PROTECTING YOUR ONLINE PERSONAL DATA

As digital technologies continue to advance, the regulation of data privacy has become a critical legal and policy concern. The vast collection of personal data by businesses, governments and third parties raises significant questions about consumer rights, corporate responsibility, and governmental oversight. While data collection has fueled innovation in sectors like healthcare, finance and artificial intelligence, it has also led to concerns about surveillance, unauthorized access, and data breaches.

In today’s digital age, personal data is constantly being collected from mobile apps, websites, online transactions, and social media platforms. Recognizing the growing risks of data misuse, Kenya enacted the Data Protection Act, 2019 (DPA), a landmark law that sets clear boundaries on how personal information should be collected, processed, stored, and shared. Under the Act, personal data refers to any information that can identify an individual, including names, ID numbers, location data, emails, biometric data, and more. The law gives data subjects rights, such as the right to be informed when your data is being collected, the right to access your data, to correct inaccuracies, and even to object to its use in certain circumstances.

Any organization or individual handling your data is known as a data controller or data processor and must follow strict principles, including transparency, purpose limitation, data minimization, and data security. Controllers and processors are also required to register with the Office of the Data Protection Commissioner (ODPC). For the modern Kenyan citizen, understanding the DPA is not just a legal exercise; it is an essential part of digital hygiene and risk management.

The DPA established the Office of the Data Protection Commissioner (ODPC) under section 5 to register data handlers, conduct compliance audits, receive and investigate complaints from any person about infringements of rights, undertake research on developments in the processing of personal data, and ensure that such developments pose no significant risk or adverse effect to the privacy of individuals.

The Principles of Processing Personal Data

Section 25 of Kenya’s Data Protection Act outlines eight key principles that all individuals and organizations handling personal data must follow. First, data must be processed lawfully, fairly, and transparently, meaning it should be collected for a legal reason and the individual must be informed. Second, purpose limitation requires that data be used only for the reason it was collected, unless new consent is obtained for another use. Third, only necessary data should be collected, following the principle of data minimisation. Fourth, the data must be accurate and regularly updated. Fifth, storage limitation means that data should not be kept longer than necessary. Sixth, entities must ensure the integrity and confidentiality of the data by using technical safeguards such as encryption and firewalls. Seventh, companies must be accountable and able to demonstrate compliance with the law. Finally, data should not be transferred outside Kenya unless the receiving country has adequate data protection laws or the user has given explicit consent.

Your Rights as a Data Subject (Section 26)

Section 26 of Kenya’s Data Protection Act empowers individuals by granting them several key rights as data subjects. First, you have the right to be informed, meaning organizations must notify you when collecting your personal data and explain its intended use. You also have the right of access, allowing you to request and review what data a company holds about you. Additionally, you can exercise the right to object, particularly to prevent your data from being used for unsolicited marketing. If any of your personal data is incorrect, you can invoke the right to rectification and have it corrected. The Act also provides the right to erasure, commonly known as the “right to be forgotten”, which lets you request deletion of data that is outdated or unlawfully collected. Finally, the right to data portability allows you to receive your personal data in a structured, easily transferable format, enabling you to move it to another service provider if desired.

Under the Data Protection Act, data controllers and processors have strict obligations to protect personal data through what is known as “Data protection by design”. One key requirement is the Notification of Breach (Section 43), which mandates that in the event of a data breach, such as a hack or unauthorized access, organizations must inform the Office of the Data Protection Commissioner (ODPC) within 72 hours and notify affected individuals as soon as reasonably possible. Additionally, for high-risk activities like biometric data collection or AI-based profiling, entities must carry out Data Protection Impact Assessments (DPIAs) under section 31 to identify potential risks and implement safeguards before launching such services. To ensure ongoing compliance, many organizations are also required to appoint a Data Protection Officer (DPO), who is responsible for overseeing adherence to data protection laws and practices.

While Kenya’s Data Protection Act offers legal safeguards, individuals must take practical steps to protect their own personal data. Start by auditing the consents you give: avoid granting permissions to apps that request access to information unrelated to their core functions, such as a flashlight app seeking your contact list. If your data rights are violated, for instance, by digital lenders contacting your friends or companies sending spam without offering an opt-out option, you can file a complaint through the ODPC’s official portal. Additionally, before sharing sensitive details like your KRA PIN or ID number with any business, always ask to see their Privacy Notice to ensure your information will be handled lawfully and responsibly.

The Data Protection Act, 2019, is a powerful tool for safeguarding human rights in the digital age. By understanding your rights and the obligations of those who handle your information, you can navigate the Kenyan technological landscape with confidence.

At A.O. WANGA ADVOCATES we are happy to assist you with all data protection issues. Please contact us at info@aowangaadvocates.com or +254794600191.

All rights reserved for A.O. WANGA ADVOCATES

www.aowangaadvocates.com
