Registration of Data Controllers and Data Processors

Mandatory Registration of Data Controllers and Data Processors

Section 18 of the Data Protection Act, 2019, makes it mandatory for individuals to register with the Data Commissioner to be able to act as data controllers or data processors. The fees payable for registration are between Kshs. 4,000/- and Kshs. 40,000/-.

Therefore, all Data Controllers and Data Processors MUST register unless an Entity can clearly identify that it falls within an exemption.

Application for Registration of Data Controllers and Data Processors

Section 19 of the Data Protection Act provides for the particulars to accompany an application for registration as a Data Controller or Data Processor. These include—

  1. A description of the personal data to be processed by the data controller or data processor.
  2. A description of the purpose for which the personal data is to be processed.
  3. The category of data subjects to which the personal data relates.
  4. Contact details of the data controller or data processor.
  5. A general description of the risks, safeguards, security measures and mechanisms to ensure the protection of personal data.
  6. Any measures to indemnify the data subject from unlawful use of data by the data processor or data controller.

The Data Commissioner is to issue a certificate of registration where a Data Controller or Data Processor meets the requirements for registration.

Non-Exempt Mandatory Registration Entities

The Guidance Note on Registration of Data Controllers and Data Processor sets out the entities that must comply with the mandatory registration obligation regardless of their annual Turnover/Revenue or number of employees.

These include any Entity Processing Personal Data for the following activities, or in the following sectors, regardless of its annual Turnover/Revenue or number of employees:

  1. Political canvassing.
  2. Crime prevention.
  3. Gambling.
  4. Education.
  5. Health administration and provision of patient care.
  6. Hospitality.
  7. Property management.
  8. Financial services.
  9. Telecommunications.
  10. Direct marketing.
  11. Transport.
  12. Entities Processing genetic data.

The fees payable by these Entities, if their annual Turnover/Revenue is less than Five Million Kenyan Shillings (Kshs. 5,000,000/-) and they have fewer than ten (10) employees, will be Kshs. 4,000/-.

Registration of Data Controllers in Private Sector Entities

All Entities within the private sector that are resident in Kenya, or that are located outside Kenya and process Personal Data of persons located in Kenya (including citizens, residents and visitors), and that have an annual Turnover or Revenue of Kshs. 5 million and above or more than 10 employees, are required to register. These thresholds do not apply where the Entity is a non-exempt mandatory registration Entity.

For Micro and Small Data Controllers/Processors, with between 1 and 50 employees and an annual Turnover/Revenue of a maximum of Kshs. 5 million, the registration fee per Data Controller/Processor is Kshs. 4,000/- and the renewal fee is Kshs. 2,000/- (after every 2 years).

For Medium Data Controllers/Processors, with between 51 and 99 employees and an annual Turnover/Revenue of between Kshs. 5,000,001 (Five million and one shilling) and a maximum of Kshs. 50,000,000 (Fifty million), the registration fee per Data Controller/Processor is Kshs. 16,000/- and the renewal fee is Kshs. 9,000/- (after every 2 years).

For Large Data Controllers/Processors, with more than 99 employees and an annual Turnover/Revenue of more than Kshs. 50 million, the registration fee per Data Controller/Processor is Kshs. 40,000/- and the renewal fee is Kshs. 25,000/- (after every 2 years).

Registration of Data Controllers and Data Processors in Government Entities (MDACs)

The Data Protection (General) Regulations, 2021 provide that State departments or County departments are to register Data Controllers and Processors and pay the fees on behalf of their respective Entities. 

These must be public Entities at national or county government level which:

  1. Operate within a state department or county department.
  2. Are wholly funded from the Consolidated Fund.
  3. Provide a public service.

The single registration fee of Kshs. 4,000/- and renewal fee of Kshs. 2,000/- are to be paid by the State department or County department. A State Corporation or a County Corporation is required to register as a Data Controller or a Data Processor in respect of its Processing activity.

Registration of Data Controllers and Data Processors in Charities and Religious Institutions

The Data Protection Act, 2019 provides that a standard registration fee of Kshs. 4,000/- and renewal fee of Kshs. 2,000/- will be payable by non-profit making Data Controllers or Data Processors.

The Guidance Note on Registration of Data Controllers and Data Processor defines non-profit making Data Controllers and Data Processors as Entities whose core mandate excludes the generation of profit; these include non-governmental organizations, charitable and religious institutions, multi-lateral agencies and civil society organizations.

That’s all folks.

Author: Robert Muoka, Data Protection and Privacy Consultant at Sheria Online

References

Data Protection Act, 2019

The Guidance Note on Registration of Data Controllers and Data Processor

Data Protection (General) Regulations, 2021