africa
Kenya
Kenya's Data Protection Act established a modern national regime overseen by the Office of the Data Protection Commissioner.
Editorial caveat
Structured values summarize official materials for research and planning. They are reviewed by humans before publication and should not be treated as legal advice.
medium confidence, Requires a more detailed pass on transfer and registration mechanics.
Breach
- Breach deadline (hours)
- 72
- Breach notification required
- Yes
Marketing
- Cookie consent rule
- Cookie and tracking obligations are shaped by consent, fairness, and purpose limitation requirements.
Transfers
- Cross-border transfer restricted
- Yes
- Data localization required
- No
Governance
- DPO required
- Yes
- Impact assessment required
- Yes
- Records of processing required
- Yes
Identity
- Effective date
- 2019-11-25
- Effective status
- in-force
- Last amended
- 2022-09-14
- Law status
- active
Scope
- Extraterritorial application
- Yes
- Private sector coverage
- Applies broadly to private-sector data controllers and processors.
- Public sector coverage
- Public entities are also subject to the framework.
- Territorial scope
- Applies to processing in Kenya and, in some circumstances, processing by controllers or processors outside Kenya that handle data of persons in Kenya.
Legal Basis
- Legal bases
- consent, contract, legal obligation, public interest, legitimate interests
- Requires legal basis
- Yes
Enforcement
- Maximum fine
- The ODPC can issue enforcement notices and meaningful financial penalties for violations.
- Private right of action
- Yes
- Regulator or enforcement authority summary
- Office of the Data Protection Commissioner
Definitions
- Personal data definition
- Personal data means any information relating to an identified or identifiable natural person.
- Sensitive data recognized
- Yes
Rights
- Right of access
- Yes
- Right to appeal
- Yes
- Right to deletion
- Yes
- Right to erasure or delete summary
- Deletion rights
- Right to object
- Yes
- Right to portability
- Yes
- Right to rectification or correction summary
- Rectification right
Official sources
- Kenya Data Protection Act textPrimary official law • en • html
- ODPC guidanceSecondary official material • en • html