Frequently Asked Questions

Is an incident where information is compromised or taken from a system without the knowledge or authorization of the system’s owner.

That is dependent on the comment made. More details on the duration can be found on our “What we do” page.

Registration of Data Controllers and Processors

FREQUENTLY ASKED QUESTIONS

Section 18 of the Data Protection Act, 2019 and Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 require that all public and private organizations and individuals processing personal data register with the ODPC.

Registration commences on 14 July 2022, using the online application portal developed and managed by the ODPC.

1. Why is registration required?

Registration is just one, but a very important, element of compliance with the data protection legislation, as entities, including individuals, cannot act as data controllers or data processors in Kenya unless they have registered with the ODPC.

Registration goes beyond compliance: by providing the prescribed information to the ODPC, entities play their part in ensuring a transparent and accountable data processing ecosystem which encourages the upholding and safeguarding of the privacy rights of persons in Kenya. As society sees an exponential increase in the use of new technologies and an accelerating pace of digitalization, it is essential that individuals know how the entities that process their data comply with the law; this increases trust and contributes to economic growth.

Registration also gives the ODPC an additional tool to promote Data Protection compliance and effectively regulate the processing of data to minimize potential harm, damage or distress caused to individuals.

2. What is personal data?

Any information relating to an identified or identifiable natural person, for example a person’s full name, identity card number, date of birth, gender, physical and postal address, phone number, location data or an online identifier. Personal data doesn’t have to be in written form; it can also be information about what a data subject looks or sounds like, for example biometrics, genetic data, photos, and audio or video recordings.

3. What is sensitive data?

Under the Data Protection Act, 2019 (DPA), this means data revealing a person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including the names of a person’s children, parents, spouse or spouses, sex, or sexual orientation. It is personal data that requires additional protection due to the high risk an individual is likely to face if it is accessed by unauthorized persons or entities.

4. Who is a data controller?

A natural or legal person, public authority, agency, or other body which alone, or jointly with others, determines the purpose and means of processing personal data. For example, telecommunication operators, hotels, hospitals, insurance companies, educational institutions, mobile money or loan vendors, betting companies, retailers, government departments, professional service providers, independent commissions, charities and religious entities.

5. Who is a data processor?

A natural or legal person, public authority, agency, or other body which alone or jointly with others processes personal data on behalf of the data controller. A Data Processor processes personal data based on a contractual arrangement that it has with the Data Controller. For example, agents for telecommunication operators or a service provider, cloud computing providers that store personal information on behalf of a data controller; CRM or ERP solution providers with access to personal data.

The data processor is usually a third party external to the data controller, not the employees of the data controller.

6. Are there exemptions from mandatory registration of data controllers and data processors?

Data controllers or data processors whose annual turnover/revenue is below five million shillings and who employ fewer than ten people are exempt from mandatory registration under the Registration Regulations.

However, organisations processing personal data for the purposes listed under Question 8, even if their annual turnover/revenue is below five million shillings and they employ fewer than ten people, are not exempt from mandatory registration.

7. What if I meet one of the requirements for exemption but not both?

Where a data controller or data processor does not meet both requirements, namely an annual turnover/revenue of less than Kshs. 5 million and fewer than ten employees, it will not be exempt and must register.

For example, if a data controller or data processor has an annual turnover of more than five million shillings but fewer than 10 employees, the entity will be required to pay Kshs. 4,000/-. If the entity has more than 10 employees and less than Kshs. 5 million in annual turnover or revenue, it will be required to register as a Micro and Small Data Controller or Data Processor.

8. What sectors/categories of data controllers and data processors are not exempt from mandatory registration?

Data controllers or data processors processing personal data for the purposes listed below are not exempt from mandatory registration, regardless of their annual turnover/revenue and the number of employees they have:

  • Canvassing political support among the electorate.
  • Operating Credit Bureaus.
  • Crime prevention and prosecution of offenders (including operating security CCTV systems) – including private security service providers.
  • Debt administration and factoring.
  • Gaming and betting operators.
  • Provision of education.
  • Health administration and provision of patient care.
  • Hospitality industry firms.
  • Insurance administration and undertakings.
  • Faith based or religious institutions.
  • Retirement benefits administration.
  • Property management including the selling of land.
  • Provision of financial services.
  • Telecommunications network or service providers.
  • Businesses that are wholly or mainly in direct marketing.
  • Internet access providers.
  • Transport services firms (including online passenger hailing applications).
  • Public sector bodies.
  • Businesses that process genetic data.

9. Does a data controller or data processor have to be established in Kenya?

The law applies to data controllers and data processors processing data about data subjects located in Kenya. A data controller or data processor not established or residing in Kenya that processes the personal data of persons resident in Kenya will be required to register.

10. What is the process for registration?

  • Registration commences on 14 July 2022. Applications are to be submitted electronically through the ODPC’s website (https://www.odpc.go.ke/) in the prescribed form, together with payment of the registration fees. The required organisational details must be submitted as well as a description of the processing activities.
  • Where the Data Commissioner is satisfied that the applicant has fulfilled the requirements, a certificate of registration will be issued within 14 days and an entry of the details of the applicant will be made in the register of data controllers and data processors.
  • The certificate of registration will be valid for a period of 24 months from the date of issuance. A certificate of registration is renewable every 24 months and an application for renewal will need to be made at the appropriate time.
  • Where the Data Commissioner is dissatisfied and rejects the registration application, the Data Commissioner shall notify the applicant within 21 days and provide reasons. Where the application has been declined, the applicant may make a fresh application.

11. What are the timelines for registration?

  • The Data Protection Regulations on Registration of Data Controllers and Processors take effect on 14 July 2022. Therefore, registration will commence on this date.
  • The requirement to register is an ongoing compliance obligation, and data controllers and data processors are advised to register on, or as soon as possible after, 14 July 2022.
  • Data controllers and data processors will be expected to submit applications for registration from 14 July 2022. The Data Commissioner may investigate complaints where a data controller or processor has failed to take the steps necessary to commence compliance with the Data Protection Act or the Registration Regulations.

12. How much are the registration fees?

The registration fees depend on the category within which the data controller or data processor falls. The Registration Regulations classify profit-making or private sector data controllers and data processors, for purposes of registration, into three tiers:

  • Micro and small data controllers/processors (those with an annual turnover/revenue of up to Kshs. 5 million and 1 to 50 employees);
  • Medium data controllers/processors (those with an annual turnover/revenue of above Kshs. 5 million but not more than Kshs. 50 million and 51 to 99 employees);
  • Large data controllers/processors (those with an annual turnover/revenue of more than Kshs. 50 million and more than 99 employees).

Public entities and non-profit entities such as charities and religious entities (regardless of revenue/turnover) are also required to register.

Registration fee in Kshs. per Data Controller/Processor (payable once), by category:

  • Micro and Small Data Controllers/Processors (between 1 and 50 employees and an annual turnover/revenue of at most Kshs 5 million): Kshs. 4,000/-
  • Medium Data Controllers/Processors (between 51 and 99 employees and an annual turnover/revenue of between Kshs 5,000,001 and Kshs 50,000,000): Kshs. 16,000/-
  • Large Data Controllers/Processors (more than 99 employees and an annual turnover/revenue of more than Kshs 50 million): Kshs. 40,000/-
  • Public entities offering government functions (regardless of number of employees or revenue/turnover): Kshs. 4,000/-
  • Charities and religious entities offering charity or religious functions (regardless of revenue/turnover): Kshs. 4,000/-

13. What if I do not meet one of the tier requirements?

To graduate to the next tier for purposes of payment, a data controller or data processor must meet both requirements.

For example, if a data controller or data processor has an annual turnover/revenue of more than Kshs. 5 million but has 10 employees, it will be required to register as a Micro and Small Data Controller/Processor and will pay Kshs. 4,000/-.

Another example: if a data controller or data processor has an annual turnover/revenue of Kshs. 53 million and has 51 employees, it will register as a Medium Data Controller/Processor.

14. Why is the registration of data controllers and data processors important?

It is part of the ODPC’s mandate to promote and protect the right to privacy by ensuring that data controllers and data processors adhere to their obligations under the DPA and the Regulations. By doing this, we foster a culture of compliance and create an environment in which data protection can thrive.

15. How can data controllers and data processors get ready for registration?

  • Ensure all the requirements for registration are ready, including:
      • a copy of establishment documents;
      • particulars of the data controller or processor, including name and contact details;
      • a description of the purposes for which personal data is processed, e.g. payroll, invoicing, Know Your Customer (KYC), registration, etc.;
      • a description of the categories of personal data processed, e.g. name, address, identification number;
      • a description of the categories of data subjects, e.g. employees, clients, students, suppliers, shareholders;
      • the recipients to whom personal data is disclosed, e.g. KRA, CBK, among other requirements as per the Regulations;
      • the previous annual turnover/revenue of the entity seeking to be registered.
  • Put measures in place for the protection of personal data by identifying risks to personal data (e.g. unauthorized access/disclosure, theft, etc.) and putting in place safeguards, security measures and mechanisms to protect personal data (e.g. access control, visitors’ logbook, privacy policy, information security policy, etc.).
  • Familiarize yourself with the provisions of the Act and adopt practices that promote compliance.

16. How should I register if I act as both a data controller and a data processor?

If you are both a data controller and a data processor, you will be required to register twice, once as a data controller and once as a data processor. These are two separate applications that incur two separate fees.

17. How long is the certificate of registration valid, and can it be renewed?

The Certificate of Registration is valid for 24 months, unless it is cancelled by the Data Commissioner.

18. What if my application is rejected?

The Data Commissioner will write to you within 21 days of your application being rejected. Reasons for the rejection will be provided in the written refusal notice.

A data controller or data processor whose application has been rejected can make a fresh application to the Data Commissioner upon complying with the requirements specified in the refusal notice. This will incur a new registration fee.

19. What if my entity’s circumstances change after registration?

Where there is a change in any of the particulars in your application after payment of the registration fee, a data controller or data processor should, within 14 days of the date of the change, notify the Office of the Data Protection Commissioner in writing of the nature of the change through registration@odpc.go.ke.

20. When should a data controller or data processor renew their certificate of registration?

A certificate of registration is valid for 24 months following issuance. A data controller or data processor is obligated to make an application for renewal at least 30 days prior to the expiration of the certificate.

21. What are the costs for renewal of a certificate?

Renewal fee in Kshs. per Data Controller/Processor (payable once), by category:

  • Micro and Small Data Controllers/Processors (between 1 and 50 employees and an annual turnover/revenue of at most Kshs 5 million): Kshs. 2,000/-
  • Medium Data Controllers/Processors (between 51 and 99 employees and an annual turnover/revenue of between Kshs 5,000,001 and Kshs 50,000,000): Kshs. 9,000/-
  • Large Data Controllers/Processors (more than 99 employees and an annual turnover/revenue of more than Kshs 50 million): Kshs. 25,000/-
  • Public entities offering government functions (regardless of number of employees or revenue/turnover): Kshs. 2,000/-
  • Charities and religious entities offering charity or religious functions (regardless of revenue/turnover): Kshs. 2,000/-

22. What methods of payment are available?

Following successful completion of the application, the following payment methods will be available:

  • Mpesa
  • Credit/Debit Card Payments
  • Electronic Fund Transfers (RTGS)
  • Cheque

The Office is working to integrate all other mobile money payments.

23. Is there an additional charge over and above the registration fee?

Payments by mobile money such as Mpesa and by credit/debit card will attract an additional Kshs. 50/- fee as a transaction cost.

In-bank payments and electronic fund transfers will not attract this transaction/convenience fee.

24. At what point will my registration application be reviewed by the Office of the Data Protection Commissioner?

Applications will be reviewed following confirmation of payment. Therefore, if you make a payment by cheque, we will receive confirmation once the cheque has cleared, and your application will then be queued for approval.

25. If I have any questions on registration, how can I contact the Office of the Data Protection Commissioner?

You can contact the Office through the following means:

Email: registration@odpc.go.ke

Phone numbers: +254 778 048 164, +254 796 954 269, +254 752 896 867

WhatsApp numbers: +254 752 896 867, +254 778 048 164

26. If I want further information on registration, is there a Guidance Note I can access?

The Office of the Data Protection Commissioner published a Guidance Note on Registration of Data Processors and Data Controllers, which can be found here.

27. If I wish to make a complaint, how can I contact the Office?

You may make a complaint on our website www.odpc.go.ke or send an email to complaint@odpc.go.ke.
