The Data Protection Act, No. 24 of 2019 (herein the Act) requires all Data controllers or Data processors who are either established or ordinarily resident in Kenya and process personal data while in Kenya, or who are not established or ordinarily resident in Kenya but process personal data of data subjects located in Kenya, to be registered with the Office of the Data Protection Commissioner (ODPC). This is a mandatory requirement under section 18 of the Act.

Many entities, especially those involved in processing sensitive personal data of their employees, clients, customers, suppliers or contractors (data subjects), struggle with registration due to a lack of proper guidance on where to pay attention when submitting their application. In this article we provide insight into the requirements, timeline and key areas an applicant should focus on when making an application for registration.

A) Requirements

The following are the requirements for registration as Data controller or Data processor under the Act:

  1. A copy of the Certificate of incorporation and Registration number;
  2. Organization email address and phone number;
  3. Name and address of a designated organization contact person;
  4. Annual turnover evidence (e.g., most recent audited financial statement);
  5. Categories of data collected or processed;
  6. Reason for collecting or processing personal data (e.g., if the data collected relates to employees, the reason is to process payments; if it relates to suppliers, the reason is contracting and know-your-client checks, etc.);
  7. Technical and organizational safeguard measures put in place by the organization to safeguard personal data being collected or processed;
  8. Whether the organization collects or processes sensitive personal data (sensitive personal data means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse(s), sex or the sexual orientation of the data subject); and
  9. Whether the organization transfers any personal data collected or processed outside Kenya.

B) Where to pay attention when making an application for registration

An applicant for registration as a Data controller or Data Processor must pay attention to the following areas while making the application:

  1. Each category of data being collected or processed must be outlined separately and distinctly from the others.
  2. Where the data collected or processed is transferred outside Kenya, there must be a legal basis for the transfer. The applicant must specifically state the country to which the data is being transferred and why.
  3. The applicant organization MUST have in place both technical and organizational safeguard measures to protect data subjects’ personal data being collected or processed. Technical measures are the measures and controls applied to the systems and technological aspects of the organization, such as devices, networks and hardware. They include steps taken to prevent cybersecurity threats, e.g. firewalls, malware scans, anti-virus protection, patching and updating of software, and how the organization handles encryption and pseudonymization, password theft etc. Organizational safeguards, on the other hand, are the internal policies, organizational methods or standards, controls and even audits that the controller or processor has applied to ensure the security of personal data. They include measures such as having a privacy policy statement, conducting staff training, regular review and auditing of the organization's safety measures, and due diligence.
  4. The technical and organizational safeguard measures must be in place at the time of making the application for registration.
  5. Where the organization collects or processes sensitive personal data, such data must be specifically identified and the reasons for collecting or processing it clearly stated.

C) Timeline for registration

The timeline for registration as a Data controller or Processor as stated by the ODPC is 14 working days. However, this may take longer depending on the number of applications submitted and the accuracy and correctness of the details submitted.

At A.O.WANGA ADVOCATES we guarantee timely submission and registration of our clients as Data controllers and Data processors. We also offer other data protection related services such as conducting Data Protection Impact Assessments, reviewing data privacy policy statements to align them with Kenyan data protection laws, and drafting agreements including Data Processing Agreements (DPA) and Joint Controllership Agreements (JCA), among others.

Feel free to reach out to us on info@aowangaadvocates.com or +254794600191

All rights reserved for A.O.WANGA ADVOCATES

