Institutions and companies which have been fine for privacy breaches

The Office of the Data Protection Commissioner (ODPC) has issued three Penalty Notices to Data Controllers who failed to uphold data privacy standards and comply with the Data Protection Act. The move is aimed at safeguarding data privacy rights for Kenyan citizens.

This decision underscores Kenya’s commitment to protecting personal data and ensuring accountability among organizations. Digital credit provider faces hefty penalty. The first entity to face the brunt of the ODPC’s enforcement measures is Mulla Pride Ltd, a Digital Credit Provider (DCP) responsible for KeCredit and Faircash mobile lending apps.

The company has been slapped with a substantial penalty of Ksh2,975,000 for its transgressions. The ODPC found Mulla Pride guilty of misusing complainants’ personal information, obtained from third parties, to send threatening messages and make unsolicited phone calls. Data Commissioner Immaculate Kassait emphasized the significance of this penalty.

“This Penalty will ensure that digital lenders and financial institutions notify data subjects when collecting and processing their data, and the intention of processing the said data. It will further ensure that data controllers are limited to strictly dealing with data subjects who have consented to the collection and processing of their data,” she said.

Restaurant faces consequences for unauthorized image sharing Casa Vera Lounge, a popular restaurant situated along Ngong Road in Nairobi, is the second entity to face penalties, with a fine of Ksh1,850,000. Their offense? Posting a reveler’s image on their social media platform without the data subject’s consent. This move by the ODPC serves as a stark reminder to lounges, clubs, and other establishments to seek consent from their customers before sharing their images online. Educational institution hit with record fine.

In an unprecedented move, the ODPC has fined Roma School, an educational institution in Uthiru, Ksh4,550,000 for posting pictures of minors without parental consent. This marks the first and the highest penalty imposed on an educational facility, signaling a stern message to schools and organizations handling minors’ personal data. It underscores the importance of obtaining consent from parents or guardians before processing minors’ data. Legal basis for penalties

These penalty notices have been issued pursuant to Section 62 and 63 of the Data Protection Act, 2019 (Act) and Regulation 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.

Data Commissioner Immaculate Kassait delivered a strong message during her statement, saying, “While urging entities to comply with the Data Protection Act by implementing data
protection principles and safeguards, Data Controllers, and Data Processors must ensure that
the processing of personal data is in accordance with the provisions of the Act. Failure to
comply with the Act will result in instituting enforcement procedures.”

Ongoing compliance and audit inspections

In addition to these penalties, the ODPC has conducted a compliance audit on WhitePath, a digital credit provider, and an inspection on Naivas Supermarkets concerning recent data breaches. The findings will be communicated to the respective data controllers for prompt action. The Office also announced plans to conduct forty (40) compliance audits on various Data Controllers and Processors in different sectors during this Financial Year.

The ODPC’s rigorous enforcement actions demonstrate the government’s commitment to safeguarding the data privacy rights of Kenyan citizens and holding organizations accountable for any breaches. This sends a strong message to businesses and institutions across the nation to prioritize data protection and compliance with the law. Data Commissioner Immaculate Kassait has made it clear that Kenya is serious about data protection, and organizations that fail to uphold data privacy standards will face significant penalties. These actions are a testament to Kenya’s commitment to protecting personal data and ensuring transparency and accountability in data handling practices.