Highlights of the Kenyan Data Protection Act, 2019
Kenyan Data Protection Act 2019 is poised to bolster data protection efforts across Kenya. The Act extends to individuals, businesses, and organizations, regardless of their size or purpose, as long as they process personal data.
Here are the highlights of the Act:
Individual Rights
Right to access: Individuals have the right to access their personal data held by an organization and request corrections or deletions.
Right to rectification: Individuals can request inaccurate or incomplete data to be corrected.
Right to erasure: Individuals can request their data to be deleted under certain circumstances.
Right to object: Individuals can object to the processing of their data for specific purposes, like direct marketing.
Right to data portability: Individuals can request their data to be transferred to another organization in a machine-readable format.
Data Controller Obligations
Lawful processing: Data processing must have a legal basis, like consent or contractual necessity.
Transparency: Individuals must be informed about how their data is collected and used.
Purpose limitation: Data can only be collected and used for specific, legitimate purposes.
Data minimization: Only the minimum amount of necessary data should be collected.
Security: Appropriate security measures must be taken to protect personal data.
Data breach notification: Data controllers must notify authorities and affected individuals in case of a data breach.
The Office of the Data Protection Commissioner (ODPC) oversees the Act’s implementation. Individuals can complain to the ODPC about alleged violations of their data rights. Also, the ODPC has the power to investigate complaints and issue fines and other penalties.
The Act applies to all organizations processing personal data of Kenyan residents, regardless of their location.
It is worth noting that sensitive personal data, like health information, requires stricter protection and consent.
Cross-border data transfers are restricted and require safeguards.
However, exemptions exist for specific situations, like journalism and research.
