List of Businesses That Must Obtain New Mandatory Registration

  • Traders pictured in Gikomba Market, Nairobi.
    Traders pictured in Gikomba Market, Nairobi.
  • The Office of the Data Protection Commission has directed all data controlling and processing entities to obtain new registration details. 

    According to ODPC, the entities comprise public and private entities including individuals, that handle your personal data, Non-Governmental Organisations (NGOs) and religious institutions - churches, mosques, and temples among others. 

    A majority of these are firms which have employees and visitors fill out data forms or leave Identity Cards and passports at the reception. 

    ODPC stated that the new directive is in line with the Data Protection (Registration of Data Controllers and Data Processor) Regulations, 2021 published in the Kenya Gazette on Thursday, July 14.

    A pharmacist attending to his store
    A pharmacist attending to his store

     "There will be a statutory requirement for any data controller and data processor processing (including collecting and storing data) of persons located in Kenya to register with the ODPC.

    "Registration is an important element of compliance with the data protection legislation as organizations cannot act as Data Controller or Processor in Kenya unless they have registered with the ODPC," the commission clarified, adding that entities should submit their registration application online. 

    The full list of companies that handle data and ought to register a fresh regardless of their annual turnover or revenue. 

    Property management organisations including law firms, landlords, caretakers and real estate agencies. 

    Transport services firms, from PSVs to online taxis and bikes. Companies canvass political support among the electorate (example: Political Parties, Youth Political Organisations).

    Crime prevention and prosecution of offenders like companies offering security services. Firms with CCTV cameras, including private security companies, building managers operating CCTV equipment, CCTV for security equipment and solutions providers.

    Gambling companies - betting companies and entities collecting funds on behalf of betting companies.

    Organisations operating an educational institution, from training providers and teachers whether for primary, high or tertiary education.

    Health administration and provision of patient care. This includes dispensaries, clinics, mental healthcare providers, and digital/ e-health providers. 

    Taxi drivers at a parking lot in Nairobi
    Taxi drivers at a parking lot in Nairobi

    Hospitality industry firms save for tour guides. This affects restaurants, bars and hotels. 

    Companies providing financial services, from mobile money agents, digital lenders, Saccos and micro-lenders.

    Others include telecommunications network firms and service providers, businesses that are wholly or mainly in direct marketing and those processing genetic data. This includes medical research companies and medical labs. 

    Provisions in the Data Protection Act guarantee that every person has the right to privacy, including not to have information relating to their family or private affairs unnecessarily required or revealed and not to have the privacy of their communications infringed. 

    The Data Commission noted that it will issue varying requirements in light of most data controllers and processors' diverse sectors.