Kenya: Office of the Data Protection Commissioner adopted guidance note on registration of data controllers and data processors

On 30 November 2023, the Office of the Data Protection Commissioner (ODPC) adopted the Guidance Note on Registration of Data Controllers and Data Processors. It outlines the statutory obligation under the Data Protection Act, 2019 and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 for all entities processing personal data to register as either Data Controllers or Data Processors. It defines the roles of Data Controllers, who determine the purposes and means of processing personal data, and Data Processors, who act on behalf of Controllers. The document specifies registration requirements based on turnover, employee count, and sectoral activities, with certain entities mandatorily required to register regardless of thresholds. It details the registration process, including providing entity details, describing personal data processed, identifying data protection measures, and paying tiered registration fees. Exemptions apply to entities below prescribed thresholds, except for those in specified sectors. Offences for non-compliance include processing personal data without registration or providing false information. Registration certificates are valid for two years unless revoked or varied.