The Office of the Data Protection Commissioner (ODPC) has issued three penalty notices to different data controllers for failing to observe Data Privacy Rights to Data Subjects. The three had also not complied with the Data Protection Act.
The Data controllers that were fined by ODPC are The Casa Vera Lounge, Roma School, and Mulla Pride.
Roma School was fined $30,774 (KeS 4.55 Million) for posting a minor’s image without parental consent while Casa Vera was fined $12,512 (KeS 1.85 Million) for posting an image of a customer on their social media platform without the person’s consent.
The case with Mulla Pride Ltd is something that Kenyans had complained a lot about digital lenders. Mulla Pride Ltd. operates KeCredit and Faircash mobile lending apps, and was fined $20,128 (Ksh.2.975.000). They were found to have used names and contact information of complainants which were obtained from third parties, and subsequently used to send threatening messages and phone calls.
In all the three cases, ODPC termed it as a warning to other data controllers that were misusing the data they collected and defied Data Protection Act requirements. For the Casa Vera case, the office of the data protection commissioner said, “This penalty seeks to ensure that other lounges, clubs, etc. seek consent from their customers prior to posting their images online.”
Roma School, on the other hand, having received “the first and highest penalty to an educational facility sends a message to schools and other facilities handling minors’ personal data to obtain consent from parents/guardians prior to processing minors’ data.”
With Mulla Pride Ltd, the whip has not come as a surprise given the complaints that had been raised on how digital lenders use their customer’s data. The ODPC said that Mulla Pride Ltd was found culpable of using names and contact information of the complainants which were obtained from third parties, and subsequently used to send threatening messages and phone calls.
“This penalty will ensure that Digital lenders and financial institution notify data subjects when collecting and processing their data, and the intention of processing the said data. It will further ensure that the data controllers are limited to strictly dealing with data subjects who have consented to the collection and processing of their data,” ODPC’s statement read in part.
Different entities have been urged to comply with the Data Protection Act by implementing data protection principles to ensure that the identity of citizens is safeguarded.
“Failure to comply with the Act will result in instituting enforcement procedures.”
ODPC also seeks to embarking on conducting 40 compliance audits on various data controllers and in various sectors this year.