Kenya Office of Data Protection Guidance on Cross Border Data Transfers

Kenya’s New Cross-Border Data Transfer Blueprint: ODPC Releases Detailed 2026 Guidance Note

Kenya has taken a significant step toward clarifying how personal data can move beyond its borders in the digital age. The Office of the Data Protection Commissioner (ODPC) has published its Guidance Note on Cross-Border Data Transfers (April 2026), providing practical, detailed rules for organizations transferring personal data outside Kenya while complying with the Data Protection Act, 2019.

This comprehensive 40-page document expands on Part VI of the Act and Regulation 40 of the Data Protection (General) Regulations, 2021. It aims to safeguard the privacy rights of Kenyans, promote transparency and accountability, and mitigate risks such as cyberattacks and data misuse when information leaves the country.

Why This Guidance Note Matters

While Kenya’s Data Protection Act already sets strict conditions for cross-border transfers, many businesses have struggled with practical implementation — especially with cloud computing, multinational operations, and global supply chains. The new Guidance Note fills these gaps by offering clear operational steps, risk assessment tools, and compliance checklists.

Important: This is currently a draft document. The ODPC is inviting public comments until 15 May 2026. Stakeholders can submit feedback to compliance@odpc.go.ke.

Core Principles Governing Every Transfer

All cross-border data transfers must adhere to the seven fundamental data protection principles in the Act:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Data subjects must be informed about the transfer, its purpose, and associated risks. Controllers and processors bear the burden of proving compliance.

Lawful Bases for Cross-Border Transfers

A transfer is only permitted if at least one of the following bases applies:

  1. Adequacy Decision – The destination country or international organisation provides an equivalent level of protection, as determined by the Data Commissioner.
  2. Appropriate Safeguards – Such as Binding Corporate Rules (BCRs) for intra-group transfers (subject to ODPC approval) or legally binding Cross-Border Transfer Agreements that include strong security, liability, audit rights, and restrictions on onward transfers.
  3. Explicit Consent – Particularly required for sensitive personal data (e.g., health, biometric, ethnic origin). Data subjects must be clearly informed of the risks.
  4. Derogations / Necessity – Limited cases including contract performance, vital interests of the data subject, legal claims, or important public interest reasons.

Strict Rules on Onward Transfers and Data Localisation

Onward transfers to third parties are heavily restricted. The original recipient remains fully liable and must obtain prior authorisation, conduct a Transfer Impact Assessment (TIA), and ensure equivalent protections apply.

For data related to the strategic interests of the State (civil registration, elections, public finances, protected critical infrastructure, basic education, and primary/secondary health care), the law generally requires localisation: data must be processed on Kenyan servers or a serving copy must remain in Kenya.

Special Focus on Cloud Services and Modern Technologies

The Guidance Note pays close attention to cloud computing — one of the most common vectors for cross-border transfers. Organisations must:

  • Perform thorough due diligence on cloud providers
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk scenarios
  • Implement robust technical measures (encryption, access controls, audit logs, multi-factor authentication)
  • Understand differences between IaaS, PaaS, and SaaS models, with private clouds preferred for sensitive or strategic data

Practical Compliance Tools

The Note includes a detailed Annex 1 Compliance Checklist covering legal basis, documentation, risk assessments, data subject rights, onward transfers, breach notification, and periodic re-evaluation of safeguards.

Organisations must maintain records of every transfer (date, recipient, justification, data categories, safeguards) and be prepared to demonstrate compliance to the ODPC at any time.

Enforcement and Accountability

The ODPC has strong enforcement powers, including audits, investigations, and penalties under the Data Protection Act. Non-compliance can result in significant fines, orders to stop transfers, and liability for breaches.

What This Means for Businesses

For Kenyan companies with international operations: Clearer pathways to legitimise routine transfers while reducing risk.

For multinational firms with Kenyan customers: Expect increased scrutiny. You may need updated contracts, BCRs, explicit consent mechanisms, or stronger localisation measures.

Overall, Kenya is positioning itself as a responsible digital economy in Africa — open to global data flows but firm on protecting privacy and national strategic interests.

Next Steps

Organisations involved in cross-border data transfers are encouraged to review the full Guidance Note and submit comments by 15 May 2026. This input will help shape the final version that will guide compliance for years to come.
