Data Subject Consent Form (Kenya)
DATA SUBJECT CONSENT FORM
Data Protection Act No. 24 of 2019 | Data Protection (General) Regulations 2021
This Data Subject Consent Form is issued by [Controller Name] (BRS No: [Controller BRS No.], KRA PIN: [Controller KRA PIN], ODPC Reg. No: [Controller ODPC Reg. No.]), of [Controller Address].
Data Protection Officer contact: [DPO Contact].
Date: [Consent Date]
1. DATA SUBJECT DETAILS
Full name: [Data Subject Name]
National Identity Card (NIC) Number: [Data Subject NIC]
Phone number: [Data Subject Phone]
Email address: [Data Subject Email]
Below 18 years of age (minor): [Is Minor]
Parent or guardian details (if applicable): [Parent/Guardian Name and NIC]
2. PERSONAL DATA COLLECTED AND PURPOSE
2.1 [Controller Name] will collect and process the following categories of your personal data: [Data Categories].
2.2 Sensitive personal data included: [Sensitive Data Included]. Where sensitive personal data is processed, [Controller Name] relies on explicit consent under Section 32 of the Data Protection Act No. 24 of 2019 in addition to the lawful basis stated below.
2.3 Your personal data is collected for the following purpose: [Processing Purpose].
2.4 The lawful basis for processing under Section 30 of the Data Protection Act No. 24 of 2019 is: [Lawful Basis].
3. DATA SHARING, RETENTION, AND CROSS-BORDER TRANSFER
3.1 Your personal data may be shared with the following third parties: [Third Party Recipients].
3.2 Your personal data will be retained for [Retention Period], after which it will be securely deleted or anonymised.
3.3 Transfer of data outside Kenya: [Cross-Border Transfer]. Details: [Cross-Border Transfer Details].
4. YOUR RIGHTS UNDER THE DATA PROTECTION ACT NO. 24 OF 2019
You have the following rights in relation to your personal data under Sections 26 to 35 of the Data Protection Act No. 24 of 2019:
(a) Right of access — to request a copy of your personal data held by [Controller Name];
(b) Right to rectification — to request correction of inaccurate personal data;
(c) Right to erasure — to request deletion of your personal data where it is no longer necessary or where consent has been withdrawn;
(d) Right to restrict processing — to request that processing be restricted pending resolution of an accuracy dispute;
(e) Right to data portability — to receive your data in a structured, machine-readable format;
(f) Right to object — to object to processing based on legitimate interests.
To exercise your rights, contact: [DPO Contact].
You may also lodge a complaint with the Office of the Data Protection Commissioner (ODPC) under Section 56 of the Data Protection Act No. 24 of 2019.
5. CONSENT DECLARATION AND RIGHT TO WITHDRAW
I, [Data Subject Name], confirm that I have read and understood the information set out in this Data Subject Consent Form. I understand what personal data is being collected, why it is being collected, with whom it will be shared, and how long it will be retained. I give my freely given, specific, informed, and unambiguous consent to the collection and processing of my personal data by [Controller Name] as described above.
I understand that I have the right to withdraw this consent at any time by contacting [DPO Contact]. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
For minors: I, [Parent/Guardian Name and NIC], as parent or legal guardian of [Data Subject Name], give consent on behalf of the above minor in accordance with the Children Act No. 29 of 2022 and the Data Protection Act No. 24 of 2019.
Data Subject (or Parent/Guardian if minor)
________________
Signature
Data Controller Representative
________________
Signature
Witness
________________
Signature
What Is a Data Subject Consent Form (Kenya)?
A Data Subject Consent Form (Kenya) is a formal document through which a data controller obtains a data subject's freely given, specific, informed, and unambiguous consent to the processing of their personal data, as required under Section 30(a) and Section 32 of the Data Protection Act No. 24 of 2019. The Office of the Data Protection Commissioner (ODPC), established under Section 5 of the Data Protection Act, enforces the consent standard and requires controllers to maintain records demonstrating that valid consent was obtained before processing commenced.
The Data Protection Act No. 24 of 2019 defines consent as any freely given, specific, informed, and unambiguous indication of the data subject's wishes, by which the data subject — by a statement or clear affirmative action — signifies agreement to the processing of personal data relating to them. Silent acceptance, pre-ticked boxes, and blanket terms buried in general contracts do not meet this standard under the Act. The Data Protection (General) Regulations 2021 (Legal Notice No. 46 of 2021) further specify that consent must be distinguishable from other matters, must be presented in plain language accessible to a lay person, and must inform the data subject of their right to withdraw consent at any time without detriment.
Consent in Kenya operates as one of six lawful bases for processing personal data under Section 30 of the Data Protection Act No. 24 of 2019. For sensitive personal data — defined in Section 2 of the Act to include data concerning health, racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or biometric data, sexual orientation, and criminal records — explicit consent under Section 32 is typically required unless another specific statutory ground applies. The ODPC's guidance notes that explicit consent requires a clear, affirmative statement from the data subject specifically acknowledging the sensitive nature of the data being processed.
A Kenya Data Subject Consent Form is distinct from general consent mechanisms embedded in website terms of service or employment contracts. The ODPC's enforcement approach, modelled on international standard practices including the European Union's General Data Protection Regulation (GDPR) and the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), treats consent as genuinely meaningful only where the data subject has sufficient information to understand exactly what they are consenting to and has a genuine, consequences-free choice to refuse or withdraw consent. Courts of Kenya adjudicating constitutional privacy claims under Article 31 of the Constitution of Kenya 2010 have increasingly aligned with this purposive interpretation of consent.
Data controllers in Kenya must retain records of consent under Section 22 of the Data Protection Act No. 24 of 2019. A well-structured Data Subject Consent Form creates a permanent, auditable record that the controller can produce during ODPC inspections, judicial proceedings before the High Court of Kenya, or internal compliance audits.
The legal framework governing the Data Subject Consent Form in Kenya draws on several key statutes and regulatory bodies. Under the Companies Act No. 17 of 2015, the Registrar of Companies at the Office of the Attorney General maintains the register of Kenyan companies. Section 3 of the Law of Contract Act (Cap. 23) governs contractual obligations. The Competition Authority of Kenya (CAK) enforces the Competition Act No. 12 of 2010. The Kenya Revenue Authority (KRA) administers corporate tax under the Income Tax Act (Cap. 470). The High Court of Kenya has unlimited original jurisdiction under Article 165 of the Constitution of Kenya 2010. Parties executing a Data Subject Consent Form in Kenya should confirm that the document reflects current law, including any amendments enacted since the original drafting date. The Data Protection Act No. 24 of 2019 sets the foundational requirements.
When Do You Need a Data Subject Consent Form (Kenya)?
A Kenya Data Subject Consent Form is required whenever a data controller relies on consent as the lawful basis for processing personal data, and is mandatory in several common Kenyan commercial and institutional scenarios.
A Data Subject Consent Form is required when a healthcare facility — hospital, clinic, pharmacy, or diagnostic laboratory — collects and processes patient health data for medical treatment, research, or insurance claim purposes. Health data constitutes sensitive personal data under Section 2 of the Data Protection Act No. 24 of 2019, and explicit consent under Section 32 is required unless the processing is strictly necessary for vital interests or a specific statutory obligation. The Kenya Medical Practitioners and Dentists Council and the Pharmacy and Poisons Board expect licensed facilities to maintain consent records.
A Data Subject Consent Form is needed when a financial institution, mobile money operator, or fintech company regulated by the Central Bank of Kenya (CBK) collects and processes customer personal data beyond what is strictly necessary for the contracted financial service — for example, when processing biometric data for identity verification, or when using customer transaction data for marketing and profiling purposes.
A Data Subject Consent Form is required when an employer collects sensitive employee personal data — health screening results, disability information, or trade union membership — beyond the minimum information required under the Employment Act No. 11 of 2007. The Employment and Labour Relations Court (ELRC) has treated unlawful collection of employee personal data as a breach of the employment relationship.
A Data Subject Consent Form is needed when a marketing company, e-commerce platform, or media company collects personal data for direct marketing, behavioural advertising, or customer profiling. The Data Protection Act No. 24 of 2019 and the Consumer Protection Act No. 46 of 2012 both require informed consent before direct marketing communications may be sent to individuals in Kenya.
A Data Subject Consent Form is required when a school, university, or educational institution in Kenya collects and processes student personal data — including performance records, health information, or biometric attendance data. Where students are below the age of 18, parental or guardian consent is required under the Children Act No. 29 of 2022 and the Data Protection Act No. 24 of 2019.
A Data Subject Consent Form is needed when a Kenyan NGO, research institution, or government body conducts surveys, studies, or data collection exercises involving personal data from members of the public. The Data Protection (General) Regulations 2021 require documented consent for research processing where no other lawful basis applies.
What to Include in Your Data Subject Consent Form (Kenya)
A valid Kenya Data Subject Consent Form under the Data Protection Act No. 24 of 2019 must contain the following essential elements to constitute legally effective consent recognised by the Office of the Data Protection Commissioner (ODPC).
Identity of the Data Controller: The full legal name, BRS registration number, physical address, KRA PIN, and ODPC registration number of the data controller collecting the consent. Data subjects have a right under Section 26 of the Data Protection Act to know the identity of the organisation collecting their data, and the ODPC requires this information to be prominently disclosed on the consent form.
Description of Personal Data Being Collected: A clear, specific description of the categories of personal data that will be collected and processed — for example, name, National Identity Card (NIC) number, KRA PIN, health records, biometric data, financial details, or location data. General descriptions like "your information" do not satisfy the specificity requirement of the Data Protection (General) Regulations 2021.
Purpose of Processing: A plain-language explanation of why the data is being collected and how it will be used. Where data will be used for multiple purposes — for example, both service delivery and marketing — separate consent must be obtained for each distinct purpose. Bundled consent for multiple purposes is not valid under Section 30(a) of the Data Protection Act No. 24 of 2019.
Lawful Basis: Identification of the lawful basis under Section 30 of the Data Protection Act on which the controller relies. For sensitive personal data, the specific condition under Section 32 relied upon must be stated.
Data Retention Period: The period for which the personal data will be retained, or the criteria used to determine that period. The Data Protection Act No. 24 of 2019 requires controllers to inform data subjects of retention periods at the time of consent collection.
Data Sharing and Third Parties: Disclosure of any third parties — processors under a Data Processing Agreement, or other controllers under a Data Sharing Agreement — to whom the data will be disclosed. Data subjects must be informed of all recipients or categories of recipients before giving consent.
Cross-Border Transfers: Where data will be transferred outside Kenya, the consent form must identify the recipient countries and confirm the legal basis for the transfer under Section 49 of the Data Protection Act No. 24 of 2019, including whether an ODPC adequacy determination or approved standard contractual clauses are in place.
Data Subject Rights: A plain-language summary of the data subject's rights under Sections 26 to 35 of the Data Protection Act No. 24 of 2019 — including rights of access, rectification, erasure, restriction, portability, and objection — and instructions on how to exercise those rights, including the contact details of the controller's data protection officer (DPO) and the ODPC complaint mechanism under Section 56.
Right to Withdraw Consent: A clear statement that the data subject has the right to withdraw consent at any time without negative consequences, and instructions for how to withdraw consent. The withdrawal mechanism must be as easy as the original consent mechanism. The forms-legal.com Data Subject Consent Form template includes a detachable withdrawal notice section.
Signature and Date: The data subject's full name, signature (or clear affirmative action equivalent for digital consent), and the date of consent. For data subjects under 18 years of age, parental or guardian consent is required under the Children Act No. 29 of 2022, and the form must include the parent's or guardian's details and signature.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Subject Consent Form (Kenya) (Kenya) [Legal document template]. Forms Legal. https://forms-legal.com/kenya/business/contracts/data-subject-consent-form-kenya
Frequently Asked Questions
Valid consent under the Data Protection Act No. 24 of 2019 must be freely given, specific, informed, and unambiguous. Freely given means the data subject had a genuine choice — consent obtained under coercion, or where refusal would result in denial of a service to which the person is legally entitled, is not valid. Specific means consent must be obtained separately for each distinct processing purpose. Informed means the data subject must receive clear information about who is collecting their data, why, for how long, and with whom it will be shared — before giving consent. Unambiguous means consent must be given through a clear affirmative action: a tick box, a written signature, or a comparable positive act. Pre-ticked boxes, silence, inactivity, or buried consent clauses in general contracts do not meet this standard. The Office of the Data Protection Commissioner (ODPC) enforces this standard and has powers to investigate complaints and issue enforcement notices under Sections 56 to 63 of the Data Protection Act No. 24 of 2019. For sensitive personal data — health, biometric, genetic, or criminal data — explicit consent under Section 32 imposes an even higher evidential threshold.
Yes. The Data Protection Act No. 24 of 2019 expressly provides that a data subject may withdraw consent at any time. The data controller must inform the data subject of the right to withdraw before consent is given, and withdrawal must be as easy as the original consent mechanism — if consent was given by ticking a box online, withdrawal must be achievable equally simply. Once consent is withdrawn, the controller must stop processing the data for the purpose covered by that consent, unless an alternative lawful basis under Section 30 of the Data Protection Act exists. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. Controllers who continue processing personal data after consent has been withdrawn, without an alternative lawful basis, commit an offence under the Data Protection Act No. 24 of 2019 and expose themselves to enforcement action by the Office of the Data Protection Commissioner (ODPC). A well-designed Data Subject Consent Form should include a clearly visible withdrawal mechanism — typically a tear-off section or a digital opt-out link.
Yes. Where a data controller in Kenya processes personal data relating to a child below the age of 18, parental or guardian consent is required under the Children Act No. 29 of 2022 and the Data Protection Act No. 24 of 2019. The best interests of the child are the paramount consideration under the Children Act No. 29 of 2022, which replaced the Children Act 2001 and brought Kenya's child welfare framework into alignment with the Constitution of Kenya 2010. A Data Subject Consent Form collecting children's data must identify the parent or legal guardian, include their NIC number and contact details, and record the parent's or guardian's written consent in place of (or alongside) the child's assent where the child is of sufficient age and maturity to understand the consent. Schools, health facilities, and online service providers that collect data from minors must implement age-verification mechanisms and parental consent workflows that satisfy both the Data Protection Act No. 24 of 2019 and the Children Act No. 29 of 2022.
The Data Protection Act No. 24 of 2019 does not require consent to be in writing in all cases, but the law does require controllers to maintain records demonstrating that valid consent was obtained under Section 22 of the Act. In practice, a written Data Subject Consent Form is the most reliable method of meeting both the consent standard and the record-keeping obligation. Oral consent may be valid if recorded and documented, but is difficult to prove in an ODPC audit or enforcement action. For sensitive personal data under Section 32 — health, biometric, genetic, racial, religious, or criminal data — the explicit consent standard requires a clear, affirmative, documented statement from the data subject. Digital consent mechanisms — including e-signatures, confirmation emails, and consent management platforms — are valid where they generate a durable record of the consent event, the information provided to the data subject, and the date of consent. The Office of the Data Protection Commissioner (ODPC) expects controllers to be able to produce consent records on demand, and the absence of documented consent is treated as evidence that valid consent was not obtained.
Processing personal data in Kenya without a valid lawful basis — including invalid or absent consent where consent is relied upon — constitutes an infringement of the Data Protection Act No. 24 of 2019. The Office of the Data Protection Commissioner (ODPC) has powers under Sections 56 to 63 of the Act to investigate complaints, conduct inspections, issue enforcement notices, and impose financial penalties under Section 69. Data subjects who suffer harm as a result of unlawful processing — whether material harm such as financial loss or identity theft, or non-material harm such as distress and reputational damage — may seek compensation from the data controller before the ODPC or the High Court of Kenya. Processing sensitive personal data without a valid lawful basis under Section 32 carries criminal liability under Section 71 of the Data Protection Act, with penalties including fines and imprisonment. Controllers who breach Article 31 of the Constitution of Kenya 2010 (the constitutional right to privacy) may also face constitutional petition proceedings before the High Court (Constitutional and Human Rights Division). These consequences underscore why a properly structured Data Subject Consent Form is an essential compliance tool.
Consent is generally not the appropriate lawful basis for processing employee personal data in Kenya, because the power imbalance between an employer and employee means that employee consent is rarely freely given — an employee who fears job loss or negative consequences if they refuse consent is not giving consent voluntarily as required by Section 30(a) of the Data Protection Act No. 24 of 2019. The Office of the Data Protection Commissioner (ODPC) has cautioned Kenyan employers against over-relying on consent for routine employment data processing. For core employment data — payroll, PAYE deductions under the Income Tax Act Cap. 470, NSSF contributions under the National Social Security Fund Act No. 45 of 2013, SHIF contributions under the Social Health Insurance Act No. 16 of 2024, and the Housing Levy — the appropriate lawful basis is contractual necessity or legal obligation, not consent. Consent may however be appropriate where an employer processes data beyond what is required for the employment relationship — for example, collecting biometric data for an optional benefits programme, or using employee photographs in marketing materials — where the employee genuinely has a free choice to opt in or out without adverse employment consequences.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Data Processing Agreement (Kenya)
A Kenya Data Processing Agreement between a data controller and data processor, compliant with the Data Protection Act No. 24 of 2019 s.45 and the Data Protection (General) Regulations 2021.
Non-Disclosure Agreement (Kenya)
A Kenya Non-Disclosure Agreement protecting confidential business information, governed by the Law of Contract Act Cap. 23 and the Data Protection Act No. 24 of 2019, enforceable in Kenya courts.