| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 25, 26(b), 30(1), 30(1)(b)(vii); 51(1), 56, of the Data Protection Act, 2019; Regulation 5(3), 9, 26(b), 33, 51(2)(b), 55(a), of the Data Protection (General) Regulations, 2021; Section 13(1) of the Capital Markets Act; Sections 134 to 137 of the Evidence Act; Article 31(c) and (d) of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 25 October 2024 |
| Decided: | 31 July 2024 |
| Published: | Yes |
| Fine: | KES.1,950,000 |
| 1st Respondent: KES 700,000/= | |
| 2nd Respondent: KES 700,000/= | |
| 3rd Respondent: KES 550,000/= | |
| Parties: | Bharat Thakar vs. WPP ScanGroup PLC, WPP PLC, and Control Risks Group |
| Case No.: | No. 1159, 1160 & 1169 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Bharat Thakrar filed a complaint with the ODPC against his former employer, ScanGroup, and its parent company WPP, for unlawful processing of his personal data. The ODPC found that both companies violated Thakrar's right to access his data and breached the principles of lawfulness and data minimization. However, it ruled that sharing his data with third parties was lawful. The ODPC ordered ScanGroup and WPP to compensate Thakrar KES.1,950,000, provide him data access, and issued an enforcement notice against them.
Bharat Thakrar was the former Chief Executive Officer (CEO) and Director at ScanGroup PLC (hereinafter “Scangroup” or “1st Respondent”).
Scangroup is a public limited liability company specializing in marketing services and is headquartered in Nairobi, Kenya. He is also a shareholder at Scangroup.
WPP PLC (hereinafter “WPP” or “2nd Respondent”) is a British multinational communications, advertising, public relations, technology consulting firm headquartered in London, England. WPP is a significant shareholder in Scangroup.
Control Risks Group (hereinafter “CRG” or “3rd Respondent”) is a risk and strategy consulting firm headquartered in London, England.
The Complainant filed a complaint dated 31st July, 2024, against the Respondents with the Office of the Data Protection Commissioner. The Complainant alleges that his personal data was accessed and processed by WPP and CRG without a legitimate basis or his consent.
According to the Complainant, WPP, as the largest shareholder of Scangroup, played a significant role in the governance and decision-making processes within Scangroup, effectively acting as data controller.
The Complainant alleges that CRG was utilized to access his laptop and other personal data, both physically and backed up on cloud. This was done without his knowledge and consent and included personal WhatsApp messages.
CRG thereafter compiled a report based on their investigations. This report was shared with the Capital Markets Authority (CMA), WPP and Scangroup.
The Complainant alleges that his personal data, and WPP’s failure to provide transparency, safeguard his personal data, and involve him in the process of investigations by CRG resulted in significant professional and personal harm. His personal data was mishandled and improperly shared among these entities during the investigations.
In 2021, the Complainant was suspended from his position as Chief Executive Officer of Scangroup following allegations of misconduct and notified of disciplinary proceedings against him and requested to attend a hearing. This suspension led to his resignation under duress.