# (Legislative Supplement No. 106)
Legal Notice No. 263
THE DATA PROTECTION ACT
(No. 24 of 2019)
THE DATA PROTECTION (GENERAL) REGULATIONS, 2021
ARRANGEMENT OF REGULATIONS
Regulation
# PART I—PRELIMINARY
1—Citation. 2—Interpretation. 3—Exemption.
# PART II—ENABLING THE RIGHTS OF A DATA SUBJECT
4—Processing on the basis of consent. 5—Lawful basis for processing. 6—Mode of collection of personal data. 7—Restriction to processing. 8—Objection to processing. 9—Data access request. 10—Rectification of personal data. 11—Data portability request. 12—Right of erasure. 13—Exercise of rights by others.
# PART III—RESTRICTIONS ON THE COMMERCIAL USE OF PERSONAL DATA
14—Interpretation of commercial purpose. 15—Permitted commercial use of personal data. 16—Features of an opt out message. 17—Mechanisms to comply with opt out requirement. 18—Requests for restriction of further direct marketing.
# PART IV—OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS
19—Retention of personal data. 20—Requests to deal anonymously or pseudonymously. 21—Sharing of personal data. 22—Automated individual decision making. 23—Data protection policy. 24—Contract between data controller and data processor. 25—Obligations of a data processor. 26—Requirement for specified processing data to be done in Kenya.
# PART V—ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT
27—Data protection by design or default. 28—Elements of data protection by design or default. 29—Elements for principle of lawfulness. 30—Elements for principle of transparency. 31—Elements for principle of purpose limitation. ennlity 33—Elements for principle of data minimization. 34—Elements for principle of accuracy. 35—Elements for principle of storage limitation. 36—Elements for principle of fairness.
# PART VI—NOTIFICATION OF PERSONAL DATA BREACHES
37—Categories of notifiable data breach. 38—Notification to Data Commissioner.
# PART VII—TRANSFER OF PERSONAL DATA OUTSIDE KENYA
39—Interpretation of Part VII. 40—General principles for transfers of personal data out of the country. 41—Transfers on the basis of appropriate safeguards. 42—Deeming of appropriate safeguards. 43—Binding corporate rules. 44—Transfers on the basis of an adequacy decision. 45—Transfers on the basis of necessity. 46—Transfer on basis of consent. 47—Subsequent transfers. 48—Provisions for the agreement to cross border transfer.
# PART VIII—DATA PROTECTION IMPACT ASSESSMENT
49—Processing activities requiring data protection impact assessment. 50—Conduct of data protection impact assessment. 51—Prior consultation. 52—Consideration of data protection impact assessment report. 53—Audit of compliance with assessment report.
# PART IX—PROVISIONS ON EXEMPTIONS UNDER THE ACT
54—Exemption for national security. 55—Exemptions for public interest. 56—Permitted general situation. 57—Permitted health situation.
# PART X—GENERAL PROVISIONS
58—Complaints against Data Controller and Data Processor.
SCHEDULES
# THE DATA PROTECTION ACT, 2019
# (No. 24 of 2019)
IN EXERCISE of the powers conferred by section 71 of the Data Protection Act, 2019, the Cabinet Secretary for Information, Communication, Technology, Innovation and Youth Affairs makes the following Regulations—
# THE DATA PROTECTION (GENERAL) REGULATIONS, 2021
# PART I—PRELIMINARY
Citation.
1. These Regulations may be cited as the Data Protection (General) Regulations, 2021.
Interpretation.
2. In these Regulations, unless the context otherwise requires—
"Act" means the Data Protection Act, 2019;
No. 24 of 2019.
"Data Commissioner" means the person appointed as such pursuant to section 6 of the Act; and
"Office" has the meaning assigned to it under the Act.