On January 10, 2025, the Personal Data Protection Commission (PDPC) issued a final call to all public and private institutions to voluntarily register in compliance with the Personal Data Protection Act No. 11 of 2022 (the “Act”).
The PDPC has set a deadline of April 30, 2025 for all institutions to complete their registration. Failure to comply may result in legal sanctions, including penalties and enforcement actions.
What is Personal Data?
Under the Act, “personal data” means any information relating to an identified or identifiable natural person. This includes, but is not limited to:
- Names, race, national or ethnic origin, religion, age, marital status,
- Data relating to education and to medical, criminal and employment history,
- Contact information (email, phone number),
- Identification numbers (e.g., national ID, passport),
- Biometric data,
- Location data,
- Online identifiers.
What is Sensitive Personal Data?
The Act further defines “sensitive personal data” as a special category of personal data that requires enhanced protection. This includes:
- Data relating to children,
- Financial transactions,
- Information about a person’s race or ethnicity,
- Religious or philosophical beliefs,
- Political opinions,
- Health or genetic data,
- Sexual orientation,
- Trade union membership,
- Biometric data processed for identification purposes,
- Personal data that would put the rights and interests of the data subject at risk.
Handling such data requires stricter safeguards and lawful bases for processing.
Who is a Data Controller?
A Data Controller is any individual or organization who, alone or jointly with others, determines the purposes and means of processing personal data. In practical terms, this is typically the entity that decides why and how personal data is collected and used.
Examples:
- An employer collecting employee data for HR purposes.
- A healthcare provider maintaining patient records.
Who is a Data Processor?
A Data Processor is any individual or organization that processes personal data on behalf of the data controller. They do not decide on the purpose of the processing but act on instructions from the controller.
Examples:
- A cloud service provider hosting customer data on behalf of a company.
- A payroll company processing salaries on behalf of another firm.
Why is Registration Important?
Registration with the PDPC is not merely procedural—it is a legal obligation under the Act and essential for the following reasons:
- Demonstrates Compliance
  Registration signals your organization’s commitment to protecting personal data and operating in line with national data protection standards.
- Legal Protection
  Being registered protects your organization from penalties, investigations, and potential reputational damage due to non-compliance.
- Regulatory Oversight
  It enables the PDPC to maintain oversight and offer support or guidance to registered institutions, especially in cases of data breaches or public complaints.
- Commercial Trust
  Clients, partners, and stakeholders increasingly prioritize data protection. Registration enhances your reputation and competitiveness in the market.
Next Steps
All unregistered institutions—public and private—must complete the mandatory registration with the PDPC by April 30, 2025.
We encourage organizations to act promptly and seek legal support to ensure full compliance with the registration process and other obligations under the Act.
For guidance or assistance with registration, policy development, or data protection training, please contact our office.