Authority: ODPC - Kenya
Jurisdiction: Kenya
Relevant law: Legal Provisions Reviewed
Type: Complaint
Outcome: Violation
Started: 27 November 2024
Decided: 24 February 2025
Published: Yes
Fine: KES.500,000 (KES.250,000 each)
Parties: Catherine Kainyu Murithi vs. Becton Dickinson and Company T/A BD East Africa and Safaricom PLC
Case No.: No. 1958 of 2024
Appeal: N/A
Original Source: ODPC
Original contributor: MZIZI Africa

Summary

Catherine Kainyu Murithi complained to the Office of the Data Protection Commissioner about unauthorised disclosure of her national ID card by Becton Dickinson (her former employer) and Safaricom, leading to an unauthorised SIM card transfer. The Data Commissioner found both respondents liable for infringing her rights and ordered them to pay compensation.

Facts

The Complainant alleged that the 1st Respondent (BD) disclosed a copy of her national identity card to the 2nd Respondent (Safaricom) without authorisation, and that the Respondents handled and processed her personal data for an alleged unauthorised transfer of mobile number account/SIM card ownership without her consent.

The Complainant stated that prior to her start date with BD, she provided various personal documents, including her national identity card, in August 2021.

She alleged that BD's Office Administrator did not inform her of the use to which her personal data was to be put.

She further contended that BD disclosed her personal information without her consent and that this information was used for purposes both during her tenure and post-employment.

She stated that after her employment ended, BD's Office Administrator reached out and informed her that her postpaid Airtel number was under the BD account, and she needed to terminate Airtel SIM services under the BD account. Subsequently, the number became the Complainant's official communication number.

BD stated that it shared all relevant material with the Office, including the Employee Privacy Notice. BD maintained that the processing of the Complainant's personal data was lawful and fair. BD explained the purposes for which the personal data was collected and processed, mainly for pre-employment processing and during employment.

BD denied failing to provide a valid explanation for processing the Complainant's personal data. BD contended that the transfer of the Complainant's line from BD's account to her name was with her consent. BD argued that it had policies in place regarding data protection and had trained its staff. BD denied transferring the Complainant's personal data outside of Kenya without proof of adequate data protection safeguards or consent.

BD stated that the concerned employees are subject to employment contracts that include confidentiality clauses.

Safaricom stated that based on their records, the Complainant's mobile number was initially registered under BD. Following a request, the line was transferred to the Complainant's name. Safaricom asserted that all actions taken were based on instructions and documentation provided. Safaricom further explained the process of SIM card registration and transfer, emphasizing the need for identification documents. Safaricom maintained that it acted in accordance with the law and its internal procedures. Safaricom denied contravening the Complainant's consumer protection rights. Safaricom also denied failing to comply with the requirements of the Kenya Information and Communications (Registration of SIM-Cards) Regulations.

Holding

The Data Commissioner found that both BD and Safaricom were data controllers as per the definitions in the Act. The Office determined that BD unlawfully disclosed the Complainant's personal data (copy of National ID card) to Safaricom without her consent, violating Section 25 of the Act. The Data Commissioner also found that Safaricom processed the Complainant's personal data for the SIM card transfer without her proper consent, contravening Sections 25 and 30(1)(a) of the Act.