Institutions and companies which have been fine for privacy breaches

The Office of the Data Protection Commissioner (ODPC) has issued three Penalty Notices to Data Controllers who failed to uphold data privacy standards and comply with the Data Protection Act. The move is aimed at safeguarding data privacy rights for Kenyan citizens.

This decision underscores Kenya’s commitment to protecting personal data and ensuring accountability among organizations. Digital credit provider faces hefty penalty. The first entity to face the brunt of the ODPC’s enforcement measures is Mulla Pride Ltd, a Digital Credit Provider (DCP) responsible for KeCredit and Faircash mobile lending apps.

The company has been slapped with a substantial penalty of Ksh2,975,000 for its transgressions. The ODPC found Mulla Pride guilty of misusing complainants’ personal information, obtained from third parties, to send threatening messages and make unsolicited phone calls. Data Commissioner Immaculate Kassait emphasized the significance of this penalty.

“This Penalty will ensure that digital lenders and financial institutions notify data subjects when collecting and processing their data, and the intention of processing the said data. It will further ensure that data controllers are limited to strictly dealing with data subjects who have consented to the collection and processing of their data,” she said.

Restaurant faces consequences for unauthorized image sharing Casa Vera Lounge, a popular restaurant situated along Ngong Road in Nairobi, is the second entity to face penalties, with a fine of Ksh1,850,000. Their offense? Posting a reveler’s image on their social media platform without the data subject’s consent. This move by the ODPC serves as a stark reminder to lounges, clubs, and other establishments to seek consent from their customers before sharing their images online. Educational institution hit with record fine.

In an unprecedented move, the ODPC has fined Roma School, an educational institution in Uthiru, Ksh4,550,000 for posting pictures of minors without parental consent. This marks the first and the highest penalty imposed on an educational facility, signaling a stern message to schools and organizations handling minors’ personal data. It underscores the importance of obtaining consent from parents or guardians before processing minors’ data. Legal basis for penalties

These penalty notices have been issued pursuant to Section 62 and 63 of the Data Protection Act, 2019 (Act) and Regulation 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.

Data Commissioner Immaculate Kassait delivered a strong message during her statement, saying, “While urging entities to comply with the Data Protection Act by implementing data
protection principles and safeguards, Data Controllers, and Data Processors must ensure that
the processing of personal data is in accordance with the provisions of the Act. Failure to
comply with the Act will result in instituting enforcement procedures.”

Ongoing compliance and audit inspections

In addition to these penalties, the ODPC has conducted a compliance audit on WhitePath, a digital credit provider, and an inspection on Naivas Supermarkets concerning recent data breaches. The findings will be communicated to the respective data controllers for prompt action. The Office also announced plans to conduct forty (40) compliance audits on various Data Controllers and Processors in different sectors during this Financial Year.

The ODPC’s rigorous enforcement actions demonstrate the government’s commitment to safeguarding the data privacy rights of Kenyan citizens and holding organizations accountable for any breaches. This sends a strong message to businesses and institutions across the nation to prioritize data protection and compliance with the law. Data Commissioner Immaculate Kassait has made it clear that Kenya is serious about data protection, and organizations that fail to uphold data privacy standards will face significant penalties. These actions are a testament to Kenya’s commitment to protecting personal data and ensuring transparency and accountability in data handling practices.

Name	Domain	Purpose	Expiry	Type
wpl_user_preference	jedcamedia.com	WP GDPR Cookie Consent Preferences.	1 year	HTTP
YSC	youtube.com	YouTube session cookie.	55 years	HTTP

Name	Domain	Purpose	Expiry	Type
__gads	jedcamedia.com	Google advertising cookie set on the websites domain (unlike the other Google advertising cookies that are set on doubleclick.net domain). According to Google the cookie serves purposes such as measuring interactions with the ads on that domain and preventing the same ads from being shown to you too many times.	1 year	HTTP
VISITOR_INFO1_LIVE	youtube.com	YouTube cookie.	6 months	HTTP

Name	Domain	Purpose	Expiry	Type
_ga	jedcamedia.com	Google Universal Analytics long-time unique user tracking identifier.	2 years	HTTP
IDE	doubleclick.net	Google advertising cookie used for user tracking and ad targeting purposes.	2 years	HTTP

Name	Domain	Purpose	Expiry	Type
NID	google.com	Google unique id for preferences.	6 months	HTTP
JEDCA MEDIA	jedcamedia.com	We use cookies to enhance your browsing experience, analyze site traffic, personalize content, and serve relevant ads. By continuing to use our site, you agree to our use of cookies. You can manage your preferences in our Privacy Policy.	365 DAYS	HTTP

Name	Domain	Purpose	Expiry	Type
nitroCachedPage	jedcamedia.com	---	55 years	---
_ga_MFHCHTY935	jedcamedia.com	---	2 years	---
test_cookie	doubleclick.net	Google advertising domain.	Session	HTTP
tnp-popup-count	jedcamedia.com	---	1 month	---
__gpi	jedcamedia.com	---	1 year	---
__eoi	jedcamedia.com	---	6 months	---
__Secure-ROLLOUT_TOKEN	youtube.com	---	6 months	---
VISITOR_PRIVACY_METADATA	youtube.com	---	6 months	---

Related News

Latest stories