By Victor Orandi
The registration for Data Controllers and Data Commissioners commenced on 14th July 2022. The Data Protection Act, 2019 and Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 require that all public and private organizations and individuals that process personal data register with the Office of the Data Protection Commission (ODPC).
Entities must register with the ODPC in order to act as a Data Controller or Data Processor in Kenya and to ensure the upholding and safeguarding of privacy rights of persons in Kenya. The law applies to data controllers and data processors processing data about data subjects in Kenya. A data controller or processor not established or residing in Kenya processing personal data of persons resident in Kenya will also be required to register.
Personal data is information relating to an identified or identifiable natural person, for example a person’s full name, identity card number, date of birth, gender, physical and postal address, phone number, location data, and an online identifier. Data can be in written form or take the form of biometrics, genetic data, photos, audio and video recordings. Under the Data Protection Act, 2019 (DPA), this means data revealing a person’s race, health status, ethnicity, social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details, including names of a person’s children, parents, spouse or spouses, sex, or sexual orientation.
Exemption
Data controllers or processors whose annual turnover/revenue is below five million shillings and who employ fewer than ten people are exempt from the mandatory registration under the registration regulations.
Where a Data Controller or Data Processor does not meet the requirement of having an annual turnover or revenue of less than Kshs. 5 Million and fewer than ten employees, the data controller or processor will NOT be exempt and must register. Data controllers or processors processing personal data for the purposes listed below are also NOT exempt from mandatory registration, regardless of annual turnover/revenue or employee count:
- Canvassing political support among the electorate.
- Operating Credit Bureaus.
- Crime prevention and prosecution of offenders (including operating security CCTV systems) – including private security service providers.
- Debt administration and factoring.
- Gaming and betting operators.
- Provision of education.
- Health administration and provision of patient care.
- Hospitality industry firms.
- Insurance administration and undertakings.
- Faith-based or religious institutions.
- Retirement benefits administration.
- Property management, including the selling of land.
- Provision of financial services.
- Telecommunications network or service providers.
- Businesses that are wholly or mainly in direct marketing.
- Internet access provider.
- Transport services firms (including online passenger hailing applications).
- Public sector bodies.
- Businesses that process genetic data.
Registration fees
The registration fees depend on the category within which the data controller or data processor falls. The Registration Regulations classify profit-making or private sector data controllers and data processors for purposes of registration into three tiers:
- Micro and small data controllers/processors
- Medium data controllers/processors (with an annual turnover/revenue of above Kshs. 5 million but less than Kshs. 50 million and 51 to 99 employees)
- Large data controllers and processors (those with an annual turnover/revenue of more than Kshs. 50 million and more than 99 employees)
- Public entities and non-profit entities such as charities and religious entities (regardless of revenue/turnover) are also required to register.
You can reach out to us through victor@mmagareadvocates.com or matthew@mmagareadvocates.com for further advice on the above requirements and compliance with the Data Protection laws.