4. (1) Subject to regulation 13 (1), every data controller and data
processor shall be required to register in accordance with the provisions
of the Act and these Regulations.
(2) For purposes of registration, a person shall register as a—
(a) data controller, where the person determines the purpose
and means for processing personal data; or
(b) data processor, where the person processes personal data on
behalf of the data controller but excludes employees of the
data controller and has—
(i) a contractual relationship with the data controller; and
(ii) no decision making power on the purpose and means
of processing personal data.
(3) Despite sub-regulation (2) (a), a data controller may apply for
registration as both a data controller and a data processor with regards
to any processing operations and shall be required to pay the requisite
fees applicable for both a data controller and a data processor thereto.
(4) Despite sub-regulation (2) (b), where a data processor
processes personal data other than as instructed by the data controller,
the data processor shall be considered to be a data controller in respect
of that processing activity, for purposes of assessing liability.