Kenya Data Privacy Laws: DPA 2019, ODPC Enforcement, and 2026 Compliance Guide

Kenya's Data Protection Act No. 24 of 2019, grounded in Article 31 of the Constitution of Kenya 2010, governs how any organization collects or processes personal data of individuals in Kenya. The Office of the Data Protection Commissioner enforces the Act, requiring registration above set thresholds and breach notification within 72 hours.

Kenya stands as one of the strongest data privacy jurisdictions in Africa. The Data Protection Act No. 24 of 2019 (DPA) established a comprehensive legal framework governing how personal data is collected, processed, stored, and transferred, and the Office of the Data Protection Commissioner (ODPC) has moved from awareness-building into active, financially significant enforcement.

This guide covers every major aspect of Kenya's data privacy framework: the constitutional foundation, the 2021 implementing regulations, registration requirements, data subject rights, breach notification, Data Protection Officer obligations, cross-border transfer rules, the full enforcement record through 2026, and the legislative changes now moving through Parliament.

For an overview of how Kenya's recording consent rules interact with privacy law, see our guide to Kenya recording laws.

Quick Answer

Kenya's data protection regime rests on the Data Protection Act 2019, four sets of 2021 implementing regulations, and the ODPC as regulator. The Act applies to any organization, public or private, that processes personal data of individuals in Kenya. Registration with the ODPC is mandatory above defined thresholds. Breach notification runs 72 hours to the ODPC. Penalties reach KES 5 million administratively, plus criminal liability up to KES 3 million and 10 years imprisonment.

Constitutional Foundation: Article 31

Kenya's data protection framework is rooted in the Constitution of Kenya 2010. Article 31 of the Bill of Rights guarantees every person the right to privacy.

Specifically, Article 31 provides that every person has the right not to have:

• Their person, home, or property searched
• Their possessions seized
• Information relating to their family or private affairs unnecessarily required or revealed
• The privacy of their communications infringed

The DPA 2019 was enacted to give effect to Articles 31(c) and 31(d). These subsections protect individuals from having private information unnecessarily disclosed and communications unlawfully intercepted.

This constitutional grounding gives privacy protections a legal weight beyond the statutory level. Violations can be challenged not only under the DPA but also as constitutional rights violations before the High Court, which carries broader remedies and greater public scrutiny.

The Data Protection Act 2019: Core Provisions

The DPA 2019 applies to all organizations, whether public or private, that collect, process, or store personal data of individuals in Kenya. It covers both automated and manual processing.

Definition of Personal Data

The Act defines "personal data" as any information relating to an identified or identifiable natural person. This includes data that can directly or indirectly identify someone through identifiers such as a name, identification number, location data, or online identifier.

Sensitive Personal Data

The DPA defines a special category of "sensitive personal data" that receives heightened protection. It includes information revealing:

• Race or ethnic social origin
• Health status
• Conscience, belief, or religious affiliations
• Genetic data
• Biometric data, including fingerprinting, DNA analysis, retinal scanning, and voice recognition
• Property details
• Marital status and family details
• Sex or sexual orientation

The Data Commissioner may also designate additional categories where processing could cause significant harm to data subjects. The pending Data Protection Amendment Bill 2025 proposes adding political opinions and trade union memberships to this list.

Processing sensitive personal data generally requires explicit consent or must fall within narrow statutory exceptions.

Lawful Bases for Processing

No organization may process personal data without a lawful basis. The Act recognizes six grounds:

1. Consent of the data subject, which must be freely given, specific, informed, and unambiguous
2. Contractual necessity, where processing is required to perform or enter into a contract with the data subject
3. Legal obligation, where processing is required by Kenyan law
4. Vital interests, where processing is necessary to protect someone's life
5. Public interest, where processing is necessary for tasks carried out in the public interest
6. Legitimate interests of the data controller, balanced against the rights of the data subject

Consent Requirements

The DPA sets strict standards for valid consent. Consent is not considered freely given where:

• It is presumed because the data subject did not object
• It is presented as a non-negotiable part of terms and conditions
• The subject cannot refuse or withdraw without suffering a detriment
• Multiple purposes are bundled without separate consent for each
• The intention behind the data collection is ambiguous

Data subjects have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal, but organizations must stop processing on consent-based grounds immediately upon receiving a withdrawal.

The 2021 Implementing Regulations

The DPA is supplemented by four sets of regulations that provide detailed operational guidance:

• Data Protection (General) Regulations 2021: The core operational framework covering Data Protection Impact Assessments, breach notification procedures, and processing requirements
• Registration of Data Controllers and Data Processors Regulations 2021: Governs registration requirements, fees, procedures, and certificates
• Complaints Handling and Enforcement Regulations 2021: Establishes procedures for complaints, investigations, and enforcement actions
• Civil Registration Regulations 2020: Specific protections for civil registration data

Kenya is also a signatory to the African Union's Malabo Convention on Cyber Security and Personal Data Protection, reinforcing its commitment to regional data protection standards.

In December 2024, the ODPC published two additional draft regulations for stakeholder consultation: the Conduct of Compliance Audit Regulations, which would establish accreditation criteria for auditors of data controllers and processors, and a Data Sharing Code to regulate ethical data sharing across government and private sectors.

ODPC Registration Requirements

A fundamental obligation under the DPA is the mandatory registration of data controllers and data processors with the ODPC. No person may act as a data controller or data processor without first being registered.

Who Must Register

Registration is mandatory for organizations that:

• Have an annual turnover or revenue above KES 5,000,000, or
• Have more than 10 employees, or
• Process personal data in mandatory sectors, regardless of revenue or employee count

Not-for-profit organizations, charitable institutions, religious organizations, multilateral agencies, and civil society organizations must register if they process any personal information, regardless of revenue.

Exemptions

Data controllers and processors with annual revenue below KES 5 million and fewer than 10 employees are exempt from registration, provided they do not operate in a mandatory sector.

Registration Process and Fees

Applications are submitted electronically through the ODPC website. The registration fee is KES 4,000, and the renewal fee is KES 2,000. The ODPC issues a certificate of registration within 14 days if the application meets all requirements. Certificates are valid for 24 months. Controllers and processors must apply for renewal at least 30 days before expiry.

As of 2025, the ODPC had registered 7,223 data controllers and processors, reflecting broad uptake of the registration regime.

Data Subject Rights Under the DPA

The DPA grants individuals a comprehensive set of rights over their personal data.

Right to Be Informed

Data subjects have the right to be told how their personal data will be used before or at the time of collection. Data controllers must provide clear, accessible privacy notices covering the purposes of processing, categories of data collected, retention periods, and the data subject's rights.

Right of Access

Individuals can request confirmation of whether their personal data is being processed and, if so, obtain a copy of that data along with information about purposes, categories of data, and recipients.

Right to Correction

Data subjects may request correction of false, misleading, or inaccurate personal data held about them. Organizations must act without undue delay.

Right to Deletion (Erasure)

Individuals can request deletion of their personal data where it is no longer necessary for the purpose it was collected, where consent has been withdrawn and no other lawful basis exists, or where the data has been unlawfully processed.

The ODPC has actively enforced this right. In 2025, it awarded KES 500,000 in compensation to a former employee of a major service provider who continued receiving unsolicited marketing messages despite exercising the right to erasure.

Right to Object

Data subjects may object to or restrict the processing of their personal data on legitimate grounds, unless the data controller demonstrates compelling legitimate interests that override the individual's rights.

Right to Data Portability

Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. The pending Data Protection Amendment Bill 2025 would codify automated decision-making protections alongside this right.

Data Protection Officer Requirements

The DPA and General Regulations create a framework for appointing Data Protection Officers, though the obligation is not universally mandatory.

When a DPO Must Be Designated

A data controller or processor must designate a DPO if it:

• Is a public body
• Processes sensitive personal data on a large scale
• Has core activities that require regular and systematic monitoring of data subjects on a large scale

Structural Flexibility

The Act does not require the DPO to be an internal employee. A group of entities may share a single DPO. The DPO may also hold other roles within the organization, provided there is no conflict of interest.

ODPC Notification

Organizations required to appoint a DPO must notify the ODPC of the DPO's contact details. The DPO's contact information must also be published on the organization's website. The DPO serves as the primary contact point between the organization and the Data Commissioner.

Data Protection Impact Assessments

The General Regulations 2021 require data controllers and processors to conduct a DPIA before starting processing operations likely to result in high risk to the rights and freedoms of data subjects.

When a DPIA Is Required

High-risk processing operations that trigger a DPIA include:

• Large-scale processing of personal data for a purpose other than the original collection purpose
• Systematic monitoring of publicly accessible areas
• Processing of sensitive personal data on a large scale
• Use of new technologies that pose elevated privacy risks

DPIA Content and Submission

A DPIA must include a systematic description of the proposed processing, an assessment of its necessity and proportionality, an assessment of risks to data subjects' rights and freedoms, and the measures planned to address and mitigate those risks.

DPIAs must be submitted to the Data Commissioner at least 60 days before processing begins. If a DPIA indicates high risk that cannot be adequately mitigated, the data controller must consult the Data Commissioner before proceeding.

Data Breach Notification Requirements

Kenya's breach notification framework is one of the most clearly defined in Africa. The General Regulations 2021 elaborate the procedures.

72-Hour Notification to the ODPC

In the event of a personal data breach, data controllers must notify the Data Commissioner without undue delay, and no later than 72 hours after becoming aware of the breach. The ODPC has created an online breach notification portal on its website to streamline the reporting process.

48-Hour Processor-to-Controller Notification

Where a data processor discovers a breach, it must notify the relevant data controller within 48 hours of discovery. This gives the controller time to assess the breach and meet the 72-hour ODPC deadline.

Notification Content

Breach notifications must include:

• A description of the nature of the breach
• The categories and approximate number of data subjects affected
• The likely consequences of the breach
• The measures taken or proposed to address the breach and mitigate its effects

Notification to Affected Individuals

Where a breach is likely to result in a high risk to the rights and freedoms of data subjects, the affected individuals must be notified without undue delay in clear, plain language, including practical advice on steps they can take to protect themselves.

Cross-Border Data Transfers

Kenya imposes strict requirements on the transfer of personal data outside the country. Section 48 of the DPA governs cross-border transfers.

Adequate Safeguards Requirement

Transferring personal data outside Kenya is prohibited unless the receiving country or organization provides adequate data protection safeguards. Prior to any transfer, the data controller or processor must provide proof to the Data Commissioner of appropriate safeguards. These include:

• The receiving jurisdiction having comparable data protection laws
• Appropriate contractual clauses between the parties
• Binding corporate rules for intra-group transfers
• Technical security measures such as encryption and access controls

For transfers of sensitive personal data, explicit consent of the data subject is required in addition to the safeguards requirement.

Data Localization Requirement

Section 50 of the DPA imposes a data localization obligation. Every data controller or processor must ensure the storage of at least one serving copy of personal data on a server or data center located within Kenya. For personal data classified as strategic to the interests of the state, all processing must occur through servers within Kenya.

This has significant implications for cloud computing. Organizations using international hosting providers must ensure their infrastructure includes Kenya-based storage.

The ODPC's December 2024 Cloud Policy further encourages data localization when entities adopt cloud solutions, particularly for sensitive government and critical infrastructure data.

EU-Kenya Adequacy Dialogue

In May 2024, Kenya and the European Union launched an adequacy dialogue, the first such dialogue on the African continent. If successful, an EU adequacy decision would allow personal data to flow freely from the EU to Kenya without additional safeguards. Kenya's Data Protection Act closely mirrors the GDPR, which puts it in a strong position for a positive adequacy determination. As of early 2026, the dialogue is ongoing.

Penalties and Enforcement

The DPA provides for administrative, criminal, and civil enforcement mechanisms, and the ODPC has deployed all three.

Administrative Penalties

The Data Commissioner may impose administrative fines of up to KES 5,000,000 (approximately USD 38,500) or up to 1% of the organization's annual turnover for the preceding financial year, whichever is lower.

Criminal Penalties

The general criminal penalty for offenses under the DPA is a fine not exceeding KES 3,000,000 or imprisonment for up to 10 years, or both. Specific criminal offenses include processing personal data without a lawful basis, failing to register, obstructing the Data Commissioner, and unauthorized disclosure of personal data.

Daily Penalties

For continuing violations, the Act imposes daily fines of up to KES 10,000 per day for each day the breach remains unrectified.

Civil Remedies

Data subjects may pursue civil claims for compensation in court. The High Court has jurisdiction over constitutional petitions involving privacy violations under Article 31.

ODPC Enforcement Record: Key Cases and Statistics

The ODPC has moved decisively from awareness-building into financially significant enforcement. Since the Act came into force, the ODPC received 9,061 data protection complaints, resolved 84 through Alternative Dispute Resolution, and issued 357 determinations, 134 enforcement notices, 20 penalty notices, and 184 compensation orders as of 2025. Total fines imposed on businesses exceeded KES 26 million through September 2024.

Landmark Penalty Cases

Oppo Kenya (December 2022): The ODPC's first penalty notice imposed a KES 5 million fine on Oppo Kenya after the company posted a data subject's photograph on its Instagram account for commercial purposes without consent. The company had also failed to maintain a data protection policy. The ODPC preceded the fine with an enforcement notice in November 2022, which Oppo Kenya did not act on.

Whitepath Company Limited (April 2023): The digital lender behind the Instarcash and Zuricash apps was fined KES 5 million following approximately 150 complaints. The ODPC found that Whitepath had unlawfully accessed borrowers' contact lists and used those contacts to send unsolicited debt collection messages to third parties who had no relationship with the lender. In March 2025, the ODPC imposed a second fine of KES 250,000 on Whitepath for listing an individual as a loan guarantor without consent and subjecting them to collection calls.

Regus Kenya Limited (April 2023): The ODPC fined Regus KES 5 million for continuing to send unsolicited automated marketing messages to a former client after the end of the commercial relationship. Regus failed to respond to the initial ODPC complaint notification or a subsequent reminder notice, prompting a formal enforcement notice in February 2023. On appeal, the High Court upheld the Commissioner's findings but reduced the penalty to KES 2.5 million, finding the original amount harsh for a first-time offender. The court affirmed that the Commissioner's enforcement authority is well-founded under the Act.

Roma School (September 2023): The school was fined KES 4,550,000 for posting photographs of minors on its marketing materials and social media without obtaining parental consent.

Mulla Pride (September 2023): The digital lender was fined KES 2,975,000 for using third-party contact information, obtained from borrowers' phones without consent, to make threatening debt collection calls to individuals who were not customers of the lender.

Casa Vera Lounge (September 2023): Fined KES 1,850,000 for posting a patron's image on social media without consent.

Nova Pioneer Limited (2024): Fined KES 950,000 for using an individual's image on billboards and the company's website without consent.

SBM Bank (2024): Fined KES 450,000 for sending 327 spam emails over 10 months to an individual who had no account with the bank.

Worldcoin (September 2023): The ODPC suspended Worldcoin's operations in Kenya for 12 months for non-compliance with the DPA related to biometric data collection practices.

Compensation Orders

Beyond fines, the ODPC has issued 184 compensation orders requiring organizations to pay damages directly to affected individuals. Some compensation awards have reached KES 500,000 per individual. During 2025, Kenyan organizations collectively paid over KES 30 million in compensation for privacy violations, signaling a shift toward remedies that directly benefit data subjects rather than flowing to the state.

Enforcement Infrastructure: Regional Offices

The ODPC has decentralized enforcement through regional offices. As of early 2026, the ODPC operates offices in Mombasa, Nakuru, Kisumu, Garissa, Eldoret, Nyeri, and Machakos. The Eldoret office was launched on Data Privacy Day 2025 on January 28, 2025. The ODPC's 2025-2029 Strategic Plan calls for expanding from seven to thirteen regional offices.

The ODPC 2025-2029 Strategic Plan

The ODPC launched its five-year strategic plan in 2025, anchored on five pillars: governance strengthening, organizational sustainability, compliance enhancement, enforcement oversight, and self-regulation promotion. The plan carries a total cost of KES 12.64 billion, with a funding gap of KES 3.675 billion.

Key institutional changes include the creation of a Senior Deputy Data Commissioner position, Assistant Data Commissioners, and expansion to thirteen regional offices. The ODPC achieved a 96% resolution rate on 6,817 complaints in its first five years of operation.

Recent Legislative Developments

Data Protection Amendment Bill 2025

The Kenyan government introduced the Data Protection Amendment Bill 2025, developed by the Data Privacy and Governance Society of Kenya, to strengthen and modernize the framework. Key proposed changes:

Expanded sensitive data categories: Political opinions and trade union memberships would be added to the sensitive data list, aligning with GDPR Article 9(1).

Higher financial penalties: The most significant change is amending Section 63 to replace "whichever is lower" with "whichever is higher" for administrative fines. This would expose large organizations to fines of up to KES 5 million or 1% of annual turnover, whichever is higher.

Data Protection Appeals Tribunal: New Sections 64A through 64F would establish a dedicated appeals tribunal required to resolve complaints within 60 days, reducing the High Court caseload for data protection matters.

Expanded complaint access: The change from "data subject" to "any person" in the complaints provision would allow legal entities, not just individuals, to lodge complaints with the ODPC.

Enhanced ODPC powers: The Commissioner would gain authority to develop data protection training frameworks and accredit trainers, expanding the ODPC's role in building compliance culture.

Stronger security obligations: Data controllers and processors would be required to not only implement appropriate technical and organizational security measures but also demonstrate compliance with the Act on an ongoing basis.

The Bill was pending legislative consideration as of early 2026.

Artificial Intelligence Bill 2026

Kenya is moving toward comprehensive AI regulation. The draft Artificial Intelligence Bill 2026, introduced as a Senate Bill, establishes a risk-based regime for AI systems modelled in part on the EU AI Act. High-risk AI systems would face stringent governance, transparency, data protection, and record-keeping requirements.

The Bill creates the Office of the Artificial Intelligence Commissioner as an independent body with enforcement powers including the ability to enter premises, inspect AI systems, issue enforcement notices, and impose administrative fines.

For data protection practitioners, the Bill ties AI governance directly to the Data Protection Act 2019. High-risk AI providers and deployers must comply with the DPA in relation to personal data processing, including conducting data protection impact assessments before deploying high-risk AI systems. The Bill had been published as a Senate Bill but had not yet been tabled for debate as of early 2026.

Kenya Information and Communications (Amendment) Bill 2025

A separate legislative development that has raised significant privacy concerns is the Kenya Information and Communications (Amendment) Bill 2025. The Bill proposes requiring Internet Service Providers to assign each subscriber a unique trackable meter number, collect detailed personal data including names, ID numbers, and usage patterns, and submit this information to the Communications Authority of Kenya. The Bill would also empower the Cabinet Secretary to mandate ISPs to install surveillance tools enabling real-time monitoring of users' data.

Human rights organizations and legal commentators have raised serious concerns that these provisions conflict with the DPA 2019 and Article 31 constitutional privacy protections. The ICJ Kenya has described the Bill as a potential vehicle for mass surveillance. The Bill was under parliamentary review as of May 2026.

Business Compliance Checklist

Organizations operating in Kenya or processing personal data of Kenyan residents should take these steps:

1. Register with the ODPC if your organization meets the registration thresholds (revenue above KES 5M, more than 10 employees, or operation in a mandatory sector)
2. Identify the lawful basis for each type of personal data processing before any collection begins
3. Implement consent mechanisms that meet the DPA's requirements: freely given, specific, informed, and unambiguous
4. Publish a privacy notice that clearly explains collection, use, storage, sharing, and data subject rights
5. Designate a DPO if your organization is a public body or conducts large-scale processing of sensitive data or large-scale systematic monitoring
6. Establish breach notification procedures to meet the 72-hour ODPC reporting deadline and the 48-hour processor-to-controller notification requirement
7. Conduct DPIAs for high-risk processing activities at least 60 days before processing begins
8. Ensure data localization compliance by maintaining at least one serving copy of personal data on Kenya-based servers
9. Document cross-border transfer safeguards for any personal data sent outside Kenya
10. Respond promptly to ODPC notices to avoid escalation from compliance notice to enforcement notice to penalty notice
11. Conduct regular consent audits, particularly for marketing communications, to ensure continued compliance with erasure and opt-out requests
12. Train employees on data protection obligations, including how to recognize and respond to data subject rights requests