The Office of the Data Protection Commissioner (ODPC) has issued 184 compensation orders to Kenyans affected by data breaches since the enactment of the Data Protection Act, 2019 (DPA), underscoring increased enforcement of Kenya’s data privacy laws.
The compensation orders stem from complaints lodged by individuals whose personal data was mishandled in violation of the law. Since the DPA came into force, the ODPC has received 9,061 complaints, reflecting rising public awareness of data protection rights and obligations. Out of these cases, 84 were resolved through the Alternative Dispute Resolution (ADR) framework, which allows parties to settle disputes without formal enforcement proceedings.
“The ODPC has taken swift action on these complaints, issuing 357 determinations, 134 enforcement notices, and 20 penalty notices to ensure compliance with data protection regulations,” Data Commissioner Immaculate Kassait said.
ODPC on Legal Framework and Individual Rights
The Data Protection Act, 2019, was enacted to give effect to the constitutional right to privacy under Article 31(c) and (d) of the Constitution. It remains Kenya’s primary law governing the collection, processing, storage, and protection of personal data by both public and private entities.
Under the Act, individuals are entitled to be informed about how their data is collected and used, to access their personal information, and to object to certain forms of data processing. The law also provides for the correction or deletion of inaccurate or unlawfully held data, reinforcing accountability among data handlers.
Data controllers and processors are required to register with the ODPC and comply with specific obligations both before and after registration. These obligations include implementing appropriate safeguards to prevent data breaches and ensuring lawful processing of personal information.
Also Read: Company Ordered to Pay Ksh400,000 for Unlawful Use of Personal Data
“The ODPC has taken swift action on these complaints, issuing 357 determinations, 134 enforcement notices, and 20 penalty notices,” Kassait said ahead of the 2026 Data Privacy Day Conference in Mombasa.
Entities found in breach of the Act face severe penalties, including fines of up to Sh5 million, imprisonment of up to 10 years, or both, depending on the nature of the offence.
Expansion and Compliance Efforts
To enhance service delivery and enforcement capacity, the ODPC has expanded its presence across the country. The regulator now operates regional offices in Nairobi, Mombasa, Kisumu, Nakuru, Eldoret, Machakos, Garissa, and Nyeri, thereby improving nationwide access to data protection services.
Also Read: Data Protection Office Confirms Full Deletion of Worldcoin’s Biometric Data
In 2024, the ODPC launched its second strategic plan for the 2025–2029 period. The plan prioritises strengthening data protection policies and regulations, enhancing institutional capacity, and increasing compliance with data protection laws across sectors.
“In 2024, we launched our second strategic plan for 2025–2029, focusing on strengthening data protection policies and regulations, enhancing institutional capacity, and increasing compliance with data protection laws,” Kassait said.
The Compliance and Inspection Directorate has issued registration certificates to more than 15,000 entities, signalling growing adherence to data protection requirements and continued enforcement of Kenya’s data privacy regime.
Follow our WhatsApp Channel and X Account for real-time news updates.
