Kenya Data Protection Act Compliance
Last updated: September 2025
This document describes how PublicMoodTracker complies with the Kenya Data Protection Act 2019 (No. 24 of 2019) and its subsidiary legislation, including the Data Protection (General) Regulations 2021, Data Protection (Compliance and Enforcement) Regulations 2021, and Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021.
1. Registration as Data Controller
PublicMoodTracker is registered as a Data Controller with the Office of the Data Protection Commissioner (ODPC) as required under Section 17 of the KDPA and Regulation 4 of the Registration Regulations. Our Certificate of Registration is available for inspection at our registered office in Nairobi or by written request to dataprotection@siasaiq.com.
Where PublicMoodTracker engages third-party providers (cloud hosting, email delivery) to process personal data on our behalf, those providers are engaged as Data Processors under written Data Processing Agreements as required by Section 50 KDPA.
2. Data Processing Principles (Section 25 KDPA)
All personal data processing at PublicMoodTracker is conducted in accordance with the eight principles under Section 25 of the KDPA:
| Principle | KDPA Section | How PublicMoodTracker Complies |
|---|---|---|
| Lawfulness, fairness, and transparency | s.25(a) | Processing has a documented lawful basis; this policy provides transparency to data subjects. |
| Purpose limitation | s.25(b) | Data collected for specified, explicit purposes only; not repurposed without consent or new lawful basis. |
| Data minimisation | s.25(c) | Only data necessary for the stated purpose is collected; phone number and payment reference are the minimum required. |
| Accuracy | s.25(d) | Users may update account data at any time; inaccurate payment data is corrected within 48 hours of notification. |
| Storage limitation | s.25(e) | Retention periods defined per data category (see Section 7 of Privacy Policy); automated deletion schedules in place. |
| Integrity and confidentiality (security) | s.25(f) | AES-256 encryption at rest, TLS 1.3 in transit, RBAC, annual penetration testing. |
| Accountability | s.25(g) | DPO appointed; processing records maintained under s.31; staff data protection training mandatory annually. |
| Restriction on further processing | s.25(h) | Data not sold, traded, or shared beyond purposes stated in this document. |
3. Lawful Bases for Processing (Section 30 KDPA)
| Processing Activity | Lawful Basis | KDPA Reference |
|---|---|---|
| Account creation and service delivery | Performance of a contract | s.30(1)(b) |
| Payment processing and receipts | Performance of a contract | s.30(1)(b) |
| KRA tax record retention | Compliance with legal obligation | s.30(1)(c) |
| Platform security and fraud detection | Legitimate interests | s.30(1)(f) |
| Marketing communications | Consent | s.30(1)(a) |
4. Sensitive Personal Data (Section 44 KDPA)
Section 44 KDPA prohibits processing of sensitive personal data (health, race, ethnicity, religion, political beliefs, disability, sexual orientation, biometrics) without explicit consent or another specific lawful basis.
PublicMoodTracker does not collect sensitive personal data from its users. The political sentiment data we generate concerns public figures in their public roles, which is not sensitive personal data about our users. Incidental exposure to political content does not constitute collection of a user's political beliefs.
5. Data Subject Rights (Part IV KDPA)
| Right | KDPA Section | How to Exercise | Response Deadline |
|---|---|---|---|
| Right of access to personal data | s.26 | Email dataprotection@siasaiq.com | 21 days |
| Right to correction of false data | s.27 | Email dataprotection@siasaiq.com | 21 days |
| Right to object to processing | s.35 | Email dataprotection@siasaiq.com | Immediate for direct marketing; 21 days for other objections |
| Right to restriction of processing | s.34 | Email dataprotection@siasaiq.com | 21 days |
| Right to deletion ("erasure") | s.38 | Email dataprotection@siasaiq.com | 21 days |
| Right to data portability | s.39 | Email dataprotection@siasaiq.com | 21 days |
| Right not to be subject to automated decisions | s.40 | Email dataprotection@siasaiq.com | 21 days |
6. Data Breach Management (Section 43 KDPA)
PublicMoodTracker maintains a documented Data Breach Response Plan. In the event of a personal data breach:
- Detection and containment (within 1 hour of discovery): Isolate affected systems, preserve evidence, stop ongoing exposure.
- Assessment (within 24 hours): Determine nature of breach, categories and volume of data affected, likely impact on data subjects.
- ODPC notification (within 72 hours): Submit breach notification to ODPC if the breach is likely to result in risk to data subjects, as required by Section 43(1) KDPA.
- Data subject notification (without undue delay): Notify affected individuals by SMS, email, or platform notice if the breach creates high risk to their rights.
- Remediation: Patch vulnerabilities, reset compromised credentials, conduct post-incident review.
- ODPC final report: Submit a full incident report to the ODPC within 30 days including root cause analysis and corrective actions.
7. Cross-Border Data Transfers (Section 48 KDPA)
Personal data may only be transferred outside Kenya to a third country if at least one of the following conditions is met (Section 48 KDPA):
- The third country has an adequate level of data protection (as determined by the ODPC).
- Appropriate safeguards are in place (e.g., Standard Contractual Clauses).
- The data subject has given explicit, informed consent to the transfer.
- The transfer is necessary for the performance of a contract with the data subject.
PublicMoodTracker's primary infrastructure is hosted in Kenya. Where we use EEA-based sub-processors, we rely on Standard Contractual Clauses as the transfer safeguard.
8. Data Protection Officer (DPO)
PublicMoodTracker has designated a Data Protection Officer as required under Regulation 7 of the General Regulations for organisations processing personal data at scale. The DPO's responsibilities include:
- Monitoring compliance with the KDPA and internal data protection policies.
- Advising on Data Protection Impact Assessments (DPIAs).
- Acting as the primary contact point for the ODPC.
- Handling data subject rights requests and complaints.
- Conducting and overseeing annual staff data protection training.
DPO contact: dataprotection@siasaiq.com
9. Records of Processing Activities (Section 31 KDPA)
PublicMoodTracker maintains a Register of Processing Activities (ROPA) as required by Section 31 KDPA, documenting: processing purposes, data categories, data subject categories, recipients, cross-border transfers, retention periods, and security measures. The ROPA is available for inspection by the ODPC on request.
10. Filing a Complaint with the ODPC
If you believe PublicMoodTracker has violated your data protection rights, you may first contact our DPO at dataprotection@siasaiq.com. If the matter is not resolved within 21 days, you may lodge a formal complaint with the ODPC:
Office of the Data Protection Commissioner (ODPC)
P.O. Box 41079 – 00100, GPO, Nairobi
Telephone: +254 20 424 0000
Email: info@odpc.go.ke
Website: www.odpc.go.ke