The Office of the Data Protection Commissioner has released a Guidance Note on the ongoing registration of Data Controllers and Data Processors in order to assist entities in ascertaining if they are Data Controllers or Data Processors, and appreciate their obligations with respect to mandatory registration.

Here are the highlights of the Guidance Note:

What makes you a Data Controller?

  1. You decide to collect or process the Personal Data.
  2. You decide what the purpose or outcome of the Processing is to be.
  3. You decide what Personal Data should be collected.
  4. You decide which individuals to collect Personal Data about.
  5. You obtain a commercial gain or other benefit from the Processing, except for any payment for services from another controller.
  6. You are Processing the Personal Data as a result of a contract between you and the Data Subject.
  7. The Data Subjects are your employees.
  8. You make decisions about the individuals concerned as part of or as a result of Processing.
  9. You exercise professional judgment in the Processing of the Personal Data.
  10. You have a direct relationship with the Data Subjects.
  11. You have complete autonomy as to how the Personal Data is Processed.
  12. You have appointed the Processors to process the Personal Data on your behalf.

What makes you a Data Processor?

  1. You have a contract to handle Personal Data on behalf of another entity.
  2. You are following instructions from someone else regarding the Processing of Personal Data.
  3. You do not decide to collect Personal Data from individuals.
  4. You do not decide what Personal Data should be collected from individuals.
  5. You do not decide the lawful basis for the use of that data.
  6. You do not decide what purpose or purposes the data will be used for.
  7. You do not decide whether to disclose the data, or to whom.
  8. You do not decide how long to retain the data.
  9. You may make some decisions on how data is processed, but implement these decisions under a contract with another entity.

Under the Act, all Data Controllers and Data Processors MUST register unless an Entity can clearly identify that they fall within an exemption.

Any entity Processing Personal Data for the following activities, or in the following sectors, MUST COMPLY WITH MANDATORY REGISTRATION regardless of its annual Turnover/Revenue or number of employees. These activities include:

  • Political canvassing,
  • Crime prevention,
  • Gambling,
  • Education,
  • Health administration and provision of patient care,
  • Hospitality,
  • Property management,
  • Financial services,
  • Telecommunications,
  • Direct marketing,
  • Transport, and
  • Processing of genetic data


Any company in the private sector that:

  • Is resident in Kenya or located outside Kenya;
  • Processes Personal Data of persons located in Kenya (including citizens, residents and visitors); and
  • Has an annual Turnover or Revenue of Kshs. 5 million and above or more than 10 employees;

MUST REGISTER UNLESS it is a non-exempt mandatory registration Entity. Non-exempt mandatory registration Entities must register regardless of their annual Turnover/Revenue and/or number of employees.

Follow us for a continued breakdown of the Guidance Notes.
