8th November, 2019 marked a great milestone in the history of Kenyan legislation with the enactment of the long-awaited Data Protection Act, 2019 (the Act). The purpose of the Act is to, inter alia, regulate the collection and processing of data in Kenya. The Act has introduced elaborate obligations on persons who collect and process data, whose infringement would lead to stiff penalties: an administrative fine of up to KES 5 million or, in the case of an undertaking, up to 1% of its annual turnover of the preceding year, whichever is lower.
The Act establishes the office of the Data Protection Commissioner, which is to be headed by a Data Commissioner. The role of the office of the Data Protection Commissioner includes overseeing the implementation of the Act, establishing and maintaining a register of data controllers and data processors, exercising oversight on data processing operations, and receiving and investigating any complaint by any person on infringement of the rights under the Act.
The Act has extraterritorial application as it applies to data controllers and processors established or resident in or outside Kenya in so far as they process personal data while in Kenya or of data subjects located in Kenya.
All data controllers and data processors who meet the thresholds to be prescribed will now be required to be registered with the Data Commissioner. Failure to register is an offence, punishable on conviction by a fine of KES 3 million or an imprisonment term not exceeding ten (10) years, or both.
The Data Commissioner may carry out periodical audits of the processes and systems of the data controllers or data processors to ensure compliance with the Act.
Section 24 of the Act allows data controllers and data processors to appoint a data protection officer who may be a staff member whose role includes advising on compliance with the Act. A group of entities is allowed to appoint a single data protection officer provided that the officer is accessible by each entity.
The Act outlines the principles of data protection, which are modelled on the principles set out in the EU General Data Protection Regulation. It further stipulates the rights of persons whose data is collected, including the right to: be informed of the use to which their personal data is to be put; access their personal data in the custody of a data controller or data processor; have false or misleading data corrected; and have false or misleading data about them deleted.
Processing of data is prohibited unless certain conditions set out under the Act, including obtaining the consent of the person whose data is processed, are fulfilled. In addition, the processing of sensitive personal data is prohibited except on the stipulated permitted grounds. Further, personal data relating to the health of a person may only be processed by or under the responsibility of a health care provider, or by a person subject to an obligation of professional secrecy under any law.
The Act also stipulates that a person shall not use personal data for commercial purposes unless, inter alia, the person obtains consent from the person whose data is to be used.
The Act outlines the conditions for the transfer of personal data outside of Kenya and the safeguards that must be considered. For instance, a transfer is permitted where it is necessary for the performance of a contract between the person whose data is collected and the data controller or data processor, or for the implementation of pre-contractual measures taken at that person’s request.
The impact of this Act is that persons who collect, control, manage and store data will need to review their terms and conditions and operations to avoid the risks of non-compliance.
This alert is for informational purposes only. If you have any queries or need clarifications, please do not hesitate to contact Jacob Ochieng, Partner, Milly Mbedi, Senior Associate, or your usual contact at our firm, for advice relating to the Data Protection Act, 2019 and how the same will affect you.