The purpose of the Act is to give effect to Article 31(c) and (d) of the Constitution that contains the right to privacy which is a fundamental human right. Data protection is the process of safeguarding personal information, in accordance with a set of principles laid down by law.
The Data Protection Bill which has been a subject of discussion for a number of years was passed into law on 8th November 2019. There has been an increase in the adoption and implementation of data protection laws and frameworks by countries at large.
The Data Protection Act 2019, has in many ways drawn from the General Data Protection Regulation of Europe.
The frameworks and laws have developed mainly in response to technological advances which increase the collection, holding and dissemination of personal information as well as surveillance of people.
The Act is extremely broad based and covers all persons and entities who deal with or store data.
|personal data||information relating to an identified or identifiable
natural person this being a “data subject”
|data controller||a natural or legal person, public authority, agency or
other body which, alone or jointly with others, determines
the purpose and means of processing of personal data
|data processor||a natural or legal person, public authority, agency
or other body which processes personal data on behalf of the
|sensitive personal data||data revealing the natural person's race, health
status, ethnic social origin, conscience, belief, genetic data,
biometric data, property details, marital status, family details
including names of the person's children, parents, spouse
or spouses, sex or the sexual orientation of the
The Act provides that every data controller or data processor shall ensure that personal data is:-
As a rule, a data controller or data processor ought to collect personal data directly from the data subject.
Notwithstanding the general rule on collection of data directly, the Act provides that personal data may be collected indirectly where the-
Before collecting personal data, in so far as practicable, data controllers or data processors are required to inform the data subject of -
The Act imposes stringent conditions for processing of sensitive personal data which is distinguished from personal data.
The burden of proof for establishing a data subject's consent to the processing of their personal data for a specified purpose is borne by a data controller or data processor.
The Act provides that a data controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purpose for which such data has been collected or a data processor who, without lawful excuse, discloses personal data processed by the data processor without the prior authority of the data controller, commits an offence under the Act.
Section 26 of the Act provides that a data subject has a right to-
Further, a data subject shall have the right to withdraw consent at any time. However, the such withdrawal of consent shall not affect the lawfulness of processing based on prior consent before its withdrawal.
A right conferred on a data subject may be exercised-
Data controllers or data processors are prohibited from processing personal data relating to a child except where consent is given by the child's parent or guardian and the processing is in such a manner that protects and advances the rights and best interests of the child.
Data controllers or data processors shall be required to incorporate appropriate mechanisms for age verification and consent in order to process personal data of a child, determined on the basis of-
The processing of personal data is exempt from the provisions of the Act if the same is necessary for national security or its disclosure is required under any written law or an order of the court or for the prevention or detection of a crime.
Further, the Act prohibits cross-border transfer of personal data, except where there is proof of adequate data protection safeguards or consent from the data subject.
It is essential for data controllers or processors to familiarise themselves with the provisions of the Act and to develop policies and systems that are compliant with the requirements of the Act.
Many organisations will require a Data Protection Officer whose main function will be to ensure compliance with the Act, failure to which organisations may be exposed to hefty fines.
Data controllers and processors are required to process data lawfully whilst minimise its collection and ensuring that there are sufficient safeguards in place to protect personal data.
Should you have any queries or need any clarifications with respect to data protection matters, please do not hesitate to contact Vikram C. Kanji or Ruby Njenga at A.B. Patel & Patel LLP.
The contents of this publication are for reference purposes only. They do not constitute legal advice and should not be relied upon. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
Updates & Publications