Kenya: Office of the Data Protection Commissioner closes consultation on draft guidance on cross border data transfer

On 15 May 2026, the Office of the Data Protection Commissioner (ODPC) closes the consultation on draft guidance on cross-border data transfers. The draft applies to all entities that handle personal data in Kenya and transfer or intend to transfer such data outside the country under the Data Protection Act, No. 24 of 2019, and the Data Protection (General) Regulations, 2021. The draft sets out four legal bases for cross-border transfers. These include appropriate safeguards such as the African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), reciprocal data protection agreements, or binding corporate rules. It also includes adequacy decisions issued by the Data Commissioner, transfers that are necessary for specific purposes such as contractual performance, legal claims, legitimate interests, vital interests, or public interest, and transfers based on the data subject’s consent. The guidance also addresses conditions for onward transfers, data localisation requirements under Section 50 for personal data processed in relation to the strategic interests of the state, and data subject rights. It further outlines heightened obligations for sensitive personal data under Section 49(1), as well as requirements related to transfer agreements, data protection impact assessments, and documentation under Regulation 41(2). In addition, it covers obligations relating to cloud storage, including service and deployment models and applicable security measures.