In a statement released by the Office of the Data Protection Commissioner on the 26th of 2023, the office issued three Penalty Notices to three Data Controllers for failing to observe Data Privacy Rights to Data Subjects and also not complying with the Data Protection Act. Data Commissioner Immaculate Kassait called upon Data controllers and Data Processors to ensure that the processing of personal data is in accordance with the provision of the Act. Failure to comply with the Act will result in instituting enforcement procedures.
Casa Vera Lounge which is located along Ngong Road in Nairobi is amongst the establishments that have found themselves on the wrong side of the law when it comes to the Data Protection Act, 2019. The establishment was fined Kenya shillings one million, eight hundred and fifty (1,850,000) for posting a reveler’s image on their social media platform with the Data Subject’s consent.
Other establishments include Mulla Pride Limited, a Digital credit Provider (DCP), which operates KeCredit and Faircash mobile lending Apps which was fined Kenya Shillings two million, nine hundred and seventy five thousand (2,975,000) for using names and contact information of the complainants which were obtained from third parties and subsequently used to send threatening messages and phone calls. Roma School, an Educational Institution based in Uthiru has been fine Kenya Shillings four million, five hundred and fifty thousand (4,550,000) for posting minors’ pictures without parental consent.
The statement titled “OFFICE OF THE DATA PROTECTION COMMISIONER ISSUES THREE(3) PENALTY NOTICES TOTALLING TO KENYA SHILLINGS 9,375,000”, reads ” NAIROBI, Kenya, 26 September 2023 – The Office of the Data Protection Commissioner (ODPC) has issued three Penalty Notices to three Data Controllers for failing to observe Data Privacy Rights to Data subjects and also not complying with the Data Protection Act.
Mulla Pride Ltd, a Digital credit Provider (DCP), which operates KeCredit and Faircash mobile lending Apps was the First Data Controller that received a Penalty of KES 2,975,000. The DCP was found culpable of using names and contact information of the Complainants which was obtained from third parties, and subsequently used to send to send threatening messages and phone calls. This Penalty will ensure that Digital lenders and financial institutions notify data subjects when collecting and processing their data, and the intension of processing the said data. It will further ensure that the data controllers are limited to strictly dealing with data subjects who have consented to the collection and processing of their data.
The Second Data Controller that has been fined today is Casa Vera Lounge, a restaurant based along Ngong Road in Nairobi. the establishment was fined KES 1,850,000 for posting reveler’s image on their social media platform without the Data Subject’s consent. This Penalty seeks to ensure that other lounges, clubs etc. seek consent from their customers prior to posting images online.
Lastly, Roma School, and Educational Institution based in Uthiru has been fined KES 4,550,000 for posting minors’ pictures without parental consent. This being the first and the highest penalty to an educational facility sends a message to schools and other facilities handling minors’ personal data to obtain consent from parents/guardians prior to processing minors’ data.
The penalty notices have been issued pursuant to Section 62 and 63 of the Data protection Act, 2019 (Act) and Regulation 20 and 21 of the Data Protection (Complaints Handling and Enforcement) regulations, 2021.
While urging entities to comply with the Data Protection Act by implementing data protection principles and safeguards, Data Commissioner Immaculate Kassait called upon Data controllers and Data Processors to ensure that the processing of personal data is in accordance with the provision of the Act. Failure to comply with the Act will result in instituting enforcement procedures.
The office has also conducted audit on WhitePath, (a digital credit provider) and an inspection on Naivas Supermarkets on recent Data Breach. The findings will be shared with the Data Controllers for swift action. The Office will embark on conducting forty (40) Compliance Audits to various Data Controllers and Processors in various sectors this Financial Year.
For media enquiries:
Email: communications@odpc.go.ke”