DATA PROTECTION ACT – WHO IS ELIGIBLE FOR REGISTRATION 

The Data Protection Act, Act No. 4 of 2019, which had been a subject of discussion for a number of years, was passed into law on 8th November 2019. The Act places an obligation on any entity handling personal data to ensure that the data is collected only for legitimate reasons and that it is stored and processed in a secure, legal and transparent manner, in accordance with the right to privacy of the owner of the data. It also requires that the consent of the owner of the data is obtained before personal data is processed.

The Act also provides a statutory obligation for all Entities, including individuals, that process Personal Data to register with the Data Commissioner, subject to the thresholds set in place by the Data Commissioner on mandatory registration.

Pursuant to section 18 of the Act and, particularly, sub-section (2), and section 71 of the Act, the Cabinet Secretary caused to be developed and, subsequently, gazetted the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021, which took effect from 14 July 2022.

An entity can be registered either as a data controller or as a data processor. The Act defines a Data Controller as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of Processing of Personal Data. On the other hand, a data processor is a person who processes data on behalf of the data controller.

The checklist below will help you determine whether you are a data controller or a data processor.

Checklist: Are you a Data Controller?  

You decide to collect or process the Personal Data.  

You decide what the purpose or outcome of the Processing is to be.

You decide what Personal Data should be collected.  

You decide which individuals to collect Personal Data about.  

You obtain a commercial gain or other benefit from the Processing, except for any payment for services from another controller.

You are Processing the Personal Data as a result of a contract between you and the Data Subject.

The Data Subjects are your employees.

You make decisions about the individuals concerned as part of or as a result of the Processing.

You exercise professional judgement in the Processing of the Personal Data.

You have a direct relationship with the Data Subjects.

You have complete autonomy as to how the Personal Data is processed.

You have appointed the processors to process the Personal Data on your behalf.

Checklist: Are you a Data Processor?  

You have a contract to handle Personal Data on behalf of another Entity.  

You are following instructions from someone else regarding the Processing of Personal Data.

You do not decide to collect Personal Data from individuals.

You do not decide what Personal Data should be collected from individuals.

You do not decide the lawful basis for the use of that data.

You do not decide what purpose or purposes the data will be used for.

You do not decide whether to disclose the data, or to whom.

You do not decide how long to retain the data.

You may make some decisions on how data is processed, but implement these decisions under a contract with another Entity.

A review of the checklist shows that the Sacco is a data controller. 

MANDATORY REGISTRATION 

All Entities within the private sector that:

  • are resident in Kenya or located outside Kenya;
  • process Personal Data of persons located in Kenya (including citizens, residents and visitors); and
  • have an annual Turnover or Revenue of Kshs. 5 million and above or more than 10 employees;

are required to register as data controllers or data processors.

However, non-exempt mandatory registration Entities must register regardless of their annual Turnover/Revenue and/or number of employees.

These are Entities Processing Personal Data for the following activities, or in the following sectors, regardless of their annual Turnover/Revenue or number of employees:

  • political canvassing, 
  • crime prevention, 
  • gambling, 
  • education,
  • health administration and provision of patient care, 
  • hospitality, 
  • property management, 
  • financial services, 
  • telecommunications, 
  • direct marketing, 
  • transport, and
  • Entities Processing genetic data.

Get in touch with us for advice on data protection and on registration as a data controller and/or data processor.
