How Does The Data Protection Act (No. 24 Of 2019) Protect You?

One of the greatest benefits of the Data Protection Act of Kenya is the protection of the rights of data subjects in section 26 of the Act. A data subject is a human being. These rights are: information, access, objection, correction and deletion. The right to information means that a data subject is given the reason for which, and the use to which, the personal data will be put. Access means that the data subject is entitled to get the personal data on request. Objection is the data subject's right to decline consent to the use of either part or all of their personal data. Correction is simply the right to ask for the amendment or rectification of such data where it is false or misleading, and deletion can be sought where a data controller or data processor has custody of a data subject's personal data and it is false or misleading. (A data processor is a legal or natural person who processes personal data on behalf of a data controller. A data controller is a legal or natural person who determines the purpose or means of processing personal data.)

Apart from these rights in section 25, there are others spread throughout this law and the different Regulations (subsidiary legislation) which are part of it, such as the right to:

  • object to the sharing of the data subject's personal data with third parties;
  • give express consent for commercial uses of personal data;
  • portability (transfer) of such personal data;
  • have personal data processed anonymously or under a pseudonym;
  • erasure of data;
  • notification in the event of a personal data breach;
  • in the case of a child data subject, have a parent or guardian consent on their behalf;
  • notification and consent in the event of transfer of data outside Kenya;
  • complain in the event that any of these rights are infringed or violated.

In the event of a violation, the best place for a person (a data subject) to start is with the organisation or organisations controlling or processing that data, in other words, the entities that collected, accessed, or are using it for any purpose. This was established by the Data Commissioner in ODPC Complaint No. 0574 of 2023 Jeff Nduko vs One Acre Fund. This means it would be considered premature for a data subject to lodge a complaint with the Data Commissioner if the data processor or data controller has not been approached to address the infringement or grievance. The value of the Kenyan Data Protection Act from a data subject's perspective is the protection of individual privacy. There are Complaints Regulations in the Act which detail the procedure to be followed in the event of a complaint and the forms to be used to present such complaints to the Regulator.

(If you need further or other information on Data Protection matters, kindly contact us, as this brief summary is intended to inform and is not to be treated as legal advice.)
