Any business in Kenya that shares personal data with a third-party service provider — a payroll bureau, cloud software vendor, HR outsourcer, or call-centre contractor — must have a written data processing agreement in place before that sharing begins. The requirement comes from section 42 of the Data Protection Act 2019, read together with regulation 24 of the Data Protection (General) Regulations 2021. Get this wrong and the Office of the Data Protection Commissioner (ODPC) can impose an administrative penalty of up to KES 5 million, or — for undertakings — up to 1% of annual turnover, whichever is lower; criminal conviction for general contraventions carries a fine of up to KES 3 million.
What the Data Protection Act 2019 actually says
The Act draws a sharp line between two roles. A data controller decides why and how personal data is collected and used — that's typically your business. A data processor handles that data on your behalf, following your instructions, without controlling the purpose. Section 42(2)(b) of the Act requires the data controller and processor to enter a written contract providing that the processor acts only on the controller's instructions; section 42(2)(a) requires the controller to select only a processor who gives sufficient guarantees that it will implement appropriate technical and organisational measures.
The contract must set out what the processor may do with the data, how long they hold it, what security measures apply, and what happens when the engagement ends. A verbal arrangement or a line in a master services agreement that doesn't address these points specifically will not satisfy the Act.
Which relationships trigger the obligation
The controller-processor structure is easy to understand in the abstract but often misidentified in practice. Here are the situations that most commonly require a formal agreement in Kenya:
SaaS vendors. A Kenyan business subscribing to payroll software, a CRM platform, or an HR information system is the controller. The software company processes employee or customer data under the business's account. Even if the vendor is headquartered outside Kenya, section 3 of the Act applies to any processing that relates to data subjects in Kenya.
Payroll bureaux. An employer who hands monthly payroll data — names, national ID numbers, bank details, PAYE deductions — to an external payroll firm is transferring personal data to a processor. The payroll firm cannot use that data for any purpose beyond running the payroll.
HR and recruitment outsourcers. Firms that conduct background checks, run psychometric assessments, or manage onboarding paperwork on behalf of an employer are processors. The same applies to outsourced training providers who collect attendance and performance data.
IT managed-services providers. A company that gives a managed-services contractor access to servers storing customer records, or grants remote desktop access to troubleshoot systems, is engaging a processor. Access alone triggers the requirement.
The test is always the same: does the third party handle personal data as part of a service they provide to you? If yes, you need a written agreement before they start.
What the agreement must contain
Regulation 24 of the Data Protection (General) Regulations 2021 specifies the minimum content. The agreement must describe:
- the subject matter, duration, nature, and purpose of the processing;
- the type of personal data involved and the categories of data subjects;
- the obligations and rights of the controller;
- an instruction that the processor only acts on documented instructions from the controller;
- confidentiality obligations on anyone authorised to process the data;
- the security measures required under section 41 of the Act;
- conditions for engaging sub-processors, including a requirement for written consent from the controller;
- procedures for assisting the controller with data subject requests — access, rectification, erasure, and objection rights under the data subject rights provisions of the Act;
- what happens to the data at the end of the contract (deletion or return); and
- audit rights, so the controller can verify compliance.
Processors that want to engage a sub-processor — another company they bring in to help deliver the service — must get the controller's written authorisation first, and must impose the same obligations on the sub-processor that the controller imposed on them. Chains of subcontracting do not dilute liability: the Regulations keep the original processor fully accountable for the compliance of any sub-processor it engages.
ODPC registration — a separate but related obligation
Controllers and processors must register with the ODPC under the Act's registration provisions (section 18) if they handle personal data beyond a domestic or purely personal purpose. For commercial enterprises this means virtually all businesses that store customer, employee, or supplier data. Registration is done through the ODPC online portal. The registration is not a substitute for a data processing agreement — both obligations run in parallel.
Cross-border transfers
Kenya's Act restricts sending personal data outside the country. Section 48 prohibits cross-border transfers unless the destination country offers an adequate level of protection, the data subject has given explicit consent to the transfer, or one of the other grounds in section 48(2) applies (such as a contract that is necessary for the data subject's benefit, or standard contractual clauses approved by the ODPC).
This matters acutely for businesses using cloud services hosted outside Kenya. Uploading customer records to a server in Ireland or the United States is a cross-border transfer. The data processing agreement needs to address it — either by identifying the adequacy basis or by incorporating the relevant transfer mechanism. Leaving this out is a compliance gap that ODPC inspectors check for specifically.
What happens when you get it wrong
The ODPC has enforcement powers under Part VII of the Act. A first finding of non-compliance typically produces a compliance notice requiring the business to fix the problem within a set period. Failure to comply, or a more serious breach, can result in an administrative financial penalty — up to KES 5 million, or up to 1% of the undertaking's annual turnover, whichever is lower. Criminal conviction for a general contravention of the Act carries a fine of up to KES 3 million or imprisonment of up to ten years, or both. These figures can be material for businesses processing high-value financial data.
Beyond the direct fine, a data breach involving a processor who had no proper agreement in place exposes the controller to civil claims from data subjects under section 65. Kenyan courts can award compensation for material and non-material damage.
Getting your agreement drafted
The core structure of a compliant agreement is well established, but the details need to match your specific relationship: the type of data, the services being provided, the security standards you expect, and the sub-processing chain, if any. A template gives you the right skeleton; the work is in making sure the specific clauses reflect what your processor actually does and what your business actually needs.
Forms Legal's data processing agreement for Kenya covers the mandatory provisions under the Act and the 2021 Regulations, including the sub-processor consent mechanism, data subject rights assistance clauses, and the end-of-contract data-return obligation. Download, complete the company-specific fields, and have both parties sign before any data changes hands.
A checklist before sharing data with a service provider
Before onboarding any vendor who will handle personal data belonging to your customers or employees, run through these points:
- Confirm the vendor's role — controller or processor? If they control the purpose, you may need a data-sharing agreement (also required under the Act) rather than a processing agreement.
- Check whether the vendor is ODPC-registered. The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 require registration as a precondition to operating as a processor.
- Confirm where data will be stored and processed. If outside Kenya, identify the transfer mechanism before signing.
- Insist on an audit clause — regulators expect controllers to be able to demonstrate oversight of their processors.
- Set a review date for the agreement, especially if the services are long-running. Data types and processing activities evolve, and the agreement should reflect the current arrangement.
The controller-processor distinction is not a technicality. Under Kenya's data protection framework, getting this relationship documented properly is the legal baseline, not a mark of sophistication. For SaaS vendors, payroll bureaux, and HR outsourcers operating in Kenya, the written agreement is the price of entry to the market.
This article is general information, not legal advice — see our accuracy & editorial policy. Confirm the cited law is current before relying on it.