The Data Protection (General) Regulations — Esheria

Statute

The Data Protection (General) Regulations

Legal Notice 263 of 2021
Country: Kenya
As of: 31 Dec 2022
Status: In force
Sections: 58

Sections preview

Section 1

PRELIMINARY - 1. Citation

Part I: PRELIMINARY

Section 1. Citation
These Regulations may be cited as the Data Protection (General) Regulations.

Section 2

PRELIMINARY - 2. Interpretation

Part I: PRELIMINARY

Section 2. Interpretation
In these Regulations, unless the context otherwise requires—
"Act" means the Data Protection Act (Cap 411C);
"Data Commissioner" means the person appointed as such pursuant to section 6 of the Act; and
"Office" has the meaning assigned to it under the Act.

Section 3

PRELIMINARY - 3. Exemption

Part I: PRELIMINARY

Section 3. Exemption
These Regulations shall not apply to civil registration entities specified under the Data Protection (Civil Registration) Regulations (L.N. 196/2020).

Section 4

ENABLING THE RIGHTS OF A DATA SUBJECT - 4. Processing on the basis of consent

Part II: ENABLING THE RIGHTS OF A DATA SUBJECT

Section 4. Processing on the basis of consent
Section 4(1)(a) the identity of the data controller or data processor;
Section 4(1)(b) the purpose of each of the processing operations for which consent is sought;
Section 4(1)(c) the type of personal data that is collected and used;
Section 4(1)(d) information about the use of the personal data for automated decision-making, where relevant;
Section 4(1)(e) the possible risks of data transfers due to absence of an adequacy decision or appropriate safeguards;
Section 4(1)(f) whether the personal data processed shall be shared with third parties;
Section 4(1)(g) the right to withdraw consent; and
Section 4(1)(h) the implications of providing, withholding or withdrawing consent.
Section 4(2) The information under subregulation (1) may be presented to the data subject through a written notice, oral statement, audio or video message.
Section 4(3)(a) data subject has capacity to give consent;
Section 4(3)(b) data subject voluntarily gives consent; and
Section 4(3)(c) consent is specific to the purpose of processing.
Section 4(4)(a) it is presumed on the basis that the data subject did not object to a proposal to processing of their personal...

Section 5

ENABLING THE RIGHTS OF A DATA SUBJECT - 5. Lawful basis for processing

Part II: ENABLING THE RIGHTS OF A DATA SUBJECT

Section 5. Lawful basis for processing
Section 5(1) A data controller or data processor may process data without consent of a data subject if the processing is necessary for any reason set out in section 30(1)(b) of the Act.
Section 5(2) Processing under subregulation (1) shall only rely on one legal basis for processing at a time, which shall be established before the processing.
Section 5(3)(a) distinguish between the legal bases being used; and
Section 5(3)(b) respond to any data subject rights requests.

Section 6

ENABLING THE RIGHTS OF A DATA SUBJECT - 6. Mode of collection of personal data

Part II: ENABLING THE RIGHTS OF A DATA SUBJECT

Section 6. Mode of collection of personal data
Section 6(1)(a) any person other than the data subject;
Section 6(1)(b) publications or databases;
Section 6(1)(c) surveillance cameras, where an individual is identifiable or reasonably identifiable;
Section 6(1)(d) information associated with web browsing; or
Section 6(1)(e) biometric technology, including voice or facial recognition.
Section 6(2)(a) ensure that processing is limited to personal data which the data subject has permitted the data controller or data processor to collect;
Section 6(2)(b) undertake steps to ensure that personal data is accurate, not excessive and up to date;
Section 6(2)(c) undertake processes to secure personal data; and
Section 6(2)(d) comply with the lawful processing principles set out under Part IV of the Act.
Section 6(3) Where a data controller or data processor collects personal data indirectly, the data controller or data processor shall within fourteen days inform the data subject of the collection.
Section 6(4) Where a data controller or data processor intends to use personal data for a new purpose, the data controller or data processor shall ensure that the new purpose is compatible with t...

Section 7

ENABLING THE RIGHTS OF A DATA SUBJECT - 7. Restriction to processing

Part II: ENABLING THE RIGHTS OF A DATA SUBJECT

Section 7. Restriction to processing
Section 7(1)(a) the data subject contests the accuracy of their personal data;
Section 7(1)(b) the personal data has been unlawfully processed and the data subject opposes the erasure and requests restriction instead;
Section 7(1)(c) the data subject no longer needs their personal data but the data controller or data processor requires the personal data to be kept in order to establish, exercise or defend a legal claim; or
Section 7(1)(d) a data subject has objected to the processing of their personal data under regulation 8 and a data controller or data processor is considering legitimate grounds that override those of the data subject.
Section 7(2) A request for restriction to processing of personal data on any of the grounds provided under section 34 of the Act may be made in Form DPG 1 set out in the First Schedule.
Section 7(3)(a) admit and implement the request;
Section 7(3)(b) indicate on the data controller's or data processor's system that the processing of the personal data has been restricted; and
Section 7(3)(c) notify any relevant third party of the restriction where personal data, subject to such restriction, may have been shared.
Sec...

Section 8

ENABLING THE RIGHTS OF A DATA SUBJECT - 8. Objection to processing

Part II: ENABLING THE RIGHTS OF A DATA SUBJECT

Section 8. Objection to processing
Section 8(1) Pursuant to section 36 of the Act, a data subject may request a data controller or data processor not to process all or part of their personal data, for a specified purpose or in a specified manner.
Section 8(2) A request to object to the processing may be made in Form DPG 1 set out in the First Schedule.
Section 8(3) A data controller or data processor shall, without charging any fee, comply with a request for objection under subregulation (2) within fourteen days of the request.
Section 8(4) The right to object to processing applies as an absolute right where the processing is for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.
Section 8(5) Where the data subject objects to processing for direct marketing purposes, the personal data shall not be processed for such purposes.
Section 8(6)(a) the reasons for declining the request for objection; and
Section 8(6)(b) the right to lodge a complaint to the Data Commissioner where dissatisfied.
Section 8(7)(a) the reasons for declining the request for objection; and
Section 8(7)(b) the right to lodge a complaint to the Data Commissio...

Section 9

ENABLING THE RIGHTS OF A DATA SUBJECT - 9. Data access request

Part II: ENABLING THE RIGHTS OF A DATA SUBJECT

Section 9. Data access request
Section 9(1)(a) the purposes of the processing;
Section 9(1)(b) the categories of personal data concerned;
Section 9(1)(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, including recipients in other countries or territories;
Section 9(1)(d) where possible, the envisaged period for which the personal data may be stored, or, if not possible, the criteria used to determine that period; and
Section 9(1)(e) where the personal data is not collected from the data subject, any available information as to the source of collection.
Section 9(2) A data subject may request to access their personal data in Form DPG 2 set out in the First Schedule.
Section 9(3)(a) on request, provide access to a data subject of their personal data in its possession;
Section 9(3)(b) put in place mechanisms to enable a data subject to proactively access or examine their personal data; or
Section 9(3)(c) provide the data subject with a copy of their personal data.
Section 9(4) A data controller or a data processor shall comply with a request by a data subject to access their personal data within seven days of the request.
Se...

Section 10

ENABLING THE RIGHTS OF A DATA SUBJECT - 10. Rectification of personal data

Part II: ENABLING THE RIGHTS OF A DATA SUBJECT

Section 10. Rectification of personal data
Section 10(1) Pursuant to section 40 of the Act, a data subject may request a data controller or data processor to rectify their personal data, which is untrue, inaccurate, outdated, incomplete or misleading.
Section 10(2) A request for rectification may be made in Form DPG 3 set out in the First Schedule.
Section 10(3) An application for rectification of personal data may be supported by such documents as may be relevant to the rectification sought.
Section 10(4) A data controller or data processor shall within fourteen days of the request, rectify an entry of personal data in the database where the data controller or data processor is satisfied that a rectification is necessary.
Section 10(5) Where a request for rectification is declined, a data controller or data processor shall, in writing, notify a data subject of that refusal within seven days and shall provide reasons for refusal.
Section 10(6) A request for rectification shall be made free of charge.

Section 11

ENABLING THE RIGHTS OF A DATA SUBJECT - 11. Data portability request

Part II: ENABLING THE RIGHTS OF A DATA SUBJECT

Section 11. Data portability request
Section 11(1) Pursuant to section 38 of the Act, a data subject may apply to port or copy their personal data from one data controller or data processor to another.
Section 11(2) A request for data portability may be made in Form DPG 4 set out in the First Schedule.
Section 11(3) A data controller or data processor shall within thirty days of the request and upon payment of the prescribed fees port personal data to the data subject's choice of recipient.
Section 11(4) Where a fee is charged under subregulation (2), the fee shall be reasonable and not exceed the cost incurred to actualize the request.
Section 11(5) A data controller or data processor who receives personal data that has been ported shall, with respect to such data, comply with the requirements of the Act and these Regulations.
Section 11(6) Where a data controller or data processor declines the portability request, a data controller or data processor shall, within seven days, notify the data subject of the decline and the reasons for such decline in writing.
Section 11(7) The exercise of the right to data portability by a data subject shall not negate the rights of a data subject prov...

Section 12

ENABLING THE RIGHTS OF A DATA SUBJECT - 12. Right of erasure

Part II: ENABLING THE RIGHTS OF A DATA SUBJECT

Section 12. Right of erasure
Section 12(1)(a) the personal data is no longer necessary for the purpose for which it was collected;
Section 12(1)(b) the data subject withdraws their consent that was the lawful basis for retaining the personal data;
Section 12(1)(c) the data subject objects to the processing of their data and there is no overriding legitimate interest to continue the processing;
Section 12(1)(d) the processing of personal data is for direct marketing purposes and the individual objects to that processing;
Section 12(1)(e) the processing of personal data is unlawful, including in breach of the lawfulness requirement; or
Section 12(1)(f) the erasure is necessary to comply with a legal obligation.
Section 12(2) A data subject may request for erasure of their personal data held by a data controller or data processor in Form DPG 5 set out in the First Schedule.
Section 12(3) A data controller or data processor shall respond to a request for erasure under subregulation (2) within fourteen days of the request.
Section 12(4)(a) to exercise the right of freedom of expression and information;
Section 12(4)(b) to comply with a legal obligation;
Section 12(4)(c) for the performance of...

Section 13

ENABLING THE RIGHTS OF A DATA SUBJECT - 13. Exercise of rights by others

Part II: ENABLING THE RIGHTS OF A DATA SUBJECT

Section 13. Exercise of rights by others
Section 13(1) Subject to section 27 of the Act, where a person duly authorised by a data subject seeks to exercise the rights on their behalf, the data controller or data processor shall act in the best interests of the data subject.
Section 13(2)(a) a person exercising the right is appropriately identified;
Section 13(2)(b) profiling of a child that is related to direct marketing is prohibited; and
Section 13(2)(c) the parent or guardian is informed of the inherent risks in processing and the safeguards put in place.
Section 13(3) Where a data controller or a data processor is uncertain as to the existence of a relationship between the duly authorised person and the data subject, the data controller or data processor may restrict the request of exercising a right on behalf of the data subject until evidence to the contrary is adduced.

Section 14

RESTRICTIONS ON THE COMMERCIAL USE OF PERSONAL DATA - 14. Interpretation of commercial purposes

Part III: RESTRICTIONS ON THE COMMERCIAL USE OF PERSONAL DATA

Section 14. Interpretation of commercial purposes
Section 14(1) For the purposes of section 37(1) of the Act, a data controller or data processor shall be considered to use personal data for commercial purposes where personal data of a data subject is used to advance commercial or economic interests, including inducing another person to buy, rent, lease, join, subscribe to, provide or exchange products, property, information or services, or enabling or effecting, directly or indirectly, a commercial transaction.
Section 14(2)(a) sending a catalogue through any medium addressed to a data subject;
Section 14(2)(b) displaying an advertisement on an online media site where a data subject is logged on using their personal data; or
Section 14(2)(c) sending an electronic message to a data subject about a sale, or other advertising material relating to a sale, using personal data provided by a data subject.
Section 14(3) Marketing is not direct where personal data is not used or disclosed to identify or target particular recipients.

Section 15

RESTRICTIONS ON THE COMMERCIAL USE OF PERSONAL DATA - 15. Permitted commercial use of personal data

Part III: RESTRICTIONS ON THE COMMERCIAL USE OF PERSONAL DATA

Section 15. Permitted commercial use of personal data
Section 15(1)(a) the data controller or data processor has collected the personal data from the data subject;
Section 15(1)(b) a data subject is notified that direct marketing is one of the purposes for which personal data is collected;
Section 15(1)(c) the data subject has consented to the use or disclosure of the personal data for the purpose of direct marketing;
Section 15(1)(d) the data controller or data processor provides a simplified opt out mechanism for the data subject to request not to receive direct marketing communications; or
Section 15(1)(e) the data subject has not made an opt out request.
Section 15(2) A data controller or data processor shall not transmit, for the purposes of direct marketing, messages by any means unless the data controller or data processor indicates particulars to which a data subject may send a request to restrict such communications without incurring charges.
Section 15(3)(a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed;
Section 15(3)(b) where a valid address to which the recipient of the communication may send a request t...

Section 16

RESTRICTIONS ON THE COMMERCIAL USE OF PERSONAL DATA - 16. Features of an opt out message

Part III: RESTRICTIONS ON THE COMMERCIAL USE OF PERSONAL DATA

Section 16. Features of an opt out message
Section 16(1)(a) have a visible, clear and easily understood explanation of how to opt out;
Section 16(1)(b) include a process for opting out that requires minimal time and effort;
Section 16(1)(c) provide a direct and accessible communication channel;
Section 16(1)(d) be free of charge or where necessary involve a nominal cost to a data subject; and
Section 16(1)(e) be accessible to persons with a disability.
Section 16(2) Where a data subject has opted out, a data controller or data processor shall not use or disclose their personal data for the purpose of direct marketing, in accordance with the data subject's request.

Section 17

RESTRICTIONS ON THE COMMERCIAL USE OF PERSONAL DATA - 17. Mechanisms to comply with opt out requirement

Part III: RESTRICTIONS ON THE COMMERCIAL USE OF PERSONAL DATA

Section 17. Mechanisms to comply with opt out requirement
Section 17(1) In communicating with a data subject on direct marketing, a data controller or data processor shall include a statement which is prominently displayed, or otherwise draws the attention of the data subject to the fact that the data subject may make an opt out request.
Section 17(2)(a) clearly indicate, in each direct marketing message, that a data subject may opt out of receiving future messages by replying with a single word instruction in the subject line;
Section 17(2)(b) ensure that a link is prominently located in the email, which takes a data subject to a subscription control centre;
Section 17(2)(c) clearly indicate that a data subject may opt out of future direct marketing by replying to a direct marketing text message with a single word instruction;
Section 17(2)(d) inform the recipient of a direct marketing phone call that they can verbally opt out from any future calls; and
Section 17(2)(e) include instructions on how to opt out from future direct marketing, in each message.
Section 17(3) A data controller or a data processor may use an opt out mechanism that provides a data subject with the opportuni...

Section 18

RESTRICTIONS ON THE COMMERCIAL USE OF PERSONAL DATA - 18. Request for restriction of further direct marketing

Part III: RESTRICTIONS ON THE COMMERCIAL USE OF PERSONAL DATA

Section 18. Request for restriction of further direct marketing
Section 18(1) A data subject may request a data controller or data processor to restrict use or disclosure of their personal data, to a third party, for the purpose of facilitating direct marketing.
Section 18(2) No fee shall be charged to a data subject for making or giving effect to a request under this Part.
Section 18(3) A data controller or data processor shall restrict use or disclosure of personal data for the purpose of facilitating direct marketing by a third party within seven days of the request.

Section 19

OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS - 19. Retention of personal data

Part IV: OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS

Section 19. Retention of personal data
Section 19(1) Pursuant to section 39 of the Act, a data controller or data processor shall retain personal data processed for a lawful purpose, for as long as may be reasonably necessary for the purpose for which the personal data is processed.
Section 19(2)(a) establish a personal data retention schedule with appropriate time limits for the periodic review of the need for the continued storage of personal data that is no longer necessary or where the retention period is reached; and
Section 19(2)(b) erase, delete, anonymise or pseudonymise personal data upon the lapse of the purpose for which the personal data was collected.
Section 19(3)(a) purpose for retention;
Section 19(3)(b) the retention period;
Section 19(3)(c) provision for periodic audit of the personal data retained; and
Section 19(3)(d) actions to be taken after the audit of the personal data retained.
Section 19(4)(a) review records with a view of identifying personal data that no longer requires to be retained and permanently delete the personal data;
Section 19(4)(b) ensure the retained data is accurate and up-to-date;
Section 19(4)(c) specify the purpose for retention of personal...

Section 20

OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS - 20. Requests to deal anonymously or pseudonymously

Part IV: OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS

Section 20. Requests to deal anonymously or pseudonymously
Section 20(1)(a) not to be identified;
Section 20(1)(b) to avoid subsequent contact such as direct marketing from an entity or third parties;
Section 20(1)(c) to enhance their privacy on the whereabouts of a data subject;
Section 20(1)(d) to access services such as counselling or health services without it becoming known to others;
Section 20(1)(e) to express views in a public arena without being personally identified; or
Section 20(1)(f) to minimise the risk of identity fraud.
Section 20(2) A data controller or data processor may accede to the request where satisfied that the request is based on any of the reasons specified under subregulation (1) and where the request is in the best interests of the data subject.

Section 21

OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS - 21. Sharing of personal data

Part IV: OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS

Section 21. Sharing of personal data
Section 21(1) Subject to section 25 of the Act, a data controller or data processor may share or exchange personal data collected, upon request, by another data controller, data processor, third party or a data subject.
Section 21(2) A data controller or data processor shall determine the purpose and means of sharing personal data from one data controller or data processor to another.
Section 21(3)(a) providing personal data to a third party by whatever means by the data controller or data processor;
Section 21(3)(b) receiving personal data from a data controller or data processor as joint participant in a data sharing arrangement;
Section 21(3)(c) exchanging or transmission of personal data;
Section 21(3)(d) providing a third party with access to personal data on the data controller's information systems;
Section 21(3)(e) separate or joint initiatives by data controllers or data processors to pool personal data, making the data available to each other or a third party subject to entering into an agreement, as may be applicable; or
Section 21(3)(f) routine data sharing between data controllers on a regular or pre-planned basis.
Section 21(4) In car...

Section 22

OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS - 22. Automated individual decision making

Part IV: OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS

Section 22. Automated individual decision making
Section 22(1) In this regulation— "an automated individual decision-making" means a decision made by automated means without any human involvement.
Section 22(2)(a) inform a data subject when engaging in processing based on automated individual decision making;
Section 22(2)(b) provide meaningful information about the logic involved;
Section 22(2)(c)(i) specific transparency and fairness requirements are in place;
Section 22(2)(c)(ii) rights for a data subject to oppose profiling and specifically profiling for marketing are present; and
Section 22(2)(c)(iii) where conditions specified under section 31 of the Act arise, a data protection impact assessment is carried out;
Section 22(2)(d) explain the significance and envisaged consequences of the processing;
Section 22(2)(e) ensure the prevention of errors;
Section 22(2)(f) use appropriate mathematical or statistical procedures;
Section 22(2)(g) put appropriate technical and organisational measures in place to correct inaccuracies and minimise the risk of errors;
Section 22(2)(h) process personal data in a w...

Section 23

OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS - 23. Data protection policy

Part IV: OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS

Section 23. Data protection policy
Section 23(1) A data controller or data processor shall develop, publish and regularly update a policy reflecting their personal data handling practices.
Section 23(2)(a) the nature of personal data collected and held;
Section 23(2)(b) how a data subject may access their personal data and exercise their rights in respect to that personal data;
Section 23(2)(c) complaints handling mechanisms;
Section 23(2)(d) lawful purpose for processing personal data;
Section 23(2)(e) obligations or requirements where personal data is to be transferred outside the country, to third parties, or other data controllers or data processors located outside Kenya and, where possible, specify such recipients;
Section 23(2)(f) the retention period and schedule contemplated under regulation 19; and
Section 23(2)(g) the collection of personal data from children, and the criteria to be applied.

Section 24

OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS - 24. Contract between data controller and data processor

Part IV: OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS

Section 24. Contract between data controller and data processor
Section 24(1) Subject to section 42(2)(b) of the Act, a data controller shall engage a data processor through a written contract.
Section 24(2)(a)(i) the subject matter of the processing;
Section 24(2)(a)(ii) the duration of the processing;
Section 24(2)(a)(iii) the nature and purpose of the processing;
Section 24(2)(a)(iv) the type of personal data being processed;
Section 24(2)(a)(v) the categories of data subjects; and
Section 24(2)(a)(vi) the obligations and rights of the data controller;
Section 24(2)(b) instructions of the data controller;
Section 24(2)(c) duty on the data processor to obtain a commitment of confidentiality from any person or entity that the data processor allows to process the personal data;
Section 24(2)(d) security measures subjecting the data processor to appropriate technical and organizational measures in relation to keeping personal data secure;
Section 24(2)(e) provision stipulating that all personal data must be permanently deleted or returned on termination or lapse of the agreement, as decided by the data controller; and
Section...

Section 25

OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS - 25. Obligations of a data processor

Part IV: OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS

Section 25. Obligations of a data processor
Section 25(1) A data processor shall not engage the services of a third party without the prior authorisation of the data controller.
Section 25(2) Where authorisation is given, the data processor shall enter into a contract with the third party.
Section 25(3) The contract contemplated under subregulation (1) shall include such particulars as provided for under subregulation 24(2).
Section 25(4) A data processor shall remain liable to the data controller for the compliance of any third party that they engage.

Section 26

OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS - 26. Requirement for specified processing to be done in Kenya

Part IV: OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS

Section 26. Requirement for specified processing to be done in Kenya
Section 26(1)(a) process such personal data through a server and data centre located in Kenya; or
Section 26(1)(b) store at least one serving copy of the concerned personal data in a data centre located in Kenya.
Section 26(2)(a) administering of the civil registration and legal identity management systems;
Section 26(2)(b) facilitating the conduct of elections for the representation of the people under the Constitution;
Section 26(2)(c) overseeing any system for administering public finances by any state organ;
Section 26(2)(d) running any system designated as a protected computer system in terms of section 20 of the Computer Misuse and Cybercrime Act (Cap. 79C);
Section 26(2)(e) offering any form of early childhood education and basic education under the Basic Education Act (Cap. 211); or
Section 26(2)(f) provision of primary or secondary health care for a data subject in the country.
Section 26(3)(a) has been notified that personal data outside Kenya has been breached or its services have been used to violate the Act and has not taken measures to stop or handle the violation; and
Section 26(3)(b) cooperating to...

Section 54

PROVISIONS ON EXEMPTIONS UNDER THE ACT - 54. Exemption for national security

Part IX: PROVISIONS ON EXEMPTIONS UNDER THE ACT

Section 54. Exemption for national security
Section 54(1) For the purposes of section 51(2)(b) of the Act, the processing of personal data by a national security organ referred to in Article 239(1) of the Constitution in furtherance of their mandate constitutes a processing for national security.
Section 54(2) Despite subregulation (1), a data controller or data processor who processes personal data for national security and wishes to be exempt on that ground shall apply to the Cabinet Secretary for an exemption.
Section 54(3) The Cabinet Secretary shall, upon being satisfied that the grounds supporting the application are sufficient, issue a certificate of exemption.
Section 54(4) The Cabinet Secretary may revoke a certificate of exemption issued, at any time, where the grounds on which the certificate was issued no longer apply.

Section 55

PROVISIONS ON EXEMPTIONS UNDER THE ACT - 55. Exemptions for public interest

Part IX: PROVISIONS ON EXEMPTIONS UNDER THE ACT

Section 55. Exemptions for public interest
permitted general situation; or

Section 56

PROVISIONS ON EXEMPTIONS UNDER THE ACT - 56. Permitted general situation

Part IX: PROVISIONS ON EXEMPTIONS UNDER THE ACT

Section 56. Permitted general situation
lessening or preventing a serious threat to the life, health or safety of any data subject, or to public health or safety;

Section 57

PROVISIONS ON EXEMPTIONS UNDER THE ACT - 57. Permitted health situation

Part IX: PROVISIONS ON EXEMPTIONS UNDER THE ACT

Section 57. Permitted health situation
Section 57(1)(a) the collection of health information to provide a health service;
Section 57(1)(b) the collection, use, or disclosure of health data is for health research and related purposes;
Section 57(1)(c) the use or disclosure of genetic information where necessary and obtained in the course of providing a health service;
Section 57(1)(d) the disclosure of health information for a secondary purpose to a responsible person for a data subject.
Section 57(2)(a) they provide a health service to the data subject;
Section 57(2)(b) the recipient of the personal data is a responsible person for the data subject;
Section 57(2)(c) a data subject is either physically or legally incapable of giving consent to the disclosure, or physically cannot communicate consent to the disclosure;
Section 57(2)(d) the disclosure is necessary to provide appropriate care or treatment of a data subject, or the disclosure is made for compassionate reasons;
Section 57(2)(e) the disclosure is not contrary to any wish expressed by the data subject before the data subject became unable to give or communicate consent of which the carer is aware or of which the carer could re...

Section 27

ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT - 27. Data protection by design or default

Part V: ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT

Section 27. Data protection by design or default
establish that the data protection mechanisms set out under the Act and these Regulations are embedded in the processing; and

Section 28

ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT - 28. Elements of data protection by design or default

Part V: ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT

Section 28. Elements of data protection by design or default
The elements for the protection of personal data by design or by default that are necessary to implement the data protection principles outlined under section 25 of the Act are as set out in this Part.

Section 29

ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT - 29. Elements for principle of lawfulness

Part V: ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT

Section 29. Elements for principle of lawfulness
appropriate legal basis or legitimate interests clearly connected to the specific purpose of processing;

Section 30

ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT - 30. Elements for principle of transparency

Part V: ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT

Section 30. Elements for principle of transparency
the use of clear, simple and plain language to communicate with a data subject to enable a data subject to make decisions on the processing of their personal data;

Section 31

ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT - 31. Elements for principle of purpose limitation

Part V: ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT

Section 31. Elements for principle of purpose limitation
specifying the purpose for each processing of personal data;

Section 32

ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT - 32. Elements for principle of integrity, confidentiality and availability

Part V: ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT

Section 32. Elements for principle of integrity, confidentiality and availability
having an operative means of managing policies and procedures for information security;

Section 33

ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT - 33. Elements for principle of data minimization

Part V: ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT

Section 33. Elements for principle of data minimization
avoiding the processing of personal data altogether when this is possible for the relevant purpose;

Section 34

ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT - 34. Elements for principle of accuracy

Part V: ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT

Section 34. Elements for principle of accuracy
ensuring data sources are reliable in terms of data accuracy;

Section 35

ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT - 35. Elements for principle of storage limitation

Part V: ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT

Section 35. Elements for principle of storage limitation
having clear internal procedures for deletion and destruction;

Section 36

ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT - 36. Elements for principle of fairness

Part V: ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT

Section 36. Elements for principle of fairness
granting the data subjects the highest degree of autonomy with respect to control over their personal data;

Section 37

NOTIFICATION OF PERSONAL DATA BREACHES - 37. Categories of notifiable data breach

Part VI: NOTIFICATION OF PERSONAL DATA BREACHES

Section 37. Categories of notifiable data breach
Section 37(1)(a) the data subject’s full name or identification number and any of the personal data or classes of personal data relating to the data subject set out in the Second Schedule; or
Section 37(1)(b) the data subject’s account identifier, such as an account name or number; and
Section 37(1)(b)(i) the data subject’s account identifier, such as an account name or number; and
Section 37(1)(b)(ii) any password, security code, access code, response to a security question, biometric data or other data that is used or required to allow access to or use of the individual’s account.
Section 37(2) A breach of any personal data envisaged under subregulation (1) amounts to a notifiable data breach under section 43 of the Act.
Section 37(3)(a) any personal data that is publicly available; or
Section 37(3)(b) any personal data that is disclosed to the extent that is required or permitted under any written law.
Section 37(4) The personal data referred to in sub-paragraph (3)(a) shall not be publicly available solely because of any data breach.

Section 38

NOTIFICATION OF PERSONAL DATA BREACHES - 38. Notification to Data Commissioner

Part VI: NOTIFICATION OF PERSONAL DATA BREACHES

Section 38. Notification to Data Commissioner
Section 38(1)(a) the date on which and the circumstances in which the data controller or data processor first became aware that the data breach had occurred;
Section 38(1)(b) a chronological account of the steps taken by the data controller or data processor after the data controller or data processor became aware that the data breach had occurred, including the data controller or data processor’s assessment that the data breach is a notifiable data breach;
Section 38(1)(c) details on how the notifiable data breach occurred, where applicable;
Section 38(1)(d) the number of data subjects or other persons affected by the notifiable data breach;
Section 38(1)(e) the personal data or classes of personal data affected by the notifiable data breach;
Section 38(1)(f) the potential harm to the affected data subjects as a result of the notifiable data breach;
Section 38(1)(g) eliminate or mitigate any potential harm to any affected data subject or other person as a result of the notifiable data breach; or
Section 38(1)(g)(i) eliminate or mitigate any potential harm to any affected data subject or other person as a result of the notifiable data b...

Section 39

TRANSFER OF PERSONAL DATA OUTSIDE KENYA - 39. Interpretation of Part VII

Part VII: TRANSFER OF PERSONAL DATA OUTSIDE KENYA

Section 39. Interpretation of Part VII
“data in transit” means personal data transferred through Kenya in the course of onward transportation to a country or territory outside Kenya, without the personal data being accessed or used by, or disclosed to, any entity while in Kenya, except for the purpose of such transportation;

Section 40

TRANSFER OF PERSONAL DATA OUTSIDE KENYA - 40. General principles for transfers of personal data out of the country

Part VII: TRANSFER OF PERSONAL DATA OUTSIDE KENYA

Section 40. General principles for transfers of personal data out of the country
appropriate data protection safeguards;

Section 41

TRANSFER OF PERSONAL DATA OUTSIDE KENYA - 41. Transfers on the basis of appropriate safeguards

Part VII: TRANSFER OF PERSONAL DATA OUTSIDE KENYA

Section 41. Transfers on the basis of appropriate safeguards
Section 41(1)(a) a legal instrument containing appropriate safeguards for the protection of personal data binding the intended recipient that is essentially equivalent to the protection under the Act and these Regulations; or
Section 41(1)(b) the data controller, having assessed all the circumstances surrounding transfers of that type of personal data to another country or relevant international organisation, concludes that appropriate safeguards exist to protect the data.
Section 41(2)(a) the transfer shall be documented;
Section 41(2)(b) the documentation shall be provided to the Commissioner on request; and
Section 41(2)(c) the date and time of the transfer;
Section 41(2)(c)(i) the date and time of the transfer;
Section 41(2)(c)(ii) the name of the recipient;
Section 41(2)(c)(iii) the justification for the transfer; and
Section 41(2)(c)(iv) a description of the personal data transferred.

Section 42

TRANSFER OF PERSONAL DATA OUTSIDE KENYA - 42. Deeming of appropriate safeguards

Part VII: TRANSFER OF PERSONAL DATA OUTSIDE KENYA

Section 42. Deeming of appropriate safeguards
ratified the African Union Convention on Cyber Security and Personal Data Protection;

Section 43

TRANSFER OF PERSONAL DATA OUTSIDE KENYA - 43. Binding corporate rules

Part VII: TRANSFER OF PERSONAL DATA OUTSIDE KENYA

Section 43. Binding corporate rules
Section 43(1)(a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
Section 43(1)(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
Section 43(1)(c) fulfil the requirements laid down in subregulation (2).
Section 43(2)(a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;
Section 43(2)(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of another country or countries in question;
Section 43(2)(c) their legally binding nature, both internally and externally;
Section 43(2)(d) the application of the general data protection principles;
Section 43(2)(e) the rights of data subjects in regard to processing and the means to exercise those rights;
Section 43(2)(f) the complaint procedures; and
Section 43(2)(g) the mecha...

Section 44

TRANSFER OF PERSONAL DATA OUTSIDE KENYA - 44. Transfers on the basis of an adequacy decision

Part VII: TRANSFER OF PERSONAL DATA OUTSIDE KENYA

Section 44. Transfers on the basis of an adequacy decision
Section 44(1)(a) the other country or a territory or one or more specified sectors within that other country, or
Section 44(1)(b) the international organisation, ensures an adequate level of protection of personal data.
Section 44(2) The Data Commissioner may publish on its website a list of the countries, territories and specified sectors within that other country and relevant international organisation for which the Data Commissioner has made a decision that an adequate level of protection is ensured.

Section 45

TRANSFER OF PERSONAL DATA OUTSIDE KENYA - 45. Transfers on the basis of necessity

Part VII: TRANSFER OF PERSONAL DATA OUTSIDE KENYA

Section 45. Transfers on the basis of necessity
Section 45(1) Personal data may be transferred to another country or territory on the basis of necessity if such a transfer is necessary for any of the purposes outlined under section 48(c) of the Act.
Section 45(2)(a) that the transfer is strictly necessary in a specific case outlined under section 48(c) of the Act;
Section 45(2)(b) there are no fundamental rights and freedoms of the data subject concerned that override the public interest necessitating the transfer.
Section 45(3) This section does not affect the operation of any international agreement in force between Kenya and other countries in the field of judicial co-operation in criminal matters and police co-operation.

Section 46

TRANSFER OF PERSONAL DATA OUTSIDE KENYA - 46. Transfer on basis of consent

Part VII: TRANSFER OF PERSONAL DATA OUTSIDE KENYA

Section 46. Transfer on basis of consent
Section 46(1)(a) has explicitly consented to the proposed transfer; and
Section 46(1)(b) has been informed of the possible risks of such transfers.
Section 46(2) Without limiting the generality of subregulation (1), a data controller or processor must seek consent from a data subject for the transfer of sensitive personal data, in accordance with section 49 of the Act.