— Overview
Understanding DPA Kenya
Kenya's Data Protection Act 2019 was enacted to give effect to Article 31(c) and (d) of the Constitution of Kenya, which guarantees every person the right to privacy — including the right not to have information relating to their family or private affairs unnecessarily required or revealed, and the right not to have the privacy of their communications infringed.
As East Africa's technology and innovation hub — home to M-Pesa, Silicon Savannah, and a thriving fintech ecosystem — Kenya's data protection framework carries outsized significance for the continent's digital economy. The Act establishes seven principles of data processing: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
The Office of the Data Protection Commissioner (ODPC) was established in November 2020 and has since issued guidance on data protection impact assessments, registration requirements, and cross-border data transfers. Kenya's approach balances innovation-friendliness with robust protection, recognizing the country's role as a testbed for digital financial services.
For AfriVest, Kenya represents a critical market given its advanced mobile money infrastructure (M-Pesa processes over $300 billion annually), cooperative movement (over 22,000 registered cooperatives with 14 million members), and progressive regulatory environment. Our platform processes personal data of Kenyan data subjects through cooperative governance tools, digital identity verification, and cross-border payment services — all requiring full DPA compliance.
The Act's provisions on automated decision-making are particularly relevant for AfriVest's credit scoring and risk assessment systems, which use alternative data to evaluate cooperative members' creditworthiness. We ensure transparency in algorithmic decisions and provide mechanisms for human review of automated determinations that significantly affect data subjects.
— Key Provisions
Core Provisions of DPA Kenya
Principles of Data Processing
Seven core principles govern all processing: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. AfriVest embeds these principles in platform architecture through privacy-by-design.
Registration of Data Controllers and Processors
All data controllers and processors must register with the ODPC, providing details of processing activities, categories of data, and security measures. AfriVest maintains current registration for all Kenyan processing activities.
Data Protection Impact Assessment
Required before processing that involves new technologies, automated decision-making, large-scale processing of sensitive data, or systematic monitoring. AfriVest conducts DPIAs for all new features affecting Kenyan users.
Transfer of Personal Data Outside Kenya
Cross-border transfers require proof of appropriate safeguards — including adequacy of the recipient country's protection, binding corporate rules, or consent of the data subject.
Rights Regarding Automated Decision-Making
Data subjects have the right not to be subject to decisions based solely on automated processing that significantly affect them, and to obtain human intervention in such decisions.
Data Breach Notification
Controllers must notify the ODPC within 72 hours of becoming aware of a data breach, and notify affected data subjects where the breach is likely to result in high risk to their rights.
— Data Subject Rights
Individual Rights Under DPA Kenya
Right to be Informed
Data subjects must be informed of the collection of their personal data, including the purpose, legal basis, recipients, and retention period.
Right of Access
Data subjects can request confirmation of processing and access to their personal data, along with supplementary information about the processing.
Right to Rectification
Data subjects can request correction of inaccurate data and completion of incomplete data.
Right to Erasure
Data subjects can request deletion of personal data where processing is no longer necessary or lawful.
Right to Object
Data subjects can object to processing based on legitimate interests, public interest, or for direct marketing purposes.
Right to Data Portability
Data subjects can receive their data in a structured, commonly used format and transmit it to another controller.
— Compliance
Compliance Requirements
ODPC Registration
Register as a data controller/processor with the Office of the Data Protection Commissioner and maintain current registration.
Privacy Notice
Provide clear, accessible privacy notices to all data subjects at the point of data collection.
Data Protection Officer
Appoint a DPO where processing is carried out by a public authority, involves large-scale systematic monitoring, or large-scale processing of sensitive data.
Records of Processing
Maintain detailed records of all processing activities, including purposes, categories, recipients, transfers, and security measures.
Security Measures
Implement appropriate technical and organizational security measures proportionate to the risk, including encryption and access controls.
DPIA for High-Risk Processing
Conduct Data Protection Impact Assessments before any processing likely to result in high risk to data subjects.
— Enforcement
Penalties & Enforcement
For individuals who commit offenses under the Act.
For corporate entities that commit offenses under the Act.
For serious offenses including unauthorized disclosure, obstruction of the Commissioner, and fraudulent data collection.




