Kenya's data protection regime is dynamic, with organizations adjusting to comply with the Data Protection Act, 2019 (DPA19) and complaints being filed at the Office of the Data Protection Commissioner (the "Data Protection Commissioner" or "ODPC"). The ODPC has continued to issue determinations that clarify and provide critical insights into the Commission's interpretation of key provisions of the DPA19.

A notable trend shows that smaller organizations or SMEs are more frequently cited for compliance violations and ordered to provide compensation by the Commissioner compared to larger, better-resourced organizations. This trend underscores the need for these smaller entities to establish and strengthen their data compliance measures.


Violations

Violations are inevitable. But what do you do when served with a complaint filed at the Office of the Data Protection Commissioner?

We have analysed complaints made to the ODPC in the Country (Kenya) Determinations Database and noted that the following represents typical requirements by the ODPC when soliciting a Respondent's answer to a complaint:

Lessons from DataHub

When faced with a complaint, it's crucial for respondents to meticulously address the allegations, demonstrating their commitment to compliance and the protection of personal data. Here’s a detailed exploration of the typical requirements and the process of responding to such allegations.

Responding to Allegations

The first and foremost step in addressing a complaint from the ODPC is not to ignore the summons. Consider obtaining representation or consulting experts to help you navigate the process if you are not sure how to proceed.


In the absence of a response from you, as the Respondent, the Data Commissioner will hold that all facts as presented by the Complainant are uncontroverted. This may be illustrated by the case of Haron Korir & Another vs. SureCred Capital Ltd (YesCash), where the Respondent failed, refused or neglected to file a response with the Data Commissioner, to its detriment.