Registration of Data Controllers and Processors in Kenya

In Kenya, the enrollment of data controllers and processors is regulated by the Data Protection Act, which seeks to safeguard the privacy and integrity of personal data. Pursuant to this legislation, data controllers and processors are mandated to register with the Data Protection Commissioner unless exempted based on specified criteria. Registration entails the submission of particulars regarding the organization, the categories of data being processed, the security protocols in place, and other pertinent details.

Requirements for Registration

An application for registration of a data controller or data processor shall:
(a) be in Form DPR1; and
(b) be accompanied by the registration fees specified.
(c) An application for registration under shall be accompanied by—
   a copy of the establishment documents;
   particulars of the data controllers or data processors including name and contact details;
   a description of the purpose for which personal data is processed; and
   a description of categories of personal data being processed.

Before registering, take note of the following:

1. Have an accessible and working email address, and ensure the spelling of the email address is correct. Note that you can only use one email for one entity (for both data processor and controller application). In the event that you want to apply for multiple entities, i.e. subsidiaries, use a different email for every entity.

2. Have the establishment documents in PDF format.

3. Have the certified audited accounts in PDF format for the previous year's accounting period. For newly established entities, submit a signed revenue statement or KRA returns in PDF format.

4. Have a description of the safeguards that have been implemented to protect the data. This entails both technical and organizational safeguards.

Registration Process

1. In the Verification Detail Category, ensure you input the correct email addresses, and double-check for correctness. Ensure that you select the correct data handler type, i.e. Data Controller or Data Processor.

2. In the Basic Detail Category, ensure you fill in the basic details correctly, indicating the correct name of the institution, as incorporated or established. Please note that the arrangement and spelling of this entry is exactly how it will appear in the registration certificate.

3. In the Personal Data Category, ensure you have classified the categories of personal data you hold, e.g. employee data should be indicated separately from supplier data. Furthermore, indicate the type of data held in each category exhaustively, for example contact details and payment information.

4. In the Sensitive Data Category, if applicable, ensure you indicate the exact purpose the sensitive data is collected for.

5. In the Transfer of Data Category, if applicable, ensure you include ALL jurisdictions to which data is transferred.

6. In the Measures of Protection of Personal Data Category, please ensure you fill in ALL the risk measures, with both technical safeguards and organizational safeguards that apply.

7. Ensure the audited turnover documents have also been attached. Kindly note that the employee and turnover category dictate the generation of the correct invoice amount to be paid in the next stage. Submission of inaccurate information on the turnover amount shall lead to the refusal of the application.

8. Once you have verified your email address, payment can then be made.

After Registration Process

1. In the event that you wish to apply for both data handler types, i.e. both a Data Processor and a Data Controller for one entity, finish one application, i.e. the controller application, and then log in to the dashboard to apply for the processor application. Once logged in to your dashboard, you will see a link at the top that states “If you wish to apply for a different data handler type”. Click on it to begin the application for the subsequent data handler type, i.e. the processor. This process is the same in the event that the applicant registered a processor application first.

2. This certificate is downloadable from the portal and your details will be updated on our online register.

Exemptions to Mandatory Registration

A data controller or data processor is exempt from mandatory registration under these Regulations where the data controller or data processor:
(a) has an annual turnover of below five million shillings or annual revenue of below five million shillings; and
(b) has less than ten employees.

For more information on this subject contact: info@mathekaoketch.co.ke