Since the enactment of the Data Protection Act (the DPA) in 2019, and the establishment of the Office of the Data Protection Commissioner in 2020, the issuance of regulations necessary to give effect to many of the provisions contained in the DPA has long been awaited. 


17 February 22

This changed on 11 February 2022 when the regulations came into force, including the Data Protection (General) Regulations, 2021 (General Regulations), the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.

In the first instalment of a continuing series of articles analysing these regulations, we examine the General Regulations, which provide for the various instances which trigger obligations for data controllers and data processors to data subjects.

Additionally, the General Regulations provide for restrictions on the use of personal data for commercial purposes as well as provide for exemptions under the DPA, which include data processing in relation to national security and public interest.

For individuals and corporates alike, the General Regulations serve to clarify some of the more procedural aspects of the aspirations contained in the DPA, such as how the right to privacy should be maintained in commercial activities.

Click here to read the full article focused on the General Regulations.

Should you have any questions on this legal alert, or need any advice in relation to the Data Protection Regulations, please do not hesitate to reach out to Sonal Tejpar, Anne Kiunuhe or Wangui Kaniaru.


1. Charlotte Patrick-Patel – Senior Associate
2. Jade Makory – Associate
3. Abdulmalik Sugow – Trainee Lawyer
4. Abdullahi Ali – Trainee Lawyer
5. Olivia Njoroge – Trainee Lawyer

The content of this alert is intended to be of general use only and should not be relied upon without seeking specific legal advice on any matter.