March 20, 2019 In Thought Leadership

Congruence between Kenya’s Data Protection Act and EU General Data Protection Regulations


The European Union General Data Protection Regulations (GDPR) are a set of European Union (EU) regulations that came into effect on 25 May 2018. The purpose of the regulations is to protect EU Citizens’ fundamental rights and freedoms as regards their personal data and information.

In the recent past EU Citizens’ personal information was used without their consent or without the necessary safeguards outlined in the GDPR. This has proved expensive for entities handling such information, culminating in investigations against companies such as British Airways and Facebook and in hefty fines.

The GDPR was a response to technological advancements, for example the internet, the cloud and social media, which changed the way data has traditionally been held, collected and used.

Impact of the GDPR on Kenyan Businesses holding personal information

Owing to the extra-territorial nature of the internet and of online services that can be performed outside the EU, the GDPR adopted an approach that extends the limits of its jurisdiction and applicability beyond Europe’s borders. Non-EU data controllers and processors (defined below) must now comply with the GDPR when handling personal information, save for very specific instances, and for this reason it is recommended that businesses establish a risk profile of their various activities. The upshot of this is that any Kenyan entity offering goods and services to EU data subjects (e.g. banks, hotels, insurers, schools) would need to ensure that it complies with the GDPR owing to the expansion of its territorial scope.

The penalty for non-compliance with the GDPR is limited to the greater of 4% of an entity’s global revenue or EUR 20 million. It is worth noting that regulators have an additional array of sanctions, including stopping businesses that remain in continued non-compliance with the GDPR.

What is a data controller and what is a data processor?

A data controller is the natural or legal person (e.g. incorporated or unincorporated company, partnership, statutory corporation), public authority or other agency which alone or jointly with others, determines the purposes and means of processing of personal data.

A data controller might, for one reason or another, want the data it holds to be processed by a third party. A data processor is the body that processes information on behalf of the data controller.

An illustration of the relationship between a data controller and a data processor is an organisation contracting with a payroll company to handle the organisation’s employees’ payroll. The payroll company’s use of the employees’ information in compiling the payroll is an example of a data processor handling personal data on behalf of the data controller.

Personal Data under the GDPR is defined as “any information which is related to an identified or identifiable natural person.” The broad definition of personal data makes it inclusive of a wide array of markers, such as names, GPS locations, IMEI numbers, biometric information, etc. The ability of third parties to identify data subjects using such pieces of data brings it under the ambit of personal data and as such, under the protection of the GDPR. All processing, therefore, must be GDPR-compliant.

Data Protection Act, 2019

The Data Protection Act, 2019 (the Act) shares a lot with the GDPR with respect to data protection. Prior to its enactment, Kenya lacked a cross-cutting law on the protection of personal data. This led to inconsistent interpretation of the right to privacy as a constitutional right enshrined in the Constitution of Kenya, 2010.

President Uhuru Kenyatta signed the Data Protection Bill into law on 8 November 2019. The purposes of the Act are:

        1. to give effect to Article 31 (c) and (d) of the Constitution;
        2. to establish the Office of the Data Protection Commissioner;
        3. to make provision for the regulation of the processing of personal data; and
        4. to provide for the rights of data subjects and create obligations for data controllers and processors.

The Act applies to any entity that processes the personal data of Kenyan citizens, or that operates within Kenya even if it processes the personally identifiable information of foreigners.

The penalties imposed for breaching the provisions of the Act are limited to KES 5,000,000 or a prison term of up to 10 years.

Furthermore, the Act, like the GDPR, requires entities or persons dealing with personal data beyond a certain threshold to have a Data Protection Officer. Both statutes require that a data controller or processor appoint a Data Protection Officer where:

        1. the entity is a public body;
        2. the entity engages in the systematic monitoring of private persons; or
        3. the entity engages in the large-scale processing of sensitive personal data.

The functions of a Data Protection Officer include:

        1. to advise the data controller or data processor and their employees on data processing requirements as provided for under the Act or the GDPR;
        2. to ensure, on behalf of the data controller and the data processor that the Act or GDPR have been complied with;
        3. to facilitate the capacity building of staff involved in data protection exercises at the data controller or the data processor;
        4. to provide advice on Data Protection Impact Assessments; and
        5. to cooperate with the Data Commissioner or any authority on matters to do with data protection.

Where the intended processing of a data subject’s personal data is likely to pose a high risk to the data subject’s rights, the Act makes it mandatory that the data controller or the data processor undertake a Data Protection Impact Assessment.

Office of the Data Protection Commissioner

The Act establishes the office of the Data Protection Commissioner, which is headed by the Data Commissioner. The Data Protection Commissioner is the regulator for all matters concerning data processing. We await the appointment of the Data Commissioner who shall have the power to issue regulations for the operationalization of the Act.

Registration of Data Controllers and Data Processors

The Act makes registration with the Data Protection Commissioner mandatory for data controllers or data processors beyond a certain threshold. The actual thresholds are to be prescribed by the Data Commissioner, taking into consideration the following:

        1. the nature of the industry;
        2. the volume of data being processed;
        3. whether sensitive or personal data is being processed; and
        4. any other criteria that the Data Commissioner may specify.

Transfer of data outside Kenya

Data controllers and data processors must show that safeguards have been put in place to protect the integrity and privacy of a data subject’s personal data where that data is transferred outside the country. This is particularly important for businesses that have their servers located outside Kenyan borders or that outsource certain processing functions, such as data analysis, to foreign service providers.


Kenya’s enactment of data protection legislation is in line with international practice, and with the increasing data-centricity of business models, compliance is key.

Our data protection team remains available to provide you with any assistance you may require.

Should you require any more information or assistance kindly contact Craig Douglas Oyugi or Samuel Kisuu.

This alert is for general use only and should not be relied upon without seeking specific legal advice on any matter.