The increased collection of data by service providers has spurred individuals to raise pertinent questions regarding the collection, storage and use of data by the service providers. In a bid to safeguard the data shared with companies and organizations, the Kenyan Government has put in place several data protection regulations.

On 14th July 2022, the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the Regulations) came into effect. This means that in accordance with section 18 (2) of the Data Protection Act, 2019 as well as the said regulations, data controllers and data processors must now begin to register with the Office of Data Protection Commissioner (ODPC).

Who is a data controller?

A data controller is anyone that determines the purpose and means of processing of personal data for whatever reason. This may be an individual or a company or other entity that is public (the State or any of its agencies) or private (a business, professional body or association).

Who is a data processor?

A data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. Data processors do not include the employees of the controller.

Entities required to register as data controllers and processors.

As per the 3rd Schedule of the Regulations, organizations processing the following information must register as data controllers and processors:

  1. Canvassing political support among the electorate.
  2. Operating Credit Bureaus.
  3. Crime prevention and prosecution of offenders (including operating security CCTV systems).
  4. Debt administration and factoring.
  5. Gaming and betting operators.
  6. Provision of education.
  7. Health administration and provision of patient care.
  8. Hospitality industry firms.
  9. Insurance administration and undertakings.
  10. Faith based or religious institutions.
  11. Retirement benefits administration.
  12. Property management including the selling of land.
  13. Provision of financial services.
  14. Telecommunications network or service providers.
  15. Businesses that are wholly or mainly in direct marketing.
  16. Internet access providers.
  17. Transport services firms (including online passenger hailing applications).
  18. Public sector bodies.
  19. Businesses that process genetic data.

It is important to note that separate licenses must be sought for entities that qualify as both data controllers and processors.

Entities exempt from registration.

The Regulations provide for various exemptions when it comes to registration. The exempt organizations include:

  • A data controller or a data processor whose annual turnover is below Kenya Shillings Five million (Kshs. 5M) or whose annual revenue is below Kenya Shillings Five million (Kshs. 5M).
  • A data controller or a data processor who employs fewer than ten people.
  • Civil registration registries as specified in the Data Protection (Civil Registration) Regulations, 2020 e.g., the Registrar of Persons.

Registration process.

For an entity to successfully register as a data controller or data processor, the following must be submitted on the ODPC online registration portal:

  1. The prescribed application form provided in the Regulations.
  2. Supporting documents including:
    1. Copy of the establishment documents;
    2. Particulars of the data controllers or data processors including name and contact details;
    3. A description of the purpose for which personal data is processed;
    4. A description of categories of personal data being processed; and
    5. Other relevant information.
  • The entity will thereafter pay the prescribed registration fees, which are pegged on the turnover and employee count of the entity.
  • Upon submission of the application and payment of the registration fees, the ODPC will undertake a verification process of the information provided.
  • Upon satisfaction of the authenticity of the information provided, the ODPC will issue the applicant with a certificate of registration, which is valid for a period of two (2) years and is renewable.
  • The ODPC will enter the successful applicant’s details in the register of data controllers and processors. This is done within 14 days of making the application.
  • Where the application is rejected, the same should be communicated within 21 days and reasons thereof given.

Penalties for not registering.

Under Section 73 of the Data Protection Act, a person found in contravention of the Act and regulations thereof is subject to the following penalties:

  • A fine not exceeding Kenya Shillings Three Million (Kshs. 3M) or an imprisonment term not exceeding ten (10) years, or both;
  • Forfeiture of any equipment or any article used or connected in any way with the commission of the offence (Court sanctioned); or
  • An order to prohibit the doing of any act to stop the continuing contravention.

Further, the Data Commissioner has the right to impose an administrative fine of up to Kenya Shillings Five Million (Kshs. 5M) or up to 1% of the infringing entity’s annual turnover, whichever is lower.

It is our recommendation that organizations which fall in the category of data processors or controllers put their books in order to ensure they are compliant with the Data Protection Act. Thereafter, the various parties should immediately proceed to undertake their registration with the ODPC to avoid penalties.

Disclaimer: Kindly note that this write-up does not constitute legal advice but is provided for information purposes only. If you have any specific inquiries on this subject and other related matters, please contact us at .