Introduction
The Data Protection Act (DPA) came into force in 2019, introducing an entire regime for the protection of personal data. It imposes various requirements and obligations aimed at safeguarding personal data, one key requirement being the registration of data controllers and data processors. Subsequently, the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the Regulations) were published to set out the details of the registration requirements, and the Regulations were operationalised with effect from 14 July 2022. Applications for registration are therefore accepted from that date, through the online platform of the Office of the Data Protection Commissioner (the ODPC).
Data Controller or Data Processor?
A person shall register as a data controller where the person determines the purpose and means of processing personal data, or as a data processor where the person processes personal data on behalf of a data controller. Employees of the data controller are excluded from the definition of a data processor. A data processor should have a contractual relationship with the data controller and should have no decision-making power over the purpose and means of processing personal data. A data controller may also apply for registration as both a data controller and a data processor in respect of any processing operations, and will be required to pay the fees applicable to both a data controller and a data processor.
Requirements for Registration
The Regulations set thresholds for registration: data controllers and data processors with an annual turnover or revenue of KES 5,000,000 and above, as well as those with more than 10 employees, are required to register with the ODPC. In addition, the Regulations require the mandatory registration of data controllers and data processors in the following areas and industries:
- canvassing of political support among the electorate;
- crime prevention and prosecution of offenders;
- gambling;
- health administration and provision of patient care;
- hospitality industry firms, excluding tour guides;
- property management, including the selling of land;
- provision of financial services;
- telecommunications network or service providers;
- businesses that are wholly or mainly in direct marketing;
- transport services firms (including online passenger hailing applications); and
- businesses that process genetic data.
For purposes of registration, section 19 of the DPA provides that the particulars to be supplied include:
- a description of the personal data to be processed by the data controller or data processor;
- a description of the purpose for which the personal data is to be processed;
- the category of data subjects to which the personal data relates;
- contact details of the data controller or data processor;
- a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of personal data;
- any measures to indemnify the data subject against unlawful use of data by the data processor or data controller; and
- any other details as may be prescribed by the Data Commissioner.
Further, Regulation 5 of the Regulations provides that the application for registration above shall be accompanied by:
- a copy of the data controller's or data processor's establishment documents;
- particulars of the data controller or data processor, including name and contact details; and
- a description of the categories of personal data being processed.
The application for registration of a data controller or data processor containing the above information shall be made in Form DPR1, provided in the Regulations, and submitted electronically through the ODPC’s website (https://www.odpc.go.ke/). Additional information required by the form includes the details of the applicant, details of any sensitive personal data obtained, details of any transfer of data outside Kenya and a description of the protection measures in place.
To register as a data controller or data processor, the following steps are to be followed:
- Through the ODPC website, access the online application portal under the E-Services tab in the menu.
- Create an account on the portal using a valid and accurate email address and a strong password.
- Complete the application form by filling in the name and contact information of the data controller or data processor, the category of the data controller/processor, the categories and purposes of the personal data processed, a description of the categories of data subjects, details of revenue/annual turnover, the security protocols in place, agreements for the transfer and sharing of the personal data (including whether any cross-border transfers are involved and the arrangements with third parties) and, where applicable, the details of the Data Protection Officer. The contact details given must be accurate and valid.
- Pay the registration fee, which varies with the category of data controller or processor, each category being determined by annual turnover. Payments can be made through M-Pesa, credit or debit card, electronic funds transfer or cheque. Alternatively, payment can be made at the ODPC offices.
- Submit the application to the ODPC. Where an application has not been filed properly, the ODPC’s representative will often send it back with corrections to be made; the ODPC then takes a further 14 days from the date of resubmission to review or approve the application.
- Where the Data Commissioner is satisfied with the application, a certificate of registration is issued within 14 days (28 days in total if corrections were required). The certificate of registration is valid for a renewable period of 2 years from the date of issuance.
- If the application is declined, the applicant will be notified within 21 days with a reasoned explanation and may make a fresh application.
- Entities that are both a data controller and a data processor register as both by making two separate applications, one after the other, and the applicable fees apply to each application.
Review of the Application
Once an application for registration is submitted, the ODPC will review the application and issue a certificate of registration within fourteen (14) days of receiving it. Where the ODPC is not satisfied with the information provided, Regulation 10(2)(b) of the Regulations provides that the ODPC may decline to register an applicant on the following grounds:
- the particulars provided for inclusion in an entry in the register are insufficient;
- appropriate safeguards for the privacy protection of data subjects have not been provided by the data controller or data processor; or
- the data controller or data processor is in violation of any provision of the DPA or the Regulations.
Registration Fees
Micro and small data controllers and data processors, being those with between 1 and 50 employees and an annual turnover/revenue of at most KES 5 million, pay a registration fee of KES 4,000, payable once, and a renewal fee of KES 2,000, payable every 2 years. Medium data controllers and data processors, being those with between 51 and 99 employees and an annual turnover/revenue of between KES 5,000,001 and KES 50,000,000, pay a registration fee of KES 16,000, payable once, and a renewal fee of KES 9,000, payable every 2 years. Large data controllers and data processors, being those with more than 99 employees and an annual turnover/revenue of more than KES 50 million, pay a registration fee of KES 40,000, payable once, and a renewal fee of KES 2,000, payable every 2 years.
Certificate of Registration
Following a successful application, the data controller/processor is issued with a Certificate of Registration by the ODPC and is entered into the register of data controllers and data processors maintained by the ODPC. The Certificate of Registration is valid for up to twenty-four (24) months from the date of issuance; once this period lapses, the data controller or data processor is expected to apply for a Certificate of Renewal. However, the data controller or processor will be required to apply for registration afresh if it intends to process categories of personal data beyond those approved, or if it processes personal data for a purpose different from the one stated in its initial registration.
Conclusion
If you are a data controller or processor, what are you waiting for? Get that registration certificate as soon as possible. Registration, however, is only one of a wider range of obligations that must be met under the Data Protection Act. Compliance is a process and not a one-time destination, and the journey of a thousand miles begins with a single step.