The enactment of the Kenyan Data Protection Act has fundamentally transformed how organizations collect, process, store, transfer, and manage personal data. Businesses, NGOs, financial institutions, schools, hospitals, digital platforms, employers, and even small enterprises handling personal data are now under increasing scrutiny regarding compliance with Kenya’s data protection laws.
One of the key compliance requirements under Kenyan law is the registration of eligible entities as Data Controllers and/or Data Processors with the Office of the Data Protection Commissioner (ODPC).
This guide answers the most frequently asked questions regarding ODPC registration in Kenya.
Key Definitions
- Data: Any information which is processed by means of equipment operating automatically in response to instructions given for that purpose, is recorded with the intention that it should be processed by means of such equipment, is recorded as part of a relevant filing system, or forms part of an accessible record.
- Data Subject: An identified or identifiable natural person who is the subject of personal data. (Essentially, the individual customer, employee, or user whose data you handle).
- Personal Data: Any information relating to an identified or identifiable natural person. This includes names, ID numbers, location data, online identifiers (like IP addresses), or factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.
- Sensitive Personal Data: Personal data that requires a higher level of protection because of its private nature. It includes personal data that reveals a data subject’s genetic data, biometric data, health status, ethnic origin, property details, marital status, family details (including names of children), sex life, or sexual orientation. It carries a much higher threshold of regulatory scrutiny.
⚠ Compliance Note
The processing of sensitive personal data requires explicit consent or another lawful ground under the Act. Entities processing such data must take additional technical and organizational safeguards.
Who is a Data Controller versus a Data Processor?
- Data Controller: A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purpose and means of processing personal data. If your business decides why and how data is collected (e.g., an employer processing staff payroll, a hospital processing patients’ records, schools dealing with students’ records, or a bank processing client accounts), you are a Data Controller. In simpler terms, a data controller decides the purpose and means of processing personal data.
- Data Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller. If your business acts strictly under instructions from another company (e.g., a cloud hosting company, a third-party payroll software provider, or a call center provider) and does not determine the purpose of the data processing, you are a Data Processor.
Note on Dual Roles
Where an entity acts as both a data controller and a data processor, for example, a law firm that determines how it processes client data and processes employee payroll on behalf of another entity, it must register separately for each role, with separate fees payable for each registration.
What is the legal basis for registration?
The obligation to register arises from the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (Legal Notice No. 207 of 2021), made under Section 17 of the Data Protection Act, 2019. The Regulations took effect on 14 July 2022, from which date applications for registration opened via the ODPC’s online portal.
Which entities are required to register with the ODPC?
Subject to the thresholds and exemptions below, every entity (whether a natural or legal person, public authority, agency, or other body) that falls into either of the following categories must register:
- As a data controller, if it determines the purpose and means of processing personal data (alone or jointly), and/or
- As a data processor, if it processes personal data on behalf of a data controller.
What are the minimum thresholds for mandatory registration?
A controller or processor must register if it has:
- Annual turnover or revenue of at least KES 5,000,000, or
- At least 10 employees.
An entity below both thresholds (turnover under KES 5M and fewer than 10 employees) is exempt, unless it operates in a mandatory sector.
Note: Meeting only one criterion does not qualify for exemption. For instance, a small NGO with 8 employees but an annual income exceeding KES 5 million must still register. Similarly, a sole proprietor with an annual turnover of KES 3 million but 15 employees must register.
How are entities categorized for purposes of fees?
The Regulations classify entities and fees using the previous year’s turnover and number of employees as follows:
| Category | Description | Registration fee (per controller/processor) | Renewal fee (every 2 years, per controller/processor) |
| --- | --- | --- | --- |
| Micro & Small | 1 – 50 employees AND turnover up to KES 5M | KES 4,000 | KES 2,000 |
| Medium | 51 – 99 employees AND turnover KES 5,000,001 – 50,000,000 | KES 16,000 | KES 9,000 |
| Large | >99 employees AND turnover above KES 50M | KES 40,000 | KES 25,000 |
| Public entities | Government functions, any size/turnover | KES 4,000 | KES 2,000 |
| Charities & religious entities | Charity or religious functions, any size/turnover | KES 4,000 | KES 2,000 |
What are the mandatory registration sectors?
Regardless of your turnover or number of employees, if your business processes data within any of the following sectors, registration is mandatory:
- Financial Services (including FinTechs, SACCOs, and Forex bureaus)
- Digital Credit Providers (DCPs)
- Telecommunications network or service providers
- Health administration and provision of patient care (hospitals, clinics, pharmacies)
- Hospitality industry firms (hotels, lodges, lounges – excludes individual tour guides)
- Property management (including real estate agencies and the selling of land)
- Transport services firms (including online passenger-hailing and delivery applications)
- Educational institutions (schools, universities, kindergartens, e-learning platforms)
- Gambling and betting service providers
- Businesses wholly or mainly involved in direct marketing
- Entities processing genetic data
- Crime prevention and prosecution of offenders (including businesses operating commercial CCTV security systems)
- Canvassing political support among the electorate
What information is required in an ODPC registration application?
Under the Act and the Registration Regulations, an application must include:
- Copy of establishment documents (e.g., certificate of incorporation, partnership deed, or other founding instrument)
- Full particulars of the controller/processor (name, contact details, physical and postal address, sector)
- Description of the personal data to be processed
- Description of the purposes of processing
- Categories of data subjects (e.g., employees, clients, students, suppliers)
- Categories of personal data (e.g., names, contacts, ID numbers, financial data)
- Indication of whether sensitive personal data is processed and for what purposes
- Details of any cross‑border transfers of personal data
- General description of risks, safeguards, and security measures to protect the data
- Any measures to indemnify data subjects against unlawful use of their data.
The official DPR1 form annexed to the Regulations guides this information.
What safeguards must an applicant demonstrate?
Applicants are expected to demonstrate reasonable data protection safeguards, including:
- Access control systems;
- Password protection;
- Cybersecurity measures;
- Data backup systems;
- Confidentiality obligations;
- Physical office security;
- Visitor management procedures;
- Privacy policies;
- Internal compliance frameworks.
The ODPC may reject applications where safeguards are inadequate.
How do I register as a data controller and/or processor with ODPC?
The registration process is entirely electronic and managed through the ODPC automated data handler portal. The typical process is:
1. Determine role and thresholds
   - Assess whether you are a controller, a processor, or both, based on whether you determine the purposes and means of processing or process on behalf of another entity.
   - Confirm that you meet the turnover/employee threshold or fall within a mandatory sector.
2. Create an account on the ODPC portal
   - Access the ODPC data handler registration portal via the ODPC website and create an account for your organization.
3. Prepare the required information and documents
   - Gather establishment documents, contact details, data inventories, and descriptions of safeguards, as required in DPR1.
4. Complete the online application (DPR1)
   - Choose whether you are registering as a data controller, a data processor, or both.
   - Fill in all sections: basic details, categories of data subjects, personal and sensitive data, transfers outside Kenya, safeguards, and employee and turnover bands.
5. Pay the applicable fee
   - The portal computes the fee based on your category (micro/small, medium, large, public, charity).
   - Pay electronically through the options provided (e.g., mobile money or bank-based channels).
6. ODPC verification and decision
   - The Data Commissioner verifies the application and may request clarifications.
   - If satisfied, the ODPC issues a certificate of registration within about 14 days and enters your details into the public register.
   - If the application is declined, the ODPC must notify you in writing within 21 days, stating reasons, and you may reapply after addressing them.
7. Ongoing compliance and renewal
   - Maintain compliance with the Data Protection Act and notify the ODPC of any change in particulars within 14 days.
   - Apply for renewal using DPR2 and pay the renewal fee before the 24-month certificate expires.
How long does the process take?
Once a complete application is submitted and the fee is paid, the ODPC should process it and, if satisfied that the requirements are met, issue a certificate within 14 days. The actual time taken depends on the completeness of the application and the risk profile of the sector.
Can a foreign entity be required to register in Kenya?
Yes. The Data Protection Act applies to data controllers and processors processing personal data of persons located in Kenya, regardless of whether the controller or processor is established in Kenya. A foreign-based entity processing personal data of persons in Kenya is therefore required to register with the ODPC.
Does registration guarantee full compliance with the Data Protection Act?
No. Registration is only one element of compliance. It does not insulate a registered entity from liability for breaches of other obligations under the Act, including the data protection principles, lawful basis requirements, data subject rights, consent management, cross-border transfer rules, and data breach notification requirements. Registration should be viewed as the foundational step in a broader, ongoing data protection compliance programme.
What are the consequences of failing to renew?
Under the Data Protection Act 2019, it is an offence to:
- Fail to register when required to do so;
- Fail to renew a certificate of registration and continue to process personal data after expiry of the certificate; or
- Provide false information in the course of registration.
⚠ Penalty Warning
Any person who commits an offence under the registration provisions is liable on conviction to a fine not exceeding KES 3,000,000 or imprisonment for a term not exceeding ten (10) years, or both. Entities should treat registration compliance as a high-priority legal obligation.
How Njaga & Co. Advocates LLP Can Assist
At Njaga & Co. Advocates LLP, we understand that navigating Kenya’s data protection regime can be complex, particularly for organizations new to the regulatory landscape or those undergoing rapid growth. Our team provides practical, end-to-end data protection advisory and compliance services tailored to your organization’s specific needs and sector. We assist clients across the following areas:
- Determining your registration category
- Preparing all required documents and policies
- Conducting Data Protection Impact Assessments
- Drafting data protection policies and privacy notices
- Handling the ODPC registration process on your behalf
- Training staff in data protection compliance
- Advising on cross‑border data transfers and security measures
Our goal is to ensure your organization is fully compliant, protected, and aligned with Kenya’s data protection laws.
Disclaimer: This article provides general information and does not substitute legal advice on specific circumstances of any individual or organization. While the information is accurate as of the date published, we cannot guarantee it remains accurate at the time you read it or that it will stay current. Before acting on any of this information, please seek professional legal advice tailored to your situation.