- The template provided is a generic document designed for a typical transaction as described below. Special amendments or additional clauses may be necessary depending on the nature of the transaction and the terms agreed between the parties. Where instructions are provided for respective clauses, please review the instructions carefully and modify the clause to suit the circumstances in your transaction. If in doubt, or if dealing with a complex scenario or transaction, please seek legal advice from an Advocate.
- This article is written in the context of handling data relating to adults. Additional special conditions apply when handling data relating to minors.
Template Copyright Licence:
- Free for commercial use. No attribution required.
An organisation whose activities involve collection, storage, processing and dissemination of data relating to natural persons (individuals) who are resident in Kenya (referred to as “data subjects”) is required to provide certain information to data subjects.
This requirement applies if data is handled through:
- Automated means; or
- Non-automated means, where such data forms part of a filing system.
|Clause Number||Title||Guidelines on Required or Recommended Provisions||Statutory Reference|
Indicate the date from which the policy takes effect.
If applicable, state that this revised policy supersedes prior versions of the policy.
Identify the parties to the policy, being the data controller / data processor and the data subject. The data subject may be a named individual or a defined category of persons (for example employees or website visitors).
If appropriate, a detailed description of the parties can be set out in the primary contract.
|3||Definition of Terms||
Identify key words or phrases used in the policy and provide a corresponding definition, for example:
We recommend that the definitions in the policy should not negate or erode the definitions in Section 2 (Interpretation) of the Data Protection Act.
|Section 2, Data Protection Act|
Outline special rules that apply when interpreting the policy. Without these rules, the meaning or application of certain provisions may be misunderstood.
Indicate that the data subject must be over the age of eighteen (18) years.
Reserve the right to confirm authority of a representative through such means as may be necessary. We recommend that you also reserve the right to withhold services until adequate confirmation is obtained.
NOTE: Additional special restrictions apply when handling personal data relating to minors.
|Sections 27, 33, Data Protection Act|
Specify the mode of acceptance of the policy – whether through manual signature, or electronic signature, or ticking a checkbox on a physical or online form, or any other overt (clear and intentional) action by the data subject. The specified action shall be deemed to be confirmation that the data subject has read, understood and voluntarily accepts the terms of the policy.
If practicable, inform the data subject whether collection of the requested personal data is required by law, and whether submission of the requested data is optional or mandatory. If need be, distinguish optional data from mandatory data.
Indicate that by consenting to the policy the data subject also expressly consents to the following (as applicable):
|Sections 27, 28(1), 28(2)(c), 30(1)(a), 32, 39(1)(c), 49(1), Data Protection Act|
Assure the data subject that personal data will be collected, transmitted, processed, stored and used for the purposes set out below, and shall not be handled in a manner that is incompatible with the specified purposes.
The purposes may include the following (as appropriate):
If personal data relating to family or private affairs is requested, provide a valid explanation.
The stated purpose(s) should not contravene any other law, code of ethics or contract that governs the activities of the data controller / data processor.
|Sections 25(c), 25(e), 26(a), 29(c), 30(1), 34(2), 35(2), 37(1)(a), Data Protection Act|
|8||Nature of Personal Data Handled||
Specify the nature of personal data collected, transmitted, processed, stored and used. Such data should be limited to what is necessary in order to fulfill the specified purposes.
If practicable, inform the data subject whether collection of the requested personal data is required by law, and whether submission of the data is optional or mandatory. If need be, distinguish optional data from mandatory data.
|Sections 25(d), 29(b), 29(g), Data Protection Act|
|9||Rights and Responsibilities of Data Subject||
Inform the data subject of his / her rights, which may be exercised by the data subject or an authorised representative:
Where practicable, we recommend that the data subject should be responsible for ensuring that his / her personal data is up to date at all times.
Where the data controller or data processor has shared the personal data with a third party for processing purposes, the data controller or data processor should take all reasonable steps to inform third parties of data rectification or erasure request.
|Sections 25(f), 26, 27, 29(a), 32(2), 32(3), 34, 36, 38, 40, Data Protection Act|
|10||Consequences of Data Handling Restrictions||
Indicate the consequences that ensue if the data subject:
We recommend that a data controller / data processor should reserve the right to retain certain personal data for compliance purposes, and for reference in resolution of existing or potential complaints or disputes. In this case, inform the data subject that certain data will be retained, but processing will be restricted.
|Sections 29(h), 30(1)(a), 34, 40(3), Data Protection Act|
|11||Access to Data; Account Management||
Indicate how the data subject can access his / her personal data.
Where appropriate, consider indicating the precautions that a data subject can or should take to safeguard the security of his / her account.
|12||Response Time; Applicable Fees||
Indicate the response time within which requests from the data subject will be addressed. Note that data porting requests must be addressed within thirty (30) days; this period may be extended depending on the complexity and volume of data porting requests.
Indicate whether the requests will be attended to free of charge, or at a nominal fee.
|Sections 34(3), 38(6), 38(7), Data Protection Act|
|13||Automated Decision Making||If applicable, indicate that the data controller or processor may rely on automated data processing to make specified decisions that are likely to significantly affect the data subject. In such event, the data subject should be notified as soon as practicable, and in writing, that a decision has been taken based solely on automated processing. The data subject may – within a reasonable period after receiving such notification – request the data controller or data processor to re-consider the decision.||Section 35, Data Protection Act|
Indicate the period for which personal data will be retained in raw form, which should be long enough to satisfy the purpose for which data was collected and processed plus such additional period as necessary:
Upon lapse of the specified retention period, the raw data should be erased or anonymised or pseudonymised.
|Sections 34(3), 39, Data Protection Act|
|15||Data Protection Safeguards||
If practicable, outline the technical and organizational security measures taken to ensure the integrity and confidentiality of the data, for example:
|Sections 25(g), 37(2), 41, Data Protection Act|
If practicable, inform the data subject of:
|Section 29(d), Data Protection Act|
|17||Transfer of Personal Data Outside Kenya||
If applicable, indicate that personal data (including sensitive personal data) will be transferred out of Kenya for reasons consistent with the specified purposes.
We recommend that the data controller / data processor should highlight key data protection safeguards adopted by the data recipient(s).
|Sections 25(h), 48, 49, Data Protection Act|
If applicable, indicate that the data controller / data processor may use personal data to send communication to the data subject, for example:
If personal data will be used to send marketing communication to the data subject, confirm that a simple opt out mechanism will be provided.
We recommend that the data controller / data processor should reserve the right to continue sending certain communication that is essential in relation to the specified purposes even after the data subject opts out from marketing communication.
If the data controller or data processor administers social media or other publicly-accessible platforms, we recommend the following additional provisions:
Indicate the contact details of the data controller / data processor – particularly the contact details through which the data subject can submit requests relating to exercise of his / her rights.
Outline a complaint handling mechanism.
|Section 29(e), Data Protection Act|
If the right of the data controller or data processor to modify the policy is not already provided for in the primary contract – or if the policy is not incorporated by reference in the primary contract – we recommend that this clause should be set out in the policy.
Also indicate how the data subject will be notified of such modifications.
Where applicable, notify the data subject that use the concerned service should be discontinued if the data subject disagrees with the modifications. Also indicate that if consent to modifications is withheld, prior versions of the policy shall continue to apply based on the consent earlier provided.
- Data Protection Act (No. 24 of 2019)
- ABX – Subscription required
- ACX – Free
- ANX – Free