Cyber and Data Protection (Licensing of Data Controllers and Appointment of DPOs) Regulations, 2022 (No...)
IT is hereby notified that the Minister of Information and Communications Technologies has, in terms of section 32 of the Cyber and Data Protection Act [Chapter 12:07], made the following regulations after consultations with the Authority: -
1These regulations may be cited as the Cyber and Data Protection Regulations, 2022 (No. .…) 2.These regulations shall be deemed to come into operation on the date of publication.
# PART I
# 3. Licensing and Registration of Data Controllers
(1) A person, entity or public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data shall apply for a data protection licence. (2) Data controllers must carry out a self- assessment in terms of the licensing eligibility tool available at the Authority's website and Form DP1 contained in Part I of the First Schedule. (3) Data Controllers eligible for licensing shall apply for data protection licence and renew registration annually using Form DP2 contained in Part II of the First Schedule. (4) An applicant for data protection licence or a licensee shall pay an applicable application or renewal fee specified in the Second Schedule. (5) The application for data protection licence shall be made within the months of these regulations coming into effect ,in the case of existing entities employing more than 30 persons or with a gross turnover of (6) The Authority shall maintain a register of licensed data controllers.
# 4.Licence Categories
(1) The Authority shall issue any of the following data protection licences to a data controller eligible for licensing in terms of section 3(1)-
(a) Tier 1 Data Protection Licence
A Tier 1 Data Protection licence shall be issued to organisations with a maximum of 50 employees or a minimum annual gross turnover of or exceeding. US$500 000 ,as the case may be
(b) Tier 2 Data Protection Licence
A Tier 2 Data Protection Licence shall be issued to small to medium enterprises or joint controllers with a minimum of 50 and a maximum of 75 employees or a minimum annual gross turnover of US$1,000,000.00
(c) A Tier 3 Data Protection Licence shall be issued to a large enterprise or joint controllers with a minimum of 76 employees, or a total annual gross turnover of more than US$1,000,000.00 (d) Special Data Protection Licence issued under section 5.
- Special data protection licence
(1) Public authorities, statutory bodies and religious organisations shall apply for a special data protection licence in terms of this section upon payment of an application or renewal fee specified in the First Schedule.
- Exemption from licensing
(1Data controllers processing personal data for one or more of the following purposes:
I. Not-for-profit purposes. II.Personal, family or household affairs. III. Judicial functions.
shall be exempt from applying for a data protection licence.