Data protection regulations in Kenya

The Data Protection (Registration of Data Controllers and Data Processors) processes in Kenya are regulated by the Data Protection Commissioner in Kenya.
The Regulations provide the thresholds for registration of data controllers and data processors in Kenya and the procedure for registration.
A data controller is defined to mean "the person who controls and determines the purpose and means for processing personal data", and a data processor is defined to mean "the person who processes personal data on behalf of the data controller but excludes employees of the data controller and has a contractual relationship with the data controller; and no decision making power on the purpose and means of processing personal data".

The Act requires mandatory registration of data controllers and data processors with the Data Commissioner, subject to them meeting prescribed thresholds. The Regulations provide the registration thresholds by setting out the parameters by which a data controller or data processor is exempted from mandatory registration.

Understanding Data Controller and Data Processor

Data Controller

A data controller determines the purpose or function for which, and the means by which, personal data is processed. This means that if a company or firm determines why and how personal data should be processed, then it is a data controller.

Examples of data controllers include:

  • Telcos
  • Hotels
  • Hospitals
  • Insurance companies
  • Educational institutions
  • Mobile money or loan vendors
  • Betting companies
  • Retailers
  • Government departments
  • Professional service providers
  • Independent commissions
  • Charities
  • Religious entities

Data Processor

A data processor processes personal data on behalf of a data controller, under a contractual relationship with the controller, and has no decision-making power over the purpose and means of the processing. In simpler terms, if an entity handles personal data only because, and in the way that, a data controller has instructed it to, it qualifies as a data processor. Employees of the data controller are excluded from this definition.

Examples of data processors include:

  • Firms offering IT solutions, such as cloud storage providers
  • Agents for telecommunication operators or service providers
  • CRM or ERP solution providers with access to personal data

Example of a Data Controller and Data Processor

An eCommerce website collects personal data from a customer located in Nairobi during the customer’s purchase of a product. The personal data of the customer includes information such as:

  • The customer’s name
  • Address
  • Phone number
  • Email address

Note that after the purchase, the product has to be delivered to the customer.
The operator of the eCommerce website uses a third-party warehouse to store and ship the products on its behalf.
In order to make sure the purchase is delivered to the purchaser, the website operator sends the customer’s data, including the customer’s name and address, to the warehouse.
The warehouse then ships the package to the consumer.

The website operator is the controller. They collect the data and determine how it is processed.

The warehouse is the processor. They receive the data from the controller and use it to mail the package.

There are some overlapping requirements that apply to both data processors and data controllers. However, there are a number of areas where the responsibilities differ.

Differences between a Data Controller and a Data Processor

The key differences between a data processor and a data controller are an important concept to grasp.

Three definitions from Article 4, followed by a summary, should help clarify the distinction between processors and controllers:

  1. A data controller determines the purposes and means of the processing of personal data.
  2. A processor engages in personal data processing on behalf of the controller.
  3. Processing involves any operation (or set) performed on personal data (such as, but not limited to, collection, structuring, storage, use or disclosure).
  4. A data controller controls the procedures and purpose of data usage, while a data processor processes any data that the data controller gives them.

Types of data protected in Kenya

  1. Personal Data

    This is information that is used to identify a person. Such information includes a person’s full name, ID number, date of birth, gender, physical and postal address, phone number, location data, and online identifiers. According to the Office of the Data Protection Commissioner (ODPC), personal data does not have to be in written form, meaning it also includes genetic and biometric data, photos, audio, and video recordings.

  2. Sensitive Data

    Under the Data Protection Act, 2019, sensitive data reveals a person’s race, health status, ethnic social origin, conscience, beliefs, genetic data, biometric data, property details, marital status, and family details including names of a person’s children, parents, spouse or spouses, sex, or sexual orientation. To this end, sensitive data needs extra protections due to its high-risk nature, as it can pose issues if it were accessed by an unauthorized person or unauthorized authority.

Exemptions to Registration of Data Processors/Controllers

According to the Office of the Data Protection Commissioner (ODPC), data controllers or data processors whose yearly turnover/revenue falls under KES 5 million and who employ fewer than ten people are exempt from mandatory registration under the registration regulations.

However, if a data controller or data processor meets only one of the two conditions (for example, more than 10 employees but less than KES 5 million in yearly revenue, or vice versa), the data controller or data processor must register.

How to get a Data Protection Licence in Kenya

Mandatory Registration of Data Controllers and Processors

Subject to the thresholds highlighted below, every entity (whether a natural or legal person, public authority, agency, or other body) must register with ODPC starting 14 July 2022 if it falls into the following categories:

  1. As a data controller if, alone or jointly with others, the entity determines the purpose and means of processing of personal data; and/or
  2. As a data processor if the entity processes personal data on behalf of a data controller.

Mandatory Registration Thresholds

All data controllers and processors who have an annual turnover or annual revenue above Kenya Shillings five million (KES 5,000,000/=) and more than ten (10) employees must register with ODPC.
An entity that has an annual turnover or annual revenue below Kenya Shillings five million (KES 5,000,000/=) and fewer than ten (10) employees is exempt from registration if it can clearly identify that it falls within this category.

The exemption from registration does not, however, apply to an entity processing personal data for the following activities or in the following sectors, even though the entity is below the mandatory registration threshold:

  • political canvassing
  • gambling
  • education
  • crime prevention
  • health administration and provision of patient care
  • hospitality
  • property management
  • financial services
  • telecommunications
  • direct marketing
  • transport
  • entities processing genetic data

Civil registration entities involved in the processing of personal data relating to registration of births, deaths, marriages, adoptions, persons, issuance of passports and other identity documents are also exempt from the mandatory registration under the Regulations.

Registration Procedure

Registration as a data controller or a data processor is done through the online application portal developed and managed by ODPC. The registration procedures and applicable fees can be found in the Guidance Note and the Regulations.
Once registered as either a data controller or a data processor, you are required to display the certificate of registration issued to you by the ODPC in a conspicuous place (website included).

The certificate is valid for a period of two years.
Each registered entity is required to renew the certificate of registration thirty (30) days before expiry.

Guide on how to register with the Office of the Data Protection Commissioner

To register, you need to ensure that you have the following:

  • Your organisation’s name and contact details
  • The registration certificate for your organisation, i.e. company registration
  • An outline of the purpose for processing personal data
  • A description of the type of personal data you’re processing
  • A list of the different data subject categories, i.e. employee, shareholder, supplier or client
  • A list of third parties that you will share the personal data with
  • Financial documents indicating the annual turnover of your organisation, and
  • Measures to protect personal data, including security safeguards and mechanisms

The process of registration is as follows:

  1. You start your application by accessing the registration portal on the Office of the Data Protection Commissioner’s website.
  2. You then create an account by providing the necessary information.
  3. After that, you’re required to pay a once-off registration fee.
  4. The Data Protection Commissioner will verify your application and issue you a certificate of registration within 14 days of application.
  5. If your application is rejected, the Office of the Data Commissioner has 21 days to give you reasons for rejecting your application.
  6. The certificate of registration is valid for 24 months from the date of issue. You’re required to apply for renewal once this period lapses.
  7. If you made errors in your application and want to amend it, you must notify the Data Protection Commissioner in writing through

What fees do you need to pay?

Registration fees depend on the category your organisation falls under (initial registration fee, then renewal fee):

  • Micro and small private organisations (fewer than 50 employees and annual turnover of less than Kshs 5 million): initial registration fee Kshs 4 000; renewal fee Kshs 2 000
  • Medium-sized private organisations (51 – 99 employees and annual turnover of more than Kshs 5 million but less than Kshs 50 million): initial registration fee Kshs 16 000; renewal fee Kshs 9 000
  • Large private organisations (more than 99 employees and annual turnover of more than Kshs 50 million): initial registration fee Kshs 40 000; renewal fee Kshs 25 000
  • Public entities: initial registration fee Kshs 4 000; renewal fee Kshs 2 000
  • Charities and religious entities: initial registration fee Kshs 4 000; renewal fee Kshs 2 000

Data protection services in Kenya

What we do

We provide practical solutions to individuals, businesses and organisations for your registration and compliance requirements all over Kenya.