
Managing Data Subject Requests Under the Kenya DPA 2019: A Practical Guide

Dira Compliance Team

Data subject requests (DSRs) are the operational face of the Kenya Data Protection Act 2019. They arrive from employees, customers, patients, and website visitors - and they come with statutory response deadlines that vary by request type. Missing those deadlines is a compliance failure with consequences.

This guide covers the five core rights under the Kenya DPA 2019, the specific deadlines set by the Data Protection (General) Regulations 2021, and how to build a DSR process that keeps your organisation on track.

The Five Core Data Subject Rights

The Kenya DPA 2019 provides individuals with the following rights in relation to their personal data:

Right                      Section   Deadline (Regs. 2021)
Right of access            s.26      7 days
Right to erasure           s.40      7 days
Right to data portability  s.38      30 days
Right to rectification     s.40      7 days
Right to object            s.36      7 days

The Act also provides a right to restrict processing (s.34) - handle it with the same 7-day discipline. These deadlines are set by the Data Protection (General) Regulations 2021 - not by the Act itself. The Act sets the rights; the Regulations set the response timeframes. Both are legally binding.

The working rule: 7 calendar days for data subject requests, with 30 days for data portability (s.38(6)). Build your process around the 7-day clock - it is shorter than GDPR's one month, and it catches organisations that assume they have more time.

Right of Access - Section 26

Section 26 gives an individual the right to request confirmation that you hold their personal data, and a copy of that data together with specific processing information.

The response must include:

  • Confirmation of whether you hold their data
  • A copy of the data itself
  • The purposes of processing
  • The categories of data held
  • The recipients or categories of recipients
  • The retention period, or the criteria used to determine it
  • The individual's rights to rectification, erasure, restriction, and objection

Provide the response in a commonly used electronic format where the request was made electronically. You may ask for proof of identity before disclosing data - proportionate verification is legitimate. You may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse them, but document the reason.

Deadline: 7 days under the Regulations 2021.

Right to Erasure - Section 40

Section 40 gives an individual the right to request deletion of their personal data. Erasure can be requested where:

  • The data is no longer necessary for the purpose for which it was collected
  • The data subject withdraws consent and there is no other legal basis
  • The data subject objects under section 36 and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation

Erasure is not absolute. You may refuse where the processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or on other specific statutory grounds. Where data is needed for evidence, restricting processing (s.34) rather than erasing may be the correct response. Where you refuse, document the ground and communicate it to the data subject. Where the data has been shared with third parties, take reasonable steps to inform them of the erasure request.

Deadline: 7 days under the Regulations 2021.

Right to Data Portability - Section 38

Section 38 gives an individual the right to receive their personal data in a structured, commonly used, machine-readable format - and, where technically feasible, to have that data transmitted directly to another controller. The Act permits recovering the reasonable cost of fulfilment. Common formats include CSV, JSON, and XML. Where direct transmission to another controller is not technically feasible, providing a downloadable file in a machine-readable format satisfies the obligation.

Deadline: 30 days under the Regulations 2021.

Right to Rectification - Section 40

Section 40 gives an individual the right to request correction of inaccurate personal data and completion of incomplete personal data. Inaccuracy must be demonstrated by the data subject - you are not obliged to accept an unsupported assertion that data is wrong. Where you cannot verify accuracy, consider adding a note to the record that the accuracy is disputed. If the inaccurate data has been shared with third parties, notify them of the rectification.

Deadline: 7 days under the Regulations 2021.

Right to Object - Section 36

Section 36 gives an individual the right to object to processing of their personal data where the processing is based on legitimate interests (section 30) or carried out for public interest purposes. On receiving a valid objection, you must stop the processing unless you can demonstrate compelling legitimate grounds that override the data subject's interests, rights, and freedoms - or unless the processing is necessary for legal claims.

An objection to direct marketing always succeeds - there are no overriding grounds for continuing direct marketing processing after a valid objection. Document your assessment of whether overriding grounds exist for every objection you do not fully honour.

Deadline: 7 days under the Regulations 2021.

Building a DSR Process That Works

Step 1: Create a single intake channel. Data subjects should be able to submit requests via a dedicated, clearly communicated channel - a form, an email address, or an in-app request mechanism. Making it difficult to submit a request is itself a compliance concern. Document the date and time of receipt. The clock starts when the request arrives, not when it reaches the person who will handle it.

Step 2: Verify identity proportionately. You need reasonable assurance that the person making the request is who they say they are. The level of verification should be proportionate to the sensitivity of the data - email verification or account login may be sufficient for basic contact data, while health data or financial data warrants a stronger step. Do not use identity verification as a barrier: requiring excessive documentation delays the process without improving security.

Step 3: Identify and locate the data. This requires knowing where personal data for this individual is held across all your systems. A complete Records of Processing Activities (ROPA) under section 25 is the foundation - without it, data discovery is ad hoc and incomplete. Check production databases, backup systems, archived records, email systems, and third-party processors.

Step 4: Assess and respond within the deadline. For each request type, apply the relevant deadline from the Regulations 2021. Your response must confirm receipt and state when the data subject will receive a substantive response, address the request in full, and be in clear, plain language - or explain in writing why you are declining or limiting the response.

Step 5: Document the request and your response. Section 25 (accountability) requires you to demonstrate compliance. Record the date of receipt, the type of request, the identity verification step taken, the data located, the response provided and date, and any grounds for refusal or limitation.

When You Cannot Fully Comply

Not every DSR must be fully granted. You may limit your response where:

  • Exemptions apply - legal professional privilege, ongoing law enforcement requests, or statutory obligations that require retention
  • The request is manifestly unfounded or excessive - repetitive requests with no new basis, or requests designed to harass rather than exercise a genuine right
  • Complying would adversely affect the rights of third parties - for example, an access request that would reveal another individual's personal data

Where you decline or limit a response, you must:

  1. Communicate the refusal in writing within the deadline
  2. State the specific ground for refusal
  3. Inform the data subject of their right to complain to the ODPC

Silence is not a valid response to a DSR. Failing to respond at all - even to decline - within the statutory period is a breach of the Act.
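As an added example (not part of the original article or of any product), the register entry below applies Steps 1, 2, 3 and 5 and the refusal rules above: the due date is computed from the receipt timestamp using this guide's deadline table, the identity step is checked against the sensitivity of the data, a response with no record of where the data was found is flagged, and a refusal that omits the ODPC complaint notice is flagged. The sensitivity tiers and verification step names are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Deadlines and sections as this guide states them (Regulations 2021 / DPA 2019).
DEADLINE_DAYS = {"access": 7, "rectification": 7, "erasure": 7,
                 "objection": 7, "restriction": 7, "portability": 30}
SECTION = {"access": "s.26", "rectification": "s.40", "erasure": "s.40",
           "objection": "s.36", "restriction": "s.34", "portability": "s.38"}
# Assumed tiers for Step 2's proportionality rule (tier and step names are this
# example's own): basic contact data needs a lighter step than health/financial data.
STEP_RANK = {"email_confirmation": 1, "account_login": 1, "document_check": 2}
MIN_RANK = {"basic": 1, "financial": 2, "health": 2}

@dataclass
class DSR:
    """One request on the DSR register; timestamps are ISO 8601 strings."""
    request_type: str
    received_at: str                       # Step 1: the clock starts at receipt
    sensitivity: str = "basic"
    verification_step: Optional[str] = None
    data_located: List[str] = field(default_factory=list)   # Step 3, kept for Step 5
    responded_at: Optional[str] = None
    refusal_ground: Optional[str] = None   # set when declining or limiting
    odpc_right_stated: bool = False        # a refusal must point to the ODPC route

    def due_at(self) -> datetime:
        # Calendar days, as the guide's working rule puts it (7 days, 30 for portability).
        received = datetime.fromisoformat(self.received_at)
        return received + timedelta(days=DEADLINE_DAYS[self.request_type])

    def issues(self, now_iso: str) -> List[str]:
        """Compliance problems visible on this record at the given review time."""
        found, due = [], self.due_at()
        sent = datetime.fromisoformat(self.responded_at) if self.responded_at else None
        if sent is None and datetime.fromisoformat(now_iso) > due:
            found.append(f"no response by {due:%Y-%m-%d} ({SECTION[self.request_type]})")
        elif sent is not None and sent > due:
            found.append("response sent after the statutory deadline")
        if STEP_RANK.get(self.verification_step or "", 0) < MIN_RANK[self.sensitivity]:
            found.append(f"identity verification not proportionate to {self.sensitivity} data")
        if sent and not self.refusal_ground and not self.data_located:
            found.append("no record of where the data was located (s.25 accountability)")
        if self.refusal_ground and not self.odpc_right_stated:
            found.append("refusal does not state the right to complain to the ODPC")
        return found
```

Running `issues()` over every open entry each morning is the cheapest way to catch a request that has fallen into a backlog before the 7-day clock runs out.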

DSR Response Deadlines at a Glance

Request Type   Section   Deadline   Notes
Access         s.26      7 days     Copy of data + processing information
Rectification  s.40      7 days     Correct inaccurate or incomplete data
Erasure        s.40      7 days     Grounds for erasure must be established
Objection      s.36      7 days     Immediate stop for direct marketing objections
Restriction    s.34      7 days     Four statutory grounds; notify before lifting
Portability    s.38      30 days    Structured, machine-readable format

All deadlines set by the Data Protection (General) Regulations 2021.

Organisations that handle DSRs well treat them as a service interaction, not a compliance burden. A prompt, transparent response to a data subject builds trust. A missed deadline, an unhelpful refusal, or a request that falls into a backlog and is forgotten will eventually produce an ODPC complaint - and a compliance investigation.
