The Data Protection Commissioner (DPC) revealed that data businesses that failed to register with the institution as stipulated by the law would be issued a penalty of up to Ksh5 million.
In a statement dated Tuesday, February 21, the commissioner stated that the move was to safeguard and protect all data collected.
The businesses targetted included phone operators, hotels, hospitals, insurance companies, schools, ride-hailing apps, mobile money services, providers, loan vendors, owners of CCTV cameras, betting companies, and government departments.
Data processors, including insurance brokers, travel booking agents, Uber drivers, and mobile money operators, are also expected to adhere to the same law.
“The law stipulates that data controllers and processors must register with the Office of the Data Protection Commissioner, the institution created by the law to safeguard data.
"It is part of our mandate as the Office of the Data Protection Commissioner(ODPC)to promote and protect the right to privacy by ensuring data controllers and data processors adhere to their obligations under the law. This increases trust and promotes economic development," the commissioner stated.
However, ODPC stated that data controllers or processors whose annual turnover was below Ksh5 million and employed less than 10 people were exempted from the mandatory registration.
Depending on the type of business, a registration fee between Ksh2,000 and Ksh25,000 is incurred during the registration process.
Further issuing instructions for the application process, DPC directed the data businesses to submit their applications electronically through their website dataportal(dot)odpc(dot)go(dot)ke.
ODPC stated that when satisfied with the applicant, it will issue a certificate of registration within 14 days from the registration date.
“When satisfied that the applicant has fulfilled the requirements, a certificate of registration will be issued, and an entry of the applicant's details will be made in the register of data controllers and data processors.
“The certificate is valid for two years from the date of issuance after which an application for renewal should be made at least 30 days prior to the expiry of the certificate,” ODPC noted.
However, if an application is rejected, the commissioner stated it would write to the business within 21 days, providing reasons for the rejection.
“One can make a fresh application to the Data Commissioner upon complying with the requirements specified in the refusal notice. This will incur a new registration fee,” explained the commissioner.
