Data protection compliance for media and technology in Kenya: the Data Protection Act No. 24 of 2019 applies to every organisation that collects or processes personal data in Kenya, including media houses, digital publishers, technology platforms, and app developers.
Data Protection Compliance Media Technology Kenya: Key Obligations Under the 2019 Act
Section 50 of the DPA 2019 provides a qualified exemption for processing personal data for journalistic, academic, artistic, or literary purposes where publication is reasonably believed to be in the public interest. The exemption covers the right of access, the right to erasure, the right to restriction, and the right to object. It does not exempt media organisations from security obligations or from compliance in their commercial activities.
Audience and Subscriber Data
Audience data, including website analytics, email subscription lists, and app usage data, is personal data subject to the full DPA 2019. Media organisations must register with the ODPC, publish a compliant privacy policy, obtain valid consent for marketing communications, and respond to data subject requests within prescribed timelines.
Technology Platforms: Processor Obligations
Technology companies that process personal data on behalf of clients must have a written data processing agreement specifying the subject matter, duration, nature and purpose of processing, the type of data, and the obligations and rights of the controller. Processing outside controller instructions is prohibited.
Cross-Border Transfers
Transferring personal data outside Kenya requires either an adequacy determination for the recipient country or appropriate safeguards including standard contractual clauses. Technology companies using cloud infrastructure outside Kenya need a transfer compliance assessment.
Data Protection Compliance Media Technology Kenya: ODPC Registration
Data controllers and processors meeting the threshold under the Data Protection (Registration) Regulations 2021 must register with the Office of the Data Protection Commissioner before processing personal data. Registration is mandatory for any organisation processing the data of more than 1,000 data subjects per month, or for high-risk processing activities involving sensitive personal data. Media organisations with subscriber databases and technology companies running SaaS platforms in Kenya generally exceed the threshold. Failure to register when required constitutes a breach of the Data Protection Act No. 24 of 2019 and may attract administrative fines of up to KES 5,000,000.
Data Protection Compliance Media Technology Kenya: Lawful Basis for Processing
The DPA 2019 identifies six lawful bases for processing personal data: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Media and technology companies commonly rely on consent for newsletter subscriptions and direct marketing, contract for subscription agreements, and legitimate interests for analytics and security monitoring. Reliance on legitimate interests requires a balancing test demonstrating that processing does not override the data subject’s fundamental rights. The journalistic exemption under Section 52 operates as a specific override for editorial and public interest reporting but does not displace security obligations or commercial data processing compliance requirements.
Data Protection Compliance Media Technology Kenya: Data Subject Rights
Every data subject holds the right to access their personal data under Section 26 of the DPA 2019, rectification under Section 33, erasure in specified circumstances under Section 34, restriction of processing under Section 35, and the right to object under Section 36. Media and technology companies must establish documented procedures for handling data subject requests within the statutory 21-day response period. Failure to respond within the period is itself a breach of the Act and may be the subject of a complaint to the ODPC. Data portability rights under Section 38 are particularly relevant to technology platforms that hold significant user data.
Data Protection Compliance Media Technology Kenya: Privacy Notices
At the point of data collection, the DPA 2019 requires disclosure of the controller’s identity, the ODPC registration number once registered, the purpose and legal basis for processing, the retention period, and information about third-party sharing or international transfers. Technology platforms relying on consent must ensure it is freely given, specific, informed, and unambiguous; pre-ticked consent boxes and consent bundled into terms of service are not compliant. Cookie consent banners must meet the same standard: passive scrolling does not constitute valid consent under the Act.
Data Protection Compliance Media Technology Kenya: Security and Breach Notification
Section 41 of the DPA 2019 requires data controllers and processors to implement appropriate technical and organisational security measures, proportionate to the risk and sensitivity of data being processed. In the event of a data breach likely to result in high risk to data subjects, the controller must notify the ODPC without undue delay, and where feasible within 72 hours of becoming aware of the breach. All breaches must be documented whether or not notification was required. Clay & Associates Advocates advises media houses, publishers, and technology companies on designing compliant data governance frameworks covering registration, lawful basis mapping, data subject rights procedures, processor agreements, and breach response protocols.
Data Protection Compliance Media Technology Kenya: ODPC Enforcement
The ODPC has demonstrated an active enforcement posture since 2022. Notable enforcement actions have resulted in administrative fines against entities that failed to respond to enforcement notices or that processed personal data without a lawful basis. The ODPC has the power to conduct audits, investigations, and inspections of data controllers and processors, and may issue enforcement notices, penalty notices, and administrative fines under Sections 58, 62, and 63 of the DPA 2019. Media organisations that use personal data for targeted advertising, profiling, or behavioural analytics face particular scrutiny, given the sensitivity of the data involved and the scale of processing.
Data Protection Compliance Media Technology Kenya: Building a Compliance Programme
A workable data protection compliance programme for a media or technology company in Kenya should cover six core elements: a data inventory and mapping exercise to identify all processing activities and data flows; a lawful basis analysis for each processing activity; a privacy notice review and update covering all collection touchpoints including websites, apps, and marketing materials; a data subject rights response procedure tested against the 21-day statutory deadline; a processor agreement audit covering all third-party vendors, cloud providers, and sub-processors; and a security and breach response playbook. Data protection compliance obligations for media and technology companies in Kenya are ongoing and not a one-time exercise; the ODPC expects controllers to demonstrate continuous compliance through documented policies, staff training records, and periodic reviews. The Regulations also require annual renewal of registration, making the annual cycle a natural checkpoint for reviewing and updating compliance documentation.
For media companies, the specific intersection of data protection and editorial work requires careful management: audience data used for commercial purposes such as advertising targeting is not covered by the journalistic exemption and must be processed under a separate lawful basis. This creates a structural compliance challenge for organisations that use the same data for both editorial and commercial purposes. The ODPC has indicated in published guidance that it expects media organisations to implement data governance structures that clearly separate journalistic processing from commercial processing, with separate privacy notices, lawful bases, and retention periods applying to each. Technology companies operating data marketplaces, adtech platforms, or data analytics services face the highest compliance burden under the DPA 2019, given the volume and sensitivity of data involved, and should prioritise ODPC registration, data mapping, and breach response capability as the first three implementation steps.
Need a data protection compliance review for your media or technology business? Contact Clay & Associates Advocates.
For tailored legal advice on this matter, speak with our communications and media legal services team at Clay & Associates Advocates. We advise businesses and individuals across Kenya on Communications and Media matters from our offices at Nextgen Mall, Nairobi.






