The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (hereinafter “the Regulations”) took effect on 14th July 2022. As a result, all data controllers and processors will be required to register with the office of the data protection officer (ODPC). Any entity falling within the definition of a data processor or controller is mandated to register with the ODPC unless exempt from the registration requirement.
The ODPC is seeking to obtain information from data controllers and processors relating to, among others, the personal data processed and the reason for processing; the types of sensitive personal data processed by the entity; details of any data transferred and held in any jurisdiction outside Kenya; and the technical measures applied by entities to protect personal data. The registration is dependent on the following aspects:
Regardless of the aspects laid out above, it is mandatory for data processors and controllers falling within the following sectors to register with the ODPC.
Entities in the private sector, whether resident in or located outside Kenya, that process personal data of persons located in Kenya and have an annual turnover or revenue of KES 5 million and above are required to register with the ODPC unless they are exempt. Entities in the private sector that do not meet these requirements but fall within the sectors highlighted above will be required to register regardless. Where an entity serves as both a data controller and a data processor, it will be required to register separately as both a data controller and a data processor.
The fees payable for registration of these private entities are as illustrated below:
| Category | Registration fee | Renewal fee |
| --- | --- | --- |
| Micro and Small Data Controllers/Processors – with between 1 and 50 employees and an annual Turnover/Revenue of a maximum of KES. 5 million | 4,000 | 2,000 |
| Medium Data Controllers/Processors – with between 51 and 99 employees and an annual Turnover/Revenue of between KES. 5,000,001 and maximum of KES. 50 million | 16,000 | 9,000 |
| Large Data Controllers/Processors – with more than 99 employees and an annual Turnover/Revenue of more than KES. 50 million | 40,000 | 25,000 |
The Regulations also provide that state departments and county departments have to register with the ODPC. The entities applying for registration must be public entities at national or county government level; operate within a state department or county department; be wholly funded by the consolidated fund; and provide a public service. In applying for registration, a state department will list all the public entities under it. This means that the public entities under state and county departments are not required to register separately. However, state and county corporations will be required to register separately. The registration fee for government entities is KES. 4,000 and the renewal fee is KES. 2,000.
Not-for-profit organizations such as charitable and religious institutions, multi-lateral agencies or civil society organizations are also required to register with the ODPC if they process any personal information, regardless of their revenues or turnover. The registration fee is KES. 4,000 and the renewal fee is KES. 2,000.
Once the registration is done, the ODPC will issue the entity with a certificate of registration, which is renewable after 24 months from the date of registration. A data controller or processor is required to lodge an application for renewal 30 days before the expiry of the certificate. The certificate of registration must also be displayed in a conspicuous location at the principal address of the entity or on its official website. The certificate may be varied on the request of a data controller or processor.
Data controllers and processors that process personal data which does not fall within the mandatory sectors highlighted above, and which have an annual turnover or annual revenue of below KES. 5 million and fewer than 10 employees, are exempt from registration with the ODPC.
Any data controller or processor that processes personal data without registering in accordance with the Regulations; or provides false or misleading information for the purpose of registration; or fails to renew a certificate of registration and continues to process personal data after the expiry of the certificate, commits an offence and is liable to imprisonment for a term not exceeding 10 years or to a fine not exceeding three million shillings or both.