Enforcement Structure and Complaint Mechanisms (Article 9)
August 16, 2022

Part 11: Enforcement Structure and Complaint Mechanisms

By Benedict Alex Ishabakaki


11.1 Introduction

A good law on the statute books is nothing until it is implemented. Every data protection law must contain a proper and effective enforcement mechanism. Enforcement ensures compliance with legislation, regulations, rules, standards, and social norms.[i] In designing an enforcement mechanism, the first thing that comes to mind is an enforcement body or authority. This is true even in data protection law. An authority mandated to enforce the provisions of the law must be put in place. The authority may be named variously, such as data protection authority, commission, office, bureau and so forth. The nomenclature is not particularly relevant.


11.2 Models of Data Protection Authority

There are two models of data protection authority. The first is the adoption of an existing authority and the other is the establishment of a new authority. The model of data protection authority will therefore depend on each country's legal regime or the presence of existing organs that govern and control digital and cyber-legislation. Some countries will adopt an existing authority while others will establish a new one. Furthermore, the decision to adopt either model is dictated by factors such as financial and human resources. Once established, a data protection authority is vested with powers to enforce the law, investigate, determine complaints and issue decisions with respect to data breach complaints.

As stated above, the model of the data protection authorities may vary. For instance, in Europe, under the GDPR, a one-stop-shop mechanism is established. This means that cross-border enforcement under the GDPR is organized by the lead supervisory authority and the authority of the Member State where the data controller or processor has its main establishment.[ii]

In Kenya, section 5 of the Kenya Data Protection Act[iii] establishes the office of the Data Protection Commissioner. The authority is a body corporate with perpetual succession. It is an independent authority and is designated as a State Office in accordance with the provisions of article 260 (q) of the Kenya Constitution.[iv] The authority is headed by the Data Commissioner, who is appointed by the Chief Registrar of the Judiciary. Other staff of the authority are appointed by the Data Commissioner. Among others, the duties of the Data Commissioner include receiving and investigating any complaint by any person on infringements of the rights under the Data Protection Act, and overseeing the implementation and enforcement of the Act.

On the other hand, Uganda employs a different approach. An existing authority known as the National Information Technology Authority has been designated as the data protection authority. A data protection officer is appointed under section 4 of the Act.[v] The duties of the data protection officer include receiving and investigating any complaint by any person on infringements of the rights under the Data Protection Act, and overseeing the implementation and enforcement of the provisions of the Act.

As stated earlier, the choice to use an existing authority or establish a new one is largely dictated by the governing legislation and other existing organs relating to cyber-legislation.


11.3 Independence of the Data Protection Authorities

Data, as a sensitive property, must be put under the custody of an impartial authority. It is a trite principle under the GDPR and the Convention on Cyber Security and Data Protection of the African Union (Malabo Convention)[vi] that a data protection authority must be fully independent and autonomous. This independence may enable the authority to effectively exercise its duties. The independence has two broad dimensions: personal/institutional independence and financial independence.

Personal or institutional independence entails two things. First, the personnel must be independent. This means that their manner of appointment or recruitment should ensure that they are independent in discharging their functions. The best practice is for these personnel to be recruited through a competitive recruitment process rather than being appointed by the political authority. Minimally, that ensures their independence in the execution of their duties. Second, the institution (the data protection authority) shall be independent of any other authority. The functions and powers of the data protection authority shall not be subjected to the direction or interference of any other authority. To ensure this independence is safeguarded, interference of any kind with the functions or powers of the authority is considered an offence.

By financial independence, we mean that these authorities shall be financially independent. To achieve that, the authorities must have their own sustainable sources of income. In some jurisdictions, the funds generated from registration fees of the data collector, processor or controller, annual membership fees and fines have been used as sources of the authority's fund. The Government's financial intervention must be reduced as much as possible in order to avoid real or potential interference with the independence of the data protection authority.


11.4 Complaints handling mechanism

The complaints handling procedure is vital in data protection legislation. One of the powers with which a data protection authority must be vested is the power to receive complaints from a data subject or data processor, determine the same and issue administrative sanctions.[vii] These may include the power to issue monetary sanctions. However, it is good practice not to vest the data protection authority with all powers. For instance, the power to prosecute certain offences can be vested in the national prosecution agency, or complaints from the claimant in certain circumstances must be heard and determined by a competent court of law. Each data protection law must stipulate the circumstances or types of complaints that require court intervention. This position is reflected under Article 12 (e) of the Malabo Convention, where the intervention of the judiciary in certain circumstances is entertained. The court's intervention is necessary especially when the data protection authority is not given a clear mandate to conduct necessary enforcement actions or when there is a lack of the technical expertise needed to carry out the legislation effectively.


11.5 Data Protection Audit

Data protection authorities are also empowered to conduct data protection audits on controllers to check that they comply with data protection law.[viii] Essentially, a data protection audit is a process of determining the extent of compliance with the data protection legislation. A compliance audit involves an auditor from the data protection authority verifying the data controller's compliance with the law.[ix]

Normally, an audit may look at a number of areas such as data protection governance, the structures, policies and procedures to ensure compliance with data protection legislation, the processes for managing files containing personal data, the processes for responding to any request for personal data, the measures in place to ensure the security of personal data stored, and the provision of staff data protection training and staff awareness of data protection requirements.[x]


This article is the eleventh part of the data protection and privacy article series. The next part, titled "Legal Consequences of Data Protection & Privacy Non-Compliance", will be released on 17th August 2022.



This article is not intended to provide legal advice but to provide general information on the matter covered in the Article. The article does not constitute and is not to be relied upon as legal advice. Victory Attorneys & Consultants shall not be responsible for any loss in the event this Article is relied upon without seeking our professional advice first.  


[i] See Black’s Law Dictionary, Enforcement (2d ed. 1910).

[ii] The DSA Enforcement Framework, Lessons Learned from the GDPR, https://eulawenforcement.com/?p=8038, accessed on 18th November 2021.

[iii] The Data Protection Act No.24 of 2019.

[iv] Section 5(2) of the Data Protection Act No.24 of 2019.

[v] The Data Protection & Privacy Act, 2019.

[vi] Article 11.1 of The Convention on Cyber Security and Data Protection of the African Union (known as the Malabo Convention, 2000).

[vii] Article 12 (b) (e) (f).

[viii] https://ico.org.uk/for-organisations/audits/, accessed on 6th October 2021.

[ix] Ibid.

[x] https://ico.org.uk/for-organisations/audits/, accessed on 6th October 2021.
