DATA PROTECTION SERIES: 1. RIGHTS OF DATA SUBJECTS AND PROTECTION ACCORDED BY THE DATA PROTECTION REGULATIONS (KENYA)

As part of its mandate, the Taskforce of the Office of the Data Protection Commissioner (ODPC) published three sets of Data Protection Regulations (on the 20th of April, 2021), namely:

  1. The Data Protection (General) Regulations, 2021; 
  2. Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021;
  3. Data Protection (Compliance and Enforcement) Regulations, 2021.

Following the public participation forums held by the ODPC in relation to these Regulations, I am embarking on a data protection series in which I unpack the rights of data subjects accorded by the data protection laws of Kenya and the obligations that arise for data controllers and data processors as a result of safeguarding those rights.

In this episode, I examine the rights of a data subject as envisaged in the Data Protection (General) Regulations and the legal redress available to the data subject upon contravention of those rights, as provided for by the Data Protection (Compliance and Enforcement) Regulations. For each right this covers the statutory requirement placed on the data controller and/or data processor, the requisite form for application, the timeline for delivery and the applicable statutory fee in respect of each request. It is important to note that, owing to the significant feedback received during the public participation forums, certain administrative requirements may be subject to change prior to the gazettement of these Regulations.

Glossary

*DC – Data Controller

*DP – Data Processor

*DS – Data Subject

*DPIA – Data Protection Impact Assessment

*ODPC – Office of the Data Protection Commissioner

DATA PROTECTION (GENERAL) REGULATIONS

ENABLING RIGHTS OF A DATA SUBJECT

Reg. 4 – Consent
Statutory requirement: A DC or DP shall, before processing personal data, inform the data subject of the nature and scope of the personal data to be processed, the reasons for processing and whether the personal data shall be shared with 3rd parties. This information may be given through a public notice accessible to a data subject prior to the collection of the personal data. In obtaining consent, a DC or DP must ensure that:
  - the data subject has the capacity to understand and communicate their consent;
  - the data subject is informed of the nature of the processing in simple and clear language that is understandable;
  - the data subject voluntarily gives consent; and
  - the consent is specific.
Consent may be given orally or in writing, and may include a handwritten signature, an oral statement or the use of an electronic or other medium to signify agreement. A DC or DP shall not presume that a data subject has given consent on the basis that the DS did not object to a proposal to handle their personal data. Consent shall not be implied where the intention of the DS is ambiguous or there is reasonable doubt as to that intention.

Reg. 5 – Collection of personal data for a new purpose
Statutory requirement: Where a DC or DP intends to use personal data for a new purpose, it shall ensure that the new purpose is compatible with the initial purpose. Where the new purpose is not compatible with the initial purpose, the DC or DP shall seek fresh consent from the data subject in accordance with Regulation 4 above.

Reg. 6 – Restriction of processing of personal data
Statutory requirement: A DS may request a DC or DP to restrict the processing of their personal data on the grounds that:
  - the DS contests the accuracy of their personal data;
  - the personal data has been unlawfully processed and the DS opposes erasure and requests restriction instead;
  - the DS no longer needs their personal data but requires it to be kept in order to establish, exercise or defend a legal claim; or
  - the DS has objected to the processing of their personal data and the DC or DP is considering whether it has legitimate grounds that override those of the data subject.
A DC or DP shall, upon receiving the request:
  - consider the request;
  - respond in writing;
  - indicate on its system that the processing of the personal data has been restricted; and
  - notify any relevant 3rd party with whom the personal data subject to the restriction may have been shared.
A DC or DP may implement a restriction on processing by:
  - temporarily moving the personal data to another processing system;
  - making the personal data unavailable to 3rd parties; or
  - temporarily removing published data from a website or other public medium.
Form for application: Form 1 – 1st Schedule
Timeline: 14 days
Limitation: Where a DC or DP declines to comply with such a request, it shall notify the data subject of the decline, giving reasons for the decision. Timeline: 7 days.

Reg. 7 – Objection to processing
Statutory requirement: A DS may, where a specified processing may result in unwarranted interference with their interests or rights, object to such processing by requesting a DC or DP not to process their personal data generally, for specified purposes or in a specified manner. An objection may relate to all or part of their personal data. The right to object applies (a) as an absolute right where the processing of personal data is for direct marketing purposes, but (b) is not absolute where the processing is for:
  - a task carried out in the public interest;
  - the exercise of official authority vested in the DC or DP; or
  - a DS' legitimate interests or those of a 3rd party.
Where the right to object is not absolute, the DC or DP shall demonstrate (a) compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or (b) that the processing is for the establishment, exercise or defence of a legal claim.
Form for application: Form 1 – 1st Schedule
Timeline: 14 days
Charges: Free
Limitation: Where a DC or DP declines a request, it shall communicate the refusal to the DS and provide reasons for its decision. Timeline: 14 days.

Reg. 8 – Access to personal data
Statutory requirement: A DC or DP shall:
  (a) on request, provide a data subject with access to their personal data in its possession;
  (b) put in place electronic or manual mechanisms to enable a DS to access all their personal data; or
  (c) provide the DS with a copy of their personal data and details of the use and disclosure of their personal data.
Where the requirement under (c) is impracticable, the DC or DP shall allow the DS a reasonable opportunity to examine their personal data and the use and disclosure of their personal data.
Form for application: Form 3 – 1st Schedule
Charges: Free
Limitation: A request for access to personal data may be denied where:
  - giving access would result in a serious threat to the life, health or safety of a data subject, or to public health or public safety;
  - giving access would have an unreasonable impact on the privacy of another data subject;
  - the request for access is frivolous or vexatious;
  - giving access would be unlawful;
  - denial of access is authorised by an order of the court; or
  - giving access would be likely to reveal evaluative information generated by the DC or DP in connection with a commercially sensitive decision-making process.

Reg. 9 – Rectification of personal data
Statutory requirement: A DS may request a DC or DP to rectify their personal data where it is untrue, inaccurate, outdated, incomplete or misleading. The request may be supported by the documents relevant to the rectification. A DC or DP shall, upon receiving a request, rectify the entry of personal data in its database where it is satisfied that a rectification is necessary.
Form for application: Form 4 – 1st Schedule
Timeline: 7 days
Charges: Free
Limitation: Where a request is declined, the DC or DP shall notify the DS of the refusal and provide reasons.

Reg. 10 – Data portability
Statutory requirement: A DS may apply to transfer or copy their personal data from one DC or DP to another. The DC or DP shall, upon receipt of the request and upon payment of any charge, port the personal data to the recipient of the DS' choice. A DC or DP that receives ported data shall comply with the Act and these Regulations. The exercise of the right to data portability shall not negate the other rights of a data subject provided under the Act.
Form for application: Form 2 – 1st Schedule
Timeline: 30 days
Charges: At cost

Reg. 11 – Right of erasure
Statutory requirement: A DS has the right to have their personal data erased where:
  - the personal data is no longer necessary for the purpose for which it was originally collected;
  - the data subject withdraws the consent that was the lawful basis for retaining their personal data;
  - the DS objects to the processing of their personal data and there is no overriding legitimate interest to continue the processing;
  - the personal data is processed for direct marketing purposes and the individual objects to that processing;
  - the processing of the personal data has been unlawful, including a breach of the lawfulness requirement; or
  - erasure is required to comply with a legal obligation.
Form for application: Form 5 – 1st Schedule
Timeline: 14 days
Charges: Free
Limitation: The right of erasure is limited where the processing is:
  - to exercise the right of freedom of expression and information;
  - to comply with a legal obligation;
  - for the performance of a task carried out in the public interest or in the exercise of official authority;
  - for archiving purposes in the public interest, scientific research, historical research or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing; or
  - for the establishment, exercise or defence of a legal claim.

Reg. 12 – Exercise of DS rights by others
Statutory requirement: Where a person duly authorised by a data subject seeks to exercise the rights on their behalf, the DC or DP shall consider the best interests of the DS. In relation to processing personal data relating to a child, a DC or DP shall ensure that:
  - a person exercising the right is appropriately identified;
  - profiling of a child that is related to direct marketing is prohibited; and
  - the parent or guardian is informed of the inherent risks in the processing and the safeguards put in place.
Where there is doubt as to the existence of a relationship between the duly authorised person and the DS, the DC or DP may halt the request to exercise a right on behalf of the data subject until evidence to the contrary is adduced.

RESTRICTIONS TO COMMERCIAL USE OF PERSONAL DATA

Reg. 13 – Modes of direct marketing
Statutory requirement: A DC or DP shall be deemed to use personal data for commercial purposes where it:
  - sends a catalogue through any medium addressed to a data subject;
  - displays an advertisement on an online media site to which a data subject is logged on, using their personal data, including data collected by cookies, relating to websites the DS has viewed; or
  - sends an electronic message to a DS about a sale, or other advertising material relating to a sale, using personal data provided by the DS.
Exception: Marketing is not direct if personal data is not used or disclosed to identify or target particular recipients.

Reg. 14 – Permitted use of commercial data
Statutory requirement: A DC or DP may use personal data, other than sensitive information, concerning a DS for the purpose of direct marketing only if:
  - the DC or DP has collected the personal data from the DS;
  - the DS is notified that direct marketing is one of the purposes for which the personal data is collected; and
  - (i) the DS has consented to the use or disclosure of the personal data for that purpose, (ii) the DC or DP provides a simple opt-out mechanism for the DS to request not to receive direct marketing communications, and (iii) the data subject has not made an opt-out request.

Reg. 15 – Mechanisms to comply with an opt-out request
Statutory requirement: In each direct marketing communication with the DS, a DC or DP shall include a prominent statement, or otherwise draw the DS' attention to the fact, that the DS may make an opt-out request. A DC or DP may, in complying with an opt-out requirement:
  - clearly indicate, in each direct marketing message, that a DS can opt out of receiving future messages by replying with a single-word instruction in the subject line;
  - ensure that a link is prominently located in the email which takes the DS to a subscription control centre;
  - clearly indicate that a DS can opt out of future direct marketing by replying to a direct marketing text message with a single-word instruction;
  - inform the recipient of a direct marketing phone call that they can verbally opt out of any future phone calls; and
  - include instructions on how to opt out of future direct marketing in each message.
A DC or DP may use an opt-out mechanism that gives the DS the opportunity to indicate their direct marketing communication preferences, including the extent to which they wish to opt out.

NOTIFICATION OF PERSONAL DATA BREACHES

Reg. 35 – Notifiable data breach
Statutory requirement: A data breach is taken to result in a real risk of harm to a DS if the data breach relates to:
  - the DS' full name or identification number and any other personal data as set out in the Second Schedule; or
  - the following personal data relating to a DS' account with a DC or DP: the DS' account identifier (account name or number), or any password, security code, access code, response to a security question, biometric data or other data that is used to allow access to the DS' account.
Limitation: The personal data referenced in the Second Schedule excludes any personal data that is publicly available and any personal data that is disclosed to the extent permitted by law.

Reg. 36 – Notification to the Data Commissioner
Statutory requirement: Notification of a notifiable data breach shall include:
  - the date and circumstances on which the DC or DP first became aware of the data breach;
  - a chronological account of the steps taken by the DC or DP after becoming aware of the breach, including the assessment that the breach is a notifiable data breach;
  - details of how the breach occurred, where applicable;
  - the number of DS affected by the breach;
  - the personal data or classes of personal data affected by the breach;
  - the potential harm to the affected DS as a result of the breach;
  - information on any action by the DC or DP to eliminate or mitigate any potential harm to the DS as a result of the breach, and to address or remedy any failure on the part of the DC or DP in the occurrence of the breach; and
  - any information on an authorised representative of the DC or DP.
Where the DC or DP does not intend to communicate to a DS affected by a notifiable data breach, the notification to the Data Commissioner shall specify the reasons why.
DATA PROTECTION (COMPLIANCE AND ENFORCEMENT) REGULATIONS

COMPLAINT HANDLING PROCEDURE

Reg. 4 – Lodging of complaints
A DS or any person aggrieved by a decision of any person under the Data Protection Act may lodge a complaint with the Data Commissioner:
  - in accordance with Form 1 as set out in the Schedule;
  - orally;
  - online, by email, web posting or the complaint management information system; or
  - by any other appropriate means.
A complaint may be lodged by:
  - the complainant in person (the DS);
  - a person acting on behalf of the complainant;
  - any other person authorised by law to act on behalf of that person; or
  - anonymously.
Upon receipt of the complaint, the ODPC shall acknowledge receipt of the complaint to the DS.
Form: Form 1
Charges: Free

Reg. 6 – Screening of complaints
The Office may, upon screening the complaint:
  - admit the complaint;
  - where appropriate, advise the complainant that the matter is not within the mandate of the Data Commissioner; or
  - advise the complainant that the matter lies for determination by another body or institution and refer the complainant to that institution.
The Data Commissioner may decline to admit a complaint where it:
  - does not raise any issue under the Act;
  - is trivial, scandalous or vexatious;
  - is not made in good faith; or
  - warrants a decline in any other circumstances.
Upon screening the complaint, the Data Commissioner may:
  - conduct an inquiry into the complaint;
  - conduct investigations;
  - undertake or facilitate mediation, conciliation or negotiation; or
  - use any other mechanism to resolve the complaint.
Form: Form 2

Reg. 7 – Discontinuation of a complaint
The Commissioner may discontinue a complaint where:
  - the complaint does not merit further consideration; or
  - the complainant is required to communicate with the Office and fails or neglects to do so without justifiable reasons;
and shall record the reasons for the discontinuation and notify the complainant accordingly.
Form: Form 3

Reg. 8 – Withdrawal of a complaint
A complainant may withdraw a complaint at any stage during its consideration and before a determination is made. Where a complaint is withdrawn, it may be deemed to have been settled.
Form: Form 3

Reg. 9 – Joinder of complaints
Where two or more complaints are lodged in which the same or similar allegations are raised against a respondent, the Commissioner may:
  - consolidate the complaints; or
  - treat one complaint as a test complaint and stay further action on the other complaints pending resolution of the test complaint.
The decision on a test complaint shall apply, with the necessary modifications, to all other complaints with which the test complaint was consolidated.

Reg. 11 – Notification of complaint to the respondent
Upon admission of a complaint, the ODPC shall notify the respondent and require the respondent to:
  - make representations and provide any relevant material or evidence in support of its representations;
  - review the complaint with a view to summarily resolving it; or
  - provide a response with the required information.
Where the respondent does not take any action, the ODPC shall proceed to determine the complaint in accordance with the Regulations. The notice shall specify the options available to resolve the complaint, including referring the dispute to alternative dispute resolution mechanisms.
Form: Form 4
Timeline: 14 days

Reg. 12 – Investigation of a complaint
In investigating a complaint, the Data Commissioner may:
  - issue summons requiring the attendance of any person at a specified date, time and place;
  - examine any person in relation to the complaint;
  - administer an oath or affirmation to any person during the proceedings;
  - require any person or institution to produce any document or information; and
  - on obtaining a warrant from the court, enter any establishment or premises, conduct a search and seize any material relevant to the investigation.
Upon completion of the investigation, the Data Commissioner shall prepare an investigation report.
Form: Form 5

Reg. 13 – Outcome of investigation
Upon the conclusion of an investigation, the Commissioner shall make a determination on the findings. A determination shall be in writing and shall state:
  - the nature of the complaint;
  - a summary of the relevant evidence and facts adduced;
  - the reasons for the decision; and
  - the remedy to which the complainant is entitled and any other relevant matters.
The remedies may include:
  - issuance of an enforcement notice in accordance with the Regulations;
  - issuance of a penalty notice imposing an administrative fine where a respondent fails to comply with the penalty notice;
  - dismissal of the complaint where it lacks merit;
  - a recommendation for prosecution; or
  - an order for compensation of the DS by the respondent.
The Data Commissioner shall communicate the decision in writing to the parties. The decision shall be binding and enforced as an order of the court.

Reg. 14 – Negotiation, mediation or conciliation
Where the parties agree to negotiation, mediation or conciliation, the ODPC shall, in consultation with the parties, facilitate the process. The Data Commissioner may apply such procedures as it deems appropriate in the circumstances and in the interests of the parties. At the conclusion, the parties shall sign a negotiation, mediation or conciliation agreement in the manner specified in the Schedule. An agreement entered into under this regulation shall be deemed to be a determination of the ODPC and shall be enforceable as such. Nonetheless, a party to a dispute who is subject to negotiation, mediation or conciliation may withdraw from the proceedings at any stage, and shall notify the Data Commissioner and the other parties upon making that determination. All parties to a dispute shall take reasonable measures to amicably determine the dispute and act in good faith.
Form: Form 6
Timeline: 7 days

ENFORCEMENT PROVISIONS

Reg. 15 – Issuance of an enforcement notice
The Commissioner may issue an enforcement notice to a person who has failed to comply with any provision of the Data Protection Act. An enforcement notice shall specify the consequences of failure to comply with the notice, including the issuance of a penalty notice.
Form: Form 7
Timeline: 30 days

Reg. 16 – Service of an enforcement notice
An enforcement notice shall be deemed to be duly served on the concerned person if:
  - an electronic copy of the enforcement notice is sent to the concerned person's registered email address; or
  - in the absence of an electronic address, the enforcement notice is posted or physically delivered to the registered offices of the concerned person.
An enforcement notice shall take effect from the date of service.

Reg. 17 – Review of an enforcement notice
A person to whom an enforcement notice is given may apply to the Data Commissioner for a review of the notice. An application may be made only:
  - before the end of the period of the enforcement notice; and
  - on the ground that (a) a change of circumstances or new facts have arisen, or (b) one or more provisions of the notice need not be complied with in order to remedy the failure identified in the notice.
Form: Form 9
Timeline: 15 days

Reg. 18 – Appeals against an enforcement notice
A person may, before the lapse of 21 days from the date of service of the enforcement notice, appeal to the High Court against a decision arising out of the enforcement of the notice.
Timeline: 21 days

Reg. 19 – Issuance of a penalty notice
The Data Commissioner shall, where the respondent fails to adhere to an enforcement notice, issue a penalty notice for each breach identified in the enforcement notice. A penalty notice shall contain:
  - the name and address of the concerned person to whom it is addressed;
  - the reasons why the Data Commissioner proposes to impose the penalty and the amount thereof;
  - an administrative fine;
  - details of how the penalty is to be paid; and
  - details of the right of appeal.
The administrative fine levied shall take account of each individual case. A penalty notice may impose a daily fine of not more than Kshs. 10,000/= for each breach identified, until the breach is rectified.
Form: Form 10

Reg. 20 – Enforcement of a penalty notice
The Data Commissioner shall enforce or take action to recover a penalty:
  - on the lapse of the period specified in the penalty notice for payment of the penalty;
  - on the final determination of any appeal against the penalty notice; or
  - on the lapse of the period given to appeal against the penalty.
