WHO IS A DATA CONTROLLER IN KENYA?

Section 2 of the Kenya Data Protection Act (KDPA) defines a data controller as a natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purpose and means of processing of personal data.

The legal definition consists of three main components:

(1) A natural or legal person, public authority, agency, or other body.

(2) That alone or jointly with others.

(3) Determines the purposes and means of data processing.

Section 51(2)(a) of the DPA provides that processing of personal data is exempt from the provisions of the Act if it relates to the processing of personal data by an individual in the course of a purely personal or household activity. The word "purely" implies a narrow interpretation. It should be noted that if the processing concerns both private and business information, the exemption will not apply.

To determine whether you are a controller or a processor, you will need to consider your role and responsibilities in relation to your data processing activities. If you exercise overall control of the purpose and means of the processing of personal data, i.e. you decide what data to process and why, you are a controller. Controllership depends not upon the execution of data processing but upon decision-making power. The relevant questions are: why does the processing take place, and who initiated it?

A more relatable example: if Company A is an online business and you sign up to purchase a product or service from it, it collects some of your personal data, and thus Company A is a controller of your data. If you contract Company Z to be your email service provider, then Company Z is a data processor.

Controllers shoulder the highest level of compliance responsibility and need to demonstrate compliance with all the data protection principles. You are also responsible for the compliance of your processor(s). If you don't have any purpose of your own for processing the data and you only act on a client's instructions, you are likely to be a processor even if you make some technical decisions about how you process the data. Your employees are not data processors; they act as agents of the data controller or data processor.

OBLIGATIONS OF A DATA CONTROLLER

A. Register as a data controller with the ODPC (Section 18)

B. Implement appropriate technical and organizational measures to protect the security of data

· Encryption and pseudonymization of data, where appropriate

· Ability to ensure the confidentiality, integrity, and resilience of data

· A process for regularly testing, assessing, and evaluating security

· Restoration of access following physical or technical incidents, and regular testing of those measures

· Adopting relevant data protection and information security policies

C. Breach notification

· Inform the supervisory authority within 72 hours of the breach where a high risk to data subjects is likely

· Notify the data subjects, where appropriate

D. Principles of data processing

· Ensure data is processed lawfully and in a manner transparent to the data subject

· Ensure data is collected and processed for specific purposes, and not in a manner incompatible with the original purposes

· Ensure collected data is accurate and up to date

E. Communication

· Ensure information and communications are concise, transparent, intelligible, and in an easily accessible form (especially when specifically addressing a child)

· Provide information requested by data subjects without undue delay

· Provide certain information when personal data is (and when it is not) collected from data subjects. The information that must be provided includes: the controller's identity and contact details; the Data Protection Officer's contact details; the purposes and legal basis for processing; the recipients of the personal data; and the period for which the data will be stored

F. Data protection officer

· Designate a DPO where obligatory under the DPA

· Publish the DPO's contact details and communicate them to the supervisory body

· The organization should ensure the DPO is involved in all issues relating to the protection of personal data, should provide the necessary resources for the performance of DPO tasks, and should ensure DPO tasks and duties do not cause a conflict of interest

G. Data protection impact assessment

· Carry out a Data Protection Impact Assessment (DPIA) prior to carrying out potentially high-risk processing, and seek the advice of the DPO while doing so

H. Privacy notice

· Must be available to the data subject

· Describe what data will be collected and for what purposes

· Detail any recipients who will receive the data, including whether it will be transferred outside Kenya

· State whether any legitimate interests exist in collecting and/or processing the data

· Describe data retention and/or storage periods, or the criteria used to determine retention periods

· Describe data subject rights, and how a data subject can exercise those rights

· Give details of any uses of automated decision-making

I. Contractual requirements with processors

Enter into a written contract with processors to specify the processing activities and their duration. In addition, ensure compliance with specific DPA obligations (e.g. agreeing that the processor may only act on documented instructions from the controller when processing personal data).

· Only employ processors who comply with the DPA

· Only employ processors who can appropriately protect data subjects' data

· Describe the subject matter, duration, and nature of the processing activity

· Describe the nature and purpose of the processing

· Describe the types of personal data being processed

· Describe the categories of data subjects whose data is being processed

J. Cross-border data transfer

Comply with the conditions laid down in the DPA to ensure personal data is adequately protected when transferred to a third country.

K. Data protection by design and default

Follow the principles of data protection by design and default, meaning that in both the planning and the implementation of processing activities, data protection principles and appropriate safeguards are addressed and implemented.
