Kenya Data Protection Registration Reference for Data Controllers and Processors
A practical documentation reference for organizations checking whether they need to register with Kenya's Office of the Data Protection Commissioner and what details the ODPC portal expects.
Kenya’s data protection registration system is built around a simple question: does an organization decide why and how personal data is processed, process it for another organization, or do both? The answer determines whether it should register with the Office of the Data Protection Commissioner as a data controller, a data processor, or both.
This reference is for teams that need a working map before they start the ODPC registration process. It is not legal advice, but it translates the public registration rules into the operational details a business, non-profit, public body, school, clinic, platform, or service provider should gather before opening the portal.
Core Terms
A data controller is the person or entity that determines the purpose and means of processing personal data. A data processor processes personal data on behalf of a controller, under a contractual relationship, and does not decide the purpose or means of the processing. Kenya’s Data Protection Registration Regulations also state that a processor that goes beyond the controller’s instructions may be treated as a controller for that processing activity.
In practice, a company can be both. For example, an employer is usually a controller for employee records, while a payroll software provider may be a processor for a client. The same software provider may also be a controller for its own staff, billing, marketing, and supplier records.
Registration Trigger
The Data Protection Act created the registration obligation, and the registration regulations set the procedure. The regulations say every data controller and data processor must register unless an exemption applies.
The main exemption is narrow. Under regulation 13, a controller or processor is exempt from mandatory registration if it has annual turnover or revenue below KSh 5 million and fewer than 10 employees. That exemption does not remove the duty to comply with the processing principles and breach provisions of the Act. It also does not apply where the organization processes personal data for the purposes listed in the Third Schedule.
The ODPC portal reflects that exception by asking smaller entities whether they process data for non-exempted purposes such as political canvassing, operating an educational institution, crime prevention including security CCTV, gambling, health administration and patient care, hospitality, property management, financial services, telecommunications, direct marketing, transport services including online passenger hailing, or genetic data.
Registration Path
The official ODPC registration portal asks applicants to start with an accessible email address. The portal notes that one email address is used for one entity, including when the entity applies as both controller and processor. Organizations with subsidiaries or multiple entities should plan email access carefully before starting.
The applicant then selects the data handler type: Data Controller or Data Processor. If the same entity needs both registrations, the ODPC instructions say to complete one application first, log in to the dashboard, and then use the dashboard link to apply for the other data handler type.
The portal also asks the applicant to choose a relevant category: government institution, private, or not-for-profit entities and religious institutions. Private applicants may be institutional or individual applicants, depending on the structure.
Documents and Details to Prepare
Before opening the form, prepare establishment documents in PDF format. The registration regulations describe establishment documents broadly, including registration certificates, statutes, charters, trust deeds, or other instruments that show how the body is established and governed.
Private applicants should also prepare turnover evidence. The ODPC portal asks for certified audited accounts for the previous accounting period. For newly established entities, it says a signed revenue statement or KRA returns may be submitted instead.
The form also asks for basic organization details such as legal name, postal address, country, county, telephone number, legal establishment, sector, and sub-sector. The ODPC warns that the name entered in the basic details section is exactly how it will appear on the registration certificate, so this field should match official establishment documents.
Personal Data Inventory
Registration is not only an identity check on the organization. The applicant must describe the personal data it processes.
The ODPC portal asks applicants to classify categories of personal data held. It gives examples such as separating employee data from supplier data and describing the type of data in each category, such as contact details or payment information.
A useful preparation table should include:
- Data subject category, such as employees, customers, students, patients, members, suppliers, tenants, app users, or visitors
- Types of personal data, such as names, ID numbers, phone numbers, email addresses, location data, payment records, employment records, or account identifiers
- Purpose of processing, such as payroll, service delivery, KYC, billing, school administration, patient care, customer support, fraud prevention, or statutory reporting
- System or department responsible for the records
- Any third parties or processors with access to the records
This inventory also supports the wider Data Protection Act duties. The Act requires collection, storage, and use of personal data to have a lawful, specific, and explicitly defined purpose.
Sensitive Data and Transfers
The portal has a separate sensitive personal data section. It asks whether the applicant handles sensitive data and, if yes, the purpose. The listed sensitive categories include racial or ethnic origin, property details including financial information, religious or philosophical beliefs, marital details, health status, sex or sexual orientation, biometric data, GPS location data, and genetic data.
The portal also asks whether data resides outside Kenya and, if yes, asks the applicant to list all countries. That question matters because the Data Protection Act contains conditions for transferring personal data outside Kenya, including safeguards and, for sensitive personal data, consent and confirmation of appropriate safeguards.
Teams should verify the location of their cloud services, backups, customer relationship systems, analytics tools, payment providers, support tools, and external processors before answering this section.
Safeguards Required in the Portal
The ODPC registration portal requires applicants to explain technical, organizational, and physical safeguards. It gives examples of technical safeguards such as encryption, firewalls, antivirus or anti-malware tools, access controls, passwords and multi-factor authentication, intrusion detection, network segmentation, data masking, backups, and security patch management.
For organizational safeguards, the portal lists examples such as data protection policies, information security procedures, employee training, confidentiality agreements, data processing agreements, access management, and incident response processes.
For physical safeguards, examples include locked doors, biometric access controls, security guards, CCTV, visitor logs, visitor badges, restricted access areas, and secure storage facilities.
These answers should be specific. A strong entry does not simply say “we use security.” It explains which control protects which system or record, who owns the control, and how it reduces unauthorized access, loss, alteration, disclosure, or destruction.
Certificate, Renewal, and Changes
If the Data Commissioner is satisfied that the applicant meets the registration requirements, the registration regulations say a certificate may be issued and the applicant entered in the register. The certificate is valid for 24 months from the date of issuance.
The regulations require renewal after expiry. They also require a controller or processor to notify the Data Commissioner within 14 days when registration particulars change. A change may include contact details, processing purposes, categories of personal data, address, or data protection officer information.
The ODPC portal states that the certificate is downloadable from the portal and that details will be updated on the online register.
Related Compliance Records
Registration should not be treated as the whole compliance program. The Data Protection General Regulations require controllers and processors to publish and regularly update a policy reflecting personal data handling practices. That policy may cover the nature of personal data collected, rights access, complaints handling, lawful processing purposes, transfers outside Kenya, retention periods, and children’s data.
The same regulations require a personal data retention schedule. A practical retention schedule should list the purpose for retaining each record type, the retention period, periodic review points, and the action to take when the record is no longer needed.
Where a controller engages a processor, the general regulations require a written contract. The contract should cover processing details, controller instructions, confidentiality commitments, security measures, deletion or return of personal data at the end of the engagement, and audit or inspection provisions.
Internal Checklist Before Submission
Before submitting, confirm that the organization has identified whether it is registering as controller, processor, or both. Confirm that the legal name matches establishment documents, the email address is controlled by the entity, turnover and employee details are accurate, and the fee category follows the portal prompts.
Check the personal data inventory against real systems rather than policy assumptions. Review whether sensitive data is being processed, whether data is stored or accessed outside Kenya, and whether processors or third-party service providers have been captured.
Finally, review safeguards with the people who operate the systems: IT, security, HR, finance, operations, legal, compliance, and the service teams that actually collect data. The registration regulations allow refusal where particulars are insufficient or where appropriate safeguards for the privacy of data subjects have not been provided. That makes preparation more than an administrative step. It is the evidence base for showing how the organization handles personal data in practice.