Kenya's Data Protection Act of 2019 (DPA) is an extensive piece of legislation that regulates the collection, processing and storage of personal data by the private and government sectors. This summary outlines its key features, including the obligations of data controllers and processors and the requirements for mandatory registration and renewal.
A data controller is an entity or individual that determines the purpose and means of processing personal data. If your company or organisation determines the ‘why’ and ‘how’ of personal data processing, it is the data controller.
A data processor is an entity or individual that processes personal data on behalf of a data controller.
Obligations of Data Controllers and Data Processors
Data controllers and processors have specific obligations under the law. Personal data must be processed for a lawful purpose and kept only for as long as is reasonably necessary; controllers and processors must regularly review the data they hold and delete or anonymize it when it is no longer needed. Data subjects can request anonymous or pseudonymous processing of their data, particularly to enhance privacy or to avoid direct marketing. Before personal data is shared with other controllers, processors or third parties, the purpose and method of the sharing must be determined.
Controllers and processors are also required to develop, publish, and update a data protection policy detailing their personal data handling practices. This policy should cover aspects such as types of personal data collected, access rights for data subjects, complaint handling mechanisms, lawful processing purposes, and data transfer requirements. Written contracts between controllers and processors must include key safeguards, and processors must obtain authorization before engaging third parties for data processing. Data related to state strategic interests must be processed or stored on servers located in Kenya.
Registration
To register as a data controller or processor, an entity must submit form DPR 1, which must include, among other things, details of the personal data processed and the purpose of processing it, the categories of data subjects, contact information, and a description of the risks involved and the safeguards in place.
Additionally, the application must be accompanied by a copy of the establishment documents or proof of registration (such as a CR12, a partnership deed, or a copy of the ID of the individuals required to register).
The registration fees are categorized based on the size of the data controller or processor. Micro and small entities with annual revenue up to Kshs. 5 million and 1 to 50 employees are required to pay Kshs. 4,000. Medium entities with revenue between Kshs. 5 million and Kshs. 50 million and 51 to 99 employees pay Kshs. 16,000. Large entities with revenue over Kshs. 50 million and more than 99 employees pay Kshs. 40,000. Public entities, charities, and religious organizations pay Kshs. 4,000 regardless of size.
Individuals or entities that act as both data controllers and data processors are required to submit two separate applications (which will also incur two separate fees).
Penalty for non-registration:
The DPA provides that a data controller or processor who fails to comply with the registration requirements commits an offence. The penalty for this offence is a fine not exceeding Kshs. 3,000,000 (about US$23,000), imprisonment for a term not exceeding ten years, or both.
License and Renewal
Registration certificates are valid for 24 months from the date of issuance and must be renewed at least 30 days before expiration. The renewal fees are Kshs. 2,000 for micro and small entities, Kshs. 9,000 for medium entities, and Kshs. 25,000 for large entities. Public entities, charities, and religious organizations are required to pay Kshs. 2,000 for renewal.