Kenya: Office of the Data Protection Commissioner adopted guidance on processing of biometric data

On 6 November 2025, the Office of the Data Protection Commissioner (ODPC) adopted a guidance note on the processing of biometric data. The guidance note, issued under the Data Protection Act, 2019, and the Data Protection (General) Regulations, 2021, sets out regulatory requirements and good practices for the lawful processing of biometric personal data across public and private sectors. It details the lawful bases for processing under Section 30 of the Act, including consent, contractual performance, legal obligation, and legitimate interest, and clarifies compliance obligations such as registration with the ODPC, duty to notify, privacy by design and default, cross-border transfer restrictions, data localisation, and data breach notification. The guidance also provides technical direction on implementing data protection principles, conducting Data Protection Impact Assessments (DPIAs), and safeguarding data subject rights such as access, rectification, erasure, and portability.