Introduction
The Data Protection Act (DPA) came into force in 2019, introducing an entire regime of protecting personal data. This ultimately introduced various requirements and obligations aimed at safeguarding personal data, with one key requirement being the registration of data controllers and data processors. Subsequently, the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the Regulations) was published so as to further provide the details of the registration requirements, with the operationalization of the Regulations coming into force on the 14th of July 2022. As such, the applications for registrations will begin from this date, via the online platform of Office of the Data Protection Commissioner (the ODPC).Data Controller or Data Processor?
A person shall register as a data controller, where the person determines the purpose and means for processing personal data, or as a data processor, where the person processes personal data on behalf of the data controller, to the exclusion of employees of the data controller. A data processor should have a contractual relationship with the data controller and should not have any decision-making power on the purpose and means of processing personal data. A data controller may also apply for registration as both a data controller and a data processor with regards to any processing operations and shall be required to pay the requisite fees applicable for both a data controller and a data processor.Requirements for Registration
The Regulations provide thresholds for registration where data controllers and data processors with an annual turnover or revenue of KES 5,000,000 and above, as well as those holding more than 10 employees are required to register with the ODPC. In addition, the Regulations require the mandatory registration of a data controller or data processor in areas and industries dealing with;- canvassing of political support among the electorate;
- crime prevention and prosecution of offenders;
- gambling;
- health administration and provision of patient care;
- hospitality industry firms excluding tour guides;
- property management including selling of land;
- provision of financial services;
- telecommunications network or service providers;
- businesses that are wholly or mainly in direct marketing;
- transport services firms (including online passenger hailing applications); and
- businesses that process genetic data
- a description of the personal data to be processed by the data controller or data processor;
- a description of the purpose for which the personal data is to be processed;
- the category of data subjects, to which the personal data relates;
- contact details of the data controller or data processor;
- a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of personal data;
- any measures to indemnify the data subject from unlawful use of data by the data processor or data controller; and
- any other details as may be prescribed by the Data Commissioner.
- a copy of the data controller/processor establishment documents;
- particulars of the data controllers or data processors including name and contact details; and
- a description of categories of personal data being processed.
Review of the Application
Once an application for registration is submitted, the ODPC will review the application and issue a certificate of registration within fourteen (14) days of receiving an application. In the event that the ODPC is not satisfied with the information provided, Regulation 10(2)(b) of the Registration Regulations provides that the ODPC may decline to register an applicant on the following grounds:- the particulars provided for inclusion in an entry in the register are insufficient;
- appropriate safeguards for privacy protection of the data subject have not been provided by the data controller or data processor; or
- the data controller or data processor is in violation of any provisions of the DPA and the Regulations.
Registration Fees
Large data controllers or data processors, being one with more than 99 employees and an annual turnover/revenue of more than KES 50 Million, are required to pay a fee of KES 40,000 per registration, which is payable once, as well as a fee of KES 2,000 for renewal of the registration, payable every 2 years. On the other hand, micro and small data controllers and data processors with between 1 and 50 employees and an annual turnover/revenue of a maximum of KES 5Million, are required to pay a fee of KES 4,000 per registration that is payable once, as well as a fee of KES 2,000 for the renewal, payable every 2 years. Medium data controllers and data processors holding between between 51 and 99 employees and with an annual turnover/revenue of between KES 5,000,001 and maximum of KES 50,000,000 are mandated to pay a fee of KES 16,000 during registration, an amount payable once, with a renewal fee of KES 9,000 that is payable every 2 years.Certificate of Registration
Following a successful application, the data controller/processor will be issued with a Certificate of Registration by the ODPC and shall be duly entered into the register of data controllers and data processors, which is maintained by the ODPC. The Certificate of Registration is valid up to twenty-four (24) months from the date of issuance and once this period lapses, the data controller or data processor is expected to apply for a Certificate of Renewal. However, the data controller or processor will be required to apply for registration afresh in the event that it intends to process additional categories of personal data than the approved ones, or the if person processes data for a different purpose from the purpose served when it made its initial registration.Conclusion
Please note that the registration process is anticipated to begin on 14th July, 2022 and we at CM Advocates LLP, are happy provide assistance in your Organization’s registration process. Further, if you require any clarification on the same, please do not hesitate to contact us.Related Services: Cyber Security, Privacy & Data ProtectionRelated blogs & news
What you need to know about the Data Protection Act, 2019
For a long time, Kenya has lacked a comprehensive personal data protection legislation which has been quite necessary in this age of digital use and access. This has exposed citizens to the risk of their personal data being misused. ...
The Data Protection Act: A Series
The Data Protection Act, No. 24 of 2019 (the DPA) was enacted into law on 11 November 2019 through Gazette Supplement Number 181. The provisions of the DPA gives life to Article 31 (c) and (d) of the Constitution of Kenya which guarantees the right to privacy including the right of a person not to have information relating to their family or private affairs unnecessarily required or revealed and the right not to have the privacy of their communications infringed....
Data Subject - What you need to know
The Data Protection Act, No. 24 of 2019 (the DPA), introduced various concepts and principles aimed at bringing to life the right to privacy enshrined under our Constitution. ...
Data Security Today
Technology has so strongly been synced to our everyday lives and as a result, data security is both personal and a corporate consideration. Personal computer and mobile phone users are faced with concerns on the accessibility of their devices and the data contained in the same way that businesses are concerned with customer data....
Notification of Data Breach
One of the distinct changes made to the way we handle and perceive personal data relates to responding to a breach of personal data....
Share this blogLinkedIn Twitter Facebook Print