The Office of the Data Protection Commissioner (ODPC) has progressively increased its enforcement activities since becoming operational in 2020. Businesses and individuals that receive an ODPC enforcement notice, investigation letter, or access order now face significant legal and financial exposure: fines of up to KES 5 million per violation under the Data Protection Act 2019 (DPA) for corporates, and up to KES 3 million or two years imprisonment for individuals. Understanding how to respond effectively to ODPC enforcement action, what rights the investigated party has, and how legal representation can protect the data controller’s position is essential for any business operating in Kenya’s digital economy.
The ODPC’s Enforcement Powers Under the DPA 2019
The Data Protection Act 2019 grants the ODPC extensive enforcement powers. The Commissioner may: receive and investigate complaints from data subjects; conduct investigations on the Commissioner’s own motion; issue enforcement notices requiring a data controller or processor to take specified remedial action; issue assessment notices requiring a data controller to permit an inspection of their data processing operations; issue stop processing notices temporarily or permanently prohibiting specific processing activities; and impose administrative fines. Criminal prosecutions under the DPA may also be referred to the Director of Public Prosecutions. The ODPC’s powers have been tested and confirmed in several published decisions and enforcement actions since 2021.
Common Triggers for ODPC Enforcement Action
ODPC enforcement actions are typically triggered by: a data subject complaint alleging unlawful processing, breach of data subject rights, or a data breach notification failure; a complaint from a competitor about unlawful data practices; a data breach report filed by the data controller that reveals systemic compliance failures; an ODPC-initiated investigation into a specific sector or category of data processing; or a media report about data misuse. For businesses, the most common enforcement triggers are failure to register as a data controller, unlawful processing of sensitive personal data without explicit consent, failure to honour data subject access requests within the prescribed timeframe, and inadequate data breach notification.
Receiving an ODPC Investigation Letter
An ODPC investigation typically begins with a written notice to the data controller or processor informing them that an investigation has been initiated, identifying the complainant (or indicating that the investigation is own-motion), and requiring the data controller to provide information, documents, or responses within a specified timeframe. The initial response to this letter is critically important. The data controller’s response sets the factual and legal framework for the entire investigation. An inadequate, incomplete, or legally unsophisticated response can significantly worsen the outcome of the investigation.
Rights During the Investigation
A data controller under investigation has the right to: be informed of the specific breach alleged; respond to the allegations with evidence and submissions; engage legal representation throughout the process; challenge findings through the internal reconsideration process; and appeal enforcement decisions to the High Court under section 62 of the DPA. These rights are important protections and must be actively exercised. A data controller that fails to engage substantively with the investigation process may have enforcement action taken against them on the basis of an incomplete factual record.
Responding to an ODPC Enforcement Notice
An enforcement notice typically requires the data controller to: stop processing in a specified way; implement specified technical or organisational security measures; delete or return specified data; provide a specified notification to affected data subjects; or appoint a Data Protection Officer where required. The data controller has 21 days (or such other period as specified) to comply with an enforcement notice or to apply to the ODPC for a variation of the notice on grounds that compliance is technically or commercially impracticable or that the notice is legally incorrect. Where the data controller believes the enforcement notice is wrong in fact or law, a formal objection must be filed within the prescribed period.
ODPC Fines and Mitigation Factors
When determining the fine for a DPA violation, the ODPC considers factors including: the nature, gravity, and duration of the infringement; the number of data subjects affected; the degree of responsibility of the data controller; the degree of cooperation with the investigation; any previous infringements; and the financial position of the data controller. Demonstrating proactive remediation steps, cooperation with the investigation, and implementation of improved compliance measures can significantly mitigate the fine imposed. The maximum fine is KES 5 million per violation for corporates and KES 3 million or imprisonment for individuals.
Appeals Against ODPC Decisions
A data controller dissatisfied with an ODPC enforcement decision may appeal to the High Court under section 62 of the DPA 2019. The appeal must be filed within 30 days of the ODPC decision. The High Court reviews the ODPC decision and may confirm, vary, or reverse it. Legal representation is strongly advised for ODPC appeals given the technical nature of data protection law and the complexity of administrative law appeals.
Proactive Compliance to Avoid Enforcement
The most effective defence against ODPC enforcement is a proactive data protection compliance programme that reduces the likelihood of a breach or violation occurring in the first place. This includes: ODPC registration as a data controller; a DPA 2019-compliant privacy policy; data subject rights management procedures; a data breach response protocol; and regular staff training on data protection obligations. A well-documented compliance programme also provides evidence of good faith that mitigates fines if enforcement action is taken.
Our regulatory compliance practice represents data controllers in ODPC investigations, drafts formal responses to enforcement notices, and advises on ODPC appeal strategy. For proactive data protection compliance, we offer a fixed-fee ODPC registration and privacy policy package. See also our guide on the Data Protection Act 2019 Kenya. The ODPC website at odpc.go.ke provides information on the investigation and enforcement process.
Cross-Border Data Transfer Restrictions Under the DPA 2019
Section 48 of the Data Protection Act 2019 prohibits the transfer of personal data from Kenya to a recipient country unless that country provides an adequate level of data protection comparable to Kenyan standards, the data subject has given explicit consent to the transfer, the transfer is necessary for the performance of a contract with the data subject, or the transfer is made subject to appropriate safeguards including standard contractual clauses approved by the ODPC. In practice, cloud service providers, multinational companies with centralised data processing facilities, and businesses using offshore customer support operations must assess whether their cross-border data flows comply with section 48. The ODPC has not yet published a list of countries deemed to have adequate protection, which creates uncertainty and means that most cross-border transfers must rely on consent or standard contractual clauses. Legal advice on cross-border transfer compliance should be sought before deploying any system that routes Kenyan personal data to servers outside Kenya.
Data Breach Notification Requirements
Section 43 of the DPA 2019 requires a data controller to notify the ODPC of a data breach within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of data subjects. If the breach is likely to result in a high risk to data subjects (such as where sensitive personal data including health information, financial data, or identity documents has been compromised), the data controller must also notify affected data subjects without undue delay. The 72-hour notification timeline requires data controllers to have a data breach response plan in place before a breach occurs. Key elements of a breach response plan include: a data breach incident register; designated persons responsible for breach assessment; a template ODPC notification; and pre-approved communications to affected data subjects. For data protection compliance including breach response planning, our team advises data controllers at all stages of their data protection programme.