KNOWING YOUR RIGHTS AS A DATA SUBJECT IN KENYA

Across Kenya, every tap, swipe and sign-in leaves a trail. From loyalty cards at supermarkets to check-in books at office receptions, from mobile apps to school admission forms, organizations are constantly collecting and using personal information in ways that are not always transparent or fair. The law does not treat you as a passive source of this data. It recognizes you as a data subject with enforceable rights, and expects controllers and processors to respect those rights or face consequences.

This alert unpacks what it means, in practice, to be a “data subject” in Kenya and how you can take control of your data rather than leaving your privacy to chance.

WHO IS A DATA SUBJECT AND WHAT IS PERSONAL DATA?

Under Section 2 of the Data Protection Act, a data subject is an identified or identifiable natural person who is the subject of personal data. Personal data means any information relating to such a person, whether it identifies them directly (like their name or ID number) or indirectly (like a combination of location, contact and employment details).

 

In everyday life, this covers information you provide when: opening a bank account, registering a SIM card, applying for a job, joining a Sacco, visiting a hospital, signing a tenancy agreement or even posting on social media. Any organization that determines how and why this information is processed is a data controller; one that processes it on behalf of another is a data processor.

 

THE CONSTITUTIONAL FOUNDATION: ARTICLE 31

The rights of a data subject in Kenya are rooted in the Constitution of Kenya, 2010. Article 31 guarantees the right to privacy and specifically provides that every person has the right not to have information relating to their family or private affairs unnecessarily required or revealed, and to be protected against unlawful searches and seizures.

 

This constitutional guarantee is not decorative. It is the anchor for the Data Protection Act, which was enacted to give effect to Article 31(c) and (d) and to translate the broad right to privacy into concrete duties for organizations and specific rights for individuals.

STATUTORY RIGHTS UNDER SECTION 26 OF THE DATA PROTECTION ACT

Section 26 of the Data Protection Act sets out the core rights of a data subject. These rights are the tools that allow you to take control of your data:

  • Right to be informed of the use of your data

Before collecting your personal data, a controller or processor must tell you why the data is needed, how it will be used, whether it will be shared with third parties and on what legal basis. This transparency allows you to make an informed decision about whether to provide the data at all.

  • Right of access to your personal data

You are entitled to request access to personal data held by a controller or processor and to be informed about the processing activities carried out on that data. This right is essential for checking accuracy and lawfulness.

  • Right to object to processing

You may object to the processing of all or part of your personal data, particularly where you did not consent to the purpose or where processing is excessive or incompatible with the original purpose.

  • Right to correction of false or misleading data

If data about you is inaccurate, outdated or misleading, you have the right to demand that it be corrected so that it reflects the true position.

  • Right to deletion of false or unnecessary data

You may request deletion or destruction of personal data that is false, misleading, no longer necessary for the purpose for which it was collected, or was obtained or processed unlawfully.

 

These rights are not theoretical. They impose real obligations on organizations and provide a basis for complaints and remedies when breached.

 

HOW TO ENFORCE YOUR RIGHTS: THE ODPC COMPLAINTS PROCESS

When your data subject rights are violated, you do not have to suffer in silence. The Data Protection Act empowers you to lodge a complaint with the Data Protection Commissioner either orally or in writing. Where a complaint is made orally, the Commissioner is required to reduce it into writing.

The Commissioner may, for purposes of investigating a complaint, require any person to:

  • Attend at a specified time and place to be examined orally about the complaint.
  • Produce documents, records or articles relevant to the investigation, unless another law prohibits disclosure.
  • Furnish a written statement on oath or affirmation setting out information requested.

A person who, without reasonable excuse, fails to comply with such a notice, or who deliberately provides false or misleading information, commits an offence. The Commissioner may then issue determinations, including directions to stop unlawful processing, to correct or delete data, and in appropriate cases, to pay compensation.

 

CASE STUDY: UNAUTHORISED REPOSTING AND THE RIGHT TO BE INFORMED

In Muthoni v Solpia Kenya Ltd t/a Sista Kenya KEHC 34, the High Court upheld the determination of the ODPC. This was a dispute where a data subject’s photograph was reposted on social media without notice or consent. The case highlighted that even such activity can amount to processing personal data that is subject to the Act and constitutional protections.

The Court affirmed that a data subject is entitled to be informed about how their data will be used and may object to processing that is not lawful or that goes beyond what was originally agreed. The decision sends a clear message to businesses and influencers alike: digital convenience does not override the obligation to respect privacy and obtain valid consent.

CONCLUSION

In Kenya’s digital economy, every form you sign, every platform you join and every image you share is part of your personal data footprint. The Constitution and the Data Protection Act are designed to ensure that you are not just a passenger while others steer your information for their own purposes.

By understanding your rights (to be informed, to access, to object, to correct and to delete), you move from passive subject to active participant in decisions about your data. By using the ODPC complaints mechanism when those rights are ignored, you reinforce a culture where privacy is respected and unlawful processing has real consequences.

For organizations, this is a reminder that treating personal data as a mere administrative resource is no longer tenable. For individuals, it is an invitation to TAKE CONTROL OF YOUR DATA. Because in a world where information is currency, your privacy is part of your wealth.
