The Data Protection Act No. 24 of 2019 applies to every organisation that collects or processes personal data in Kenya, including media houses, digital publishers, technology platforms, and app developers.

The Journalistic Exemption

Section 50 of the DPA 2019 provides a qualified exemption for processing personal data for journalistic, academic, artistic, or literary purposes where publication is reasonably believed to be in the public interest. The exemption covers the right of access, the right to erasure, the right to restriction, and the right to object. It does not exempt media organisations from security obligations or from compliance in their commercial activities.

Audience and Subscriber Data

Audience data, including website analytics, email subscription lists, and app usage data, is personal data subject to the full DPA 2019. Media organisations must register with the ODPC, publish a compliant privacy policy, obtain valid consent for marketing communications, and respond to data subject requests within prescribed timelines.

Technology Platforms: Processor Obligations

Technology companies that process personal data on behalf of clients must have a written data processing agreement specifying the subject matter, duration, nature and purpose of processing, the type of data, and the obligations and rights of the controller. Processing outside controller instructions is prohibited.

Cross-Border Transfers

Transferring personal data outside Kenya requires either an adequacy determination for the recipient country or appropriate safeguards including standard contractual clauses. Technology companies using cloud infrastructure outside Kenya need a transfer compliance assessment.

Need a data protection compliance review for your media or technology business? Contact Clay & Associates Advocates. Book a Consultation