The Compliance Brief
A new ODPC guidance note spells out exactly how cross-border data transfers must work. If your business uses a foreign cloud provider, runs multinational payroll, or works with international partners, this affects you today — not eventually.
Cross-border data flow is routine business activity — and in Kenya, it is also a regulated one. The Office of the Data Protection Commissioner has published a comprehensive Guidance Note on Cross-Border Data Transfers, building on the Data Protection Act, 2019. Here is what it actually requires, in the order you'll need to act on it.
Part VI of the Data Protection Act — Sections 48 to 50 — is the entire spine of this framework. Three sections, three very different obligations.
Sets the baseline: transfer only proceeds where "appropriate safeguards" can be proven to the Data Commissioner.
Stricter rules apply — explicit consent becomes mandatory on top of safeguards.
Data in the "strategic interest of the state" must stay on servers physically located in Kenya.
Every lawful transfer takes one of four routes. Only one is currently unavailable in practice — and it's the one that sounds easiest.
A Data Commissioner finding that a country's protections are essentially equivalent to Kenya's. No such list has been published yet — so this route doesn't exist in practice for now.
Legally binding protections built into the transfer itself.
Narrow, situational exceptions — contract performance, public interest, legal claims, vital interests, or compelling legitimate interest that doesn't override the data subject's rights.
The fallback route: the data subject is informed of the risks and agrees anyway. Mandatory — not optional — for sensitive personal data.
With adequacy decisions off the table, almost every serious transfer today runs on Lane B — safeguards you build and document yourself, not a status Kenya grants your destination country.
Race, health status, ethnicity, genetic and biometric data, sexual orientation, marital and family details — Section 49 stacks two requirements rather than offering a choice.
Informed, specific agreement from the data subject, after disclosure of the risks involved.
Proof that appropriate technical and legal protections are in place at the receiving end.
Identifying a legal basis is step one. The ODPC's guidance expects an operational layer on top of it.
A written transfer agreement should cover:
Unfettered access to verify the recipient's data protection systems.
Clearly defined security measures for confidentiality, integrity and availability.
Who's responsible, and for what, if something goes wrong.
A clear mechanism for handling data subject requests at the recipient end.
Section 50 carves out six categories of data considered strategically important to the state — for these, at least one serving copy must stay on a server physically located in Kenya.
Identify every point personal data leaves Kenya — SaaS tools, cloud services, international partners.
For each flow, determine which of the four lanes applies, and document the justification.
Put Standard Contractual Clauses or Binding Corporate Rules in place where Lane B is your route.
Track the guidance as it firms up, and watch for the eventual adequacy list.
Cross-border transfer compliance in Kenya isn't a box-ticking exercise you complete once — it's an operating discipline. Every new SaaS tool, every new international hire, every new partner integration is a fresh transfer that needs a lane, a safeguard, and a paper trail. Businesses that build this into procurement now will move faster later; those that don't will find their most ordinary vendor decisions turning into compliance reviews.
The ODPC's note is guidance, not yet a finalised adequacy framework. The list of adequate countries — when published — will be the single biggest change to how this works. Until then, appropriate safeguards remain the default route.
Cross-border transfer rules are one of the areas the ODPC scrutinises most closely — and one of the easiest to get wrong if your contracts, consent language, or adequacy assessments haven't been reviewed since the guidance changed.
Muchangi Patrick & Co. Advocates advises businesses using foreign cloud providers, SaaS tools, or group-company data sharing on structuring lawful cross-border transfers under Kenya's Data Protection Act. If your business moves personal data outside Kenya, we can help you close the gap.
Muchangi Patrick & Co. Advocates advises fintechs, startups, corporates and institutions on data protection and data privacy compliance across Kenya — from ODPC registration and DPIAs to outsourced DPO services and cross-border data transfer advisory. If the issues raised above touch your business, we can help you get ahead of them.