Data Protection Act, 2019
Lawful bases of processing, data-subject rights and the mandate of the ODPC.
The Kenya Gazette
4notify Kenya · Published by Authority
GAZETTE NOTICE · ODPC · Data Protection Act 2019
Gazette No
KG-KE-005
Date
2026-05-27
Status
In force
Category
Privacy
ODPC, the Data Protection Act 2019 and consent: the permission framework for transactional and commercial delivery
The Office of the Data Protection Commissioner (ODPC) enforces the Data Protection Act, 2019. Commercial communication requires consent, and sensitive data carries reinforced protection. 4notify records the lawful basis and verifies consent at the API edge, on every delivery.
EmailSMSWebhook
Preamble
Section 1 — IN EXERCISE of the powers conferred by the Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021, this Gazette Notice is issued concerning the management of consent in electronic delivery.
Statutory basis
Data Protection (General) Regulations, 2021
Registration of data controllers and processors and the duties of the controller.
ODPC Guidance on Consent
Informed consent, the right to object and the handling of sensitive data.
Implementation
01
Lawful-basis record per delivery
Each envelope carries one of the Act's lawful bases (consent, contract, legal obligation, legitimate interest); it is pinned in the template record.
02
Commercial-consent verification
On commercial messages, consent is verified at envelope level; deliveries without permission are blocked at the API edge.
03
Erasure right within 30 days
Erasure requests propagate within 24 hours through 4notify; the suppression list is updated across all three operators and the email gateway.
04
Breach-notification webhook
Any envelope-level incident raises a webhook to the data controller within one hour.
Delivery envelope
json
{
"event": "delivery.consent_envelope",
"controller_id": "KE-CTRL-12345",
"lawful_basis": "consent",
"consent": {
"registration": "ODPC-2026-001234",
"consent_date": "2025-09-14",
"opt_out_link_present": true
},
"delivery": { "channel": "email", "template": "promo_v2" },
"suppression_check": "approved"
}Sample message
EmailSubject: We updated your marketing preference
Dear customer, From today your marketing permission is withdrawn. You will no longer receive promotional emails, but you will still receive transactional notices (order confirmations, delivery alerts). To exercise your other rights under the Data Protection Act, 2019: [email protected]
Compliance checklist
- Data-controller registration with the ODPC in force
- Data controller configured
- Consent retained for each commercial delivery
- Breach-notification webhook reachable
The 4notify difference
4notify is the only A2P provider that retains the Data Protection Act lawful basis on every envelope, propagates erasure within 24 hours across all three operators and raises a breach webhook to the ODPC on every incident.
Frequently asked questions
Does consent also apply to SMS?
Yes — the Data Protection Act, 2019 covers all commercial communication involving personal data: SMS, email, messaging. Each needs a valid lawful basis.
What if the controller has not registered with the ODPC?
4notify blocks commercial delivery at the API edge until a valid registration exists; transactional delivery (contractual basis) remains available.
Published
4notify Operations Department
2026-05-27 · KG-KE-005
Start free
14 days, no card. English support on weekdays. Karibu.
Other notices in this edition
KG-KE-001 · Banking & payments
Strong authentication, M-Pesa and PesaLink instant: one-time code delivery to Kenyan banks over Safaricom, Airtel and Telkom
KG-KE-002 · Telecommunications
CA numbering plan, alphanumeric sender ID and A2P routing into Kenya
KG-KE-003 · Taxation
KRA iTax, eTIMS e-invoicing and VAT/PIN: delivery and validation notices to the Kenyan taxpayer
KG-KE-004 · Digital government