I&M Bank House, 7th Floor, 2nd Ngong Avenue

+254 716 209 673


Who is a Data Controller or a Data Processor?

CM Advocates > Legal News  > Who is a Data Controller or a Data Processor?

Who is a Data Controller or a Data Processor?

The Data Protection Act, No. 24 of 2019 (the DPA), introduced various concepts and principles aimed at bringing to life the right to privacy enshrined under our Constitution.  The DPA categorizes persons that processes personal data as either “data controller” or “data processor”.

In simple terms, the data controller controls the procedures and purpose of data usage. In some instances, the data controller may work with a third-party or outsource to an external service provider to process the data that has been collected. The third-party company that the data controller chose to use and process the data is called the data processor. The data processor therefore, simply processes any data that the data controller gives them.

The data controller will remain in control of the data by specifying how the data is going to be used and processed by the data processor. The data processor does not own or control the data but just follows the instructions given by the data controller. There are instances where one may be both a data controller and data processor.

Data controller is defined in the DPA as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. This means that any person holding personal data and has the authority to determine the use of such data will be deemed a data controller.

Data processor on the other hand is defined in the DPA as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

The definitions would capture almost anyone holding personal data, including employers holding their employees’ personal data to businesses holding their clients’ (or customers’) information and persons or organizations requiring customer information in order to provide services or for purposes of client identification (Know Your Client procedures).

Registration of Data Controller & Data Processor
The DPA provides for a mandatory requirement for the registration of data controllers and data processors with the Data Commissioner where certain thresholds are met. Failure to comply with this registration requirement is a criminal offence. However, the thresholds are yet to be prescribed as the DPA is fairly new and the first Data Commissioner has only recently been appointed. As such, we can expect the thresholds for mandatory registration to be published in the coming weeks.

The Data Commissioner shall issue a certificate of registration where a data controller or data processor meets the requirements, which shall be valid for a period determined at the time of the application, considering the need for the for certificate. This certificate may also be varied or cancelled by the Data Commissioner in the event misleading information is given or for failure to comply with the provisions of the DPA.

The DPA imposes a number of obligations on the data controller and data processor, and likewise attracts a penalty for failure of compliance. We shall look further into the roles and responsibilities of both in the coming weeks.

Data Controller Responsibilities

You are the data controller if your company or organization decides:
•  To collect the personal information of your employee, customers, site visitors, and other targets. You must have legal authority to do so.
•    What to collect.
•    To change or modify the data that you get.
•    Where and how to use the data and towards what purpose.
•    Whether to keep the data in-house or to share it with third parties.
•    How long the data is kept, and when to dispose of it.

Data Processor Responsibilities
A data processor is the one who carries out the actual processing of the data under the specific instructions of the data controller. You are the data processor if you are instructed or tasked by a data controller to perform some of the following:

•    Design, create, and implement IT processes and systems that would enable the data controller to gather personal data.
•    Use tools and strategies to gather personal data.
•    Implement security measures that would safeguard personal data.
•    Store personal data gathered by the data controller.
•  Transfer data from the data controller to another organization and vice versa.

Why it’s Important to Understand Your Role
A data controller and a data processor have different roles and responsibilities. It is important to know which role you play. For instance, in the event of a data breach the risk exposure will be different for a data controller and a data processor. It is therefore important to know your obligations under the DPA.
For more information, please contact our corporate team through email or


× How can I help you?