We advise fintechs, platforms, and data controllers and processors on registration with the Office of the Data Protection Commissioner, cross-border transfer, and the compliance obligations that come with handling personal data at scale.
Muchangi Patrick & Co. Advocates is a Nairobi-based technology law practice focused on data protection, privacy, and digital regulatory compliance. We work with founders, in-house counsel, and compliance teams who need law explained in terms their engineering and product teams can act on.
Our practice sits squarely under the Data Protection Act, 2019 and its regulations, and extends to the cross-border questions Kenyan companies face when their users, vendors, or servers sit outside the country — including GDPR exposure for firms handling EU personal data.
Each engagement maps to a specific compliance obligation under Kenyan and, where relevant, international data protection law.
Determining whether you register as a controller, processor, or both — and managing the filing, category classification, and annual renewal.
Structured DPIAs for high-risk processing: biometric identity checks, credit scoring, geolocation, and large-scale profiling.
Adequacy analysis, standard contractual clauses, and vendor agreements for data leaving Kenya — including infrastructure hosted on AWS or in the EU or US.
Rapid-response counsel when a breach occurs: containment advice, Commissioner notification, and communication to affected data subjects.
Drafting privacy notices, consent flows, and internal data handling policies that hold up to regulatory scrutiny and actually get read.
Representation before the Office of the Data Protection Commissioner and in data-related civil litigation.
A typical compliance engagement moves through four stages — timelines vary with the scale of processing involved.
We inventory what personal data you collect, where it lives, who touches it, and where your current practices fall short of the Data Protection Act.
High-risk processing activities are flagged for a formal DPIA; everything else is prioritised against ODPC enforcement patterns.
We prepare and file ODPC registration, draft or revise your privacy policy, and put data processing agreements in place with vendors.
Annual renewals, breach-readiness reviews, and standing counsel as your product or data footprint changes.
Personal data obligations look different depending on what you collect and why.
KYC data, credit scoring, and mobile money compliance.
Privacy-by-design for products scaling across borders.
Sensitive personal data and heightened consent requirements.
Customer data, marketing consent, and payment information.
Large-scale data processing under sectoral regulation.
Processor obligations and data hosting arrangements.
Employee data, background checks, and workplace monitoring.
Data on minors and the added duty of care it requires.
"They translated the Data Protection Act into a checklist our engineering team could actually implement, instead of a document that sat in a drawer."
"Our ODPC registration and DPIA were handled end-to-end, with clear timelines at every step."
"Responsive during a live incident, and thorough with the notification process afterward."
Illustrative client feedback — replace with verified quotes and attributions before publishing.
Tell us about your data processing activities and we'll get back to you with next steps — usually within one business day.