Do you do business in Kenya? If so, you need to register with Kenya’s Office of Data Protection Commissioner (the ODPC). Data controllers and processors need to register with the ODPC from 14 July 2022 based on the regulations issued by the ODPC. Only registered persons can process personal data in Kenya unless they’re exempt.

You need to:

  • work through the steps to determine if you’re required to register or exempt from registering with the ODPC, and
  • know what the registration process is. 

What is the Office of Data Protection Commissioner (ODPC)?

The ODPC is Kenya’s data protection authority.

Why do you need to register?

The ODPC wants to ensure a transparent and accountable data processing ecosystem that upholds and safeguards the right to privacy of Kenyan residents. This enables the ODPC to regulate data processing effectively and minimises the potential harm to individuals. 

Who needs to register?

The ODPC requires data controllers and data processors to register with them.

You’re a controller if you determine the purpose and manner in which personal data is processed.

You’re a processor if you process personal data on behalf of a data controller and you’re subject to their authority. For example, you’re a payroll service provider, advertising agent or ‘software as a service’ provider with access to personal data.

What if you’re not based in Kenya?

If you’re processing the personal data of a data subject in Kenya, you must register with the ODPC. You must register even if you’re not based in Kenya.

Who is exempt?

You’re exempt from registering if your organisation:

  • generated less than 5 million shillings annual turnover in the previous financial year, and
  • employs fewer than 10 people.

What if you only meet one requirement?

If you only meet one of the requirements, you may still need to register with the ODPC. For example, suppose you employ more than 10 employees but have less than 5 million annual turnover in the previous financial year. In that case, you need to register your organisation as a micro and small ‘data controller’ or ‘data processor’.

When are you not exempt?

You will not be exempt and must register with the ODPC if you process personal data within the following industries:

  • public sector bodies (including electoral campaigns) 
  • credit bureaus
  • crime prevention and prosecution of offenders (including operating security CCTV systems)
  • betting and gaming platforms
  • education
  • health care
  • hospitality services
  • faith-based or religious institutions
  • property (management and sale)
  • financial services, including insurance and retirement fund
  • telecommunication and internet service providers
  • businesses that depend on direct marketing
  • internet access 
  • transport services (including online passenger hailing applications)
  • businesses that process genetic data

Guide on how to register with the Office of Data Protection Commissioner

What do you need to register?

When you register, you need to ensure that you have:

  • your organisation’s name and contact details
  • the registration certificate for your organisation, i.e. company registration
  • an outline of the purpose for processing personal data
  • a description of the type of personal data you’re processing
  • a list of the different data subject categories, i.e. employee, shareholder, supplier or client
  • a list of third parties that you will share the personal data with 
  • financial documents indicating the annual turnover of your organisation, and
  • measures in place to protect personal data, including security safeguards and mechanisms

What is the registration process?

  1. You start your application by accessing the registration portal on the Office of Data Protection Commissioner’s website.
  2. You then create an account by providing the necessary information.
  3. After that, you’re required to pay a once-off registration fee.
  4. The Data Protection Commissioner will verify your application and issue you a certificate of registration within 14 days of application.
  5. If your application is rejected, the Office of Data Protection Commissioner has 21 days to give you reasons for rejecting your application.
  6. The certificate of registration is valid for 24 months from the date of issue. You’re required to apply for renewal once this period lapses. 
  7. If you made errors in your application and want to amend it, you must notify the Data Protection Commissioner in writing through [email protected]. 

What fees do you need to pay?

Registration fees depend on the category your organisation falls under: 

| Category | Initial registration fee | Renewal fee |
|---|---|---|
| Micro and small private organisations (less than 50 employees and annual turnover of less than Kshs 5 million) | Kshs 4 000 | Kshs 2 000 |
| Medium-sized private organisations (51 – 99 employees and annual turnover of more than 5 million but less than 50 million) | Kshs 16 000 | Kshs 9 000 |
| Large private organisations (more than 99 employees and an annual turnover of more than Ksh 50 million) | Kshs 40 000 | Kshs 25 000 |
| Public entities | Kshs 4 000 | Kshs 2 000 |
| Charities and religious entities | Kshs 4 000 | Kshs 2 000 |
