The Data Protection Law recognises two parties who deal with personal data:
- Data Processor: the subject or legal entity that processes personal data on behalf of the Data Controller.
- Data Controller: the subject or legal entity that decides on the processing of personal data.
Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.
According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:
- Legitimacy: Personal data must be collected and processed in a lawful manner;
- Consent: The data subject must give their consent for the processing of their personal data;
- Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
- Quality: This principle is met when the personal data is provided directly by the data subject; if not, the Data Controller must take measures to meet the quality principle and adopt the mechanisms considered necessary to ensure that the data is accurate, complete, updated and correct;
- Purpose: Personal data can only be processed for the purposes established in the Privacy Notice;
- Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
- Responsibility: Data Controllers must ensure the processing of personal data in their custody, as well as the data transferred to a Data Processor.
Additionally, the following legal requirements should be taken into account when processing personal data:
- Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
- Personal data must not be obtained through deceptive or fraudulent means;
- In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
- Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.
According to the CDLP, the processing of all data shall be carried out:
- In a manner consistent with the law;
- For the purposes permitted by the legal system; and
- With attention to the full exercise of the fundamental rights of the data subject.
Consent of the data subject: Article 4 of the law establishes that the processing of personal data is permitted only when the law authorises it, or the subject expressly consents or authorises it. However, the law does not provide a definition of what the “authorisation” or “consent” of the data subject means or entails.
Quality: Article 6 of the law establishes that personal data will be: destroyed or cancelled when the purpose of its storage has no legal basis or when it has expired; modified when it is inaccurate, inexact, misleading or incomplete; and blocked when it cannot be destroyed or cancelled, and its accuracy cannot be established or whose validity is doubtful.
Confidentiality: Article 7 of the law establishes that people who work in the processing of personal data, in the private and public sector, must maintain confidentiality when the data comes from sources not accessible to the public, as well as with respect to other data and information related to the data bank; this obligation does not cease upon completion of their functions or activities in that field.
Purpose: Personal data will be used only for the purposes for which it was collected, unless it is obtained from sources accessible to the public (Article 9 of the law).
Personal data: Article 10 of the law prescribes that sensitive personal data, defined as any information regarding characteristics of a physical or moral nature of an individual or facts or circumstances of his private life, such as personal habits, racial or ethnic origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health and sexual life, cannot be processed unless:
- The law authorises it;
- The data subject expressly accepts said processing;
- Such data is necessary to establish or grant health benefits that pertain to the respective data subject.
Data security: Article 11 of the law establishes that those responsible for the registries or personal data must “take care of them with due diligence” and be liable for damages.
Data Processing Principles:
All data processors/controllers are required to follow the data protection principles, which are:
- Data processing in accordance with the right to privacy of the data subject;
- Fair and transparent processing of a data subject's personal data;
- Collection of personal data for specified and legitimate purposes and not further processing beyond those purposes;
- Purpose limitation for data collected;
- Collection of personal data relating to family or private affairs only where a valid explanation is provided;
- Accuracy of collected personal data and every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
- Personal data is to be kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected;
- Personal data shall not be transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.
Duty to Notify:
Before collecting any personal data, data processors/controllers are required to notify a data subject of:
- Their rights as data subjects under the DPA;
- The fact that their data is being collected and the purpose for the collection;
- Any third parties that have or will have access to their data including details of safeguards adopted;
- The contacts of the data controller/processor and any other entity receiving the collected personal data;
- The technical and organisational security measures taken to ensure the integrity and confidentiality of the data;
- Whether the data is being collected pursuant to any law and whether such collection is voluntary or mandatory;
- The consequences, if any, if they fail to provide all or any part of the requested data.
Personal data may only be processed on the lawful basis provided under Section 30 of the DPA as:
- Consent: the individual has given clear consent for a data processor or controller to process their personal data for a specific purpose;
- Contract: the processing is necessary for a contract's performance between a data processor or controller and the data subject or because the data subject has asked the data processor or controller to take specific steps before entering into a contract;
- Legal obligation: the processing is necessary for a data processor or controller to comply with the law (not including contractual obligations);
- Vital interests: the processing is necessary to protect the vital interests of the data subject or another natural person;
- Public task: the processing is necessary for a data processor or controller to perform a task in the public interest or the exercise of official authority vested in the controller;
- Legitimate interests: the processing is necessary for a data processor or controller's legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the data subject's data which overrides those legitimate interests;
- Historical, Statistical, Journalistic, Literature and Art or Scientific research: if the data is required in such pursuits.