The Registration Regulations have been promulgated to provide the procedure for registration of data controllers and data processors as provided for under the Data Protection Act 2019 (the DPA). Section 18 of the DPA, prohibits all persons from acting as data controllers or data processors without first being registered with the Data Commissioner. The DPA defines a “data controller” as a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. A “data processor” on the other hand is defined as a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.
The Registration Regulations shall come into effect six (6) months after the date of publication (that is on 14 July 2022).
Requirement for registration
Regulation 4 of the Registration Regulations requires all data controllers or data processors to register with the Data Commissioner. The requirement to register as a data controller applies to persons who determine the purpose and means for processing personal data. The requirement to register as a data processor on the other hand applies to persons who process personal data on behalf of the data controller and have:
- a contractual relationship with the data controller; and
- no decision-making power on the purpose and means of processing personal data.
A data controller’s employees are expressly exempted from the requirement to register as data processors.
Regulation 13 (2) exempts data controllers or data processors from mandatory registration under the Registration Regulations where they have:
- an annual “turnover” or “revenue” of below five (5) million Kenya Shillings; and
- less than ten employees.
The Registration Regulations defines turnover as the utilized annual budget of non-profit making data controllers or data processors for the year immediately preceding the year of registration. This includes non-governmental organizations, charitable and religious institutions, multi-lateral agencies, or civil society organizations. Revenue on the other hand is defined as the total income of profit-making data controllers or data processors for the year immediately preceding the year of registration.
Further, Regulation 13 (4) requires data controllers or data processors that process personal data for the purposes specified under the third schedule to the Registration Regulations to register as data controllers or data processors even where their “turnover” (not revenue) is less than 5 million Kenya Shillings. These purposes include: crime prevention and prosecution of offenders (including operating security CCTV systems), gambling, operating an educational institution, health administration and provision of patient care, hospitality industry firms (excluding tour guides), property management including the selling of land, provision of financial services, telecommunications network or service providers, transport service firms (including online passenger hailing applications), businesses that are wholly or mainly in direct marketing, canvassing political support among the electorate and businesses that process genetic data. As such, any entities that process personal data for any of these specified purposes will not be exempt from the requirement to register with the Data Commissioner even where they meet the criteria for exemption based on turnover/revenue and number of employees as set out above.
Regulation 13 (5) however contradicts the exemption under Regulation 13 (2) in stating that the data controllers or data processors that are contemplated under Regulation 13 (2) (the exemption clause) shall be required to undertake mandatory registration in accordance with the DPA and the Registration Regulations. This is a clause that ought to be amended to resolve the contradiction, ideally before the effective date for the registration obligation on 14 July 2022. Based on this drafting error in the Registration Regulations, it would be advisable for all data controllers and data processors to register with the Data Commissioner to avoid any risk of incurring the penalties described below.
Applications for registration as data controllers or data processors are required to be made in a prescribed form (form DPR1) and to be accompanied by the prescribed fees which range between KES 4,000 (approximately USD 35) and KES 40,000 (approximately USD 350) depending on the size of the applicant entity in terms of turnover/revenue and number of employees. Applications are required to be made by electronic means through the Office of the Data Protection Commissioner’s website.
An application must be accompanied by:
- a copy of the applicant’s establishment documents;
- applicant’s particulars including name and contact details;
- a description of the purpose for which personal data is processed; and
- a description of categories of personal data being processed.
Upon lodging of the application for registration, the Data Commissioner will undertake a verification process of the details provided in the application. Where the Data Commissioner is satisfied that the applicant fulfils the requirements for registration, she is required enter the applicant’s particulars in the register of data controllers and processors and issue the applicant a certificate within 14 days. The certificate is issued with a validity period of 24 months and may be renewed upon application. Both registration and renewal may be refused by the Data Commissioner for specified reasons including a lack of provision of any required information or where the applicant has violated the requirements of the DPA.
Offences under these Regulations
Contravening the mandatory registration requirements is an offence as is providing false or misleading information for the purpose of registration. The penalty for these offences is a fine not exceeding 3 million Kenya Shillings or a jail term not exceeding ten years, or both.