17
2019
Data Protection
No.
(7) A data protection officer shall—
(a) advise the data controller or data processor and
their employees on data processing requirements
provided under this Act or any other written law;
(b) ensure on behalf of the data controller or data
processor that this Act is complied with;
(c) facilitate capacity building of staff involved in data
processing operations;
(d) provide advice on data protection impact
assessment; and
(e) co-operate with the Data Commissioner and any
other authority on matters relating to data
protection.
PART IV—PRINCIPLES AND OBLIGATIONS OF
PERSONAL DATA PROTECTION
25. Every data controller or data processor shall
ensure that personal data is—
(a) processed in accordance with the right to privacy
of the data subject;
(b) processed lawfully, fairly and in a transparent
manner in relation to any data subject;
(c) collected for explicit, specified and legitimate
purposes and not further processed in a manner
incompatible with those purposes;
(d) adequate, relevant, limited to what is necessary in
relation to the purposes for which it is processed;
(e) collected only where a valid explanation is
provided whenever information relating to family
or private affairs is required;
(f) accurate and, where necessary, kept up to date,
with every reasonable step being taken to ensure
that any inaccurate personal data is erased or
rectified without delay;
(g) kept in a form which identifies the data subjects
for no longer than is necessary for the purposes
which it was collected; and
(h) not transferred outside Kenya, unless there is proof
of adequate data protection safeguards or consent
from the data subject.
Principles of data
protection.
!