Agnes Kimanzi v Garss International Limited and Splomom Muthui

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: privacy, direct marketing

Case Summary

The Complainant alleged that the Respondent had been flooding her phone with promotional messages despite several warnings. The 2nd Respondent was a distributor for the 1st Respondent who sent said messages. The 2nd Respondent responded, claiming the issues were settled through Alternative Dispute Resolution mechanisms, with the solution being that the Complainant blocks the Respondents.

Issues for Determination.

  1. Whether there was a lawful use of Personal Data for commercial purposes
  2. Whether the Complainant's rights were violated
  3. Whether it was mandatory for the parties to adduce an Alternative Dispute Resolution settlement agreement in the event parties conclude and resolve the complaint through the ADR mechanisms.

Determination

The 1st Respondent is found to have violated Section 26 of the Act and Regulation 15 (1)(d), Regulation 17 (1) and Regulation 17 (2) of the Data Protection (General) Regulations, 2021.

Analysis

  1. Whether there was lawful use of Personal Data for commercial purposes

Promotional messaging is lawful as long as it is in line with Regulation 15 (1)(d), Regulation 17 (1) and Regulation 17 (2) of the Data Protection (General) Regulations, 2021, which state that opt-out mechanisms must be clearly highlighted and easily accessible to all recipients of promotional communications. They must not require excessive steps or complicated procedures, so that opting out can be executed swiftly and simply, and the opt-out option must be prominently displayed in each promotional message sent, so that it is immediately visible and not hidden within lengthy text or obscured by design elements.

The message sent by the 2nd Respondent did not conform to the regulations; additionally, the Respondents did not provide any evidence that they collected the Complainant’s personal data with prior consent.

  2. Whether the Complainant's rights were violated

The 1st Respondent was already found liable for not abiding by the regulations for promotional messaging. Additionally, the solution reached in their discussion was not regarded as a solution under the Data Protection Regulations. The ODPC held that the Respondent’s action violated Section 26 of the Data Protection Act.

  3. Whether it was mandatory for the parties to adduce an Alternative Dispute Resolution settlement agreement in the event parties conclude and resolve the complaint through the ADR mechanisms

The ODPC reasoned that proof of ADR is mandatory under Regulation 15(4) of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021. This provision expressly provides that after the negotiations, mediation or conciliation process the parties shall sign a negotiation, mediation or conciliation agreement in the manner specified in Form DPC 5 set out in the schedule.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.