AfriVest — Digitizing Africa

Kenya — Regional Standard

DPA Kenya

Kenya's landmark data protection legislation — securing digital rights in East Africa's innovation hub

— Overview

Understanding DPA Kenya

Kenya's Data Protection Act 2019 was enacted to give effect to Article 31(c) and (d) of the Constitution of Kenya, which guarantees every person the right to privacy — including the right not to have information relating to their family or private affairs unnecessarily required or revealed, and the right not to have the privacy of their communications infringed.

As East Africa's technology and innovation hub — home to M-Pesa, Silicon Savannah, and a thriving fintech ecosystem — Kenya's data protection framework carries outsized significance for the continent's digital economy. The Act establishes seven principles of data processing: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

The Office of the Data Protection Commissioner (ODPC) was established in November 2020 and has since issued guidance on data protection impact assessments, registration requirements, and cross-border data transfers. Kenya's approach balances innovation-friendliness with robust protection, recognizing the country's role as a testbed for digital financial services.

For AfriVest, Kenya represents a critical market given its advanced mobile money infrastructure (M-Pesa processes over $300 billion annually), cooperative movement (over 22,000 registered cooperatives with 14 million members), and progressive regulatory environment. Our platform processes personal data of Kenyan data subjects through cooperative governance tools, digital identity verification, and cross-border payment services — all requiring full DPA compliance.

The Act's provisions on automated decision-making are particularly relevant for AfriVest's credit scoring and risk assessment systems, which use alternative data to evaluate cooperative members' creditworthiness. We ensure transparency in algorithmic decisions and provide mechanisms for human review of automated determinations that significantly affect data subjects.

Regulator
Office of the Data Protection Commissioner (ODPC)
Enacted
2019
Effective Date
25 November 2019
Scope
Processing of personal data by controllers and processors within Kenya, or relating to data subjects in Kenya
55M+
Population
2019
Enacted
7
Principles
KES 5M
Max Fine

— Key Provisions

Core Provisions of DPA Kenya

Principles of Data Processing

Seven core principles govern all processing: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. AfriVest embeds these principles in platform architecture through privacy-by-design.

Registration of Data Controllers and Processors

All data controllers and processors must register with the ODPC, providing details of processing activities, categories of data, and security measures. AfriVest maintains current registration for all Kenyan processing activities.

Data Protection Impact Assessment

Required before processing that involves new technologies, automated decision-making, large-scale processing of sensitive data, or systematic monitoring. AfriVest conducts DPIAs for all new features affecting Kenyan users.

Transfer of Personal Data Outside Kenya

Cross-border transfers require proof of appropriate safeguards — including adequacy of the recipient country's protection, binding corporate rules, or consent of the data subject.

Rights Regarding Automated Decision-Making

Data subjects have the right not to be subject to decisions based solely on automated processing that significantly affect them, and to obtain human intervention in such decisions.

Data Breach Notification

Controllers must notify the ODPC within 72 hours of becoming aware of a data breach, and notify affected data subjects where the breach is likely to result in high risk to their rights.

— Data Subject Rights

Individual Rights Under DPA Kenya

Right to be Informed

Data subjects must be informed of the collection of their personal data, including the purpose, legal basis, recipients, and retention period.

Right of Access

Data subjects can request confirmation of processing and access to their personal data, along with supplementary information about the processing.

Right to Rectification

Data subjects can request correction of inaccurate data and completion of incomplete data.

Right to Erasure

Data subjects can request deletion of personal data where processing is no longer necessary or lawful.

Right to Object

Data subjects can object to processing based on legitimate interests, public interest, or for direct marketing purposes.

Right to Data Portability

Data subjects can receive their data in a structured, commonly used format and transmit it to another controller.

— Compliance

Compliance Requirements

ODPC Registration

Register as a data controller/processor with the Office of the Data Protection Commissioner and maintain current registration.

Privacy Notice

Provide clear, accessible privacy notices to all data subjects at the point of data collection.

Data Protection Officer

Appoint a DPO where processing is carried out by a public authority, involves large-scale systematic monitoring, or large-scale processing of sensitive data.

Records of Processing

Maintain detailed records of all processing activities, including purposes, categories, recipients, transfers, and security measures.

Security Measures

Implement appropriate technical and organizational security measures proportionate to the risk, including encryption and access controls.

DPIA for High-Risk Processing

Conduct Data Protection Impact Assessments before any processing likely to result in high risk to data subjects.

— Enforcement

Penalties & Enforcement

Administrative Fine (Individual)
Up to KES 3 million

For individuals who commit offenses under the Act.

Administrative Fine (Body Corporate)
Up to KES 5 million

For corporate entities that commit offenses under the Act.

Imprisonment
Up to 10 years

For serious offenses including unauthorized disclosure, obstruction of the Commissioner, and fraudulent data collection.

AfriVest

Let's build Africa's
digital future together.

Connect with our team to explore how AfriVest's sovereign infrastructure can serve your nation, institution, or community.