Kenya · Data protection

Kenya's Data Protection Act, as published facts.

The duties the Data Protection Act 2019 places on data controllers and processors — registration, DPO publication, collection rules, high-risk consultation — published with verified citations to the consolidated Act.

RegulatorODPC
Primary instrumentData Protection Act, 2019 (Cap. 411C)
Consolidated as at2022-12-31
Published facts59 rows · 60/60 verified quotes

Where this comes from

Published pack rows, not scraped summaries.

Kenya's data protection regime is enforced by the Office of the Data Protection Commissioner, and its obligations reach any organisation processing personal data of Kenyan data subjects — local or foreign. The pack compiles the Data Protection Act 2019 (Cap. 411C) to section level: 1,408 provisions across 4 instruments.

The KE-DATA-PROTECTION pack currently publishes 33 published data-controller obligations. Every published row carries a verified quote span from the consolidated instrument, an explicit review decision, and version history. Published rows are a reviewed subset of the compiled regulatory corpus — depth keeps growing under the same publication policy.

This page is maintained by the Esheria Legal Team. Facts shown here come from published pack rows with verified quote spans, and none of it is legal advice.

Key obligations

Four duties controllers miss most often.

01

Keep your ODPC registration current.

Registered data controllers must notify the Data Commissioner of any change to the particulars in their registration. Stale registrations are a compliance gap regulators can see. (Section 19(5), Data Protection Act, 2019 (No. 24 of 2019, Cap. 411C).)

02

Publish your DPO's contact details.

Where a data protection officer is appointed, the organisation must publish the DPO's contact details on its website and communicate them to the Data Commissioner. (Section 24(6), Data Protection Act, 2019 (No. 24 of 2019, Cap. 411C).)

03

Collect personal data directly from the data subject.

Personal data must be collected directly from the data subject, subject only to the exceptions the Act itself sets out. Indirect collection needs a lawful basis. (Section 28(1), Data Protection Act, 2019 (No. 24 of 2019, Cap. 411C).)

04

Consult the ODPC before high-risk processing.

Where a data protection impact assessment shows that processing would result in high risk, the data controller must consult the Data Commissioner before processing starts. (Section 31(3), Data Protection Act, 2019 (No. 24 of 2019, Cap. 411C).)

Sources & related

Check the source, then go deeper.

Talk to the team

Talk to the team

Mapping your Kenyan data protection exposure? Tell us about your processing footprint and we will show you the published obligations that apply.

Or email hello@esheria.ai