28th January, 2022 marks this year’s Data Protection Day. In commemorating the Data Protection Day and the 41st anniversary of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”), we look at the strides made towards data protection in Kenya.
On 14th January, 2022, the Data Protection (General) Regulations, 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 were published in the Kenya Gazette. A brief summary of the Regulations is provided below.
- The Data Protection (General) Regulations, 2021
The Regulations enable the rights of a data subject by, among others, requiring that free, informed and express consent be obtained before processing of data, by providing for the procedures to restrict and object to processing, rectification, erasure and portability of data, and by prohibiting direct marketing (with exemptions).
The Regulations also provide for restrictions on commercial use of data, including that any personal data (other than sensitive personal data) collected for the purpose of direct marketing must be collected directly from a data subject. Additionally, a data controller or data processor is required to provide a simplified opt-out mechanism for a data subject to request not to receive direct marketing communications.
Further restrictions include that:
- the data controller/data processor must have a retention schedule for the personal data, which should be frequently audited;
- data sharing agreements must comply with principles of data protection;
- the data controller/data processor must have a Data Protection Policy;
- the data controller/data processor must inform a data subject of automated processing of data;
- there must be written agreements between data controllers and data processors.
- The Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021
The Regulations generally provide for the procedure for lodging, admission and response to complaints. The Regulations require the Office of the Data Protection Commissioner (“ODPC”) to maintain a register of complaints. The Regulations also provide for the joint consideration of complaints where two or more similar allegations are made against the same person. Appeals of the decisions of the ODPC lie to the High Court.
- The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021
The Regulations provide for the registration of data controllers and data processors. It is important to note that under the Regulations, public entities at national or county governments which operate within a state or county department, provide a public service and are wholly funded from the Consolidated Fund, are required to register with the ODPC.
The gazettement of the Regulations is a positive step towards the protection of the rights of data subjects in Kenya and shall ensure compliance with the provisions of the Data Protection Act, 2019.
The Gazette Notice and Regulations can be found here
Happy Data Protection Day!