Kenya: Implemented Data Protection (General) Regulations including cross-border data transfer regulation

On 14 February 2022, the Data Protection (General) Regulations, 2021 entered into force. According to the regulations, transfers must be based on appropriate safeguards, an adequacy decision by the Data Commissioner, necessity, or explicit consent from the data subject. All transfers must be documented, including details such as the date, recipient, and justification. Certain countries or territories are recognised as having adequate data protection safeguards, simplifying transfers to these locations. For necessity-based transfers, controllers must ensure the transfer is strictly necessary and does not override fundamental rights. Subsequent transfers require authorisation from the transferring entity or a competent authority, ensuring personal data remains secure and compliant with Kenyan standards during cross-border transfers.