The Office of the Data Protection Commissioner (ODPC) has taken action against three Data Controllers, issuing a total of Ksh. 9,375,000 in Penalty Notices for significant violations of data privacy rights and non-compliance with the Data Protection Act, 2019.

The penalties were levied against entities operating across finance, hospitality, and education, underscoring the broad scope of the Data Protection Act:

1. Mulla Pride Ltd (KeCredit and Faircash Apps): Ksh. 2,975,000 Fine

Violation: The digital credit provider was found culpable of using names and contact information sourced from third parties to send threatening messages and make harassing phone calls.

Failure to Notify: The mobile lending apps failed to notify Data Subjects when collecting and processing their data.

Sensitive Data Access: The apps were found to have full, unconsented access to users’ phonebook contacts, violating rules regarding sensitive personal data processing.

2. Casa Vera Lounge: Ksh. 1,850,000 Fine

Violation: The Nairobi restaurant was penalized for posting customers’ images on its social media platforms without their consent.

Goal of the Penalty: This action aims to establish a clear precedent, so that other lounges, clubs, and similar businesses secure explicit consent from their customers before publishing any images online.

3. Roma School: Ksh. 4,550,000 Fine

Violation: The Uthiru-based educational institution was fined for posting minors’ personal data on its social media platform without proper authorization.

Related Finding: The ODPC also noted that the Highlands area of the educational facility sent messages to schools and other facilities handling minors’ personal data, failing to obtain parental/guardian consent prior to processing.

Data Commissioner Immaculate Kassait emphasized the necessity for all Data Controllers and Processors to implement data protection principles and safeguards. She warned that failure to comply with the Act would inevitably lead to the institution of enforcement procedures.

The ODPC is actively widening its scope of enforcement:

  • Audits Conducted: The office has already conducted a compliance audit on Whitepath (a digital credit provider) and an inspection on Naivas Supermarkets following a recent Data Breach.
  • Compliance Drive: The ODPC plans to conduct forty-six (46) Compliance Audits across various Data Controllers and Processors in different sectors throughout this Financial Year.