Kenya dpa

Published September 11, 2021.


Kenya’s Data Protection Act came into effect on November 25, 2019, and is now the primary law on data protection in the country. It gives effect to article 31 in the constitution of Kenya that stipulates privacy as a fundamental right.

As is the case with many other data privacy laws, its purpose is to protect individuals’ rights and interests. It applies to data controllers and data processors processing data about data subjects in Kenya. It does not matter if the data controller or data processor is established or residing within the country of Kenya, making the scope of application both territorial and extra-territorial.

The Data Protection Act in Kenya is closely modeled after the EU’s GDPR, using many of the same provisions, requirements, and definitions as its European counterpart. For instance, it requires end-user consent before any processing or transferring of personal data to third parties may take place.

In this blog post, we will break down Kenya’s Data Protection Act, so you know what it means for your website’s use of cookies – and how you can become compliant with the Cookiebot consent management platform.


Kenya’s Data Protection Act, quick summary


Kenya’s data privacy law condensed

Kenya’s Data Protection Act was enacted and came into effect right away on November 25, 2019, making the country one of the first ones in Africa to have a comprehensive data privacy law.

Kenya’s Data Protection Act is one of the latest major data privacy laws in the world to be modelled closely after the EU’s GDPR, which empowers individuals with enforceable rights over their personal information, while also providing clear guidelines for companies to handle their users’ data with care.

Some of the rights the Data Protection Act Kenya provides data subjects with include the right to be informed about data tracking; the right to access data; to erasure and rectification of data; to opt-out of tracking; to data portability, and not to be subject to automated decision-making.

The Data Protection Act in Kenya is applicable to data controllers or data processors who process personal data of data subjects located within the country of Kenya and who are either established or resident in or outside of Kenya. This means Kenya’s Data Protection Act has both territorial and extra-territorial scope of application, which is one of the similarities with the EU’s GDPR.

The Data Protection Act in Kenya distinguishes between sanctions for companies and for individuals. For companies, infringement of provisions of the Data Protection Act Kenya will result in a fine of up to five million KES. In the case of an undertaking, the fine will be 1% of the company’s annual turnover of the preceding financial year, unless that figure exceeds five million KES, in which case the fine will be 5 million KES.

Individuals will be liable to a fine of maximum three shillings or to an imprisonment term of up to ten years. Individuals can also receive both sanctions.




Kenya's Data Protection Act aims to protect the privacy rights of the data subject.



Kenya’s Data Protection Act – quick breakdown



Data Protection Act Kenya compliance with Cookiebot CMP


Cookiebot consent management platform (CMP) is a world-leading solution that helps you provide transparency and control over all the cookies – and similar tracking – on your website.

This guarantees you that your website complies with all the main data privacy laws around the world. This includes Kenya’s Data Protection Act, Thailand’s PDPA, Brazil’s LGPD, South Africa’s POPIA, EU’s GDPR, UK’s GDPR and South Korea’s PIPA.

Kenya’s Data Protection Act will, like many data privacy laws before it, require consent from the users in Kenya, before you can use cookies and trackers as an integral part of your website.

Our unrivaled website scanner detects all cookies and trackers while delivering an exhaustive report on all personal data processing on your website.

For that reason, among others, Cookiebot CMP is an optimal solution for making your domain fully compliant without the need for you to get into any complicated technical implementation.



Implement Cookiebot CMP to comply with Kenya's Data Protection Act.



What is Cookiebot CMP?

You might wonder, what is Cookiebot CMP?

Simply put, Cookiebot CMP is a plug-and-play consent management solution that automatically keeps your website cookies and tracking compliant with the Data Protection Act of Kenya.

Cookiebot CMP provides you with a detailed monthly scan report of your website, including all necessary details about the cookies and trackers on your domain, such as their purpose, their provider, their duration and what third parties they share the end-user data with.

Finally, Cookiebot CMP helps you to safely store all end-user consents, and to renew them on a regular basis.


Consent banner by Cookiebot CMP for Data Protection Act Kenya compliance


Cookiebot CMP works to make end-user privacy protection an integrated part of each individual website, and by offering you a comprehensive overview of all cookies on your website, Cookiebot CMP ensures compliance with Kenya’s Data Protection Act along with many other data privacy regulations around the world.



Data Protection Act Kenya, in detail


Hopefully you’ve now gotten a quick overview of Kenya’s Data Protection Act, and what it means to you and your website. Kenya’s Data Protection Act is very closely modeled after the EU’s GDPR, which also means that a lot of the requirements and terminology seen in the EU’s GDPR can be found in Kenya’s Data Protection Act. These include data subjects, processors, controllers and the requirement for "express, explicit, unequivocal, free, specific, and informed consent" before processing any personal data is allowed.

If you’re looking for a more detailed breakdown, read on as we take a closer look at the Data Protection Act Kenya’s key characteristics.

Scope of application of Kenya’s Data Protection Act

Kenya’s Data Protection Act applies to all processing of personal data by data controllers or data processors established or resident in Kenya, who process personal data while in the country of Kenya.

If you are a data controller or data processor that is not located in Kenya, but you are processing personal data of data subjects located within the country of Kenya, the Kenyan Data Protection Act applies as well.

Kenya’s Data Protection Act has, in other words, both territorial and extra-territorial scope of application. The extraterritorial scope is not always present in data privacy laws, but other examples of this type of scope can be found in the EU’s GDPR, Japan’s APPI and Thailand’s PDPA.



Kenya's Data Protection Act has both territorial and extra-territorial scope



Data Protection Commissioner

The first Commissioner under the Data Protection Act Kenya was appointed in November 2020. This section will quickly outline the Commissioner’s main responsibilities, duties and powers.

These include:




Data Protection Act Kenya – Key definitions

As mentioned above, Kenya’s Data Protection Act uses a lot of the same definitions as the EU’s GDPR. This means there is a chance that a lot of the definitions presented here sound familiar.

The key definitions are:

  1. Data controller
  2. Data processor
  3. Personal data
  4. Sensitive data
  5. Biometric data
  6. Health data
  7. Pseudonymization

A data controller is a ‘natural’ or ‘legal’ person, agency, public authority or other body, which has the power to determine, either alone or with others, the purpose and means of processing of personal data.

A data processor is, just like the data controller, a ‘natural’ or ‘legal’ person, agency, public authority or other body. The difference lies in their tasks. While the data controller has to determine the purpose and means of the processing, the data processor processes personal data on behalf of the data controller. This can be done alone or with other processors.

Personal data include any information relating to an identified or identifiable ‘natural’ person. This could include a person’s full name, gender, date of birth, physical and postal address and their identity card number.

Sensitive data include information revealing a person’s sex, sexual orientation, origin, belief, genetic data, race, health status, biometric data, marital status and family details like the name of a person’s children, parents and spouse.

Biometric data is the result of specific technical processing based on physical, physiological or behavioral characterization. This includes fingerprinting, DNA analysis, blood samples, voice recognition and more.

Health data is data related to the data subjects’ physical or mental health, and it may include any potential records regarding the past, present or future state of health of the data subjects, as well as information collected in the course of registration for health services or information which can associate the data subjects to the provision of specific health services.

Pseudonymization is the processing of personal data in a way guaranteeing that the personal data can no longer be attributed to a certain data subject without additional information. By keeping such additional information separately and subjecting it to organizational and technical measures it ensures that the personal data cannot be attributed to an identified or identifiable natural person.



It is important to recognize the key definitions to understand Kenya's Data Protection Act.



Rights and responsibilities

As explained above, Kenya’s Data Protection Act differentiates between a data controller and a data processor. Their rights and responsibilities will be explained in detail here.

Data controller rights and responsibilities include:


Besides their duties, data controllers also have to:


In practice, a data controller and a data processor will often be one and the same. In that case, the same duties apply, but in addition, data processors’ rights and responsibilities include:


Data subjects

The data subjects have certain rights under Kenya’s Data Protection Act. A lot of these rights are inspired by the EU’s GDPR, and include:

  1. Right to be informed – The data subject has the right to be informed about the collection of their personal data. This includes everything from what data is being collected, the purpose of the collection and if it is shared with any third parties.
  2. Right to access – Besides knowing about the collection of their data, the data subject also has the right to access the collected data. This is similar to the EU’s GDPR.
  3. Right to erasure – this right is not absolute, meaning it only applies under certain circumstances, which are: when the data is outdated, incomplete, inaccurate or misleading; when the data controller or processor no longer has the authority to hold the data or when the data has been obtained unlawfully; and when it is excessive or irrelevant.
  4. Right to opt-out – data subjects have this right to opt out of the collection entirely, which is also adopted from the EU’s GDPR.
  5. Right to rectification – Kenya’s Data Protection Act provides the data subjects with the right to correct or delete false or misleading data. It also lets the data subjects update their data, once again following the EU’s GDPR.
  6. Right to data portability – data subjects have the right to receive their data in a “structured, commonly used, machine-readable format, to transmit this ported data to another data controller or processor, or to request the transfer to another data controller or processor where possible”.
  7. Right not to be subject to automated decision-making – the data subjects have the right to not be subject to automated decision-making. This includes profiling, which may produce legal effects on or may significantly affect the data subject.


Infringement of Kenya's Data Protection Act can lead to big fines and even imprisonment



Sanctions

For companies, infringement of provisions of the Data Protection Act Kenya will result in a fine of up to five million KES. In the case of an undertaking, the fine will be 1% of the company’s annual turnover of the preceding financial year, up to 5 million KES.

Individuals will be liable to a fine of maximum three shillings or to an imprisonment term of up to ten years. Individuals can also receive both sanctions.




Summary of Kenya’s Data Protection Act


Kenya’s Data Protection Act is one of the many data privacy laws emerging around the world in recent years. Its purpose is to protect Kenyan individuals’ rights and interests, and it applies to data controllers and data processors processing data about data subjects in Kenya. It was enacted in 2019 with immediate effect.

The Data Protection Act in Kenya is closely modeled after the EU’s GDPR, with the same provisions, definitions and requirements, like the requirement for end-user consent before any processing or transferring of personal data to third parties. That is why the Cookiebot consent management platform, originally built for GDPR compliance but now covering all major data privacy legislation in the world, is an optimal solution for ensuring your website’s compliance with the Data Protection Act of Kenya.




FAQ


What is Kenya’s Data Protection Act?

Kenya’s Data Protection Act is a data privacy law enacted in 2019 and closely modeled after the EU’s GDPR. Its purpose is to protect the privacy rights of the data subjects in Kenya by making sure that companies or organizations do not abuse data about their users. Consent is a key requirement of the Data Protection Act of Kenya.


Who does Kenya’s Data Protection Act apply to?

Kenya’s Data Protection Act applies to all processing of personal data of data subjects in Kenya, wherever the data controllers and data processors are located in the world.


Does Kenya’s Data Protection Act have extraterritorial scope?

Yes, Kenya’s Data Protection Act has extraterritorial scope. The Act applies to both data controllers and processors located in Kenya as well as data processors outside of Kenya, as long as they process personal data about data subjects located within the country of Kenya.


What is the penalty for breaching the Data Protection Act Kenya?

The penalty for breaching Kenya’s Data Protection Act differs. For companies, infringement of provisions of the Data Protection Act Kenya will result in a fine of up to five million KES, or in the case of an undertaking, not more than 1% of its annual turnover of the preceding financial year, whichever is lower.

Individuals will be liable to a fine of maximum three shillings or to an imprisonment term of up to ten years. Individuals can also receive both sanctions.


How can I scan my website for cookies and trackers?

By using a consent management platform like Cookiebot CMP you can reveal all cookies and trackers that currently process personal information on your website. It also shows you where in the world your domain sends data to.


