Keeping Up with the Controllers and Processors: Unpacking the Registration Process

By Mercy King’ori and Ridwan Oloyede

Registration of data controllers and processors is one of the unique aspects of data protection laws in Africa. Of the 36 countries with data protection laws, 11 have registration requirements for data controllers and processors.[1] In some of these countries, the processing of personal data is prohibited until registration is completed and recorded in a central registry maintained by the data protection authority (DPA). This makes registration a foundational step in the compliance journey for controllers and processors. Registration has been justified as a means of generating revenue, mapping a country’s data controllers and processors to aid in compliance and enforcement efforts, assisting controllers and processors in acquiring legitimacy to process data, and fostering consumer trust.

The process of registration varies significantly among countries. The differences are visible in the validity period of a registration certificate, exemptions from registration, and thresholds for mandatory registration, among other aspects. In many countries, the process begins with submitting an application for registration, in which the applicant is required by law to provide specific information. This marks the initial point of comparison among countries. Common registration information requirements include a description of the categories of personal data to be processed,[2] a description of the purpose for processing personal data, and details about international data transfer, among other information. While the registration requirements of some countries are explicit, some laws, such as those of Zimbabwe[3] and Botswana,[4] require notification to the DPA before the commencement of automated processing activities. These laws mandate the DPAs to maintain registers whose content resembles the registration requirements found in the laws of countries with express provisions. In Zimbabwe, however, registration is being proposed as part of the draft Regulations.[5] Concerning thresholds for registration, some laws categorise which controllers and processors should register with the authority. For example, Nigeria’s recently passed Data Protection Act includes a registration requirement for data controllers of significant importance.

To simplify the process of registration, some DPAs have created online portals[6] that registrants can access to initiate the process. Leveraging digital forms as opposed to manually filling in forms has greatly simplified the process of registration by saving time and resources for the authorities. After an application has been made, the required fees are paid. Some countries have a tiered fee system that classifies a controller or processor by size, using criteria such as the number of employees or the turnover of the entity.[7] The authority then verifies the provided information to ensure that it complies with the requirements of the applicable laws. The period within which an authority should respond to an application also varies. In Kenya, a prospective registrant should expect to receive a response within 14 days,[8] while in Seychelles it can be within 6 months.[9]

Upon verification of an application, a DPA may accept or reject it, give reasons for such rejection, and provide an opportunity for the applicant to amend the application. In the former case, the majority of authorities issue a certificate of registration that is renewable after a certain period of time, which also varies among countries.[10] For example, in Kenya, the certificate is valid for a period of 24 months from the date of issuance,[11] while in Mauritius, the certificate is valid for 3 years from the date of issuance,[12] and in Seychelles, it is valid for 5 years.[13] In countries like Seychelles, an applicant is permitted to have a certificate of registration that is valid for a shorter period than the stipulated 5 years but not less than 1 year.[14] In an effort to guarantee the openness of the registration procedure, most laws require that the register of controllers and processors be publicly accessible.[15] For instance, the authorities in Kenya, Uganda, Mauritius, and Ghana maintain a public portal listing successful registrants according to the entity’s name, regardless of whether it is a controller or processor. In addition, authorities in Ghana, Rwanda, and Uganda have been running campaigns and reminding data controllers and processors to register with them.

As mentioned above, differences also exist with regard to exemption from registration. Some laws, such as those of Ghana[16] and Kenya, make registration mandatory for all data controllers and processors, while others exempt certain controllers and processors from registration. In Zambia, exemption from registration is subject to a declaration from the authority,[17] while in Uganda, the DPA may, by a notice in the gazette, exempt certain data controllers and processors.[18]

Lastly, it is crucial to keep in mind that, although registration represents only a single step on the path to compliance, it is an important step in assisting controllers and processors to comprehend and consolidate their data processing activities, thereby facilitating further compliance, especially with regard to the principle of accountability.

[1] Kenya, Rwanda, Ghana, Egypt, Zambia, Nigeria, Mauritius, Seychelles, Sao Tome and Principe, Tanzania and Uganda. 

[2] Kenya – Section 19(2); Uganda – Section 16(2)(e); Mauritius – Section 15(2)(c); Rwanda – Article 30(3)

[3] Section 20 and 21 of the Data Protection Act, 2021

[4] Section 34(1) & (2), 2018

[5] Section 3 of Draft Cyber and Data Protection (Licensing of Data Controllers and Appointment of DPOs) Regulations, 2022

[6] Kenya, Uganda, Mauritius, Ghana

[7] Second Schedule of Kenya’s Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021

[8] Section 8 of the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021

[9] Section 11(1) of Seychelles Data Protection Act, 2003

[10] Under Kenya’s Data Protection (Registration of Data Controllers and Processors) Regulation there is a threshold for controllers and processors who should register.

[11] Regulation 9, Data Protection (Registration of Data Controllers and Processors) Regulations, 2021

[12] Section 16(3), Data Protection Act, 2017

[13] Section 12(2) Data Protection Act

[14] Section 12(3), Data Protection Act

[15] Kenya – Section 21(1) (4), Data Protection Act, 2019; Rwanda – Article 36, Data Protection Act, 2021; Mauritius – Section 20(3)(a)

[16] Section 27, Data Protection Act, 2012

[17] Section 27, Data Protection Act, 2019

[18] Regulation 15(2), The Data Protection and Privacy Regulations, 2021
