GDPR’s Impact on Kenya – Ong’anya Ombo Advocates

GDPR: Introduction

The European Union (the “EU”) enhanced its Data Laws when it passed the General Data Procedure Rules (the “GDPR”) on May 25, 2016. The GDPR came into effect on May 25, 2018, thus, there was a transition period of two years.

Other than the GDPR addressing the loopholes that existed. The GDPR is in place to address current and future activities that fall under Data Protection.

The GDPR addresses the collecting, recording, organising, storing, using, disclosing, and disseminating of Data.

Why is GDPR Relevant to Kenya or African based entities?

Unlike before, the GDPR applies to all entities that have a presence in the EU, and that does not matter whether it is accessed in one EU State or by a handful people in the EU or one EU State.

Therefore, if any entity that is outside the EU has a presence in the EU and collects whatsoever form of Data from the members of the EU, then it is prudent that the company should set measures that are in line with the GDPR.

How does one establish a presence?

The GDPR is influenced by two significant cases that were decided by the Court of Justice of the European Union (the “CJEU”).  In C-131/12 (the “Google Case”) and C-230/14 (the “Weltimmo Case”) the concept of establishment of presence was addressed in broad terms whereby in the Google Case it addressed the physical establishment while in the Weltimmo Case it addressed the virtual establishment.

Therefore, if one has a company or its subsidiary in the EU, the entity needs to comply with the GDPR, while if its online presence penetrates to EU Citizens, the operations of the website,

inclusive of the company owning it, must comply with the GDPR.

Classification of Data?

The GDPR classifies Data into two general categories that ought to be observed by entities that collect or process such data from the EU Citizens. Under the GDPR, there are two classes of Personal Data: Identifier Personal Data, and Sensitive Personal Data. The information in those groups is treated with different magnitude, based on the GDPR.

Does this obligation end with the entity having a presence in the EU?

The entity having presence in the EU will need to vet its vendors or service providers if they are compliant with the GDPR. For instance, if a Kenyan company collects data from France but the Data is stored in a separate entity established in South Africa, it will be important for the Kenyan entity to make sure that the Data handlers are compliant with the GDPR.

Who is a Data Processing Officer (the “DPO”)?

Depending on the operations of the entity, it might be imperative that the entity appoints someone in the EU as its DPO who will be in charge of effecting the purpose of the GDPR.

Are there penalties for Non-Compliance?

The GDPR provides for penalties for non-compliance with the GDPR. These penalties fall under the Criminal and Civil category, and in certain instances will take effect as a violation of Human Rights.

Contact us: or +254703672515