The Office of the Data Protection Commissioner (ODPC) has issued three penalty notices to three Data Controllers for failing to observe the data privacy rights of data subjects and for not complying with the Data Protection Act.
According to a press statement from the ODPC, Mulla Pride Ltd, a Digital Credit Provider (DCP) that operates the KeCredit and Falcrash mobile lending apps, was the first Data Controller to receive a penalty, of Ksh 2,975,000, after it was found culpable of using the complainants' names and contact information, which were obtained from third parties and subsequently used to send threatening messages and make threatening phone calls.
The ODPC maintained that the penalty will ensure that digital lenders and financial institutions notify data subjects when collecting and processing their data, and of the intention of processing the said data.
“It will further ensure that the data controllers are limited to strictly dealing with data subjects who have consented to the collection and processing of their data,” read the statement.
The ODPC further revealed that the second Data Controller, Casa Vera Lounge, a restaurant based along Ngong Road in Nairobi, was fined Ksh 1,850,000 for posting a reveler’s image on its social media platform without the data subject’s consent.
This penalty, according to the ODPC, seeks to ensure that other lounges, clubs etc. seek consent from their customers prior to posting their images online.
“Roma School, an educational institution based in Uthiru, has been fined Ksh 4,550,000 for posting minors’ pictures without parental consent,” the ODPC disclosed.
This penalty, being the first and the highest issued to an educational facility, the ODPC continued, sends a message to schools and other facilities handling minors’ personal data to obtain consent from parents or guardians prior to processing minors’ data.
The ODPC stated that these penalty notices have been issued pursuant to sections 62 and 63 of the Data Protection Act, 2019 (Act) and Regulations 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.
While urging entities to comply with the Act by implementing data protection principles and safeguards, Data Commissioner Immaculate Kassait called upon Data Controllers and Data Processors to ensure that the processing of personal data is in accordance with the provisions of the Act, failing which enforcement procedures will be instituted.
The Office has also conducted a compliance audit of WhitePath, also a DCP, and an inspection of Naivas Supermarkets over a recent data breach; the findings will be shared with the Data Controllers for their swift action.
Further, the Office will embark on forty (40) compliance audits of various Data Controllers and Processors in various sectors this Financial Year.