This Data Protection Statement provides information about the ways in which the Office of the Data Protection Commissioner (‘the ODPC’) collects, stores and uses personal data relating to individuals (data subjects). This Data Protection Statement relates to personal data received by the ODPC where data subjects contact, request information from, or provides information to the Office for purposes relating to the Data Protection to the ODPC directly, and also personal data received by the ODPC indirectly, and as set out below.
Who we are?
The ODPC was established by the Data Protection Act 2019 (‘the Act’).
Under the Act the ODPC is responsible for, inter alia, implementation of the Act, the regulation of data controllers and processors and to protect the rights and freedoms of individuals in relation to the processing of personal data. The mandate of the ODPC include, inter alia:
(a) regulating the processing of personal data;
(b) ensuring that the processing of personal data of a data subject is guided by the principles
set out in the Act;
(c) protecting the right to privacy of individuals resident in Kenya;
(d) establishing the legal and institutional mechanism to protect personal data; and
(e) providing data subjects with rights and remedies to protect their personal data from
processing that is not in accordance with the Act.
The ODPC is the controller for the personal data it processes. You can contact the ODPC in a number of ways, which are set out on the contact page of our website.
The ODPC processes personal data for a number of different purposes, which arise from its statutory powers, functions and duties.
The ODPC’s statutory powers, functions and duties derive from the data protection legislation set out above, and include the following:
(a) oversee the implementation of and be responsible for the enforcement of this Act;
(b) Establish and maintain a register of data controllers and data processors;
(c) Exercise oversight on data processing operations, either of its own motion or at the
request of a data subject, and verify whether the processing of data is done in
accordance with the Act;
(d) Promote self-regulation among data controllers and data processors;
(e) Conduct an assessment, on its own initiative, of a public or private body, or at the
request of a private or public body for the purpose of ascertaining whether
information is processed according to the provisions of the Act or any other relevant law;
(f) Receive and investigate any complaint by any person on infringement of the right of the Act
(g) Take such measures as may be necessary to bring the provisions of the Act to the knowledge of the general public;
(h) Carry our inspections of public and private entities with a view to evaluating the processing of personal data;
(i) Promote international cooperation in matters relating to data protection and ensure Country’s compliance on data protection obligations under international conventions and agreements; and
(j) Undertake research on developments in data processing of personal data an ensure that there are no significant risk or adverse effect of any developments on the privacy of individuals.
Some examples of the purposes for which the ODPC may collect personal data in accordance with its functions are:
As set out above, the ODPC processes personal data. This includes, as set out above, personal data received by the ODPC where data subjects contact, or request information from, the ODPC directly, and personal data received by the ODPC indirectly. The personal data that we process includes
(i) basic personal information, such as a data subject’s name / surname; date of birth; the company or organisation a data subject works for;
(ii) contact information, such as a data subject’s postal address, email address and phone number(s); and
(iii) any other personal data that is provided to the ODPC during the course of the performance of its functions.
The ODPC also processes special category data. This includes, as set out above, special category data received by the ODPC where data subjects contact, or request information from, the ODPC directly, and sensitive data received by the ODPC indirectly.
Such sensitive data may include a natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation.
Disclosure to third parties
Personal data collected by the ODPC is held confidentially and is not shared by the ODPC with any third parties, with the following exceptions:
How Long Does the ODPC Retain Personal Data?
The retention periods for personal data held by the ODPC are based on the requirements of the data protection legislation and on the purpose for which the personal data is collected and processed. For example, in the case of complaints, the ODPC will retain personal data (as contained on its case file) for as long as is necessary for the handling of the complaint and for any subsequent action that is required. The retention periods applied by the ODPC to personal data which it processes are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action.
Your Data Protection Rights
Under data protection law, data subjects have certain rights. The data subject rights are:
YOUR RIGHT TO COMPLAIN
If you have any concerns in relation to the manner in which we process your personal data, you can contact us on firstname.lastname@example.org or fill out the form on our report a concern page.
CHANGES TO OUR DATA PROTECTION STATEMENT
This Data Protection Statement is kept under regular review and is therefore subject to change. If you have any comments or queries in relation to this Data Protection Statement, please forward same to email@example.com.
CA Centre • Waiyaki Way,
P.O Box 30920 – 00100
Hours : Monday – Friday, 8:00 am – 5:00 pm