The Rights of a Data Subject
Take Three (3) Questions as answered
By Njoki Kimemia, Legal & DPO Associate at South-End Tech Limited
Dated: Monday 13/03/2023
What are my rights as a Data Subject?
The Data Protection Act 2019 offers Kenyans the same data privacy protections as per the standards of other international data privacy laws, such as the EU’s General Data Protection Regulation (GDPR).
The Data Protection laws in Kenya grant data subjects a wide range of rights over their personal information. The rights of data subjects include:
- Right to be informed: Data subjects have the right to be informed about the collection and use of their data by an organization.
- Right to access: Data subjects have the right to access the personal data that another organization holds about them.
- Right to rectify: Data subjects have the right to request that an organization corrects any inaccuracies in their data.
- Right to erasure: Data subjects have the right to request that an organization deletes their data.
- Right to restrict processing: Data subjects have the right to request that an organization limits the processing of their data.
- Right to data portability: Data subjects have the right to request that an organization transfers their data to another organization.
- Right to object: Data subjects have the right to object to the processing of their data for certain purposes.
- Right to complain: Data subjects have the right to complain to the relevant data protection authority if they believe that their data has been mishandled or misused.
Figure 2: Your Data is the New Gold
- What are the limitations to my rights as a data subject?
The rights of the data subjects are not absolute and may be subject to certain limitations under Kenyan law. The limitations to data subject’s rights in Kenya include:
- National Security: An entity may withhold or process personal data for national security purposes.
- Law enforcement: Personal data may be processed or disclosed for law enforcement purposes, including the prevention and detection of crime.
- Public interest: Personal data may be processed or disclosed in the public interest for public health or safety reasons.
- Legal claims: Personal data may be processed or disclosed to establish, exercise, or defend legal claims.
- Contractual obligations: Personal data may be processed or disclosed to fulfill contractual obligations between an entity and a data subject.
- Consent: Data subject rights may be subject to limitations if the subject has given consent to the processing of their data for a specific purpose.
- What are the caveats on the limitations to my rights as a data subject?
Any limitations on data subject rights must be proportionate and necessary and do not unduly restrict the data subject’s rights or freedoms. Entities holding personal data have a legal and corporate responsibility to inform the data subject about any limitations on their rights and the reasons for those limitations.