Who is a Data Controller and Data Processor?


Last week, the state announced that it has started registering Data Controllers and Data Processors. This followed stipulations stated in the Data Protection Act, 2019, and Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021, which came into effect in early 2022. Both public and private entities have been tasked to register. At the same time, people that deal with personal data will also be expected to do so.

Personal Data

This is information that is used to identify a person. Such information includes a person’s full name, ID number, date of birth, gender, physical and postal address, phone number, location data, and online identifiers.

According to the Office of the Data Protection Commissioner (ODPC), personal data does not have to be in written form, meaning it also includes genetic and biometric data, photos, audio, and video recordings.

Sensitive Data

Under the Data Protection Act, 2019, sensitive data reveals a person’s race, health status, ethnic social origin, conscience, beliefs, genetic data, biometric data, property details, marital status, and family details including names of a person’s children, parents, spouse or spouses, sex, or sexual orientation.

To this end, sensitive data needs extra protections due to its high-risk nature, as it can pose issues if it were accessed by an unauthorized person or unauthorized authority.

Data Controller

A data controller determines the purpose or function for which and the means by which personal data is processed.

This means that if a company or firm determines why and how personal data should be processed, then it is a data controller.

Examples of data controllers include telcos, hotels, hospitals, insurance companies, educational institutions, mobile money or loan vendors, betting companies, retailers, government departments, professional service providers, independent commissions, charities and Religious entities.

Data Processor

A data processor, basically, processes data on behalf of the data controller. A data processor, often, is a third party external to the data controller. The functions of a data processor toward the controller must also be specified.

An obvious example is a firm offering IT solutions, such as cloud storage.

Others include agents for telecommunication operators or service providers, and CRM or ERP solution providers with access to personal data.

Exemptions to Registration of Data Processors/Controllers

According to the ODPC, data controllers or data processors whose yearly turnover/ revenue falls under KES 5 million and employ less than ten people, are exempt from the mandatory registration under the registration regulations.

However, in case a data controller or data processor meets one of the requirements (more than 10 employees but more than 5M in yearly revenues or vice versa), the data controller or data processor must register.

READ MORE: State Opens Registration for Data Processors and Data Controllers