OFFICE OF THE DATA PROTECTION COMMISSIONER KENYA

Data Protection Statement

This Data Protection Statement provides information about the ways in which the Office of the Data Protection Commissioner (‘the ODPC’) collects, stores and uses personal data relating to individuals (data subjects). This Data Protection Statement relates to personal data received by the ODPC where data subjects contact, request information from, or provides information to the Office for purposes relating to the Data Protection to the ODPC directly, and also personal data received by the ODPC indirectly, and as set out below.

THE OFFICE OF THE DATA PROTECTION COMMISSIONER 

Who we are?

The ODPC was established by the Data Protection Act 2019 (‘the Act’).

Under the Act the ODPC is responsible for, inter alia, implementation of the Act, the regulation of data controllers and processors and to protect the rights and freedoms of individuals in relation to the processing of personal data.  The mandate of the ODPC include, inter alia:

  • regulating the processing of personal data;
  • ensuring that the processing of personal data of a data subject is guided by the principles set out in the Act;
  • protecting the right to privacy of individuals resident in Kenya;
  • establishing the legal and institutional mechanism to protect personal data; and
  • providing data subjects with rights and remedies to protect their personal data from processing that is not in accordance with the Act.

Contact details

The ODPC is the controller for the personal data it processes. You can contact the ODPC in a number of ways, which are set out on the contact page of our website.

 

PROCESSING OF PERSONAL DATA BY THE ODPC 

The ODPC processes personal data for a number of different purposes, which arise from its statutory powers, functions and duties.

The ODPC’s statutory powers, functions and duties derive from the data protection legislation set out above, and include the following:

(a)   oversee the implementation of and be responsible for the enforcement of this Act;

(b)  Establish and maintain a register of data controllers and data processors;

(c)   Exercise oversight on data processing operations, either of its own motion or at the request of a data subject, and verify whether the processing of data is done in accordance with the Act;

(d)  Promote self-regulation among data controllers and data processors;

(e)   Conduct an assessment, on its own initiative, of a public or private body, or at the request of a private or public body for the purpose of ascertaining whether information is processed according to the provisions of the Act or any other relevant law;

(f)   Receive and investigate any complaint by any person on infringement of the right of the Act

(g)  Take such measures as may be necessary to bring the provisions of the Act to the knowledge of the general public;

(h)  Carry our inspections of public and private entities with a view to evaluating the processing of personal data;

(i)    Promote international cooperation in matters relating to data protection and ensure Country’s compliance on data protection obligations under international conventions and agreements; and

(j)    Undertake research on developments in data processing of personal data an ensure that there are no significant risk or adverse effect of any developments on the privacy of individuals.

Some examples of the purposes for which the ODPC may collect personal data in accordance with its functions are:

  • Complaint handling – including personal data received from a data subject directly (or through his or her representatives) where the data subject makes a complaint to the ODPC; personal data relating to a data subject received by the ODPC from an organisation about which the ODPC has received a complaint; and personal data relating to a data subject received by the ODPC from a complainant.
  • Inquiries and investigations – including personal data received from data subjects directly; and personal data received from an organisation, which is the subject of an inquiry or investigation. This will also include personal data received by the ODPC in conducting investigations and inspections;
  • Breach notifications – including personal data contained in breach notifications to the ODPC;
  • Queries and concerns – including personal data received from individuals who have raised queries or concerns with the ODPC;
  • Service providers and suppliers – including personal data obtained from service providers or suppliers engaged by the ODPC;
  • Conferences, events and stakeholder forums – including personal data relating to attendees at conferences, events and stakeholder forums organised by the ODPC.

WHAT PERSONAL DATA DOES THE ODPC PROCESS?

Personal data 

As set out above, the ODPC processes personal data. This includes, as set out above, personal data received by the ODPC where data subjects contact, or request information from, the ODPC directly, and personal data received by the ODPC indirectly.

The personal data that we process includes (i) basic personal information, such as a data subject’s name / surname; date of birth; the company or organisation a data subject works for; (ii) contact information, such as a data subject’s postal address, email address and phone number(s); and (iii) any other personal data that is provided to the ODPC during the course of the performance of its functions.

Sensitive data

The ODPC also processes special category data. This includes, as set out above, special category data received by the ODPC where data subjects contact, or request information from, the ODPC directly, and sensitive data received by the ODPC indirectly. Such sensitive data may include a natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation.

WHO ARE THE RECIPIENTS OF PERSONAL DATA PROCESSED BY THE ODPC?

Disclosure to third parties

Personal data collected by the ODPC is held confidentially and is not shared by the ODPC with any third parties, with the following exceptions:

  • Where the sharing of the personal data is necessary for the performance by the ODPC of its functions.  This may arise, for example, in the context of complaints handling, where the ODPC will usually disclose the complainant’s identity and the subject matter of the complaint to the data controller or data processor against whom the complaint is made. This is required both for practicality (because without disclosing the identity of the complainant in this manner, it will likely be impossible for the ODPC to investigate the complaint) as well as to ensure procedural fairness.
  • In the case of cross border processing or for the purpose of co-operation with other supervisory authorities. In certain circumstances, the ODPC must cooperate with and assist other Data Protection Authorities, globally, in handing complaints and investigations.  This may arise, for example, where the matter involves cross border processing.  In such circumstances, in accordance with the law, we may share some or all of the content of the ODPC’s file with relevant Data Protection Authority.
  • For the purpose of legal proceedings. In the event that the matter or complaint in question is brought before the Courts, the materials, including any information, documents or submissions provided by an individual, may be made public in open court.
  • In the case of service providers or suppliers to the ODPC. The ODPC uses data processors to provide certain services to the ODPC. The ODPC requires such processors to abide by certain terms to protect any personal data which is processed by the service provider/supplier during the course of providing the service.

How Long Does the ODPC Retain Personal Data? 

The retention periods for personal data held by the ODPC are based on the requirements of the data protection legislation and on the purpose for which the personal data is collected and processed. For example, in the case of complaints, the ODPC will retain personal data (as contained on its case file) for as long as is necessary for the handling of the complaint and for any subsequent action that is required.

The retention periods applied by the ODPC to personal data which it processes are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action.

Your Data Protection Rights

Under data protection law, data subjects have certain rights. The data subject rights are:

  1. The right to be informed about the processing of your personal data;
  2. The right to access your personal data;
  3. The right to rectification of your personal data;
  4. The right to erasure of your personal data;
  5. The right to data portability;
  6. The right to object to processing of your personal data; and
  7. The right to restrict processing of your personal data.

YOUR RIGHT TO COMPLAIN

If you have any concerns in relation to the manner in which we process your personal data, you can contact us on info@odpc.go.ke or fill out the general enquiries on Contact us page  page.

CHANGES TO OUR DATA PROTECTION STATEMENT 

This Data Protection Statement is kept under regular review and is therefore subject to change.

If you have any comments or queries in relation to this Data Protection Statement, please forward same to info@odpc.go.ke.

Skip to content