On 22 December 2023, the Office of the Data Protection Commissioner (ODPC) adopted the "Guidance Note for Digital Credit Providers" to provide clarity on data protection obligations for digital lenders under the Data Protection Act, 2019. The guidance highlights the need for digital credit providers (DCPs) to comply with data protection principles, including transparency, fairness, and lawfulness in processing personal data. It emphasises that DCPs must obtain valid consent, ensure data minimisation, and process personal data for specified legitimate purposes. The guidance further outlines the rights of data subjects, such as the right to access, rectify, and delete personal data, as well as the right to object to processing. Additionally, it offers practical steps for DCPs to ensure data security, including conducting privacy impact assessments and implementing appropriate security measures. The guidance also references relevant legislation, including the Central Bank of Kenya Amendment Act and the Digital Credit Providers Regulations 2022, to ensure compliance with the regulatory frameworks governing digital credit services.