| Authority: | ODPC - Kenya |
| Jurisdiction: | Kenya |
| Relevant law: | Sections 25, 30, 45, 65 of the Data Protection Act, 2019; Regulation 14 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021; Section 9A(1) of the County Government Act, 2012; Article 31 of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 28 November 2024 |
| Decided: | 25 February 2025 |
| Published: | Yes |
| Fine: | KES 200,000 |
| Parties: | Kennedy Omondi Ochieng vs. Fingrow Capital Ltd |
| Case No.: | 1966 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Contents
- Summary
- Facts
- Holding
- Comment
- Further resources
- The Decision
Summary
Kennedy Omondi complained of unlawful disclosure of his financial data to third parties by Fingrow Capital Ltd without consent. The respondent was non-responsive. The ODPC found the respondent processed the data unlawfully by sharing it via email without a legal basis. The final ruling held the respondent liable and ordered compensation of KES 200,000.
Facts
The complainant alleged that the Respondent unlawfully disclosed his confidential financial personal data to third parties without his consent. Specifically, the complainant stated that after taking a credit facility from the Respondent, the Respondent through its general manager retrieved his confidential financial personal address, email address, that is accessed by numerous individuals in the bank not authorised to handle private personal staff data.
The complainant further contended that the confidential financial information was shared as an email attachment, including his February, March and April 2024 payslips, 6-month account statements, a promotion letter, his National Identity Card, and the guarantor's personal details, including their ID numbers, name, telephone number, occupation, and gross pay.
The Respondent did not respond to the Notification of Complaint filed against it. Despite being duly notified and given an opportunity to respond, it did not file a response to the allegations. As such, the Complainant’s allegations remained uncontroverted.
The ODPC found that:
- the Respondent processed the Complainant's personal data unlawfully. Specifically, the personal information shared as an email attachment was sent to the Complainant's colleagues and guarantor without his authorisation. The Complainant's allegations, that his personal financial data was sent to third parties and that the Respondent’s customer service email address allowed disclosure of this data by transmission, dissemination, or otherwise making it available, were evident.
- the Respondent failed to establish a lawful basis for processing the Complainant's personal data.
Legal provisions reviewed
- Article 31 (c) and (d) of the Constitution of Kenya: This article provides for the right to privacy.
- The Data Protection Act, 2019 (hereinafter known as 'the Act'): This entire Act is the basis for the Office of the Data Protection Commissioner's mandate to regulate the processing of personal data. Specific sections reviewed appear to include:
- Section 2: Defines the meaning of processing personal data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation or use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Section 30: Provides the lawful bases for processing personal data. It states that a data controller or data processor shall not process personal data unless the data subject consents or the processing is necessary for specific reasons such as performance of a contract, compliance with a legal obligation, protection of vital interests, public interest, legitimate interests, or for historical, statistical, literary, or art or scientific research. The ODPC specifically considered whether the processing fell under these lawful bases.
- Regulation 14 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021: This regulation pertains to the determination of a complaint and the remedies that the Data Commissioner may order.
- Section 8 (1) (f) of the Act: Provides that the Office can receive and investigate any complaint by any person on infringements of the rights under the Act.
- Section 56 (1) of the Act: Provides that a data subject who is aggrieved by a decision of any person under the Act may lodge a complaint with the Data Commissioner.
- Regulation 11 of the Enforcement Regulations: Outlines the procedure for notifying the respondent of a complaint.
- Regulation 11 (2) of the Enforcement Regulations: Provides that where a Respondent does not take any action as contemplated in the notification, the Data Commissioner shall proceed to determine the complaint in accordance with the Act and these Regulations.
- Section 65 (1) of the Act: Provides for the right to compensation to a data subject who suffers damage by reason of a contravention of the Act.
- Section 65 (4) of the Act: States that "damage" includes financial loss and damage not involving financial loss, including distress.
- Regulation 14 (3) (e) of the Enforcement Regulations: Provides that the Data Commissioner may make an order for compensation to the data subject by the Respondent.
Holding
The Data Commissioner made the following determination: