Skip to content

Kenya: Stay compliant by renewing your data protection registration certificate

10 July 2024
– 3 Minute Read

DOWNLOAD ARTICLE

Overview

  • The Data Protection Act was enacted in 2019 (DPA) and shortly after, the Data Protection (Registration of Data Controllers and Data Processors) Regulations (Registration Regulations), came into effect in 2021 creating procedures for the registration of data controllers and data processors that are established in Kenya or process personal data of data subjects located in Kenya.

The Data Protection Act was enacted in 2019 (DPA) and shortly after, the Data Protection (Registration of Data Controllers and Data Processors) Regulations (Registration Regulations), came into effect in 2021 creating procedures for the registration of data controllers and data processors that are established in Kenya or process personal data of data subjects located in Kenya. This was also outlined in the Guidance Note on the Registration of Data Controllers and Data Processors available here.

In our previous article here, we note that the Office of the Data Protection Commissioner (ODPC), initially rolled out the requirement to register on 14th July 2022. The DPA and the Registration Regulations provide that upon registration with the ODPC and where the Data Commissioner is satisfied that the requirements have been fulfilled, the applicants are entitled to receive a registration certificate. The registration certificate is valid for two years from the date of issuance and registered data controllers and data processors are required to apply for a renewal of registration to take effect upon expiry of the initial registration. We expect that most entities that were prompt in filing their registration application will now need to consider renewing their registrations.

The Data Commissioner shall renew the certificate of registration when she is satisfied that the applicant complies with the requirements for registration. Additionally, where the renewal is for a different processing purpose or category of data than what the data controller or processor was originally registered for, the Data Commissioner will carry out a further verification process.

The Data Commissioner may decline to grant the renewal certificate where particulars to be included in the register are insufficient, appropriate safeguards for the protection of the privacy of the data subject have not been provided or the applicant violates the DPA and its attendant regulations. The Data Commissioner must communicate such refusal within 21 days from the date of the renewal application. An applicant whose application for renewal has been declined under the Registration Regulations may make a fresh renewal application upon complying with the requirements specified in the refusal notice.

As clients, what do you need to know?

  • We understand that an email renewal prompt will be sent to the registered account 30 days before the expiry;
  • The process of renewal will require registrants to provide similar information as those provided during registration in the prescribed form (the “DPR 2”);
  • Payment of the stated renewal fees.

What next?

As and when your renewal reminder is received from the ODPC, we are on hand to assist all our clients in remaining compliant by ensuring their registration certificates are renewed promptly.