The Data Protection Act, 2019 (“the Act”) provides for various safeguards in relation to the
protection of personal data of data subjects. To achieve this, it places certain obligations on data
controllers and data processors. The Act defines a data controller as a natural or legal person,
public authority, agency or other body which, alone or jointly with others, determines the
purpose and means of processing of personal data. On the other hand, a data processor is defined
as a natural or legal person, public authority, agency or other body which processes personal data
on behalf of the data controller. Simply stated, a data processor acts on and within the scope of
instructions from the data controller.
From the outset, every entity and individual involved in the processing of personal data should
establish, based on its specific role, whether it is a data controller or a data processor. This
determination will aid in understanding and appreciating its specific data protection compliance
mandates.
Principles of Data Processing in the Act as a Guide for Compliance for Data Controllers and
Data Processors
• Accuracy
This refers to verifying the correctness of personal data with the data subject before and at
different stages of the processing, depending on the nature of the personal data and how often it
may change. It further entails giving data subjects an overview of, and easy access to, their
personal data so that they can check and correct its accuracy.
• Data minimization
This entails limiting the processing of personal data to what is necessary for the specified
purpose, or avoiding the processing of personal data altogether where this is possible. A data
controller or processor must be able to demonstrate the relevance of the data to the processing in
question. In addition, pseudonymising personal data as soon as the direct identifiers are no longer
necessary for the purpose is a key requirement.
• Integrity, confidentiality and availability
The principle entails having operational policies and procedures for information security in
place. This encompasses assessing the risks to the security of personal data and putting in place
technical and organisational measures to counter those risks.
• Purpose limitation
The purpose limitation principle entails specifying the legitimate purpose for the processing
of personal data before designing the organisational measures and safeguards for that
processing. The specified purpose should determine what personal data is collected. Data
controllers and processors should regularly review their processing activities to confirm that
the processing is still necessary for the purposes for which the data was collected, and test the
design of the processing against purpose limitation.
• Storage Limitation
The storage limitation principle requires data controllers and processors to determine the
length of storage required for a given type of personal data collected. In this regard, data
processors and controllers are under obligation to establish data retention policies and
procedures including procedures for archiving and deletion of personal data.
• Transparency
The transparency principle mandates data controllers and processors to use clear, simple and
plain language to communicate with the data subject to enable the data subject to make
informed decisions on the processing of their personal data. Additionally, the information on
the processing of personal data should be made available to the data subjects.
• Lawfulness
The appropriate legal basis, or legitimate interest, should be clearly connected to the specific
purposes of processing. Where consent is the basis, the data subject should know what they
consented to and be given a simple way of withdrawing that consent.
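The data minimisation and storage limitation principles above say what must happen to personal data once the purpose that justified collecting it has ended. The following Python example is added here as an illustration and is not part of the original article or any ODPC guidance; it shows one common way to implement both rules: direct identifiers are replaced with keyed pseudonyms (HMAC-SHA256) when they are no longer needed, and whole records are dropped when the retention period expires. The field names, the sample records, the dates and the demonstration key are all constructed assumptions; in a real system the key would come from a secret store and be held separately from the pseudonymised dataset.

```python
import hmac
import hashlib
from datetime import date

# Fields treated as direct identifiers in this example (assumed schema).
DIRECT_IDENTIFIERS = ("full_name", "email", "national_id")

# Placeholder key for the demonstration only. In production the key lives in a
# secret store / KMS with access limited to the few staff who may re-identify.
DEMO_KEY = b"demo-key-do-not-use-in-production"

# Constructed sample records; these are not real people.
SAMPLE_RECORDS = [
    {"id": 1, "full_name": "Asha Example", "email": "asha@example.com",
     "national_id": "00000001", "balance_kes": 1200,
     "identifiers_needed_until": date(2023, 12, 31),   # purpose ended
     "delete_after": date(2030, 12, 31)},
    {"id": 2, "full_name": "Brian Example", "email": "brian@example.com",
     "national_id": "00000002", "balance_kes": 450,
     "identifiers_needed_until": date(2025, 6, 30),    # still needed
     "delete_after": date(2031, 6, 30)},
    {"id": 3, "full_name": "Carol Example", "email": "carol@example.com",
     "national_id": "00000003", "balance_kes": 0,
     "identifiers_needed_until": date(2022, 1, 31),
     "delete_after": date(2023, 6, 30)},               # retention expired
]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym of an identifier: HMAC-SHA256 over the normalised value.

    Same value + same key -> same token, so records stay linkable for
    analytics, but the token cannot be reversed without the key. A plain
    unkeyed hash would not do: emails and national IDs are guessable, so
    SHA-256(value) could be brute-forced back to the identifier.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers replaced by pseudonyms."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = pseudonym(str(out[field]), key)
    out["pseudonymised"] = True
    return out


def apply_retention(records, key: bytes, today: date):
    """Apply data minimisation and storage limitation to a batch of records.

    - after identifiers_needed_until, the record is pseudonymised;
    - after delete_after, the record is dropped entirely.
    Returns (kept_records, number_deleted). Input records are not modified.
    """
    kept, deleted = [], 0
    for rec in records:
        if today > rec["delete_after"]:
            deleted += 1
            continue
        if today > rec["identifiers_needed_until"] and not rec.get("pseudonymised"):
            rec = pseudonymise_record(rec, key)
        kept.append(rec)
    return kept, deleted


if __name__ == "__main__":
    kept, deleted = apply_retention(SAMPLE_RECORDS, DEMO_KEY, date(2024, 2, 5))
    print(f"kept {len(kept)} record(s), deleted {deleted}")
    for r in kept:
        print(r["id"], r["email"], "pseudonymised" if r.get("pseudonymised") else "clear")
```

Run on the sample data as of 5 February 2024, record 1 is kept but its name, email and national ID become tokens, record 2 is kept in the clear because its purpose is still active, and record 3 is deleted because its retention period has ended. The balance field survives pseudonymisation, which is the point: the controller can still analyse the data without holding identities it no longer needs.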
Applicability of the Principles of Data Processing
It is imperative that data processors and controllers ensure strict compliance with the data
protection principles in their day-to-day personal data processing activities. The data protection
principles should be the bedrock upon which all decisions relating to personal data processing,
including the implementation of technical and organisational safeguards, are anchored.
Other Obligations of Data Processors and Controllers
The Act requires data processors and controllers to be registered with the Office of the Data
Protection Commissioner (ODPC). An application for registration should describe the personal data
to be processed, the purpose for which it is being processed, and give a general description of
the risks, safeguards and security measures that have been put in place to ensure the protection
of personal data. It is worth noting that entities with a turnover/revenue of
below Kshs. Five Million (5,000,000/=) or with less than 10 employees are exempted from
mandatory registration. The exemption from mandatory registration based on the turnover limit
and number of employees will not apply to entities operating in the following industries: financial
sector, health, gambling, hospitality industry, telecommunication sector or service providers,
educational and political institutions, property management, and entities dealing with genetic
data.
The Act also requires data processors and controllers to inform data subjects, prior to collection
of their personal data, of, among other things: their rights, the fact that their personal data is
being collected, the purpose of the collection, the safeguards to be adopted, any data sharing
arrangements, and the consequences, if any, of failing to provide all or any part of the requested data.
Additionally, the Act mandates data processors and controllers to carry out a data protection
impact assessment where a processing activity is, by virtue of its nature, scope, context and
purposes, likely to result in a high risk to the rights and freedoms of a data subject.
Further, a data controller must report a personal data breach to the ODPC without delay and within
72 hours of becoming aware of it.
Consequences of Failure to Comply with Data Protection Obligations
The enforcement mechanisms for breach of obligations by data processors and controllers are set
out in Part VIII of the Act and include the issuance of enforcement notices, penalty notices,
administrative fines and compensation of data subjects. The ODPC is required to first issue an
enforcement notice to a data controller or processor in breach of the Act, requiring remedial
action. Failure of a data processor or controller to comply with an ODPC enforcement notice
attracts a penalty of an amount not exceeding Kshs. 5 million or 1% of the data processor's or
controller's annual turnover for the preceding financial year, or imprisonment for a term not
exceeding two years, or both.
Article by Mary Ndung’u, Pauline Njau and Emily Ogonyo
Published on 5th February, 2024
This article is intended for general knowledge only. For substantive legal advice on this, please
contact us through cgmbugua@lexgroupafrica.com and mndungu@lexgroupafrica.com