The Data Protection (Complaints Handling Procedure and Enforcement) Regulations

Section 1. Citation Section These Regulations may be cited as the Data Protection (Complaints Handling Procedure and Enforcement) Regulations.

Section 2. Interpretation Section In these Regulations, unless the context otherwise requires— "Act" means Data Protection Act (Cap. 411C); "complainant" means a data subject or a person who has lodged a complaint pursuant to regulation 4; "Data Commissioner" means the person appointed under section 6 of the Act; "Office" means the office of the Data Protection Commissioner; "enforcement notice" means a notice issued by the Data Commissioner under regulation 16; "penalty" means a penalty imposed by a penalty notice; "penalty notice" means a notice issued by the Data Commissioner under regulation 20; "respondent" means a person against whom a complaint is lodged; and "summons" means an order of the Data Commissioner, in writing, directing a person to appear before the Office.

Section 3. Object and purpose of the Regulations Section facilitate a fair, impartial, just, expeditious, proportionate and affordable determination of complaints lodged with the Data Commissioner in accordance with the Act and these Regulations, without undue regard to technicalities of procedure;

Section 4. Lodging of a complaint Section 4(1) Pursuant to section 56 of the Act, a data subject or any person aggrieved on any matter under the Act may lodge a complaint with the Data Commissioner. Section 4(2)(a) orally, subject to section 56(3) of the Act; Section 4(2)(b) through electronic means, including email, web posting, complaint management information system; or Section 4(2)(c) by any other appropriate means. Section 4(3)(a) by the complainant in person; Section 4(3)(b) by a person acting on behalf of the complainant; Section 4(3)(c) by any other person authorized by law to act on behalf of a data subject; or Section 4(3)(d) anonymously. Section 4(4) The Data Commissioner shall acknowledge receipt of the complaint within seven days of receipt of the complaint under subregulation (1). Section 4(5) The complaint under subregulation (1) shall be lodged free of charge.

Section 5. Register of complaints Section 5(1) The Data Commissioner shall keep and maintain an up to date Register of Complaints. Section 5(2) An entry into the register of complaints shall state the particulars of the complainant and the complaint filed with the Data Commissioner. Section 5(3) The Data Commissioner shall protect the identity of the complainant where the request to protect the identity is sought by the complainant.

Section 6. Admission of complaint Section 6(1) The Data Commissioner shall undertake a preliminary review of a complaint, upon receipt of the complaint by the Office. Section 6(2)(a) admit the complaint; Section 6(2)(b) where applicable, advise the complainant in writing that the matter is not within the mandate of the Data Commissioner; or Section 6(2)(c) advise the complainant that the matter lies for determination by another body or institution and refer the complainant to that body or institution. Section 6(3) Despite subregulation (2), the Data Commissioner may decline to admit a complaint where the complaint does not raise any issue under the Act. Section 6(4)(a) conduct an inquiry into the complaint; Section 6(4)(b) conduct investigations; Section 6(4)(c) facilitate mediation, conciliation or negotiation in accordance with the Act and these Regulations; or Section 6(4)(d) use any other mechanisms to resolve the complaint. Section 6(5) Where a complaint is declined for admission under subregulation (3), the complaint may be re-admitted within six months from the date of decline, where the complaint raises new issues for determination under the Act. Section 6(6) A complaint un...

Section 7. Discontinuation of a complaint Section 7(1)(a) a complaint does not merit further consideration; or Section 7(1)(b) a complainant refuses, fails or neglects to communicate without justifiable cause. Section 7(2) The Data Commissioner shall provide the reasons for discontinuation on any of the grounds specified under subregulation (1)(a) or (b) and shall, in writing, notify the complainant and respondent within fourteen days from the date the decision to discontinue a complaint is made. Section 7(3) A complainant may, where a complaint has been discontinued pursuant to these Regulations, re-institute a complaint upon providing grounds for the restitution to the Data Commissioner.

Section 8. Withdrawal of a complaint Section 8(1) A complaint may be withdrawn at any stage during its consideration but before a determination is made. Section 8(2) A complainant may, at any time during the consideration of a complaint lodged pursuant to regulation 4 and before its determination, withdraw the complaint. Section 8(3) An application for a withdrawal under subregulation (1) shall be in Form DPC 2 set out in the Schedule. Section 8(4) A withdrawn complaint under subregulation (1) may be re-lodged, within six months from the date of withdrawal of such complaint. Section 8(5) A complaint re-lodged under this regulation shall be processed in accordance with the provisions of this Part.

Section 9. Joint consideration of complaints Section 9(1)(a) consolidate the complaints and make a determination; or Section 9(1)(b) treat one complaint as a test complaint and stay further action on the other complaints pending resolution of the test complaint. Section 9(2) The Data Commissioner shall, with necessary modifications, apply the decision of a test complaint to all the complaints stayed under subregulation (1)(b). Section 9(3) The Data Commissioner shall, in writing, communicate to the complainants and all the parties the decision made under this regulation. Section 9(4) Where complaints are consolidated in accordance with this regulation, the complaint shall be treated as a single complaint and shall be determined in accordance with the provisions of these Regulations.

Section 10. Language Section 10(1) Proceedings before the Office shall be conducted in Kiswahili, English or Kenyan Sign Language. Section 10(2) The Office may ensure that a party who cannot speak, hear or understand the language of proceedings receives the services of an interpreter provided for by the Office.

Section 11. Notification of a complaint to the respondent Section 11(1)(a) make representations and provide any relevant material or evidence in support of its representations; Section 11(1)(b) review the complaint with a view of summarily resolving the complaint to the satisfaction of the complainant; or Section 11(1)(c) provide a response with the required information. Section 11(2) Where a respondent does not take any action as contemplated under subregulation (1), the Data Commissioner shall proceed to determine the complaint in accordance with the Act and these Regulations. Section 11(3) The notice referred to under subregulation (1) shall specify options available to resolve a complaint including determining the complaint through alternative dispute resolution mechanisms specified in the Act and these Regulations.

Section 12. Joinder of parties Section 12(1) Where it appears to the Data Commissioner, or by an application by either the complainant or the respondent, that it is necessary that a person becomes a party to a complaint, the Data Commissioner may order that person to be enjoined as a party. Section 12(2) A person who has sufficient interest in the outcome of a complaint may apply to the Office for leave to be enjoined in the proceedings prior to the hearing of the complaint. Section 12(3)(a) the names of the parties to which that application relates; Section 12(3)(b) the name and address for service of the person wishing to be enjoined; Section 12(3)(c) the grounds the applicant relies on to be enjoined; Section 12(3)(d) a copy of any relevant document in support of the application; and Section 12(3)(e) the relief sought.

Section 13. Investigations of a complaint Section 13(1)(a) issue summons in Form DPC 4 set out in the Schedule requiring the attendance of any person at a specified date, time and place for examination; Section 13(1)(b) examine any person in relation to a complaint; Section 13(1)(c) administer an oath or affirmation on any person during the proceedings; Section 13(1)(d) require any person to produce any document or information from a person or institution; and Section 13(1)(e) on obtaining warrants from the court, enter into any establishment or premises and conduct a search and may seize any material relevant to the investigation. Section 13(2) Upon completion of the investigation, the Data Commissioner shall prepare an investigation report. Section 13(3) In conducting investigations under this regulation, the Data Commissioner shall be guided by the provisions of the Fair Administrative Action Act (Cap. 7J).

Section 14. Outcome of investigation Section 14(1) The Data Commissioner shall, upon the conclusion of the investigations, make a determination based on the findings of the investigations. Section 14(2)(a) the nature of the complaint; Section 14(2)(b) a summary of the relevant facts and evidence adduced; Section 14(2)(c) the decision and the reasons for the decision; Section 14(2)(d) the remedy to which the complainant is entitled; and Section 14(2)(e) any other relevant matter. Section 14(3)(a) issuance of an enforcement notice to the respondent in accordance with the Act and these Regulations; Section 14(3)(b) issuance of a penalty notice imposing an administrative fine where a respondent fails to comply with the enforcement notice; Section 14(3)(c) dismissal of the complaint where it lacks merit; Section 14(3)(d) recommendation for prosecution; or Section 14(3)(e) an order for compensation to the data subject by the respondent. Section 14(4) The Data Commissioner shall within seven days from the date of such determination, communicate the decision under subregulation (3) to the parties, in writing. Section 14(5)(a) binding on the parties; and Section 14(5)(b) shall be enforced a...

Section 15. Negotiation, mediation or conciliation Section 15(1) Where the complaint is to be determined through negotiations, mediation or conciliation, the provisions of these Regulations shall apply. Section 15(2) Where parties to a complaint agree to negotiation, mediation or conciliation, the Data Commissioner may in consultation with the parties facilitate the process. Section 15(3) During the negotiations, mediation or conciliation, the Data Commissioner may apply such procedures as may, in the interest of the parties, deem appropriate in the circumstances. Section 15(4) At the conclusion of the negotiations, mediation or conciliation process, the parties shall sign a negotiation, mediation or conciliation agreement in the manner specified in Form DPC 5 set out in the Schedule. Section 15(5) A negotiation, mediation or conciliation agreement entered into under this regulation shall be deemed to be a determination of the Data Commissioner, and shall be enforceable as such. Section 15(6) Despite this regulation, a party to dispute who is subject to a negotiation, mediation or conciliation may withdraw from the proceedings at any stage and shall notify the Data Commissioner and...

Section 16. Issuance of enforcement notice Section 16(1) The Data Commissioner may pursuant these Regulations or section 58 of the Act issue an enforcement notice. Section 16(2) An enforcement notice shall specify the consequences of failure to comply with the notice including issuance of a penalty notice as provided under section 62(1) of the Act.

Section 17. Service of an enforcement notice Section 17(1)(a) an electronic copy of enforcement notice is sent to the concerned person’s last used email address; or Section 17(1)(b) the enforcement notice is posted or physically delivered to the registered offices of the concerned person, in the absence of an electronic address. Section 17(2) The enforcement notice shall take effect from the date of service specified under subregulation (1).

Section 18. Review of enforcement notice Section 18(1) A person to whom an enforcement notice is given may apply in Form DPC 6 set out in the Schedule to the Data Commissioner for a review of the enforcement notice. Section 18(2)(a) before the end of the period specified in the enforcement notice; and Section 18(2)(b) a change of circumstances or new facts have arisen; or Section 18(2)(b)(i) a change of circumstances or new facts have arisen; or Section 18(2)(b)(ii) one or more of the provisions of that notice need not be complied with in order to remedy the failure identified in the notice.

Section 19. Appeals against enforcement notice Section Subject to sections 58(2)(d) and 64 of the Act, a person may before the lapse of thirty days from the date of service of the enforcement notice, appeal to the High Court against a decision arising out of the enforcement of the notice.

Section 20. Issuance of penalty notice Section 20(1) The Data Commissioner shall, where any of the circumstances specified under section 62 of the Act and these Regulations arises, issue a penalty notice for each breach identified in the enforcement notice. Section 20(2)(a) the name and address of the concerned person, to whom it is addressed; Section 20(2)(b) the reasons why the Data Commissioner proposes to impose the penalty and the amount thereof; Section 20(2)(c) an administrative fine imposed as contemplated under section 63 of the Act; Section 20(2)(d) details of how the penalty is to be paid; and Section 20(2)(e) details of the rights of appeal under section 64 of the Act. Section 20(3) The administrative fine levied under subregulation (2)(c) shall consider each individual case and have due regard to factors or reasons outlined under section 62(2) of the Act. Section 20(4) A penalty notice may impose a daily fine of not more than ten thousand shillings for each breach identified until the breach is rectified. Section 20(5) The daily fine imposed under subregulation (4) shall be managed in accordance with section 67 of the Act and the Public Finance Management Act (Cap. 412...

Section 21. Enforcement of penalty notice Section upon the lapse of the period specified in the penalty notice for payment of the penalty;