

Compliance with Data Protection Laws; Principles of Personal Data Protection in Kenya.

The Data Protection Act was enacted with a view to promoting the right to privacy, particularly in relation to personal information. This information may be collected automatically or manually for several purposes.

These purposes include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation or use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Carrying out any of these, as an operation or set of operations, is referred to as data processing.

A data subject is a natural person, like you and me, who gives information that is processed by a data controller or by a data processor on behalf of a data controller. A data controller, by contrast, is a natural or legal person, including a company, public authority, agency or other body, which, alone or jointly with others, determines the purpose and means of processing of personal data.

A data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

Principles on the use of Personal Data.

Personal data should be used in line with the principles set out under the Data Protection Act, No. 24 of 2019. Personal data may be processed in accordance with the rights of a data subject. This means that a data processor may not process data in a manner that interferes with the data subject’s rights, for example the right of access to information.

A data processor or controller cannot collect or use data illegitimately or in a manner that was not specifically and explicitly set out to a data subject. A data processor also ought to use personal data in a manner that is lawful, fair and transparent in relation to any data subject.

Take, for instance, the processing of data by credit reference bureaus. This data cannot be processed in a manner that is detrimental to the data subject. The Credit Reference Bureau Regulations of 2019, for instance, allow customers to file information on their credit history in order to challenge or correct information otherwise held by that Bureau concerning that customer.

This opens up the Credit Reference Bureaus to public scrutiny regarding the information displayed by them, thus enhancing transparency.

Data Controllers and Data Processors ought to ensure that personal data that is being processed is adequate, relevant and limited to what is necessary. When family or private affairs are involved, a valid explanation is required from the data subject before collecting personal data.

Personal data that is processed by data controllers or data processors should be accurate and up to date, and any inaccurate personal data ought to be erased or rectified without delay. Personal data ought to be kept in a form which identifies the data subjects for no longer than is necessary and should be processed for the purposes for which it was collected.

It is worth noting that personal data is not transferable outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject. This raises the delicate question of whether a data processor or controller may, on their own initiative, decide to transfer data outside Kenya simply because there are adequate safeguards, without the consent of the data subject.

The thin line between consent of a data subject and the decision of a data controller or processor to transfer personal data outside Kenya.

The right to privacy is non-derogable. This means it may not be limited under the auspices of the Constitution of Kenya, 2010. However, the Data Protection Act has provided that personal data may not be transferred outside Kenya without proof of adequate data protection safeguards or consent from the data subject. This raises the question of whether a data controller or processor may decide to transfer personal data outside Kenya, without the consent of the data subject, if they determine that there are adequate safeguards.

First of all, it is important to note that the provision on consent is preceded by a disjunctive. This means that a data processor or controller may choose to transfer the data outside Kenya if they have adequate data protection safeguards.

Secondly, among the principles guiding the use of personal data is the principle of processing data in a transparent manner and setting out, explicitly and specifically, the purposes of the personal data. Therefore, it is imperative to set out expressly, in the agreement between the data processor or data controller and the data subject, that the data may be stored locally or internationally, to avoid any shortcomings with the law.


Data processing includes several activities, and it is crucial to carry out these activities while respecting the right to privacy of an individual where personal data is involved. The principles of data protection regarding personal data do not apply independently; rather, they should be applied as a whole.

Additionally, in this digital age it is advisable that data controllers or processors include a clause for the storage of personal data both locally and internationally. Caution should be exercised whenever trying to transfer personal data outside Kenya, as it may lead to sanctions.

The information provided in this article is intended for general legal advice and does not constitute legal advice for any specific transaction or case. Since each transaction presents a unique legal context, it is advisable to retain a legal adviser for specific transactions.

