Pursuant to section 56 of the Act, a data subject or any person aggrieved on any matter under the Act may lodge a complaint with the Data Commissioner.

The Data Commissioner shall acknowledge receipt of the complaint within seven days of receipt of the complaint under sub- regulation (1).

The complaint under sub-regulation (1) shall be lodged free of charge.

The Data Commissioner shall keep and maintain an up to date Register of Complaints.

An entry into the register of complaints shall state the particulars of the complainant and the complaint filed with the Data Commissioner.

The Data Commissioner shall protect the identity of the complainant where the request to protect the identity is sought by the complainant.

The Data Commissioner shall undertake a preliminary review of a complaint, upon receipt of the complaint by the Office.

Despite sub-regulation (2), the Data Commissioner may decline to admit a complaint where the complaint does not raise any issue under the Act.

Where a complaint is declined for admission under sub-regulation (3), the complaint may be re-admitted within six months from the date of decline, where the complaint raises new issues for determination under the Act.

A complaint under sub-regulation (5) shall be lodged in accordance with regulation 4.

The Data Commissioner shall provide the reasons for discontinuation on any of the grounds specified under sub-regulation (1)(a) or (b) and shall, in writing, notify the complainant and respondent within fourteen days from the date the decision to discontinue a complaint is made.

A complainant may, where a complaint has been discontinued pursuant to these Regulations, re-institute a complaint upon providing grounds for the restitution to the Data Commissioner.

A complaint may be withdrawn at any stage during its consideration but before a determination is made.

A complainant may, at any time during the consideration of a complaint lodged pursuant to regulation 4 and before its determination, withdraw the complaint.

An application for a withdrawal under sub-regulation (1) shall be in Form DPC 2 set out in the Schedule.

A withdrawn complaint under sub-regulation (1) may be re- lodged, within six months from the date of withdrawal of such complaint.

A complaint re-lodged under this regulation shall be processed in accordance with the provisions of this Part.

The Data Commissioner shall, with necessary modifications, apply the decision of a test complaint to all the complaints stayed under sub-regulation (1)(b).

The Data Commissioner shall, in writing, communicate to the complainants and all the parties the decision made under this regulation.

Where complaints are consolidated in accordance with this regulation, the complaint shall be treated as a single complaint and shall be determined in accordance with the provisions of these Regulations.

Proceedings before the Office shall be conducted in Kiswahili, English or Kenyan Sign Language.

The Office may ensure that a party who cannot speak, hear or understand the language of proceedings receives the services of an interpreter provided for by the Office.

Where a respondent does not take any action as contemplated under sub-regulation (1), the Data Commissioner shall proceed to determine the complaint in accordance with the Act and these Regulations.

The notice referred to under sub-regulation (1) shall specify options available to resolve a complaint including determining the complaint through alternative dispute resolution mechanisms specified in the Act and these Regulations.

Where it appears to the Data Commissioner, or by an application by either the complainant or the respondent, that it is necessary that a person becomes a party to a complaint, the Data Commissioner may order that person to be enjoined as a party.

A person who has sufficient interest in the outcome of a complaint may apply to the Office for leave to be enjoined in the proceedings prior to the hearing of the complaint.

Upon completion of the investigation, the Data Commissioner shall prepare an investigation report.

In conducting investigations under this regulation, the Data Commissioner shall be guided by the provisions of the Fair Administrative Action Act, 2015 (No. 4 of 2015)

The Data Commissioner shall, upon the conclusion of the investigations, make a determination based on the findings of the investigations.

The Data Commissioner shall within seven days from the date of such determination, communicate the decision under sub-regulation (3) to the parties, in writing.

Where the complaint is to be determined through negotiations, mediation or conciliation, the provisions of these Regulations shall apply.

Where parties to a complaint agree to negotiation, mediation or conciliation, the Data Commissioner may in consultation with the parties facilitate the process.

During the negotiations, mediation or conciliation, the Data Commissioner may apply such procedures as may, in the interest of the parties, deem appropriate in the circumstances.

At the conclusion of the negotiations, mediation or conciliation process, the parties shall sign a negotiation, mediation or conciliation agreement in the manner specified in Form DPC 5 set out in the Schedule.

A negotiation, mediation or conciliation agreement entered into under this regulation shall be deemed to be a determination of the Data Commissioner, and shall be enforceable as such.

Despite this regulation, a party to dispute who is subject to a negotiation, mediation or conciliation may withdraw from the proceedings at any stage and shall notify the Data Commissioner and other parties of such withdrawal within seven days from the date of making such a decision.

Parties to a dispute shall take all reasonable measures to amicably determine a dispute and act in good faith.

Where the complaint is not determined through negotiation, mediation or conciliation, the Data Commissioner shall proceed to determine the complaint as provided for in the Act and these Regulations.

The Data Commissioner may pursuant these Regulations or section 58 of the Act issue an enforcement notice.

An enforcement notice shall specify the consequences of failure to comply with the notice including issuance of a penalty notice as provided under section 62 (1) of the Act.

The enforcement notice shall take effect from the date of service specified under sub-regulation (1).

A person to whom an enforcement notice is given may apply in Form DPC 6 set out in the Schedule to the Data Commissioner for a review of the enforcement notice.

The Data Commissioner shall, where any of the circumstances specified under section 62 of the Act and these Regulations arises, issue a penalty notice for each breach identified in the enforcement notice.

The administrative fine levied under sub-regulation (2)(c) shall consider each individual case and have due regard to factors or reasons outlined under section 62 (2) of the Act.

A penalty notice may impose a daily fine of not more than ten thousand shillings for each breach identified until the breach is rectified.

The daily fine imposed under sub regulation (4) shall be managed in accordance with section 67 of the Act and the Public Finance Management Act, 2012.

A civil registration entity shall seek consent from a data subject for processing of personal data at the time the personal data is collected.

A civil registration entity shall obtain the consent in physical or electronic form.

Consent shall be given either orally or in writing and may include a handwritten signature, an oral statement, or use of an electronic medium to signify agreement.

A civil registration entity shall not presume that a data subject has given consent on the basis that the data subject did not object to a proposal to handle personal data in a particular manner.

Consent shall not be implied, where the intention of the data subject is ambiguous or there is reasonable doubt as to the intention of the data subject.

Subject to section 32(2) and (3) of the Act, the data subject shall be informed of the implications of providing, withholding or withdrawing consent by the civil registration entity.

Where a civil registration entity intends to use personal data for a new purpose, it shall ensure that the new purpose is compatible with the initial purpose.

Where the new purpose is not compatible with the initial purpose, the civil registration entity shall seek fresh consent from the data subject.

Subject to section 32(2) and (3) of the Act, the data subject shall be informed of the implications of providing, withholding or withdrawing consent for the new purpose by the civil registration entity.

A data subject may request a civil registration entity to restrict the processing of their personal data, pursuant to section 34 of the Act.

A request envisaged under paragraph (1) shall be in Form 1 set out in the First Schedule.

Where a civil registration entity declines to comply with a request for restriction in processing, it shall within seven days notify the data subject of such decline giving reasons for the decision.

Where the application for restriction in limitation of processing of the data is declined, the data subject may appeal to the Data Commissioner.

A data subject shall make a request to access their personal data in Form 2 set out in the First Schedule.

Pursuant to section 40 of the Act, a data subject may request a civil registration entity to rectify their personal data, which is inaccurate, outdated, incomplete or misleading.

A request for rectification envisaged under paragraph (1) shall be made in Form 1 set out in the First Schedule.

An application for rectification of personal data shall be supported by the necessary documents, relevant to the rectification being sought.

A civil registration entity shall within thirty days rectify an entry of personal data in the database where the civil registration entity is satisfied that a rectification is necessary.

A civil registration entity shall in writing notify the data subject of its objection to rectify the personal data where such data is required as envisaged under section 40 (3) and provide reasons thereto.

Where rectification of personal data has been denied by the civil registration entity, the data subject may lodge a complaint with the Data Commissioner where dissatisfied with the decision.

In case of any change in personal data in possession of the civil registration entity, the data subject shall notify the civil registration entity to update their personal data.

Subject to section 27 of the Act, where a person duly authorized by the data subject seeks to exercise the rights of a data subject on their behalf, the person exercising that right shall take into consideration the best interests of the data subject.

Where there is doubt as to the existence of a relationship between the duly authorized person and the data subject, the civil registration entity shall halt the request of exercising a right on behalf of the data subject until evidence to the contrary is adduced.

The information given by the civil registration entity pursuant to section 29 of the Act shall be simple, clear and in an understandable language.

In giving the information envisaged under paragraph (1), a civil registration entity may use physical or electronic formats, verbal means or any other technology.

A civil registration entity shall retain processed personal data in perpetuity and in accordance with the enabling written laws.

Where a civil registration entity processes personal data for a specific reason and does not require retention of the personal data in perpetuity, personal data shall be deleted, anonymised or pseudonymised.

A civil registration entity shall formulate administrative mechanisms that describe the categories of personal data that shall be deleted, erased, anonymised or pseudonymised.

Pursuant to section 43 of the Act, a civil registration entity shall in writing notify the Data Commissioner and communicate to the data subject of breach to personal data.

Where a data subject suspects that their personal data has been breached, the data subject may, within fourteen days from the date of such suspicion, notify the respective civil registration entity and the Data Commissioner of such personal data breach in writing.

The provisions of regulation 23 shall apply to this regulation with necessary modifications.

Where a data protection impact assessment may be required in accordance with section 31 of the Act, a civil registration entity shall conduct the data protection impact assessment guided by Form 1 set out in the Second Schedule.

The data impact assessment report prepared pursuant to paragraph (1) shall, with the approval of the Data Commissioner, be published in the manner determined by the Data Commissioner.

Subject to section 25 of the Act, a civil registration entity may make personal data collected by it, available to a public agency, upon request.

Where a data subject is aggrieved by the processing of their personal data, the data subject may lodge a complaint with the civil registration entity.

A complaint made under paragraph (1) may be made orally or in writing.

A civil registration entity shall reduce an oral complaint into writing and shall be executed by the complainant.

The civil registration entity shall investigate the complaint and notify the data subject of the investigation outcome in writing within seven days from the date of completion of the investigation and any action taken where the complaint has been upheld.

The civil registration entity shall inform the data subject of the right to appeal to the Data Commissioner, where the data subject is dissatisfied with the decision of the civil registration entity.

A civil registration entity shall embed data privacy features directly into the design of the database to ensure protection of personal data.

A civil registration entity shall formulate a written data security procedure for its entity.

The civil registration entity shall, on an annual basis, assess the need to update the security procedure.

A civil registration entity that controls several databases may develop a data security procedure in accordance with these Regulations in a single document that concerns all databases it controls.

The up-to-date database structure document and inventory shall be secured in such a manner that only authorized users who require them for the performance of their role shall be provided access.

The civil registration entity shall be responsible to conduct a data security risk assessment.

The risk assessment specified under paragraph 4(a) shall carried out on a periodical basis.

The civil registration entity is responsible to conduct, at least once every eighteen months, access tests to the database systems in order to test their vulnerability to external and internal threats.

The civil registration entity shall consider the results of the access tests and amend the faults found, if any.

A civil registration entity shall ensure that the database and database systems are maintained in a secure place, preventing unauthorized access, and which is suitable to the nature of the database activity and the sensitivity of information therein.

A civil registration entity shall take measures to monitor and document the entry to and exit from sites in which the database or database systems are located, including the setting and removing of equipment in and from the database systems.

A civil registration entity shall not grant access to information stored in the database and shall not change the scope of authorization granted, unless the civil registration entity has undertaken reasonable measures, to screen and place authorized officers, to ensure that the unauthorized user is not granted access to the personal data stored in the database.

The measures specified under paragraph (1) shall be taken in accordance with the sensitivity of the information in the database and the scope of access permissions attached to the role proposed to the relevant person.

Prior to authorized officers gaining access to the database or before a change in the scope of their authorizations, the civil registration entity shall train authorized officer on the obligations embodied in the Act and these Regulations.

A civil registration entity shall determine access permission of authorized users to the database and database systems in accordance with the authorized officer’s responsibilities.

Access permission shall be granted to the extent required for performing the role.

A civil registration entity shall keep an up-to-date record of authorized user’s roles, user permission granted to these roles and the authorized users performing such roles.

Immediately following the termination of an authorized user’s role, a civil registration entity shall revoke the permission of an authorized user who has ceased working in their role, and change the passwords to the database and database systems to which the authorized user could have known.

A civil registration entity shall document cases in which a data security incident was discovered, raising concern regarding a breach of personal data integrity, unauthorized use thereof or deviation from authorization.

The documentation specified under paragraph (1) shall, as far as is practicable, be stored in electronic form.

A civil registration entity shall not connect the database systems to the internet or to another public network without installing the appropriate safeguards against unauthorized access or against software that may damage or disrupt computers or computer material.

The transfer of personal data from the database through a public network or the internet shall be conducted by commonly used encryption methods.

The civil registration entity shall conduct, at least once in twenty-four months, an internal or external audit by an auditor adequately trained in the field of data security who is not the civil registration entity’s data protection officer, in order to ensure it complies with the provisions of the Act and these Regulations.

The auditor shall report on the adherence of the security measures to the data security procedure and to these Regulations, identify shortcomings and recommend the necessary measures to correct the situation.

A civil registration entity shall review the audit reports specified under sub-regulation (2) and assess the need to update the database definitions document or the data security procedure, accordingly.

A civil registration entity that controls several databases may comply with the duty prescribed in this regulation by performing a single audit for all the databases it controls.

The civil registration entity shall retain the backup copy of the data and of the security procedures in a manner that ensures the integrity of the personal data and the ability to restore the information in case of loss or destruction.

In documenting security incidents pursuant to regulation 34, data restoring processes shall also be documented, including the identity of the person who performed the data restoration and the details of the personal data restored.

A civil registration entity shall not transfer personal data collected for civil registration purposes out of Kenya, except with the written approval of the Data Commissioner.

A person who contravenes Paragraph (1) shall, on conviction, be liable to a penalty specified under section 73 of the Act.

The external service provider shall report to the civil registration entity, at least quarterly, the manner the obligations by these Regulations and the agreement are implemented, as well as to notify the civil registration entity any security incident.

The civil registration entity shall take measures to monitor and supervise the compliance of the external service provider with the provisions of the agreement and these Regulations, as appropriate, taking into account any risks.

A civil registration entity that controls several databases and enters into an agreement with an external service provider that includes access to the databases by the external service provider, may enter into a single agreement concerning all databases.

The information under sub-regulation (1) may be presented to the data subject through a written notice, oral statement, audio or video message.

Where the data subject withdraws consent to any part of the processing, the data controller or data processor shall restrict the part of the processing in respect of which consent is withdrawn, subject to section 34 of the Act.

A data controller or data processor may process data without consent of a data subject if the processing is necessary for any reason set out in section 30(1) (b) of the Act.

Processing under sub-regulation (1) shall only rely on one legal basis for processing at a time, which shall be established before the processing.

Where a data controller or data processor collects personal data indirectly, the data controller or data processor shall within fourteen days inform the data subject of the collection.

Where a data controller or data processor intends to use personal data for a new purpose, the data controller or data processor shall ensure that the new purpose is compatible with the initial purpose for which the personal data was collected.

Where the new purpose is not compatible with the initial purpose, a data controller or data processor shall seek fresh consent from the data subject in accordance with regulation 4.

A request for restriction to processing of personal data on any of the grounds provided under section 34 of the Act may be made in Form DPG 1 set out in the First Schedule.

A data controller or data processor may decline to comply with a request for restriction in processing, where such request is manifestly unfounded or excessive.

Where a data controller or data processor declines a request on any of the grounds provided under section 34(2) of the Act, the data controller or data processor shall within fourteen days of the refusal, notify the data subject of the refusal, in writing, and shall provide the reasons for the decision.

A data controller or data processor shall not process personal data that has been restricted, except to store the personal data, in accordance with section 34(2)(a) of the Act.

Pursuant to section 36 of the Act, a data subject may request a data controller or data processor not to process all or part of their personal data, for a specified purpose or in a specified manner.

A request to object the processing may be made in Form DPG 1 set out in the First schedule.

A data controller or data processor shall, without charging any fee, comply with a request for objection under sub-regulation (2) within fourteen days of the request.

The right to object to processing applies as an absolute right where the processing is for direct marketing purposes which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall not be processed for such purposes.

A data subject may request to access their personal data in Form DPG 2 set out in the First Schedule.

A data controller or a data processor shall comply with a request by a data subject to access their personal data within seven days of the of the request.

Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

Compliance with a request for access to personal data shall be free of charge.

Pursuant to section 40 of the Act, a data subject may request a data controller or data processor to rectify their personal data, which is untrue, inaccurate, outdated, incomplete or misleading.

A request for rectification may be made in Form DPG 3 set out in the First Schedule.

An application for rectification of personal data may be supported by such documents as may be relevant to the rectification sought.

A data controller or data processor shall within fourteen days of the request, rectify an entry of personal data in the database where the data controller or data processor is satisfied that a rectification is necessary.

Where a request for rectification is declined, a data controller or data processor shall, in writing, notify a data subject of that refusal within seven days and shall provide reasons for refusal.

A request for rectification shall made free of charge.

Pursuant to section 38 of the Act, a data subject may apply to port or copy their personal data from one data controller or data processor to another.

A request for data portability may be made in Form DPG 4set out in the First Schedule.

A data controller or data processor shall within thirty days of the request and upon payment of the prescribed fees port personal data to the data subject’s choice of recipient.

Where fee is charged under sub-regulation (2), the fee shall be reasonable and not exceed the cost incurred to actualize the request.

A data controller or data processor who receives personal data that has been ported shall, with respect to such data, comply with the requirement of the Act and these Regulations.

Where a data controller or data processor declines the portability request, a data controller or data processor shall, within seven days, notify the data subject of the decline and the reasons for such decline in writing.

The exercise of the right to data portability by a data subject shall not negate the rights of a data subject provided under the Act.

A data subject may request for erasure of their personal data held by a data controller or data processor in Form DPG5 set out in the First Schedule.

A data controller or data processor shall respond to a request for erasure under sub-regulation (2) within fourteen days of the request.

A request for erasure shall be free of charge.

Subject to section 27 of the Act, where a person duly authorised by a data subject seeks to exercise the rights on their behalf, the data controller or data processor shall act in the best interests of the data subject.

Where a data controller or a data processor is uncertain as to the existence of a relationship between the duly authorised person and the data subject, the data controller or data processor may restrict the request of exercising a right on behalf of the data subject until evidence to the contrary is adduced.

For the purposes of section 37 (1) of the Act, a data controller or data processor shall be considered to use personal data for commercial purposes where personal data of a data subject is used to advance commercial or economic interests, including inducing another person to buy, rent, lease, join, subscribe to, provide or exchange products, property, information or services, or enabling or effecting, directly or indirectly, a commercial transaction.

Marketing is not direct where personal data is not used or disclosed to identify or target particular recipients.

A data controller or data processor shall not transmit, for the purposes of direct marketing, messages by any means unless the data controller or data processor indicates particulars to which a data subject may send a request to restrict such communications without incurring charges.

A data controller or data processor who uses personal data for commercial purposes without the consent of the data subject commits an offence and is liable, on conviction, to a fine not exceeding twenty thousand shillings or to a term of imprisonment not exceeding six months, or to both fine and imprisonment.

Where a data subject has opted out, a data controller or data processor shall not use or disclose their personal data for the purpose of direct marketing, in accordance with the data subject’s request.

In communicating with a data subject on direct marketing, a data controller or data processor shall include a statement which is prominently displayed, or otherwise draws the attention of the data subject to the fact that the data subject may make an opt out request.

A data controller or a data processor may use an opt out mechanism that provides a data subject with the opportunity to indicate their direct marketing communication preferences, including the extent to which they wish to opt out.

Despite sub-regulation (3), a data controller or data processor shall provide a data subject with an option to opt out of all future direct marketing communications as one of outlined preferences.

A data subject may request a data controller or data processor to restrict use or disclosure of their personal data, to a third party, for the purpose of facilitating direct marketing.

No fee shall be charged to a data subject for making or giving effect to a request under this Part.

A data controller or data processor shall restrict use or disclosure of personal data for the purpose of facilitating direct marketing by a third party within seven days of the request.

Pursuant to section 39 of the Act, a data controller or data processor shall retain personal data processed for a lawful purpose, for as long as may be reasonably necessary for the purpose for which the personal data is processed.

A data controller or data processor shall establish appropriate time limits for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes.

The personal data storage limitation period and data retention schedule outlined under paragraph (2)(a) may be included as part of the policy envisaged in regulation 23.

A data controller or data processor may accede to the request where satisfied that the request is based on any of the reasons specified under sub-regulation (1) and where the request is in the best interests of the data subject.

Subject to section 25 of the Act, a data controller or data processor may share or exchange personal data collected, upon request, by another data controller, data processor, third party or a data subject.

A data controller or data processor shall determine the purpose and means of sharing personal data from one data controller or data processor to another.

In carrying out any routine data sharing as contemplated under paragraph (3)(f), a data controller shall enter into agreements prior to data sharing.

For the avoidance of doubt, the sharing of data within the organizational structures of a data controller or data processor is not considered as a data sharing.

In this regulation—

“an automated individual decision-making” means a decision made by automated means without any human involvement.

A data controller or data processor shall develop, publish and regularly update a policy reflecting their personal data handling practices.

Subject to section 42(2)(b) of the Act, a data controller shall engage a data processor, through a written contract.

A data processor shall not engage the services of a third party without the prior authorisation of the data controller.

Where authorisation is given, the data processor shall enter into a contract with the third party.

The contract contemplated under sub-regulation (1) shall include such particulars as provided for under sub-regulation 24(2).

A data processor shall remain liable to the data controller for the compliance of any third party that they engage.