Law & Practice
KENYA: Mandatory Registration Requirement for Data Controllers and Processors Takes Effect
Published: August 2, 2022
Shem Otanga, Kieti Law LLP, Nairobi, Kenya, Data Protection Committee
Verifier: Elizabeth Lenjo, MyIP Legal Studio, Nairobi, Kenya, Data Protection Committee
The procedure for implementing the requirement for the registration of data controllers and data processors in Kenya came into force on July 14, 2022. The enactment of the Kenyan Data Protection Act (the DPA) in 2019 introduced the registration requirement. However, the lack of procedural rules, among other things, meant it was never implemented.
To address the procedural gap, the Cabinet Secretary for ICT [Information, Communications, and Telecommunication], Innovation, and Youth Affairs issued the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the Regulations) at the end of 2021. They provided for a deferred commencement date of July 14, 2022, effectively creating a grace period for affected controllers and processors to become familiar with the procedures for registration before being required to lodge their registration applications.
The DPA defines a controller as a person who determines the purpose and means for processing personal data. It defines a processor, on the other hand, as a person who processes data on behalf of the data controller. The Regulations reiterate the DPA’s general requirement for these two categories of persons to register with the Data Commissioner but introduce a number of exceptions:
- Processors are only required to be registered with the Data Commissioner if they have:
  - a contractual relationship with the controller; and
  - no decision-making power on the purpose and means of processing personal data.
- Controllers and processors need not register if they have:
  - an annual “turnover” or “revenue” of below KES (Kenyan shillings) 5 million (approximately US $43,000); and
  - fewer than 10 employees.
The Regulations define “turnover” as the utilized annual budget of nonprofit-making controllers or processors for the year immediately preceding the year of registration. They define “revenue” as the total income of profit-making controllers or processors for such a period. It is also notable that the Regulations limit the registration requirement to controllers and processors in 12 sectors, including the telecommunications, financial, health care, and gambling sectors.
Brand owners to whom the Regulations apply should ensure that they were compliant as of the commencement date. Failure to comply constitutes an offense, could result in the cancellation of operational licenses, and would almost certainly also pose a reputational hazard to their brand equity.
Although every effort has been made to verify the accuracy of this article, readers are urged to check independently on matters of specific concern or interest. Law & Practice updates are published without comment from INTA except where it has taken an official position.
© 2022 International Trademark Association