
Beatrice Ayonjo vs. Quest Holdings Limited

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: data protection, privacy breaches, unauthorised disclosure, consent

Case Summary

In ODPC Complaint No. 1762 of 2023, Beatrice Ayonjo filed a complaint against Quest Holdings Limited, alleging that the company unlawfully disclosed her loan details to her clients without her consent. Ayonjo claimed that, despite her ongoing loan repayments, Quest Holdings shared her personal financial information with unauthorised third parties, breaching her right to privacy under the Data Protection Act, 2019.

The Office of the Data Protection Commissioner (ODPC) received the complaint on September 26, 2023. The ODPC notified Quest Holdings of the complaint, requesting a response and relevant evidence. Quest Holdings acknowledged that Ayonjo was their customer and admitted to contacting her through her employer's phone number, which was not authorised as a contact point.

Upon investigation, the ODPC found that Quest Holdings processed Ayonjo's personal data without a lawful basis or her consent, violating the Data Protection Act, 2019. The ODPC determined that Quest Holdings did not provide sufficient justification for disclosing Ayonjo's loan details to third parties and failed to adhere to data protection principles. Consequently, the ODPC ruled in favour of Ayonjo, ordering Quest Holdings to compensate her Kshs. 200,000 for the unlawful processing of her personal data. An Enforcement Notice was also issued against Quest Holdings, highlighting their failure to comply with data protection laws.

The determination emphasised the importance of lawful processing of personal data and noted that either party may seek further legal recourse by appealing the decision to the High Court of Kenya within thirty days.

Issues for Determination

  1. Whether the Complainant’s personal data was processed in accordance with the Data Protection Act, 2019.
  2. Whether the Complainant is entitled to any remedies under the Act and the attendant Regulations.

Determination

The ODPC determined that the Respondent, Quest Holdings Limited, is liable for unlawfully processing the Complainant’s personal data, and ordered them to compensate the Complainant Kshs. 200,000 for the unlawful processing of her personal data. The ODPC also stated that the parties have the right to appeal the determination to the High Court of Kenya within thirty (30) days.

Analysis

On whether the Complainant's Personal Data Was Processed in Accordance with the Act

The Data Protection Act, 2019 defines personal data as any information relating to an identified or identifiable natural person. Beatrice Ayonjo's loan details, which were shared without her consent, fall within this definition. Ayonjo provided evidence in the form of screenshots showing that Quest Holdings sent her loan details to third parties without her authorisation. Quest Holdings admitted that it contacted Ayonjo through her employer's phone number, which was not listed as an emergency contact or authorised for such communication.

Processing, as defined by the Act, includes operations such as collection, recording, and disclosure of personal data. Quest Holdings’ actions of sending Ayonjo’s loan details to unauthorised parties constitute processing. According to Section 30 of the Act, processing personal data must be based on valid consent or other lawful grounds. Quest Holdings failed to demonstrate that they had Ayonjo’s consent or any lawful basis for processing her personal data.

On whether the Complainant Is Entitled to Any Remedies Under the Act and the Attendant Regulations

Section 65(1) of the Data Protection Act provides for compensation to data subjects who suffer damage due to contraventions of the Act, including financial loss and distress. Given the evidence and the admission by Quest Holdings, the ODPC determined that Quest Holdings unlawfully processed Ayonjo’s personal data, thereby violating her rights. Regulation 14(3)(e) of the Enforcement Regulations allows the Data Commissioner to order compensation for the data subject. Consequently, the ODPC ordered Quest Holdings to compensate Ayonjo Kshs. 200,000 for the unlawful processing of her personal data.

The ODPC also issued an Enforcement Notice against Quest Holdings, citing their failure to adhere to the lawful processing requirements of the Act. This Enforcement Notice serves as a formal directive to ensure compliance with data protection laws and acts as a deterrent to prevent future violations. Furthermore, both parties have the right to appeal this determination to the High Court of Kenya within thirty days, ensuring procedural fairness and accountability in the decision-making process.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the establishment and administration of the data filing system.

Data processor: a natural or legal person who processes personal data on the basis of a data controller's authorisation.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows:

  • it must be processed fairly and lawfully,
  • it must be accurate and up to date,
  • it must be processed for specified, explicit, and legitimate purposes,
  • it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and
  • it must be retained for the duration specified by law, or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.