In this series, we take you through the registration process and what is required for the registration of your organization as a Data Handler in Kenya.
How do you register as a Data Handler?
Registration as a Data Handler is done by submitting a completed DPR 1 form as provided under rule 5(1)(a) of the Data Protection (Registration of Data Controllers and Processors) Regulations, 2021 (the “Regulations”).
What details are required for the form?
One is required to provide the following information: –
- Your organization’s postal address, code, county, telephone number, email address, county and country location, business sector, legal establishment i.e., private company/partnership etc. For Public bodies, one must specify the state department or county department.
- The organization’s Data subjects i.e., employees, clients, directors, shareholders, suppliers, service providers, students etc.
- The description of personal data being collected and processed by your organization i.e., names, dates of birth, national identity/ passport numbers, PIN Certificates, postal addresses, email addresses, marital status, dependents, employment status, bank account details etc.
- The purpose of processing personal data i.e., know your customer, payroll, invoicing etc.
- If your organization processes sensitive personal data in the following categories, it is also required to provide the purpose for processing that sensitive personal data:
  - Racial or ethnic origin
  - Political opinion or adherence
  - Religious or philosophical beliefs
  - Marital status and family details
  - Physical or mental health or condition
  - Sexual orientation, practices, or preferences
  - Biometric data
  - Property details (including financials)
  - GPS location data
  - Genetic data
- The list of countries in which your organization stores or transfers personal data, if applicable.
- Your organization’s number of employees and the previous year’s turnover.
- The potential risks to the personal data being processed by your organization i.e., unauthorized access/ disclosure, theft, malware, and cyber-attacks.
- The safeguards put in place by your organization to mitigate the risks i.e., visitors’ logbook, data encryption policies, anti-virus software, employee background checks, staff training etc.
Are there any additional details or documents required?
Yes, you are required to upload your organization’s Certificate of Incorporation and evidence of the organization’s turnover i.e., the previous year’s financial statement.
Where do I submit the form?
All the details provided in the form are to be submitted online through the Office of the Data Protection Commissioner (ODPC) registration portal.
Are there any fees to be paid?
Yes, the requisite fees to be paid are prescribed under Schedule 2 of the Regulations as follows: –
|Category|Description|Registration fee in Kshs. (per Data Controller/Processor) (payable once)|Renewal fee in Kshs. (per Data Controller/Processor) (after every 2 years)|
|---|---|---|---|
|Micro and Small Data Controllers/Processors|A data controller/processor with between 1 and 50 employees and an annual turnover/revenue of a maximum of Kshs 5 Million| | |
|Medium Data Controllers/Processors|A data controller/processor with between 51 and 99 employees and an annual turnover/revenue of between Kshs 5,000,001 and a maximum of Kshs 50 Million| | |
|Large Data Controllers/Processors|Data controller/processor with more than 99 employees and an annual turnover/revenue of more than Kshs 50 Million| | |
|Public entities|Data controller/processor offering government functions (regardless of the number of employees or revenue/turnover)| | |
|Charities and Religious entities|Data controller or data processor offering charity or religious functions (regardless of revenue/turnover)| | |
How do I make the payment?
Payment of the data handler registration application fees is made online through the ODPC registration portal.
Will I be issued a receipt upon payment?
How long will it take for the ODPC to approve my application?
Once you have submitted all the requested information on the DPR 1 form, made payments of the requisite fees, and the ODPC is satisfied with your application, it will take a period of 14 days for approval to be issued.
What happens after my application is approved?
You will be issued with a Certificate of Registration and your organization’s particulars will be entered in the register of Data Handlers.
How long is the Certificate of Registration valid?
The Certificate of Registration is valid for 24 months.
Can I apply for renewal of registration as a Data Handler?
Yes, you can, after the expiry of the Certificate of Registration.
How do I apply for renewal?
By uploading the details requested on the DPR 2 form, specifying whether the renewal is for a distinct purpose or for categories of data other than those for which you had been registered, and paying the prescribed renewal fees.
In the subsequent series, we shall take you through what happens when your application for registration or renewal is declined.
This article is issued for general information only and should not be relied upon without seeking specific subject matter legal advice.
Please feel free to contact MCCK Advocates LLP for any clarification, questions or advice concerning Data Protection Laws at firstname.lastname@example.org or visit our website at www.mcckadvocatesllp.co.ke