Data Protection Act, 2019


REPUBLIC OF KENYA

# KENYA GAZETTE SUPPLEMENT

ACTS, 2019

NAIROBI, 11th November, 2019

CONTENT

Act-

PAGE

The Data Protection Act, 2019.. ..901

NATIONAL COUNCIL FOR LAW REPORTING RECEIVED

18 NOV 2019

MO. Dax 10448- 06106 NAIROBI, KENYA TEL: 2719231 FAX: 2712694

PRINTED AND PUBLISHED BY THE GOVERNMENT PRINTER, NAIROBI

# THE DATA PROTECTION ACT

# No. 24 of 2019

Date of Assent: 8th November, 2019

Date of Commencement: 25th November, 2019

ARRANGEMENT OF SECTIONS

# Sections

# PART I—PRELIMINARY

1. —Short title.
2. -Interpretation.
3. —Object and purpose of this Act.
4. —Application.

# PART II—ESTABLISHMENT OF THE OFFICE OFTHE DATA PROTECTION COMMISSIONER

1. —Establishment of the Office.
2. — Appointment of the Data Commissioner.
3. —Qualifications of the Data Commissioner.
4. —Functions of the Data Commissioner.

. —Powers of the Office. 10. —Delegation by the Data Commissioner. 11. — Vacancy in the Office of the Data Commissioner. 12. —Removal of the Data Commissioner from office. 13. —Staff of the Office. 14. —Remuneration of the Data Commissioner and staff. 15. —Oath of Office. 1.Confidentiality agreements. 17.—Protection from personal liability.

# PART III—REGISTRATION OF DATA CONTROLLERS AND DATA PROCESSORS

1. —Registration of data controllers and data Processors.
2. —Application for registration.
3. —Duration of the registration certificate.

Register of data controllers and data processors.

1. —Cancellation or variation of the certificate.
2. —Compliance and audit.
3. —Designation of the Data Protection Officer.

# PART IV-PRINCIPLES AND OBLIGATIONS OF PERSONAL DATA PROTECTION

1. —Principles of personal data protection.
2. —Rights of a data subject.
3. —Exercise of rights by data subject.
4. —Collection of personal data.
5. — Duty to notify.
6. —Lawful processing of personal data.
7. —Data protection impact assessment.
8. —Conditions for consent.
9. —Processing of personal data relating to a child.
10. —Restriction on processing.
11. —Automated individual decision making.
12. —Objecting to processing.
13. —processing for direct marketing.
14. —Right to data portability.
15. —Limitation to retention of personal data.
16. —Right of rectification and erasure.
17. —Data protection by design or default.
18. —Particulars of determining organisational measures.
19. —Notification and communication of breach.

# PART V—GROUNDS FOR PROCESSING OF SENSITIVE PERSONAL DATA

1. —Processing of sensitive personal data.
2. -Permitted grounds for processing sensitive personal data.
3. —Personal data relating to health.
4. —Further categories of sensitive personal data.

# PART VI—TRANSFER OF PERSONAE DATA OUTSIDE KENYA

1. —Conditions for transfer out of Kenya.
2. —Safeguards prior to transfer of personal data out of Kenya.
3. —Processing through a data server or centre in Kenya.

# PART VII—EXEMPTIONS

1. —General exemptions.
2. —Journalism, literature and art.
3. —Research, history and statistics.
4. —Exemptions by the Data Commissioner.
5. —Data-sharing code.

# PART VIII—ENFORCEMENT PROVISIONS

1. —Complaints to the Data Commissioner.
2. —Investigation of complaints.
3. —Enforcement notices.
4. —Power to seek assistance.
5. — Power of entry and search.
6. —Obstruction of the Data Commissioner.
7. —Penalty notices.
8. —Administrative fines.
9. Right of appeal.
10. —Compensation of data subject.
11. —Preservation Order.