In our June 2021 Newsletter we reviewed the draft regulations made under the Data Protection Act. These draft regulations were the Data Protection (General) Regulations, 2021, the Data Protection (Compliance and Enforcement) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. They had been published for public participation. The Regulations have now been gazetted. We highlight the changes made below.
The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the “Registration Regulations”)
The following significant changes were made to the Registration Regulations after public participation:
- The validity of the Certificate of Registration was extended from one year to two years from the date of issuance. This reduces costs of renewals to once every two years.
- Applications for renewal of the Certificate of Registration will be done after expiry of the certificate as opposed to thirty days before its expiry. There is also no timeline to apply for the renewal of the Certificate of Registration. However, failing to renew the Certificate of Registration is an offence.
- Data Controllers and Data Processors with an annual turnover below KES 5 million or annual revenue below KES 5 million and with less than 10 employees are still exempt from mandatory registration under the Regulations. However, the Registration Regulations have for clarity and specificity defined “revenue” and “turnover”. Turnover means the preceding year’s annual budget of NGOs, charitable organizations, religious institutions, and civil society organizations. Revenue means the total income of profit-making data controllers or data processors for the year immediately preceding the year of registration.
- The Registration Regulations also provide that Data Controllers and Data Processors exempted from mandatory registration must still comply with the principles and obligations of data protection and the rules on transfer of personal data outside the country under the Act.
- The Registration Regulations have also removed the mandatory registration requirement for the following categories of entities: operating credit bureaus; debt administration and factoring; insurance administration and undertakings; faith-based and religious institutions; retirement benefits administration; and public sector bodies.
The Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 (the “Complaints Regulations”)
Previously, these were published as the Data Protection (Compliance and Enforcement) Regulations, 2021. The Complaints Regulations were largely adopted as they were in the draft form save for the following changes:
- Under the Complaints Regulations, the Data Protection Commissioner (the “Commissioner”) may only decline to admit a complaint where it does not raise any issue under the Act. In the draft Regulations, the Commissioner could refuse to admit any complaint that was trivial, scandalous or vexatious; not made in good faith; or warrants declining on any other circumstances.
- In the draft Regulations, decisions of the Commissioner on complaints were final. The Complaints Regulations now allow the Commissioner to review her decisions. This has been achieved by allowing parties to apply for re-admission of previously declined complaints, to re-institute discontinued complaints, or to re-file a withdrawn complaint. This allows for a second look at a complaint prior to, or in substitution for, a formal appeal where the Complainant is so aggrieved.
- The Complaints Regulations now allow the Commissioner, on her own motion or on the request of a party, to join a party to a complaint. This affords parties with an interest in a matter the opportunity to have their position heard before decisions that will impact them are made.
The Data Protection (General) Regulations 2021 (the “General Regulations”)
The general structure of the General Regulations was retained from the draft form. Most changes made were to firm up the rights of Data Subjects and the duties of Data Controllers. Below are some additional comments on the General Regulations.
In addition to the responsibilities of Data Controllers, the General Regulations now require a Data Controller or Data Processor who collects personal data indirectly to inform the Data Subject of the collection within fourteen days.
Data Controllers and Data Processors are also required to implement elements of the principle of fairness. These include granting Data Subjects the highest degree of autonomy with respect to control over their personal data; enabling a Data Subject to communicate and exercise their rights; and incorporating human intervention to minimize biases caused by automated decision-making processes.
The provisions on the transfer of data outside Kenya have been bolstered to provide for transfers to international organisations involved in law enforcement. Transfer to such organizations requires there to be in place safeguard mechanisms containing appropriate safeguards for the protection of personal data. These mechanisms should bind the intended recipient of the personal data and should essentially be equivalent to the protections under the Act. Alternatively, the Data Controller must assess all the circumstances surrounding transfers of that type of personal data outside the country, and determine that appropriate safeguards exist.
This briefing is a highlight of legislative and policy changes and is intended to be of general use only. It is not intended to create an advocate-client relationship between the sender and the receiver. It does not constitute legal advice or a legal opinion. You should not act or rely on any information contained in this legal update without first seeking the advice of an advocate.