Privacy Policy (Kenya)
PRIVACY POLICY
Data Protection Act No. 24 of 2019 | Data Protection (General) Regulations 2021
[Organisation Name]
Effective Date: [Effective Date]
Website / Application: [Website URL]
1. IDENTITY OF THE DATA CONTROLLER
1.1 [Organisation Name] ("we", "us", or "our") is the data controller responsible for your personal data. We are registered and operating in Kenya and are subject to the Data Protection Act No. 24 of 2019 ("DPA 2019") and the Data Protection (General) Regulations 2021, administered by the Office of the Data Protection Commissioner ("ODPC") established under Section 5 of the DPA 2019.
1.2 Contact details:
Address: [Organisation Address]
Email: [Organisation Email]
Phone: [Organisation Phone]
Website: [Website URL]
1.3 Data Protection Officer (DPO): [DPO Name], Email: [DPO Email]. You may contact our DPO directly with any questions or concerns about how we handle your personal data.
2. PERSONAL DATA WE COLLECT
2.1 We collect the following categories of personal data: [Data Categories]
2.2 We collect personal data through the following methods: [Collection Methods]
2.3 Sensitive personal data: Where we process sensitive personal data as defined under Section 2 of the DPA 2019 — including health data, biometric data, financial data, or data revealing religious or political beliefs — we do so only on the basis of your explicit consent under Section 33 of the DPA 2019 or another lawful basis prescribed by law.
3. PURPOSES AND LAWFUL BASIS FOR PROCESSING
3.1 Under Section 30 of the DPA 2019, we process your personal data for the following purposes: [Processing Purposes]
3.2 Where we rely on consent as our lawful basis, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. Where we rely on legitimate interests under Section 30(f) of the DPA 2019, you have the right to object to such processing.
3.3 We will not process your personal data for purposes incompatible with those stated above without informing you and, where required, obtaining fresh consent under the DPA 2019.
4. SHARING PERSONAL DATA WITH THIRD PARTIES
4.1 Categories of third parties with whom we share personal data: [Third Party Categories]
4.2 All third-party service providers who process personal data on our behalf are required to enter into a Data Processing Agreement under Section 37 of the DPA 2019 and to implement appropriate security measures. We do not sell your personal data to any third party.
4.3 We may also disclose personal data to government authorities — including the Kenya Revenue Authority (KRA) under the Tax Procedures Act No. 29 of 2015, the ODPC under the DPA 2019, and courts of competent jurisdiction — where required by law.
5. CROSS-BORDER TRANSFERS OF PERSONAL DATA
5.1 We transfer personal data outside Kenya to the following countries or regions: [Cross Border Countries]
5.2 Such transfers are made in accordance with Section 48 of the DPA 2019. Where the destination country does not have adequate data protection laws, we rely on standard contractual clauses, explicit consent from the data subject, or other lawful safeguards approved by the ODPC to ensure your personal data is protected to a standard equivalent to the DPA 2019.
6. DATA RETENTION
6.1 We retain personal data only for as long as necessary for the purposes set out in this Privacy Policy, or as required by law. Our retention periods are as follows: [Retention Period]
6.2 Where personal data is no longer required, we securely delete, destroy, or anonymise it. Financial records are retained for a minimum of 5 years in compliance with the Tax Procedures Act No. 29 of 2015.
7. YOUR DATA SUBJECT RIGHTS
7.1 Under Section 26 of the Data Protection Act No. 24 of 2019, you have the following rights in respect of your personal data:
(a) Right of access — to obtain confirmation that we process your personal data and to receive a copy.
(b) Right to rectification — to require us to correct inaccurate or incomplete personal data.
(c) Right to erasure — to request deletion of your personal data in certain circumstances.
(d) Right to object — to object to processing based on legitimate interests or for direct marketing.
(e) Right to restriction — to request that we limit how we use your personal data.
(f) Right to data portability — to receive your personal data in a structured, machine-readable format.
(g) Right in relation to automated decision-making — not to be subject to decisions based solely on automated processing that significantly affect you.
7.2 To exercise any of these rights, please contact us at: [Rights Request Contact]. We will respond within [Response Days] calendar days. Requests are free of charge for an initial request in any 12-month period.
7.3 If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) under Section 56 of the DPA 2019.
8. SECURITY OF YOUR PERSONAL DATA
8.1 We implement appropriate technical and organisational measures under Section 41 of the DPA 2019 to protect your personal data against unauthorised access, disclosure, alteration, or destruction. Our security measures include: [Security Measures]
8.2 In the event of a personal data breach that is likely to affect your rights and freedoms, we will notify the ODPC within 72 hours under Section 43 of the DPA 2019, and will notify affected data subjects without undue delay.
9. COOKIES AND TRACKING TECHNOLOGIES
9.1 Our website and applications may use cookies and similar tracking technologies to improve your experience and to analyse usage. Cookies are small files placed on your device when you visit our website.
9.2 We use the following types of cookies: (a) Essential cookies — necessary for the website to function correctly; (b) Analytics cookies — to understand how visitors interact with our website; (c) Marketing cookies — to deliver relevant advertisements where you have consented.
9.3 You can control your cookie preferences through your browser settings or through our cookie consent banner. Disabling certain cookies may affect the functionality of our website. For a detailed description of cookies used, please refer to our Cookie Policy at [Website URL].
10. CHANGES TO THIS PRIVACY POLICY
10.1 We review this Privacy Policy periodically and will update it to reflect changes in our data processing activities, changes in law, or ODPC guidance. The effective date at the top of this document shows when the current version took effect.
10.2 Where changes are material — involving new purposes, new data categories, or new third-party recipients — we will notify you by email or by a prominent notice on our website and, where required by the DPA 2019, seek fresh consent.
11. CONTACT US
For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact:
[Organisation Name]
Email: [Organisation Email]
Phone: [Organisation Phone]
Address: [Organisation Address]
This Privacy Policy is prepared in accordance with the Data Protection Act No. 24 of 2019 and the Data Protection (General) Regulations 2021, Kenya.
Data Controller Representative
________________
Signature
What Is a Privacy Policy (Kenya)?
A Privacy Policy in Kenya sets out the rules and standards the organisation commits to when handling the personal data of those it covers, and the rights those individuals have in respect of that data.
Section 25 of the DPA 2019 sets out the data protection principles that every data controller and processor must observe. Personal data must be processed lawfully, fairly, and transparently (Section 25(a)); collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes (Section 25(b)); adequate, relevant, and limited to what is necessary (Section 25(c)); accurate and kept up to date (Section 25(d)); not kept longer than necessary (Section 25(e)); and processed with appropriate technical and organisational security measures (Section 25(f)). A Privacy Policy is the primary mechanism by which a data controller demonstrates compliance with the transparency principle under Section 25(a).
The DPA 2019 distinguishes between a data controller — a person who determines the purpose and means of processing — and a data processor — a person who processes data on behalf of a data controller. Both categories must register with the ODPC under Section 17 of the Act now that the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021 are in force. The annual registration fee is KES 5,000 for small organisations and KES 50,000 for large organisations, as defined in the Regulations.
A Kenya Privacy Policy must identify the lawful basis for each category of processing. Under Section 30 of the DPA 2019, the lawful bases available to a data controller include: consent of the data subject (Section 30(a)); performance of a contract (Section 30(b)); compliance with a legal obligation (Section 30(c)); protection of vital interests (Section 30(d)); public interest or official authority (Section 30(e)); and legitimate interests (Section 30(f)). Consent, where relied upon, must be freely given, specific, informed, and unambiguous under Section 32 of the DPA 2019.
The DPA 2019 grants data subjects a suite of rights: the right to access personal data (Section 26(a)); the right to rectification of inaccurate data (Section 26(b)); the right to erasure (Section 26(c)); the right to object to processing (Section 26(d)); the right to data portability (Section 26(e)); and the right not to be subject to automated decision-making (Section 26(f)). The Privacy Policy must explain how data subjects can exercise each of these rights and the timeframe within which the data controller will respond.
Cross-border transfers of personal data outside Kenya are regulated under Section 48 of the DPA 2019. Transfers are permitted where the destination country has adequate data protection laws, where the data subject has consented, where standard contractual clauses have been used, or where binding corporate rules are in place. A Privacy Policy for any Kenyan business that shares data with foreign service providers — including cloud platforms, email marketing tools, or analytics providers hosted outside Kenya — must address cross-border transfers and the safeguards in place.
The Data Protection (General) Regulations 2021 published under the DPA 2019 further detail the content requirements for privacy notices, the procedures for handling data subject rights requests, and the records of processing activities that must be maintained. Non-compliance with the DPA 2019 attracts administrative fines of up to KES 5,000,000 or imprisonment of up to 10 years under Section 71, making a strong Privacy Policy essential for every Kenyan business.
When Do You Need a Privacy Policy (Kenya)?
A Privacy Policy in Kenya is required as soon as any organisation collects, stores, or processes personal data of individuals located in Kenya, regardless of the organisation's size, sector, or the volume of data processed.
A Privacy Policy is needed when a Kenyan business operates a website, mobile application, or online platform that collects user data — including names, email addresses, phone numbers, IP addresses, or cookies. The DPA 2019 and the Data Protection (General) Regulations 2021 require a privacy notice to be provided at the point of data collection. Failure to publish a compliant Privacy Policy exposes the business to investigation and fines by the Office of the Data Protection Commissioner.
A Privacy Policy is required when a company registers with the ODPC as a data controller or data processor under the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021. The ODPC's registration process requires submission of the organisation's privacy policy as part of the application. Organisations that process data of 1,000 or more data subjects, or that process sensitive personal data, are required to register.
A Privacy Policy is needed when a Kenyan employer collects employee personal data — including biometric data for attendance systems, payroll data, and health information — which constitutes sensitive personal data under Section 2 of the DPA 2019. The employer must inform employees about how their data will be used, the lawful basis, retention periods, and rights available to them.
A Privacy Policy is required when a Kenyan business engages in email marketing or direct marketing using personal data. The DPA 2019 requires prior consent for electronic marketing communications, and the Privacy Policy must describe the marketing use and how recipients can opt out.
A Privacy Policy is essential when a Kenyan business shares customer data with third parties — payment processors, delivery companies, cloud service providers, or advertising platforms. The Privacy Policy must identify the categories of third-party recipients and the basis for sharing, including any cross-border transfers under Section 48 of the DPA 2019.
A Privacy Policy is needed before launching a health-tech, fintech, or ed-tech product in Kenya where sensitive personal data — defined under Section 2 of the DPA 2019 to include health data, financial data, biometric data, and data revealing religious or political beliefs — will be processed. Such products require a Data Protection Impact Assessment (DPIA) under Section 31 of the DPA 2019, and the Privacy Policy forms part of the DPIA documentation.
What to Include in Your Privacy Policy (Kenya)
A Kenya Privacy Policy compliant with the Data Protection Act No. 24 of 2019 and the Data Protection (General) Regulations 2021 must contain the following essential elements.
Identity of the Data Controller: The full legal name of the organisation, its Business Registration Service (BRS) number or company number under the Companies Act No. 17 of 2015, physical address, email address, and the name and contact details of the designated Data Protection Officer (DPO) where one has been appointed. Section 24 of the DPA 2019 requires data controllers to publish contact details through which data subjects can exercise their rights.
Types of Personal Data Collected: A clear description of each category of personal data collected — identification data (name, ID number), contact data (email, phone), financial data (payment information, bank account details), technical data (IP address, device identifiers, cookies), and any sensitive personal data as defined in Section 2 of the DPA 2019. The policy must be specific, not generic.
Lawful Basis for Processing: For each purpose of processing, the lawful basis under Section 30 of the DPA 2019 must be stated. Where consent is the basis, the mechanism for obtaining and withdrawing consent must be explained. Where legitimate interests are relied upon, the nature of the legitimate interest and the balancing test conducted must be described.
Purposes of Processing: Each purpose for which personal data is processed must be stated with specificity — for example, order fulfilment, fraud prevention, customer service, marketing, regulatory compliance, or analytics. The DPA 2019 prohibits processing for purposes incompatible with those originally stated without obtaining fresh consent or identifying a new lawful basis.
Data Retention Periods: The period for which each category of personal data will be retained, or the criteria used to determine the retention period. Where data is retained to comply with a legal obligation — for example, the Tax Procedures Act No. 29 of 2015 requires financial records to be retained for 5 years — that legal obligation should be cited.
Data Subject Rights: A clear explanation of each right available under Section 26 of the DPA 2019 — access, rectification, erasure, objection, restriction, data portability, and rights in relation to automated decision-making — together with the procedure for submitting a request and the response timeframe (typically 30 days under the Regulations).
Third-Party Sharing and Processors: The categories of third parties with whom personal data is shared, whether as independent controllers or as data processors acting under a Data Processing Agreement (DPA) under Section 37 of the DPA 2019. Specific third-party tools used — payment gateways like Pesalink or Cellulant, analytics platforms, or CRM systems — should be disclosed.
Cross-Border Transfers: Where personal data is transferred outside Kenya, the countries or regions involved, the legal mechanism relied upon (adequacy decision, standard contractual clauses, or consent under Section 48 of the DPA 2019), and the safeguards in place must be disclosed. Cloud services hosted in the European Union, United States, or South Africa must be specifically addressed.
Security Measures: A description of the technical and organisational security measures implemented to protect personal data, including encryption, access controls, staff training, and incident response procedures. Section 41 of the DPA 2019 requires data controllers to implement appropriate security measures.
Data Breach Notification: The policy should state that in the event of a personal data breach affecting data subjects' rights and freedoms, the ODPC will be notified within 72 hours under Section 43 of the DPA 2019, and affected data subjects will be notified without undue delay.
Cookies and Tracking Technologies: Where the organisation operates a website or application, the types of cookies and tracking technologies used, their purposes, and how users can manage their cookie preferences must be disclosed in accordance with the Data Protection (General) Regulations 2021.
The forms-legal.com Kenya Privacy Policy template incorporates all elements required by the DPA 2019, the Data Protection (General) Regulations 2021, and ODPC guidance, and can be customised for any Kenyan business sector.
Cite this page
Forms Legal. (2026). Privacy Policy (Kenya) [Legal document template]. Forms Legal. https://forms-legal.com/kenya/business/policies/privacy-policy-kenya
Frequently Asked Questions
Under the Data Protection Act No. 24 of 2019 (DPA 2019), every data controller and data processor in Kenya that processes personal data of individuals located in Kenya is required to provide a privacy notice. This obligation applies regardless of the size of the business or the volume of data processed. Section 25(a) of the DPA 2019 requires that personal data be processed transparently, and Section 26 requires data controllers to inform data subjects of the identity of the controller, the purposes of processing, the lawful bases, the data subject's rights, and other prescribed information. The Data Protection (General) Regulations 2021 further specify the content of privacy notices. Organisations that process data of 1,000 or more data subjects, or that process sensitive personal data — including health, biometric, or financial data — must additionally register with the Office of the Data Protection Commissioner (ODPC) under the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021. Failure to publish a compliant Privacy Policy or to register with the ODPC can attract fines of up to KES 5,000,000 under Section 71 of the DPA 2019.
Section 2 of the Data Protection Act No. 24 of 2019 defines sensitive personal data as personal data revealing the natural person's race or ethnic origin, health status, political opinions, religious or philosophical beliefs, trade union membership, financial data, sex life or sexual orientation, biometric or genetic data, and data relating to a child. Processing sensitive personal data requires an additional lawful basis beyond the general lawful bases in Section 30. Under Section 33 of the DPA 2019, sensitive personal data may be processed only with the data subject's explicit consent, for vital interests, for establishment of a legal claim, for public interest in public health, or for archiving and research purposes. Employers processing biometric attendance data, health insurers processing medical records, and fintech companies processing financial data must all comply with the heightened requirements for sensitive personal data. The Privacy Policy must expressly identify categories of sensitive personal data collected and the specific lawful basis relied upon for processing each category.
Under Section 26(a) of the Data Protection Act No. 24 of 2019, a data subject has the right to obtain from a data controller confirmation of whether their personal data is being processed and, if so, to receive a copy of that data along with prescribed supplementary information. The Data Protection (General) Regulations 2021 prescribe that a data controller must respond to a data subject access request within a reasonable time, which is generally interpreted as 30 days. The response must be provided free of charge for a first request; reasonable fees may be charged for subsequent requests within a 12-month period. Where the data controller cannot comply with the request — for example because it would adversely affect the rights of another person — the controller must explain the reason for refusal and inform the data subject of their right to complain to the ODPC under Section 56 of the DPA 2019. Organisations should have an internal process for logging, verifying the identity of, and responding to data subject access requests, and the Privacy Policy should explain this process clearly.
The Data Protection Act No. 24 of 2019 establishes a graduated enforcement regime administered by the Office of the Data Protection Commissioner (ODPC). Under Section 71 of the DPA 2019, a person who contravenes any provision of the Act commits an offence and is liable on conviction to a fine not exceeding KES 3,000,000 or imprisonment for a term not exceeding 10 years, or both. For corporate offenders, a fine not exceeding KES 5,000,000 may be imposed. The ODPC also has power to issue administrative enforcement notices, compliance orders, and data processing restrictions. In addition to criminal penalties, data subjects who suffer damage as a result of a breach of the DPA 2019 are entitled to claim compensation from the data controller or data processor under Section 72. The ODPC has already commenced enforcement action against several Kenyan organisations following complaints and its own investigations. Organisations should treat Privacy Policy compliance as a standing legal obligation and conduct regular Data Protection Impact Assessments for high-risk processing activities.
Cross-border transfers of personal data from Kenya to a country outside Kenya are regulated under Section 48 of the Data Protection Act No. 24 of 2019. A data controller may transfer personal data to a foreign country if the Office of the Data Protection Commissioner has determined that the destination country has adequate data protection laws and practices; or if the data subject has given explicit consent to the transfer; or if the transfer is necessary for the performance of a contract between the data subject and the controller; or if standard contractual clauses or binding corporate rules approved by the ODPC are in place. Transfers to countries without adequate data protection — which currently includes the United States, India, and many other popular cloud hosting jurisdictions — must rely on contractual safeguards. Any Kenya business using international cloud services (Google Cloud, Amazon Web Services, Microsoft Azure), email marketing platforms, or analytics tools hosted outside Kenya must address these transfers in its Privacy Policy and ensure appropriate contractual mechanisms are in place with the foreign service providers.
Yes. Section 3 of the Data Protection Act No. 24 of 2019 establishes that the Act applies to any data controller or data processor established in Kenya, and also to controllers and processors not established in Kenya where they process personal data of data subjects who are in Kenya or where the processing relates to the offering of goods or services to individuals in Kenya, or to monitoring behaviour of individuals in Kenya. This extraterritorial scope mirrors the approach taken by the European Union's General Data Protection Regulation (GDPR). Foreign companies with Kenyan customers — including multinational e-commerce platforms, social media companies, and subscription services — must comply with the DPA 2019 in respect of their Kenyan users' data. Such companies should appoint a local representative in Kenya, register with the ODPC if required, and ensure their Privacy Policies are accessible in a language understood by their Kenyan data subjects and reflect the rights available under the DPA 2019.
A Kenya Privacy Policy should be reviewed and updated whenever there is a material change in the organisation's data processing activities — including when new personal data categories are collected, new purposes of processing are introduced, new third-party processors are engaged, or data is transferred to a new foreign jurisdiction. Best practice under the Data Protection Act No. 24 of 2019 is to conduct an annual review of the Privacy Policy to ensure ongoing compliance with ODPC guidance, amendments to the Data Protection Regulations, and changes in the organisation's business model. When a Privacy Policy is updated, the data controller must notify data subjects of the changes. Where the changes involve a new purpose of processing or a new lawful basis, fresh consent may need to be obtained from data subjects who previously consented to the original terms. The date of the last update should be prominently displayed at the top of the Privacy Policy so that data subjects can identify the current version.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.