Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Kenya: ODPC issues fines totalling KES 9.3M on Mulla Pride, Casa Vera, and Roma School for violations of the Data Protection Act
On September 26, 2023, the Office of the Data Protection Commission (ODPC) announced, via LinkedIn, that it had issued three penalty notices totaling KES 9.3 million (approx. $63,430) against three data controllers for violating data subject rights and for non-compliance with the Data Protection Act, 2019 (the Act), after receiving complaints.
Background to the decision
In particular, the ODPC stated that the complaints against Mulla Pride Ltd, a Digital Credit Provider (DCP) that operates mobile lending apps, concerned Mulla Pride's use of the complainants' personal data including names and contact information obtained from third parties, to call the complainants and send them text messages without the complainants' consent.
The ODPC explained that the complainant in the case of Casa Vera Lounge, a restaurant, had alleged that Casa Vera had posted the complainant's image on its social media platforms without the complainant's consent.
In the third case, the ODPC noted that Roma School, an educational institution, had posted the personal data of minors, including their pictures, without first obtaining parental consent.
Findings of the ODPC
As such, the ODPC found that Mula Pride, Casa Vera Lounge, and Roma School had violated the rights of data subjects and failed to comply with the Act. The ODPC stated that data controllers should notify data subjects when collecting and processing their data, and businesses should seek consent from their customers prior to posting their customers' images online. Further, the ODPC highlighted that entities that handle minors' personal data should obtain consent from parents or guardians before processing the personal data of minors.
In light of the nature of the violations, the ODPC issued the following fines:
- KES 2.9 million (approx. $19,621) on Mulla Pride;
- KES 1.8 million (approx. $12,178) on Casa Vera Lounge; and
- KES 4.5 million (approx. $30,446) on Roma School.
Outcomes
In conclusion, the ODPC further noted that it had conducted a compliance audit of Whitepath Company Limited, a DCP, and an inspection of Naivas Limited, a retailer, following a data breach. The ODPC stated that it would share its findings with both data controllers for their action.
You can read the announcement here.