File a Complaint

Abstract

The Office of the Data Protection Commissioner (ODPC) in Kenya serves as the primary regulatory body for enforcing the Data Protection Act, 2019. This article outlines the critical mechanism available to data subjects for filing complaints regarding infringements of their data privacy rights. It details the procedural steps, required information, and the ODPC's powers of investigation and enforcement, including the issuance of penalty notices and administrative fines. For legal practitioners, understanding this complaint framework is essential for advising clients, whether data subjects seeking redress or data controllers/processors striving for compliance in Kenya's evolving data protection landscape.

Introduction

Kenya's digital economy continues to expand, making the protection of personal data an increasingly critical concern. In response, the Data Protection Act, 2019 (the "DPA") was enacted, establishing a robust legal framework for safeguarding individual privacy rights. Central to this framework is the Office of the Data Protection Commissioner (ODPC), the independent regulatory body tasked with overseeing the implementation and enforcement of the DPA.

The ODPC's mandate includes receiving and investigating complaints from data subjects who believe their data privacy rights have been infringed. This complaint mechanism is a cornerstone of the DPA's enforcement, providing individuals with an accessible avenue for redress. For legal professionals, navigating this process is paramount, both in assisting aggrieved data subjects and in advising data controllers and processors on their compliance obligations to avoid enforcement actions.

This article delves into the specifics of filing a complaint with the ODPC, outlining the statutory and regulatory basis, the procedural requirements, the ODPC's investigative powers, and the potential outcomes, including recent enforcement trends. It aims to equip practitioners with a comprehensive understanding of this vital aspect of data protection in Kenya.

Background

The foundation of data protection in Kenya is enshrined in Article 31(c) and (d) of the Constitution of Kenya, 2010, which guarantees the right to privacy, including the right not to have information relating to one's family or private affairs unnecessarily revealed.

The Data Protection Act, 2019, operationalizes these constitutional provisions, establishing principles for processing personal data, defining the rights of data subjects, and outlining the obligations of data controllers and processors. Key definitions under Section 2 of the DPA include "personal data" (any information about an identified or identifiable natural person), "data controller" (a person who determines the purpose and means of processing personal data), and "data processor" (a person who processes personal data on behalf of a data controller).

Section 25 of the DPA sets out fundamental data protection principles, requiring personal data to be processed lawfully, fairly, and transparently; collected for specified, explicit, and legitimate purposes; adequate, relevant, and limited to what is necessary; accurate and kept up to date; retained no longer than necessary; and processed securely.

The DPA also established the Office of the Data Protection Commissioner (ODPC) under Section 8, mandating it to oversee, implement, and enforce the Act, maintain a register of data controllers and processors, and investigate complaints. Further procedural clarity is provided by the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 (the "Complaints Regulations"), which detail the mechanisms for lodging, admitting, investigating, and resolving complaints.

Analysis

Data subjects in Kenya are afforded several fundamental rights under the DPA, which form the basis for complaints to the ODPC. These include the right to be informed about data use (Section 26), the right of access to their data (Section 27), the right to object to processing (Section 28), the right to correction of inaccurate data (Section 31), the right to erasure (Section 33), and the right to data portability (Section 38).

An aggrieved data subject, or a person acting on their behalf, may lodge a complaint with the ODPC orally, electronically, or by any other appropriate means. The complaint must include particulars of the complainant and the respondent, a detailed description of the alleged violation, the actual or potential harm caused, and the remedy sought, along with any supporting documents. Crucially, lodging a complaint with the ODPC is free of charge. Upon receipt, the ODPC acknowledges the complaint within seven days, registers it, and conducts a preliminary screening to determine if further action is warranted.

The ODPC's investigative powers are extensive, akin to those of a quasi-judicial entity. It can issue summons, examine persons under oath, request disclosure of evidence, and obtain court warrants for search and seizure of relevant material. Investigations are typically concluded within ninety days. Outcomes can range from discontinuation if the complaint lacks merit or the complainant fails to cooperate, to facilitating negotiation, mediation, or conciliation between parties.

Where non-compliance is established, the ODPC may issue an enforcement notice, directing the data controller or processor to remedy the breach within a specified period. Failure to comply with an enforcement notice can lead to a penalty notice, imposing administrative fines. The DPA stipulates significant penalties, including fines of up to KES 5 million or one percent of an organization's annual turnover (whichever is lower), or imprisonment for certain offenses. The ODPC has demonstrated its commitment to enforcement, issuing penalty notices to various entities. For instance, in 2023, Mulla Pride Ltd was fined KES 2,975,000 for using third-party contact information without consent, Casa Vera Lounge KES 1,850,000 for posting a reveler's image without consent, and Roma School KES 4,550,000 for publishing minors' images without parental consent. Other notable fines include KES 5,000,000 each against Whitepath Limited and Regus Kenya for various breaches.

It is important for practitioners to note the High Court's affirmation of the ODPC's jurisdiction as the first port of call for data protection complaints. In *Arunda v. Office of the Data Protection Commissioner & Another; Data Privacy and Governance Society of Kenya (Interested Party)* (2025) KEHC 12262, the High Court held that data subjects must first exhaust the remedies available through the ODPC before resorting to the courts, unless the statutory remedy is inadequate or ineffective. Decisions by the ODPC are administrative and can be appealed to the High Court under Section 64 of the DPA.

Conclusion

The complaint mechanism administered by the Office of the Data Protection Commissioner is a cornerstone of Kenya's data protection framework, providing a vital avenue for data subjects to enforce their rights and for the ODPC to ensure compliance with the Data Protection Act, 2019. The ODPC's increasing activity in investigations and the issuance of penalty notices underscores its commitment to robust enforcement, signaling a maturing regulatory environment for data privacy in Kenya.

Legal practitioners must therefore be well-versed in the intricacies of the ODPC's complaint handling procedures. For data subjects, this means diligently preparing complaints with comprehensive details and supporting evidence. For data controllers and processors, it necessitates proactive compliance with the DPA and its Regulations, including implementing robust data protection policies, ensuring lawful data processing, and responding promptly and transparently to any complaints or ODPC inquiries to mitigate legal and reputational risks. The *Arunda v. ODPC* decision further solidifies the ODPC's role as the primary forum for resolving data privacy disputes, making engagement with the Commissioner's office an indispensable first step.

Citations

  1. The Constitution of Kenya, 2010
  2. Data Protection Act, 2019 (No. 24 of 2019)
  3. Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021
  4. Office of the Data Protection Commissioner (ODPC) Official Website: File a Complaint, https://www.odpc.go.ke/file-a-complaint/
  5. Office of the Data Protection Commissioner (ODPC) Official Website: What We Do, https://www.odpc.go.ke/what-we-do/
  6. Office of the Data Protection Commissioner (ODPC) Official Website: Who We Are, https://www.odpc.go.ke/about-us/who-we-are/
  7. Office of the Data Protection Commissioner (ODPC) Press Release, "ODPC Issues Three Penalty Notices Totalling to Kenya Shillings 9, 375000" (26 September 2023)
  8. MasiboLaw LLP, "How to file a Complaint with the Data Commissioner in Kenya" (17 September 2024)
  9. Bowmans, "Kenya: Data Protection - Let's Talk Compliance, Enforcement and Penalties" (19 November 2022)
  10. ALN (Africa), "Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021" (25 February 2022)
  11. ALN (Africa), "ODPC Fines Whitepath, Regus Kenya KES 10 Million for Data Breach" (20 April 2023)
  12. Lawyers Hub, "REMEDIES FOR INFRINGEMENT OF THE DATA PROTECTION ACT 2019: Understanding Penalty Notices, Enforcement Notices, and Administrative Fines"
  13. AB & David Africa, "High Court Affirms Extent of ODPC's Powers and Jurisdiction" (13 November 2025)
  14. Arunda v. Office of the Data Protection Commissioner & Another; Data Privacy and Governance Society of Kenya (Interested Party) (2025) KEHC 12262
  15. Sentinel Africa, "Compliance with the Data Protection Act Kenya" (04 November 2024)
  16. Sentinel Africa, "Personal Data Protection: How Should You Handle It?" (07 November 2024)
  17. ELGIA, "Data Protection Act 2019" (03 March 2026)
  18. Katiba Institute, "Your Privacy Matters: Data Privacy Day 2025" (28 January 2025)
  19. Briefly, "Kenyan Businesses Fined Over KES 26 Million For Privacy Violations" (03 October 2024)
  20. ODPC Service Charter
  21. ODPC Procedure on Complaint handling STEP 1