The Data Protection Act, No. 24 of 2019 (“the DPA”), which became effective on 25th November, 2019, established a framework for the protection of personal data in Kenya. The DPA introduced various requirements to ensure the protection of personal data, including the mandatory registration of data controllers and data processors.
To provide clarity on the registration requirements for data controllers and data processors, the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (“the Regulations”) were published in the Kenya Gazette on 14th January, 2022. These Regulations outline the specific requirements for registering data controllers and data processors.
The definition of a data controller and a data processor
The definition of a data controller and a data processor is set out in Section 2 of the DPA as follows:
- A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.
- A data processor is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
From the definition, if a data processor acts beyond the data controller’s instructions, it assumes the role of a data controller for those activities and must be registered accordingly.
Registration of a data controller and a data processor
Section 18 of the DPA stipulates that no person shall act as a data controller or data processor unless registered with the Office of the Data Protection Commissioner (“the ODPC”). Further, the Regulations specify that data controllers and data processors with an annual turnover or revenue of KES 5,000,000 and above, as well as those with more than 10 employees, are required to be registered.
The Regulations require mandatory registration of data controllers and data processors in specific sectors, including: canvassing political support among the electorate, crime prevention and prosecution of offenders, gambling, operating an educational institution, health administration and provision of patient care, hospitality industry firms (excluding tour guides), property management, including the sale of land, provision of financial services, telecommunications networks or service providers, businesses that are wholly or mainly in direct marketing, transport service firms (including online passenger hailing applications) and businesses that process genetic data.
The registration requirements
Article 19 of the DPA and Regulation 5 of the Regulations provide that an application for the registration of a data controller or processor shall contain the following:
- a copy of the establishment documents;
- the particulars of the data controllers or data processors including the name and contact details;
- a description of categories of personal data being processed;
- a description of the personal data to be processed by the data controller or data processor;
- a description of the purpose for which the personal data is to be processed;
- the category of data subjects to which the personal data relate;
- the contact details of the data controller or data processor;
- a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of personal data;
- any measures to indemnify the data subject from unlawful use of data by the data processor or data controller; and
- any other details as may be prescribed by the Data Commissioner.
Applications for the registration of a data controller or processor are to be submitted electronically through the ODPC’s website (https://www.odpc.go.ke/) in the prescribed form and on payment of the registration fees.
The registration process
Upon submission, the ODPC shall review the application within fourteen (14) days and issue a certificate of registration, which shall be valid for a period of twenty-four (24) months from the date of issuance and is renewable for a further period of twenty-four (24) months thereafter.
Where the ODPC is dissatisfied with and rejects the registration application, the ODPC shall notify the applicant within twenty-one (21) days and shall provide reasons for the rejection.
Key Considerations for a smooth registration process
- Accuracy of Information: Applicants should ensure that all information provided in the application is accurate and complete; inaccurate or incomplete information can lead to the rejection of the application and the resulting delays.
- Separate Applications for Dual Roles: If an entity functions as both a data controller and a data processor, separate applications must be submitted for each role, each with the applicable registration fees.
- Ongoing Compliance: Compliance with the DPA involves more than registration; it requires ongoing adherence to the data protection principles and obligations as set out in the DPA.
Should you have any questions or require clarifications, please contact us at info@cfllegal.com.