
Data Processing Agreements Under the Kenya DPA 2019: What Section 42 Requires

Dira Compliance Team

Every time your organisation shares personal data with a third party that processes it on your behalf - a cloud provider, a payroll bureau, a marketing platform, an analytics service - you are engaging a data processor. Section 42 of the Kenya Data Protection Act 2019 requires that relationship to be governed by a written contract with specific mandatory content.

Most organisations have gaps here. They onboard vendors through standard procurement processes, sign the vendor's own terms, and assume that covers their obligations. It does not. Your obligations under section 42 are not transferred to the vendor by signing their terms - they remain yours.

Controller vs. Processor: The Distinction That Matters

A data controller determines the purposes and means of processing personal data. The controller decides why and how data is processed. The Kenya DPA 2019 places primary accountability on the controller.

A data processor processes personal data on behalf of a controller, acting on the controller's instructions. The processor does not determine the purpose of processing - it carries out the controller's instructions.

Common processors your organisation may engage include:

Processor type              Examples
Cloud infrastructure        AWS, Google Cloud, Azure
Payroll and HR platforms    Workday, Sage HR, local payroll bureaux
Email marketing platforms   Mailchimp, Brevo, HubSpot
Analytics and tracking      Google Analytics, Mixpanel
Customer support platforms  Zendesk, Freshdesk, Intercom
Payment processors          Pesapal, iPay, Stripe

If a third party processes personal data solely on your instructions, for your purposes, they are a processor, and you need a written contract that meets section 42. Be aware that some vendors act as independent controllers for part of what they do (a payment processor's own fraud screening or regulatory reporting, for example); those activities fall outside the section 42 contract, but the vendor must still have its own lawful basis for them and your agreement should state which activities are which.

When Is a DPA Required?

Section 42(1) is direct: processing by a processor must be governed by a contract or other legal act. There is no threshold on volume, sensitivity, or duration. If you engage a processor, you need a compliant contract.

This applies regardless of whether the processor is a large multinational cloud provider or a local sole trader, whether they process a large dataset or a small one, or whether they are located in Kenya or abroad.

Many processors - particularly international SaaS platforms - offer their own Data Processing Addendum or data processing terms. Review these carefully against the section 42 requirements. A vendor's standard DPA may satisfy GDPR requirements without fully addressing the Kenya DPA 2019 - particularly on cooperation with the Office of the Data Protection Commissioner (ODPC) and the response timeframes for Kenyan data subject rights.

What the DPA Must Contain

Section 42(2) sets out the mandatory content of a data processing agreement. The contract must require the processor to meet the following obligations.

Process data only on documented controller instructions. The processor may only process personal data for the purposes and in the manner the controller has documented. Processing outside those instructions - even if the processor believes it would be beneficial - is a breach of both the contract and the Act. The instructions must be specific: what data, for what purposes, in what manner, for how long. "Process data to provide the service" is not sufficiently specific.

Ensure authorised persons are bound by confidentiality. Everyone in the processor's organisation who handles your data - engineers, support staff, contractors - must be bound by confidentiality obligations. This is typically achieved through employment contracts or individual non-disclosure agreements. The processor's obligation is to ensure those arrangements exist, not merely to assert that staff understand the concept.

Implement appropriate technical and organisational security measures. The processor must implement security measures appropriate to the risk of the processing. The DPA should name the concrete controls you require - encryption in transit and at rest, access control and logging, patching and vulnerability management, penetration testing at a stated frequency - and the evidence the processor must produce to demonstrate them, such as a current ISO 27001 certificate with its scope, or a recent penetration test summary. "Industry-standard security" without a stated control set or evidence requirement gives you nothing to verify against.

Assist with data subject requests. Where a data subject exercises their rights under the Kenya DPA 2019 - access (s.26), erasure (s.40), portability (s.38), rectification (s.40), objection (s.36) - the processor must assist the controller in fulfilling those requests. In practice: the processor must be able to search for, export, correct, and delete a specific individual's data on the controller's instruction, within the statutory timeframes set by the Data Protection (General) Regulations, 2021. Check that this is technically possible before signing: a processor whose backups or logs cannot be selectively purged cannot meet an erasure instruction, and the DPA should say how such copies are handled.

Assist with breach notification, DPIAs, and ODPC consultation. The processor must support the controller's obligations under the Act. This includes alerting the controller promptly when a breach occurs or is suspected, providing information needed to complete a DPIA under section 31, and cooperating with any ODPC investigation. The 72-hour ODPC notification window under section 43 runs from when the controller becomes aware of the breach, so the processor's contractual deadline to notify you must be substantially shorter than 72 hours, and the DPA should specify what the notification must contain (affected data categories, approximate number of data subjects, containment steps taken) so you are not left chasing details while the clock runs.

Return or delete data at the end of the service. When the processing relationship ends - contract expiry, service termination, or on the controller's instruction - the processor must either return all personal data to the controller or securely delete it. The processor should not retain copies after the relationship ends without explicit written authorisation. The DPA should specify the format for data return and the timeframe for deletion or return after termination.

Provide information and support audits. The processor must provide documentation and cooperate with audits conducted by the controller or a designated auditor. This gives the controller a mechanism to verify that the processor is actually meeting its obligations. Where a processor refuses audit rights, that refusal should itself be treated as a risk signal.

Managing Sub-Processors

Section 42 prohibits a processor from engaging a sub-processor without the controller's prior written authorisation. The DPA must either name specific sub-processors that are pre-authorised, or grant general authorisation subject to notification requirements - meaning the controller is informed before a new sub-processor is engaged and has an opportunity to object.

The Act also requires the processor to impose the same data protection obligations on any sub-processor as those the controller imposed on the processor. The sub-processor must be subject to the same standards - not lesser ones.

This matters because when your cloud provider uses a sub-processor for support or logging, that sub-processor handles your data. If the sub-processor has weaker security standards or no deletion obligation, your compliance posture is only as strong as that weakest link in the chain.

Practical Steps for DPA Management

Identify all your processors. Your ROPA under section 25 should identify every third party that processes personal data on your behalf. Audit against this list: do you have a written, section 42-compliant contract for each?

Review existing vendor contracts. For each processor, review the current contract against the section 42(2) requirements. Standard procurement or service contracts rarely contain the required data protection clauses. Where gaps exist, you need a data processing addendum.

Prioritise by risk. Prioritise DPA remediation for processors handling sensitive personal data as defined in s.2, processors handling large volumes of data, processors located outside Kenya (where cross-border transfer controls under section 48 also apply), and processors with direct access to production systems.

Use your DPA to drive accountability. A DPA is not just a compliance document - it is a commercial instrument. Use it to define the security standards you require, the notification timelines you need (e.g., breach notification within 24 hours to meet your 72-hour ODPC window), and the audit rights you may want to exercise.

Section 42 Checklist

Requirement                                                               Reference
Written contract in place for every processor                             s.42(1)
Processor processes data only on documented controller instructions       s.42(2)
Authorised persons bound by confidentiality obligations                    s.42(2)
Appropriate technical and organisational security measures required       s.42(2)
Processor assists with data subject rights fulfilment                     s.42(2)
Processor assists with breach notification, DPIA, and ODPC cooperation    s.42(2)
Data return or deletion obligation on contract end                        s.42(2)
Audit and information rights included                                     s.42(2)
Prior written authorisation required for sub-processors                   s.42
Sub-processors subject to the same obligations as the processor           s.42

A data processing agreement is the mechanism by which you extend your compliance obligations to the third parties who handle your data - and the contractual basis on which you can hold them accountable when things go wrong. An organisation without adequate DPAs in place cannot demonstrate that it controls the processing it has outsourced.
