has a comprehensive, GDPR-style data-protection regime under the Data Protection Act 2019 (in force since 25 November 2019), supplemented by the 2021 General, Registration, and Complaints-Handling Regulations. The independent Office of the Data Protection Commissioner (ODPC) supervises and enforces the law, maintains a register of data controllers/processors, and issues binding determinations. A Data Protection (Amendment) Bill, 2025 is under consideration to strengthen enforcement and address AI and other emerging issues.

Comprehensive law in force

The Data Protection Act No. 24 of 2019 came into force on 25 November 2019 as Kenya's primary cross-sectoral data-protection statute, giving effect to the constitutional right to privacy under Article 31(c)-(d).

Supervisory authority (ODPC)

The Office of the Data Protection Commissioner, established under Section 5, is an independent body corporate that oversees implementation, enforces the Act, maintains the register of data controllers/processors, and handles complaints. The Commissioner serves a single six-year term.

Data-processing principles & registration

Section 25 requires lawful, fair, transparent, purpose-limited, accurate and minimal processing. Section 18 obliges public and private bodies and individuals processing personal data to register with the ODPC under the 2021 Registration Regulations.

Data-subject rights

Data subjects have rights to be informed, to access their data (s.26), to rectification (s.40), erasure/deletion, and to object to or restrict processing, with remedies enforceable through complaints to the ODPC.

Cross-border transfers

Section 48 (read with s.25(h)) restricts transfer of personal data outside Kenya unless adequate safeguards are demonstrated or the data subject consents; transfers of sensitive data may require the Data Commissioner's approval.

Enforcement, penalties & 2025 reform

The Commissioner can impose administrative fines up to KES 5 million or 1% of annual turnover (whichever is lower) and issue binding determinations; by March 2025 the ODPC had handled thousands of complaints and penalised multiple entities. A Data Protection (Amendment) Bill, 2025 proposes higher penalties and a Data Protection Appeals Tribunal.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.