The Data Protection Act, 2019 (the DPA) entered force on 25th November, 2019. Following the enactment of the DPA, the Office of the Data Protection Commissioner (ODPC) was established in 2020. Thereafter, on 14th January, 2022, the ODPC gazetted the following three (3) sets of regulations, effectively paving the way for the full operationalization of the DPA:
The Data Protection (General) Regulations, 2021 (the General Regulations);
The Data Protection (Compliance and Enforcement) Regulations, 2021 (the Compliance and Enforcement Regulations); and
The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the Registration Regulations)
The regulations were due to take effect on 11th February, 2022 save for the Registration Regulations that provided for a grace period of 6 months for compliance pending the launch of a registration portal by the ODPC.
The registration portal has since gone live, and eligible data processors and controllers are now able to submit their applications for registration.
Below is a highlight of the notable provisions under each regulation:
The General Regulations
The General Regulations expound on the rights of data subjects and the corresponding obligations of data processors and controllers within the context of protected data under the DPA. The rights include; the rights to grant prior consent, restrict processing of data, object to the processing of data, make a request for data access, rectification of data, make a data portability request, and erasure of such data.
(a) Consent by a data subject
Prior to processing personal data, a data subject should be informed of the nature and scope of personal data being processed, reasons for processing and whether there is intention to share with a third party.
Additionally, a data processor or controller is required to satisfy itself on the capacity of the data subject to understand and indicate their consent. The data subject should also be informed of the nature of processing in simple and clear language. The consent sought must be specific and given voluntarily. Consent may be given orally or in writing and may include a handwritten signature or use of an electronic/other medium.
(b) Collection of personal data
The General Regulations outlines the various means of obtaining personal data and mandate collection of personal data that a data subject has expressly permitted.
(a) Commercial use of personal data
Where a data controller or processor intends to use personal data for a commercial purpose, they should seek the direct authorization of the data subject.
A data controller or processor may use personal data for commercial purpose if the data subject was notified that one of the purposes for which their data is collected is for direct marketing. A data subject should also be informed of their right to opt out from receiving direct market communication.
(b) Data retention
A data processor and controller should not retain personal data longer than necessary for the purpose for which it is processed.
(c) Automated decision-making
Data controllers/processors are required to inform a data subject when engaging in an automated processing and avail meaningful information about the logic involved in automated decision-making.
(a) Requirement for a data protection policy
A data controller/processor should put in place, publish and regularly update a policy that reflects their personal data handling practices. Such policy should contain, among others, the nature of personal data collected and retained, modes through which data subjects can access personal data, complaint handling mechanisms, lawful purposes for processing personal data, the retention period for personal data collected and any obligations or requirements to transfer personal data outside the country, to third parties or other data controllers/processors.
(b) Localization of personal data
Where data processing is done to actualize a public good, such processing should be done through a server and data centre situated in Kenya, and at least one serving copy of the particular personal data should be stored in a data centre located in Kenya.
(c) Personal data breaches
The General Regulations prescribe categories of notifiable data breaches. Risk of harm to a data subject occurs if the data breach relates to a data subject’s full name or identification number or the personal data contains an account identifier or any password, security code, access code, response to a security question, biometric data or other data used or required to allow access to or use of an individual’s account.
(a) Transfer of data outside of Kenya
The General Regulations outlines the requirements that should be met before transferring personal data outside of Kenya. A data controller/processor is under a legal obligation to ensure the same level of protection as that provided under the DPA and the Regulations and the data subject has consented to the transfer and the transferring entity has taken steps to ensure that the personal data shall not be used or disclosed by the recipient for any other unintended purpose. In addition, the transferring entity is required to enter into a written agreement with the recipient of the personal data.
The Compliance and Enforcement Regulations
The Compliance and Enforcement Regulations set out the procedure for submitting a complaint with the ODPC as well as the process of issuing enforcement and penalty notices under the DPA. A data subject or aggrieved person may lodge a complaint with the ODPC through –
the prescribed form under the Compliance and Enforcement Regulations;
orally;
online by email or web posting;
appropriate electronic means; or
by any other appropriate means.
A complaint may be submitted by the complainant in person, by another person acting on their behalf, a person authorised by law to act on the complainant’s behalf or anonymously. ODPC is required to acknowledge receipt of a complaint made by a data subject.
The Registration Regulations
The Registration Regulations give effect to the requirement under the DPA for data controllers and processors to register with the ODPC. They came into effect in July 2022 and both eligible data controllers and processors are expected to submit their applications for registration through the publicly available portal. Applications should be accompanied with the prescribed fee and supporting documentation.
Once issued, a certificate of registration is valid for 1 year and should displayed prominently at a principal place of business or website and a certified copy thereof displayed at every branch.
An application for renewal should be done 30 days before expiry. The ODPC may decline to grant an application for registration or renewal where an applicant fails to demonstrate appropriate safeguards for the protection of the privacy of data subjects and where an applicant is in violation of any provisions of the DPA.
The Registration Regulations also prescribe the thresholds for mandatory registration as a data controller or processor. A data controller/processor with an annual turnover of above KES. 5 Million and who employs less than 10 people is required to apply for registration and thereafter renewal. Some of the activities which require registration include health administration and provision of patient care, hospitality industry firms, administration of insurance, faith based and religious institutions, property managers, financial services providers, telecommunication network or service providers, marketing firms and internet service providers.
If you require tailored advice or further information or assistance, please contact us on sarinke@mckayadvocates.com.