Registration of Data Controllers and Processors
Register as a Data Controller and/or Data Processor with the Office of Data Protection Commissioner (ODPC)
Section 18 of the Data Protection Act, 2019 and Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 require that all public and private organizations and individuals processing personal data register with the ODPC.
Registration commences on 14 July 2022, using the online application portal developed and managed by the ODPC.
Why is registration required?
Registration is just one, but very important, element of compliance with the data protection legislation as entities, including individuals, cannot act as Data Controllers or Data Processors in Kenya unless they have registered with the ODPC.
Registration goes beyond compliance: by providing the prescribed information to the ODPC, entities play their part in ensuring a transparent and accountable data processing ecosystem which encourages the upholding and safeguarding of privacy rights of persons in Kenya. As society sees an exponential use of new technologies and the increased pace of digitalization, it is essential that individuals know how entities that are processing their data comply with the law, which helps increase trust and contributes to economic growth.
Registration also gives the ODPC an additional tool to promote Data Protection compliance and effectively regulate the processing of data to minimize potential harm, damage or distress caused to individuals.
Who needs to register?
Data Controllers and Data Processors established in Kenya or processing personal information of individuals located in Kenya will have to register with the ODPC, unless they are exempt from mandatory registration.
Who is exempt from mandatory registration?
The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 provide for some exemptions from the mandatory registration. The table below illustrates which organisations must register with the ODPC, and those which may be exempted.
Civil registration entities (such as the Office of the Registrar of Persons) Exempt
Any entities processing personal data for activities, or in the following sectors, regardless of their annual turnover/revenue or number of employees:
• political canvassing,
• crime prevention,
• health administration and provision of patient care,
• property management,
• financial services,
• direct marketing,
• transport, and
• processing of genetic data
Data controllers and data processors (not processing personal data for one of the above activities or in one of the above sectors)
– with an annual turnover or annual revenue below KES 5 million; and
– with fewer than 10 employees.
What information must be provided during the registration?
Entities making an application will need to complete an online form. The information required as part of the process includes:
• basic details about the registering entity;
• the categories and description of personal data being collected and processed and the purpose for such processing;
• if personal data is transferred outside Kenya, the name of the country(ies) to which personal data is to be transferred; and
• risks to personal data and safeguards to reduce or mitigate against such risks.
The application must be accompanied by a copy of the establishment documents or proof of registration such as CR12, Partnership Deed, Society registration, or a copy of an ID for individuals that are required to register.
Is there a registration fee?
The registration process includes the payment of a prescribed fee, which varies depending on the category within which the data controller or data processor falls. The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 classifies data controllers and data processors for the purposes of registration/certificate renewal fees as outlined below:
Registration fee in Kshs. per Data Controller/Processor (payable Once)
Renewal fee in Kshs. per Data Controller/Processor (after every 2 years)
Micro and Small Data Controllers/Processors – with between 1 and 50 employees and an annual turnover/revenue of a maximum of Kshs 5 Million
Medium Data Controllers/Processors – with between 51 and 99 employees and an annual turnover/revenue of between Kshs 5,000,001 and maximum of Kshs 50,000,000
Large Data Controllers/Processors – with more than 99 employees and an annual turnover/revenue of more than Kshs 50 Million
Public entities – offering government functions (Regardless of number of employees or revenue/turnover)
Charities and Religious entities – offering charity or religious functions (Regardless of revenue/turnover)
Can I register as a Data Controller and Data Processor?
An entity can register as a data controller and data processor. However, these are two separate registration processes. Therefore, a separate fee will be charged for each registration.
All entities must first establish whether they are a data controller or data processor; or whether they are both a data controller and data processor.
Who is a Data Controller and who is a data processor?
A data controller is defined as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.
A data processor is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. A data processor has no decision-making power relating to the purpose of processing and operates under a contractual agreement between the data processor and the data controller. Further, an employee of a data controller is not a data controller for the purposes of registration under the Act.
What happens if my organization processes data without registration?
As registration is mandatory in most cases, it will be an offence for an entity that is not exempt from mandatory registration to process data without registering, or to fail to renew its certificate of registration and continue to process personal data after the expiry of its certificate.
An offence will also be committed if false or misleading information is provided as part of the registration. In addition to penalties that may attach to provision of false or misleading information, an entity may have its certificate of registration revoked.
What happens after I have registered my organization?
Upon submission of the online application and confirmation of the payment of the registration fees, the ODPC will verify the information provided and, if satisfied, issue the applicant with a certificate of registration and enter the successful applicant’s details in the register of data controllers and/or data processors.
The certificate of registration issued is valid for a period of two (2) years (renewable).