The Process of Registering as a Data Controller and Data Processor


Last week, we learned that Data Controllers and Data Processors must register their organizations according to the stipulations in the Data Protection Act, 2019. The law, which went into effect in late 2019, was also supplemented by the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. The amendments were made official at the start of 2022 and came into effect just last week.

In the spirit of making the details regarding registration, we have since assessed what organizations qualify as data controllers or data processors. At the same time, we highlighted the registration fees, the validity of the issued certificates, and exemptions to registration. All these details can be accessed in the links below.

State Opens Registration of Data Processors and Data Controllers

Who Is Data Controller and Data Processor?

Registration Charges for Data Controllers and Data Processors

The Process of Registration

First and foremost, the ODPC has since opened a portal for the registration of data processors and controllers.

The portal:

Once you have accessed the portal, you will be asked to log in, or else, create an account.

At this stage, the portal will guide you, including the details required for the registration exercise, including the registration fees that we have highlighted above.

According to the ODPC, the required organizational details must be submitted as well as a description of the processing activities. 

Now, where the Data Commissioner is satisfied that the applicant has fulfilled the requirements, a certificate of registration will be issued within 14 days and an entry of the details of the applicant will be made in the register of data controllers and data processors.

As said before, the certificate of registration will be valid for a period of 24 months from the date of issuance.

A certificate of registration is renewable every 24 months and an application for renewal will need to be made at the appropriate time.

Lastly, where the data commissioner is dissatisfied and rejects the registration application, the Data Commissioner shall notify the applicant within 21 days and provide reasons. Where the application had been declined, the applicant may make a fresh application.