You may be trying to access this site from a secured browser on the server. Please enable scripts and reload this page.
Home
Internal
Deutsch
|
English
Insights – Make Way for E-Invoicing! The Future of Invoicing » |
Worldwide
It looks like your browser does not have JavaScript enabled. Please turn on JavaScript and try again.
✕
Germany
Ansbach
Bayreuth
Berlin
Bielefeld
Chemnitz
Cologne
Dortmund
Dresden
Eschborn
Fuerth
Hamburg
Herford
Hof
Jena
Mettlach
Muenster
Munich
Nuremberg
Plauen
Regensburg
Selb
Stuttgart
Ulm
Worldwide
Algeria
Angola
Argentina
Australia
Austria
Azerbaijan
Bahrain
Belarus
Belgium
Bosnia and Herzegovina
Botswana
Brazil
Bulgaria
Cambodia
Canada
Chile
China
Colombia
Costa Rica
Croatia
Cyprus
Czech Republic
Denmark
Ecuador
Egypt
Estonia
Ethiopia
Finland
France
Georgia
Germany
Ghana
Greece
Hong Kong (S.A.R.)
Hungary
India
Indonesia
Ireland
Italy
Japan
Kazakhstan
Kenya
Kuwait
Latvia
Libya
Liechtenstein
Lithuania
Luxembourg
Malaysia
Malta
Mauritius
Mexico
Moldova
Mongolia
Morocco
Mozambique
Myanmar
Namibia
Netherlands
New Zealand
Nigeria
North Macedonia
Norway
Oman
Pakistan
Paraguay
Peru
Philippines
Poland
Portugal
Qatar
Romania
Saudi Arabia
Serbia
Singapore
Slovakia
Slovenia
South Africa
South Korea
Spain
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Tunisia
Turkey
Uganda
Ukraine
United Arab Emirates
United Kingdom
Uruguay
USA
Uzbekistan
Vietnam
Zambia
Own offices of Rödl & Partner
German Professional Services Alliance -
GPSA
�������������������������������������������������������������
(Colours appear during mouseover)
We use cookies to personalise the website and offer you the greatest added value. They are, among other purposes, used to analyse visitor usage in order to improve the website for you. By using this website, you agree to their use. Further information can be found in our
data privacy statement
.
Insights
Services
Expertise from a single source
Our service lines
Legal advisory
Tax consulting
Business Process Outsourcing
Management and IT consulting
Audit services
Interdisciplinary services
MERGERS & ACQUISITIONS
Succession advisory
Mergers & Acquisitions
Newsletter M&A Dialogue
Completed deals
Who we advise
Media
Newsletters
Virtual reality tours
Virtual reality tours
Publications
Good to know
Newsletters
Brochures
Investment guides
Books
Download centre
Releases
Completed deals
Media contacts
Facts and figures
About us
Entrepreneurial spirit and values
Factbook
Facts and figures
Sustainability
Entrepreneurial spirit and values
Factbook
Managing Partners
Founder Dr. Bernd Rödl
Locations worldwide
Social responsibility
Project Fundus
Rödl Employee Fund for Children’s Aid
Partner cities: Kharkiv-Nuremberg
Family and career
Awards
Digital Agenda
Careers
Insights
The Kenya Data Protection Act 2019 and General Data Protection Regulation: What you need to know
ASEAN
ASEAN Forum
Digital Agenda
E-Invoicing
Insights
Currently selected
Recent
Alle Kolumnen
Altersvorsorge
Antitrust Law
AOA
Artikelserie im OMV Fokus
ASEAN
Assurance & IT in der Gesundheits- und Sozialwirtschaft
Aufsichtsrecht
Außenwirtschaft und Zoll
BilRUG und weitere Reformen
International Expert Roundtable
The Kenya Data Protection Act 2019 and General Data Protection Regulation: What you need to know
Page Content
published on 9 August 2024
The Data Protection Act (DPA) is the applicable data protection law in Kenya whereas the General Data Protection Regulation (GDPR) is the applicable data protection law in the European Union (EU). Both the DPA and GDPR have the same foundational principles for ensuring the protection of personal data. These principles generally require processing of personal data in a lawful, fair, transparent manner and that any transfer outside a country is based on adequate data protection safeguards. However, compliance with the GDPR does not automatically imply that an entity from the EU origin has complied with the DPA and vice versa. In essence, the two laws are quite similar, however certain differences exist. This article briefly highlights some of the significant differences.
Registration »
Data subject rights timelines »
Non-compliance fines »
Regulatory authority »
Conclusion »
Registration
The DPA requires all data controllers and data processors processing personal data of persons residing in Kenya, whether or not established in Kenya, to register with the Office of the Data Protection Commissioner (ODPC). Processing personal data in Kenya without a registration certificate from the ODPC or failing to renew an expired registration certificate exposes an entity to a fine of up to 3 million Kes or to imprisonment of up to ten years. Registration with a supervisory authority is not required under the GDPR.
Data subject rights timelines
Both laws guarantee data subjects certain rights and further provide timelines within which inquiries relating to these rights should be attended to. Under the GDPR, an organisation must respond within a month. The timelines are shorter under the DPA as indicated below:
Nature of right
DPA Timelines (Days)
GDPR Timelines (Days)*
Restricted Processing
14
30
Objection
14
30
Data request
7
30
Rectification
14
30
Data portability
30
30
Refusal of data portability
7
30
Erasure
14
30
Under the GDPR, the aforementioned timelines may be extended by a further two months taking into account the complexity of a request. Charging a fee to attend to a data subjects rights is not required under both laws. However, under the DPA, an entity may charge a reasonable fee to facilitate data portability whereas under the GDPR, where the requests are manifestly excessive, an organisation may charge a reasonable administrative fee to cater for administrative costs incurred in providing the information.
Non-compliance fines
Both laws provide for fines and penalties for noncompliance. The fines under the GDPR are considered to be higher (at least under the Kenyan context) when compared to those under the DPA.
Fines under the DPA
Non-compliance
Fine
1
Using personal data for commercial purposes without consent
A fine not exceeding 20,000 Kes or
Imprisonment not exceeding six months or both
2
Contravening the Data Protection Act where no specific penalty is provided
A fine not exceeding 3 million Kes
Imprisonment term not exceeding 10 years or both
Forfeiture of any article or equipment that was used
Prohibition order
3
Failing to provide information requested by the Data Commissioner or providing misleading information
A fine not exceeding 5 million Kes
Imprisonment for a term not exceeding two years or both
4
Failure to implement compliance directives under the DPA
An administrative fine not exceeding 5 million Kes or
1 percent of the annual turnover whichever is lower
5
Failure to register or renew a registration certificate
A fine not exceeding 3 million Kes
Imprisonment for a term not exceeding ten years or both
Fines under the GDPR
Non-compliance
Fine
1
Infringements of the obligations of the controller and the processor relating to a child’s data, special categories of personal data, data protection by design and by default and certification
Infringements of the obligations of relating to certification bodies
administrative fines up to 10 million euros, or in the case of an undertaking
up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher
2
Infringements of the basic principles for processing, including conditions for consent
Infringements of the data subjects' rights pursuant
Infringements of the transfers of personal data to a recipient in a third country or an international organisation
Infringements of any obligations pursuant to Member State law adopted to govern journalistic, official documents, national identification, employment and research
Infringements of non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority or failure to provide access
administrative fines up to 20 million euros or
or in the case of an undertaking up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher
3
Non-compliance with an order by the supervisory authority issued in accordance with the powers vested in the supervisory authority
administrative fines up to 20 million euros or in the case of an undertaking
in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher
Regulatory authority
The DPA establishes the Office of the Data Protection Commissioner (ODPC) as the body responsible for oversighting compliance with the DPA. An organisation processing personal data of persons residing in Kenya is thus subject to the supervisory authority of the ODPC.
On the other hand, the GDPR provides for the establishment of one or more supervisory authorities for each state that is a member of the EU. Each supervisory authority then gets a seat on the European Data Protection Board.
An entity may thus be subject to various supervisory authorities where it has personal data processing activities in Kenya and in a state that has a supervisory authority.
Conclusion
These are some of the significant (but not exhaustive) differences that an entity which has presence in both Kenya and the EU region should be wary of especially when establishing its Personal Data Protection Governance Framework in Kenya. A comprehensive evaluation of the personal data processing environment for such an organisation is thus essential in ensuring that more differences specific to the organisation’s operating environment, are identified and appropriate adaptation mechanisms are employed with a view to enhancing compliance with the DPA.
In the meantime, Kenya has already launched the first Adequacy Dialogue on the African Continent on data governance with the EU. If concluded successfully, it will result to an Adequacy Decision which means that personal data will be able to flow freely from the EU to Kenya without any limitations bringing with great economic benefits. Until then, restrictions contained in the respective regulatory frameworks must be adhered to.
Contact
Edna Adala
Associate Partner
+254 775 9740 50
Send inquiry
How we can help
Rödl & Partner in Kenya
good to know
Kenya: A summary of the tax appeals tribunal rules and procedures
13.8.2024
The Kenya Data Protection Act 2019 and General Data Protection Regulation: What you need to know
9.8.2024
Kenya: Warning letters as a form of disciplinary action
5.7.2024
Kenya: Data Protection Compliance Self-Assessment – why your organisation needs it
24.6.2024
All articles »
Turn on more accessible mode
Turn off more accessible mode
Skip Ribbon Commands
Skip to main content
Turn off Animations
Turn on Animations
Deutschland
Weltweit
Search
Menu
