Mandatory Registration of Data Controllers and Processors

The Office of the Data Protection Commissioner (ODPC) has announced, through the Guidance Note on Registration of Data Controllers and Data Processors (the Guidance Note), that the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the Regulations) are in force effective 14 July 2022.

The Regulations give effect to section 18 of the Data Protection Act, 2019 (the Act) which requires entities that collect and process data to register with ODPC.

Mandatory Registration of Data Controllers and Processors

Subject to the thresholds highlighted below, every entity (whether a natural or legal person, public authority, agency, or other body) must register with ODPC starting 14 July 2022 if it falls into either of the following categories:

  • As a data controller if, alone or jointly with others, the entity determines the purpose and means of processing of personal data; and/or
  • As a data processor if the entity processes personal data on behalf of a data controller.

Mandatory Registration Thresholds

All data controllers and processors who have an annual turnover or annual revenue above Kenya Shillings five million (KES 5,000,000/=) and more than ten (10) employees must register with ODPC.

An entity that has an annual turnover or annual revenue below Kenya Shillings five million (KES 5,000,000/=) and less than ten (10) employees is exempt from registration if it can clearly identify that it falls within this category. The exemption from registration does not, however, apply to an entity processing personal data for the following activities or in the following sectors, even though the entity is below the mandatory registration threshold:

  • political canvassing;
  • crime prevention;
  • gambling;
  • education;
  • health administration and provision of patient care;
  • hospitality;
  • property management;
  • financial services;
  • telecommunications;
  • direct marketing;
  • transport; and
  • entities processing genetic data

Civil registration entities involved in the processing of personal data relating to the registration of births, deaths, marriages, adoptions and persons, and the issuance of passports and other identity documents, are also exempt from mandatory registration under the Regulations.

Registration Procedure

Registration as a data controller or a data processor is done through the online application portal developed and managed by ODPC. The registration procedures and applicable fees can be found in the Guidance Note and the Regulations.

Once registered as either a data controller or a data processor, you are required to display the certificate of registration issued to you by ODPC in a conspicuous place (website included). The certificate is valid for a period of two years. Each registered entity is required to renew the certificate of registration thirty (30) days before expiry.

Offences and Sanctions

You commit an offence under the Regulations if you:

  • process personal data without registering in accordance with the Regulations;
  • provide false or misleading information to ODPC for the purpose of registration; or
  • fail to renew a certificate of registration and continue to process personal data after the expiry of the certificate.

Any person who commits any of the offences above is liable on conviction to a fine not exceeding Kenya Shillings three million (KES 3,000,000/=) or to an imprisonment term not exceeding ten (10) years, or to both.

If you have any inquiries relating to the above or Data Protection matters generally, please do not hesitate to contact Peter Mwaura at [email protected]. Please note that this e-alert is meant for general information only and should not be relied on without seeking specific subject matter legal advice.
