Kenya Data Privacy Laws: DPA 2019 Compliance Guide (2026)

Kenya stands as one of the leading countries in Africa for data privacy protection. The Data Protection Act No. 24 of 2019 established a comprehensive legal framework governing how personal data is collected, processed, stored, and transferred within and outside the country.
The Act took effect on November 25, 2019, making Kenya one of the first nations in East Africa to adopt dedicated data protection legislation. The Office of the Data Protection Commissioner (ODPC) serves as the primary regulatory body responsible for enforcement.
This guide covers every major aspect of Kenya's data privacy framework, including the constitutional foundation, the DPA's core provisions, enforcement actions, and practical compliance requirements for organizations operating in Kenya.
Constitutional Foundation: Article 31 Right to Privacy
Kenya's data protection framework is rooted in the Constitution of Kenya, 2010. Article 31 of the Bill of Rights guarantees every person the right to privacy.

Specifically, Article 31 provides that every person has the right not to have:
- Their person, home, or property searched
- Their possessions seized
- Information relating to their family or private affairs unnecessarily required or revealed
- The privacy of their communications infringed
The Data Protection Act 2019 was enacted to give effect to Article 31(c) and (d) of the Constitution. These subsections protect individuals from having their private information unnecessarily required or revealed and from having the privacy of their communications infringed.
This constitutional grounding gives Kenya's data privacy protections a stronger legal standing than in many other countries. Privacy violations can be challenged not only under the DPA but also as constitutional rights violations before the High Court.
The Data Protection Act 2019: Core Provisions
The DPA 2019 applies to data controllers and data processors, public or private, that are established or resident in Kenya, and also to controllers and processors outside Kenya that process personal data of data subjects located in Kenya. It covers both automated and manual processing of personal data.
Definition of Personal Data
The Act defines "personal data" as any information relating to an identified or identifiable natural person. This includes data that can directly or indirectly identify someone through identifiers such as a name, identification number, location data, or online identifier.
Sensitive Personal Data
The DPA defines "sensitive personal data" as a special category that includes information revealing:
- Race or ethnic social origin
- Health status
- Conscience or religious beliefs
- Genetic data
- Biometric data (including fingerprinting, DNA analysis, retinal scanning, and voice recognition)
- Property details
- Marital status and family details
- Sex or sexual orientation
The Data Commissioner may designate additional categories of personal data as sensitive where the processing of that data could cause significant harm to data subjects.
Sensitive personal data receives heightened protection under the Act. Processing of sensitive data generally requires explicit consent or must fall within specific statutory exceptions.
Lawful Bases for Processing
Under the DPA, no organization may process personal data without a lawful basis. The main lawful grounds recognized by the Act are:
- Consent of the data subject, which must be freely given, specific, informed, and unambiguous
- Contractual necessity, where processing is required to perform or enter into a contract with the individual
- Legal obligation, where processing is required by Kenyan law
- Vital interests, where processing is necessary to protect someone's life
- Public interest, where processing is necessary for tasks carried out in the public interest
- Legitimate interests of the data controller, balanced against the rights of the data subject
Consent Requirements
The DPA sets strict requirements for what constitutes valid consent. Consent is not considered freely given where:
- It is presumed because the data subject did not object
- It is presented as a non-negotiable part of terms and conditions
- The subject cannot refuse or withdraw without detriment
- Multiple purposes are merged without specific consent for each
- The intention behind the data collection is ambiguous
Data subjects have the right to withdraw consent at any time. However, withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.
Data Subject Rights Under the DPA
The DPA grants individuals a comprehensive set of rights over their personal data. These rights form the backbone of Kenya's data protection framework.
Right to Be Informed
Data subjects have the right to be told how their personal data will be used before or at the time of collection. Data controllers must provide clear and accessible privacy notices.
Right of Access
Individuals can request confirmation of whether their personal data is being processed and, if so, obtain a copy of that data along with information about the purposes and categories of processing.
Right to Correction
Data subjects may request the correction of false, misleading, or inaccurate personal data held about them. Organizations must act on these requests without undue delay.
Right to Deletion
Individuals can request the deletion of their personal data where it is no longer necessary for the purpose it was collected, or where they withdraw consent and no other lawful basis for processing exists.
Right to Object
Data subjects may object to or restrict the processing of their personal data on legitimate grounds, unless the data controller demonstrates compelling legitimate interests that override the individual's rights.
Right to Data Portability
Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
The ODPC has actively enforced these rights. In 2025, the regulator awarded KES 500,000 in compensation to a former employee of a major service provider who continued receiving unsolicited marketing messages despite exercising the right to erasure.
ODPC Registration Requirements
A fundamental obligation under the DPA is the mandatory registration of data controllers and data processors with the ODPC. No person may act as a data controller or data processor without being registered.
Who Must Register
Registration is mandatory for all data controllers and processors that:
- Have an annual turnover or revenue above KES 5,000,000, or
- Have more than 10 employees, or
- Process personal data in mandatory sectors (regardless of revenue or employee count)
Not-for-profit organizations, charitable institutions, religious organizations, multilateral agencies, and civil society organizations must also register if they process any personal information, regardless of their revenue.
Exemptions
Data controllers and processors with annual revenue below KES 5 million and fewer than 10 employees are exempt from registration, provided they do not operate in a mandatory sector.
Registration Process and Fees
Applications are submitted electronically through the ODPC website. Fees are tiered by the size of the entity: for the smallest tier the registration fee is KES 4,000 and the renewal fee is KES 2,000, with higher fees for medium and large entities as set out in the fee schedule to the Registration Regulations. The ODPC issues a certificate of registration within 14 days if the application meets all requirements.
Registration certificates are valid for 24 months. Controllers and processors must apply for renewal at least 30 days before expiry.
Data Breach Notification Requirements
Kenya's breach notification framework is one of the most clearly defined in Africa. The Data Protection (General) Regulations 2021 elaborate on the notification procedures.
72-Hour Notification to the ODPC
Under section 43 of the Act, where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to the affected data subjects, the data controller must notify the Data Commissioner without delay, and no later than 72 hours after becoming aware of the breach. Where notification within 72 hours is not possible, the controller must give the Commissioner reasons for the delay.
48-Hour Processor-to-Controller Notification
Where a data processor becomes aware of a breach, it must notify the relevant data controller within 48 hours. The 48-hour and 72-hour clocks both start on becoming aware, so a processor that uses its full 48 hours leaves the controller at most 24 hours to assess the breach and notify the ODPC. Controller-processor contracts should therefore require faster notification in practice.
Notification Content
Breach notifications to the Commissioner must include:
- A description of the nature of the breach, including the categories and approximate number of data subjects affected and the likely consequences
- The measures taken or proposed to address the breach and mitigate its effects
- A recommendation on the measures data subjects can take to mitigate the adverse effects of the breach
- Where known, the identity of the unauthorised person who accessed or acquired the data
Notification to Affected Individuals
Where the breach meets the notification threshold, the controller must also communicate it to the affected data subjects in writing within a reasonably practical period after notifying the Commissioner, unless the identity of the data subjects cannot be established. The communication must describe the breach in clear, plain language and include practical advice on steps individuals can take to protect themselves.
The ODPC has created an online breach notification portal on its website to streamline the reporting process.
Penalties and Enforcement
The DPA provides for administrative, criminal, and civil enforcement mechanisms.
Administrative Penalties
The Data Commissioner may impose administrative fines of up to KES 5,000,000 (approximately USD 38,500) or up to 1% of the organization's annual turnover for the preceding financial year, whichever is lower.
The pending Data Protection (Amendment) Bill 2025 proposes changing "whichever is lower" to "whichever is higher," which would substantially increase the financial exposure for large organizations.
Criminal Penalties
The Act provides for criminal prosecution. The general penalty for offenses under the DPA is a fine not exceeding KES 3,000,000 or imprisonment for a term not exceeding 10 years, or both.
Specific offenses include:
- Processing personal data without a lawful basis
- Failing to register as a data controller or processor
- Obstructing or hindering the Data Commissioner
- Unauthorized disclosure of personal data
Daily Penalties
For continuing violations, the Act imposes daily fines of up to KES 10,000 per day for each day the breach remains unrectified.
Civil Remedies
Data subjects may also pursue civil claims for compensation in court. The High Court has jurisdiction over constitutional petitions involving privacy violations under Article 31.
2025-2026 Enforcement Trends
The ODPC has signaled a major shift from awareness-building to aggressive enforcement. During 2025, Kenyan organizations collectively paid over KES 30 million in compensation to individuals for privacy violations.
Key enforcement focus areas include:
- Unsolicited marketing communications from digital lenders, retailers, and telecom firms
- Right to erasure violations where firms retain data after deletion requests
- Inadequate data retention and destruction practices
The Complaints Handling and Enforcement Regulations set a 90-day window for the ODPC to determine a complaint, so organizations should expect to respond to ODPC inquiries and remediate within that timeframe.
Cross-Border Data Transfers
Kenya imposes strict requirements on the transfer of personal data outside the country. Section 48 of the DPA governs cross-border transfers.
Adequate Safeguards Requirement
Personal data may be transferred outside Kenya only where one of the conditions in section 48 is met. The primary route is for the data controller or processor to provide proof to the Data Commissioner of appropriate safeguards in the receiving jurisdiction or organization. The Act also permits transfers that are necessary for the performance of a contract with the data subject, for public interest, for legal claims, for the vital interests of the data subject, or for compelling legitimate interests that are not overridden by the data subject's rights.
These safeguards include:
- The receiving jurisdiction having comparable data protection laws
- Appropriate contractual clauses between the parties
- Binding corporate rules for intra-group transfers
- Technical security measures such as encryption and access controls
Consent for Sensitive Data Transfers
For transfers of sensitive personal data out of Kenya, explicit consent of the data subject is required in addition to the adequate safeguards requirement.
Data Localization Requirement
Section 50 of the DPA empowers the Cabinet Secretary to prescribe, on grounds of strategic interests of the state or protection of revenue, categories of processing that may only be carried out through a server or data centre located in Kenya. The Data Protection (General) Regulations 2021 give effect to this by classifying certain processing as strategic, including civil registration, national identity, revenue, elections, health and education systems, and national security.
For processing in these strategic categories, the data must be processed through servers and data centres located in Kenya, and at least one serving copy of the personal data must be stored on a server or data centre in Kenya.
This requirement has significant implications for cloud computing and for organizations using international hosting providers in the affected sectors. Such organizations must ensure that their infrastructure includes Kenya-based storage to comply with the localization mandate, and should check whether any of their processing falls within the strategic categories before relying solely on foreign-hosted services.
Data Protection Impact Assessments
The Data Protection (General) Regulations 2021 require data controllers and processors to conduct a Data Protection Impact Assessment (DPIA) before starting processing operations that are likely to result in high risk to the rights and freedoms of data subjects.
When a DPIA Is Required
High-risk processing operations that trigger a DPIA include:
- Large-scale processing of personal data for a purpose other than the original collection purpose
- Systematic monitoring of publicly accessible areas
- Processing of sensitive personal data on a large scale
- Use of new technologies that pose elevated privacy risks
DPIA Content
A DPIA must include:
- A systematic description of the proposed processing operations
- An assessment of the necessity and proportionality of the processing
- An assessment of the risks to data subjects' rights and freedoms
- The measures planned to address and mitigate those risks
Submission Timeline
DPIAs must be submitted to the Data Commissioner at least 60 days before the processing begins. If a DPIA indicates high risk that cannot be adequately mitigated, the data controller must consult the Data Commissioner before proceeding.
The Data Protection (Amendment) Bill 2025
The Kenyan government introduced the Data Protection (Amendment) Bill 2025 to strengthen and modernize the data protection framework. Key proposed changes include:
Expanded Definition of Sensitive Data
The Bill proposes adding political opinions and trade union memberships to the list of sensitive personal data categories, aligning more closely with the EU's GDPR.
Enhanced ODPC Powers
The Commissioner would gain additional powers to develop data protection training frameworks, accredit data protection trainers, and offer advisory services.
Increased Financial Penalties
The most significant proposed change is amending Section 63 to replace "whichever is lower" with "whichever is higher" for administrative fines. This would mean organizations face fines of up to KES 5 million or 1% of annual turnover, whichever is higher, rather than the current lower threshold.
Data Protection Appeals Tribunal
The Bill proposes establishing a dedicated Data Protection Appeals Tribunal through new Sections 64A through 64F, providing a specialized forum for challenging ODPC decisions.
Broader Complaint Access
The Bill would replace "data subject" with "any person" in the complaints provision, allowing legal entities (not just individuals) to lodge complaints with the ODPC.
Supporting Regulations
The DPA is supplemented by several sets of regulations that provide detailed operational guidance:
- Data Protection (General) Regulations 2021: The core operational framework covering DPIAs, breach notification procedures, and processing requirements
- Registration of Data Controllers and Data Processors Regulations 2021: Governs registration requirements, fees, and procedures
- Complaints Handling and Enforcement Regulations 2021: Establishes procedures for complaints, investigations, and enforcement actions
- Data Protection (Civil Registration) Regulations 2020: Specific protections for civil registration data
Kenya's framework also aligns with the African Union's Malabo Convention on Cyber Security and Personal Data Protection, which sets the regional baseline for data protection standards.
Compliance Checklist for Organizations
Organizations operating in Kenya or processing personal data of Kenyan residents should take these steps to achieve and maintain compliance:
- Register with the ODPC if your organization meets the registration thresholds
- Identify your lawful basis for each type of personal data processing
- Implement consent mechanisms that meet the DPA's strict requirements for freely given, specific, and informed consent
- Publish a privacy notice that clearly explains how personal data is collected, used, stored, and shared
- Establish breach notification procedures to meet the 72-hour reporting deadline
- Conduct DPIAs for high-risk processing activities at least 60 days before processing begins
- Check whether any processing falls within the strategic categories in the General Regulations and, if so, process it on Kenya-based servers and maintain at least one serving copy in Kenya
- Document cross-border transfer safeguards for any personal data sent outside Kenya
- Train employees on data protection obligations and procedures
- Establish a complaints and data subject request process that can respond to requests without undue delay and support the ODPC's 90-day complaint determination timeline
Sources and References
- Kenya Law - Data Protection Act No. 24 of 2019 (Full Text) (kenyalaw.org)
- ODPC - Data Protection Laws Kenya (odpc.go.ke)
- Kenya Law Reform Commission - Article 31 of the Constitution of Kenya (klrc.go.ke)
- ODPC - 2025 Determinations (odpc.go.ke)
- ODPC - 2026 Determinations (odpc.go.ke)
- ODPC - Data Protection (General) Regulations 2021 (odpc.go.ke)
- ODPC - Registration of Data Controllers and Data Processors Regulations 2021 (odpc.go.ke)
- Kenya Trade Network Agency - Data Protection Act Full Text (kentrade.go.ke)
- DLA Piper - Data Protection Laws in Kenya (dlapiperdataprotection.com)
- DLA Piper Africa - When a Data Breach Hits: Why the First 72 Hours Define a Company's Future (dlapiperafrica.com)
- ITIF - Kenya's Cross-Border Data Transfer Regulation (itif.org)
- TechTrends Kenya - ODPC Signals Tighter Privacy Enforcement as Payouts Hit Sh30 Million (techtrendske.co.ke)
- Wamae and Allen LLP - Summary of the Data Protection Amendment Bill 2025 (wamaeallen.com)