CRB & Data Protection in Kenya: Your Rights Under the DPA 2019
Updated April 2026
The Legal Landscape for CRB Data in Kenya
CRB operations in Kenya sit at the intersection of three legal frameworks:
- Banking Act (Cap 488): Authorises banks to share credit data with licensed CRBs
- Credit Reference Bureau Regulations 2013 & 2020: Govern how CRBs collect, process, and share credit information
- Data Protection Act 2019 (DPA): The overarching personal data law that has applied to ALL data processors — including CRBs — since November 2019
The DPA introduced significant individual rights over personal data and created the Office of the Data Protection Commissioner (ODPC) as the enforcement authority.
Your Rights Over Your CRB Data Under DPA 2019
- Right of Access: You can request a copy of all personal data held about you by a CRB — including your full credit file — once per year free of charge
- Right to Rectification: If your CRB file contains inaccurate or outdated data, you can demand it be corrected. The CRB must investigate and respond within 30 days
- Right to Erasure (limited): You can request deletion of data that is no longer necessary, unlawfully processed, or retained beyond the permitted period (5 years for negative listings)
- Right to Object: You can object to how your data is being used — for example, if a CRB is sharing your data with non-CRB entities without your consent
- Right to Data Portability: You can request your data in a structured, commonly used format
What CRBs Are Allowed to Collect and Process
Under the CRB Regulations and DPA 2019, CRBs in Kenya may lawfully process:
- Loan account details submitted by licensed financial institutions
- Payment history for credit facilities
- Public records (court judgements, bankruptcy orders)
- Identity information (name, national ID, KRA PIN)
CRBs may NOT lawfully process:
- Health data
- Political opinions or affiliations
- Race, ethnicity, religion (unless directly relevant to a specific DPA exception)
- Data obtained without the appropriate legal basis
How to File a CRB Data Protection Complaint
- Step 1 — Complain to the CRB directly: Write a formal complaint to the relevant bureau (TransUnion, Metropol, or CreditInfo). They must respond within 30 days under DPA 2019
- Step 2 — Escalate to the ODPC: If the CRB does not respond or fails to resolve your complaint, file with the Office of the Data Protection Commissioner at odpc.go.ke
- Step 3 — CBK: For complaints specifically about CRB compliance with financial regulations, write to the Central Bank of Kenya (Financial Consumer Protection Division)
- Step 4 — Courts: The DPA 2019 creates a right of private action — you can sue for damages if processing of your data caused harm
The 5-Year Retention Rule
Negative CRB listings in Kenya may not be retained beyond 5 years from the date of the adverse event. After 5 years, the bureau must delete or anonymise the specific negative entry. This applies even if the underlying debt was never repaid — after 5 years, the entry must go.
However, if you repay the debt, the status changes to "settled" much sooner — which significantly reduces the listing's practical impact, even before the 5-year period expires.
Exercise Your Right — See What's on Your CRB File
The first step to enforcing your data rights is knowing what data exists. Get your full CRB report now and review every entry.