Kenya's Data Protection Act, 2019 — passed 8 November 2019 and operationalized through regulations issued in 2021 — requires every data controller and data processor operating in Kenya to register with the Office of the Data Protection Commissioner, maintain lawful bases for every processing activity, and execute written agreements when personal data is shared with third-party processors. Non-compliance attracts administrative fines of up to KES 5 million (or 1% of annual turnover, whichever is lower) and criminal penalties of up to KES 3 million or ten years' imprisonment under the Act's enforcement provisions.
What the DPA 2019 actually covers
The Act applies to any organization that determines the purposes and means of processing personal data about Kenyan residents, regardless of where the organization is incorporated. A Kenyan subsidiary of a foreign group, a local hospital processing patient records, and a fintech startup onboarding customers all fall within scope.
The law draws a clear line between data controllers — those who decide why and how personal data is processed — and data processors, who act on the controller's instructions. Both categories must register separately with the Office of the Data Protection Commissioner (ODPC). This dual-registration requirement is one of the points many businesses miss: hiring a cloud provider to store customer data does not transfer your own registration obligation.
The Act protects information about identified or identifiable natural persons. This covers names, national ID numbers, biometric data, health records, financial information, and location data. Special categories — health data, genetic data, data on children — attract heightened obligations under Part IV of the Act.
ODPC registration: who must register and how
The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 set out the registration mechanics. Organizations must submit an application to the ODPC — Kenya's data watchdog, established under Section 5 of the Act — before commencing any processing activity. Registration is not a one-time event; controllers and processors must renew annually and update their registration within 30 days of any material change to their processing operations.
The registration form requires you to specify:
- The categories of personal data you collect
- The purposes for which data is processed
- The legal basis for each processing purpose
- Countries to which data may be transferred
- Contact details for your designated Data Protection Officer (DPO), if required
A DPO is mandatory under Section 24 of the Act for controllers and processors whose core activities involve large-scale processing of special category data or systematic monitoring of data subjects. For most mid-sized Kenyan businesses, a DPO appointment is therefore not optional — it is a legal requirement that ODPC routinely checks during investigations.
Lawful bases and consent under the DPA
Section 30 of the Act sets out the lawful bases for processing personal data. These include consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, and legitimate interests pursued by the controller.
Consent under the DPA must be freely given, specific, informed, and unambiguous — broadly matching the standard familiar from the EU's General Data Protection Regulation. An opt-out checkbox buried in terms of service does not satisfy Section 32, which requires that consent be as easy to withdraw as it is to give. Many Kenyan e-commerce operators discovered this gap during ODPC's 2023 investigations, when several were required to redesign their consent flows entirely.
Legitimate interests, one of the bases listed in Section 30, gives businesses flexibility but requires a balancing test: the interest must be weighed against the data subject's rights, and the assessment should be documented. The ODPC has signalled it expects this documentation to be available on request.
Data processing agreements: a non-negotiable requirement
Section 42 of the DPA makes written contracts between controllers and processors mandatory. The agreement must bind the processor to process personal data only on documented instructions from the controller, ensure that persons authorised to process the data are committed to confidentiality, implement appropriate technical and organisational security measures, and assist the controller in meeting its data subject rights obligations.
Drafting a compliant agreement from scratch takes time — and an error in the processor clause can expose both parties to regulatory liability under the Act. A well-drafted Data Processing Agreement for Kenya covers all mandatory Section 42 elements, including sub-processing controls and cross-border transfer clauses, which is the format the ODPC expects to see.
Cross-border data transfers
Section 49 of the Act restricts transfers of personal data outside Kenya to countries, territories, or international organisations that provide adequate protection for personal data. Where adequacy has not been determined, the controller must implement appropriate safeguards — such as standard contractual clauses or binding corporate rules — and obtain prior authorisation from the ODPC.
In practice, the ODPC published a list of countries it considers adequate for transfer purposes. For transfers to countries not on that list, including many cloud regions, organizations need a transfer impact assessment and, in some cases, formal ODPC approval. The approval process can take several months, so businesses running cross-border SaaS products should map their data flows early.
Data subject rights and how to handle them
The DPA grants data subjects eight distinct rights under Part III: the right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to object, right not to be subject to automated decision-making, and the right to data portability.
Controllers must respond to access and erasure requests within 30 days under the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021. A missed deadline is an independent ground for complaint to the ODPC — separate from any substantive breach. Building an internal request log and assigning a responsible team member is therefore an operational priority, not a theoretical one.
Data breach notification
Section 43 of the Act and the Data Protection (General) Regulations, 2021 require controllers to notify the ODPC of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in high risk to data subjects, the affected individuals must also be notified directly.
The notification must describe the nature of the breach, the categories and approximate number of data subjects involved, and the measures taken or proposed to address it. Organizations without an incident response plan tend to scramble at this stage — a pre-drafted breach notification template, reviewed by your DPO, can cut response time significantly.
Enforcement: what the ODPC has actually done
The ODPC has moved beyond symbolic enforcement. The Commissioner has issued formal enforcement notices and administrative fines to organizations in banking, insurance, and telecommunications. In 2023 and 2024, several financial institutions received compliance directives following customer complaints about unsolicited marketing calls — a direct violation of the consent requirements in Section 32 and the right of data subjects to object to processing.
The maximum administrative fine is KES 5 million, or 1% of the organisation's annual turnover (whichever is lower). The Act separately provides for criminal prosecution where offences involve bad faith or deliberate breach, carrying fines of up to KES 3 million and imprisonment of up to ten years. Industry observers expect penalty amounts to increase as the ODPC scales its investigation capacity with additional budget allocations in 2026.
Practical steps for a 2026 compliance review
- Audit your processing activities — map every system that touches personal data, including HR platforms, CRM tools, and analytics providers.
- Verify registration status — log in to the ODPC portal at odpc.go.ke and confirm your registration is current and accurately reflects your current activities.
- Review processor contracts — any third-party vendor handling personal data on your behalf needs a Section 42-compliant agreement in place before the next processing activity.
- Document lawful bases — for every processing purpose, identify and record the applicable basis. Consent-reliant processing needs a consent management system that produces a timestamped audit log.
- Test your breach response — run a tabletop exercise against the 72-hour notification window to identify gaps before a real incident forces the question.
Forms and documentation
Kenya's compliance framework is document-heavy by design. The ODPC expects controllers to produce, on request, their processing records, DPO appointment letter, data protection impact assessments (DPIAs) for high-risk processing, and processor contracts. Keeping these in a single compliance folder — not scattered across email threads — is the difference between a clean ODPC audit and a six-month investigation.
Forms-legal.com maintains Kenya-specific templates for data-related documents, including data processing agreements, privacy policies, and data subject consent forms, all drafted against the DPA 2019 and the 2021 Regulations. These documents reflect Kenyan legal references rather than generic international language, which matters when the ODPC examines whether your documentation shows genuine engagement with local law.
This article is general information, not legal advice — see our accuracy & editorial policy. Confirm the cited law is current before relying on it.