Comparing privacy laws:

GDPR v. Kenya Data

Protection Act
About the authors Table of contents
OneTrust DataGuidanceTM provides a suite of privacy solutions designed to help organisations
monitor regulatory developments, mitigate risk and achieve global compliance. Introduction 5
The OneTrust DataGuidanceTM platform includes focused guidance around core topics (i.e. GDPR, 1. Scope
data transfers, breach notification, among others), Cross-Border Charts which allow you to compare 1.1.
Personal scope 7
regulations across multiple jurisdictions at a glance, a daily customised news service and expert 1.2. Territorial scope 9
analysis. 1.3. Material scope 10
These tools, along with our in-house analyst service to help with your specific research questions,
2. Key definitions
provide a cost-effective and efficient solution to design and support your privacy programme.
2.1. Personal data 13
2.2. Pseudonymisation 15
2.3. Controller and processors 16
2.4. Children 18
2.5. Research 20

3. Legal basis 22
4. Controller and processor obligations
4.1. Data transfers 25
4.2. Data processing records 29
4.3. Data protection impact assessment 34
4.4. Data protection officer appointment 36
4.5. Data security and data breaches 38
4.6. Accountability 42

5. Individuals' rights
5.1. Right to erasure 43
5.2. Right to be informed 47
5.3. Right to object 51
Image production credits:
5.4. Right of access 55
Cover/p.5/p.51: 221A / Signature collection / istockphoto.com | MicroStockHub / Signature collection / istockphoto.com
Scale key p6-49: enisaksoy / Signature collection / istockphoto.com 5.5. Right not to be subject to discrimination 58
Icon p.33-40: AlexeyBlogoodf / Essentials collection / istockphoto.com
Icon p.47-51: cnythzl / Signature collection / istockphoto.com | MicroStockHub / Signature collection / istockphoto.com 5.6. Right to data portability 59

6. Enforcement
6.1. Monetary penalties 61
6.2. Supervisory authority 65
6.3. Civil remedies for individuals 71

2 3
 Introduction
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') came into effect on 25 May 2018, and governs the
protection of personal data in EU and EEA Member States. The Data Protection Act, 2019 ('the Act'), which came into force on 25
November 2019, is the primary piece of data protection legislation in Kenya. The Act provides for the establishment of the Data
Protection Office ('ODPC') to enforce its provisions, however this office has yet to be formed.

The Act has many similarities with the GDPR and often uses the same general concepts as well as the same language on occasion.
While these foundations are largely mirrored between the two pieces of legislation, there are several key, nuanced differences. For
instance, the Act provides less detailed information on the exercise of data subject rights, broader data transfer obligations, and
registration rather than record keeping obligations. Furthermore, the Act specifies at various points that the ODPC will issue further
guidance.

Further to the above, the ODPC issued, in early April 2020, three draft data protection regulations (combined in one document)
(collectively 'the Draft Regulations'), which if passed, will form part of the Act. The Draft Regulations are:

• the Data Protection (General) Regulations, 2021 ('the Draft General Regulations');
• the Data Protection (Compliance and Enforcement) Regulations 2021 ('the Draft Enforcement Regulations'); and
• the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.

The Draft Regulations provide more detail on the general enforcement of the Act, as well as particular requirements and obligations
on data controllers and data processors.

This overview organises provisions from the GDPR and the Act into key topics and sets them alongside each other to enable analysis
and comparison. Each section begins with a detailing of principal information and a general introduction, as well as a consistency
rating.

4 5
 1. Scope
Introduction (cont'd)
Fairly consistent

Structure and overview of the Guide 1.1. Personal scope

This Guide provides a comparison of the two legislative frameworks on the following key provisions:
The Act establishes similar central concepts of data controllers, data processors, and data subjects. However, it is less explicit than
the GDPR in relation to the nationality and place of residence of data subjects, and does not directly address deceased person's
1. Scope
data.
2. Key definitions
3. Legal basis
4. Controller and processor obligations
GDPR The Act
5. Individuals' rights
6. Enforcement Data controller

Article 4(7): 'controller' means the natural or legal person, Section 2: 'data controller' means a natural or legal
Each topic includes relevant provisions from the two legislative legal frameworks, a summary of the comparison, and a detailed
public authority, agency or other body which, alone or jointly person, public authority, agency or other body which,
analysis of the similarities and differences between the GDPR and the Act.
with others, determines the purposes and means of the alone or jointly with others, determines the purpose
processing of personal data; where the purposes and means and means of processing of personal data.
of such processing are determined by Union or Member State

Key for giving the consistency rate law, the controller or the specific criteria for its nomination
may be provided for by Union or Member State law.
 
Consistent: The GDPR and the Act bear a high degree of similarity in the rationale,
core, scope, and the application of the provision considered. Data processor

Fairly consistent: The GDPR and the Act bear a high degree of similarity in the Article 4(8): 'processor' means a natural or legal person, Section 2: 'data processor' means a natural or legal
rationale, core, and the scope of the provision considered, however, the details public authority, agency or other body which processes person, public authority, agency or other body which
governing its application differ. personal data on behalf of the controller. processes personal data on behalf of the data controller.

Fairly inconsistent: The GDPR and the Act bear several differences with regard Data subject
to the scope and application of the provision considered, however, its rationale
and core presents some similarities. Article 4(1): 'personal data' means any information relating to Section 2: 'data subject' means an identified or identifiable
an identified or identifiable natural person ('data subject'); natural person who is the subject of personal data.
Inconsistent: The GDPR and the Act bear a high degree of difference with regard an identifiable natural person is one who can be identified,
to the rationale, core, scope, and application of the provision considered. directly or indirectly, in particular by reference to an identifier Section 2: 'identifiable natural person' means a person
such as a name, an identification number, location data, an who can be identified directly or indirectly, by reference
online identifier or to one or more factors specific to the to an identifier such as a name, an identification number,
physical, physiological, genetic, mental, economic, cultural location data, an online identifier or to one or more
or social identity of that natural person. factors specific to the physical, physiological, genetic,

Usage of the Guide mental, economic, cultural or social or social identity.

This Guide is general and informational in nature, and is not intended to provide, and should not be relied on as a source of, legal
Public bodies
advice. The information and materials provided in the Guide may not be applicable in all (or any) situations and should not be acted
upon without specific legal advice based on particular circumstances.
Article 4(7): 'controller' means the natural or legal person, The definitions of a 'data controller' and 'data
public authority, agency or other body. processor' in Section 2 includes public authorities.

6 7
 GDPR The Act 1.2. Territorial scope
Fairly Inconsistent
Both the GDPR and the Act regulate organisations established within the respective jurisdictions. The Act, though, provides for a
Nationality of data subject broader extraterritorial scope and applies to any controller or processor processing data of Kenyan citizens, regardless of whether
the controller or processor is established in Kenya or their specific processing activities.
Recital 14: The protection afforded by this Regulation Section 4: This Act applies to the processing of personal data -
should apply to natural persons, whatever their (a) entered in a record, by or for a data controller or processor,
GDPR The Act
nationality or place of residence, in relation by making use of automated or nonautomated means:
to the processing of their personal data. Establishment in jurisdiction
Provided that when the recorded personal
data is processed by non-automated means, it Article 3: This Regulation applies to the processing of personal Section 4: This Act applies to the processing of personal data –

forms a whole or part of a filing system; data in the context of the activities of an establishment
of a controller or a processor in the Union, regardless of (a) entered in a record, by or for a data controller or processor,

(b) by a data controller or data processor who - (i) whether the processing takes place in the Union or not. by making use of automated or nonautomated means:

is established or ordinarily resident in Kenya and

processes personal data while in Kenya; or (ii) not Recital 22: Establishment implies the effective and real Provided that when the recorded personal

established or ordinarily resident in Kenya, but processing exercise of activity through stable arrangements. data is processed by non-automated means, it

personal data of data subjects located in Kenya. forms a whole or part of a filing system;

Place of residence (b) by a data controller or data processor who - (i)

is established or ordinarily resident in Kenya and
processes personal data while in Kenya; or (ii) not
See Recital 14, above. See Section 4 of the Act above.
established or ordinarily resident in Kenya, but processing
personal data of data subjects located in Kenya.
Deceased individuals

Recital 27: This Regulation does not apply to the The Act does not explicitly refer to deceased individual's data. Extraterritorial
personal data of deceased persons. Member States
may provide for rules regarding the processing See Article 3, above. See Section 4(b)(ii) above.
of personal data of deceased persons.

Goods & servicies from abroad

Recital 23: In order to ensure that natural persons are The Act does not explicitly refer to goods and services
not deprived of the protection to which they are entitled from abroad, however see Section 4(b)(ii) above.
under this Regulation, the processing of personal data
of data subjects who are in the Union by a controller or a
processor not established in the Union should be subject
to this Regulation where the processing activities are
related to offering goods or services to such data subjects
irrespective of whether connected to a payment.

Monitoring from abroad

Recital 24: The processing of personal data of data The Act does not explicitly refer to monitoring from
subjects who are in the Union by a controller or processor abroad, however see Section 4(b)(ii), above.
not established in the Union should also be subject to
this Regulation when it is related to the monitoring of
the behaviour of such data subjects in so far as their
8 9
behaviour takes place within the Union.
 GDPR The Act

1.3. Material scope Fairly consistent Special categories of data

There are several general similarities between the GDPR and the Act, including that they both explicitly consider anonymised Article 9(1): Processing of personal data revealing racial or Section 2: 'sensitive personal data' means data revealing
and pseudonymised data, apply to automated processing, and have comparable concepts of personal data and sensitive data. ethnic origin, political opinions, religious or philosophical the natural person's race, health status, ethnic social origin,
However, there are key differences in regard to how the anonymisation is referred to and in what types of data are considered beliefs, or trade union membership, and the processing conscience, belief, genetic data, biometric data, property
personal data, with the Act providing including matters such as family members' names. of genetic data, biometric data for the purpose of details, marital status, family details including names of
uniquely identifying a natural person, data concerning the person's children, parents, spouse or spouses, sex or
GDPR The Act health or data concerning a natural person's sex life or the sexual orientation of the data subject. [Sections 44-
sexual orientation shall be prohibited. 48 of the Act regulate the processing of sensitive data.]

Personal data/ personal information

Anonymised data
Article 4(1): 'personal data' means any information relating Section 2: 'personal data' means any information relating
to an identified or identifiable natural person ('data to an identified or identifiable natural person. Recital 26: The principles of data protection should not apply Section 2: 'anonymisation' means the removal of
subject'); an identifiable natural person is one who can be to anonymous information, namely information which does personal identifiers from personal data so that
identified, directly or indirectly, in particular by reference Section 2: 'identifiable natural person' means a person not relate to an identified or identifiable natural person or to the data subject is no longer identifiable.
to an identifier such as a name, an identification number, who can be identified directly or indirectly, by reference personal data rendered anonymous in such a manner that
location data, an online identifier or to one or more factors to an identifier such as a name, an identification number, the data subject is not or no longer identifiable. Section 37(2): A data controller or data processor that
specific to the physical, physiological, genetic, mental, location data, an online identifier or to one or more uses personal data for commercial purposes shall, where
economic, cultural or social identity of that natural person. factors specific to the physical, physiological, genetic, possible, anonymise the data in such a manner as to
mental, economic, cultural or social or social identity. ensure that the data subject is no longer identifiable.

Data processing Section 39(2): A data controller or data processor shall

delete, erase, anonymise or pseudonymise personal data not

Article 4(2): 'processing' means any operation or set necessary to be retained under sub-section (1) in a manner
Section 2: 'processing' means any operation or sets of
of operations which is performed on personal data or as may be specified at the expiry of the retention period.
operations which is performed on personal data or on sets of
on sets of personal data, whether or not by automated personal data whether or not by automated means, such as
means, such as collection, recording, organisation, Pseudonymised data
structuring, storage, adaptation or alteration, retrieval, (a) collection, recording, organisation, structuring;
consultation, use, disclosure by transmission, Article 4(5): 'pseudonymisation' means the processing of Section 2: 'pseudonymisation' means the processing of

dissemination or otherwise making available, alignment or personal data in such a manner that the personal data can no personal data in such a manner that the personal data can
(b) storage, adaptation or alteration;
combination, restriction, erasure or destruction. longer be attributed to a specific data subject without the use of no longer be attributed to a specific data subject without
additional information, provided that such additional information the use of additional information, and such additional
(c) retrieval, consultation or use;
is kept separately and is subject to technical and organisational information is kept separately and is subject to technical and
measures to ensure that the personal data are not attributed to organisational measures to ensure that the personal data is
(d) disclosure by transmission, dissemination,
an identified or identifiable natural person. not attributed to an identified or identifiable natural person.
or otherwise making available; or

(e) alignment or combination, restriction, erasure or destruction. Automated processing

Article 2(1): This Regulation applies to the processing Section 4: This Act applies to the processing of personal data -
of personal data wholly or partly by automated means (a) entered in a record, by or for a data controller or processor,
and to the processing other than by automated means by making use of automated or nonautomated means:
of personal data which form part of a filing system or are
intended to form part of a filing system. Provided that when the recorded personal
data is processed by non-automated means, it
forms a whole or part of a filing system;

10 11 11
 GDPR The Act
2. Key definitions
Automated processing (cont'd)
2.1. Personal data Fairly consistent

(b) by a data controller or data processor who - (i)

Definitions within the GDPR and the Act are relatively similar in relation to personal data and associated terms, and in some cases
is established or ordinarily resident in Kenya and
the Act directly mirrors the GDPR. However, there are slight differences, for example in relation to the specific categories of sensitive
processes personal data while in Kenya; or (ii) not
data.
established or ordinarily resident in Kenya, but processing
personal data of data subjects located in Kenya.
GDPR The Act
General exemptions
Personal data/ personal information
Article 2(2): This Regulation does not apply Section 51: (2) The processing of personal data is
Article 4(1): 'personal data' means any information relating Section 2: 'personal data' means any information relating
to the processing of personal data: exempt from the provisions of this Act if –
to an identified or identifiable natural person ('data to an identified or identifiable natural person.
subject'); an identifiable natural person is one who can be
(a) in the course of an activity which falls (a) it relates to processing of personal data by an individual
identified, directly or indirectly, in particular by reference Section 2: 'identifiable natural person' means a person
outside the scope of Union law; in the course of a purely personal or household activity;
to an identifier such as a name, an identification number, who can be identified directly or indirectly, by reference
location data, an online identifier or to one or more factors to an identifier such as a name, an identification number,
(b) by the Member States when carrying out (b) if it is necessary for national security or public interest; or
specific to the physical, physiological, genetic, mental, location data, an online identifier or to one or more
activities which fall within the scope of Chapter 2
economic, cultural or social identity of that natural person. factors specific to the physical, physiological, genetic,
of Title V of the Treaty on European Union; or (c) disclosure is required by or under any
mental, economic, cultural or social or social identity.
written law or by an order of the court.
(c) by a natural person in the course of a
purely personal or household activity. [Sections 52 and 53 provide further exceptions for journalism, Special categories of data
literature, and art, as well as research and statistics]
Article 9(1): Processing of personal data revealing racial or Section 2: 'sensitive personal data' means data revealing
ethnic origin, political opinions, religious or philosophical beliefs, the natural person's race, health status, ethnic social origin,
or trade union membership, and the processing of genetic data, conscience, belief, genetic data, biometric data, property
biometric data for the purpose of uniquely identifying a natural details, marital status, family details including names
person, data concerning health or data concerning a natural of the person's children, parents, spouse or spouses,
person's sex life or sexual orientation shall be prohibited. sex or the sexual orientation of the data subject.

Online identifiers

Recital 30: Natural persons may be associated with online See the definition of 'identifiable natural person' above,
identifiers provided by their devices, applications, tools which includes reference to 'online identifiers'.
and protocols, such as internet protocol addresses, cookie
identifiers or other identifiers such as radio frequency
identification tags. This may leave traces which, in particular
when combined with unique identifiers and other information
received by the servers, may be used to create profiles of
the natural persons and identify them.

12 13
13
 GDPR The Act 2.2. Pseudonymisation
Consistent

Filing system The definitions of anonymisation and pseudonymisation are essentially the same, although the Act refers to the act of anonymisation
while the GDPR refers to anonymous information.
The GDPR does not provide for a definition of 'data collector'. Section 2: 'filing system' means any structured set
of personal data which is readily accessible by
reference to a data subject or according to specific
GDPR The Act
criteria, whether centralised, decentralised or
dispersed on a functional or geographical basis. Anonymisation

Recital 26: 'anonymous information' is information which does Section 2: 'anonymisation' means the removal of
Profiling
not relate to an identified or identifiable natural person or to personal identifiers from personal data so that
personal data rendered anonymous in such a manner that the data subject is no longer identifiable.
Article 4(9): 'recipient' means a natural or legal person, public Section 2: 'profiling' means any form of automated processing
the data subject is not or no longer identifiable.
authority, agency or another body, to which the personal of personal data consisting of the use of personal data to
data are disclosed, whether a third party or not. 2However, evaluate certain personal aspects relating to a natural person, Pseudonymisation
public authorities which may receive personal data in the in particular to analyse or predict aspects concerning that
framework of a particular inquiry in accordance with Union natural person's race, sex, pregnancy, marital status, health Article 4(5): 'pseudonymisation' means the processing of Section 2: 'pseudonymisation' means the processing of
or Member State law shall not be regarded as recipients; the status, ethnic social origin, colour, age, disability, religion, personal data in such a manner that the personal data can no personal data in such a manner that the personal data can
processing of those data by those public authorities shall conscience, belief, culture, dress, language or birth; personal longer be attributed to a specific data subject without the use of no longer be attributed to a specific data subject without
be in compliance with the applicable data protection rules preferences, interests, behaviour, location or movements. additional information, provided that such additional information the use of additional information, and such additional
according to the purposes of the processing. is kept separately and is subject to technical and organisational information is kept separately and is subject to technical and
measures to ensure that the personal data are not attributed to organisational measures to ensure that the personal data is

Third Party an identified or identifiable natural person. not attributed to an identified or identifiable natural person.

Article 4(9): 'recipient' means a natural or legal person, public Section 2: 'third party' means natural or legal person,
authority, agency or another body, to which the personal public authority, agency or other body, other than the data
data are disclosed, whether a third party or not. 2However, subject, data controller, data processor or persons who,
public authorities which may receive personal data in the under the direct authority of the data controller or data
framework of a particular inquiry in accordance with Union processor, are authorised to process personal data.
or Member State law shall not be regarded as recipients; the
processing of those data by those public authorities shall
be in compliance with the applicable data protection rules
according to the purposes of the processing.

14 15 15
 GDPR The Act
2.3. Controllers and processors
Consistent Data Protection Officer ('DPO')
The definitions for data controllers and processors as well as associated activities are very similar between the GDPR and the Act.
The most notable difference is that the Act provides less detail in regard to the content of contracts between data controllers and DPO is not specifically defined, however Article DPO is not specifically defined, however Section
processors, although it still requires a written contract to be in place. 37 sets out requirements related to DPOs (see 24 sets out requirements related to DPOs (see
section 5.4. for further information). section 4.4. for further information).
GDPR The Act

Data controller

Article 4(7): 'controller' means the natural or legal person, Section 2: 'data controller' means a natural or legal
public authority, agency or other body which, alone or jointly person, public authority, agency or other body which,
with others, determines the purposes and means of the alone or jointly with others, determines the purpose
processing of personal data; where the purposes and means and means of processing of personal data.
of such processing are determined by Union or Member State
law, the controller or the specific criteria for its nomination
may be provided for by Union or Member State law.

Data processor

Article 4(8): 'processor' means a natural or legal Section 2: 'data processor' means a natural or legal
person, public authority, agency or other body which person, public authority, agency or other body which
processes personal data on behalf of the controller. processes personal data on behalf of the data controller.

Controller and processor contracts

Article 28(3): Processing by a processor shall be governed Section 42: (2) Where a data controller is using the

by a contract or other legal act under Union or Member services of a data processor - (a) the data controller

State law, that is binding on the processor with regard to shall opt for a data processor who provides sufficient

the controller and that sets out the subject-matter and guarantees in respect of organisational measures for

duration of the processing, the nature and purpose of the purpose of complying with Section 41(1); and

the processing, the type of personal data and categories

of data subjects and the obligations and rights of the (b) the data controller and the data processor shall enter into

controller. [Article 28 goes on to stipulate necessary a written contract which shall provide that the data processor

information to be included in such a contract.] shall act only on instructions received from the data controller
and shall be bound by obligations of the data controller.

Data Protection Impact Assessment ('DPIA')

DPIA is not specifically defined, however Article 35 Section 31(4): For the purposes of this Section, a 'data protection
sets out requirements for DPIAs (see section 5.3. for impact assessment' means an assessment of the impact of
further information). the envisaged processing operations on the protection of
personal data. (see section 4.3. below for further information).

16 17
 2.4. Children GDPR The Act
Fairly inconsistent

While both the GDPR and the Act consider special requirements for the processing of children's data, they do so in different ways. Privacy notice (children)
The Act more generally discusses the processing of children's data and explicitly considers mechanisms for verification of age and
consent. Recital 58: Given that children merit specific protection, The Act does not explicitly refer to privacy
any information and communication, where processing notices for processing children's data.
GDPR The Act
is addressed to a child, should be in such a clear and
plain language that the child can easily understand.
Children's definition

The GDPR does not specifically define 'child'. However, Article The Act does not specifically define 'child'. However,
8(1) provides: Where point (a) of Article 6(1) applies, in relation Section 33 provides detailed requirement for processing
to the offer of information society services directly to a child, children's data. [Note: Article 260 of the Kenyan Constitution
the processing of the personal data of a child shall be lawful stipulates the age threshold for adulthood to be 18 years]
where the child is at least 16 years old. Where the child is
below the age of 16 years, such processing shall be lawful
only if and to the extent that consent is given or authorised by
the holder of parental responsibility over the child. Member
States may provide by law for a lower age for those purposes
provided that such lower age is not below 13 years.

Consent for processing children's data

Article 8(2): The controller shall make reasonable efforts Section 33: (1) Every data controller or data processor shall
to verify in such cases that consent is given or authorised not process personal data relating to a child unless - (a)
by the holder of parental responsibility over the child, consent is given by the child's parent or guardian; and
taking into consideration available technology. (b) the processing is in such a manner that protects and
advances the rights and best interests of the child.
(2) A data controller or data processor shall incorporate
appropriate mechanisms for age verification and
consent in order to process personal data of a child.
(3) Mechanisms contemplated under sub-section (2) shall
be determined on the basis of - (a) available technology;
(b) volume of personal data processed;
(c) proportion of such personal data likely to be that of a child;
(d) possibility of harm to a child arising out
of processing of personal data; and
(e) such other factors as may be specified
by the Data Commissioner.
(4) A data controller or data processor that exclusively
provides counselling or child protection services
to a child may not be required to obtain parental
consent as set out under sub-section (1).

19
18 19
2.5. Research GDPR The Act
Fairly consistent
While both the GDPR and the Act provide exceptions for processing conducted for research purposes, including requirements for Data subject rights (research)
research as further processing and appropriate safeguards, there are differences in relation to data subject rights. The Act, though,
stipulates that the Data Commissioner should issue a relevant code of practice. Under Article 17(3), the right to erasure may not apply in cases The Act does not set out particular requirements for
of scientific or historical research. Article 21(6), however, data subject rights in the context of research. Section
GDPR The Act provides that data subjects may exercise the right to object 53(4), though, provides that: The Data Commissioner
to data processing for scientific or historical research shall prepare a code of practice containing practical
Scientific/ historical research definition purposes. In addition, Article 89 provides that Member guidance in relation to the processing of personal data
States may derogate from the GDPR in regard to data subject for purposes of Research, History and Statistics.
Recital 159: Where personal data are processed for scientific Although the Act provides requirements and exceptions rights and data processing for research purposes.
research purposes, this Regulation should also apply to for processing for the purposes of research, history, and
that processing. For the purposes of this Regulation, the statistics, it does not explicitly define these purposes.
processing of personal data for scientific research purposes
should be interpreted in a broad manner including for example
technological development and demonstration, fundamental
research, applied research and privately funded research.

Recital 160: Where personal data are processed for historical

research purposes, this Regulation should also apply to that
processing. This should also include historical research and
research for genealogical purposes, bearing in mind that
this Regulation should not apply to deceased persons.

Compatibility with original purpose of collection

Article 5(1)(b): Personal data shall be collected for specified, Section 53(1): The further processing of personal data shall
explicit and legitimate purposes and not further processed be compatible with the purpose of collection if the data
in a manner that is incompatible with those purposes; further is used for historical, statistical or research purposes and
processing for archiving purposes in the public interest, the data controller or data processor shall ensure that the
scientific or historical research purposes or statistical purposes further processing is carried out solely for such purposes
shall, in accordance with Article 89(1), not be considered to be and will not be published in an identifiable form.
incompatible with the initial purposes ('purpose limitation').

Appropriate safeguards

Article 89(1): Processing for archiving purposes in the public Section 53: (2) The data controller or data processor
interest, scientific or historical research purposes or statistical shall take measures to establish appropriate safeguards
purposes, shall be subject to appropriate safeguards, in against the records being used for any other purposes.
accordance with this Regulation, for the rights and freedoms of
the data subject. Those safeguards shall ensure that technical (3) Personal data which is processed only for research purposes
and organisational measures are in place in particular in is exempt from the provisions of this Act if - (a) data is processed
order to ensure respect for the principle of data minimisation. in compliance with the relevant conditions; and (b) results
Those measures may include pseudonymisation provided of the research or resulting statistics are not made available
that those purposes can be fulfilled in that manner. in a form which identifies the data subject or any of them.

20 21
21
 3. Legal basis Fairly consistent
GDPR The Act

The GDPR and the Act set out very similar legal bases for processing both personal data and sensitive data, comparable conditions Sensitive data (legal basis)
of consent, and exceptions for processing for journalism or artistic purposes. There are, however, slight differences in regard to the
withdrawal of consent and consent in relation to the performance of a contract. There are specific requirements for processing There are specific requirements for processing sensitive

GDPR The Act special categories of data, see Article 9 of the data, see Section 45 of the Act for further information.
GDPR for further information.

Legal grounds
Conditions for consent
Article 6(1): Processing shall be lawful only if and to the Section 30: (1) A data controller or data processor shall not
Article 7(3): The data subject shall have the right to Section 32: (1) A data controller or data processor shall bear
extent that at least one of the following applies: process personal data, unless - (a) the data subject consents
withdraw his or her consent at any time. The withdrawal the burden of proof for establishing a data subject's consent to
to the processing for one or more specified purposes; or
of consent shall not affect the lawfulness of processing the processing of their personal data for a specified purpose.
(a) the data subject has given consent to the processing of
based on consent before its withdrawal. Prior to giving
his or her personal data for one or more specific purposes; (b) the processing is necessary -
consent, the data subject shall be informed thereof. It (2) Unless otherwise provided under this Act, a data subject
shall be as easy to withdraw as to give consent. shall have the right to withdraw consent at any time.
(b) processing is necessary for the performance of a contract to (i) for the performance of a contract to which the data
which the data subject is party or in order to take steps at the subject is a party or in order to take steps at the request
Article 4: (11) 'consent' of the data subject means any freely (3) The withdrawal of consent under sub-section
request of the data subject prior to entering into a contract; of the data subject before entering into a contract;
given, specific, informed and unambiguous indication of the (2) shall not affect the lawfulness of processing
data subject's wishes by which he or she, by a statement based on prior consent before its withdrawal.
(c) processing is necessary for compliance with a (ii) for compliance with any legal obligation
or by a clear affirmative action, signifies agreement to
legal obligation to which the controller is subject; to which the controller is subject;
the processing of personal data relating to him or her. (4) In determining whether consent was freely given, account
shall be taken of whether, among others, the performance
(d) processing is necessary in order to protect the vital (iii) in order to protect the vital interests of the
of a contract, including the provision of a service, is
interests of the data subject or of another natural person; data subject or another natural person;
conditional on consent to the processing of personal data
that is not necessary for the performance of that contract.
(e) processing is necessary for the performance of a (iv) for the performance of a task carried out in
task carried out in the public interest or in the exercise the public interest or in the exercise of official
Section 4 of the Draft General Regulations: (3) In
of official authority vested in the controller; or authority vested in the controller;
obtaining consent from a data subject, a data controller
or a data processor shall ensure that the ─
(f) processing is necessary for the purposes of the (v) the performance of any task carried out by a public authority;
legitimate interests pursued by the controller or by a
(a) data subject has capacity to understand
third party, except where such interests are overridden (vi) for the exercise, by any person in the public
and communicate their consent;
by the interests or fundamental rights and freedoms of interest, of any other functions of a public nature;
the data subject which require protection of personal
(b) data subject is informed of the nature of processing
data, in particular where the data subject is a child. (vii) for the legitimate interests pursued by the data controller or
in simple and clear language that is understandable;
data processor by a third party to whom the data is disclosed,
except if the processing is unwarranted in any particular
(c) data subject voluntarily gives consent; and
case having regard to the harm and prejudice to the rights
and freedoms or legitimate interests of the data subject; or
(d) consent is specific.

(viii) for the purpose of historical, statistical, journalistic,

(4) A data subject may prior to the processing of their
literature and art or scientific research.
personal data give consent either orally or in writing, and
may include a handwritten signature, an oral statement, or
use of an electronic or other medium to signify agreement.

22 23 23
 GDPR The Act
4. Controller and processor
Conditions for consent (cont'd)

(5) A data controller or data processor shall not presume

obligations
that a data subject has given consent on the basis
that the data subject did not object to a proposal to
4.1. Data transfers Inconsistent
handle their personal data in a particular manner.

The Act takes an alternative approach to data transfers than the GDPR, by generally requiring that data controllers or processors
(6) Consent shall not be implied, where the intention of demonstrate to the Data Commissioner that there are appropriate safeguards unless consent has been obtained from the data
the data subject is ambiguous or there is reasonable subject. The Act does not explicitly define what would constitute 'appropriate safeguards'. The Act also leaves room for the Cabinet
doubt as to the intention of the data subject. Secretary to establish data localisation / residency requirements.

(7) Subject to Section 32(2) and (3) of the Act, a GDPR The Act
data subject shall be informed of the implications of
providing, withholding or withdrawing consent.
Adequate protection

Legal grounds Article 45(1): A transfer of personal data to a third country Section 48: A data controller or data processor may transfer
or an international organisation may take place where personal data to another country only where – (a) the data
Article 85(1): Member States shall by law reconcile the right Section 52: (1) The principles of processing personal data the Commission has decided that the third country, controller or data processor has given proof to the Data
to the protection of personal data pursuant to this Regulation shall not apply where - (a) processing is undertaken by a a territory or one or more specified sectors within Commissioner on the appropriate safeguards with respect
with the right to freedom of expression and information, person for the publication of a literary or artistic material; (b) that third country, or the international organisation in to the security and protection of the personal data;
including processing for journalistic purposes and the data controller reasonably believes that publication would question ensures an adequate level of protection. Such
purposes of academic, artistic or literary expression. be in the public interest; and (c) data controller reasonably a transfer shall not require any specific authorisation. (b) the data controller or data processor has given
believes that, in all the circumstances, compliance with proof to the Data Commissioner of the appropriate
the provision is incompatible with the special purposes. safeguards with respect to the security and protection of
personal data, and the appropriate safeguards including
(2) Subsection (1) (b) shall only apply where it can be jurisdictions with commensurate data protection laws.
demonstrated that the processing is in compliance
with any self-regulatory or issued code of ethics in Section 49: (1) The processing of sensitive personal
practice and relevant to the publication in question. data out of Kenya shall only be effected upon
obtaining consent of a data subject and on obtaining
(3) The Data Commissioner shall prepare a code of practice confirmation of appropriate safeguards.
containing practical guidance in relation to the processing of
personal data for purposes of Journalism, Literature and Art. (2) The Data Commissioner may request a person
who transfers data to another country to demonstrate
the effectiveness of the security safeguards or the
existence of compelling legitimate interests.

(3) The Data Commissioner may, in order to protect the rights

and fundamental freedoms of data subjects, prohibit, suspend
or subject the transfer to such conditions as may be determined.

Section 40 of the Draft General Regulations: A data

controller or data processor who is a transferring
entity shall before transferring personal data out of
24 Kenya ascertain that the transfer is based on: 25
 GDPR The Act GDPR The Act

Adequate protection (cont'd) Other mechanisms for data transfers (cont'd)

(a) appropriate data protection safeguards; Article 46(1): In the absence of a decision pursuant to Article Section 48: A data controller or data processor may

45(3), a controller or processor may transfer personal data transfer personal data to another country only where -

(b) an adequacy decision made by the Data Commissioner; to a third country or an international organisation only if the
controller or processor has provided appropriate safeguards, […] (c) the transfer is necessary - (i) for the performance of a

(c) transfer as a necessity; or and on condition that enforceable data subject rights and contract between the data subject and the data controller
effective legal remedies for data subjects are available. or data processor or implementation of precontractual

(d) consent of the data subject. (2) The appropriate safeguards referred to in paragraph measures taken at the data subject's request;
1 may be provided for, without requiring any specific

Section 41 of the Draft General Regulations : (1) A authorisation from a supervisory authority, by: (ii) for the conclusion or performance of a contract

transfer of personal data to another country or a (a) a legally binding and enforceable instrument concluded in the interest of the data subject

relevant international organisation is based on the between public authorities or bodies; between the controller and another person;

existence of appropriate safeguards where - (b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the (iii) for any matter of public interest;

(a) a legal instrument containing appropriate safeguards Commission in accordance with the examination

for the protection of personal data binding the procedure referred to in Article 93(2); (iv) for the establishment, exercise or defence of a legal claim;

intended recipient that is essentially equivalent to the (d) standard data protection clauses adopted by a supervisory

protection under the Act and these Regulations; or authority and approved by the Commission pursuant to (v) in order to protect the vital interests of the data
the examination procedure referred to in Article 93(2); subject or of other persons, where the data subject is

(b) the data controller, having assessed all the circumstances (e) an approved code of conduct pursuant to Article 40 together physically or legally incapable of giving consent; or

surrounding transfers of that type of personal data to another with binding and enforceable commitments of the controller

country or relevant international organisation, concludes or processor in the third country to apply the appropriate (vi) for the purpose of compelling legitimate

that appropriate safeguards exist to protect the data. safeguards, including as regards data subjects' rights; or interests pursued by the data controller or data
(f) an approved certification mechanism pursuant processor which are not overridden by the interests,

Section 42 of the Draft General Regulations: For the to Article 42 together with binding and enforceable rights and freedoms of the data subjects.

purpose of confirming the existence of appropriate data commitments of the controller or processor in the

protection safeguards anticipated under section 49(1) third country to apply the appropriate safeguards, Section 48 of the Draft General Regulations: A

of the Act, any country or a territory is taken to have including as regards data subjects' rights. transferring entity may enter into a written agreement

such safeguards if that country or territory has — (3) Subject to the authorisation from the competent with the recipient of personal data, which contract
supervisory authority, the appropriate safeguards referred shall contain provisions relating to —

(a) ratified the African Union Convention on Cyber to in paragraph 1 may also be provided for, in particular, by:

Security and Personal Data Protection; (a) contractual clauses between the controller or processor (a) the unlimited access by the transferring entity to
and the controller, processor or the recipient of the personal ascertain the existence of a robust information system

(b) reciprocal data protection agreement with Kenya; or data in the third country or international organisation; or of the recipient for storing the personal data; and
(b) provisions to be inserted into administrative

(c) a contractual binding corporate rules among a arrangements between public authorities or bodies which (b) the countries and territories to which the personal

concerned group of undertakings or enterprises. include enforceable and effective data subject rights. data may be transferred under the contract.

[Note: Sections 43 to 47 of the Draft General

Regulatitons provide further detail on each of the
transfer methods noted in Section 40 of the same.

27
26 27
 GDPR The Act 4.2. Data processing records
Inconsistent

Data localisation Unlike the GDPR, the Act establishes general processing registration / notification requirements and does not explicitly require
records of processing.
Not applicable. Section 50: The Cabinet Secretary may prescribe, based
on grounds of strategic interests of the state or protection GDPR The Act
of revenue, certain nature of processing that shall only be
effected through a server or a data centre located in Kenya.
Data controller obligation
Section 25 of the General Regulations: (1) Pursuant
to Section 50 of the Act, a data controller or data
Article 30(1): Each controller and, where applicable, The Act does not explicitly provide for
processor who processes personal data for the
the controller's representative, shall maintain a record processing record keeping obligations.
purpose of actualising a public good set out under
of processing activities under its responsibility. That
Section 50(2) shall be required to ensure that —
record shall contain all of the following information:
(a) such processing is effected through a server
and data centre located in Kenya; and
(a) the name and contact details of the controller and,
(b) at least one serving copy of the concerned personal
where applicable, the joint controller, the controller's
data is stored in a data centre located in Kenya.
representative and the data protection officer;
(2) The purposes contemplated under paragraph
(1) that require processing in Kenya include —
(b) the purposes of the processing;
(a) administering a national civil registration
system including registrations of births and
(c) a description of the categories of data subjects
deaths, persons, adoption and marriages;
and of the categories of personal data;
(b) operating a population register and identity management
system including any issuance of any public document of
(d) the categories of recipients to whom the personal
identity; (c) managing personal data to facilitate access
data have been or will be disclosed including recipients
of primary and secondary education in the country;
in third countries or international organisations;
(d) the conduct of elections in the country;
(e) managing any electronic payments systems
(e) where applicable, transfers of personal data to a third country
licensed under the National Payment Systems Act;
or an international organisation, including the identification
(f) any revenue administration system for public finances;
of that third country or international organisation and, in the
(g) processing health data for any other purpose other
case of transfers referred to in the second subparagraph of
than providing health care directly to a data subject; or
Article 49(1), the documentation of suitable safeguards;
(h) managing any system designated as a protected
computer system in terms of Section 20 of the
(f) where possible, the envisaged time limits for
Computer Misuse and Cybercrime Act, 2018.
erasure of the different categories of data; and
(3) Despite paragraph (2), the Cabinet Secretary may require
a data controller who processes personal data outside
(g) where possible, a general description of the technical and
Kenya to comply with paragraph (1), if the data controller —
organisational security measures referred to in Article 32(1).
(a) has been notified that personal data outside Kenya has been

breached or its services have been used to violate the Act and
has not taken measures to stop or handle the violation; and
(b) resists, obstructs or fails to comply with requests of the
Data Commissioner or any other relevant authority in —
(i) cooperating to investigate and handle such violations; or
(ii) neutralise and disable the effect of cyber
security protection measures.

28 2929
 GDPR The Act GDPR The Act

Data processor obligation Required to make available (cont'd)

Article 30(2): Each processor and, where applicable, The Act does not explicitly provide for
(3) A person who, without reasonable excuse, fails or
the processor's representative shall maintain a equivalent record keeping obligations.
refuses to comply with a notice, or who furnishes to the
record of all categories of processing activities
Data Commissioner any information which the person
carried out on behalf of a controller, containing:
knows to be false or misleading, commits an offence.

(a) the name and contact details of the processor or processors

and of each controller on behalf of which the processor Exemptions
is acting, and, where applicable, of the controller's or the
Article 30(5): The obligations referred to in paragraphs 1 The Act does not explicitly provide for
processor's representative, and the data protection officer;
and 2 shall not apply to an enterprise or an organisation equivalent record keeping obligations.
employing fewer than 250 persons unless the processing
(b) the categories of processing carried
it carries out is likely to result in a risk to the rights and
out on behalf of each controller;
freedoms of data subjects, the processing is not occasional,
or the processing includes special categories of data as
(c) where applicable, transfers of personal data to a third country
referred to in Article 9(1) or personal data relating to criminal
or an international organisation, including the identification
convictions and offences referred to in Article 10.
of that third country or international organisation and, in the
case of transfers referred to in the second subparagraph of
Article 49(1), the documentation of suitable safeguards; and General Data Processing Notification ('DPN')

(d) where possible, a general description of the technical and Not applicable. Section 18: (1) Subject to sub-section (2), no person shall act

organisational security measures referred to in Article 32(1). as a data controller or data processor unless registered with
the Data Commissioner. (2) The Data Commissioner shall
prescribe thresholds required for mandatory registration of
Records format
data controllers and data processors, and in making such
determination, the Data Commissioner shall consider -
Article 30(3): The records referred to in paragraphs 1 The Act does not explicitly provide for
and 2 shall be in writing, including in electronic form. equivalent record keeping obligations.
(a) the nature of industry;

Required to make available

(b) the volumes of data processed;

Article 30(4): The controller or the processor and, Section 57: (1) The Data Commissioner may, for the
(c) whether sensitive personal data is being processed; and
where applicable, the controller's or the processor's purpose of the investigation of a complaint, order any

representative, shall make the record available person to – […] (b) produce such book, document, record
(d) any other criteria the Data Commissioner may specify.
to the supervisory authority on request. or article as may be required with respect to any matter
relevant to the investigation, which the person is not
[Note: the Act goes on to detail these registration
prevented by any other enactment from disclosing;
requirements further in Sections 19-22. See Kenya -
Data Processing Notification for further information].
[…] (2) Where material to which an investigation relates
consists of information stored in any mechanical or electronic
device, the Data Commissioner may require the person
named to produce or give access to it in a form in which it
can be taken away and in which it is visible and legible.

31
30 31
Global Regulatory Build a global privacy program by
comparing key legal frameworks
Research Software against the GDPR
40 In-House Legal Researchers, 500 Lawyers CCPA | Russia | Thailand | Brazil | Japan | China
Across 300 Jurisdictions and 20+ other global laws & frameworks
Monitor regulatory developments, mitigate risk,
and achieve global compliance Understand and compare key provisions of the GDPR
with relevant data protection laws from around the globe

The GDPR Benchmarking tool provides comparison of the

various pieces of legislation on the following key provisions

Scope Rights

Definitions and legal basis Enforcement

• Employ topic specific guidance to develop your

compliance activities

• Monitor news and access written opinion pieces on

the most recent developments

Start your free trial at

www.dataguidance.com
 GDPR The Act
4.3. D
 ata protection impact
assessment Fairly consistent DPIA content requirements (cont'd)

Although the Act is less detailed, it contains broadly similar provisions to the GDPR in relation to DPIAs. This includes potential prior (c) an assessment of the risks to the rights and freedoms (c) an assessment of the risks to the rights
consultation and obligations to conduct DPIAs when processing is likely to result in high risks to data subjects. of data subjects referred to in paragraph 1; and and freedoms of data subjects;

GDPR The Act

(d) the measures envisaged to address the risks, including (d) the measures envisaged to address the risks and the
safeguards, security measures and mechanisms to ensure the safeguards, security measures and mechanisms to ensure the
When is a DPIA required protection of personal data and to demonstrate compliance protection of personal data and to demonstrate compliance
with this Regulation taking into account the rights and legitimate with this Act, taking into account the rights, and legitimate
Article 35(1): Where a type of processing in particular using new Section 31(1): Where a processing operation is likely to result
interests of data subjects and other persons concerned. interests of data subjects and other persons concerned.
technologies, and taking into account the nature, scope, context in high risk to the rights and freedoms of a data subject, by
and purposes of the processing, is likely to result in a high risk to virtue of its nature, scope, context and purposes, a data
Consultation with authority
the rights and freedoms of natural persons, the controller shall, controller or data processor shall, prior to the processing,
prior to the processing, carry out an assessment of the impact carry out a data protection impact assessment.
Article 36(1): The controller shall consult the supervisory Section 31(3): The data controller or data processor shall
of the envisaged processing operations on the protection
authority prior to processing where a data protection impact consult the Data Commissioner prior to the processing if
of personal data. A single assessment may address a set of
assessment under Article 35 indicates that the processing a data protection impact assessment prepared under this
similar processing operations that present similar high risks.
would result in a high risk in the absence of measures taken by section indicates that the processing of the data would result
the controller to mitigate the risk. [Article 36 goes on to detail in a high risk to the rights and freedoms of a data subject.
[…] (3) A data protection impact assessment referred to in
requirements related to such prior consultation].
paragraph 1 shall in particular be required in the case of:
[…] (5) The data impact assessment reports shall be
submitted sixty days prior to the processing of data.
(a) a systematic and extensive evaluation of personal aspects
relating to natural persons which is based on automated
(6) The Data Commissioner shall set out guidelines for
processing, including profiling, and on which decisions are
carrying out an impact assessment under this section.
based that produce legal effects concerning the natural
person or similarly significantly affect the natural person;
Section 52 of the Draft General Regulations: (1) In conducting
a data protection impact assessment, a data controller
(b) processing on a large scale of special categories of data
or a data processor may consult the Office for advice
referred to in Article 9(1), or of personal data relating to
on whether risks identified and mitigation measures
criminal convictions and offences referred to in Article 10; or
suggested are viable in the outlined circumstances.

(c) a systematic monitoring of a publicly accessible

area on a large scale.

DPIA content requirements

Article 35(7): The assessment shall contain at least: Section 31(2): A data protection impact assessment shall
include the following - (a) a systematic description of the
(a) a systematic description of the envisaged envisaged processing operations and the purposes of the
processing operations and the purposes of the processing, including, where applicable, the legitimate
processing, including, where applicable, the interest pursued by the data controller or data processor;
legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
the processing operations in relation to the purposes;

35
34 35
4.4. D
 ata protection officer GDPR The Act
appointment Fairly consistent
When is a DPO required (cont'd)
The concepts of DPOs, their tasks, and the associated provisions regulating the appointment of DPOs are very similar between the
GDPR and the Act. The primary difference is that the Act uses different language and terms such as 'may' rather than 'shall'. (b) the core activities of the controller or the processor (b) the core activities of the data controller or data
consist of processing operations which, by virtue of their processor consist of processing operations which, by
GDPR The Act
nature, their scope and/or their purposes, require regular and virtue of their nature, their scope or their purposes, require
systematic monitoring of data subjects on a large scale; or regular and systematic monitoring of data subjects; or
DPO tasks
(c) the core activities of the controller or the processor (c) the core activities of the data controller or the data processor
Article 39(1): The data protection officer shall Section 24(7): A data protection officer shall - (a) consist of processing on a large scale of special categories consist of processing of sensitive categories of personal data.
have at least the following tasks: advise the data controller or data processor and of data pursuant to Article 9 and personal data relating to
their employees on data processing requirements criminal convictions and offences referred to in Article 10.
(a) to inform and advise the controller or the processor provided under this Act or any other written law;
and the employees who carry out processing of their
Group appointments
obligations pursuant to this Regulation and to other (b) ensure on behalf of the data controller or data
Union or Member State data protection provisions; processor that this Act is complied with;
Article 37(2): A group of undertakings may appoint a single Section 24: (3) A group of entities may appoint
data protection officer provided that a data protection a single data protection officer provided that
(b) to monitor compliance with this Regulation, with other (c) facilitate capacity building of staff involved
officer is easily accessible from each establishment. such officer is accessible by each entity.
Union or Member State data protection provisions and in data processing operations;
with the policies of the controller or processor in relation to
(4) Where a data controller or a data processor is a
the protection of personal data, including the assignment (d) provide advice on data protection impact assessment; and
public body, a single data protection officer may be
of responsibilities, awareness-raising and training of staff
designated for several such public bodies, taking
involved in processing operations, and the related audits; (e) co-operate with the Data Commissioner and any
into account their organisational structures.
other authority on matters relating to data protection.
(c) to provide advice where requested as regards
Notification of DPO
the data protection impact assessment and monitor Section 24(2): A data protection officer may be a staff
its performance pursuant to Article 35; member of the data controller or data processor and
Article 37(7): The controller or the processor shall publish Section 24(6): A data controller or data processor
may fulfil other tasks and duties provided that any such
the contact details of the data protection officer and shall publish the contact details of the data protection
(d) to cooperate with the supervisory authority; and tasks and duties do not result in a conflict of interest.
communicate them to the supervisory authority. officer on the website and communicate them to the
Data Commissioner who shall ensure that the same
(e) to act as the contact point for the supervisory authority
information is available on the official website.
on issues relating to processing, including the prior
consultation referred to in Article 36, and to consult,
where appropriate, with regard to any other matter.
Qualifications

Section 24(5): A person may be designated or appointed as

When is a DPO required Article 37(5): The data protection officer shall be designated
on the basis of professional qualities and, in particular, expert a data protection officer, if that person has relevant academic

knowledge of data protection law and practices and the or professional qualifications which may include knowledge
Article 37(1): The controller and the processor shall Section 24(1): A data controller or data processor
ability to fulfil the tasks referred to in Article 39. and technical skills in matters relating to data protection.
designate a data protection officer in any case where: may designate or appoint a data protection officer
on such terms and conditions as the data controller
(a) the processing is carried out by a public authority or or data processor may determine, where -
body, except for courts acting in their judicial capacity;
(a) the processing is carried out by a public body or private
body, except for courts acting in their judicial capacity;

36 3737
4.5. Data security and data GDPR The Act
breaches
Fairly consistent
Data breach notification to authority
The Act and the GDPR have broadly similar security requirements with both establishing principles of Privacy by Default and by
Design. They also have comparable data breach notification obligations, such as notifying authorities within 72 hours. However,
Article 33(1): In the case of a personal data breach, the Section 43(1): Where personal data has been accessed or
some of the details within the provisions vary.
controller shall without undue delay and, where feasible, acquired by an unauthorised person, and there is a real risk
not later than 72 hours after having become aware of it, of harm to the data subject whose personal data has been
In addition, the Draft General Regulations further clarify what would constitute a notifiable data breach under the Act and outline the
notify the personal data breach to the supervisory authority subjected to the unauthorised access, a data controller
information that should be included in a notification.
competent in accordance with Article 55, unless the personal shall - (a) notify the Data Commissioner without delay, within
GDPR The Act data breach is unlikely to result in a risk to the rights and seventy-two hours of becoming aware of such breach.
freedoms of natural persons. Where the notification to […] (5) The notification and communication referred to

Security measures defined the supervisory authority is not made within 72 hours, it under subsection (1) shall provide sufficient information
shall be accompanied by reasons for the delay. to allow the data subject to take protective measures

Article 32(1): Taking into account the state of the art, the costs of Section 41: (1) Every data controller or data against the potential consequences of the data breach,

implementation and the nature, scope, context and purposes of processor shall implement appropriate technical and including - (a) description of the nature of the data breach;

processing as well as the risk of varying likelihood and severity organisational measures which are designed - (b) description of the measures that the data

for the rights and freedoms of natural persons, the controller (a) to implement the data protection principles in controller or data processor intends to take or

and the processor shall implement appropriate technical an effective manner; and (b) to integrate necessary has taken to address the data breach;

and organisational measures to ensure a level of security safeguards for that purpose into the processing. (c) recommendation on the measures to be

appropriate to the risk, including inter alia as appropriate: (2) The duty under subsection (1) applies both at the taken by the data subject to mitigate the adverse

time of the determination of the means of processing effects of the security compromise;

(a) the pseudonymisation and encryption of personal data; the data and at the time of the processing. (d) where applicable, the identity of the unauthorised person

(3) A data controller or data processor shall implement who may have accessed or acquired the personal data; and

(b) the ability to ensure the ongoing confidentiality, integrity, appropriate technical and organisational measures for ensuring (e) the name and contact details of the data protection

availability and resilience of processing systems and services; that, by default, only personal data which is necessary for each officer where applicable or other contact point from

specific purpose is processed, taking into consideration whom more information could be obtained.

(c) the ability to restore the availability and (a) the amount of personal data collected; […] (8) The data controller shall record the following information

access to personal data in a timely manner in the (b) the extent of its processing; in relation to a personal data breach - (a) the facts relating to

event of a physical or technical incident; (c) the period of its storage; the breach; (b) its effects; and (c) the remedial action taken.

(d) its accessibility; and Section 37 of the Draft General Regulations: (1) For the purpose

(d) a process for regularly testing, assessing and evaluating (e) the cost of processing data and the of section 43 of the Act, a data breach is taken to result in real

the effectiveness of technical and organisational technologies and tools used. risk of harm to a data subject if that data breach relates to —

measures for ensuring the security of the processing. (4) To give effect to this section, the data controller or data (a) the data subject’s full name or identification number and

processor shall consider measures such as - (a) to identify any of the personal data or classes of personal data relating

reasonably foreseeable internal and external risks to to the data subject set out in the Second Schedule; or

personal data under the person's possession or control; (b) the following personal data relating to a data subject’s

(b) to establish and maintain appropriate account with a data controller or data processor —

safeguards against the identified risks; (i) the data subject’s account identifier, such

(c) to the pseudonymisation and encryption of personal data; as an account name or number; and

(d) to the ability to restore the availability and Section 38 of the Draft General Regulations: (1) A

access to personal data in a timely manner in the notification by data controller or data processor to the Data

event of a physical or technical incident; Commissioner of a notifiable data breach under Section

(e) to verify that the safeguards are effectively implemented; and 43 of the Act shall include - (a) the date on which and the

(f) to ensure that the safeguards are continually circumstances in which the data controller or data processor

updated in response to new risks or deficiencies. first became aware that the data breach had occurred;

[Section 42 sets out further criteria for assessing organisational (ii) any password, security code, access code, response to a

measures, and particularly in relation to data processors] security question, biometric data or other data that is used or
38 required to allow access to or use of the individual’s account. 39
39
 GDPR The Act GDPR The Act

Data breach notification to authority (cont'd) Timeframe for breach notification

(2) A breach of any personal data envisaged under paragraph (1) See Article 33(1) above. Section 43(1): Where personal data has been accessed or

amounts to notifiable data breach under Section 43 of the Act. acquired by an unauthorised person, and there is a real risk

Section 38 of the Draft General Regulations: (1) A of harm to the data subject whose personal data has been

notification by data controller or data processor to the Data subjected to the unauthorised access, a data controller

Commissioner of a notifiable data breach under Section shall - (a) notify the Data Commissioner without delay, within

43 of the Act shall include - (a) the date on which and the seventy-two hours of becoming aware of such breach.

circumstances in which the data controller or data processor […] (2) Where the notification to the Data Commissioner

first became aware that the data breach had occurred; is not made within seventy-two hours, the notification

(b) a chronological account of the steps taken by the data shall be accompanied by reasons for the delay.

controller or data processor after the data controller or

data processor became aware that the data breach had Notifying data subjects of data breach
occurred, including the data controller or data processor’s
assessment that the data breach is a notifiable data breach; Article 34(1): When the personal data breach is likely to Section 43: (1) Where personal data has been accessed or
(c) details on how the notifiable data breach result in a high risk to the rights and freedoms of natural acquired by an unauthorised person, and there is a real risk
occurred, where applicable; persons, the controller shall communicate the personal data of harm to the data subject whose personal data has been
(d) the number of data subjects or other persons breach to the data subject without undue delay. subjected to the unauthorised access, a data controller shall -
affected by the notifiable data breach; […] (b) subject to subsection (3), communicate to the data
(e) the personal data or classes of personal data subject in writing within a reasonably practical period, unless
affected by the notifiable data breach; the identity of the data subject cannot be established.
(f) the potential harm to the affected data subjects
as a result of the notifiable data breach;
Data processor notification of data breach
(g) information on any action by the data controller or data
Article 33(2): The processor shall notify the controller Section 43(3): Where a data processor becomes aware of a
processor, whether taken before or to be taken after the data
without undue delay after becoming aware of a personal data breach, the data processor shall notify the data
controller or data processor notifies the Data Commissioner
personal data breach. controller without delay and where reasonably practicable,
of the occurrence of the notifiable data breach to —
within forty-eight hours of becoming aware of such breach.
(i) eliminate or mitigate any potential harm to
any affected data subject or other person as a
result of the notifiable data breach; and Exceptions
(ii) address or remedy any failure or shortcoming
Article 34(3): The communication to the data subject Section 43: (6) The communication of a breach to the data
that the data controller or data processor believes
referred to in paragraph 1 shall not be required subject shall not be required where the data controller or data
to have caused, or enabled or facilitated the
if any of the following conditions are met: processor has implemented appropriate security safeguards
occurrence of, the notifiable data breach;
(a) the controller has implemented appropriate technical which may include encryption of affected personal data.
(h) all or any affected individuals or the public that the
and organisational protection measures, and those (7) Where and to the extent that it is not possible to provide all
notifiable data breach has occurred and how an affected
measures were applied to the personal data affected by the information mentioned in subsection (5) at the same time,
data subject may eliminate or mitigate any potential
the personal data breach, in particular those that render the information may be provided in phases without undue delay.
harm as a result of the notifiable data breach;
the personal data unintelligible to any person who is
(i) contact information of an authorized representative
not authorised to access it, such as encryption;
of the data controller or data processor.
(b) the controller has taken subsequent measures which ensure
(2) Where, despite Section 43(1)(b) of the Act, data controller
that the high risk to the rights and freedoms of data subjects
or data processor does not intend to communicate to a data
referred to in paragraph 1 is no longer likely to materialise;
subject affected by a notifiable data breach, the notification to
(c) it would involve disproportionate effort. In such a
the Data Commissioner under paragraph (1) shall additionally
case, there shall instead be a public communication
specify the grounds for not notifying the affected data subject.
or similar measure whereby the data subjects are
40 41
informed in an equally effective manner.
4.6. Accountability
Fairly consistent
5. Rights Fairly consistent

Although the Act does not contain an explicit accountability principle like the GDPR, it does establish relevant provisions and 5.1. Right to erasure
provides a clear distinction of controller and processor liabilities.
Like the GDPR, the Act provides data subjects with the capacity to request the erasure of data that the data controller or processor
GDPR The Act
is no longer authorised to retain, irrelevant, excessive or obtained unlawfully.

Principle of accountability Notably, the Draft General Regulation provides some further detail with regards to the right to erasure.

Article 5(2): The controller shall be responsible for, and be able The Act does not specifically define a principle of GDPR The Act
to demonstrate compliance with, paragraph 1 ('accountability'). accountability, although many of its provisions may be
[Paragraph 1 details principles of: lawfulness, fairness and considered to relate to accountability expectations. Grounds for erasure
transparency, purpose limitation, data minimisation, accuracy,
storage limitation, integrity and confidentiality.] Article 17(1): The data subject shall have the right to obtain Section 40(1)(b): A data subject may request a data
from the controller the erasure of personal data concerning controller or data processor to erase or destroy without
Liability of data controllers and data processors him or her without undue delay and the controller shall undue delay personal data that the data controller
have the obligation to erase personal data without undue or data processor is no longer authorised to retain,
Article 82(2): Any controller involved in processing shall Section 65: (1) A person who suffers damage by delay where one of the following grounds applies: irrelevant, excessive or obtained unlawfully.
be liable for the damage caused by processing which reason of a contravention of a requirement of this
infringes this Regulation. A processor shall be liable for Act is entitled to compensation for that damage (a) the personal data are no longer necessary in relation to the Section 12(1) of the Draft General Regulations: Pursuant
the damage caused by processing only where it has not from the data controller or the data processor. purposes for which they were collected or otherwise processed; to section 40(1)(b) of the Act, a data subject has the
complied with obligations of this Regulation specifically right to have their personal data erased if—
directed to processors or where it has acted outside (2) Subject to subsection (1) - (a) a data controller (b) the data subject withdraws consent on which the
or contrary to lawful instructions of the controller. involved in processing of personal data is liable for processing is based according to point (a) of Article (a) the personal data is no longer necessary for the
any damage caused by the processing; and 6(1), or point (a) of Article 9(2), and where there is purpose which it was originally collected;
no other legal ground for the processing;
(b) a data processor involved in processing of personal data (b) the data subject withdraws their consent that was
is liable for damage caused by the processing only if the (c) the data subject objects to the processing pursuant the lawful basis for retaining the personal data;
processor - (i) has not complied with an obligation under the to Article 21(1) and there are no overriding legitimate
Act specifically directed at data processors; or (ii) has acted grounds for the processing, or the data subject objects (c) the data subject objects to the processing of
outside, or contrary to, the data controller's lawful instructions. to the processing pursuant to Article 21(2); their data and there is no overriding legitimate
interest to continue the processing;
(d) the personal data have been unlawfully processed;
(d) the processing of personal data is for direct marketing
(e) the personal data have to be erased for compliance purposes and the individual objects to that processing;
with a legal obligation in Union or Member State
law to which the controller is subject; (e) the processing of personal data has been unlawful
including in breach of the lawfulness requirement; or
(f) the personal data have been collected in relation to the
offer of information society services referred to in Article 8(1). (f) required to comply with a legal obligation.

42 43
43
 GDPR The Act GDPR The Act

Inform data subject of right Format of response

Article 12(1): The controller shall take appropriate measures to Section 26: A data subject has a right – (a) to be informed Article 12(1): The information shall be provided in writing, or Section 40(3): Where a data controller or data processor
provide any information referred to in Articles 13 and 14 and of the use to which their personal data is to be put; by other means, including, where appropriate, by electronic is required to rectify or erase personal data under sub-
any communication under Articles 15 to 22 and 34 relating (b) to access their personal data in custody means. When requested by the data subject, the information section (1), but the personal data is required for the purposes
to processing to the data subject in a concise, transparent, of data controller or data processor; may be provided orally, provided that the identity of the of evidence, the data controller or data processor shall,
intelligible and easily accessible form, using clear and (c) to object to the processing of all or part of their personal data; data subject is proven by other means. instead of erasing or rectifying, restrict its processing
plain language, in particular for any information addressed (d) to correct false or misleading data; and and inform the data subject within a reasonable time.
specifically to a child. The information shall be provided in (e) to delete false or misleading data about them.
writing, or by other means, including, where appropriate, Publicly available data
by electronic means. When requested by the data subject, Section 29: A data controller or data processor shall, before
the information may be provided orally, provided that the collecting personal data, in so far as practicable, inform the data Article 17(2): Where the controller has made the personal Section 40(2)(b): Where the data controller has shared the
identity of the data subject is proven by other means. subject of the rights of data subject specified under Section 26. data public and is obliged pursuant to paragraph 1 to erase personal data with a third party for processing purposes, the
the personal data, the controller, taking account of available data controller or data processor shall take all reasonable
Fees technology and the cost of implementation, shall take steps to inform third parties processing such data, that the
reasonable steps, including technical measures, to inform data subject has requested the erasure or destruction of such

Article 12(5): Information provided under Articles 13 and The Act does not explicitly refer to this topic. controllers which are processing the personal data that the data personal data that the data controller is no longer authorised

14 and any communication and any actions taken under subject has requested the erasure by such controllers of any to retain, irrelevant, excessive or obtained unlawfully.

Articles 15 to 22 and 34 shall be provided free of charge. Section 12(5) of the Draft General Regulations: A compliance links to, or copy or replication of, those personal data.

Where requests from a data subject are manifestly with a request for erasure shall be free of charge.

unfounded or excessive, in particular because of their Exceptions

repetitive character, the controller may either:

Article 17(3): Paragraphs 1 and 2 shall not apply Section 40(3): Where a data controller or data processor
(a) charge a reasonable fee taking into account the to the extent that processing is necessary: is required to rectify or erase personal data under sub-
administrative costs of providing the information or section (1), but the personal data is required for the purposes
communication or taking the action requested; or (a) for exercising the right of freedom of of evidence, the data controller or data processor shall,

expression and information; instead of erasing or rectifying, restrict its processing

(b) refuse to act on the request. The controller shall and inform the data subject within a reasonable time.
bear the burden of demonstrating the manifestly (b) for compliance with a legal obligation which requires
unfounded or excessive character of the request. processing by Union or Member State law to which Section 12(4) of the Draft General Regulations: A

the controller is subject or for the performance of a right of erasure does not apply if processing is

Response timeframe task carried out in the public interest or in the exercise necessary for one of the following reasons –

of official authority vested in the controller;

Section 40(1)(b): A data subject may request a data (a) to exercise the right of freedom of
Article 12(3): The controller shall provide information on
controller or data processor to erase or destroy without (c) for reasons of public interest in the area of expression and information;
action taken on a request under Articles 15 to 22 to the
data subject without undue delay and in any event within undue delay personal data that the data controller public health in accordance with points (h) and
or data processor is no longer authorised to retain, (i) of Article 9(2) as well as Article 9(3); (b) to comply with a legal obligation;
one month of receipt of the request. That period may be
irrelevant, excessive or obtained unlawfully. (c) for the performance of a task carried out in the
extended by two further months where necessary, taking
(d) for archiving purposes in the public interest, scientific public interest or in the exercise of official authority;
into account the complexity and number of the requests. The
controller shall inform the data subject of any such extension Section 12(3) of the Draft General Regulations: A or historical research purposes or statistical purposes in
data controller or data processor shall respond to a accordance with Article 89(1) in so far as the right referred to (d) for archiving purposes in the public interest, scientific
within one month of receipt of the request, together with
request for erasure within 14 days of the request. in paragraph 1 is likely to render impossible or seriously impair research historical research or statistical purposes
the reasons for the delay. Where the data subject makes
the achievement of the objectives of that processing; or where erasure is likely to render impossible or seriously
the request by electronic form means, the information
impair the achievement of that processing; or
shall be provided by electronic means where possible,
unless otherwise requested by the data subject.
(e) for the establishment, exercise or defence of a legal claim.
44 45
45
 GDPR The Act
5.2. Right to be informed
Fairly consistent
Exceptions (cont'd) The GDPR and the Act provide generally similar requirements for providing specific information to a data subject when collecting
data. However, the Act is less explicit in terms of format and intelligibility requirements.
(e) for the establishment, exercise or defence of legal claims.
GDPR The Act
Article 12(5): Information provided under Articles 13 and
14 and any communication and any actions taken under
Informed prior to/ at collection
Articles 15 to 22 and 34 shall be provided free of charge.
Where requests from a data subject are manifestly
Article 13(1): Where personal data relating to a data subject Section 26: A data controller or data processor
unfounded or excessive, in particular because of their
are collected from the data subject, the controller shall, shall, before collecting personal data, in so far
repetitive character, the controller may either:
at the time when personal data are obtained, provide as practicable, inform the data subject of -
the data subject with all of the following information:
(a) charge a reasonable fee taking into account the
(a) the rights of data subject specified under Section 26;
administrative costs of providing the information or
(a) the identity and the contact details of the controller and,
communication or taking the action requested; or
where applicable, of the controller's representative; (b) the fact that personal data is being collected;

(b) refuse to act on the request. The controller shall

(b) the contact details of the data protection (c) the purpose for which the personal data is being collected;
bear the burden of demonstrating the manifestly
officer, where applicable;
unfounded or excessive character of the request.
(d) the third parties whose personal data has been or will be
(c) the purposes of the processing for which the personal data transferred to, including details of safeguards adopted;
The The Act does not provide specific
are intended as well as the legal basis for the processing;
exceptions to a right to erasure.
(e) the contacts of the data controller or data
(d) where the processing is based on point (f) of Article 6(1), the processor and on whether any other entity may
legitimate interests pursued by the controller or by a third party; receive the collected personal data;

(e) the recipients or categories of recipients (f) a description of the technical and organizational
of the personal data, if any; security measures taken to ensure the integrity
and confidentiality of the data;
(f) where applicable, the fact that the controller intends to
transfer personal data to a third country or international (g) the data being collected pursuant to any law and
organisation and the existence or absence of an adequacy whether such collection is voluntary or mandatory; and
decision by the Commission, or in the case of transfers
referred to in Article 46 or 47, or the second subparagraph (h) the consequences if any, where the data subject
of Article 49(1), reference to the appropriate or suitable fails to provide all or any part of the requested data.
safeguards and the means by which to obtain a copy
of them or where they have been made available. Section 4(1) of the Draft General Regulations: Subject to
section 32 of the Act, a data controller or data processor shall,
(2) In addition to the information referred to in paragraph 1, the before processing personal data, inform the data subject ─
controller shall, at the time when personal data are obtained,
provide the data subject with the following further information (a) the nature of personal data to be processed;
necessary to ensure fair and transparent processing:

(b) the scope of personal data to be processed;

(a) the period for which the personal data will be stored, or if
that is not possible, the criteria used to determine that period;

46 4747
 GDPR The Act GDPR The Act

Informed prior to/ at collection (cont'd) When data is from third party

(b) the existence of the right to request from the controller (c) the reasons for processing the required (c) the data subject has consented to the
access to and rectification or erasure of personal data or personal data; and (d) whether the personal data collection from another source;
restriction of processing concerning the data subject or to processed shall be shared with third parties.
object to processing as well as the right to data portability; (d) the data subject has an incapacity, the guardian appointed
[Note: Section 4(2), (3), and (7) of the Draft General has consented to the collection from another source;
(c) where the processing is based on point (a) of Article Regulations provide further details on the manner
6(1) or point (a) of Article 9(2), the existence of the right to of informing data subjects of the above.] (e) the collection from another source would not
withdraw consent at any time, without affecting the lawfulness prejudice the interests of the data subject;
of processing based on consent before its withdrawal;

(f) collection of data from another source is necessary -

(d) the right to lodge a complaint with a supervisory authority;

(i) for the prevention, detection, investigation,

(e) whether the provision of personal data is a statutory prosecution and punishment of crime;
or contractual requirement, or a requirement necessary
to enter into a contract, as well as whether the data (ii) for the enforcement of a law which
subject is obliged to provide the personal data and of the imposes a pecuniary penalty; or
possible consequences of failure to provide such data; (f)
the existence of automated decision-making, including (iii) for the protection of the interests of the
profiling, referred to in Article 22(1) and (4) and, at least data subject or another person.
in those cases, meaningful information about the logic
involved, as well as the significance and the envisaged
Intelligibility requirements
consequences of such processing for the data subject.

Article 12(1): The controller shall take appropriate measures to The Act does not explicitly refer to intelligibility requirements.
What information is to be provided provide any information referred to in Articles 13 and 14 and
any communication under Articles 15 to 22 and 34 relating
See Article 13(1) and (2) above. See Section 26 of the Act above. to processing to the data subject in a concise, transparent,
intelligible and easily accessible form, using clear and

When data is from third party plain language, in particular for any information addressed
specifically to a child. The information shall be provided in
In addition to the information required under Article 13, Whilst the Act does not explicitly provide for notification writing, or by other means, including, where appropriate,
Article 14(2) replaces the requirement that data subjects are requirements when data is collected from a third party, by electronic means. When requested by the data subject,
provided with information on the legitimate interests pursued Section 28 provides: (1) A data controller or data processor the information may be provided orally, provided that the
by the controller or by a third party, with an obligation to shall collect personal data directly from the data subject. identity of the data subject is proven by other means.
inform data subjects of the categories of personal data.
Furthermore, paragraph (e) of Article 13(2) is replaced (2) Despite sub-section (1), personal data Format
with a requirement to inform data subjects of the source may be collected indirectly where -
from which the personal data originate, and if applicable, See Article 12(1) above. The Act does not explicitly refer to format requirements.
whether it came from publicly accessible sources. (a) the data is contained in a public record;

(b) the data subject has deliberately made the data public;

48 49
49
 GDPR The Act 5.3. Right to object Fairly consistent

Exceptions The Act provides a more general concept of the right to object than the GDPR and does not specify associated requirements such
as fees and timeframes. Like the GDPR, however, the Act also establishes obligations regarding restricting processing.
The requirements of Article 13 do not apply where The Act does not explicitly refer to particular exceptions.
the data subject already has the information. Notably, the Draft General Regulation provides some further detail with regards to the right to object.

GDPR The Act

The requirements of Article 14 do not apply where:

(a) the data subject already has the information; Grounds for right to object/ opt out

(b) the provision of such information proves impossible or would Article 21(1): The data subject shall have the right to object, on Section 26: A data subject has a right - […] (c) to object

involve a disproportionate effort, in particular for processing grounds relating to his or her particular situation, at any time to the processing of all or part of their personal data.

for archiving purposes in the public interest, scientific or to processing of personal data concerning him or her which is

historical research purposes or statistical purposes, subject based on point (e) or (f) of Article 6(1), including profiling based Section 36: A data subject has a right to object to the

to the conditions and safeguards referred to in Article 89(1) on those provisions. The controller shall no longer process the processing of their personal data, unless the data controller or

or in so far as the obligation referred to in paragraph 1 of this personal data unless the controller demonstrates compelling data processor demonstrates compelling legitimate interest

Article is likely to render impossible or seriously impair the legitimate grounds for the processing which override the for the processing which overrides the data subject's interests,

achievement of the objectives of that processing. In such interests, rights and freedoms of the data subject or for the or for the establishment, exercise or defence of a legal claim.

cases the controller shall take appropriate measures to establishment, exercise or defence of legal claims.

protect the data subject's rights and freedoms and legitimate Section 8(1) of the Draft General Regulations: Pursuant to

interests, including making the information publicly available; Section 36 of the Act, a data subject may, where a specified
processing may result in an unwarranted interference with their

(c) obtaining or disclosure is expressly laid down by interests or rights, object to such processing by requesting a

Union or Member State law to which the controller is data controller or data processor not to process their personal

subject and which provides appropriate measures to data generally, for specified purpose or in a specified manner.

protect the data subject's legitimate interests; or

Section 8(4) of the Draft General Regulations: The right to

(d) where the personal data must remain confidential subject object applies as an absolute right where the processing of

to an obligation of professional secrecy regulated by Union or personal data is for direct marketing purposes which includes

Member State law, including a statutory obligation of secrecy. profiling to the extent that it is related to such direct marketing.

Withdraw consent

Article 7(3): The data subject shall have the right to Section 32(2): Unless otherwise provided under this Act, a data
withdraw his or her consent at any time. The withdrawal subject shall have the right to withdraw consent at any time.
of consent shall not affect the lawfulness of processing
based on consent before its withdrawal. Prior to giving
consent, the data subject shall be informed thereof. It
shall be as easy to withdraw as to give consent.

Restrict processing

Article 18(1): The data subject shall have the Section 34: (1) A data controller or data processor

right to obtain from the controller restriction of shall, at the request of a data subject, restrict

processing where one of the following applies: the processing of personal data where -
50 5151
 GDPR The Act GDPR The Act

Restrict processing (cont'd) Object to direct marketing

Article 21(3): Where the data subject objects to processing [See Section 36 of the Act above on a general right to object]
(a) the accuracy of the personal data is contested by (a) accuracy of the personal data is contested by
for direct marketing purposes, the personal data shall no
the data subject, for a period enabling the controller the data subject, for a period enabling the data
longer be processed for such purposes. Section 37: (1) A person shall not use, for commercial purposes,
to verify the accuracy of the personal data; controller to verify the accuracy of the data;
personal data obtained pursuant to the provisions of this
(b) personal data is no longer required for the purpose
Act unless the person - (a) has sought and obtained express
(b) the processing is unlawful and the data subject of the processing, unless the data controller or
consent from a data subject; or (b) is authorised to do so under
opposes the erasure of the personal data and data processor requires the personal data for the
any written law and the data subject has been informed of
requests the restriction of their use instead; establishment, exercise or defence of a legal claim;
such use when collecting the data from the data subject.
(c) processing is unlawful and the data subject
(c) the controller no longer needs the personal data opposes the erasure of the personal data and
(2) A data controller or data processor that uses personal
for the purposes of the processing, but they are requests the restriction of their use instead; or
data for commercial purposes shall, where possible,
required by the data subject for the establishment, (d) data subject has objected to the processing, pending
anonymise the data in such a manner as to ensure
exercise or defence of legal claims; verification as to whether the legitimate interests of the data
that the data subject is no longer identifiable.
controller or data processor overrides those of the data subject.
(d) the data subject has objected to processing pursuant to Section 7(3) of the Draft General Regulations: A data controller
(3) The Cabinet Secretary, in consultation with the Data
Article 21(1) pending the verification whether the legitimate or data processor shall upon receiving the request —
Commissioner, may prescribe practice guidelines for
grounds of the controller override those of the data subject. (a) consider the restriction request;
commercial use of personal data in accordance with this Act.
(b) respond, in writing, to the data subject within fourteen
days from the date of receiving the request;
Section 8(4) of the Draft General Regulations:
(c) indicate on its system that the processing of
The right to object to processing applies —
personal data has been restricted; and
(d) notify any relevant third party where personal data
(a) as an absolute right where the processing of
subject to such restriction may have been shared.
personal data is for direct marketing purposes; […].
Section 7(4) of the Draft General Regulations: A
data controller or a data processor may implement
[Note: Section 18 of the Draft General Regulations provides
a restriction to processing request by —
further details on the right to object to direct marketing.]
(a) temporarily moving the personal data
to another processing system;
(b) making the personal data unavailable to third parties; or Inform data subject of right
(c) temporarily removing published data from
a website or other public medium. See Article 12(1) in section 5.1. above. In addition, Section 29: A data controller or data processor
Section 7(5) of the Draft General Regulations: Where a data Article 21(4) provides: At the latest at the time of the first shall, before collecting personal data, in so far as
controller or data processor declines to comply with a request communication with the data subject, the right referred practicable, inform the data subject of - (a) the rights
for restriction in processing, it shall within seven days notify the to in paragraphs 1 and 2 shall be explicitly brought to of data subject specified under Section 26.
data subject of such decline giving reasons for the decision. the attention of the data subject and shall be presented
clearly and separately from any other information.

52 53
53
 GDPR The Act 5.4. Right of access Fairly inconsistent

Fees While the Act establishes a right of access in Section 26, it does not provide further requirements or clarify the processes for
exercising this right.
See Article 12(5) in section 5.1. above. The Act does not explicitly address this topic.

Notably, the Draft General Regulation provides some further detail with regards to the right of access.
Section 8(6) of the Draft General Regulations: A data
controller or data processor shall, without charging GDPR The Act
any fee, comply with a request to object processing
within fourteen days of the receipt of the request. Grounds for right of access

Response timeframe Article 15(1): The data subject shall have the right to obtain Section 26: A data subject has a right - […] to access their
from the controller confirmation as to whether or not personal personal data in custody of data controller or data processor.
data concerning him or her are being processed.
See Article 12(3) in section 5.1. above. The Act does not explicitly address this topic.

Section 8(6) of the Draft General Regulations: A data Information to be accessed

controller or data processor shall, without charging
any fee, comply with a request to object processing Article 15(1): The data subject shall have the right to The Act does not explicitly refer to the

within fourteen days of the receipt of the request. obtain from the controller confirmation as to whether information that can be accessed.
or not personal data concerning him or her are being

Format of response processed, and, where that is the case, access to

the personal data and the following information:

See Article 12(1) in section 5.1. above. The Act does not explicitly address this topic. Section 9(1) of the Draft General Regulations: A data subject
(a) the purposes of the processing; has a right to obtain from the data controller or data processor
confirmation as to whether or not personal data concerning
Exceptions
(b) the categories of personal data concerned; them is being processed, and where that is the case,
access to the personal data and the information as to -
See Article 12(5) in section 5.1. above. The Act does not specific exceptions for the right to object.
(c) the recipients or categories of recipient to whom the
personal data have been or will be disclosed, in particular (a) the purposes of the processing;
Section 8(5) of the Draft General Regulations: Where the
recipients in third countries or international organisations;
right to object is not absolute in circumstances contemplated
(b) the categories of personal data concerned;
under paragraph (4)(b), the data subject shall demonstrate —
(d) where possible, the envisaged period for which
the personal data will be stored, or, if not possible, (c) the recipients or categories of recipient to whom
(a) compelling legitimate grounds for the processing, which
the criteria used to determine that period; the personal data have been or will be disclosed,
override the interests, rights and freedoms of the individual; or
including recipients in other countries or territories;
(e) the existence of the right to request from the
(b) the processing is for the establishment,
controller rectification or erasure of personal data or (d) where possible, the envisaged period for which
exercise or defence of a legal claim.
restriction of processing of personal data concerning the personal data may be stored, or, if not possible,
the data subject or to object to such processing; the criteria used to determine that period; and

(e) where the personal data is not collected from the data
subject, any available information as to the source of collection.

54 5555
 GDPR The Act GDPR The Act

Information to be accessed (cont'd) Response timeframe

(f) the right to lodge a complaint with a supervisory authority;

See Article 12(3) in section 5.1. above. The Act does not explicitly refer to this topic.

(g) where the personal data are not collected from the data
Section 9(4) of the Draft General Regulations: A data
subject, any available information as to their source; and
controller or a data processor shall comply with a
request by a data subject to access their personal
(h) the existence of automated decision-making, including
data within seven days of the of the request.
profiling, referred to in Article 22(1) and (4) and, at least in
those cases, meaningful information about the logic involved,
as well as the significance and the envisaged consequences
Format of response
of such processing for the data subject.
See Article 12(1) in section 5.1. above. The Act does not explicitly refer to this topic.

Inform data subject of right

Section 9(5) of the Draft General Regulations: Where the data
subject makes the request by electronic means, and unless
See Article 12(1) in section 5.1. Section 29: A data controller or data processor
otherwise requested by the data subject, the information
shall, before collecting personal data, in so far as
shall be provided in a commonly used electronic form.
practicable, inform the data subject of - (a) the rights
of data subject specified under Section 26.
Exceptions

Fees See Article 12(5) in section 5.1. above. The Act does not explicitly refer to
exceptions to the right to access.
See Article 12(5) in section 5.1. above. The Act does not explicitly refer to fees for access.

Section 9(6) of the Draft General Regulations: A compliance with

a request for access to personal data shall be free of charge.

Verify data subject request

Recital 64: The controller should use all reasonable measures The Act does not explicitly refer to identity verification
to verify the identity of a data subject who requests access, in for general access. See Section 33 above in
particular in the context of online services and online identifiers. regard to age verification for children's data.
A controller should not retain personal data for the sole
purpose of being able to react to potential requests.

56 57 57
5.5. Right not to be subject to 5.6. Right to data portability
Consistent Inconsistent
discrimination The Act establishes a right to data portability with many similarities to the GDPR. A primary difference is that the Act frames this right
in broader terms.
The GDPR and the Act provide similarly for the regulation of automated processing by stipulating that data subjects have a right not
to be subject to decisions made solely through automated processing which significantly affects the data subject.
Notably, the Draft General Regulation provides some further detail with regards to the right to data portability.

GDPR The Act

GDPR The Act
Grounds for portability
Definition of right
Article 20(1): The data subject shall have the right to receive Section 38: (1) A data subject has the right to receive
The GDPR only implies this right and does The Act only implies this right and does not the personal data concerning him or her, which he or she has personal data concerning them in a structured,
not provide an explicit definition for it. provide an explicit definition for it. provided to a controller, in a structured, commonly used and commonly used and machine-readable format.
machine-readable format and have the right to transmit those

Automated processing data to another controller without hindrance from the controller (2) A data subject has the right to transmit the data
to which the personal data have been provided, where: obtained under sub-section (1), to another data
controller or data processor without any hindrance.
Article 22(1): The data subject shall have the right not to be Article 35(1): Every data subject has a right not to be subject
(a) the processing is based on consent pursuant to
subject to a decision based solely on automated processing, to a decision based solely on automated processing,
point (a) of Article 6(1) or point (a) of Article 9(2) or on Section 12(1) of the Draft General Regulations:
including profiling, which produces legal effects concerning including profiling, which produces legal effects concerning
a contract pursuant to point (b) of Article 6(1); and Pursuant to Section 38 of the Act, a data subject may
him or her or similarly significantly affects him or her. [Article 22 or significantly affects the data subject. [Article 35
apply to port or copy their personal data from one
goes on to detail this right, including exceptions] goes on to detail this right, including exceptions]
(b) the processing is carried out by automated means. data controller or data processor to another.

Inform data subject of right

See Article 12(1) in section 5.1. The Act does not explicitly refer to informing data
subjects about their right to data portability.

Fees

See Article 12(5) in section 5.1. above. Section 38(6): A data controller or data processor
shall comply with data portability requests, at
reasonable cost and within a period of thirty days.

Section 11(4) of the Draft General Regulations: Where a fee is

charged under paragraph (2), the fee shall be reasonable and
not exceed the actual cost incurred to actualise the request.

Response timeframe

See Article 12(3) in section 5.1. above. Section 38(6): A data controller or data processor
shall comply with data portability requests, at
reasonable cost and within a period of thirty days.

59
58 59
 GDPR
Response timeframe
The Act
6. Enforcement Fairly inconsistent

See Article 12(3) in section 5.1. above. Section 11(3) of the Draft General Regulations: The data 6.1. Monetary penalties
controller or data processor shall within thirty days from the
date of receipt of the request and upon payment of any charge There are several similarities between the GDPR and the Act, including the provisions of monetary penalties and the types of
port personal data to the data subject’s choice of recipient. mitigating factors that can be taken into account. However, key differences between the pieces of legislation are that the Act
provides for potential prison terms, that individuals may be held liable for offences, and that the amount of fines that may be issued
Section 11(6) of the Draft General Regulations: Where a data differ.
controller or data processor declines the portability request,
it shall within seven days notify, in writing, the data subject GDPR The Act
of the decision and the reasons for such decline in writing.

Provides for monetary penalties

Format
The GDPR provides for monetary penalties. The Act provides for monetary penalties.

See Article 20(1) above. See Section 38(1) of the Act above.

Issued by
Controller to controller
Article 58(2) Each supervisory authority shall Sections 61 and 63 provide that the Data Protection
Article 20(2): In exercising his or her right to data portability Section 38(3): Where technically possible, the data subject have all of the following corrective powers: Commissioner has the power to issue fines.
pursuant to paragraph 1, the data subject shall have the shall have the right to have the personal data transmitted
right to have the personal data transmitted directly from one directly from one data controller or processor to another. […] (i): to impose an administrative fine pursuant to Article 83, in
controller to another, where technically feasible. addition to, or instead of measures referred to in this paragraph,
depending on the circumstances of each individual case.

Technically feasible
Fine maximum
See Article 20(2) above. See Section 38(3) of the Act above.
Article 83(5): infringements of the following provisions Section 61: A person who, in relation to the
shall, in accordance with paragraph 2, be subject to exercise of a power conferred by Section 9 -
Exceptions administrative fines up to 20 000 000 EUR, or in the case (a) obstructs or impedes the Data Commissioner
of an undertaking, up to 4 % of the total worldwide annual in the exercise of their powers;
See Article 12(5) in section 5.1. above. Section 38(7): Where the portability request is complex
turnover of the preceding financial year, whichever is higher: (b) fails to provide assistance or information
or numerous, the period under sub-section (6) may be
(a) the basic principles for processing, including conditions requested by the Data Commissioner;
extended for a further period as may be determined
for consent, pursuant to Articles 5, 6, 7 and 9; (c) refuses to allow the Data Commissioner to
in consultation with the Data Commissioner.
(b) the data subjects' rights pursuant to Articles 12 to 22; enter any premises or to take any person with
(c) the transfers of personal data to a recipient in a third country them in the exercise of their functions;
Section 11(7) of the Draft General Regulations: The exercise
or an international organisation pursuant to Articles 44 to 49; (d) gives to the Data Commissioner any information which
of the right to data portability by a data subject shall not
(d) any obligations pursuant to Member State is false or misleading in any material aspect, commits an
negate the rights of a data subject provided under the Act.
law adopted under Chapter IX; offence and is liable on conviction to a fine not exceeding
(e) non-compliance with an order or a temporary or definitive 5,000,000 shillings [approx. €38,000], or to imprisonment
limitation on processing or the suspension of data flows for a term not exceeding two years, or to both.
by the supervisory authority pursuant to Article 58(2) or Section 63: In relation to an infringement of a provision of
failure to provide access in violation of Article 58(1). this Act, the maximum amount of the penalty that may be

60 61
 GDPR The Act GDPR The Act

Fine maximum (cont'd) Mitigating factors (cont'd)

(6) Non-compliance with an order by the supervisory authority imposed by the Data Commissioner in a penalty notice (g) the categories of personal data affected by the infringement;
as referred to in Article 58(2) shall, in accordance with is up to 5,000,000 shillings [approx. €38,000], or in the
paragraph 2 of this Article, be subject to administrative fines case of an undertaking, up to 1% of its annual turnover (h) the manner in which the infringement became known to the
up to 20 000 000 EUR, or in the case of an undertaking, of the preceding financial year, whichever is lower. supervisory authority, in particular whether, and if so to what
up to 4 % of the total worldwide annual turnover of extent, the controller or processor notified the infringement;
the preceding financial year, whichever is higher.
(i) where measures referred to in Article 58(2) have

Percentage of turnover previously been ordered against the controller or

processor concerned with regard to the same subject-

Under Article 83(4), (5), and (6), fines may be issued Under Section 63, in the case of an undertaking, matter, compliance with those measures;

that equate to 2% or 4% of the total worldwide annual fines may be issued that equate to up to 1% of its
turnover of the preceding financial year. annual turnover of the preceding financial year. (j) adherence to approved codes of conduct
pursuant to Article 40 or approved certification
mechanisms pursuant to Article 42; and
Mitigating factors
(k) any other aggravating or mitigating factor applicable to the
Article 83(2): When deciding whether to impose Section 62(2): In deciding whether to give a penalty notice
circumstances of the case, such as financial benefits gained,
an administrative fine and deciding on the amount to a person and determining the amount of the penalty, the
or losses avoided, directly or indirectly, from the infringement.
of the administrative fine in each individual case Data Commissioner shall, so far as relevant, have regard -
due regard shall be given to the following:
(a) to the nature, gravity and duration of the failure;
Imprisonment
(a) the nature, gravity and duration of the infringement
Not applicable. Section 58(3): Any person who, without reasonable
taking into account the nature scope or purpose of the (b) to the intentional or negligent character of the failure;
excuse, fails to comply with an enforcement notice
processing concerned as well as the number of data subjects
commits an offence and is liable on conviction to a fine
affected and the level of damage suffered by them; (c) to any action taken by the data controller or data processor
not exceeding five million shillings or to imprisonment
to mitigate the damage or distress suffered by data subjects;
for a term not exceeding two years, or to both.
(b) the intentional or negligent character of the infringement;
(d) to the degree of responsibility of the data
Section 61: A person who, in relation to the
(c) any action taken by the controller or processor to controller or data processor, taking into account
exercise of a power conferred by section 9 -
mitigate the damage suffered by data subjects; technical and organisational measures;

(a) obstructs or impedes the Data Commissioner

(d) the degree of responsibility of the controller or processor (e) to any relevant previous failures by the data controller
in the exercise of their powers;
taking into account technical and organisational measures or data processor; to the degree of co-operation with the
implemented by them pursuant to Articles 25 and 32; Data Commissioner, in order to remedy the failure and
(b) fails to provide assistance or information
mitigate the possible adverse effects of the failure;
requested by the Data Commissioner;
(e) any relevant previous infringements
by the controller or processor; (g) to the categories of personal data affected by the failure;
(c) refuses to allow the Data Commissioner to
enter any premises or to take any person with
(f) the degree of cooperation with the supervisory (h) to the manner in which the infringement became
them in the exercise of their functions;
authority, in order to remedy the infringement and mitigate known to the Data Commissioner, including whether, and
the possible adverse effects of the infringement; if so to what extent, the data controller or data processor
(d) gives to the Data Commissioner any information which
notified the Data Commissioner of the failure;
is false or misleading in any material aspect, commits
an offence and is liable on conviction to a fine

62 63
 GDPR The Act 6.2. Supervisory authority
Fairly consistent
Imprisonment
Imprisonment The scope, general powers, and tasks assigned to data protection authorities under the GDPR and the Act are largely similar. There
is, however, a significant difference in the level of detail provided to describe and regulate these powers.
Section 73: A person who commits an offence under
this Act for which no specific penalty is provided or who
otherwise contravenes this Act shall, on conviction, be GDPR The Act
liable to a fine not exceeding three million shillings or to an
imprisonment term not exceeding ten years, or to both. Provides for data protection authority

Article 51(1): Each Member State shall provide for one or Section 5(1): There is established the office of the Data
DPO liability
more independent public authorities to be responsible for Protection Commissioner which shall be a body corporate
monitoring the application of this Regulation, in order to protect with perpetual succession and a common seal.
Not applicable. See above for liability of persons.
the fundamental rights and freedoms of natural persons
in relation to processing and to facilitate the free flow of
personal data within the Union ('supervisory authority').

Investigatory powers

Article 58(1): Each supervisory authority shall have Section 9: The Data Commissioner shall have power to -
all of the following investigative powers:
(a) conduct investigations on own initiative, or on the basis
(a) to order the controller and the processor, and, of a complaint made by a data subject or a third party;
where applicable, the controller's or the processor's
representative to provide any information it (b) obtain professional assistance, consultancy or advice
requires for the performance of its tasks; from such persons or organisations whether within or
outside public service as considered appropriate;
(b) to carry out investigations in the form
of data protection audits; (c) facilitate conciliation, mediation and negotiation
on disputes arising from this Act;
(c) to carry out a review on certifications
issued pursuant to Article 42(7); (d) issue summons to a witness for the purposes of investigation;

(d) to notify the controller or the processor of an (e) require any person that is subject to this
alleged infringement of this Regulation; Act to provide explanations, information and
assistance in person and in writing;
(e) to obtain, from the controller and the processor,
access to all personal data and to all information (f) impose administrative fines for failures to comply with this Act;
necessary for the performance of its tasks;
(g) undertake any activity necessary for the fulfilment
(f) to obtain access to any premises of the of any of the functions of the Office; and
controller and the processor, including to any data
processing equipment and means, in accordance (h) exercise any powers prescribed by any other legislation.
with Union or Member State procedural law.
Part II of the Draft Enforcement Regulations further
outlines the procedure for handling complaints.

64 65
 GDPR The Act GDPR The Act

Corrective powers Corrective powers (cont'd)

Article 58(2): Each supervisory authority shall Under Sections 9, 58, 62, 63, and 66, the Data (i) to impose an administrative fine pursuant to Article 83, in

have all of the following corrective powers: Protection Commissioner has the power to: addition to, or instead of measures referred to in this paragraph,
depending on the circumstances of each individual case;

(a) to issue warnings to a controller or processor (a) issue enforcement notices;

that intended processing operations are likely (j) to order the suspension of data flows to a recipient

to infringe provisions of this Regulation; (b) issue penalty notices; in a third country or to an international organisation.

(b) to issue reprimands to a controller or a (c) administrative fines; and Authorisation/ advisory powers
processor where processing operations have
infringed provisions of this Regulation; (d) apply for a preservation order. Article 58(3): Each supervisory authority shall have all Section 9: The Data Commissioner shall have power to -
of the following authorisation and advisory powers:

(c) to order the controller or the processor to comply Part III of the Draft Enforcement Regulations specifies […] (b) obtain professional assistance, consultancy or
with the data subject's requests to exercise his the requirements for issuing enforcement notices. (a) to advise the controller in accordance with the prior advice from such persons or organisations whether within
or her rights pursuant to this Regulation; consultation procedure referred to in Article 36; or outside public service as considered appropriate;

(d) to order the controller or processor to bring (b) to issue, on its own initiative or on request, opinions to (c) facilitate conciliation, mediation and negotiation
processing operations into compliance with the the national parliament, the Member State government on disputes arising from this Act;
provisions of this Regulation, where appropriate, in a or, in accordance with Member State law, to other

specified manner and within a specified period; institutions and bodies as well as to the public on any […] (e) require any person that is subject to this
issue related to the protection of personal data; Act to provide explanations, information and
(e) to order the controller to communicate a assistance in person and in writing;
personal data breach to the data subject; (c) to authorise processing referred to in Article 36(5), if the
law of the Member State requires such prior authorisation; […] (g) undertake any activity necessary for the
(f) to impose a temporary or definitive limitation fulfilment of any of the functions of the Office; and
including a ban on processing; (d) to issue an opinion and approve draft codes
of conduct pursuant to Article 40(5); (h) exercise any powers prescribed by any other legislation.
(g) to order the rectification or erasure of personal
data or restriction of processing pursuant to Articles (e) to accredit certification bodies pursuant to Article 43;

16, 17 and 18 and the notification of such actions to

recipients to whom the personal data have been (f) to issue certifications and approve criteria of

disclosed pursuant to Article 17(2) and Article 19; certification in accordance with Article 42(5);

(h) to withdraw a certification or to order the certification body (g) to adopt standard data protection clauses referred

to withdraw a certification issued pursuant to Articles 42 and 43, to in Article 28(8) and in point (d) of Article 46(2);

or to order the certification body not to issue certification if the

requirements for the certification are not or are no longer met; (h) to authorise contractual clauses referred
to in point (a) of Article 46(3);

(i) to authorise administrative arrangements

referred to in point (b) of Article 46(3);

(j) to approve binding corporate rules pursuant to Article 47.

66 67
 GDPR The Act GDPR The Act

Tasks of authority Tasks of authority (cont'd)

Article 57(1): Without prejudice to other tasks set out under this Section 8: The Office shall - the development of information and communication (2) The Office of the Data Commissioner may,
Regulation, each supervisory authority shall on its territory: technologies and commercial practices; in the performance of its functions collaborate
(a) oversee the implementation of and be with the national security organs.
(a) monitor and enforce the application of this Regulation; responsible for the enforcement of this Act; (j) adopt standard contractual clauses referred to in
Article 28(8) and in point (d) of Article 46(2); (3) The Data Commissioner shall act independently in exercise
(b) promote public awareness and understanding (b) establish and maintain a register of data of powers and carrying out of functions under this Act.
of the risks, rules, safeguards and rights in relation controllers and data processors; (k) establish and maintain a list in relation to the requirement for
to processing. Activities addressed specifically data protection impact assessment pursuant to Article 35(4);
to children shall receive specific attention; (c) exercise oversight on data processing operations,
either of own motion or at the request of a data (l) give advice on the processing operations
(c) advise, in accordance with Member State law, subject, and verify whether the processing of referred to in Article 36(2);
the national parliament, the government, and other data is done in accordance with this Act;
institutions and bodies on legislative and administrative (m) encourage the drawing up of codes of conduct
measures relating to the protection of natural persons' (d) promote self-regulation among data pursuant to Article 40(1) and provide an opinion
rights and freedoms with regard to processing; controllers and data processors; and approve such codes of conduct which provide
sufficient safeguards, pursuant to Article 40(5);
(d) promote the awareness of controllers and processors (e) conduct an assessment, on its own initiative of a public or
of their obligations under this Regulation; private body, or at the request of a private or public body for (n) encourage the establishment of data protection
the purpose of ascertaining whether information is processed certification mechanisms and of data protection seals
(e) upon request, provide information to any data subject according to the provisions of this Act or any other relevant law; and marks pursuant to Article 42(1), and approve the
concerning the exercise of their rights under this Regulation criteria of certification pursuant to Article 42(5);
and, if appropriate, cooperate with the supervisory (f) receive and investigate any complaint by any person
authorities in other Member States to that end; on infringements of the rights under this Act; (o) where applicable, carry out a periodic review of
certifications issued in accordance with Article 42(7);
(f) handle complaints lodged by a data subject, or by a (g) take such measures as may be necessary to bring the
body, organisation or association in accordance with Article provisions of this Act to the knowledge of the general public; (p) draft and publish the criteria for accreditation of a
80, and investigate, to the extent appropriate, the subject body for monitoring codes of conduct pursuant to Article
matter of the complaint and inform the complainant of the (h) carry out inspections of public and private entities with 41 and of a certification body pursuant to Article 43;
progress and the outcome of the investigation within a a view to evaluating the processing of personal data;
reasonable period, in particular if further investigation or (q) conduct the accreditation of a body for monitoring
coordination with another supervisory authority is necessary; (i) promote international cooperation in matters relating to data codes of conduct pursuant to Article 41 and of a
protection and ensure country's compliance on data protection certification body pursuant to Article 43;
(g) cooperate with, including sharing information obligations under international conventions and agreements;
and provide mutual assistance to, other supervisory (r) authorise contractual clauses and
authorities with a view to ensuring the consistency of (j) undertake research on developments in data provisions referred to in Article 46(3);
application and enforcement of this Regulation; processing of personal data and ensure that
there is no significant risk or adverse effect of any (s) approve binding corporate rules pursuant to Article 47;
(h) conduct investigations on the application of this developments on the privacy of individuals; and
Regulation, including on the basis of information received (t) contribute to the activities of the Board;
from another supervisory authority or other public authority; (k) perform such other functions as may be prescribed by any
other law or as necessary for the promotion of object of this Act. (u) keep internal records of infringements of this Regulation
(i) monitor relevant developments, insofar as they have an and of measures taken in accordance with Article 58(2); and
impact on the protection of personal data, in particular

68 69
 GDPR The Act 6.3. Civil remedies for individuals
Fairly consistent
Tasks of authority (cont'd) Both the GDPR and the Act provide for data subjects to seek compensation or judicial remedy if they have suffered material
or non-material damage. Similarly, both legislative frameworks establish that data processors may be held liable under certain
(v) fulfil any other tasks related to the circumstances and do not specify an amount for damages. The GDPR and the Act differ, though, in relation to the capacity to
protection of personal data. mandate another body to act as representative for the data subject.

Annual report GDPR The Act

Article 59: Each supervisory authority shall draw up Section 70: The Data Commissioner shall, within three Provides for claims/ cause of action
an annual report on its activities, which may include months after the end of each financial year, prepare and
a list of types of infringement notified and types of submit to the Cabinet Secretary a report of the operations Article 79: Without prejudice to any available administrative or Section 56: A data subject who is aggrieved by a decision
measures taken in accordance with Article 58(2). Those of the Office for the immediately preceding year. non-judicial remedy, including the right to lodge a complaint of any person under this Act may lodge a complaint with
reports shall be transmitted to the national parliament, with a supervisory authority pursuant to Article 77, each data the Data Commissioner in accordance with this Act.
the government and other authorities as designated subject shall have the right to an effective judicial remedy where
by Member State law. They shall be made available to he or she considers that his or her rights under this Regulation Section 65: A person who suffers damage by
the public, to the Commission and to the Board. have been infringed as a result of the processing of his or her reason of a contravention of a requirement of this
personal data in non-compliance with this Regulation. Act is entitled to compensation for that damage
from the data controller or the data processor.

Section 58 of the Draft General Regulations: A person

aggrieved by any decision under the Regulation or
noncompliance with any with any provision may lodge
a complaint with the Data Commissioner in accordance
with the Act and the Regulations made thereunder.

Material and non-material damage

Article 82(1): Any person who has suffered material or non- Section 65(4): 'damage' includes financial loss and
material damage as a result of an infringement of this Regulation damage not involving financial loss, including distress.
shall have the right to receive compensation from the
controller or processor for the damage suffered.

Mandate for representation

Article 80(1): The data subject shall have the right to mandate The Act does not explicitly refer to mandates for representation.
a not-for-profit body, organisation or association which has
been properly constituted in accordance with the law of
a Member State, has statutory objectives which are in the
public interest, and is active in the field of the protection
of data subjects' rights and freedoms with regard to the
protection of their personal data to lodge the complaint on
his or her behalf, to exercise the rights referred to in Articles
77, 78 and 79 on his or her behalf, and to exercise the right
to receive compensation referred to in Article 82 on his
or her behalf where provided for by Member State law.

70 71
 GDPR The Act
Specifies amount for damages

Not applicable. Not applicable.

Processor liability

Article 82(2): Any controller involved in processing shall Section 65(2): Subject to subsection (1) -
be liable for the damage caused by processing which
infringes this Regulation. A processor shall be liable for (a) a data controller involved in processing of personal data
the damage caused by processing only where it has not is liable for any damage caused by the processing; and
complied with obligations of this Regulation specifically
directed to processors or where it has acted outside (b) a data processor involved in processing of
or contrary to lawful instructions of the controller. personal data is liable for damage caused by
the processing only if the processor -

(i) has not complied with an obligation under the

Act specifically directed at data processors; or

(ii) has acted outside, or contrary to, the

data controller's lawful instructions.

Exceptions

Article 82(3): A controller or processor shall be exempt from Section 65(3): A data controller or data processor is not
liability under paragraph 2 if it proves that it is not in any way liable in the manner specified in subsection (2) if the data
responsible for the event giving rise to the damage. controller or data processor proves that they are not in any
way responsible for the event giving rise to the damage.

72