Introduction
The Data Protection Act, 2019 (the DPA) came into force in 2019 and introduced a comprehensive regime for the protection of personal data. Among the requirements and obligations it imposes to safeguard personal data, one key requirement is the registration of data controllers and data processors. The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the Regulations) were subsequently published to set out the details of the registration requirements, and the Regulations were operationalised on 14 July 2022. Applications for registration are therefore accepted from that date through the online platform of the Office of the Data Protection Commissioner (the ODPC).
Data Controller or Data Processor?
A person registers as a data controller where the person determines the purpose and means of processing personal data, and as a data processor where the person processes personal data on behalf of a data controller; employees of the data controller are excluded from the definition of data processor. A data processor should have a contractual relationship with the data controller and should have no decision-making power over the purpose and means of processing the personal data.
A data controller may also apply for registration as both a data controller and a data processor with regards to any processing operations and shall be required to pay the requisite fees applicable for both a data controller and a data processor.
Requirements for Registration
The Regulations set thresholds for registration: data controllers and data processors with an annual turnover or revenue of KES 5,000,000 and above, as well as those with more than 10 employees, are required to register with the ODPC. In addition, the Regulations make registration mandatory for data controllers and data processors operating in the following areas and industries:
- canvassing of political support among the electorate;
- crime prevention and prosecution of offenders;
- gambling;
- health administration and provision of patient care;
- hospitality industry firms excluding tour guides;
- property management including selling of land;
- provision of financial services;
- telecommunications network or service providers;
- businesses that are wholly or mainly in direct marketing;
- transport services firms (including online passenger hailing applications); and
- businesses that process genetic data.
For purposes of registration, section 19 of the DPA lists the particulars to be provided, which include:
- a description of the personal data to be processed by the data controller or data processor;
- a description of the purpose for which the personal data is to be processed;
- the category of data subjects, to which the personal data relates;
- contact details of the data controller or data processor;
- a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of personal data;
- any measures to indemnify the data subject from unlawful use of data by the data processor or data controller; and
- any other details as may be prescribed by the Data Commissioner.
Further, Regulation 5 of the Regulations provides that the application for registration above shall be accompanied by—
- a copy of the data controller/processor establishment documents;
- particulars of the data controllers or data processors including name and contact details; and
- a description of categories of personal data being processed.
This application for registration of a data controller or data processor containing the above information shall be made in Form DPR1 provided in the Regulations and submitted electronically through the ODPC’s website (https://www.odpc.go.ke/). Some additional information required by the form includes the details of the applicant, details of the sensitive personal data obtained (if any), details of any transfer of data outside Kenya and a description of the measures of protection.
Review of the Application
Once an application for registration is submitted, the ODPC reviews it and issues a certificate of registration within fourteen (14) days of receiving the application. Where the ODPC is not satisfied with the information provided, Regulation 10(2)(b) of the Regulations allows it to decline to register an applicant on any of the following grounds:
- the particulars provided for inclusion in an entry in the register are insufficient;
- appropriate safeguards for privacy protection of the data subject have not been provided by the data controller or data processor; or
- the data controller or data processor is in violation of any provisions of the DPA and the Regulations.
Registration Fees
The registration and renewal fees depend on the size of the data controller or data processor:
- Micro and small data controllers and data processors, with between 1 and 50 employees and an annual turnover/revenue of at most KES 5,000,000, pay a one-off registration fee of KES 4,000 and a renewal fee of KES 2,000 payable every 2 years.
- Medium data controllers and data processors, with between 51 and 99 employees and an annual turnover/revenue of between KES 5,000,001 and KES 50,000,000, pay a one-off registration fee of KES 16,000 and a renewal fee of KES 9,000 payable every 2 years.
- Large data controllers and data processors, with more than 99 employees and an annual turnover/revenue of more than KES 50,000,000, pay a one-off registration fee of KES 40,000 and a renewal fee of KES 2,000 payable every 2 years.
Certificate of Registration
Following a successful application, the ODPC issues the data controller or data processor with a Certificate of Registration and enters it in the register of data controllers and data processors maintained by the ODPC.
The Certificate of Registration is valid for twenty-four (24) months from the date of issue; once this period lapses, the data controller or data processor is expected to apply for a Certificate of Renewal. However, the data controller or data processor must apply for registration afresh if it intends to process categories of personal data beyond those approved, or to process personal data for a purpose different from the one stated in its initial registration.
Conclusion
Please note that the registration process is anticipated to begin on 14th July 2022. We at Barizi Data Privacy Services are happy to provide assistance with your organization's registration process. Further, if you require any clarification on the above, please do not hesitate to contact us.