Faqs On Data Protection

Does the Data Protection Act 2019 (the Act) cover corporate entities?

The Act applies to all persons processing personal data of data subjects residing in Kenya, whether or not such persons are established or resident in Kenya. Therefore, a corporate entity (being a legal person) that undertakes any form of processing of personal data of data subjects residing in Kenya is required to be compliant with the Act.

Who needs to register with the Office of the Data Protection Commissioner (the ODPC)?

The Data Protection Act provides for the registration of a data controller and data processor where an entity has an annual turnover of more than KES 5 million and employs more than ten (10) people. In addition, the Act and the subsequent Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 require the mandatory registration of a data controller or processor participating in the following activities:

• canvassing political support among the electorate;

• crime prevention and prosecution of offenders (including operating CCTV systems);
• gambling;
• operating an educational institution;
• health administration and provision of patient care;
• hospitality industry firms but excludes tour guides;
• property management including the selling of land;
• provision of financial services;
• telecommunications network or service providers;
• businesses that are wholly or mainly in direct marketing;
• transport service firms (including online passenger hailing applications); and
• businesses that process genetic data.

What happens to the personal data previously collected and processed?

All persons processing personal data, whether previously or going-forward are required to be in compliance with the Data Protection Act and its subsequent regulations. As such, all persons who have previously collected or processed personal data in any way will be required to ensure their processing is done in compliance with the Act. This means that such persons should ensure their obligations are performed effectively, such as ensuring they obtain the consent of the data subjects before any further processing, ensuring there are appropriate safeguards are in place, ensuring the data subjects are informed of their rights and purpose of processing, among other responsibilities.

What are the penalties for non-compliance with the Data Protection Act?

The Act under Section 58 gives the ODPC the power to impose administrative fines for a failure to comply with any provision of this Act. The ODPC may impose a fine of up to KES. 5 million (approx. USD. 41,700) or, in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower. In addition, there are further sanctions imposed on specific offences provided under the Act, including;

1. Unlawful disclosure of personal data in a manner incompatible with the purpose for which the data was collected;
2. Unlawful disclosure of personal data that the data processor processed without the prior authorization of the data controller;
3. Obtaining access to personal data without the prior authorization of the data controller or processor holding the data;
4. Disclosure of personal data to a third party without prior authorization by the data controller or processor holding the data;
5. Sale of personal data obtained unlawfully. Advertising the sale of such data constitutes an offer to sell under this offence;
6. Failure to register with the Office of the Data Commissioner as a data processor or controller;
7. Provision of false or misleading information during the application process for registration as a data processor or controller; and
8. Obstruction of the Office of the Data Commissioner during an investigation.

On conviction, an offence under the DPA carries a general penalty of a fine not exceeding KES. 3 million (USD. 30,000) or an imprisonment term not exceeding ten years, or both. In addition, obstruction of the Data Commissioner during an investigation is an offence liable to a fine not exceeding KES. 5 million (USD. 50,000) or imprisonment for a term not exceeding two years, or to both.

What amounts to valid consent?

For the consent of a data subject to be deemed to be valid, the Data Protection Act requires such consent to be “freely given, specific, unambiguous, express, explicit, unequivocal and informed indication of the data subject’s wishes” by which the said person signifies agreement to the processing of their personal data either by a statement verbally or in writing or by a clear affirmative action.

Can One Register as Both a Data Controller and A Data Processor?

This is possible. A person can register both as a data controller and data processor where they are performing both functions as part of the nature of their operations.

How long should a company/business retain an employee’s personal information once he/she leaves the organization?

The Data Protection Act does not provide for a specific timeline within which one must get rid of personal data who’s intended purpose for processing has been achieved, as Act appreciates that the data is collected for different reasons. It only provides that one must retain personal data for a reasonable time and that one must not hold personal data where the data has accomplished the purpose for collection. This means that the retention of personal data is based on the purpose and use attributed to it at the point of collection. As such, personal data relating to employees may be kept after the employee leaves the organization, only where there may be some use of such information thereafter, for instance, where required by law to retain information for a specific period of time. The Act mandates that one should keep information for “no longer than is necessary”, and for a legitimate purpose which must not be excessive. Ultimately, the retention of personal data for a reasonable time period after an employee leave will be determined on a case-to-case basis where the company/business would have to justify the period they require such information to be held. The emphasis is on the employer (as the data controller) to have systems/policies in place to determine how long the data should be retained and when records should be disposed off or destroyed. Please note that there are various uses of an employee’s personal data, including when defending against a claim brought by the data subject (former employee). Among other things, you may be used to disprove details of their accusations or even serve as evidence that you complied with the law as an employer. A claim for unfair dismissal must be filed within a maximum of up to three (3) years after such dismissal (Section 90 of the Employment Act). For this reason, it’s would be justifiable to retain such information for a similar period. For more information, please contact our corporate team through email law@cmadvocates.com.