The Office of the Data Protection Commissioner (ODPC) has issued three penalty notices totaling Ksh. 9,375,000 to three companies for violating the Data Protection Act, 2019. The ODPC is the independent regulatory authority mandated to oversee the implementation of and enforce compliance with the Data Protection Act, 2019.
According to a press release dated 26th September 2021 and signed by the Data Protection Commissioner, Immaculate Kassait, the three companies that received the penalty notices are:
- Mulla Pride Ltd., a Digital Credit Provider (DCP) which operates the KeCredit and Faircash mobile lending apps, was the first data controller that received a penalty, of Kshs 2,975,000. The DCP was found culpable of using the complainants' names and contact information, which were obtained from third parties and subsequently used for threatening messages and phone calls.
- Casa Vera Lounge, a restaurant based along Ngong Road in Nairobi. The establishment was fined Kshs 1,850,000 for posting a reveler’s image on their social media platform without the Data Subject’s consent.
- Roma School, an educational institution based in Uthiru, has been fined Kshs 4,550,000 for posting minors' pictures without parental consent.
The ODPC stated that the penalty notices were issued after conducting investigations and giving the companies an opportunity to make representations. The ODPC also warned that it will continue to monitor and enforce compliance with the Data Protection Act, 2019 and take appropriate action against any data controllers or data processors who fail to adhere to the law.
The Data Protection Act, 2019 is a comprehensive law that regulates the processing of personal data in Kenya. The law aims to protect the privacy and dignity of individuals by ensuring that their personal data is collected, used, stored and shared in a lawful and transparent manner. The law also grants individuals various rights over their personal data, such as the right to access, rectify, erase, restrict, object and port their data.
The ODPC urged all data controllers and data processors in Kenya to comply with the Data Protection Act, 2019 and register with the ODPC as required by Section 50 of the law. The ODPC also encouraged all individuals to exercise their rights over their personal data and report any suspected data breach or misuse to the ODPC.