“System uptime, data protection and identity theft are weighty issues. It takes real ingenuity to out-think the fraudsters who are trying to steal identities and hack into enterprise systems.” - Chris Shipley


The Data Protection Act No. 24 of 2019 was assented to by the President on 8th November 2019 and commenced on 25th November 2019. Admittedly, however fast regulations move, technology often moves faster. This is why the Act strikes a balance between the right of individuals to privacy, as espoused under Article 31(c) and (d) of the Constitution of Kenya, 2010, and the right of financial institutions to use the data obtained from their clients. The purpose of the Act is to regulate the processing of personal data. This means that financial institutions should protect the privacy of their clients by establishing legal and institutional mechanisms that protect personal data. Further, the Act provides rights and remedies that protect clients’ personal data from processing that is not in accordance with its provisions.

This article analyses the Data Protection Act and how its enactment will affect operations in financial institutions. It looks into the establishment of the Office of the Data Protection Commissioner, the principles and obligations of personal data protection, the transfer of personal data outside Kenya, the consequences of breach and non-compliance, and the exemptions under which the provisions of the Act do not apply. Moreover, the article will shed light on the terminologies used and their meaning, and on the implications of the Act for financial institutions with regard to the privacy of the data obtained from their clients. Continuous data protection matters because, for instance, if a network or computer crashes as a result of a virus before its data has been backed up, the backup systems will not protect that data.


Worth mentioning is the definition of certain terms under Section 2 of the Act. A data controller is a natural or legal person, agency, public authority or any other body which, alone or jointly with others, determines the purpose and means of processing personal data. A data processor, on the other hand, is a natural or legal person, agency, public authority or any other body that processes personal data on behalf of the data controller. Finally, a data subject is an identified or identifiable natural person who is the subject of personal data.

Establishment of the office of the Data Protection Commissioner

Section 5 of the Act provides for the office of the Data Protection Commissioner. This office is a body corporate with perpetual succession and a common seal, capable of suing and being sued, entering into contracts, taking, purchasing or otherwise acquiring, holding, charging or disposing of movable and immovable property, and performing any other legal acts necessary for the proper performance of its functions. Consequently, financial institutions act as data controllers and, in order to comply with the provisions of the Act, they should ensure that they have established the office of the Data Protection Commissioner. The essence of this office is to ensure that financial institutions implement and enforce Section 18 by maintaining a register of data controllers and data processors; the office also exercises an oversight role over data processing operations in financial institutions. Additionally, Section 7(2) provides that the Data Protection Commissioner shall be appointed for a single term of six years and shall not be eligible for reappointment. Further, the office may collaborate with national security organs; however, the Data Protection Commissioner shall act independently in exercising its powers, as stipulated under Section 8.

Dealing with personal data obtained

Section 32 of the Data Protection Act provides for the conditions of consent when dealing with personal data obtained from clients. This is further buttressed by Section 31 of the Banking Act, Chapter 488 Laws of Kenya, which provides that the Central Bank or the Minister may publish, in whole or in part, at such times and in such manner as deemed fit, any information furnished under the Banking Act, provided that the information shall not be published if it would disclose the financial affairs of any person unless the written consent of that person has first been given. The data controller or data processor bears the burden of proof for establishing a data subject’s consent to the processing of their personal data for a specified purpose.

However, a data subject has the right to withdraw consent at any time. Notably, the withdrawal of consent shall not affect the lawfulness of processing based on consent given before its withdrawal. In determining whether consent was freely given, account shall be taken of whether, among other things, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Financial institutions will now have to make changes to how they deal with data obtained from their customers. This raises the question of whether financial institutions can share a customer’s data where that customer faces corruption allegations, and what measures financial institutions should take in order to comply with the Act.

In such a situation, financial institutions will have to seek consent from their customers before sharing any information with third parties. Therefore, financial institutions should not disclose any information without the consent of their data subjects. However, Section 51 of the Act provides for exemptions under which such information may be disclosed without the customer’s consent, for example where the data is necessary for national security or public interest purposes, or where the disclosure is required by an order of the court.

Principles and Obligations of Personal Data Protection

Part IV of the Act provides for the principles and obligations of personal data protection that financial institutions must comply with. They include ensuring that personal data is processed lawfully, in a transparent and fair manner and in accordance with the customer’s right to privacy, as required by Section 25. The personal data should also be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed, and it should be kept up to date.

“If you exchange information internationally, you must strengthen data protection. Those are two sides of the same coin.” - Gijs de Vries

Section 48 provides that financial institutions may transfer data outside Kenya only upon the approval of the Data Protection Commissioner. This is a safeguard against revealing information relating to a person’s family or private affairs to the outside world. Section 49 provides for safeguards that must be in place prior to the transfer of personal data out of Kenya. Financial institutions should therefore be aware that the customer has the right to be informed of how their personal data will be used, to access their data whenever they need it, to correct false or misleading data, and to have such false data about them deleted.

Consequences of Breach or Non-Compliance

Section 72 of the Act provides for the offence of unlawful disclosure of personal data. In cases of breach or non-compliance by financial institutions, a data subject may lodge a complaint, either orally or in writing, with the Data Commissioner. The complaint shall then be investigated and concluded within 90 days. For the purposes of the investigation, the Data Protection Commissioner may order any person to be examined orally at a specified time and place, to produce such book, document, record or article as may be required with respect to any matter relevant to the investigation, or to furnish a written statement made under oath or on affirmation setting out all the information required. A person who fails to comply with these requirements commits an offence, and under Section 73 the general penalty is imprisonment for a term not exceeding 10 years, a fine not exceeding Ksh. 3,000,000/-, or both.


From the foregoing, it is evident that financial institutions should take all the necessary steps to ensure compliance with the Data Protection Act in order to avoid any penalties.

If you have any query regarding the same, please do not hesitate to contact Virginiah Nduta or Lilian Orero at virginiah@wamaeallen.com or lilian@wamaeallen.com. Note that this alert is meant for general information only and should not be relied upon without seeking specific subject matter legal advice.

About the author


Virginiah is a promising transactional advocate specializing in Real Estate and Securitization, Banking and Finance.

Advocate Trainee, 2020