Data Processing Agreement (Kenya)
DATA PROCESSING AGREEMENT
Data Protection Act No. 24 of 2019 — Section 43 | Data Protection (General) Regulations 2021
THIS DATA PROCESSING AGREEMENT is made on [Agreement Date]
BETWEEN:
(1) [Controller Name] (BRS No: [Controller BRS]), having its registered office at [Controller Address] (the "Controller"); and
(2) [Processor Name] (BRS No: [Processor BRS]), having its registered office at [Processor Address] (the "Processor").
1. PROCESSING DETAILS
1.1 Purpose of processing: [Processing Purpose].
1.2 Categories of personal data: [Data Categories].
1.3 Categories of data subjects: [Data Subject Categories].
1.4 Lawful basis for processing under Section 30 of the Data Protection Act No. 24 of 2019: [Lawful Basis].
1.5 Duration of processing: [Processing Duration].
2. PROCESSOR OBLIGATIONS
2.1 The Processor shall process personal data only on the Controller's documented instructions and shall not process personal data for any other purpose.
2.2 The Processor shall treat all personal data as confidential and shall bind all personnel with access to the personal data to the same confidentiality obligations.
2.3 The Processor shall implement and maintain the following technical and organisational security measures: [Security Measures], consistent with Section 41 of the Data Protection Act No. 24 of 2019 and the Data Protection (General) Regulations 2021.
2.4 The Processor shall assist the Controller in responding to data subject rights requests under Sections 26 to 35 of the Data Protection Act No. 24 of 2019 within the timeframes specified by the Office of the Data Protection Commissioner (ODPC).
2.5 On termination of this Agreement, the Processor shall, at the Controller's election, securely delete or return all personal data and delete existing copies within 30 days, providing written certification of deletion to the Controller.
3. PERSONAL DATA BREACH NOTIFICATION
3.1 The Processor must notify the Controller [Breach Notification Period] of becoming aware of a personal data breach, providing sufficient information for the Controller to meet its 72-hour notification obligation to the ODPC under Section 43(6) of the Data Protection Act No. 24 of 2019.
3.2 The Controller shall notify the ODPC within 72 hours of becoming aware of the breach and shall notify affected data subjects where required under Section 43(7) of the Data Protection Act No. 24 of 2019.
4. AUDIT RIGHTS AND CROSS-BORDER TRANSFERS
4.1 Audit rights: [Audit Rights]. The Processor must cooperate with ODPC inspections under the Data Protection (General) Regulations 2021.
4.2 Cross-border transfer mechanism: [Cross-border Transfer], in compliance with Section 49 of the Data Protection Act No. 24 of 2019.
5. GOVERNING LAW
5.1 This Agreement is governed by the laws of Kenya. Disputes shall be referred to the courts of Kenya sitting in [Governing Jurisdiction], or to the Nairobi Centre for International Arbitration (NCIA) under the Arbitration Act No. 4 of 1995 (revised 2022).
IN WITNESS WHEREOF, the Parties have signed this Agreement on the date first written above.
Authorised Signatory (Controller)
________________
Signature
Authorised Signatory (Processor)
________________
Signature
Witness
________________
Signature
What Is a Data Processing Agreement (Kenya)?
A Data Processing Agreement in Kenya sets out the rights, duties and consideration binding the parties to it.
The Data Protection Act No. 24 of 2019 defines a data controller as a natural or legal person who determines the purpose and means of processing personal data, while a data processor is a person who processes data on behalf of a controller. Common examples in Kenya include: a company (controller) engaging a cloud hosting provider or payroll bureau (processor); a hospital (controller) using a medical records management company (processor); or a bank (controller) outsourcing customer KYC verification to a fintech firm (processor). The distinction is significant because the Data Protection (General) Regulations 2021 impose direct liability on processors who exceed the instructions of the controller or who subcontract processing without prior written authorisation.
The legal basis for data processing in Kenya is grounded in Section 30 of the Data Protection Act No. 24 of 2019, which requires that processing have at least one lawful basis: consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests. A Data Processing Agreement must identify the applicable lawful basis and specify the categories of data subjects and personal data involved. The High Court of Kenya (Constitutional and Human Rights Division) has jurisdiction over constitutional data rights claims under Article 31 of the Constitution of Kenya 2010, which protects the right to privacy including the right to the protection of personal data.
A Kenya Data Processing Agreement differs from a Data Sharing Agreement in an important respect: a DPA governs processing by a third-party service provider acting under instructions, where the processor has no independent decision-making authority over the data. A Data Sharing Agreement, by contrast, governs the transfer of data between two independent controllers, each determining their own processing purposes. Both types of agreements are required by the ODPC, and a single transaction may require both instruments — for example, where two hospitals share patient records (Data Sharing Agreement) and each then engages a cloud provider (Data Processing Agreement).
The Data Protection (General) Regulations 2021 (Legal Notice No. 46 of 2021), made under Section 72 of the Data Protection Act, elaborate the requirements for controller-processor contracts and set out the mandatory provisions that every Data Processing Agreement in Kenya must contain. Processors operating across East Africa must also consider whether the General Data Protection Regulation (GDPR) of the European Union applies to their activities if they process data of EU residents — Kenya's ODPC has acknowledged GDPR adequacy considerations in cross-border data transfer guidance.
Organisations that have already adopted a Data Breach Notification Template and Cybersecurity Policy gain additional compliance benefit from a Data Processing Agreement that formally extends those security obligations to all third-party processors. Without a written Data Processing Agreement, a controller cannot demonstrate to the ODPC during an audit that its processor supply chain meets the security standards required by Section 41 of the Data Protection Act No. 24 of 2019.
When Do You Need a Data Processing Agreement (Kenya)?
A Kenya Data Processing Agreement is required whenever a data controller engages a third-party service provider to process personal data on its behalf, and the Data Protection Act No. 24 of 2019 makes written documentation of this relationship mandatory before processing begins.
A Data Processing Agreement is required when a Kenyan business engages a Software-as-a-Service (SaaS) provider, cloud hosting company, or IT services firm that will have access to customer or employee personal data. Under Section 43(1) of the Data Protection Act No. 24 of 2019, the processor must be bound by a written contract before accessing any personal data. Failure to execute a DPA before the service goes live exposes the controller to enforcement action by the Office of the Data Protection Commissioner (ODPC), including formal investigations and penalty notices.
A Data Processing Agreement is needed when a company registered with the Business Registration Service (BRS) outsources its human resources or payroll functions to a third-party bureau. Payroll processing involves sensitive personal data — National Identity Card (NIC) numbers, KRA PINs, NSSF membership numbers, SHIF registration numbers, salary details, and banking information — all of which are classified as personal data requiring protection under the Data Protection Act No. 24 of 2019.
A Data Processing Agreement is required when a healthcare facility, pharmacy, or diagnostic laboratory in Kenya contracts a third-party records management company, medical transcription service, or electronic health records platform. Health data constitutes sensitive personal data under Section 2 of the Data Protection Act, and its processing requires both a lawful basis and explicit patient consent under Section 32.
A Data Processing Agreement is needed when a financial institution regulated by the Central Bank of Kenya (CBK) or the Capital Markets Authority (CMA) engages a data analytics firm, credit reference bureau, or customer verification service. The CBK Prudential Guidelines and the CMA regulations require institutions to confirm that all outsourced data processing complies with the Data Protection Act No. 24 of 2019.
A Data Processing Agreement is required when a Kenyan company transfers personal data to a processor located outside Kenya. Section 49 of the Data Protection Act restricts cross-border transfers to countries with adequate data protection laws or where the ODPC has approved appropriate safeguards. A DPA incorporating the standard contractual clauses recognised by the ODPC provides the legal mechanism for such transfers.
A Data Processing Agreement is needed when a marketing agency, advertising technology company, or market research firm processes consumer personal data on behalf of a brand or retailer operating in Kenya's consumer goods or telecommunications sector. The Data Subject Consent Form used to collect marketing consent should reference the Data Processing Agreement governing the processor's handling of that data.
What to Include in Your Data Processing Agreement (Kenya)
A Kenya Data Processing Agreement under the Data Protection Act No. 24 of 2019 must contain the following essential elements to satisfy the requirements of Section 43 and the Data Protection (General) Regulations 2021.
Identification of Parties: Full legal names, BRS registration numbers, KRA PINs, and registered addresses of the data controller and data processor. Clarity about the roles is mandatory — confusing controller and processor status creates direct legal liability under the Data Protection Act No. 24 of 2019 and exposes both parties to enforcement by the Office of the Data Protection Commissioner (ODPC).
Scope and Subject Matter of Processing: A precise description of the processing operations, the categories of personal data involved (for example, names, NIC numbers, KRA PINs, financial data, health data), the categories of data subjects (employees, customers, patients), and the purpose for which the controller has instructed the processor to process the data. Vague descriptions that do not specify the lawful basis under Section 30 of the Data Protection Act will not satisfy the ODPC's audit requirements.
Processor Obligations: The processor must process personal data only on the controller's documented instructions; maintain confidentiality of personal data; implement appropriate technical and organisational security measures under Section 41 of the Data Protection Act; and delete or return all personal data to the controller on termination of the agreement. The Data Protection (General) Regulations 2021 require the processor to assist the controller in responding to data subject access requests under Section 26 and breach notifications under Section 43(5).
Sub-processing: The agreement must specify whether the processor may engage sub-processors and, if so, require prior written authorisation from the controller for each sub-processor. The processor remains liable to the controller for any sub-processor's acts or omissions as if the processor itself had performed them — this chain of liability is established by Section 43(3) of the Data Protection Act No. 24 of 2019.
Data Subject Rights Assistance: The processor must assist the controller in fulfilling data subjects' rights under Sections 26 to 35 of the Data Protection Act — including rights of access, rectification, erasure, restriction, portability, and objection — within the timeframes specified by the ODPC. Data subjects whose rights are infringed may lodge complaints directly with the ODPC under Section 56 of the Act.
Security Measures: The parties must agree on the technical and organisational security measures appropriate to the risk, including encryption, access controls, pseudonymisation, regular security testing, and physical security protocols. The Data Protection (General) Regulations 2021 specify minimum security standards for high-risk processing activities, including health data and financial data. The controller's Cybersecurity Policy should be referenced as the baseline security standard that the processor must meet.
Personal Data Breach Notification: The processor must notify the controller without undue delay — and in any event within 24 hours — of becoming aware of a personal data breach, to enable the controller to notify the ODPC within the 72-hour window required by Section 43(6) of the Data Protection Act. The forms-legal.com Data Processing Agreement template includes a breach notification procedure aligned with the ODPC's reporting requirements and the Data Breach Notification Template.
Duration and Termination: The duration of the processing relationship, the consequences of termination (including secure deletion or return of all personal data within a specified period), and the right of either party to terminate immediately for material breach of the data protection obligations.
Audit Rights: The controller must have the contractual right to audit the processor's data protection compliance, either directly or through an independent third party. Processors must cooperate with ODPC inspections under Section 30 of the Data Protection (General) Regulations 2021 and make available all records of processing activities.
Governing Law: Kenya law governs the agreement, with disputes referred to the courts of Kenya or the Nairobi Centre for International Arbitration (NCIA) under the Arbitration Act No. 4 of 1995 (revised 2022). For cross-border processing, the agreement should specify the data transfer mechanism under Section 49 of the Data Protection Act No. 24 of 2019.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Processing Agreement (Kenya) [Legal document template]. Forms Legal. https://forms-legal.com/kenya/business/contracts/data-processing-agreement-kenya
"Data Processing Agreement (Kenya)." Forms Legal, 2026, https://forms-legal.com/kenya/business/contracts/data-processing-agreement-kenya.
@misc{formslegal-data-processing-agreement-kenya,
author = {{Forms Legal}},
title = {Data Processing Agreement (Kenya)},
year = {2026},
howpublished = {\url{https://forms-legal.com/kenya/business/contracts/data-processing-agreement-kenya}},
note = {Free legal document template}
}
Frequently Asked Questions
Yes. Section 43(1) of the Data Protection Act No. 24 of 2019 expressly requires that any processing of personal data carried out on behalf of a data controller by a data processor must be governed by a written contract. The contract must set out the subject matter, duration, nature, and purpose of the processing; the type of personal data; the categories of data subjects; and the obligations and rights of the controller. The Office of the Data Protection Commissioner (ODPC), established under Section 5 of the Data Protection Act, has powers under Section 61 to investigate non-compliance and issue enforcement notices. Operating without a Data Processing Agreement exposes both the controller and the processor to administrative penalties under Section 69 of the Act. The Data Protection (General) Regulations 2021 (Legal Notice No. 46 of 2021) elaborate the minimum content requirements for controller-processor contracts, meaning there is no discretion to omit a DPA where a third party processes personal data on your behalf.
Under Section 2 of the Data Protection Act No. 24 of 2019, a data controller is a natural or legal person who determines the purposes and means of processing personal data, while a data processor is a person who processes personal data on behalf of a data controller. The distinction is functionally and legally significant in Kenya. A controller decides what data is collected, why it is collected, and how long it is retained. A processor only acts on the controller's documented instructions and has no independent authority to use the data for its own purposes. A company that collects customer data is typically the controller; the cloud hosting provider storing that data is the processor. Both must register with the Office of the Data Protection Commissioner (ODPC) if they process personal data above de minimis thresholds. However, if a processor exceeds the controller's instructions and begins determining processing purposes independently, that processor is deemed to have become a controller for that processing activity and assumes full controller liability under the Data Protection Act No. 24 of 2019.
Cross-border transfers of personal data from Kenya to foreign processors are regulated by Section 49 of the Data Protection Act No. 24 of 2019. A transfer is permitted where the recipient country provides an adequate level of data protection as determined by the Office of the Data Protection Commissioner (ODPC), or where the controller has implemented appropriate safeguards approved by the ODPC — typically standard contractual clauses incorporated into the Data Processing Agreement. In the absence of an adequacy determination or approved safeguards, a transfer may only proceed where the data subject has given explicit informed consent to the transfer, the transfer is necessary for the performance of a contract with the data subject, or it is necessary for important public interest reasons. Controllers who transfer data to processors outside Kenya without satisfying one of these conditions commit an offence under Section 49(4) of the Data Protection Act. Processors in Kenya processing data of European Union residents must also consider whether the EU General Data Protection Regulation (GDPR) applies to their activities, as GDPR has extraterritorial effect.
Under Section 43(5) of the Data Protection Act No. 24 of 2019, a data processor in Kenya must notify the data controller without undue delay after becoming aware of a personal data breach. The controller must then notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of the breach, under Section 43(6) of the Act. The notification must describe the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate volume of personal data records affected, the likely consequences of the breach, and the measures taken or proposed to address it. Where there is a high risk to data subjects' rights and freedoms, the controller must also notify the affected data subjects directly without undue delay. A Data Processing Agreement should specify the processor's notification obligations in detail, including the minimum information to be provided and the maximum time within which notification must be made. Failure to notify the ODPC within the required timeframe exposes the controller to enforcement action and penalties under Section 69 of the Data Protection Act No. 24 of 2019.
Data processors in Kenya that process personal data above certain thresholds must register with the Office of the Data Protection Commissioner (ODPC) under Section 17 of the Data Protection Act No. 24 of 2019. The Data Protection (Registration of Data Controllers and Processors) Regulations 2021 prescribe the registration process, fees, and categories of registrants. Processors handling sensitive personal data — defined in Section 2 of the Data Protection Act as data concerning health, race, ethnicity, political opinions, religious beliefs, genetic or biometric data, sexual orientation, or criminal records — must register regardless of processing volume. Unregistered processors who are required to register commit an offence under Section 17(6) of the Data Protection Act. Registration must be renewed periodically, and any material change in processing activities must be notified to the ODPC promptly. A Data Processing Agreement should confirm that the processor holds a current valid registration with the ODPC where required, and that the processor will maintain that registration throughout the term of the agreement.
No. Section 43(3) of the Data Protection Act No. 24 of 2019 requires a data processor to obtain prior written authorisation from the data controller before engaging a sub-processor. The main processor remains fully liable to the controller for the acts and omissions of any sub-processor as if the main processor itself had performed those acts. A Data Processing Agreement in Kenya should therefore specify whether sub-processing is permitted at all, and if so, whether the controller provides general written authorisation (subject to notification of new sub-processors) or requires specific written approval for each sub-processor. The main processor must impose on any sub-processor the same data protection obligations as those imposed on the main processor by the controller. Where a sub-processor fails to fulfil its data protection obligations, the main processor remains fully liable to the controller for the performance of the sub-processor's obligations. Controllers auditing their supply chains under the guidance of the Office of the Data Protection Commissioner (ODPC) should review all sub-processing arrangements as part of their compliance framework.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Data Sharing Agreement (Kenya)
A Kenya Data Sharing Agreement between two data controllers, compliant with the Data Protection Act No. 24 of 2019 and the Data Protection (General) Regulations 2021, governing the transfer and use of personal data.
Data Subject Consent Form (Kenya)
A Kenya Data Subject Consent Form for obtaining valid, informed consent to process personal data, compliant with the Data Protection Act No. 24 of 2019 and the Data Protection (General) Regulations 2021.
Data Breach Notification (Kenya)
A Kenya Data Breach Notification template for notifying the Office of the Data Protection Commissioner and affected data subjects following a personal data breach, compliant with the Data Protection Act No. 24 of 2019 s.43.
Cybersecurity Policy (Kenya)
A Kenya Cybersecurity Policy setting out an organisation's rules for protecting information systems, networks, and data, compliant with the Computer Misuse and Cybercrimes Act No. 5 of 2018 and the Data Protection Act No. 24 of 2019.
Non-Disclosure Agreement (Kenya)
A Kenya Non-Disclosure Agreement protecting confidential business information, governed by the Law of Contract Act Cap. 23 and the Data Protection Act No. 24 of 2019, enforceable in Kenya courts.