image from

The ODPC is established under section 5 of the Act as a body corporate with perpetual succession similar to Office of the Attorney General or the Office of the Director of Public Prosecutions. The Data Commissioner shall be appointed for a single term of 6 years, and will not be eligible for re-appointment.

The key functions of the ODPC are to:

  • oversee the implementation of the Act;
  • establish and maintain a register for data controllers and processors. The threshold for registration will be set in Regulations under the Act and accordingly, affected stakeholders should be actively engaged in the regulation making process; 
  • assess corporate compliance with the Act; 
  • investigate complaints on infringement of rights granted under the Act; and
  • ensure co-operation with international bodies and security organs where necessary.

In discharging its functions, the ODPC has the power to:

  • conduct investigations and issue summons to a witness; 
  • carry out periodic audits of the processes and systems of companies to ensure compliance with the Act; 
  • require any person to provide explanations, information or assistance in person or in writing; 
  • issue administrative sanctions and fines up to KES 5 Million or 1% of the annual turnover of an organization for the preceding year (per incident);
  • join any relevant national or international associations; and
  • delegate powers as deemed appropriate.