Contents

1. Summary
   1. Facts
   2. Holding
2. Comment
3. Further resources
4. The Decision

Summary

The Complainant alleged receiving constant unsolicited credit and debit alert messages from Taifa DT SACCO despite not being a member. The Data Commissioner found that the Respondent unlawfully processed the Complainant's personal data and failed to comply with his request to stop. The Respondent was ordered to pay the Complainant KES 250,000 as compensation.

Facts

The Complainant alleged that he has been constantly and consistently receiving credit and debit alert messages from the Respondent since 2022, despite not being a member of the Respondent's SACCO18. He provided screenshots of the messages received as proof18. The Complainant stated he issued a cautionary SMS and email to the Respondent to stop and rectify the issue but they ignored him and he is still receiving the alerts18.

The Respondent stated that it had addressed the concerns raised in the complaint by responding to the Complainant via a letter indicating that thorough investigations had been carried out and the findings implemented. The Respondent provided a letter addressed to the Complainant as proof. In the letter, the Respondent stated that it took up the matter after receiving his email, investigated and established that his mobile phone number was initially allocated to one of its members who used it to receive credit and debit alerts. It further stated that the member inadvertently provided the same number as allocated to someone else within their system where it has no control and therefore is the reason he continued to receive the alerts and messages. The Respondent further stated that, having found the source of the problem, it immediately resolved the issue and the Complainant will no longer receive any further notifications. The Respondent apologised for the inconvenience caused.

The Data Commissioner found that the Complainant's data as a data subject is protected under the Act. Section 2 of the Act defines personal data. Section 26(c) of the Act provides for the right to object to the processing of personal data. The Complainant objected to the further processing of his personal data via SMS alerts, yet the Respondent continued to send them. The Office found that the Respondent violated the Complainant’s right to object to the processing of his personal data. The Respondent also ought to have complied with the Complainant's objection request and stopped sending messages to him.

Legal Provisions Reviewed:

The ODPC reviewed the following legal provisions:

• Section 8(1)(f) of the Data Protection Act, 2019: This section grants the Office of the Data Protection Commissioner the authority to receive and investigate complaints regarding potential violations of the Data Protection Act.
• Regulation 14 of the Data Protection (Complaint Handling Procedure and Enforcement) Regulations, 2021: This regulation mandates that the Data Commissioner must issue a determination on a complaint after the investigation is complete, based on the findings. It’s about what happens at the end of the investigation.
• Article 31(c) and (d) of the Constitution of Kenya: These constitutional articles establish the fundamental right to privacy for individuals in Kenya. This forms the overarching basis for data protection legislation.
• Section 5 of the Data Protection Act, 2019: This section creates the Office of the Data Protection Commissioner and outlines its primary responsibility for regulating the processing of personal data within Kenya. It details the office's mandate to ensure compliance with the Act.
• Section 25 of the Data Protection Act, 2019: This section lays down the core principles that must be adhered to when processing personal data. It's about the fundamental rules for handling personal information.
• Section 56(1) of the Data Protection Act, 2019: This section provides data subjects with the right to file a complaint with the Data Commissioner if they believe their rights under the Act have been infringed. It's the legal avenue for seeking redress.