• Mulla Pride Ltd, a digital credit provider which operates KeCredit and Falcrash mobile lending apps, was the first data controller that received a penalty of Sh2,975,000.
• Casa Vera Lounge, a restaurant based along Ngong Road in Nairobi, was fined Sh1,850,000 for posting a reveller’s image on their social media platform without the data subject’s consent.
The Office of the Data Protection Commissioner has issued three penalty notices to three data controllers for failing to observe privacy rights and not complying with the law.
A statement from ODPC says Mulla Pride Ltd, a digital credit provider which operates KeCredit and Falcrash mobile lending apps, was the first data controller that received a penalty of Sh2,975,000.
This was after it was found culpable of using names and contact information of the complainants, which were obtained from third parties, and subsequently used to send threatening messages and phone calls.
The ODPC maintained that the penalty will ensure that digital lenders and financial institutions notify subjects when collecting and processing their data, and the intention.
“It will further ensure that the data controllers are limited to strictly dealing with data subjects who have consented to the collection and processing of their data,” the statement reads.
The ODPC further revealed that the second data controller, Casa Vera Lounge, a restaurant based along Ngong Road in Nairobi, was fined Sh1,850,000 for posting a reveller’s image on their social media platform without the data subject’s consent.
This penalty, according to the ODPC, seeks to ensure that other lounges and clubs seek consent from their customers prior to posting their images online.
“Roma School, an educational institution based in Uthiru has been fined Sh4,550,000 for posting minors’ pictures without parental consent,” the ODPC disclosed.
This being the first and the highest penalty to an educational facility, the ODPC said, sends a message to schools and other facilities handling minors’ personal data to obtain consent from parents/guardians prior to processing the minors’ data.
The ODPC said these penalty notices have been issued pursuant to section 62 and 63 of the Data Protection Act, 2019 (Act) and Regulation 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.
Data Commissioner Immaculate Kassait urged entities to comply with the Data Protection Act.
She called upon data controllers and data processors to ensure that the processing of personal data is in accordance with the provision of the Act, failure to which will result in instituting enforcement procedures.
The office has also conducted a Compliance Audit on WhitePath, also a DCP and an inspection on Naivas Supermarkets on recent data breach upon which the findings will be shared with the data controllers for their swift action.
Further, the office will also be embarking on conducting 40 compliance audits to various data controllers and processors in various sectors this Financial Year.