General Data Protection Regulation (“GDPR”)
Right to receive a notification on breach
In the event of a data breach, Data Controllers are required to report to the relevant local supervisory authority within seventy two (72) hours of becoming aware of the breach. If the breach poses a high risk to the Data Subject, the Data Subject must also be notifi ed without undue delay. It is not clear what will occur when data breaches occur in countries without a local supervisory authority but it is expected that an EU supervisory authority will liaise with overseas regulators to monitor breaches. We anticipate that the impending Kenyan data protection legislation will establish a relevant authority to enforce compliance.
Right of access
Data Subjects are able to ask whether their personal data is being processed. A Data Controller must then provide a copy of the Personal Data held free of charge in a prescribed format within one month of receipt of the request. This should outline:
a) The type of data being processed;
b) The recipients of the data;
c) The period of time the data will be processed; and
d) Meaningful information about how the information is used to profile and the logic behind the processing.
Right to be informed
Where Personal Data is being transferred to another country or organization, the Data Subject has the right to be informed of the appropriate safeguards relating to the transfer.
Right to be forgotten
Data Subjects have the right to request the erasure of all their Personal Data. However, this is not an absolute right and applies only in the following circumstances:
a) If the Personal Data is no longer necessary for the purpose it was originally collected;
b) If the Data Controller was relying on consent as the lawful basis for holding data and the consent is withdrawn;
c) If there is no overriding legitimate interest to continue the processing;
d) If the Personal Data is being processed for marketing purposes and the Data Subject objects; or
e) If the Personal Data was being processed unlawfully.
A Data Subject can request their information in a commonly used and machine readable format to be submitted to another Data Controller free of charge.