Following on from our recent update on the publication of the Regulations, in this article we provide a summary of some of the key provisions that data controllers and data processors should be aware of. As a reminder, the recently published Regulations consist of the Data Protection (General) Regulations, 2021 (“General Regulations”), the Data Protection (Complaints Handling and Enforcement) Regulations, 2021 (“Complaints Handling Regulations”) and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (“Registration Regulations”) (together “the Regulations”).
We highlight some of the notable provisions in the Regulations below:
1. When do they take effect?
Whilst compliance with the Data Protection Act 2019 (“the Act”) became effective on 25 November 2019, the Regulations administered by the Office of the Data Protection Commissioner (“ODPC”) were gazetted on 14 January 2022 and are due to take effect on 11 February 2022, subject to annulment or approval by the National Assembly Committee on Delegated Legislation.
Data processors and controllers who meet the prescribed thresholds will be required to register with the ODPC under the Registration Regulations. The Registration Regulations provide a grace period of 6 months for compliance with the registration requirement. From our engagements with the ODPC, we understand that the registration portal on the ODPC’s website will be launched in June 2022, and applications for registration must be submitted by 14 July 2022. We discuss this further below, together with how we can help.
2. Registration Regulations
Application for Registration:
- Applications are to be submitted electronically through the ODPC’s website (https://www.odpc.go.ke/) in the prescribed form, together with payment of the prescribed registration fees. Organisational details must be submitted as well as a description of the processing activities.
- Where the Data Commissioner (“DC”) is satisfied that the applicant has fulfilled the requirements, a certificate of registration will be issued within 14 days and an entry of the details of the applicant will be made in the register of data controllers and data processors.
- The certificate of registration will be valid for a period of 24 months from the date of issuance. A certificate of registration is renewable every 24 months and an application for renewal will need to be made at the appropriate time.
Exemption from Registration (not exemption from compliance with the Act) – as stated in our previous update, data controllers and data processors with an annual turnover of below KES 5,000,000 (approx. USD 50,000) or annual revenue of below KES 5,000,000 (approx. USD 50,000) and fewer than 10 employees are exempted from the mandatory registration requirements. It should be noted that the exemption does not apply to data controllers and data processors who process personal data in certain sectors, such as operating educational institutions, health administration, provision of patient care and provision of financial services.
3. General Regulations
Processing on the basis of consent: the General Regulations clarify the information to be provided to a data subject where processing of personal data is done on the basis of consent (in line with the duty to notify a data subject prior to processing under section 29 of the Act). In obtaining consent, a data controller or data processor is now required to inform a data subject of: its identity; the purpose of the processing operations; the type of personal data collected or used; information about the use of the personal data for automated decision-making (where applicable); the right to withdraw consent; the implications of providing, withholding or withdrawing consent; the possibility and risks of data transfers; and whether the data may be shared with third parties. This information may be provided through a written notice (consent or privacy notice), an oral statement, or an audio or video message. In obtaining consent, data controllers or data processors must ensure that the individual (the data subject) has capacity to give consent, that such consent has been voluntarily provided and that the consent is specific to the purpose of processing.
Lawful grounds for processing personal data: apart from consent, data controllers and data processors can rely on other lawful grounds as permitted under the Act. The General Regulations clarify that where a data controller uses multiple lawful bases for different processing purposes, the data controller is required to distinguish between the legal bases being used rather than bundling them into one processing purpose.
Commercial use of personal data: the interpretation of the “commercial use” of personal data has been expanded in the revised General Regulations and should be read alongside the pre-existing direct marketing provisions as set out in our update. The General Regulations clarify that the commercial use of personal data arises where the personal data is used to advance commercial or economic interests, including inducing another person to buy, join, rent or lease, subscribe to, provide or exchange products, property, information or services, or enabling or effecting a commercial transaction directly or indirectly. Personal data may be used for commercial purposes in connection with direct marketing activities only where it is collected from the data subject, the data subject is informed of this fact and consents to the disclosure of his/her personal data for purposes of direct marketing, and the data subject is provided with a simple opt-out mechanism that is free of charge.
Cross-border transfers of personal data: the General Regulations also provide more clarity on the conditions for cross border transfer of personal data. Before transferring personal data outside Kenya, data controllers or data processors are obliged to ascertain that the transfer is based on:
(i) appropriate data protection safeguards, which include having in place a binding agreement with the recipient of the personal data;
(ii) an adequacy decision made by the DC;
(iii) transfer as a necessity; or
(iv) consent of the data subject.
A laudable addition to the General Regulations is the inclusion of binding corporate rules (BCRs) as one of the mechanisms for cross-border transfer of personal data. The concept of using BCRs to provide adequate safeguards for making restricted transfers was developed under EU law and is familiar to multinational corporate groups. The use of BCRs is one way that controllers and processors can comply with the Act’s third country data transfer requirements.
Personal data breach notification requirements: under the Act, notification of personal data breaches to the DC and communication to the data subject depend on whether there is a real risk of harm that the data subject might suffer as a result of the data breach. The General Regulations clarify what would amount to a ‘real risk of harm’ and therefore trigger a mandatory notification to the DC. The General Regulations also set out the timelines for notifying the DC as well as the information that should be provided as part of the notification.
4. Complaints Handling Regulations
The Complaints Handling Regulations set out the procedure for the handling of data subject complaints by the ODPC. Alternative means of dispute resolution such as conciliation, mediation and negotiation are recognised under the Complaints Handling Regulations. Furthermore, there is more clarity on the procedure for the issuance, review and appeal of enforcement notices issued by the ODPC, as well as the issuance and enforcement of penalty notices.
Enforcement of the Act and the Regulations will be high on the agenda for the ODPC and compliance must become an immediate priority for entities operating in Kenya.