Data Controller and Data Processors

Who is a Data Controller?

The Data Protection Act, 2019 defines a “data controller” as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.

The Guidance Note on Registration of Data Controllers and Data Processors provides that Data Controllers must comply with, and demonstrate compliance with, all the data protection principles and meet all obligations under the Act and all regulations therein.

Data Controllers are also responsible for the compliance of Data Processors contracted to process Personal Data on their behalf. Data Controllers established or resident in Kenya and Data Controllers outside Kenya that process the Personal Data of individuals located in Kenya (not just citizens or residents) must register with the Office.

It is important to note that the Office of the Data Commissioner may take enforcement action against a Data Controller when there is a breach of its obligations. This may be occasioned by a complaint from a Data Subject, following an audit of the Data Controller or following an investigation on the Office’s own initiative.

What is the Checklist for a Data Controller?

The Guidance Notes on Registration of Data Controllers and Data Processors by the Office of the Data Commissioner provide a checklist for determining whether a person or organization is a Data Controller. The checklist asks whether they:

  1. Decide to collect or process the Personal Data.
  2. Decide what the purpose or outcome of the Processing is to be.
  3. Decide what Personal Data should be collected.
  4. Decide which individuals to collect Personal Data about.
  5. Obtain a commercial gain or other benefit from the Processing, except for any payment for services from another controller.
  6. Process the Personal Data as a result of a contract between you and the Data Subject.
  7. Have Data Subjects who are your employees.
  8. Make decisions about the individuals concerned as part of or as a result of the Processing.
  9. Exercise professional judgment in the Processing of the Personal Data.
  10. Have a direct relationship with the Data Subjects.
  11. Have complete autonomy as to how the Personal Data is processed.
  12. Have appointed the processors to process the Personal Data on your behalf.

Who is a Data Processor?

A Data Processor is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.

It is important to note that there must be a contract between the Data Processor and the Data Controller that clearly defines this relationship. The Data Processor has no decision-making power on the Personal Data that they are processing.

What is the Checklist for a Data Processor?

The Guidance Notes on Registration of Data Controllers and Data Processors by the Office of the Data Commissioner provide a checklist for determining whether a person or organization is a Data Processor. It includes the following indicators:

  1. You have a contract to handle Personal Data on behalf of another Entity. 
  2. You are following instructions from someone else regarding the Processing of Personal Data.
  3. You do not decide to collect Personal Data from individuals. 
  4. You do not decide what Personal Data should be collected from individuals. 
  5. You do not decide the lawful basis for the use of that data.
  6. You do not decide what purpose or purposes the data will be used for. 
  7. You do not decide whether to disclose the data, or to whom. 
  8. You do not decide how long to retain the data. 
  9. You may make some decisions on how data is processed, but implement these decisions under a contract with another Entity.

What is processing of Data according to the Data Protection Act, 2019?

The Data Protection Act, 2019 defines “processing of data” as any operation or sets of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as:

  1. Collection, recording, organisation, structuring.
  2. Storage, adaptation or alteration.
  3. Retrieval, consultation or use.
  4. Disclosure by transmission, dissemination, or otherwise making available.
  5. Alignment or combination, restriction, erasure or destruction.

That’s all folks.

Author: Robert Muoka, Data Protection and Privacy Consultant at Sheria Online

References

The Data Protection Act, 2019

The Guidance Notes on Registration of Data Controllers and Data Processors by the Office of the Data Commissioner