Compliance Alert: Registration of Data Controllers, Data Processors and Data Protection Officers

Section 18 of the Data Protection Act, 2019 and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 require all organizations and individuals processing and controlling personal data to register. Section 28 of the Act allows data controllers and data processors to have data protection officers, while the Data Protection (Registration of Data Controllers and Data Processors) Regulations require them to register their data protection officers.

A data controller or data processor who is not established or resident in Kenya but processes personal data of persons resident in Kenya is required to register, since the law applies to anyone controlling or processing personal data of persons located in Kenya.

Registration is vital to compliance because unregistered organizations or individuals cannot act as data controllers or data processors. It also helps data subjects to know how their data is processed and what precautions are taken to protect it.

Who is a data subject?

A data subject is an identified or identifiable natural person whose personal data is being processed or controlled.

What is personal data?

Any information relating to a data subject, such as: full name, identity card number, physical and postal address, phone number, location data and online identifiers.

Personal data need not be in written form. It can also be information on what a data subject looks or sounds like, for example biometric data, genetic data, photos, and audio or video recordings.

What is sensitive data?

Any data revealing a person’s race, health status, ethnicity, conscience, belief, genetic data, sex, sexual orientation, biometric data, property details, marital status, family details including names of a person’s children, parents, spouse or siblings.

This data requires additional protection because of the high risk posed to an individual if it is accessed by unauthorized persons or entities.

Who is a data controller?

An individual, legal entity, public authority or agency that, individually or jointly with others, determines the purpose and means of processing personal data.

Examples include: telecommunication operators, hotels, hospitals, insurance companies, educational institutions, mobile money or loan vendors, betting companies, retailers, government departments, professional service providers, independent commissions, charities and religious entities.

Who is a data processor?

A person who processes personal data on behalf of the data controller, has a contractual relationship with the data controller, and does not decide how the data is processed or what it shall be used for.

Who is a data protection officer?

A person who ensures that an organisation processes the personal data of its employees, clients, suppliers or any other individuals in compliance with data protection laws and regulations.

Factors to consider when appointing a data protection officer are: personal and professional qualities, expert knowledge of data protection, and a good understanding of how the organisation operates.

Exemption from Mandatory Registration

A data controller or data processor whose annual turnover is below KShs. 5,000,000 and who employs fewer than 10 people is exempt from mandatory registration.

Where a data controller or data processor meets only one exemption requirement, the data controller or data processor is not exempt and must register.

Data controllers or data processors processing personal data for the purposes listed below are not exempt from mandatory registration, regardless of their annual turnover and number of employees—

  1. Canvassing political support among the electorate (Example: political parties and youth political organizations).
  2. Operating credit bureaus.
  3. Crime prevention and prosecution of offenders (Example: operating security CCTV systems. This includes private security companies, building managers operating CCTV equipment, and CCTV security equipment and solution providers).
  4. Debt administration and factoring.
  5. Gambling (Example: gaming and betting companies or entities collecting funds on behalf of betting companies).
  6. Provision of education (Example: training providers; primary and secondary schools or tertiary education providers).
  7. Health administration and provision of patient care (Example: dispensaries, clinics, mental healthcare providers or digital/e-health providers).
  8. Hospitality industry firms, excluding tour guides (Example: restaurants, bars or hotels).
  9. Insurance administration and undertakings.
  10. Faith-based or religious institutions.
  11. Retirement benefits administration.
  12. Property management, including the selling of land (Example: law firms, property managers, real estate agencies).
  13. Provision of financial services (Example: mobile money agents, digital lenders, saccos or micro-lenders).
  14. Telecommunications network or service providers (Example: mobile network operators, mobile virtual network operators, ISPs, CSPs).
  15. Businesses that are wholly or mainly in direct marketing.
  16. Internet access providers.
  17. Transport services firms (Example: online passenger hailing applications, ride hailing application providers, public service vehicle operators).
  18. Public sector bodies.
  19. Businesses that process genetic data (Example: medical research companies or medical labs).

The Registration Process

Registration commenced on 14th July 2022. Applicants are required to register through the online application portal managed by the Office of the Data Protection Commissioner (https://dataportal.odpc.go.ke/).

Applications are submitted in the prescribed form and the registration fee is paid. Applicants are required to provide a copy of their founding documents and the following information—

  1. Description of personal data being processed, category of data subjects, purpose of processing and to whom the data will be disclosed.
  2. Categories of sensitive personal data being processed and the purpose of such processing.
  3. Personal data of the data controller and/or data processor.
  4. Measures taken to protect personal data.
  5. Where the applicant transfers data outside Kenya, the list of countries and the purpose of the data transfer.
  6. The address of the principal places of business of the data controller or data processor.
  7. Details of the data protection officer.
  8. Number of employees.
  9. Turnover for the previous year.

Where the Data Protection Commissioner is satisfied that the requirements have been fulfilled, she will issue a certificate of registration within 14 days and enter the details of the applicant in the register of data controllers and data processors.

Where the Data Protection Commissioner rejects the registration application, she shall notify the applicant within 21 days and provide reasons for such rejection. Where the application is declined, the applicant can make a fresh application.

Validity and Renewal of a Registration Certificate

The certificate of registration will be valid for 24 months from the date of issuance. Once the period lapses, the data controller or data processor will be required to make an application for renewal.

Offences for Non-Compliance

Though registration is an ongoing compliance issue, it is advisable for data controllers and data processors to register on or immediately after 14th July 2022, because the Data Protection Commissioner may investigate complaints regarding non-compliance by data controllers and data processors.

Further, a person commits an offence and shall be liable to a fine not exceeding KShs. 3,000,000.00 or imprisonment not exceeding 10 years, or both, where they—

  1. Process personal data outside their scope;
  2. Process personal data for any purpose other than the purpose for which they are registered to process;
  3. Disclose personal data to an unauthorized third party; or
  4. Transfer personal data to an undisclosed country or territory.

Registration and Renewal Fees Charged

Registration and renewal fees depend on the category into which a data controller or data processor falls.

| Category | Registration Fee Per Data Controller/Processor (Payable Once) | Renewal Fee Per Data Controller/Processor |
|---|---|---|
| Micro and Small Data Controllers/Processors – between 1 and 50 employees and an annual turnover/revenue of at most KShs 5,000,000 | KShs. 4,000 | KShs. 2,000 |
| Medium Data Controllers/Processors – between 51 and 99 employees and an annual revenue of between KShs 5,000,001 and KShs 50,000,000 | KShs. 16,000 | KShs. 9,000 |
| Large Data Controllers/Processors – more than 99 employees and an annual turnover of more than KShs 50,000,000 | KShs. 40,000 | KShs. 25,000 |
| Public entities – offering government functions (regardless of number of employees or revenue/turnover) | KShs. 4,000 | KShs. 2,000 |
| Charities and Religious entities – offering charity or religious functions (regardless of revenue/turnover) | KShs. 4,000 | KShs. 2,000 |

This alert is for informational purposes only and should not be taken to be a legal opinion. If you have any queries or need clarification on registration or how the Data Protection Regulations might affect you and/or your business, please do not hesitate to contact us at kamollomwalo.associates@gmail.com or +254113417179