In our previous two articles in this series ( see part I on the General Regulations and part II on the Registration Regulations), we analysed the extent to which the Data Protection Act, 2019 (DPA) empowered data subjects with numerous mechanisms through which to exercise their privacy-related rights.

28 February 22

One such mechanism is a complaint to the Office of the Data Protection Commissioner (ODPC) in relation to the conduct of data controllers or data processors. In addition to receiving complaints, the ODPC may also initiate its own investigations into the conduct of data controllers and data processors.

In 2021, we witnessed the ODPC’s investigative and complaints handling functions being called into action in two separate instances. Despite these specific instances being handled within the framework of the DPA, there were no enabling regulations to give clarity on the various procedures involved in an investigation. This has since changed with the issuance of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 (the Complaints Regulations).

In part III of the series, we set out the key highlights of the Complaints Regulations, which have been issued to facilitate a fair and expeditious complaints mechanism administered by the ODPC. They further clarify the ODPC’s powers of investigation and enforcement and also for alternative dispute resolution. Click here to read the full article.

Should you have any questions on this legal alert, or need any advice in relation to the Data Protection Regulations, please do not hesitate to reach out to Sonal Tejpar, Anne Kiunuhe or Wangui Kaniaru.



1. Charlotte Patrick-Patel – Senior Associate
2. Jade Makory – Associate
3. Abdulmalik Sugow – Trainee Lawyer
4. Abdullahi Ali – Trainee Lawyer
5. Olivia Njoroge – Trainee Lawyer

The content of this alert is intended to be of general use only and should not be relied upon without seeking specific legal advice on any matter.