A data subject has a right—
(a) to be informed of the use to which their personal data is to be put;
(b) to access their personal data in custody of data controller or data processor;
(c) to object to the processing of all or part of their personal data;
(d) to correction of false or misleading data;
(e) to deletion of false or misleading data about them.
A right conferred on a data subject may be exercised—
(a) where the data subject is a minor, by a person who has parental authority or by a guardian;
(b) where the data subject has a mental or other disability, by a person duly authorized to act as their or their guardian or administrator; or
(c) in any other case, by a person duly authorized by the data subject.
Every data controller or data processor shall ensure that personal data is—
(a) processed in accordance with the right to privacy of the data subject;
(b) processed lawfully, fairly and in a transparent manner in relation to any data subject;
(c) collected manner collected for explicit, specified and legitimate purposes and not further processed in a manner in compatible with those purposes;
(d) adequate, is adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
(e) collected or collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
(f) accurate to accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
(g) kept in a form which identifies the data subjects for no longer than is necessary for the purposes and purposes which it was collected; and
(h) not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.