Data Controller and Data Processor
The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 were published by the Data Protection Commissioner in the Kenya Gazette on 14th January 2022.
The Regulations provide the minimum thresholds for mandatory registration of Data Controllers and Data Processors (except for civil registration entities registered under separate regulations) and the procedure for registration.
The definitions of a Data Controller and a Data Processor are similar to the ones used in the Data Protection Act:
- A Data Controller is defined to mean the person who controls and determines the purpose and means for processing personal data.
- A Data Processor is defined to mean the person who processes personal data on behalf of the Data Controller.
- A Data Processor excludes employees of the Data Controller and has a contractual relationship with the Data Controller.
- The employees have no decision-making power on the purpose and means of processing personal data.
However, where a Data Processor processes personal data in any way other than as instructed by the Data Controller, the Data Processor shall be considered to be a Data Controller in respect of that processing activity, and would be required to register as a Data Controller.
The Data Protection Act requires mandatory registration of Data Controllers and Data Processors with the Data Commissioner, subject to them meeting prescribed thresholds. The Regulations provide that an organization is exempted from mandatory registration as follows:
‘A Data Controller or a data processor—
(a) whose annual turnover is below five million shillings or whose annual revenue is below five million shillings; and
(b) who employs less than ten people, is exempt from the mandatory registration under these Regulations.’
However, the Regulations provide a list of businesses that are excluded from the above exemption and must register with the Data Commissioner. These include:
- Canvassing political support among the electorate
- Crime prevention and prosecution of offenders
- Health administration and provision of patient care
- Hospitality industry firms excluding tour guides
- Property management including selling of land
- Provision of financial services
- Telecommunications network or service providers
- Businesses that are wholly or mainly in direct marketing
- Transport services firms (including online passenger hailing applications)
- Businesses that process genetic data
For entities required to register or those who voluntarily wish to register as Data Controllers and Data Processors, the requirements for registration are available at https://www.odpc.go.ke/register-data-controllers/ and are as follows:
(i) Completion of the prescribed application form provided in the Regulations;
(ii) The application must be accompanied by the following supporting documents:
- a copy of the establishment documents;
- particulars of the Data Controllers or data processors including name and contact details;
- a description of the purpose for which personal data is processed; and
- a description of categories of personal data being processed.
- Settle the payment.
(iii) You will be required to pay the prescribed registration fees. The overall fee payable for registration as provided under the Second Schedule of the Regulations is determined on the basis of turnover and employee count.
This means that the fee payable depends on the amount of money made by the business within a particular period. The turnover classification ranges from organizations that have an annual turnover of less than KES 2,000,000 to organizations that have an annual turnover of KES 50,000,000.
The above information may be amended within 14 days of any change through registration at https://www.odpc.go.ke/register-data-controllers/.
It is an offence to fail to register or to provide further misleading information.