The General Data Protection Regulation (GDPR) is an EU law with mandatory rules for how organizations and companies must use personal data in a way that respects individuals' privacy. Personal data means any information which, directly or indirectly, could identify a living person. Name, phone number, and address are textbook examples of personal data. Interests, information about past purchases, health, and online behaviour are also considered personal data, as they could identify a person.

In Kenya, the local version of GDPR is the Data Protection Act, 2019, which came into force on 25/11/2019. The purpose of this Act is to

“establish the Office of the Data Protection Commissioner; to make provision for the regulation of the processing of personal data; to provide for the rights of data subjects and obligations of data controllers and processors; and for connected purposes.”


This Act shall be implemented through the Office of the Data Protection Commissioner, which will be required to:

(a) oversee the implementation of and be responsible for the enforcement of this Act;

(b) establish and maintain a register of data controllers and data processors;

(c) exercise oversight on data processing operations, either of own motion or at the request of a data subject, and verify whether the processing of data is done in accordance with this Act;

(d) promote self-regulation among data controllers and data processors;

(e) conduct an assessment, on its own initiative of a public or private body, or at the request of a private or public body for the purpose of ascertaining whether information is processed according to the provisions of this Act or any other relevant law;

(f) receive and investigate any complaint by any person on infringements of the rights under this Act;

(g) take such measures as may be necessary to bring the provisions of this Act to the knowledge of the general public;

(h) carry out inspections of public and private entities with a view to evaluating the processing of personal data;

(i) promote international cooperation in matters relating to data protection and ensure country’s compliance on data protection obligations under international conventions and agreements;

(j) undertake research on developments in data processing of personal data and ensure that there is no significant risk or adverse effect of any developments on the privacy of individuals; and

(k) perform such other functions as may be prescribed by any other law or as necessary for the promotion of object of this Act.


Data Controller: means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data;

Data Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;

There is a requirement for MANDATORY REGISTRATION of data controllers and data processors, and in making such determination, the Data Commissioner shall consider — (a) the nature of industry; (b) the volumes of data processed; (c) whether sensitive personal data is being processed; and (d) any other criteria the Data Commissioner may specify.

The Data Controller or Processor shall be required to provide the following details during registration:

(a) a description of the personal data to be processed by the data controller or data processor;

(b) a description of the purpose for which the personal data is to be processed;

(c) the category of data subjects, to which the personal data relates;

(d) contact details of the data controller or data processor;

(e) a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of personal data;

(f) any measures to indemnify the data subject from unlawful use of data by the data processor or data controller;

Failure to register is an offence and attracts a penalty.



Personal data is protected by ensuring it is:

(a) processed in accordance with the right to privacy of the data subject;

(b) processed lawfully, fairly and in a transparent manner in relation to any data subject;

(c) collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;

(d) adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;

(e) collected only where a valid explanation is provided whenever information relating to family or private affairs is required;

(f) accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;

(g) kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected; and

(h) not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.


The Data Subject, the person whose personal data is collected, has the following rights with regard to the data collected and stored by the Data Controller or Processor:

(a) to be informed of the use to which their personal data is to be put;

(b) to access their personal data in custody of data controller or data processor;

(c) to object to the processing of all or part of their personal data;

(d) to correction of false or misleading data; and

(e) to deletion of false or misleading data about them.


The protection of personal data is not absolute. There are some exceptions.

The processing of personal data is exempt from the provisions of this Act if:

(a) it relates to processing of personal data by an individual in the course of a purely personal or household activity;

(b) it is necessary for national security or public interest; or

(c) disclosure is required by or under any written law or by an order of the court.

The principles of processing personal data shall not apply to journalists, art and literary works, provided they comply with a Code of Ethics or requirements provided by the Commissioner. Such works are exempt if —

(a) processing is undertaken by a person for the publication of a literary or artistic material;

(b) data controller reasonably believes that publication would be in the public interest; and

(c) data controller reasonably believes that, in all the circumstances, compliance with the provision is incompatible with the special purposes.

Personal data collected or processed for Research, Statistical and Historic purposes are exempt in the event the data is processed in compliance with the relevant conditions; and the results of the research or resulting statistics are not made available in a form which identifies the data subject or any of them.

The Data Protection Commissioner can prepare guidelines and criteria for further exemption of compliance with this Act. There are various offences and penalties arising from breach of the requirements in the Act.


In conclusion, personal data has been abused, has great value in commerce and research, and needs to be protected. Any processor or controller of data shall now be required to put measures in place to comply with the principles and requirements of this Act. Further, citizens will be able to enforce their rights in case of misuse of their personal data contrary to this Act. This Act has a far-reaching effect on other laws in Kenya as well.

Do you think this law is necessary in Kenya? What is the impact of this Act on users of personal data? Kindly post your comments or questions below.

Law Query Limited.

