In this series, we take you through frequently asked questions and questions that you may not have thought of regarding compliance with Data Protection Laws in Kenya.
Did you know that
- details such as an individual’s name, identity number, location, gender, marital status, contact details, health information, etc. are personal data.
- you can be penalized for obtaining personal data from individuals without their consent.
- the penalties for breach of data protection laws include a fine of up to Kshs. 5,000,000/= or imprisonment for not more than 2 years or both.
How then can one avoid the penalties?
Compliance, Compliance, Compliance.
How does one comply?
Organizations or individuals who collect, record, store, and disseminate personal data are required to register as Data Controllers or Data Processors with the Office of the Data Protection Commissioner.
Who are Data Controllers and Data Processors?
A Data Controller is any person, company or public body that determines the purpose and means of processing personal data that has been collected.
A Data Processor is any person, company or public body that processes i.e., collects, records, organizes, disseminates etc., any personal data on behalf of a Data Controller.
How do you know if you are a Data Controller, Data Processor or both?
The Data controller controls the procedures and purpose of data usage while the Data Processor collects the information for the Data Controller. The data controller will be the one to dictate how and why data is going to be used by the organization. The data processor has no possessory rights over the data as it is an agent of the data controller.
The table below provides guidelines to determine what type of Data handler one falls under.
| DATA HANDLER CATEGORY CHECKLIST | |
| Checklist: Are you a Data Controller? | Checklist: Are you a Data Processor? |
| ☐ You decide to collect or process the Personal Data.
☐ You decide what the purpose or outcome of the Processing is to be. ☐ You decide what Personal Data should be collected. ☐ You decide which individuals to collect Personal Data about. ☐ You obtain a commercial gain or other benefits from the Processing, except for any payment for services from another controller. ☐ You are Processing the Personal Data as a result of a contract between you and the Data Subject. ☐ The Data Subjects are your employees. ☐ You make decisions about the individuals concerned as part of or as a result of the Processing. ☐ You exercise professional judgement in the Processing of Personal Data. ☐ You have a direct relationship with the Data Subjects. ☐ You have complete autonomy as to how the Personal Data is processed. ☐ You have appointed the processors to process the Personal Data on your behalf. |
☐ You have a contract to handle Personal Data on behalf of another Entity.
☐ You are following instructions from someone else regarding processing personal data. ☐ You do not decide to collect Personal Data from individuals. ☐ You do not decide what Personal Data should be collected from individuals. ☐ You do not decide the lawful basis for the use of that data. ☐ You do not decide what purpose or purposes the data will be used for. ☐ You do not decide whether to disclose the data or to whom. ☐ You do not decide how long to retain the data. ☐ You may make some decisions on how data is processed, but implement these decisions under a contract with another Entity. |
What is a day-to-day example that briefly describes Data Handlers?
For illustration purposes, we will use an Insurance Agent. An insurance agent acts as a Data Processor when he/she takes details of a potential customer/ client as he/she is collecting and recording information on behalf of the Insurance Company. The Insurance Company, as the Data Controller will then determine what to do with that information, how to store it, and whether to disseminate it i.e., decide if the person is eligible for an insurance cover or which cover would best suits the potential customer etc.
Do I have to register?
Yes, if you do not fall under the exemption category.
Who is exempted from registration?
Organizations or individuals whose annual turnover/ revenue is below five million shillings and employ less than ten people and are not under the category of non-exempt mandatory registration Entities.
Who are non-exempt mandatory registration Entities?
These are organizations or individuals, regardless of their annual turnover being below five million or their number of employees being less than ten people that have a mandatory obligation to register.
They are entities that process Data in the following fields: –
- political canvassing among the electorate;
- crime prevention and prosecution including private security service providers and operating of security cameras i.e., CCTV systems;
- gambling, gaming and betting operators;
- education;
- health administration and provision of patient care;
- hospitality;
- faith-based or religious institutions;
- property management, including selling of land;
- financial services;
- debt administration and factoring;
- retirement benefits administration;
- insurance administration and undertakings;
- operating credit bureaus;
- telecommunications networks or service providers;
- internet access providers;
- direct marketing;
- transport services including online passenger hailing applications;
- Entities Processing genetic data; and
- Public sector bodies
How do I register as a Data Handler?
One can register as a Data Handler from the Office of the Data Protection Commissioner website.
In the next series, we shall take you through the registration process and the requirements.
Kindly feel free to contact MCCK Advocates LLP for any clarification and questions concerning Data Protection Laws at info@mcckadvocatesllp.co.ke or visit our website at www.mcckadvocatesllp.co.ke