PREREQUISITE FOR TRANSFERRING PERSONAL DATA OUTSIDE KENYA
The Data Protection Act No. 24 of 2019 sets conditions for the transfer of personal data out of Kenya. It provides that a data controller or data processor may transfer personal data to another country only where:
- the data controller or data processor has given proof to the Data Commissioner on the appropriate safeguards with respect to the security and protection of the personal data;
- the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of personal data, and the appropriate safeguards including jurisdictions with commensurate data protection laws;
- the transfer is necessary:
  - for the performance of a contract between the data subject and the data controller or data processor or implementation of pre-contractual measures taken at the data subject’s request;
  - for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person;
  - for any matter of public interest;
  - for the establishment, exercise or defence of a legal claim;
  - in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
  - for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.
The Act further sets out safeguards that apply prior to the transfer of personal data out of Kenya. It provides that:
- Where the processing and transfer involves sensitive personal data, the transfer out of Kenya shall only be effected upon obtaining consent of the data subject and on obtaining confirmation of appropriate safeguards.
- The Data Commissioner may request a person who transfers data to another country to demonstrate the effectiveness of the security safeguards or the existence of compelling legitimate interests.
- The Data Commissioner may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject the transfer to such conditions as may be determined.
Furthermore, the Data Protection (General) Regulations, 2021 set out guiding principles for the transfer of data outside Kenya. The Regulations provide that a data controller or data processor who is a transferring entity shall, before transferring personal data out of Kenya, ascertain that the transfer is based on:
- appropriate safeguards;
- an adequacy decision made by the Data Commissioner;
- transfer as a necessity; or
- consent of the data subject.
It is interesting to note that, in the absence of an adequacy decision by the Data Commissioner, appropriate safeguards, or the prerequisites for transfer as a matter of necessity, a transfer of personal data to another country shall take place only on the condition that the data subject:
- has explicitly consented to the proposed transfer; and
- has been informed of the possible risks of such transfers.
Where a transfer is based on the consent of a data subject and, in the opinion of the Data Commissioner, such transfer poses a risk to the safety of the data and the privacy of the data subject, the Data Commissioner may as well object to such transfer.
At A.O.WANGA ADVOCATES we are happy to assist you with all your data protection concerns in Kenya.