| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 26 (a) & (c) of the Data Protection Act, 2019; Regulation 17(1) of the Data Protection (General) Regulations, 2021; Article 31 of the Constitution of Kenya |
| Type: | Complaints |
| Outcome: | Violation |
| Started: | 10 October 2023 and 7 November 2023 |
| Decided: | 5 January 2024 |
| Published: | Yes |
| Fine: | Kes.2,600,000/= |
| Parties: | David Owuor & 2 Others vs. Ceres Tech Ktd (t/a RocketPesa) |
| Case No.: | ODPC Consolidated Complaints No. 1994 of 2023 |
| Appeal: | Yes - Judicial Review |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Ceres Tech Limited (the “Respondent”) was found liable for sending unsolicited promotional messages and calls to induce the Complainants to take a loan.
The case involves three complainants, David Owuor, Dennis Mwenda, and Richard Abongo, who filed complaints against Ceres Tech Limited T/A Rocketpesa regarding unsolicited promotional messages and calls aimed at inducing them to take a loan with the respondent.
The complaints alleged that the respondent violated their right to privacy by sending unsolicited promotional messages without providing an opt-out mechanism. The complaints also highlighted that the respondent collected the complainants' mobile phone numbers without informing them that the numbers would be used for sending promotional messages.
The legal basis for the case is rooted in the Data Protection Act, 2019, which guarantees the right to privacy in Kenya. The Act requires data controllers or processors to provide a simplified opt-out mechanism for data subjects to request not to receive direct marketing communications.
The Office of the Data Protection Commissioner conducted investigations and requested the respondent to respond to the allegations made by the complainants, provide relevant materials or evidence in support of the response, detail the mitigation measures adopted or being adopted to address the complaints, and demonstrate compliance with the Act and the Regulations.
The investigations revealed that the respondent did not provide an opt-out mechanism for the complainants to request not to receive promotional messages, thereby violating Regulation 17(1) of the Data Protection (General) Regulations, 2021. Additionally, the respondent collected the mobile phone numbers of the complainants without informing them of their intended use, and despite objections from the Complainants, continued to send the messages, thereby violating their rights under Sections 26(a) and 26(c) of the Act.
As a result, the Office determined that the respondent violated the complainants' rights and, if the respondent did not comply with the requirements under the Act and the Regulations, an Enforcement Notice would be issued against the respondent. It was also noted that the respondent was a repeat offender, having been found liable for similar violations in a previous case.
The ODPC held that: