Data protection law originated from Europe in the 1970s as a reaction to the rise of the use of computers. This eventually led to the development and adoption of the now-famous General Data Protection Regulation (GDPR) in 2016 which became enforceable in 2018. The GDPR is a legal framework that sets guidelines for the protection of the personal information of European Union citizens. The GDPR has since then become a reference point for other data protection laws globally.

In Kenya, The Constitution of Kenya 2010, Article 31 provides that every person has the right to privacy, which includes the right not to have the privacy of their communications infringed and information relating to their family or private affairs unnecessarily revealed. The Data Protection Act No. 24 of 2019 (“the DPA”)gives effect to the above Article 31, together with the Regulations below:

  1. The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the “Registration Regulations”);
  2. The Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 (the “Complaints Regulations”); and
  3. The Data Protection (General) Regulations, 2021 (the “General Regulations”).

The DPA applies to all entities processing the personal data of data subjects residing in Kenya, regardless of their location.

What is Personal Data?

The DPA defines personal data as any information relating to an identified or identifiable natural person. Further, it is any information that may identify a natural person such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or social identity. For purposes of land transactions, the name of a person, their National ID or Passport Number, their KRA PIN, their passport photos, their Ardhisasa ID and their address are personal data.

What Responsibilities are placed on persons' dealings with land transactions?

Primarily, the DPA introduces Data Controllers and Data Processors, who are persons and/or entities that deal with information pertaining to land and real estate transactions.

Section 2 of the DPA provides that a Data Controller as a natural or legal person determining the purpose and means of the processing of personal data while a Data Processor is a natural or legal person, that processes personal data on behalf of the data controller.

How does this apply to Real Estate?

Regulation 13 of the Data  Protection (General) Regulations, 2021, provides that Data Controllers and Data Processors must register with the Office of the Data Protection Commissioner (“the ODPC”). Further, the ODPC has provided a guideline to the effect that registration is mandatory for Data Controllers and Processors who process personal data for property management including the selling of land. For this purpose, the following

players involved in a property purchase and/or sale are registrable with the ODPC :

  1. Buyer’s Agent (Real Estate Agent)
  2. Listing Agent
  3. Insurance Company
  4. Appraiser
  5. Local Authority/County Governments
  6. Purchaser
  7. Advocates
  8. Lands Registry
  9. Attorneys/Notary Signing Agent
  10. Tax Advisors

The above persons use personal data from various data subjects when dealing with property, including processing   IDs, photos, signatures, location, bank account information etc. and as Data Controller, when deciding what use to put the said data to, to facilitate the completion of a purchase, transfer, registration of a lease, legal charge etc. over a property.

Is Property Information Personal Data ?

Property information is linked to an owner as the details of the said property are not complete without the description of the owner, for example, their name, ID number and address. Thus, this data is an ‘identifiable marker’ and is thus considered to be personal regarding the individual.

It is important as a property owner to know that the usage of your personal data in the process relating to your property is sensitive in nature and the law affords you the: Right to give consent to the usage of personal data (e.g., the location of your name, property etc. Being disclosed)

  1. Right to demand for safety protocols to be put in place to safeguard and protect your data
  2. Right to be informed how your personal data will be used
  3. Right to be informed how long your personal data will be used
  4. Right to options to stop and relinquish the processing of personal data
  5. Right to be informed if the persons dealing with your property registered with the ODPA and if compliant with the DPA

What does this mean to me?

The introduction of the DPA protects individuals including but not limited to property owners. If you are a person who deals with any personal data relating to a property transaction, you should register with the ODPC and process data lawfully; minimize the collection of data; impose restrictions on the processing of data; ensure data quality; establish and maintain security safeguards to protect personal data and generally comply with the DPA.

Article by  June Njoroge & Mary Ndung’u 

Published on 26th January 2023



This article is intended for general knowledge only. It does not create an advocate-client relationship between any reader and Mboya Wangong’u & Waiyaki Advocates. For particular expert advice on any matter dealt with above, please contact us through

This email address is being protected from spambots. You need JavaScript enabled to view it. or This email address is being protected from spambots. You need JavaScript enabled to view it.

Pin It