Kenya finally has a Data Protection Act which took effect on 25th November 2019.

The Act has adopted and incorporated the key provisions and principles of the General Data Protection Regulations (GDPR) which came into force on 25th May 2018 in all E.U. member states and whose aim was to harmonize data privacy laws across Europe.

In this article, I shall highlight the key provisions of the Act which employers should bear in mind. 


The primary objective of the Act is to give effect to the right of privacy as provided for in Article 31(c) and (d) of the Constitution, by setting out the requirements for the protection of personal data processed by both public and private entities.

The Constitutional right to privacy

Article 31 guarantees every person the right to privacy which includes the right not to have (c) information relating to their family or private affairs unnecessarily required or revealed, or (d) the privacy of their communications infringed.

Key definitions

“Data controller”  is defined as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data;

“Data processor”  is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;

“Data subject  is defined as an identified or identifiable natural person who is the subject of personal data;

“Personal data”  is defined as any information relating to an identified or identifiable natural person.

“Processing” is defined as any operation … which is performed on personal data … such as:-

  • Collection, recording, organisation, structuring;
  • Storage, adaptation or alteration;
  • Retrieval, consultation or use;
  • Disclosure by transmission, dissemination or otherwise making available;
  • Alignment or combination, restriction, erasure or destruction.

What this means: Employers, by the mere fact that they collect and hold information relating to their employees, are automatically captured in the definition of “data controllers” and all employees are data subjects.

Data Protection Commissioner 

Section 5 establishes the office of the Data Protection Commissioner whose duties include to: –

  • Oversee the implementation and enforcement of the Act;
  • Establish and maintain a register of data controllers and data processors;
  • Exercise oversight on data processing operations.

Registration of data controllers and processors

According to Section 18, no person shall act as a data controller or data processor unless registered with the Data Commissioner.

The Data Commissioner shall prescribe thresholds for mandatory legislation considering: – 

  • The nature of the industry;
  • The volumes of data processed;
  • Whether sensitive personal data is being processed; and
  • Any other criteria the Data Commissioner may specify.

What this means: Depending on the threshold that shall eventually be set, many employers may have to register as “data controllers”. Those who manage data within their organizations will have to register as “data processors”. 

Audits (Section 23)

The Data Commissioner has the power to carry out periodical audits of the processes and systems of the data controllers or data processors to ensure compliance with this Act.

Principles and Obligations of Personal Data Collection

Section 25 sets out the following principles of personal data collection:-

Every data controller or data processor shall ensure that personal data is: –

  • Processed in accordance with the right to privacy of the data subject;
  • Processed lawfully, fairly and in a transparent manner in relation to any data subject;
  • Collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • Adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
  • Collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
  • Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  • Kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected; and
  • Not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

What this means: Employers must ensure compliance with the above principles in their management of employee’s data.

Rights of Data subjects (Section 26)

Data subjects (employees) have the following rights:-

  • To be informed of the use to which their personal data is to be put;
  • To access their personal data in the custody of the data controller or data processor;
  • To object to the processing of all or part of their personal data;
  • To the correction of false or misleading data; and
  • To deletion of false or misleading data about them. 

Before collecting personal data, a data collector is required to inform the data subject of, among other things, their rights, purposes of data collection and measures to be taken to ensure confidentiality of the data etc. (Section 29).

Consent of the data subject (employee) is required prior to processing the data (Section 30). A data controller or data processor shall bear the burden of proof for establishing a data subject’s consent to the processing of their personal data for a specified purpose (Section 32).

What does this mean (at the very least):-

  1. Employers should put in place measures to ensure that the data management principles set out above are observed;
  2. Employee consent should be obtained for data collection and use – from the point of recruitment through to all operations involving the use of personal data;
  3. Employers should be forthright about the use for which the data is being collected. Valid explanations should be given for the collection and use of information relating to an employee’s family and private affairs;
  4. Employers should ensure that employees are clear on their data protection rights;
  5. Employers should audit their data management processes (including data monitoring) to ensure compliance with the Act and particularly, to ensure that there are no breaches of privacy;
  6. Employers should introduce or amend existing data protection policies to ensure compliance with the Act.

Sensitive personal data

“Sensitive personal data” is defined as data revealing an employee’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject.

Processing of sensitive personal data should be done in accordance with the principles set out in Section 25

Sensitive personal data may be processed where the processing is necessary for:-

  • The establishment, exercise or defence of a legal claim;
  • The purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject; or
  • Protecting the vital interests of the data subject.

Personal data relating to health 

Section 46 provides that data relating to health should only be processed:-

  • By or under the responsibility of a health care provider; or
  • By a person subject to the obligation of professional secrecy under any law.

Transfer of personal data outside Kenya

Section 49 provides that the processing of sensitive personal data out of Kenya shall only be effected upon obtaining the consent of a data subject and on obtaining confirmation of appropriate safeguards.


There is need for Regulations to operationalise some parts of the Act. According to Section 71, the Cabinet Secretary may make regulations for prescribing anything required or necessary to be prescribed by or under the Act. The regulations may also provide for:-

  • The requirements which are imposed on a data controller or data processor when processing personal data;
  • Mechanisms of conducting certification program;
  • The contents which a notice or registration by a data controller or data processor should contain;
  • Information to be provided to a data subject and how such information shall be provided;
  • The levying of fees and taking of charges;
  • The measures to safeguard a data subject’s rights, freedoms and legitimate interests;
  • The processing of data through a data server or data centre in Kenya;
  • Issuing and approval of codes of practice and guidelines; or
  • Any other matter that the Cabinet Secretary may deem fit.

Enforcements & Penalities

Any person who, without reasonable excuse, fails to comply with an enforcement notice issued by the Data Commissioner commits an offence and is liable on conviction to a fine not exceeding five million shillings or to imprisonment for a term not exceeding two years, or to both (Section 58).

If the Data Commissioner is satisfied that a person has failed or is failing as described in section 58, the Data Commissioner may issue a penalty notice requiring the person to pay to the Office of the Data Commissioner an amount specified in the notice (Section 62).

Section 63 – the maximum amount of penalty that may be imposed by the Data Commissioner is up to five million shillings, or in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, whichever is lower.

Section 65 – a data subject who suffers damage by reason of a contravention of the Act is entitled to compensation from the data controller or the data processor. “Damage” includes financial loss and damage not involving financial loss, including distress.


Have you found our articles useful? Are you a business owner, HR practitioner or legal practitioner? Help us do better by taking just 2 minutes to complete these 10 survey questions…CLICK HERE

***THE END***

About Anne Babu

Anne is an Advocate of the High Court of Kenya and the Founding Partner of Anne Babu & Co. She has practised employment law for over 12 years and her employment law practice has been recognized by the prestigious Chambers & Partners. Anne cares about employers and their labour issues.


The information on this website is for general guidance on your rights and responsibilities and is not legal advice. If you need more details on your rights or legal advice about what action to take, please contact a lawyer.

We try to ensure that the information on this website is accurate. However, we will not accept liability for any loss, damage or inconvenience arising as a consequence of any use of or the inability to use any information on this website.

We assume no responsibility for the contents of linked websites. The inclusion of any link should not be taken as an endorsement of any kind by us of the linked website or any association with its operators. Further, we have no control over the availability of the linked pages.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.


  1. Alex Kakungi says:

    This is quite an insightful piece for not only those in the hr profession but also for all employers in Kenya

  2. James says: it legal for a business say like supermarket to use my mobile no.(that I used to pay with mpesa) to send me promotional sms without my consent?

    1. Anne Babu says:

      They need your consent to do that.

error: Content is protected !!
%d bloggers like this: