The Data Protection Act, 2019

NATIONAL COUNCIL FOR LAW REPORTING LIBRARY

SPECIAL ISSUE

Kenya Gazette Supplement No. 181 (Acts No. 24)

!img-0.jpeg

REPUBLIC OF KENYA

# KENYA GAZETTE SUPPLEMENT

ACTS, 2019

NAIROBI, 11th November, 2019

CONTENT

Act—

PAGE

The Data Protection Act, 2019...901

NATIONAL COUNCIL FOR LAW REPORTING RECEIVED 18 NOV 2019 P.O. Box 10448-00108 NAIROBI, KENYA TEL: 2719231 FAX: 2712694

PRINTED AND PUBLISHED BY THE GOVERNMENT PRINTER, NAIROBI

901

# THE DATA PROTECTION ACT

No. 24 of 2019

Date of Assent: 8th November, 2019

Date of Commencement: 25th November, 2019

# ARRANGEMENT OF SECTIONS

Sections

PART I—PRELIMINARY

1. —Short title.
2. —Interpretation.
3. —Object and purpose of this Act.
4. —Application.

PART II—ESTABLISHMENT OF THE OFFICE OF THE DATA PROTECTION COMMISSIONER

1. —Establishment of the Office.
2. —Appointment of the Data Commissioner.
3. —Qualifications of the Data Commissioner.
4. —Functions of the Data Commissioner.
5. —Powers of the Office.
6. —Delegation by the Data Commissioner.
7. —Vacancy in the Office of the Data Commissioner.
8. —Removal of the Data Commissioner from office.
9. —Staff of the Office.
10. —Remuneration of the Data Commissioner and staff.
11. —Oath of Office.
12. —Confidentiality agreements.
13. —Protection from personal liability.

PART III—REGISTRATION OF DATA CONTROLLERS AND DATA PROCESSORS

1. —Registration of data controllers and data Processors.
2. —Application for registration.
3. —Duration of the registration certificate.
4. —Register of data controllers and data processors.

902

No. 24

Data Protection

1. —Cancellation or variation of the certificate.

1. —Compliance and audit.

1. —Designation of the Data Protection Officer.

PART IV—PRINCIPLES AND OBLIGATIONS OF PERSONAL DATA PROTECTION

1. —Principles of personal data protection.

1. —Rights of a data subject.

1. —Exercise of rights by data subject.

1. —Collection of personal data.

1. —Duty to notify.

1. —Lawful processing of personal data.

1. —Data protection impact assessment.

1. —Conditions for consent.

1. —Processing of personal data relating to a child.

1. —Restriction on processing.

1. —Automated individual decision making.

1. —Objecting to processing.

1. —processing for direct marketing.

1. —Right to data portability.

1. —Limitation to retention of personal data.

1. —Right of rectification and erasure.

1. —Data protection by design or default.

1. —Particulars of determining organisational measures.

1. —Notification and communication of breach.

PART V—GROUNDS FOR PROCESSING OF SENSITIVE PERSONAL DATA

1. —Processing of sensitive personal data.

1. —Permitted grounds for processing sensitive personal data.

1. —Personal data relating to health.

1. —Further categories of sensitive personal data.

903

2019

Data Protection

No. 24

# PART VI—TRANSFER OF PERSONAL DATA OUTSIDE KENYA

1. —Conditions for transfer out of Kenya.
2. —Safeguards prior to transfer of personal data out of Kenya.
3. —Processing through a data server or centre in Kenya.

# PART VII—EXEMPTIONS

1. —General exemptions.
2. —Journalism, literature and art.
3. —Research, history and statistics.
4. —Exemptions by the Data Commissioner.
5. —Data-sharing code.

# PART VIII—ENFORCEMENT PROVISIONS

1. —Complaints to the Data Commissioner.
2. —Investigation of complaints.
3. —Enforcement notices.
4. —Power to seek assistance.
5. —Power of entry and search.