The Kenya Data Protection Act 2019 and General Data Protection Regulation: What you need to know


published on 9 August 2024


The Data Protection Act (DPA) is the applicable data protection law in Kenya, whereas the General Data Protection Regulation (GDPR) is the applicable data protection law in the European Union (EU). Both the DPA and the GDPR rest on the same foundational principles for protecting personal data. These principles generally require that personal data be processed in a lawful, fair and transparent manner, and that any transfer of personal data outside a country be based on adequate data protection safeguards. However, compliance with the GDPR does not automatically mean that an entity of EU origin has complied with the DPA, and vice versa. In essence, the two laws are quite similar, but certain differences exist. This article briefly highlights some of the significant differences.

 

Registration

The DPA requires all data controllers and data processors processing personal data of persons residing in Kenya, whether or not established in Kenya, to register with the Office of the Data Protection Commissioner (ODPC). Processing personal data in Kenya without a registration certificate from the ODPC or failing to renew an expired registration certificate exposes an entity to a fine of up to 3 million Kes or to imprisonment of up to ten years. Registration with a supervisory authority is not required under the GDPR.
 

Data subject rights timelines

Both laws guarantee data subjects certain rights and set timelines within which requests relating to these rights must be attended to. Under the GDPR, an organisation must respond within one month. The timelines are shorter under the DPA, as indicated below:
 
Nature of right               DPA timelines (days)   GDPR timelines (days)*
Restricted processing         14                     30
Objection                     14                     30
Data request                  7                      30
Rectification                 14                     30
Data portability              30                     30
Refusal of data portability   7                      30
Erasure                       14                     30

Under the GDPR, the above timelines may be extended by a further two months, taking into account the complexity of a request. Neither law requires a fee to be charged for attending to data subject rights. However, under the DPA an entity may charge a reasonable fee to facilitate data portability, whereas under the GDPR, where requests are manifestly excessive, an organisation may charge a reasonable administrative fee to cover the administrative costs of providing the information.
 

Non-compliance fines

Both laws provide for fines and penalties for non-compliance. The fines under the GDPR are considered to be higher (at least in the Kenyan context) than those under the DPA.
 

Fines under the DPA

Non-compliance and corresponding fine:

1. Using personal data for commercial purposes without consent
  • A fine not exceeding 20,000 Kes, or
  • Imprisonment not exceeding six months, or both

2. Contravening the Data Protection Act where no specific penalty is provided
  • A fine not exceeding 3 million Kes, or
  • Imprisonment for a term not exceeding 10 years, or both
  • Forfeiture of any article or equipment that was used
  • Prohibition order

3. Failing to provide information requested by the Data Commissioner, or providing misleading information
  • A fine not exceeding 5 million Kes, or
  • Imprisonment for a term not exceeding two years, or both

4. Failure to implement compliance directives under the DPA
  • An administrative fine not exceeding 5 million Kes, or
  • 1 percent of the annual turnover, whichever is lower

5. Failure to register or renew a registration certificate
  • A fine not exceeding 3 million Kes, or
  • Imprisonment for a term not exceeding ten years, or both
 

Fines under the GDPR

Non-compliance and corresponding fine:

1. Non-compliance
  • Infringements of the obligations of the controller and the processor relating to a child's data, special categories of personal data, data protection by design and by default, and certification
  • Infringements of the obligations relating to certification bodies
   Fine
  • Administrative fines up to 10 million euros or, in the case of an undertaking, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher

2. Non-compliance
  • Infringements of the basic principles for processing, including conditions for consent
  • Infringements of the data subjects' rights
  • Infringements of the rules on transfers of personal data to a recipient in a third country or an international organisation
  • Infringements of any obligations pursuant to Member State law adopted to govern journalistic purposes, official documents, national identification, employment and research
  • Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority, or failure to provide access
   Fine
  • Administrative fines up to 20 million euros or, in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher

3. Non-compliance
  • Non-compliance with an order by the supervisory authority issued in accordance with the powers vested in the supervisory authority
   Fine
  • Administrative fines up to 20 million euros or, in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher
 

Regulatory authority

The DPA establishes the Office of the Data Protection Commissioner (ODPC) as the body responsible for overseeing compliance with the DPA. An organisation processing personal data of persons residing in Kenya is thus subject to the supervisory authority of the ODPC.

On the other hand, the GDPR provides for the establishment of one or more supervisory authorities in each EU member state. Each supervisory authority then has a seat on the European Data Protection Board.

An entity may thus be subject to several supervisory authorities where it carries out personal data processing activities both in Kenya and in a state that has its own supervisory authority.
 

Conclusion

These are some of the significant (but not exhaustive) differences that an entity with a presence in both Kenya and the EU should be aware of, especially when establishing its Personal Data Protection Governance Framework in Kenya. A comprehensive evaluation of such an organisation's personal data processing environment is therefore essential, so that further differences specific to the organisation's operating environment are identified and appropriate adaptation mechanisms are put in place with a view to enhancing compliance with the DPA.
 
In the meantime, Kenya has already launched the first Adequacy Dialogue on the African continent on data governance with the EU. If concluded successfully, it will result in an Adequacy Decision, which means that personal data will be able to flow freely from the EU to Kenya without any limitations, bringing great economic benefits. Until then, the restrictions contained in the respective regulatory frameworks must be adhered to.