Data protection law originated from Europe in the 1970s as a reaction to the rise of the use of  computers. This eventually led to the development and adoption of the now-famous General  Data Protection Regulation (GDPR) in 2016 which became enforceable in 2018. The GDPR is a  legal framework that sets guidelines for the protection of the personal information of European  Union citizens. The GDPR has since then become a reference point for other data protection laws  globally.

In Kenya, The Constitution of Kenya 2010, Article 31 provides that every person has the right to  privacy, which includes the right not to have the privacy of their communications infringed and  information relating to their family or private affairs unnecessarily revealed. The Data Protection  Act No. 24 of 2019 (“the DPA”)gives effect to the above Article 31, together with the  Regulations below:

1. The Data Protection (Registration of Data Controllers and Data Processors) Regulations,  2021 (the “Registration Regulations”);
2. The Data Protection (Complaints Handling Procedure and Enforcement) Regulations,  2021 (the “Complaints Regulations”); and
3. The Data Protection (General) Regulations, 2021 (the “General Regulations”).

The DPA applies to all entities processing the personal data of data subjects residing in Kenya,  regardless of their location.

What is Personal Data? 

The DPA defines personal data as any information relating to an identified or identifiable natural  person. Further, it is any information that may identify a natural person such as a name, an  identification number, location data, an online identifier or to one or more factors specific to the  physical, physiological, genetic, mental, economic, cultural or social or social identity. For  purposes of land transactions, the name of a person, their National ID or Passport Number, their  KRA PIN, their passport photos, their Ardhisasa ID and their address are personal data.

What Responsibilities are placed on persons’ dealings with land transactions? 

Primarily, the DPA introduces Data Controllers and Data Processors, who are persons and/or  entities that deal with information pertaining to land and real estate transactions.

Section 2 of the DPA provides that a Data Controller as a natural or legal person determining the  purpose and means of the processing of personal data while a Data Processor is a natural or legal  person, that processes personal data on behalf of the data controller.

How does this apply to Real Estate? 

Regulation 13 of the Data Protection (General) Regulations, 2021, provides that Data  Controllers and Data Processors must register with the Office of the Data Protection

Commissioner (“the ODPC”). Further, the ODPC has provided a guideline to the effect that  registration is mandatory for Data Controllers and Processors who process personal data for  property management including the selling of land. For this purpose, the following

players involved in a property purchase and/or sale are registrable with the ODPC :

1. Buyer’s Agent (Real Estate Agent)
2. Listing Agent
3. Insurance Company
4. Appraiser
5. Local Authority/County Governments
6. Purchaser
7. Advocates
8. Lands Registry
9. Attorneys/Notary Signing Agent
10. Tax Advisors

The above persons use personal data from various data subjects when dealing with property,  including processing IDs, photos, signatures, location, bank account information etc. and as  Data Controller, when deciding what use to put the said data to, to facilitate the completion of a  purchase, transfer, registration of a lease, legal charge etc. over a property.

Is Property Information Personal Data ? 

Property information is linked to an owner as the details of the said property are not complete  without the description of the owner, for example, their name, ID number and address. Thus, this  data is an ‘identifiable marker’ and is thus considered to be personal regarding the individual.

It is important as a property owner to know that the usage of your personal data in the process  relating to your property is sensitive in nature and the law affords you the: Right to give consent  to the usage of personal data (e.g., the location of your name, property etc. Being disclosed)

1. Right to demand for safety protocols to be put in place to safeguard and protect your data b. Right to be informed how your personal data will be used
2. Right to be informed how long your personal data will be used
3. Right to options to stop and relinquish the processing of personal data
4. Right to be informed if the persons dealing with your property registered with the ODPA  and if compliant with the DPA

What does this mean to me? 

The introduction of the DPA protects individuals including but not limited to property owners. If  you are a person who deals with any personal data relating to a property transaction, you should  register with the ODPC and process data lawfully; minimize the collection of data; impose  restrictions on the processing of data; ensure data quality; establish and maintain security  safeguards to protect personal data and generally comply with the DPA.

Article by June Njoroge & Mary Ndung’u 

Published on 26th January 2023

Disclaimer 

This article is intended for general knowledge only. It does not create an advocate-client  relationship between any reader and Mboya Wangong’u & Waiyaki Advocates. For particular  expert advice on any matter dealt with above, please contact us through

jnjoroge@lexgroupafrica.com or mndungu@lexgroupafrica.com

admin