KENYA: Mandatory Registration Requirement for Data Controllers and Processors Takes Effect

The procedure for implementing the requirement for the registration of data controllers and data processors in Kenya came into force on July 14, 2022. The enactment of the Kenyan Data Protection Act (the DPA) in 2019 introduced the registration requirement. However, the lack of procedural rules, among other things, meant it was never implemented.

To address the procedural gap, the Cabinet Secretary for ICT [Information, Communications, and Telecommunication], Innovation, and Youth Affairs issued the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the Regulations) at the end of 2021. They provided for a deferred commencement date of July 14, 2022, effectively creating a grace period for affected controllers and processors to become familiar with the procedures for registration before being required to lodge their registration applications.

The DPA defines a controller as a person who determines the purpose and means for processing personal data. It defines a processor, on the other hand, as a person who processes data on behalf of the data controller. The Regulations reiterate the DPA’s general requirement for these two categories of persons to register with the Data Commissioner but introduce a number of exceptions:

• Processors are only required to be registered with the Data Commissioner if they have:
  • a contractual relationship with the controller; and
  • no decision-making power on the purpose and means of processing personal data.

• Controllers and processors need not register if they have:
  • an annual “turnover” or “revenue” of below KES (Kenyan shillings) 5 million (approximately US $43,000); and
  • fewer than 10 employees.

The Regulations define “turnover” as the utilized annual budget of nonprofit-making controllers or processors for the year immediately preceding the year of registration. They define “revenue” as the total income of profit-making controllers or processors for such a period. It is also notable that the Regulations limit the registration requirement to controllers and processors in 12 sectors, including the telecommunications, financial, health care, and gambling sectors.

Brand owners to whom the Regulations apply should ensure that they were compliant as of the commencement date, as failure to do so constitutes an offense and could result in the cancellation of operational licenses and almost certainly would also pose a reputational hazard to their brand equity.

Although every effort has been made to verify the accuracy of this article, readers are urged to check independently on matters of specific concern or interest. Law & Practice updates are published without comment from INTA except where it has taken an official position.

© 2022 International Trademark Association