Brian Mwalimu Volisi v. Fin Kenya (Formerly Trustgro Sca Limited)

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: data protection, privacy breaches, data processing, consent

Case Summary

The complaint involves the unauthorised use of the Complainant's employment details by the Respondent to process a loan application without consent. The legal basis for data protection in Kenya, as outlined in the Constitution and the Data Protection Act, 2019, establishes the rights of individuals to privacy and control over their personal data. 

Despite the allegations made by the Complainant, the Respondent failed to respond, leading to a violation of the Complainant's rights under the Act. The Data Commissioner proceeded to make determinations based on investigations as per the Enforcement Regulations. The final determination found the Respondent liable for infringing the Complainant's rights and violating obligations under the Act. Consequently, the Respondent was ordered to compensate the Complainant for financial loss and rights violation, with the right to appeal to the High Court of Kenya within thirty days.

Issues for Determination

The issues for determination in this case include:

  1. Whether there was a violation of the Complainant's rights under the Act, specifically under Section 26(a) and (b) regarding the use of personal data.
  2. Whether the Respondent fulfilled its obligations under the Act, particularly in adhering to the principles of data protection while processing the Complainant's personal data.
  3. Whether the Complainant is entitled to any remedies under the Act and the attendant Regulations, such as compensation for financial loss and distress due to the unauthorised processing of personal data.
  4. Whether the Respondent responded to the allegations made by the Complainant and provided evidence to support their actions, including the legal basis for processing the Complainant's employment data for the loan application.
  5. Whether the Respondent's actions, specifically processing the Complainant's data without consent for a second loan application, were compatible with the initial purpose of data collection and lawful under the Act.
  6. Whether the Respondent's failure to respond to the complaint and provide necessary documentation constitutes non-compliance with data protection regulations and obligations as a data controller and processor.

Determination

The final determination of this case found the Respondent liable for infringement of the Complainant's rights and violation of obligations under the Data Protection Act. The Respondent was ordered to compensate the Complainant for financial loss and rights violation. Additionally, the Respondent was directed to provide the Complainant with his loan statement and the loan application form used for the second loan. The Data Commissioner's decision is subject to appeal to the High Court of Kenya within thirty days. This determination was made based on the findings of the investigations conducted in response to the complaint filed by the Complainant regarding the unauthorised use of his employment data for a loan application.

Analysis

The case at hand involves a complaint filed by the Complainant against the Respondent regarding the unauthorised use of the Complainant's employment details for a loan application without consent. The Data Protection Commissioner in Kenya conducted investigations into the matter, and the Respondent failed to respond to the allegations raised by the Complainant. This lack of response led to a finding of non-compliance with data protection regulations and obligations.

The Data Commissioner's final determination concluded that the Respondent infringed upon the Complainant's rights and violated obligations under the Data Protection Act. As a result, the Respondent was ordered to compensate the Complainant for financial loss and rights violation. The determination highlighted the importance of lawful processing of personal data, the burden of proof on data controllers and processors to establish consent for data processing, and the rights of data subjects to object to the processing of their personal data.

Furthermore, the determination emphasised the Complainant's entitlement to remedies under the Act and regulations, including compensation for financial loss and distress caused by the unauthorised processing of personal data. The Respondent was directed to provide the Complainant with relevant documentation, such as the loan statement and application form, and an enforcement notice was issued against the Respondent for the violations found.

In conclusion, the case highlights the importance of data protection, the rights of data subjects, and the obligations of data controllers and processors. It emphasises the need for lawful processing of personal data, consent from data subjects, and the burden of proof on controllers and processors to establish lawful processing. The Complainant's entitlement to remedies under the Act and regulations, including compensation for financial loss and distress, is outlined based on the violations found against the Respondent.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the establishment and administration of the data filing system.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: personal data must be processed fairly and lawfully; it must be accurate and up to date; it must be processed for specified, explicit, and legitimate purposes; it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed; and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.