In a significant development, the Office of the Data Protection Commissioner (ODPC) in Kenya has issued three penalty notices totalling KES 9,375,000, setting a crucial precedent in the enforcement of data privacy rights and compliance with the Data Protection Act.
Mulla Pride Ltd Faces KES 2,975,000 Penalty
Mulla Pride Ltd, a Digital Credit Provider (DCP) operating the KeCredit and Faircash mobile lending apps, is the first data controller to face the brunt of these penalties. They were slapped with a hefty fine of KES 2,975,000. The penalty comes as a result of Mulla Pride’s misuse of personal information obtained from third parties. This information was used to send threatening messages and make harassing phone calls to individuals. The penalty not only serves as a deterrent but also emphasizes the importance of notifying data subjects when collecting and processing their data. Additionally, it mandates data controllers to interact only with individuals who have explicitly consented to their data being collected and processed.
Casa Vera Lounge Fined KES 1,850,000
Casa Vera Lounge, a popular restaurant located along Ngong Road in Nairobi, is the second entity to be penalized. They have been fined KES 1,850,000 for posting a customer’s image on their social media platform without the data subject’s consent. This penalty is intended to set a precedent for other lounges, clubs, and similar establishments, highlighting the necessity of seeking customer consent before sharing their images online.
Roma School Faces KES 4,550,000 Penalty
In a groundbreaking move, Roma School, an educational institution in Uthiru, has been fined KES 4,550,000 for posting pictures of minors without obtaining parental consent. This penalty serves as a stern reminder to all schools and facilities handling minors’ personal data that obtaining consent from parents or guardians before processing such data is non-negotiable.
These penalty notices have been issued under the authority of Sections 62 and 63 of the Data Protection Act, 2019, and Regulations 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.
Data Protection Commissioner’s Call for Compliance
Data Commissioner Immaculate Kassait has called upon all data controllers and data processors to strictly adhere to the Data Protection Act by implementing data protection principles and safeguards. She emphasized that failure to comply with the Act will result in the initiation of enforcement procedures. This highlights the commitment of the ODPC to ensure that personal data is processed in accordance with the provisions of the Act.
The ODPC has also conducted a compliance audit on WhitePath, a digital credit provider, and conducted an inspection on Naivas Supermarkets following recent data breaches. The findings of these investigations will be shared with the respective data controllers for prompt action.
Furthermore, the ODPC has announced plans to conduct forty compliance audits on various data controllers and processors across different sectors during this financial year. These audits will further strengthen data protection practices and ensure that entities are compliant with the Data Protection Act.
These actions by the Office of the Data Protection Commissioner underscore the growing importance of data privacy and the need for strict compliance with data protection laws in Kenya. They send a clear message that violations will not be tolerated, and penalties will be enforced to protect the privacy and rights of data subjects.