In a landmark move, the Office of the Data Protection Commissioner (ODPC) in Kenya has issued three penalty notices to businesses for violating data privacy rights. The penalties, totaling KES 9,375,000, underline the importance of data privacy and consent in today’s digital age.
Digital Lender Mulla Pride Ltd Fined KES 2,975,000
Mulla Pride Ltd, a digital credit provider operating KeCredit and Faircash mobile lending apps, was fined KES 2,975,000. The company was found guilty of using names and contact information obtained from third parties to send threatening messages and phone calls. This penalty aims to ensure that digital lenders and financial institutions notify data subjects when collecting and processing their data.
Casa Vera Lounge Penalized KES 1,850,000 for Posting Image Without Consent
Casa Vera Lounge, a restaurant along Ngong Road in Nairobi, was fined KES 1,850,000 for posting a customer’s image on their social media platform without consent. This penalty serves as a reminder for lounges and clubs to seek consent from customers before posting their images online. It also highlights the potential value of images in the digital age.
Roma School Receives Record Penalty of KES 4,550,000
Roma School, an educational institution based in Uthiru, was fined KES 4,550,000 for posting minors’ pictures without parental consent. This is the first and highest penalty issued to an educational facility and sends a strong message to schools handling minors’ personal data to obtain parental consent before processing such data.
The penalties were issued under Section 62 and 63 of the Data Protection Act, 2019 (Act) and Regulation 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.
Data Commissioner Immaculate Kassait urged entities to comply with the Data Protection Act by implementing data protection principles and safeguards. She warned that failure to comply with the Act would result in enforcement procedures.
The office has also conducted a compliance audit on WhitePath (a digital credit provider) and an inspection on Naivas Supermarkets regarding a recent data breach. The findings will be shared with the data controllers for swift action. The office plans to conduct forty compliance audits on various data controllers and processors in different sectors this financial year.
In conclusion, these penalties serve as a stark reminder of the importance of data privacy and consent. Businesses must ensure they are compliant with data protection laws or face significant fines.
