The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 were published by the Data Protection Commissioner in the Kenya Gazette on 14th January 2022.
The Regulations provide the minimum thresholds for mandatory registration of data controllers and data processors (except for civil registration entities registered under separate regulations) and the procedure for registration.
The definitions of data controller and data processor mirror those in the Data Protection Act. A data controller is the person who determines the purpose and means of processing personal data. A data processor is the person who processes personal data on behalf of a data controller under a contractual relationship with that controller, excluding the controller's employees, and who has no decision-making power over the purpose and means of processing. Where a data processor processes personal data in any way other than as instructed by the data controller, the data processor is treated as a data controller in respect of that processing activity and would be required to register as a data controller.
The Act requires data controllers and data processors that meet prescribed thresholds to register with the Data Commissioner. The Regulations set those thresholds by defining which data controllers and data processors are exempt from mandatory registration, as follows:
‘A data controller or a data processor—
(a) whose annual turnover is below five million shillings or whose annual revenue is below five million shillings; and
(b) who employs less than ten people,
is exempt from the mandatory registration under these Regulations.’
However, the Regulations provide a list of businesses to which the exemption does not apply and which must register with the Data Commissioner regardless of their turnover or headcount. These include firms engaged in:
- Canvassing political support among the electorate
- Crime prevention and prosecution of offenders
- Gambling
- Health administration and provision of patient care
- The hospitality industry, excluding tour guides
- Property management, including the selling of land
- Provision of financial services
- Telecommunications network or service provision
- Businesses that are wholly or mainly engaged in direct marketing
- Transport services (including online passenger-hailing applications)
- Processing of genetic data
For entities required to register, and for those that wish to register voluntarily as data controllers or data processors, the requirements for registration are as follows:
(i) Completion of the prescribed application form provided in the Regulations;
(ii) Submission of the following supporting documents with the application:
- a copy of the establishment documents;
- particulars of the data controller or data processor, including name and contact details;
- a description of the purpose for which personal data is processed; and
- a description of the categories of personal data being processed.
(iii) Payment of the prescribed registration fee. The fee payable for registration under the Second Schedule of the Regulations is determined by annual turnover (or revenue) and employee count, so the amount depends on the money made by the business within a particular period and the size of its workforce. The classification ranges from micro and small entities with an annual turnover of at most KES 5 million to large entities with an annual turnover above KES 50 million. The table below shows the fees payable by category:
| Category | Description | Registration fee in KES per data controller/processor (payable once) | Renewal fee in KES per data controller/processor (payable every 2 years) |
| --- | --- | --- | --- |
| Micro and Small Data Controllers/Processors | A data controller/processor with between 1 and 50 employees and an annual turnover/revenue of a maximum of KES 5 million | 4,000 | 2,000 |
| Medium Data Controllers/Processors | A data controller/processor with between 51 and 99 employees and an annual turnover/revenue of between KES 5,000,001 and a maximum of KES 50,000,000 | 16,000 | 9,000 |
| Large Data Controllers/Processors | A data controller/processor with more than 99 employees and an annual turnover/revenue of more than KES 50 million | 40,000 | 25,000 |
| Public entities | A data controller/processor performing government functions (regardless of number of employees or revenue/turnover) | 4,000 | 2,000 |
| Charities and Religious entities | A data controller or data processor performing charitable or religious functions (regardless of revenue/turnover) | 4,000 | 2,000 |
The Data Commissioner verifies the application and, when satisfied that the applicant fulfils the requirements for registration under the Regulations, issues the applicant with a registration certificate within 14 days. The certificate of registration is valid for 24 months from the date of issuance.
If the Data Commissioner declines to approve the registration, the Data Commissioner must notify the applicant in writing, stating the reasons for the refusal. The data controller or data processor may re-apply for registration once it meets the requirements.
Should you have any queries or require any assistance regarding registration as a data controller or data processor, please contact Felicia Solomon Tunje at felicia@mmsadvocates.co.ke or Andrew Wanga at andrew@mmsadvocates.co.ke.