Authority: ODPC - Kenya
Jurisdiction: Kenya
Relevant law: Section 8(1)(f) and 56, 29(d), 30(1)(b)(i) and (vii), 65(4) of the Data Protection Act, 2019; Regulation 5(1) and (2), 14(1), 65, 14(3)(e) of the Data Protection (General) Regulations, 2021; Regulation 14 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021; Article 31 of the Constitution of Kenya
Type: Complaint
Outcome: Violation
Started: 13 June 2024
Decided: 10 September 2024
Published: Yes
Fine: KES.25,000
Parties: S.M.M. vs. AAR Insurance Kenya Limited
Case No.: 842 of 2024
Appeal: N/A
Original Source: ODPC
Original contributor: MZIZI Africa

Contents

  1. Summary
    1. Facts
    2. Holding
  2. Comment
  3. Further resources
  4. The Decision

Summary

A complainant filed a complaint against AAR Insurance Kenya Limited alleging the company shared his family's health insurance information with a third party without his consent. The third party then sent him unsolicited messages about the plan. AAR Insurance Kenya was found liable for failing to fulfil its duty to notify the complainant under Section 29 of the Act and was ordered to pay the complainant KES. 25,000/= in nominal compensation.

Facts

The Complainant alleged that the Respondent shared his family's health insurance information with a third party, M-TIBA, without his consent.

The Complainant was enrolled in the Respondent's health insurance plan, and the Respondent subsequently shared his information with M-TIBA, a mobile-based healthcare platform. The Complainant received unsolicited marketing messages from the external entity, M-TIBA.

The Respondent asserted that it is a provider of health insurance and other insurance services regulated by the Insurance Regulatory Authority (IRA) and markets and underwrites healthcare schemes for corporate and retail clients.

The Respondent stated that it entered into a partnership agreement with CarePay Limited (CarePay) and CSL Services Limited (CSL) to manage its schemes on the M-TIBA Platform.

The Respondent stated that it lawfully processed the Complainant's personal data and that CarePay and CSL were also lawfully processing the Complainant's personal data, and asserted that there had therefore been no breach of the Act and its attendant Regulations.

The Office established that the Complainant had indeed received messages regarding his family medical plan from a third party.

It was also determined that the Respondent shared the Complainant's personal data with a third party, who subsequently sent him messages about his family medical plan.

However, the ODPC found that the messages sent to the Complainant did not amount to commercial use of his personal data, as they did not satisfy the ingredients of use of personal data for commercial purposes.

Holding