The Data Protection Act establishes the Office of the Data Protection Commissioner as a State Office under Article 260(q) of the Constitution of Kenya.
This Office is headed by the Data Protection Commissioner, who also serves as the accounting officer, alongside other staff members appointed by the Commissioner.
The Office of the Data Protection Commissioner is a body corporate with perpetual succession and a common seal, and it can:
- Sue and be sued in its corporate name.
- Acquire, hold, charge, or dispose of movable and immovable property.
- Enter into contracts and carry out legal transactions necessary for its functions.
- Ensure reasonable access to its services across the country.
The Data Protection Commissioner, in consultation with the Cabinet Secretary for ICT, may establish directorates to improve service delivery.
Functions of the Office of the Data Protection Commissioner
The Office of the Data Protection Commissioner is responsible for:
- Implementing and enforcing the Data Protection Act.
- Registering data controllers and processors.
- Overseeing data processing activities, either independently or upon a data subject’s request.
- Encouraging self-regulation among data controllers and processors.
- Assessing compliance with data protection laws for public and private entities.
- Receiving and investigating complaints about data privacy violations.
- Raising public awareness on data protection laws.
- Inspecting entities that process personal data to evaluate compliance.
- Promoting international cooperation on data protection and ensuring Kenya’s compliance with international conventions.
- Investigating new innovations in data handling to prevent privacy threats.
- Performing additional functions as assigned by law.
The Office may collaborate with national security agencies when required but must maintain its independence while executing its functions.
Powers of the Office of the Data Protection Commissioner
The Office of the Data Protection Commissioner has the authority to:
- Conduct investigations independently or based on complaints from data subjects or third parties.
- Seek expert advice from professionals, organizations, or consultants.
- Facilitate mediation, conciliation, and negotiation in data disputes.
- Issue summons for investigations.
- Require explanations, information, or assistance from persons subject to the Data Protection Act.
- Impose administrative fines for non-compliance with data protection laws.
- Undertake additional activities necessary to fulfill its functions.
- Exercise any other powers prescribed by law.
To strengthen data protection efforts, the Office of the Data Protection Commissioner may partner with local and international organizations.
For more details, refer to the Data Protection Act:
Kenya Law – Data Protection Act
