All Blog Posts

Kenya Data Protection Act

Kenya’s Data Protection Act came into effect on November 25, 2019, and is now the primary law on data protection in the country. It gives effect to article 31 in the constitution of Kenya that stipulates privacy as a fundamental right.

Published September 11, 2021.

Like is the case with many other data privacy laws, its purpose is to protect individuals’ rights and interests. It applies to data controllers and data processors processing data about data subjects in Kenya. It does not matter if the data controller or data processor is established or residing within the country of Kenya, making the scope of application both territorial and extra-territorial.

The Data Protection Act in Kenya is closely modeled after the EU’s GDPR, using many of the same provisions, requirements, and definitions as its European counterpart. For instance, it requires end-user consent before any processing or transferring of personal data to third parties may take place.

In this blogpost, we will break down Kenya’s Data Protection Act, so you know what it means for your website’s use of cookies – and how you can become compliant with Cookiebot consent management platform.

Kenya’s Data Protection Act, quick summary

Kenya’s data privacy law condensed

Kenya’s Data Protection Act was enacted and came into effect right away on November 25, 2019, making the country one of the first ones in Africa to have a comprehensive data privacy law.

Kenya’s Data Protection Act is one of the latest major data privacy law in the world to be modelled closely after the EU’s GDPR, which empowers individuals with enforceable rights over their personal information, while also providing clear guidelines for companies to handle their users’ data with care.

Some of the rights the Data Protection Act Kenya provide data subjects with include the right to be informed about data tracking; the right to access data; to erasure and rectification of data; to opt-out of tracking; to data portability, and not to be subject to automated decision-making.

The Data Protection Act in Kenya is applicable to data controllers or data processors who process personal data of data subjects located within the country of Kenya and who are either established or resident in or outside of Kenya. This means, Kenya’s Data Protection Act has both territorial and extra-territorial scope of application, which is one of the similarities with the EU’s GDPR.

The Data Protection Act in Kenya distinguishes between sanctions for companies and for individuals. For companies, infringement of provisions of the Data Protection Act Kenya will result in a fine of up to five million KES. In the case of an undertaking, the fine will be 1% of the company’s annual turnover of the preceding financial year, unless that figure exceeds five million KES. In which case, they will be sanctioned 5 million KES.

Individuals will be liable to a fine of maximum three shillings or to an imprisonment term of up to ten years. Individuals can also receive both sanctions.

Scan your website for free to see all cookies and trackers in use.

Try Cookiebot CMP free for 14 days – or forever if you have a small website.

Flag of Kenya - Cookiebot
Kenya’s Data Protection Act aims to protect the privacy rights of the data subject.

Kenya’s Data Protection Act – quick breakdown

  • Kenya’s Data Protection Act was enacted and came into effect immediately on November 25, 2019.
  • Kenya’s Data Protection Act has, not unlike many other major data privacy laws, the purpose of protecting the privacy rights of the data subject.
  • Kenya’s Data Protection Act applies to data controllers and data processors who process personal data about data subjects located within the country of Kenya.
  • Kenya’s Data Protection Act has territorial scope, meaning if the data controller or data processor is located within Kenya, the Data Protection Act Kenya is applicable.
  • Kenya’s Data Protection Act has extraterritorial scope as well, meaning the same thing applies to data controllers and data processors resident outside of Kenya, who process personal data about data subjects located within the country of Kenya.
  • Kenya’s Data Protection Act offers the data subjects the right to be informed, to access, erasure, opt-out, rectification, data portability and not to be subject to automated decision-making.
  • Kenya’s Data Protection Act prohibits transfer of personal data to third parties unless you get prior consent of the data subject.
  • Kenya’s Data Protection Act dictates that for companies, infringement of provisions of the Data Protection Act Kenya will result in a fine of up to five million KES.
  • Kenya’s Data Protection Act dictates that in the case of an undertaking, the fine will be that of 1% of the company’s annual turnover of the preceding financial year, unless that is more than five million KES. In that case, they will pay 5 million KES.
  • Kenya’s Data Protection Act makes individuals liable to a fine of maximum three shillings or to an imprisonment term of up to ten years. Individuals can also receive both sanctions.

Data Protection Act Kenya compliance with Cookiebot CMP

Cookiebot consent management platform (CMP) is a world-leading solution that helps you provide transparency and control over all the cookies – and similar tracking – on your website.

This guarantees you that your website complies with all the main data privacy laws around the world. This includes Kenya’s Data Protection Act, Thailand’s PDPA, Brazil’s LGPD, South Africa’s POPIA, EU’s GDPR, UK’s GDPR and South Korea’s PIPA.

Kenya’s Data Protection Act will, like many data privacy laws before it, require consent from the users in Kenya, before you can use cookies and trackers as an integral part of your website.

Our unrivaled website scanner detects all cookies and trackers while delivering an exhaustive report on all personal data processing on your website.

For that reason, among others, Cookiebot CMP is an optimal solution for making your domain fully compliant without the need for you to get into any complicated technical implementation.

Illustration of a giraffe eating leaves with a signal tower in the background - Cookiebot
Implement Cookiebot CMP to comply with Kenya’s Data Protection Act.

What is Cookiebot CMP?

You might wonder, what is Cookiebot CMP?

Simply put, Cookiebot CMP is a plug-and-play consent management solution that automatically keeps your website cookies and tracking compliant with the Data Protection Act of Kenya.

Cookiebot CMP provides you with a detailed monthly scan report of your website, including all necessary details about the cookies and trackers on your domain, such as their purpose, their provider, their duration and what third parties they share the end-user data with.

Finally, Cookiebot CMP helps you to safely store all end-user consents, and to renew them on a regular basis.

Cookieboot Pop Up Banner - Cookiebot
Consent banner by Cookiebot CMP for Data Protection Act Kenya compliance

Cookiebot CMP works to make end-user privacy protection an integrated part of each individual website, and by offering you a comprehensive overview of all cookies on your website, Cookiebot CMP ensures compliance with Kenya’s Data Protection Act along with many other data privacy regulations around the world.

Scan your website to discover what cookies and trackers are in use on your website

Try Cookiebot CMP for compliance with Kenya’s Data Protection Act

Data Protection Act Kenya, in detail

Hopefully you’ve now gotten a quick overview of Kenya’s Data Protection Act, and what it means to you and your website. Kenya’s Data Protection Act is very closely modeled after the EU’s GDPR, which also means that a lot of the requirements and terminology seen in the EU’s GDPR can be found in Kenya’s Data Protection Act. These include data subjects, processors, controllers and the requirement for “express, explicit, unequivocal, free, specific, and informed consent” before processing any personal data is allowed.

If you’re looking for a more detailed breakdown, read on as we take a closer look at the Data Protection Act Kenya’s key characteristics.

Scope of application of Kenya’s Data Protection Act

Kenya’s Data Protection Act applies to all processing of personal data by data controllers or data processors established or resident in Kenya, who process personal data while in the country of Kenya.

If you are a data controller or data processor, who is not located in Kenya, but are processing personal data of data subjects located within the country of Kenya, the Kenyan Data Protection Act applies as well.

Kenya’s Data Protection Act has, in other words, both territorial and extra-territorial scope of application. The extraterritorial scope is not always present in data privacy laws, but other examples of this type of scope can be found in the EU’s GDPR, Japan’s APPI and Thailand’s PDPA.

Illustration of flamingos on a Phone - Cookiebot
Kenya’s Data Protection Act has both territorial and extra-territorial scope

Data Protection Commissioner

The first Commissioner under the Data Protection Act Kenya was appointed in November 2020. This section will quickly outline the Commissioner’s main responsibilities, duties and powers.

These include:

  • Enforcing the provisions of the Data Protection Act Kenya
  • Oversight and assessing the data processing to make sure the act is up to date
  • Promoting self-regulation to the data controllers and processors
  • Raising public awareness of the provisions of the act
  • Making sure to make requirements for the appointment of data protection officers
  • Making sure Kenya complies with its international obligation in relation to data protection
  • Researching developments in data processing of personal data to make sure that the data subjects’ best interests are being taken care of.

Scan your website to discover what cookies and trackers are in use on your website

Try Cookiebot CMP free for 14 days – or forever if you have a small website

Data Protection Act Kenya – Key definitions

As mentioned above, Kenya’s Data Protection Act uses a lot of the same definitions as the EU’s GDPR. This means there is a chance that a lot of the definitions presented here sound familiar.

The key definitions are:

  1. Data controller
  2. Data processor
  3. Personal data
  4. Sensitive data
  5. Biometric data
  6. Health data
  7. Pseudonymization

A data controller is a ‘natural’ or ‘legal’ person, agency, public authority or other body, which has the power to determine, either alone or with others, the purpose and means of processing of personal data.

A data processor is just like the data controller a ‘natural’ or ‘legal person, agency, public authority or other body. The difference is their tasks. While the data controller has to determine the purpose and means of the processing, the data processor processes personal data on behalf of the data controller. This can be done alone or with other processors.

Personal data include any information relating to an identified or identifiable ‘natural’ person. This could include a person’s full name, gender, date of birth, physical and postal address and their identity card number.

Sensitive data include information revealing a person’s sex, sexual orientation, origin, belief, genetic data, race, health status, biometric data, marital status and family details like the name of a person’s children, parents and spouse.

Biometric data is the result of specific technical processing. The specific in this case contains physical, physiological or behavioral characterization. This includes fingerprinting, DNA analysis, blood samples, voice recognition and more.

Health data is data related to the data subjects’ physical or mental health, and it may include any potential records regarding the past, present or future state of health of the data subjects, as well as information collected in the course of registration for health services or information which can associate the data subjects to the provision of specific health services.

Pseudonymization is the processing of personal data in a way guaranteeing that the personal data can no longer be attributed to a certain data subject without additional information. By keeping such additional information separately and subjecting it to organizational and technical measures it ensures that the personal data cannot be attributed to an identified or identifiable natural person.

Illustration of a laptop with a shield leaning against it  - Cookiebot
It is important to recognize the key definitions to understand Kenya’s Data Protection Act.

Rights and responsibilities

As explained above, Kenya’s Data Protection Act differentiates between a data controller and a data processor. Their rights and responsibilities will be explained in detail here.

Data controller rights and responsibilities include:

  • The duty of processing data in accordance with the Act.
  • The duty of designating a DPO as directed by the Commissioner.
  • The duty to notify data subject about the processing of their personal data.
  • The duty of applying for registration or renewal of certificate.
  • The duty of retaining data only as long as it is necessary.
  • The duty of implementing appropriate technical and organizational measures to safeguard data and comply with the Act.
  • The duty of conducting impact assessments if a processing operation could potentially result in compromising the rights and freedom of a data subject.

Besides their duties, data controllers also have to:

  • Bear the burden of proof for ascertaining data subject consent to the processing of personal data for a specified purpose.
  • Notify the Commissioner within 72 hours of any breach, if there is a real risk of harm to any data subjects.
  • Ensure sufficient protective measures.
  • Ensure sufficient proof to the Commissioner of the appropriate safeguards when transferring personal data outside of Kenya.
  • Inform the data subjects of the processing of information and any potential purposes of processing.

In practice, a data controller and a data processor will often be one and the same. In that case, the same duties apply, but in addition, data processors’ rights and responsibilities include:

  • To put in place protective measures for the processing of sensitive personal data.
  • To apply for registration and application for renewal of the certificate they require.

Data subjects

The data subjects have certain rights under Kenya’s Data Protection Act. A lot of these rights are inspired by the EU’s GDPR, and include:

  1. Right to be informed – The data subject has the right to be informed about the collection of their personal data. This includes everything from what data is being collected, the purpose of the collection and if it is shared with any third parties.
  2. Right to access – Besides knowing about the collection of their data, the data subject also has the right access the collected data. This is similar to the EU’s GDPR.
  3. Right to erasure – this right is not absolute, meaning it only applies under certain circumstances, which are: When the data is outdated, incomplete, inaccurate or misleading, when the data controller or processor no longer has the authority to hold the data or when the data has been obtained unlawfully, and when it is excessive or irrelevant.
  4. Right to opt-out – data subjects have this right to opt out of the collection entirely, which is also adopted from the EU’s GDPR.
  5. Right to rectification – Kenya’s Data Protection Act provides the data subjects with the right to correct or delete false or misleading data. It also lets the data subjects update their data, once again following the EU’s GDPR.
  6. Right to data portability – data subjects have the right to receive their data in a “structured, commonly used, machine-readable format, to transmit this ported data to another data controller or processor, or to request the transfer to another data controller or processor where possible”.
  7. Right not to be subject to automated decision-making – the data subjects have the right to not be subject to automated decision-making. This includes profiling, which may produce legal effects on or may significantly affect the data subject.
Red, brown & red circular pattern - Cookiebot
Infringement of Kenya’s Data Protection can lead to big fines and even imprisonment

Sanctions

For companies, infringement of provisions of the Data Protection Act Kenya will result in a fine of up to five million KES. In the case of an undertaking, the fine will be 1% of the company’s annual turnover of the preceding financial year, up to 5 million KES.

Individuals will be liable to a fine of maximum three shillings or to an imprisonment term of up to ten years. Individuals can also receive both sanctions.

Scan your website to discover what cookies and trackers are in use on your website

Try Cookiebot CMP for Data Protection Act compliance in Kenya

Summary of Kenya’s Data Protection Act

Kenya’s Data Protection Act is one of the many data privacy laws emerging around the world in these years. Its purpose is to protect Kenyan individuals’ rights and interests and it applies to data controllers and data processors processing data about data subjects in Kenya. It was enacted in 2019 with immediate effect.

The Data Protection Act in Kenya is closely modeled after the EU’s GDPR, with the same provisions, definitions and requirements, like the requirement for end-user consent before any processing or transferring of personal data to third parties. That is why Cookiebot consent management platform, cradled for GDPR compliance but now covering all major data privacy legislations in the world, is an optimal solution for ensuring your website’s compliance with the Data Protection Act of Kenya.

Try Cookiebot CMP for compliance with Kenya’s Data Protection Act

FAQ

What is Kenya’s Data Protection Act?

Kenya’s Data Protection Act is a data privacy law enacted in 2019 and closely modeled after the EU’s GDPR. Its purpose is to protect the privacy rights of the data subjects in Kenya by making sure that companies or organizations do not abuse data about their users. Consent is a key requirement of the Data Protection Act of Kenya.

Learn more about Kenya’s Data Protection Act

Who does Kenya’s Data Protection Act apply to?

Kenya’s Data Protection Act applies to all processing of personal data of data subjects in Kenya, wherever the data controllers and data processors are located in the world.

Try our free website scanner to see if Kenya’s Data Protection Act applies to you.

Does Kenya’s Data Protection Act have extraterritorial scope?

Yes, Kenya’s Data Protection Act has extraterritorial scope. The Act applies to both data controllers and processors located in Kenya as well as data processors outside of Kenya, as long as they process personal data about data subjects located within the country of Kenya.

Try our free website scanner to see if Kenya’s Data Protection Act applies to you.

What is the penalty for breaching the Data Protection Act Kenya?

The penalty for breaching Kenya’s Data Protection Act differs. For companies, infringement of provisions of the Data Protection Act Kenya will result in a fine of up to five million KES, or in the case of an undertaking, not more than 1% of its annual turnover of the preceding financial year. Whichever one is lower.

Individuals will be liable to a fine of maximum three shillings or to an imprisonment term of up to ten years. Individuals can also receive both sanctions.

Don’t want to breach Kenya’s Data Protection Act? Try our free website scanner

How can I scan my website for cookies and trackers?

By using a consent management platform like Cookiebot CMP you can reveal all cookies and trackers that currently process personal information on your website. It also shows you where in the world your domain sends data to.

Try the Cookiebot CMP website scanner for free

Resources

See the full Kenyan Data Protection Act of 2019 (In English) See the full Kenyan Data Protection Act of 2019 (In English)

Get started with Cookiebot CMP and Google Consent Mode Get started with Cookiebot CMP and Google Consent Mode

Learn more about EU’s GDPR Learn more about EU’s GDPR

Learn about the EU’s GDPR and consent

Learn more about Cookiebot CMP Learn more about Cookiebot CMP

    Stay informed

    Join our growing community of data privacy enthusiasts now. Subscribe to the Cookiebot™ newsletter and get all the latest updates right in your inbox.

    By clicking on “Subscribe” I confirm that I want to subscribe to the Cookiebot™ newsletter. I can easily cancel my Cookiebot™ newsletter subscription and revoke consent to use my data by clicking the unsubscribe link or I can write to [email protected] to make the request. Privacy policy.