Registration of Data Controllers and Data Processors in Kenya


published on 20 July 2022 | reading time approx. 3 minutes


Kenya has made great strides towards passing legislation aimed at protecting the privacy of personal data. This includes enacting the following regulations to assist in implementing the Data Protection Act, 2019.



  • The Data Protection (General) Regulations, 2021;
  • The Data Protection (Complaints Handling and Enforcement) Regulations, 2021;
  • The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
The General Regulations and the Complaints Handling Regulations took effect in February, 2022.
The Registration Regulations will take effect on the 14th July, 2022. This means that Data Controllers and Data Processors in Kenya will be required to start registering with the Office of the Data Protection Commissioner (ODPC) from the 14th July, 2022.

Some of the information that will be required from Data Controllers and Data Processors during registration includes:
  • details of personal data processed and the purpose of processing these data;
  • the types of sensitive personal data processed;
  • countries holding data that has been transferred outside Kenya;
  • technical and organisational measures that have been put in place to protect the personal data.
The details provided will then be verified and, where the Data Commissioner is satisfied that the applicant fulfils the requirements for registration, a certificate of registration valid for two years will be issued.

The Data Commissioner may decline to register an applicant where:
  • appropriate safeguards for the protection of personal data have not been put in place;
  • the particulars provided during the registration process are insufficient; or
  • the applicant is in violation of any provisions of the Act and Regulations.

The Registration Regulations provide that it is an offence to:
  • process personal data without registering;
  • provide false or misleading information during the registration; and
  • fail to renew the registration certificate after its expiry.

On conviction, the convicted party is liable to a fine not exceeding three million shillings or to an imprisonment term not exceeding ten years, or to both. In addition to this penalty, an order may be issued to forfeit any equipment or article that was connected with the commission of the offence or to prohibit the doing of any act to stop the offence.

Exemption from Mandatory Registration

Data Controllers or Data Processors that have an annual turnover of below five million shillings or annual revenue of below five million shillings, and that have fewer than ten employees, are exempt from mandatory registration. They are, however, not exempt from compliance with the Act on prescribed obligations and grounds for processing of sensitive personal data.

It is also important to note that Data Controllers and Data Processors processing personal data for the following purposes are NOT exempt from mandatory registration, notwithstanding that their annual revenue or turnover may be below five million shillings:
  • canvassing political support among the electorate;
  • crime prevention and prosecution of offenders (including operating CCTV systems);
  • gambling;
  • operating an educational institution;
  • health administration and provision of patient care;
  • hospitality industry firms (excluding tour guides);
  • property management including the selling of land;
  • provision of financial services;
  • telecommunications network or service providers;
  • businesses that are wholly or mainly in direct marketing;
  • transport service firms (including online passenger hailing applications);
  • businesses that process genetic data.

To facilitate an effective registration process, preparation is necessary. This preparation entails conducting a self-evaluation with a view to assessing the extent of compliance with the Data Protection Act, 2019.