| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 5, 8 (1) (f), 43, 55 (1), 58 of the Data Protection Act, 2019; Regulations 14, 14 (2) and (3), 16 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021; Article 31 of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 26 July 2024 |
| Decided: | 19 October 2024 |
| Published: | Yes |
| Fine: | N/A |
| Parties: | John Thuo Kamau vs. The Board of Kenya Motor Sports Federation Ltd & Anor |
| Case No.: | No. 1099 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
The Complainant alleged that the 2nd Respondent, a director of a sports federation, shared his personal data with a third party without consent. The Respondents claimed they shared the data for legitimate reasons and notified the ODPC after becoming aware of the breach. The ODPC found that the Respondents violated the Data Protection Act by failing to promptly report the data breach and by sharing data without consent. It issued an Enforcement Notice and held the Respondents liable.
The Complainant, John Thuo Kamau, alleged that the 2nd Respondent, Maina Muturi, upon becoming a member and director of the 1st Respondent, the Kenya Motor Sports Federation, shared the Complainant's personal data with third parties without his knowledge, authority, or consent.
The Complainant had provided his personal details to the Federation to apply for Formula One passes. The 2nd Respondent shared this data with a third party, who offered the same passes to the Complainant's wife and guests.
The Complainant became aware of this data breach on July 19, 2024, through an email copied to him.
The Respondents, in their response, stated that the secretary shared the Complainant's personal information with the FIA for the issuance of the requested passes. They contended that the secretary copied all directors of the Federation on the email with the Complainant's personal information as required by internal transparency rules.
The Respondents acknowledged that a data breach occurred on July 19th, 2024, when a director shared the Complainant's personal information with a third party.
However, they claimed that they did not immediately inform the ODPC about the data breach due to an oversight in interpreting the law.
They further argued that the KMSF Secretariat, upon receiving a notice from the Complainant, notified the ODPC about the data breach, fulfilling their responsibility to report.
The ODPC determined that the Respondents did not fulfil their obligation as stipulated under Section 43 of the Act. Although the Respondents became aware of the data breach on July 19th, 2024, they did not inform the Office of the same. This omission constituted a breach of Section 43, which mandates the data controller to notify the Data Commissioner without delay within seventy-two hours of becoming aware of a data breach.
The ODPC also found that the Respondents did not lawfully process the Complainant's personal data. They shared the Complainant's data with a third party without consent.
Legal Provisions Reviewed:
The ODPC reviewed the following legal provisions: